Stratix® 10 Configuration User Guide

ID 683762
Date 11/04/2024
Public
Document Table of Contents

1.2.1. Secure Device Manager

The SDM comprises peripherals, cryptographic IP and sensors, boot ROM, triple-redundant lockstep processors, and other blocks shown in the SDM Block Diagram figure. The SDM performs and manages the following security functions:

  • Configuration bitstream authentication: During the configuration state, the SDM authenticates the Intel-generated configuration firmware and configuration bitstream, ensuring that configuration bitstream is from a trusted source. All Stratix® 10 support authentication.

  • Encryption: Encryption protects the configuration bitstream or confidential data from unauthorized third-party access.
  • Side channel attack protection: Side channel attack protection guards AES Key and confidential data under non-intrusive attacks.
  • Integrity checking: Integrity checking verifies that an accidental event has not corrupted the configuration bitstream. This function is active, even if you do not enable authentication.

The following security features are available in Stratix® 10 devices that support advanced security. Devices with advanced security enabled can only load firmware shipped with Quartus® Prime Pro Edition software. Intel recommends Stratix® 10 devices with a -BK ordering part number (OPN) suffix for use with the black key provisioning feature.

Table 3.  Supported Security Features in Stratix® 10 Devices
Stratix® 10 Authentication Advanced Security
GX Yes -AS suffix devices
GX 10M Yes No
SX Yes -AS suffix devices
MX Yes -AS suffix devices
TX Yes -AS suffix devices
DX Yes Yes
Figure 3. SDM Block Diagram

Here is an overview of the additional functions the SDM controls:

  • SDM uses temperature sensor for SmartVID feature to communicate to the external PMBus voltage regulator when you select -V devices.

  • The AES/SHA and other Crypto Accelerator blocks implement secure configuration and boot.

  • The Key Vault provides volatile and non-volatile cryptographic key storage. To mitigate potential side-channel attacks, crypto functions that use keys require a special hardware storage mechanism.

  • The AS enables active configuration schemes via dedicated SDM pins.

  • The Avalon® -ST x8 configuration scheme uses SDM I/O pins. The Avalon® -ST x16 and x32 configuration schemes use dedicated SDM I/O pins and dual-purpose I/O pins. Refer to the SDM Pin Mapping for more information.

  • To reduce configuration file size and support smaller memory sizes, and enable faster configuration, the Quartus® Prime software compresses the configuration data. All Stratix® 10 devices compress the configuration bitstream. This feature is always enabled. When specifying an encrypted configuration bitstream, the Quartus® Prime Pro Edition software compresses the configuration bitstream before encryption.

  • A specific PCIe* block included in the Stratix® 10 device supports CvP.