Symmetric Cryptographic Intel FPGA Hard IP User Guide

Download PDF
ID 714305
Date 4/13/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. Block Description 6. Cryptographic IP Data Profiles 7. Configuration Registers 8. Design Example 9. Document Revision History for the Symmetric Cryptographic Intel FPGA Hard IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Core Applications
2. Interface Overview x
2.1. Clock Signals 2.2. Reset Signals 2.3. AXI-ST Interface 2.4. AXI-Lite Interface
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Symmetric Cryptographic IP Core Flow 4.5. Dynamically Disabling SM4 Capability 4.6. Error Handling 4.7. Error Reporting 4.8. Resetting the IP Core 4.9. Channel Definition and Allocation 4.10. Byte Ordering 4.11. AXI-ST Single Packet Mode 4.12. AXI-ST Multiple Packet Mode
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
4.6. Error Handling x
4.6.1. Detected Error Handling 4.6.2. Key RAM ECC Error Handling
5. Block Description x
5.1. Reset Sequencer 5.2. AXI-ST Ready Latency 5.3. AXI Adapter 5.4. Integrity Check Value Comparison
5.3. AXI Adapter x
5.3.1. MAC Packing 5.3.2. Data Last Indicator 5.3.3. Stream and Channel ID Buffering 5.3.4. TKEEP and LAST_SEGMENT Signals Generation 5.3.5. MAC Dropping on Decryption
6. Cryptographic IP Data Profiles x
6.1. MAC Security Profile (MACsec) 6.2. IP Security Profile (IPsec) 6.3. Generic GCM Profile (GCM) 6.4. Generic XTS Profile (XTS)
6.1. MAC Security Profile (MACsec) x
6.1.1. MACsec Flow 6.1.2. AXI-ST Interface Using MAC Security (MACsec) Profile Pattern
6.2. IP Security Profile (IPsec) x
6.2.1. AXI-ST Interface Using IP Security (IPsec) Profile Pattern
6.3. Generic GCM Profile (GCM) x
6.3.1. AXI- ST Interface Using Generic GCM Profile Pattern
6.4. Generic XTS Profile (XTS) x
6.4.1. AXI-ST Interface Using Generic XTS Profile Pattern
7. Configuration Registers x
7.1. Cryptographic Primary Control Register 7.2. Cryptographic Secondary Control Register 7.3. Cryptographic Primary Status Register 7.4. Cryptographic Error Status Register 7.5. Cryptographic Error Control Register 7.6. Cryptographic Packet Error Control 1 Register 7.7. Cryptographic Packet Error Control 2 Register 7.8. Cryptographic Error Code Control 1 Register 7.9. Cryptographic Error Code Control 2 Register 7.10. Cryptographic Error Code Internal Control Register 7.11. Cryptographic Internal Error Control Register 7.12. Cryptographic First Error Log Register 7.13. Cryptographic Packet Error Log 1 Register 7.14. Cryptographic Packet Error Log 2 Register 7.15. Cryptographic Internal Error Log Register 7.16. Cryptographic Wall Clock LSB Register 7.17. Cryptographic Wall Clock MSB Register 7.18. Ternary Control Register
8. Design Example x
8.1. Functional Description 8.2. Hardware and Software Requirements 8.3. Simulation Requirements 8.4. Generating the Design 8.5. Compiling the Design Example 8.6. Simulating the Design Example Testbench
8.1. Functional Description x
8.1.1. Pattern Generator and Checker
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. Block Description
6. Cryptographic IP Data Profiles
7. Configuration Registers
8. Design Example
9. Document Revision History for the Symmetric Cryptographic Intel FPGA Hard IP User Guide

5.3.5. MAC Dropping on Decryption

The Symmetric Cryptographic IP core support a feature to drop the 16 byte MAC tag on decryption request. The feature is available for MACsec only.

To enable this feature, set the decrypt_drop_mac_en parameter to 1. This feature is independent to ICV comparison feature where the ICV comparison result sent out to user is unaffected by this feature.

The Table 30 illustrates the Egress packet exiting the AES/SM4 Inline Cryptographic Accelerator with 16 byte MAC located at different 128 bits segment within the cycle. The Table 31 illustrates the Symmetric Cryptographic IP core discarding the 16 byte MAC. All the AXI-ST control signals such as tlast, tkeep, tuser_last_segment<N> are updated to reference the last byte of the payload and not the last byte of MAC.

Table 30.  Egress Packet Example Exiting the AES/SM4 Inline Cryptographic Accelerator
Profile MACsec MACsec   MACsec   MACsec   MACsec
MAC_IV_tweak_en 0 1   1   1   1
data_en 1 0   1   1   1
next_packet_en 0 1   1   1   0
tlast 0 1   1   1   1
num_empty_bytes 0 64   48 to 63   32 to 63   16 to 63
DATA
data[127:0] AAD/Text MAC   AAD/Text   AAD/Text   AAD/Text
data[255:128] AAD/Text AAD/Text   MAC   AAD/Text   AAD/Text
data[391:256] AAD/Text AAD/Text   AAD/Text   MAC   AAD/Text
data[511:392] AAD/Text AAD/Text   AAD/Text   AAD/Text   MAC
Table 31.  Egress Packet Example within the Symmetric Cryptographic IP core
Profile MACsec MACsec   MACsec   MACsec   MACsec
tvalid 1 1   1   1   1
MAC_IV_tweak_en 0 1   1   1   1
data_en 1 0   1   1   1
next_packet_en 0 1   1   1   0
tlast 1 0   1   1   1
tkeep All 1's

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111

0000_0000

0000_0000

  

1111_1111

1111_1111

1111_1111

1111_1111

0000_0000

0000_0000

1111_1111

1111_1111

  

1111_1111

1111_1111

0000_0000

0000_0000

1111_1111

1111_1111

1111_1111

1111_1111

  

0000_0000

0000_0000

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111
tuser_last_segment0 0 0   1   0   0
tuser_last_segment1 0 0   0   1   0
tuser_last_segment2 0 0   0   0   1
tuser_last_segment3 1 0   0   0   0
DATA
data[127:0] AAD/Text IDLE   AAD/Text   AAD/Text   AAD/Text
data[255:128] AAD/Text AAD/Text   IDLE   AAD/Text   AAD/Text
data[391:256] AAD/Text AAD/Text   AAD/Text   IDLE   AAD/Text
data[511:392] AAD/Text AAD/Text   AAD/Text   AAD/Text   IDLE

If MAC is located in segment 0 and there is no subsequent packets in segment 1, 2, or 3, the tvalid signal deasserts since all segments are the IDLE bytes after the MAC dropping.

Level Two Title