Symmetric Cryptographic Intel FPGA Hard IP User Guide

Download PDF
ID 714305
Date 10/31/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. Block Description 6. Cryptographic IP Data Profiles 7. Configuration Registers 8. Design Example 9. Symmetric Cryptographic Intel FPGA Hard IP User Guide Archives 10. Document Revision History for the Symmetric Cryptographic Intel FPGA Hard IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Core Applications
2. Interface Overview x
2.1. Clock Signals 2.2. Reset Signals 2.3. AXI-ST Interface 2.4. AXI-Lite Interface
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Symmetric Cryptographic IP Core Flow 4.5. Dynamically Disabling SM4 Capability 4.6. Error Handling 4.7. Error Reporting 4.8. Resetting the IP Core 4.9. Channel Definition and Allocation 4.10. Byte Ordering 4.11. AXI-ST Single Packet Mode 4.12. AXI-ST Multiple Packet Mode
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
4.6. Error Handling x
4.6.1. Detected Error Handling 4.6.2. Key RAM ECC Error Handling
5. Block Description x
5.1. Reset Sequencer 5.2. AXI-ST Ready Latency 5.3. AXI Adapter 5.4. Integrity Check Value Comparison
5.3. AXI Adapter x
5.3.1. MAC Packing 5.3.2. Data Last Indicator 5.3.3. Stream and Channel ID Buffering 5.3.4. TKEEP and LAST_SEGMENT Signals Generation 5.3.5. MAC Dropping on Decryption
6. Cryptographic IP Data Profiles x
6.1. MAC Security Profile (MACsec) 6.2. IP Security Profile (IPsec) 6.3. Generic GCM Profile (GCM) 6.4. Generic XTS Profile (XTS)
6.1. MAC Security Profile (MACsec) x
6.1.1. MACsec Flow 6.1.2. AXI-ST Interface Using MAC Security (MACsec) Profile Pattern
6.2. IP Security Profile (IPsec) x
6.2.1. AXI-ST Interface Using IP Security (IPsec) Profile Pattern
6.3. Generic GCM Profile (GCM) x
6.3.1. AXI- ST Interface Using Generic GCM Profile Pattern
6.4. Generic XTS Profile (XTS) x
6.4.1. AXI-ST Interface Using Generic XTS Profile Pattern
7. Configuration Registers x
7.1. Cryptographic Primary Control Register 7.2. Cryptographic Secondary Control Register 7.3. Cryptographic Primary Status Register 7.4. Cryptographic Error Status Register 7.5. Cryptographic Error Control Register 7.6. Cryptographic Packet Error Control 1 Register 7.7. Cryptographic Packet Error Control 2 Register 7.8. Cryptographic Error Code Control 1 Register 7.9. Cryptographic Error Code Control 2 Register 7.10. Cryptographic Error Code Internal Control Register 7.11. Cryptographic Internal Error Control Register 7.12. Cryptographic First Error Log Register 7.13. Cryptographic Packet Error Log 1 Register 7.14. Cryptographic Packet Error Log 2 Register 7.15. Cryptographic Internal Error Log Register 7.16. Cryptographic Wall Clock LSB Register 7.17. Cryptographic Wall Clock MSB Register 7.18. Ternary Control Register
8. Design Example x
8.1. Functional Description 8.2. Crypto VSIP Top Block Descriptions 8.3. Test Configurations 8.4. Software Requirements 8.5. Simulation Requirements 8.6. Steps to Generate the Design Example 8.7. Running Simulation Tests 8.8. Running Hardware Tests
8.2. Crypto VSIP Top Block Descriptions x
8.2.1. Clock and Reset 8.2.2. Host Interface
8.7. Running Simulation Tests x
8.7.1. Steps to Simulate the Design Example
8.8. Running Hardware Tests x
8.8.1. Supported Boards 8.8.2. Steps to Compile the Design Example for Hardware 8.8.3. Steps to Run the Design Example on Hardware
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. Block Description
6. Cryptographic IP Data Profiles
7. Configuration Registers
8. Design Example
9. Symmetric Cryptographic Intel FPGA Hard IP User Guide Archives
10. Document Revision History for the Symmetric Cryptographic Intel FPGA Hard IP User Guide

3. Parameters

You customize the IP core by specifying parameters in the IP parameter editor.
Figure 3. IP Parameter Editor
Table 16.  IP Parameter Settings
Parameter Supported Values Default Setting Description
General
AES
  • Enable
  • Disable
 Enable Enable or disable the AES algorithm.
SM4
  • Enable
  • Disable
 Enable Enable or disable the SM4 algorithm.
GCM Options
Enable authentication check
  • On
  • Off
 On Enable or disable authentication check on a packet decryption flow.
Drop the MAC on MACsec decryption
  • On
  • Off
 Off Enable or disable dropping the MAC on decryption and not sending it out from the Symmetric Cryptographic IP core
Number of MACsec streams 1-64 64 Specifies the number of streams supported for MACsec profile.
XTS Options
XTS
  • Enable
  • Disable
 Enable Enable or disable the XTS mode.
Cipher Text Stealing
  • Enable
  • Disable
 Enable Enable or disable the Ciphertext Stealing (CTS) mode.
XTS+other high-frequency interleaving
  • On
  • Off
 On

When enabled, it counts the number of tweaks/CTS/decryption within a window of time on the AXI-ST TX interface.

If the threshold of either four tweaks occurs within 20 clocks, three CTS occurs within 20 cycles, or four decryption keys occur within 16 cycles, the interface is back pressured by de-asserting the tready signal.

During the back pressure, logic injects a dummy encryption key cycle using channel 1023 XTS profile until the number of tweaks/CTS/decryption keys within the window drops below the threshold.

This logic prevents the ICA hard IP from overflowing the number of outstanding tweaks/CTS/decryption key events that it can support.

This can be disabled (turned off) to improve throughput and reduce resource usage if the traffic doesn't interleave XTS with Generic GCM or IPSEC; or frame-based interleave XTS+Generic GCM, and key is always reprogrammed for each Generic GCM packet.

XTS+MACSEC interleaving is not supported in this release.

AXI-ST Options
AXI-ST tvalid path additional latency 0-6 0

Specifies the additional number of pipelines needed for the tvalid/tdata signal path for timing convergence.

Applicable only to the responder TX side.

Maximum AXI-ST Tx Latency (ready path + valid path + mode base) is up to 12.

  • Mode base is 0 if XTS and CTS modes are enabled
  • Otherwise, mode base is 5
AXI-ST tready path additional latency 0-6 0

Specifies the additional number of pipelines needed for the tready signal path for timing convergence.

Applicable only to the responder TX side.

Maximum AXI ST TX Latency (Ready + valid signal path) is up to 13.
AXI-LITE Options
AXI_LITE ready latency 0-2 0 Specifies the additional number of pipelines needed for timing convergence.
  • 0: No register
  • 1: One register on valid path
  • 2: One register each on both, valid and ready paths

Applicable only to AXI-Lite responder side.
Example Design Options
Example Design Configuration
  • GCM 1 x 512-bit interface
  • MACSEC 1 x 512-bit interface
  • IPSEC 1 x 512-bit interface
  • XTS 1 x 512-bit interface
 GCM 1 x 512-bit interface Selects the example design options.
Acknowledgement: The example design generates with only the Example Design Options specified in the drop-down menu. No other IP parameters that you specify applies to the example design generation.
Level Two Title