Symmetric Cryptographic Accelerator Hard IP User Guide

Download PDF
ID 714305
Date 11/28/2025
Public
Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP 5. Block Description 6. Cryptographic IP Data Profiles 7. Configuration Registers 8. Design Example 9. Document Revision History for the Symmetric Cryptographic Accelerator Hard IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Overview 1.3. Release Information 1.4. Device Family Support 1.5. Resource Utilization
1.2. IP Overview x
1.2.1. IP Applications
2. Interface Overview x
2.1. Clock Signals 2.2. Reset Signals 2.3. AXI-ST Interface 2.4. AXI-Lite Interface
4. Designing with the IP x
4.1. Installing and Licensing IP Cores 4.2. Specifying the IP Parameters and Options 4.3. Generated File Structure 4.4. Symmetric Cryptographic Accelerator Hard IP Flow 4.5. Dynamically Disabling the SM4 Capability 4.6. Error Handling 4.7. Error Reporting 4.8. Resetting the IP 4.9. Channel Definition and Allocation 4.10. Byte Ordering 4.11. AXI-ST Single Packet Mode 4.12. AXI-ST Multiple Packet Mode
4.1. Installing and Licensing IP Cores x
4.1.1. IP Evaluation Mode
4.6. Error Handling x
4.6.1. Steps to Record and Report the Received Errors to the Soft Logic 4.6.2. Detected Error Handling 4.6.3. Key RAM ECC Error Handling
4.6.2. Detected Error Handling x
4.6.2.1. Recovering from a Recoverable Error 4.6.2.2. Recovering from an Internal Error
5. Block Description x
5.1. Reset Sequencer 5.2. AXI-ST Ready Latency 5.3. AXI Adapter 5.4. Integrity Check Value Comparison 5.5. GCM Padding and Depadding
5.3. AXI Adapter x
5.3.1. MAC Packing 5.3.2. Data Last Indicator 5.3.3. Stream and Channel ID Buffering 5.3.4. TKEEP and LAST_SEGMENT Signals Generation 5.3.5. MAC Dropping on Decryption
5.5. GCM Padding and Depadding x
5.5.1. GCM Padding 5.5.2. GCM Depadding
6. Cryptographic IP Data Profiles x
6.1. MAC Security Profile (MACsec) 6.2. IP Security Profile (IPsec) 6.3. Generic GCM Profile (GCM) 6.4. Generic XTS Profile (XTS)
6.1. MAC Security Profile (MACsec) x
6.1.1. MACsec Flow 6.1.2. AXI-ST Interface Using MAC Security (MACsec) Profile Pattern
6.2. IP Security Profile (IPsec) x
6.2.1. AXI-ST Interface Using IP Security (IPsec) Profile Pattern
6.3. Generic GCM Profile (GCM) x
6.3.1. AXI- ST Interface Using Generic GCM Profile Pattern
6.4. Generic XTS Profile (XTS) x
6.4.1. AXI-ST Interface Using Generic XTS Profile Pattern
8. Design Example x
8.1. Functional Description 8.2. Crypto VSIP Top Block Descriptions 8.3. Test Configurations 8.4. Software Requirements 8.5. Simulation Requirements 8.6. Steps to Generate the Design Example 8.7. Running Simulation Tests 8.8. Running Hardware Tests
8.2. Crypto VSIP Top Block Descriptions x
8.2.1. Clock and Reset 8.2.2. Host Interface
8.7. Running Simulation Tests x
8.7.1. Steps to Simulate the Design Example
8.8. Running Hardware Tests x
8.8.1. Supported Boards 8.8.2. Steps to Compile the Design Example for Hardware 8.8.3. Steps to Run the Design Example on Hardware
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP
5. Block Description
6. Cryptographic IP Data Profiles
7. Configuration Registers
8. Design Example
9. Document Revision History for the Symmetric Cryptographic Accelerator Hard IP User Guide

6.2. IP Security Profile (IPsec)

This profile is optimized for the IP Security (IPsec) usage. To select the IPsec profile, you set tuser.pattern[2:0] to 3'd3.
You must specify the following inputs when using the IPsec profile.
  • Key: Single 256 bit or a 128 bit key. The same key is used for GCM encryption, including the authentication, or decryption, including the authentication, operation.
  • Additional Authenticated Data (AAD): A GCM-specific additional authenticated data that requires the authentication only. The supported AAD length is a range of 1 to (232-1) bytes.
    Note: The AAD must be aligned to 16 bytes or padded with 0’s to align to 16 bytes in order to comply with the GCM specification.
  • Data/Text: Contains the plaintext or ciphertext data requiring the encryption or decryption. The data size range is between 1 byte to 239 bits.
    Note: The (AAD plus data) length must be at minimum 17 bytes.
  • Initialization Vector (IV): 96 bit IV is required for all GCM operations. Before programming the Symmetric Cryptographic Accelerator Hard IP, the AES/SM4 Inline Cryptographic Accelerator adds a counter value of 0x2 to the existing 96-bit IV, as described in the following statement. The counter and the IV use little endian format.
    IV_final[127:0] = {counter[31:0] || IV[95:0]}

The following output information is identified when using the MACsec pattern:
  • Additional Authenticated Data (AAD): A GCM-specific additional authenticated data that requires the authentication only. The output propagates the original entered input AAD value.
  • Data/Text: Contains the plaintext or ciphertext data that has been encrypted or decrypted.
  • MAC: 128-bit long Ghash or GMAC authenticated tag calculated by the AES ICA Hard IP.
  • Key: The key size depends on the selected mode:
    • 128 or 256 bit key for AES GCM mode
    • 128 bit key for SM4 GCM mode
  • The keys are streamed along with the data to be encrypted or decrypted.
  • Supports a (AAD + text size of any length) packet size. If the AAD is not aligned to 128 bits, the plaintext or ciphertext is packed within the same 128 bit segment.
  • Optimized throughput for greater than 200 bytes packets size.
  • Supports multiple channels as long as when a channel starts, the channel needs to end the operation with the tlast signal.
The following example depicts the traffic flow for the IPsec profile. The example processes 3 packets. The first two packets send AAD. The third packet sends AAD along with data (plaintext or ciphertext). The keys are streamed for each of the packets.
Table 37.  IPsec Profile Traffic Pattern Example
DATA
data[127:0] Key AAD Key AAD Key AAD Text Text Text
data[255:128] Key AAD Key AAD IV_+

AAD length

 AAD Text Text Text
data[383:256] IV_+

AAD length

 AAD IV_+

AAD length

 AAD AAD AAD Text Text Text
data[511:384] AAD AAD AAD Key AAD AAD Text Text Text

Section Content
AXI-ST Interface Using IP Security (IPsec) Profile Pattern

Level Two Title