AN 556: Using the Design Security Features in Intel FPGAs

Download PDF
ID 683269
Date 5/21/2021
Public
Document Table of Contents
Document Table of Contents x
Using the Design Security Features in Intel® FPGAs
Using the Design Security Features in Intel® FPGAs x
Overview of the Design Security Feature Hardware and Software Requirements Steps for Implementing a Secure Configuration Flow Steps to Enable Tamper-Protection Bit Programming Supported Configuration Schemes Security Mode Verification Serial Flash Loader Support with Encryption Enabled Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain JTAG Secure Mode for 28-nm and 20-nm FPGAs Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Overview of the Design Security Feature x
Security Encryption Algorithm Non-Volatile and Volatile Key Storage Key Programming Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool
Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool x
Using Qcrypt Tool Qcrypt Tool Options Security Levels of Qcrypt Tool Security Option
Hardware and Software Requirements x
Hardware Requirements Software Requirements
Steps for Implementing a Secure Configuration Flow x
Step 1: Generating .ekp File and Encrypting Configuration File Step 2a: Programming Volatile Key into the FPGAs Step 2b: Programming Non-Volatile Key into the FPGAs Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data
Step 1: Generating .ekp File and Encrypting Configuration File x
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Step 2b: Programming Non-Volatile Key into the FPGAs x
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Key using JTAG Technologies
Security Mode Verification x
Verification During JTAG Secure Mode
JTAG Secure Mode for 28-nm and 20-nm FPGAs x
Internal JTAG Interface Design Example for JTAG Secure Mode
Design Example for JTAG Secure Mode x
Design Example Intel® Quartus® Prime Design Components LOCK and UNLOCK JTAG Instructions Verifying JTAG Secure Mode
Using the Design Security Features in Intel® FPGAs

Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software

To generate a single device .ekp file and encrypt your configuration file, follow these steps:
  1. Obtain a license file to enable the design security feature from Intel® FPGA Technical Support.
  2. Start the Intel® Quartus® Prime software.
  3. On the Tools menu, click License Setup. The Options dialog box displays the License Setup options.
  4. In the License file field, enter the location and name of the license file, or browse to and select the license file.
  5. Click OK.
  6. Compile your design with one of the following options:
    1. On the Processing menu, click Start Compilation.
    2. On the Processing menu, point to Start and click Start Assembler.
    An unencrypted SRAM Object File (.sof) is generated.
  7. On the File menu, click Convert Programming Files. The Convert Programming Files dialog box appears.
    1. In the Convert Programming Files dialog box, select the programming file type from the Programming file type list.
    2. If applicable, select the appropriate configuration device from the Configuration device list.
    3. Select the mode from the Mode list.
    4. Type the file name in the File name field, or browse to and select the file.
    5. Under the Input files to convert section, click SOF Data.
    6. Click Add File to open the Select Input File dialog box.
    7. Browse to the unencrypted SOF file and click Open.
    8. Under the Input files to convert section, select- the SOF file name. The field is highlighted.
    9. Click Properties. The SOF Files Properties: Bitstream Encryption dialog box appears.
    10. In the SOF Files Properties: Bitstream Encryption dialog box, turn on Generate encrypted bitstream.
    11. Turn on Generate key programming file and type the .ekp file path and file name in the text area, or browse to and select <filename>.ekp .
    12. Additional step for 20-nm FPGAs only: Turn on Enable volatile security key check box to encrypt the .sof file with volatile security key or turn it off to use non-volatile security key.
    13. Additional step for 20-nm FPGAs only: Turn on Generate encryption lock file and insert the .qlk file path and file name in the text area, or browse to the desired <filename>.qlk.
    14. Add the keys to the pull-down list either with a .key file or the Add button. The Add and Edit buttons bring up the Key Entry dialog box. The Delete button deletes the currently selected key from the pull-down list.
      Note: 40-nm FPGAs require entry of two 256-bit keys. The encryption derived from a combination of the two 256-bit keys. 28-nm and 20-nm FPGAs require entry of a single 256-bit key. The final encryption key is derived using a one-way function.
      Using the .key file option allows you to specify one or two key files in the corresponding drop-down box. You may use different files for the Key 1 and Key 2 fields, or use one .key file for both.
      The .key file is a plain text file in which each line represents a key unless the line starts with "#". The "#" symbol is used to denote comments. Each valid key line has the following format: <key identity><white space><256-bit hexadecimal key>. 
      # This is an example key file
key1 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
key2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
      The key identity is an alphanumeric name that is used to identify the keys (similar to the key file entry). The key is also the text displayed when the Show entered keys button is turned off. It is displayed together with the full key when Show entered keys is turned on.
      You can save the keys in the pull-down list to a .key file. You must click the corresponding Save button to save a key and to display the standard File dialog box. All keys in the pull-down list are saved to the selected or created .key file.
      Select the Key Entry Method to enter the encryption key either with the on-screen keypad or keyboard.
      The on-screen keypad allows you to enter the keys using the keypad. Select a key and click on the on-screen keypad to enter values. You have the option of allowing the keys to be shown as they are entered. If you use this option, you do not need to confirm the keys.
      While the on-screen keypad is being used, any attempt to use the keyboard to enter the keys generates a pop-up notification and the key press is ignored. Alternatively, you can enter the encryption key from the keyboard.
      1. Read the design security feature disclaimer. If you agree to and acknowledge the design security feature disclaimer, turn on the acknowledgment box.
      2. Click OK.
    15. Additional step for 20-nm FPGAs only: Under Security Options, select the level from the Disable external partial reconfiguration list.
    16. Additional step for 20-nm FPGAs only: Under Security Options, select the level from the Disable key-related JTAG instructions list.
    17. Additional step for 20-nm FPGAs only: Under Security Options, select the level from the Disable other extended JTAG instructions list.
  8. In the Convert Programming Files dialog box, click OK. The <filename>.ekp and encrypted configuration file are generated in the same project directory.
  9. On the Tools menu, click Programmer. The Programmer dialog box appears.
  10. In the Mode list, select JTAG as the programming mode.
  11. Click Hardware Setup. The Hardware Setup dialog box appears.
    1. In the currently selected hardware list, select Intel® FPGA Ethernet Cable as the programming hardware.
    2. Click Done.
  12. Click Add File. The Select Programmer File dialog box appears.
    1. Type <filename>.ekp in the File name field.
    2. Click Open.
  13. Highlight the .ekp file you added and click Program/Configure.
  14. On the File menu, point to Create/Update and click Create JAM, SVF, or ISC File. The Create JAM, SVF, or ISC File dialog box appears.
  15. Select the file format required (JEDEC STAPL Format [.jam]), for the .ekp file in the File format field.
  16. Type the file name in the File name field, or browse to and select the file.
  17. Click OK to generate the .jam file.
  18. On the Tools menu, click Programmer Options. The Programmer Options dialog box appears.
    Note: For non-volatile secure design feature, you must turn off the Configure volatile design security key option to generate a non-volatile .svf file of the .ekp file.
  19. Click OK.
  20. Repeat steps 15 to 17 to generate a .svf file of the .ekp file. Use the default setting in the Create JAM, SVF, or ISC File dialog box when generating a .svf file of the .ekp file.
Level Two Title