AN 556: Using the Design Security Features in Intel FPGAs

Download PDF
ID 683269
Date 5/21/2021
Public
Document Table of Contents
Document Table of Contents x
Using the Design Security Features in Intel® FPGAs
Using the Design Security Features in Intel® FPGAs x
Overview of the Design Security Feature Hardware and Software Requirements Steps for Implementing a Secure Configuration Flow Steps to Enable Tamper-Protection Bit Programming Supported Configuration Schemes Security Mode Verification Serial Flash Loader Support with Encryption Enabled Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain JTAG Secure Mode for 28-nm and 20-nm FPGAs Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Overview of the Design Security Feature x
Security Encryption Algorithm Non-Volatile and Volatile Key Storage Key Programming Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool
Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool x
Using Qcrypt Tool Qcrypt Tool Options Security Levels of Qcrypt Tool Security Option
Hardware and Software Requirements x
Hardware Requirements Software Requirements
Steps for Implementing a Secure Configuration Flow x
Step 1: Generating .ekp File and Encrypting Configuration File Step 2a: Programming Volatile Key into the FPGAs Step 2b: Programming Non-Volatile Key into the FPGAs Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data
Step 1: Generating .ekp File and Encrypting Configuration File x
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Step 2b: Programming Non-Volatile Key into the FPGAs x
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Key using JTAG Technologies
Security Mode Verification x
Verification During JTAG Secure Mode
JTAG Secure Mode for 28-nm and 20-nm FPGAs x
Internal JTAG Interface Design Example for JTAG Secure Mode
Design Example for JTAG Secure Mode x
Design Example Intel® Quartus® Prime Design Components LOCK and UNLOCK JTAG Instructions Verifying JTAG Secure Mode
Using the Design Security Features in Intel® FPGAs

Qcrypt Tool Options

Table 7.  Basic Options in Qcrypt Tool
Basic Option Descriptions
--encrypt Encrypts input_file.rbf with default behavior.
--decrypt Decrypts input_file.rbf to obtain the original bit-stream. The decrypted .rbf is not the same as original bit-stream if you had previously enabled any security options. You must explicitly reset these security options to level 0 if you want the decrypted .rbf to match the original pre-encrypted .rbf. Note that there are minor differences between the original and decrypted .rbf files. The differences can be ignored.
--keyfile=<KEY_FILE> Default name for this key file is keyfile.key. This option allows you to specify an alternate name for the keyfile.key. The key file is located in the current project directory where the input_file.rbf is also stored. Refer example key file in Generating Single-Device .ekp File and Encrypting Configuration File using Intel Quartus Prime Software.
--keyname=<KEY_NAME> Specify a named key to use from the key file. By default, the tool uses the first key from the key file.
--keystore=<types of key> Specify which security key to be use:
  • otp (non-volatile key)
  • battery (volatile key)
One-time programmable (otp) is the default value.
--iv=<HEX_VALUE> Optional seed value for creating a non-random initialization vector (IV). By default, an .rbf generates a different encrypted .rbf every time it is encrypted. This option allows you to specify a seed value to ensure the same encrypted .rbf is generated when using same --iv value. HEX_VALUE can be any arbitrary 32-bit hexadecimal value.
Table 8.  Security Options in Qcrypt Tool
Security Option Descriptions
--lockto=<FILE_NAME.qlk>

Locks authentication to corresponding prior base bitstream.

The .qlk file is automatically created when a base configuration file, such as a CvP core image bitstream, is encrypted. Use this option when you want a follow-on core CvP or partial reconfiguration image to be usable only with that base configuration. This prevents a follow-on bitstream from being loaded over a wrong (but otherwise authenticated) base bitstream.

--no-lockto Overrides any mandatory --lockto requirement
--epof-only=[0:3] Only allow encrypted and authenticated bit-streams to be used for external configuration.
--no-config=[0:3] Disables configuration from external pins. With this option set, configuration can only be controlled by the internal HPS.
Note: This security option is not supported in Intel® Cyclone® 10 GX.
--no-pr=[0:3] Disables external partial-configuration.
--no-jtag-key=[0:3] Disables key-related JTAG instructions.
--no-jtag-ext=[0:3] Enables JTAG Secure mode.
--no-jtag=[0:3] Forces the external JTAG pins into BYPASS mode.
--no-hps-jtag=[0:3] Forces the internal HPS JTAG into BYPASS mode.
Note: This security option is not supported in Intel® Cyclone® 10 GX.
--no-otp-key=[0:3] Disables use of the non-volatile OTP fuse key.
--no-battery-key=[0:3] Disables use of the battery-backed key.
--lock-battery-key=[0:3] Prevents the battery-backed volatile key from being changed or overwritten.
--secure=[2:3] Disables Test Mode <default=2>.
Related Information
Level Two Title