AN 556: Using the Design Security Features in Intel FPGAs

Download PDF
ID 683269
Date 5/21/2021
Public
Document Table of Contents
Document Table of Contents x
Using the Design Security Features in Intel® FPGAs
Using the Design Security Features in Intel® FPGAs x
Overview of the Design Security Feature Hardware and Software Requirements Steps for Implementing a Secure Configuration Flow Steps to Enable Tamper-Protection Bit Programming Supported Configuration Schemes Security Mode Verification Serial Flash Loader Support with Encryption Enabled Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain JTAG Secure Mode for 28-nm and 20-nm FPGAs Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Overview of the Design Security Feature x
Security Encryption Algorithm Non-Volatile and Volatile Key Storage Key Programming Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool
Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool x
Using Qcrypt Tool Qcrypt Tool Options Security Levels of Qcrypt Tool Security Option
Hardware and Software Requirements x
Hardware Requirements Software Requirements
Steps for Implementing a Secure Configuration Flow x
Step 1: Generating .ekp File and Encrypting Configuration File Step 2a: Programming Volatile Key into the FPGAs Step 2b: Programming Non-Volatile Key into the FPGAs Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data
Step 1: Generating .ekp File and Encrypting Configuration File x
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Step 2b: Programming Non-Volatile Key into the FPGAs x
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Key using JTAG Technologies
Security Mode Verification x
Verification During JTAG Secure Mode
JTAG Secure Mode for 28-nm and 20-nm FPGAs x
Internal JTAG Interface Design Example for JTAG Secure Mode
Design Example for JTAG Secure Mode x
Design Example Intel® Quartus® Prime Design Components LOCK and UNLOCK JTAG Instructions Verifying JTAG Secure Mode
Using the Design Security Features in Intel® FPGAs

Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain

To use the Serial Flash Loader IP core with the encryption feature enabled in a single FPGA device chain, follow these steps:
  1. Start the Intel® Quartus® Prime software.
  2. Instantiate the Serial Flash Loader IP core in your FPGA top-level design.
  3. Compile your design with one of the following options. An unencrypted .sof is generated.
    1. On the Processing menu, click Start Compilation; or
    2. On the Processing menu, point Start and click Start Assembler.
  4. Follow these steps to convert a .sof to a .jic file:
    1. On the File menu, choose Convert Programming Files.
    2. In the Convert Programming Files dialog box, scroll to the JTAG Indirect Configuration File (.jic) from the Programming file type field.
    3. In the Configuration device field, specify the serial configuration device.
    4. In the File name field, browse to the target directory and specify an output file name.
    5. Highlight the .sof data in the Input files to convert section.
    6. Click Add File.
    7. Select the .sof file that you want to convert to a .jic file.
    8. Click OK.
    9. Click on the .sof file name to encrypt the .sof file.
      Note: To encrypt the .sof file, refer to step 7 of Generating Single-Device .ekp File and Encrypting Configuration File using Intel Quartus Prime Software.
    10. Highlight Flash Loader and click Add Device.
    11. Click OK. The Select Devices page appears.
    12. Select the target FPGA that you are using to program the serial configuration device.
    13. Click OK.
  5. Program the serial configuration device with the encrypted .jic file.
  6. Program the key into the FPGA device.
    Note: To program the key to a single FPGA device, follow the steps in Programming Single-Device Volatile or Non-Volatile Key using Intel Quartus Prime Software.
  7. The encrypted FPGA is then configured by the programmed serial configuration device.
    Note: To program the key with a .jam file, you must convert the .jic file to a .jam file.
Related Information
Level Two Title