AN 556: Using the Design Security Features in Intel FPGAs

Download PDF
ID 683269
Date 5/21/2021
Public
Document Table of Contents
Document Table of Contents x
Using the Design Security Features in Intel® FPGAs
Using the Design Security Features in Intel® FPGAs x
Overview of the Design Security Feature Hardware and Software Requirements Steps for Implementing a Secure Configuration Flow Steps to Enable Tamper-Protection Bit Programming Supported Configuration Schemes Security Mode Verification Serial Flash Loader Support with Encryption Enabled Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain JTAG Secure Mode for 28-nm and 20-nm FPGAs Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Overview of the Design Security Feature x
Security Encryption Algorithm Non-Volatile and Volatile Key Storage Key Programming Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool
Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool x
Using Qcrypt Tool Qcrypt Tool Options Security Levels of Qcrypt Tool Security Option
Hardware and Software Requirements x
Hardware Requirements Software Requirements
Steps for Implementing a Secure Configuration Flow x
Step 1: Generating .ekp File and Encrypting Configuration File Step 2a: Programming Volatile Key into the FPGAs Step 2b: Programming Non-Volatile Key into the FPGAs Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data
Step 1: Generating .ekp File and Encrypting Configuration File x
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Step 2b: Programming Non-Volatile Key into the FPGAs x
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Key using JTAG Technologies
Security Mode Verification x
Verification During JTAG Secure Mode
JTAG Secure Mode for 28-nm and 20-nm FPGAs x
Internal JTAG Interface Design Example for JTAG Secure Mode
Design Example for JTAG Secure Mode x
Design Example Intel® Quartus® Prime Design Components LOCK and UNLOCK JTAG Instructions Verifying JTAG Secure Mode
Using the Design Security Features in Intel® FPGAs

Step 1: Generating .ekp File and Encrypting Configuration File

To use the design security feature in the FPGAs, you must encrypt your 20-nm design using the Qcrypt tool, or generate an .ekp file and encrypt your configuration files using the Intel® Quartus® Prime software. The key is not saved into any Intel® Quartus® Prime-generated configuration files and the actual 256-bit key is generated from the bit sequences.

To enable the design security feature, you can obtain a license file from Intel® FPGA Technical Support.

The .ekp file has different formats, depending on the hardware and system used for programming. There are three file formats supported by the Intel® Quartus® Prime software:

  • JAM Byte Code (.jbc) file
  • JAM™ Standard Test and Programming Language (STAPL) Format (.jam) file
  • Serial Vector Format (.svf) file

Only the .ekp file type is generated automatically from the Intel® Quartus® Prime software. You must create the .jam and .svf files using the Intel® Quartus® Prime software if these files are required in the key programming. The Intel® Quartus® Prime software generates the JBC format of the .ekp file in the same project directory.

Note: Intel® recommends that you keep the .ekp file confidential.

Use the .ekp file with the Intel® FPGA Ethernet Cable communications cable or Intel® FPGA Download Cable and the Intel® Quartus® Prime software. The Intel® FPGA Ethernet Cable communications cable can support both volatile and non-volatile key programming whereas the Intel® FPGA Download Cable is used only for volatile key programming. The .jam file format is generally used with third-party programming vendors and JTAG programmer vendors. The .svf file format is used with JTAG programmer vendors.


Section Content
Generating Single-Device .ekp File and Encrypting Configuration File using Intel Quartus Prime Software
Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel Quartus Prime Software
Generating Multi-Device .ekp File and Encrypting Configuration File using Intel Quartus Prime Software

Level Two Title