Step 2b: Programming Non-Volatile Key into the FPGAs

AN 556: Using the Design Security Features in Intel FPGAs

Download PDF

ID 683269

Date 5/21/2021

Version current

Public

Visible to Intel only — GUID: bhc1410500748302

Ixiasoft

View Details

Document Table of Contents

Document Table of Contents x

Using the Design Security Features in Intel® FPGAs

Using the Design Security Features in Intel® FPGAs x

Overview of the Design Security Feature Hardware and Software Requirements Steps for Implementing a Secure Configuration Flow Steps to Enable Tamper-Protection Bit Programming Supported Configuration Schemes Security Mode Verification Serial Flash Loader Support with Encryption Enabled Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain JTAG Secure Mode for 28-nm and 20-nm FPGAs Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs

Overview of the Design Security Feature x

Security Encryption Algorithm Non-Volatile and Volatile Key Storage Key Programming Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool

Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool x

Using Qcrypt Tool Qcrypt Tool Options Security Levels of Qcrypt Tool Security Option

Hardware and Software Requirements x

Hardware Requirements Software Requirements

Steps for Implementing a Secure Configuration Flow x

Step 1: Generating .ekp File and Encrypting Configuration File Step 2a: Programming Volatile Key into the FPGAs Step 2b: Programming Non-Volatile Key into the FPGAs Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data

Step 1: Generating .ekp File and Encrypting Configuration File x

Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software

Step 2b: Programming Non-Volatile Key into the FPGAs x

Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Key using JTAG Technologies

Security Mode Verification x

Verification During JTAG Secure Mode

JTAG Secure Mode for 28-nm and 20-nm FPGAs x

Internal JTAG Interface Design Example for JTAG Secure Mode

Design Example for JTAG Secure Mode x

Design Example Intel® Quartus® Prime Design Components LOCK and UNLOCK JTAG Instructions Verifying JTAG Secure Mode

Using the Design Security Features in Intel® FPGAs

Overview of the Design Security Feature

Security Encryption Algorithm

Non-Volatile and Volatile Key Storage

Key Programming

Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool

Using Qcrypt Tool

Qcrypt Tool Options

Security Levels of Qcrypt Tool Security Option

Hardware and Software Requirements

Hardware Requirements

Software Requirements

Steps for Implementing a Secure Configuration Flow

Step 1: Generating .ekp File and Encrypting Configuration File

Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software

Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software

Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software

Step 2a: Programming Volatile Key into the FPGAs

Step 2b: Programming Non-Volatile Key into the FPGAs

Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software

Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software

Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software

Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software

Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software

Programming Key using JTAG Technologies

Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data

Steps to Enable Tamper-Protection Bit Programming

Supported Configuration Schemes

Security Mode Verification

Verification During JTAG Secure Mode

Serial Flash Loader Support with Encryption Enabled

Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain

JTAG Secure Mode for 28-nm and 20-nm FPGAs

Internal JTAG Interface

Design Example for JTAG Secure Mode

Design Example Intel® Quartus® Prime Design Components

LOCK and UNLOCK JTAG Instructions

Verifying JTAG Secure Mode

Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs

Visible to Intel only — GUID: bhc1410500748302

Ixiasoft

View Details

Step 2b: Programming Non-Volatile Key into the FPGAs

Before programming the non-volatile key into the devices, ensure that you can successfully configure the FPGA with an unencrypted configuration file. The non-volatile key is one-time programmable through the JTAG interface. You can program the non-volatile key into the devices without an external battery. Devices with the non-volatile key successfully programmed can accept both encrypted and unencrypted configuration bitstreams. If you set the tamper protection bit, only encrypted configuration bitstreams are accepted. This enables the use of unencrypted configuration bitstreams for board-level testing.

Any attempt to configure the FPGAs containing the volatile key with a configuration file encrypted with the wrong key causes the configuration to fail. If this occurs, the nSTATUS signal from the FPGA pulses low and continues to reset itself if you enable the Auto-restart configuration after error option in the Intel® Quartus® Prime software.

You can program the non-volatile key into the devices using on-board prototyping, volume production, and off-board prototyping and production listed in Key Programming.

Section Content
Programming Volatile or Non-Volatile Key using Intel FPGA Ethernet Cable and Intel Quartus Prime Software
Programming Single-Device Volatile or Non-Volatile Key using Intel Quartus Prime Software
Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel Quartus Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using Intel Quartus Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel Quartus Prime Software
Programming Key using JTAG Technologies

Level Two Title

Select Your Language

Using Intel.com Search

Quick Links

Recent Searches

Advanced Search

Only search in

AN 556: Using the Design Security Features in Intel FPGAs

Step 2b: Programming Non-Volatile Key into the FPGAs