Visible to Intel only — GUID: bhc1410500775598
Ixiasoft
Overview of the Design Security Feature
Hardware and Software Requirements
Steps for Implementing a Secure Configuration Flow
Steps to Enable Tamper-Protection Bit Programming
Supported Configuration Schemes
Security Mode Verification
Serial Flash Loader Support with Encryption Enabled
Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain
JTAG Secure Mode for 28-nm and 20-nm FPGAs
Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software
Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software
Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software
Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
Programming Key using JTAG Technologies
Visible to Intel only — GUID: bhc1410500775598
Ixiasoft
Supported Configuration Schemes
The design security feature is available in all configuration schemes except JTAG-based configuration.
| Configuration Scheme | Configuration Method | Design Security | Notes |
|---|---|---|---|
| FPP | A MAX® II or MAX® V device, or a microprocessor and a flash memory | Yes | In this mode, the host system must send a DCLK signal that is 4x the data rate. |
| AS | Serial configuration device | Yes | — |
| PS | A MAX® II or MAX® V device, or a microprocessor and a flash memory | Yes | — |
| Intel® FPGA Download Cable and Intel® FPGA Download Cable II | Yes | Configure encrypted .rbf to FPGA using PS mode in Intel® Quartus® Prime Programmer. | |
| JTAG | Intel® FPGA Download Cable and Intel® FPGA Download Cable II | — | For key programming. |
If your system contains a common flash interface (CFI) flash memory, you can also use it for the FPGA configuration. The MAX® II and MAX® V together with the Parallel Flash Loader Intel® FPGA IP core provides an efficient method to program CFI flash memory through the JTAG interface.
You can use the design security feature with other configuration features, such as the compression and remote system upgrade features. When compression is used with the design security feature, the configuration file is first compressed and then encrypted in the Intel® Quartus® Prime software. During configuration, the FPGA first decrypts and then uncompresses the configuration file.
Note: Encryption and compression cannot be used simultaneously in 20-nm FPGAs.
You can either perform boundary-scan test (BST) or use the Signal Tap logic analyzer to analyze functional data within the FPGA. However, you cannot perform JTAG configuration after the key with tamper-protection bit set is programmed into the 40-nm, 28-nm or 20-nm FPGAs.
When using the Signal Tap logic analyzer, you must first configure the device with an encrypted configuration file using PS, FPP, or AS configuration schemes. The design must contain at least one instance of the Signal Tap logic analyzer. After the FPGA is configured with a Signal Tap logic analyzer instance in the design. Open the Signal Tap logic analyzer window in the Intel® Quartus® Prime software and click Scan Chain. Once the scanning is complete, the Signal Tap logic analyzer is ready to acquire data using JTAG interface.
Related Information