AN 556: Using the Design Security Features in Intel FPGAs

ID 683269
Date 5/21/2021
Public

Using the Design Security Features in Intel® FPGAs

This application note describes how you can use the design security features in Intel® 40-, 28- and 20-nm FPGAs to protect your designs against unauthorized copying, reverse engineering, and tampering of your configuration files. It provides the hardware and software requirements for the design security features of the 40-, 28- and 20-nm FPGAs, and the steps for implementing a secure configuration flow.

Note: This application note uses the term "40-nm", "28-nm" or "20-nm" FPGAs. The following table lists the supported FPGAs and their applicable devices.

Table 1.  Supported FPGAs

| FPGA | Devices |
|---|---|
| 40 nm | Arria® II and Stratix® IV |
| 28 nm | Arria® V, Cyclone® V, and Stratix® V |
| 20 nm | Intel® Arria® 10 and Intel® Cyclone® 10 GX |

In commercial and military environments, design security is an important consideration for digital designers. As FPGAs start to play a role in larger and more critical system components, it is important to protect the designs from unauthorized copying, reverse engineering, and tampering. Intel FPGAs address these concerns by encrypting their configuration bitstreams with the 256-bit Advanced Encryption Standard (AES) algorithm.

Table 2.  AES Modes in Supported Intel® FPGAs

| FPGA | AES Mode |
|---|---|
| 40 nm | Counter Mode (CTR) |
| 28 nm | Cipher-block chaining (CBC) |
| 20 nm | CTR and keyed-hash message authentication code (HMAC) |

During device operation, FPGAs store configuration data in SRAM configuration cells. Because SRAM memory is volatile, the SRAM cells must be loaded with configuration data each time the device powers up. Configuration data is typically sent from an external memory source, such as a flash memory or a configuration device, to the FPGA. It is possible to intercept the configuration data when it is being sent from the memory source to the FPGA. If the configuration data were not encrypted, you could use the intercepted configuration data to configure another FPGA.

Intel FPGAs offer both volatile and non-volatile key storage. When you use the design security feature, the key is stored in the FPGA. Depending on the security mode, you can configure the FPGA with a configuration file that is encrypted with the same key or, for board testing, with a normal configuration file.

The design security feature is available when configuring the FPGAs with the fast passive parallel (FPP) configuration scheme using an external host (such as a MAX® II or MAX V device or a microprocessor), or when using the active serial (AS) or passive serial (PS) configuration schemes.