Design security – Achronix Speedster22i Configuration User Manual
UG033, December 18, 2013
Design Security
Speedster22iHD devices provide design security features using a 256‐bit Advanced
Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) mode. The FPGA
contains a non‐volatile memory (known as a high-security or HS eFuse) for the storage of the
required AES key.
Design security on Speedster22iHD devices is provided by putting the device in secure
mode. This puts the following two mechanisms into effect:
• FPGA configuration bitstream encryption: the FPGA only accepts encrypted
bitstreams. During configuration, the FCU decrypts the encrypted bitstream using a
decryption key based on the same encryption key.
• Readback disable: configuration bitstream readback is disabled, meaning that the
design information cannot be read out and copied. HS eFuse readback capability is
also blocked.
Enabling design security features requires two functions:
a. Generation of encrypted bitstreams in ACE, after enabling AES encryption and
specifying the encryption key that will be programmed into the FPGA. This is done
in the ACE Bitstream Options GUI by checking the appropriate box and typing in
the actual key to be written.
b. One-time blowing of HS eFuses to program in the key needed for AES.
The blowing of eFuses has to be very carefully integrated into the design security
implementation process, since it is irreversible. Recovery from unintentionally blown fuses is
not feasible, so the fuse-blowing procedure should be diligently validated for correct operation
before it is enabled in a production flow. Also note that, as specified in the Pin Connections
and Power Supply Sequencing User Guide, one of the fuse power rails, VCCFHV_EFUSE[3:1],
needs to be powered by its own separate regulator to ensure that this rail can be increased to
the voltage level needed for fuse blowing without affecting the rest of the FPGA operation.
Therefore, the FPGA board and setup need to provide for this ability.
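Because blown eFuses cannot be corrected, one check worth running before any fuses are blown is that the key staged for the eFuses is the same 256-bit value typed into ACE and is not a degenerate test value. The following is an added example, not Achronix code or part of the original manual; the function names (`parse_key`, `weakness`, `fingerprint`, `preburn_check`), the weak-key rules and the fingerprint label are assumptions chosen for illustration.

```python
# Added example: names and weak-key rules are assumptions, not Achronix tooling.
import hashlib
import hmac

KEY_BYTES = 32  # 256-bit AES key, as stated in the manual


def parse_key(hex_text):
    """Parse a 256-bit key from hex; tolerate spaces, underscores and a 0x prefix."""
    cleaned = hex_text.strip().replace(" ", "").replace("_", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if len(cleaned) != KEY_BYTES * 2:
        raise ValueError(f"expected {KEY_BYTES * 2} hex digits, got {len(cleaned)}")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def weakness(key):
    """Return a reason string if the key is degenerate, else None."""
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    if len(steps) == 1:  # 00 00 00 ... or 00 01 02 ...
        return "constant or sequential bytes"
    if key[:KEY_BYTES // 2] == key[KEY_BYTES // 2:]:
        return "both halves identical"
    return None


def fingerprint(key):
    """Short SHA-256 tag for sign-off records, so the key itself is never logged."""
    return hashlib.sha256(b"efuse-key-check:" + key).hexdigest()[:16]


def preburn_check(ace_key_hex, fuse_key_hex):
    """Return (ok, message); ok only if both entries are the same sound key."""
    try:
        ace_key, fuse_key = parse_key(ace_key_hex), parse_key(fuse_key_hex)
    except ValueError as exc:
        return False, f"malformed key: {exc}"
    if not hmac.compare_digest(ace_key, fuse_key):
        return False, "ACE key and eFuse key differ; do not blow fuses"
    reason = weakness(ace_key)
    if reason:
        return False, f"weak key: {reason}"
    return True, f"keys match, fingerprint {fingerprint(ace_key)}"


if __name__ == "__main__":
    sample = "3a7f19c4e2580b6d91f0a4c73e5b28d6047c9be1f35a8d2607b4e9c15d83fa60"  # constructed
    print(preburn_check(sample, "0x" + sample.upper()))
```

Recording only the fingerprint in the sign-off log lets two operators confirm they hold the same key without the key appearing in any record.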
The fuse blowing process consists of 3 phases:
1. Run phase 1 programming steps to cycle through the FCU states, write required
values to the eFuse registers, and bring the device to a state where eFuses are ready to
be blown.
2. Raise VCCFHV_EFUSE[3:1] to 2.2V and VCCRAM_EFUSE[3:1]/VDDA_NOM_E/W
to 1.1V. Run phase 2 steps needed to blow the eFuses.