How to use ekp as persistent master key on MAX 10.

BSusi · ‎08-28-2019

I've tried to develop a secure FPGA environment with master key (8.ekp) and encrypted ROM image (*.pof). The idea is to program the master key once before the FPGA left to the customer and the (*.pof) should be field up-gradable multiple times in the overseas customer.

However, by following Intel documentation of MAX 10 Configuration: https://www.intel.com/content/dam/www/programmable/us/en/pdfs/literature/hb/max-10/ug_m10_config.pdf section 3.8, I have a problem that the ekp key will also be erased if I do the bulk erase. This might cause a problem in the field in the FPGA CFM is erased.

Second problem is, I found out that downloading encrypted pof multiple times causes a problem of: Error (209014): CONF_DONE pin failed to go high in device 1. Which according to this: https://www.intel.com/content/www/us/en/programmable/support/support-resources/knowledge-base/soluti..., means that each time the encrypted pof needs to be flashed, CFM needs to be erased which then the erased ekp needs to be reprogrammed.

I tried to use JTAG secure, this makes the ekp persistent on the device since the JTAG connection is not there for programming afterwards.

My question is:

Can I make the ekp not erasable?
How can I design a system which consist of one time programmable ekp and field upgrade-able pof?

JohnT_Intel · ‎08-29-2019

Hi,

The ekp content is store in the ICB portion and not on CFM. If you would like to prevent it from erasable then JTAG Secure mode is the most suitable method as this will disable JTAG from accessing it.
Any system can enable it. I would recommend you to use "On-Chip Flash Intel FPGA" IP (https://www.intel.com/content/dam/www/programmable/us/en/pdfs/literature/hb/max-10/ug_m10_ufm.pdf) for you to update the CFM content. This will prevent user from accidentally erasing the EKP. Since you plan to performed filed upgrade then I would recommend you to use "Dual Configuration" IP so that you have a golden design that you are able to revert to in case there is a corrupted image during field upgrade. By using this method, JTAG Secure mode can also be enabled without any issue as we no longer using JTAG to update the CFM. The only thing that you need to do is to design a interface that you can use to remotely communicate (other than JTAG) and connect it to "On-Chip Flash Intel FPGA" and "Dual Configuration" IP. You may refer to https://www.intel.com/content/dam/www/programmable/us/en/pdfs/literature/an/an741.pdf which is using UART interface to performed remote upgrade.

BSusi · ‎08-29-2019

Hi @JohnT_Intel ,

Thanks for your suggestion.

Unfortunately, the only interface that our customer have is JTAG. So using UART communication means a significant redesign is required, thus we don't prefer.

My further question is:

Is the EKP which stored in ICB secure? I see that there's not possible to retrieve the key via JTAG programmer.
Is it also protected from being read? I suppose that the EKP is stored in an unencrypted manner in the ICB.
I see that based on this document https://www.intel.com/content/www/us/en/programmable/documentation/bhc1410500804155.html#bhc14105007... in the part of Non-Volatile and Volatile Key Storage, the possibility to program an OTP hardware key (for 20nm FPGAs) is mentioned. Is this the case also for MAX 10 devices? I use 10M04SCM153C8G to be specific.

JohnT_Intel · ‎08-30-2019

Hi,

Is the EKP which stored in ICB secure? I see that there's not possible to retrieve the key via JTAG programmer.

Yes. You can either write or erase. No read is possible.

Is it also protected from being read? I suppose that the EKP is stored in an unencrypted manner in the ICB.

Yes.

I see that based on this document https://www.intel.com/content/www/us/en/programmable/documentation/bhc1410500804155.html#bhc14105007... in the part of Non-Volatile and Volatile Key Storage, the possibility to program an OTP hardware key (for 20nm FPGAs) is mentioned. Is this the case also for MAX 10 devices? I use 10M04SCM153C8G to be specific.

Max 10 does not support this.