Community
cancel
Showing results for 
Search instead for 
Did you mean: 
MVanM
Beginner
348 Views

Can I use design security feature to decrypt different bitfiles encrypted with the same key

The manual for the design security feature states that it is possible to program an AES key into the FPGA in order to be able to decrypt encrypted bitfiles. When looking at the manual I see the following command line example to generate the .ekp file that is used to program the key into the device.

 

quartus_cpf --keyD:\SIV_DS\key12.key:key1:key2 D:\SIV_DS\test.sof D:\SIV_DS\test.ekp

 

This example takes the .sof file as an input in the generation of the .ekp file. Does that mean that the programmed key only works for that specific design or can I generate a new design and do encryption/decription using the same key?

 

Regards,

Maarten

 

0 Kudos
4 Replies
ShafiqY_Intel
Employee
33 Views

Hi MVanM,

 

Yes, the programmed key only work for specific design.

If you generate a new design, you need to create new key.

 

For more details regarding Intel Design Security, please refer to the following AN:

https://www.intel.com/content/dam/www/programmable/us/en/pdfs/literature/an/an556.pdf

 

Thanks😉

MVanM
Beginner
33 Views

Hi MShafiq

 

Thanks for the initial explanation. An556 was the manual I was referring to and from which I took the command line example.

 

What makes a design 'specific' or 'new'? if I add an inverter somewhere in the design and regenerate configuration data (.sof) . Is that already different? So if I write the key to the fuses I can only ever decrypt that precise configuration down to the delays/routing etc?

 

Your answer already seems to indicate so. But hopefully I am mistaken. Because I would like to encrypt my bitfiles and be able to decrypt them. But hardware in the field should be able to decrypt possible future updates to the design if new functionality is added or possible bugfixes are made.

 

Regards,

Maarten

 

 

ShafiqY_Intel
Employee
33 Views

Hi,

 

Any changes in design (small changes or big changes) cause the bitstream in sof change. This make new sof file (new changes in design) different to previous sof file.

 

Usually, design security features is used when your design is in the final stage (final design and ready for production).

 

If any bug/error in future, decrypt the previous design. Generate a new key and program the new design.

I think the design security features is straight forward and not complicated.

 

I hope this will make you much clear.

 

Thanks😉

 

MVanM
Beginner
33 Views

Hi

 

But if you program a non-volatile key it cannot be changed anymore. So generating a new key is not an option for boards with the key already programmed into the fpga. To be 100% clear. Assume the following steps:

 

  1. Create .sof file
  2. Create .ekp and encrypted .sof (.rbf) by supplying KEY and .sof file
  3. Program non-volatile key into fuse on fpga using .ekp file
  4. FPGA can now decrypt the encrypted design (.rbf) using the programmed key.
  5. Decide a small change in design is needed
  6. Generate a new .sof file with design changes.
  7. Encrypt the new .sof file with original KEY
  8. FPGA cannot decrypt the new encrypted configuration (.rbf)?

 

This would make it completely impossible to do an upgrade in the field.

Reply