Programmable Devices
CPLDs, FPGAs, SoC FPGAs, Configuration, and Transceivers
20957 Discussions

Erasing a Volatile Key from Arria-10 GX

PawelMa
Novice
‎05-20-2024 07:20 AM
1,161 Views
Solved Jump to solution

Hello!

 

In one of our designs, we use the bitstream encryption feature in Arria-10 GX FPGA. We'd like to implement a kill switch (triggered by externally detected tampering).

 

Is it possible to erase (or perhaps program a fake one) volatile key programatically, i.e. from inside the design?

 

Such action should result in rendering the device unusable (unbootable), since the bitstream is encrypted and stored in the flash.

 

All I've found in the documentation, including AN556, is how to do this using JTAG. I presume it could also be done using Virtual JTAG, but maybe there's a simpler way?

 

Thanks in advance!

Pawel

0 Kudos
1 Solution
PawelMa
Novice
‎06-11-2024 04:37 AM
719 Views
Solved Jump to solution
In response to FvM

Yes, that was my original question and the goal.

Ad 1. I've recently received some info on this subject from one of the FAE's, that's very much under NDA, regarding the use of the internal JTAG in the discussed topic. I hope I won't violate the NDA by saying this: It's not impossible.

Ad 2. That's a very good point. Removing the VCCBAT indeed causes the POR and needs to be extended by external logic, i.e. a monoflip. Having an external security controller, it's easy to implement.

That solves my question. Thank You a lot!

Pawel

View solution in original post

In response to FvM
0 Kudos
Copy link

Link Copied

13 Replies
NurAiman_M_Intel
Employee
‎05-24-2024 01:04 AM
1,075 Views
Solved Jump to solution

Hi,


To answer your questions,


  • We do not provide killed switch.
  • The purpose of encryption is to provide protection. The design that has been encrypted cannot be tampered.

Regards,

Aiman


0 Kudos
Copy link
PawelMa
Novice
‎05-24-2024 01:27 AM
1,073 Views
Solved Jump to solution

Thank You for the reply.

All I need to do is to erase the volatile key.

It's a simple task when the FPGA is powered off, one can just remove power from the VCCBAT pin.

Would disconnecting the VCCBAT while the FPGA is powered on also result in the key being deleted?

TIA & regards,

Pawel

0 Kudos
Copy link
NurAiman_M_Intel
Employee
‎05-27-2024 07:52 PM
974 Views
Solved Jump to solution

Hi,


I am confirming this with our internal team.


Can I know if you enable Tamper-Protection bit? And do you intended to reprogram the volatile key?


Regards,

Aiman


0 Kudos
Copy link
PawelMa
Novice
‎05-28-2024 02:03 AM
955 Views
Solved Jump to solution
In response to NurAiman_M_Intel

Hi,

No, we did not enable the Tamper-Protection bit. I used the word "tamper" for the mechanical tampering with the device's enclosure.

In our case, it will be sufficient to erase the volatile key.

If it couldn't be done without programming a new one, we can do the full reprogramming cycle.

Regards,

Pawel

In response to NurAiman_M_Intel
0 Kudos
Copy link
NurAiman_M_Intel
Employee
‎05-29-2024 07:34 PM
929 Views
Solved Jump to solution

Hi,


VCCBAT is a dedicated power supply for the volatile key storage. I believe the key will be gone if remove VCCBAT.

If you do not use the volatile key, refer to the respective device family pin connection guidelines for VCCBAT connection.


You can confirm if the volatile key is clear by perform the KEY_VERIFY JTAG instruction bit 20 to read out the information on the security features that are enabled on the chip. You can also verify by configure the FPGA without the key to ensure the volatile key is no longer needed. Refer figure on my next post.


Regards,

Aiman


0 Kudos
Copy link
FvM
Honored Contributor I
‎05-30-2024 03:14 AM
893 Views
Solved Jump to solution
In response to NurAiman_M_Intel

I understand that original question is asking how volatile key can be cleared in user mode without using JTAG interface.
1. Unlikely by virtual JTAG operation. Virtual key register is part of dedicated JTAG hardware, not soft SLD infrastructure.
2. VCCBAT is monitored by POR comparator, removing it will most likely trigger power-on reset. Voltage level for key clearance is probably far below POR threshold. If you consider to switch off VCCBAT by logic output, consider to extend pulse duration by a monoflop.

In response to NurAiman_M_Intel
Copy link
PawelMa
Novice
‎06-11-2024 04:37 AM
720 Views
Solved Jump to solution
In response to FvM

Yes, that was my original question and the goal.

Ad 1. I've recently received some info on this subject from one of the FAE's, that's very much under NDA, regarding the use of the internal JTAG in the discussed topic. I hope I won't violate the NDA by saying this: It's not impossible.

Ad 2. That's a very good point. Removing the VCCBAT indeed causes the POR and needs to be extended by external logic, i.e. a monoflip. Having an external security controller, it's easy to implement.

That solves my question. Thank You a lot!

Pawel

In response to FvM
0 Kudos
Copy link
PawelMa
Novice
‎06-11-2024 04:40 AM
717 Views
Solved Jump to solution
In response to FvM

BTW, I'm sorry, I intended to mark Your reply as the solution, not my comment.

Pawel

In response to FvM
0 Kudos
Copy link
NurAiman_M_Intel
Employee
‎06-10-2024 08:03 PM
743 Views
Solved Jump to solution

Hi,


Any further information needed for this case?


Regards,

Aiman


0 Kudos
Copy link
NurAiman_M_Intel
Employee
‎06-11-2024 12:05 AM
730 Views
Solved Jump to solution

Hi,


Any further information needed for this case?


Regards,

Aiman


0 Kudos
Copy link
PawelMa
Novice
‎06-11-2024 04:41 AM
717 Views
Solved Jump to solution
In response to NurAiman_M_Intel

Hi Aiman,

No, thank you for Your assistance.

Best regards,

Pawel

In response to NurAiman_M_Intel
0 Kudos
Copy link
NurAiman_M_Intel
Employee
‎06-11-2024 07:51 PM
667 Views
Solved Jump to solution

Hi,


Thanks for the confirmation. I’m glad that your question has been addressed, I now transition this thread to community support. If you have a new question, feel free to open a new thread to get the support from Intel experts. Otherwise, the community users will continue to help you on this thread. Thank you.


Regards,

Aiman


0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.