Solved: Erasing a Volatile Key from Arria-10 GX

PawelMa · ‎05-20-2024

Hello!

In one of our designs, we use the bitstream encryption feature in Arria-10 GX FPGA. We'd like to implement a kill switch (triggered by externally detected tampering).

Is it possible to erase (or perhaps program a fake one) volatile key programatically, i.e. from inside the design?

Such action should result in rendering the device unusable (unbootable), since the bitstream is encrypted and stored in the flash.

All I've found in the documentation, including AN556, is how to do this using JTAG. I presume it could also be done using Virtual JTAG, but maybe there's a simpler way?

Thanks in advance!

Pawel

PawelMa · ‎06-11-2024

Yes, that was my original question and the goal.

Ad 1. I've recently received some info on this subject from one of the FAE's, that's very much under NDA, regarding the use of the internal JTAG in the discussed topic. I hope I won't violate the NDA by saying this: It's not impossible.

Ad 2. That's a very good point. Removing the VCCBAT indeed causes the POR and needs to be extended by external logic, i.e. a monoflip. Having an external security controller, it's easy to implement.

That solves my question. Thank You a lot!

Pawel

View solution in original post

NurAiman_M_Intel · ‎05-24-2024

Hi,

To answer your questions,

We do not provide killed switch.
The purpose of encryption is to provide protection. The design that has been encrypted cannot be tampered.

Regards,

Aiman

PawelMa · ‎05-24-2024

Thank You for the reply.

All I need to do is to erase the volatile key.

It's a simple task when the FPGA is powered off, one can just remove power from the VCCBAT pin.

Would disconnecting the VCCBAT while the FPGA is powered on also result in the key being deleted?

TIA & regards,

Pawel

NurAiman_M_Intel · ‎05-27-2024

Hi,

I am confirming this with our internal team.

Can I know if you enable Tamper-Protection bit? And do you intended to reprogram the volatile key?

Regards,

Aiman

PawelMa · ‎05-28-2024

Hi,

No, we did not enable the Tamper-Protection bit. I used the word "tamper" for the mechanical tampering with the device's enclosure.

In our case, it will be sufficient to erase the volatile key.

If it couldn't be done without programming a new one, we can do the full reprogramming cycle.

Regards,

Pawel

NurAiman_M_Intel · ‎05-29-2024

Hi,

VCCBAT is a dedicated power supply for the volatile key storage. I believe the key will be gone if remove VCCBAT.

If you do not use the volatile key, refer to the respective device family pin connection guidelines for VCCBAT connection.

You can confirm if the volatile key is clear by perform the KEY_VERIFY JTAG instruction bit 20 to read out the information on the security features that are enabled on the chip. You can also verify by configure the FPGA without the key to ensure the volatile key is no longer needed. Refer figure on my next post.

Regards,

Aiman

NurAiman_M_Intel · ‎05-29-2024

FvM · ‎05-30-2024

I understand that original question is asking how volatile key can be cleared in user mode without using JTAG interface.
1. Unlikely by virtual JTAG operation. Virtual key register is part of dedicated JTAG hardware, not soft SLD infrastructure.
2. VCCBAT is monitored by POR comparator, removing it will most likely trigger power-on reset. Voltage level for key clearance is probably far below POR threshold. If you consider to switch off VCCBAT by logic output, consider to extend pulse duration by a monoflop.

PawelMa · ‎06-11-2024

Yes, that was my original question and the goal.

Ad 1. I've recently received some info on this subject from one of the FAE's, that's very much under NDA, regarding the use of the internal JTAG in the discussed topic. I hope I won't violate the NDA by saying this: It's not impossible.

Ad 2. That's a very good point. Removing the VCCBAT indeed causes the POR and needs to be extended by external logic, i.e. a monoflip. Having an external security controller, it's easy to implement.

That solves my question. Thank You a lot!

Pawel

PawelMa · ‎06-11-2024

BTW, I'm sorry, I intended to mark Your reply as the solution, not my comment.

Pawel

NurAiman_M_Intel · ‎06-10-2024

Hi,

Any further information needed for this case?

Regards,

Aiman

NurAiman_M_Intel · ‎06-11-2024

Hi,

Any further information needed for this case?

Regards,

Aiman

PawelMa · ‎06-11-2024

Hi Aiman,

No, thank you for Your assistance.

Best regards,

Pawel

NurAiman_M_Intel · ‎06-11-2024

Hi,

Thanks for the confirmation. I’m glad that your question has been addressed, I now transition this thread to community support. If you have a new question, feel free to open a new thread to get the support from Intel experts. Otherwise, the community users will continue to help you on this thread. Thank you.

Regards,

Aiman

Erasing a Volatile Key from Arria-10 GX

Configuration (FPGA)

General Architecture (Non|IO)

Programming (CPLD|Config Dev)