Programmable Devices
CPLDs, FPGAs, SoC FPGAs, Configuration, and Transceivers
21611 Discussions

FPGA Non-Volatile key and Tamper-Protection

FOZDEMIR
Novice
‎06-04-2025 06:56 AM
679 Views

Hi,

I was working on security features for Cyclone V FPGA according to AN556 Intel document and I have a problem re-configuring FPGA via Serial Flash Loader. (Active Serial with .jic file)

Situation step by step:

 - Configuration flash memory is empty

 - Security features are programmed via JTAG with .jam file

Security Features Applied to Cyclone V FPGA:

 - Tamper-Protection

 - Non-Volatile Key (Key is known and available)

Configuration Scheme/Tools:

 - Active Serial from EPCQ256

 - Quartus Prime 20.1

 - USB-Blaster II

As far as I know, my problem is the JTAG Secure mode caused by Tamper-Protection, but I am open for suggestions.

I was in a rush and did not cover the whole document before burning keys/security options. Thus, there is nothing in the configuration flash (EPCQ256) which means I did not include SFL IP core before security measures. Now, I need to configure FPGA, but I cannot access FPGA through JTAG to configure "Factory default enhanced SFL image" in order to write .jic programming file to EPCQ256 flash. I cannot afford to lose FPGA so I would like to recover it.

 

I cannot configure FPGA with .sof or .jic files. Error code: 209014 "CONF_DONE pin failed to go high in device x"

I cannot burn new security features with .ekp or .jam. Error code: 209012 "Failed to program the non-volatile security key on device x"

 

My issue is, do you have any suggestions to recover from this state?

 

I have a few ideas explained below, but they are a bit messy, time consuming and frankly I am not sure if they will work. Can someone help me navigate through?

Ideas:

 - Separating EPCQ256 flash from board and configuring encrypted .jic file externally. Then, re-combining the EPCQ256 flash to FPGA board. Thus, I would achieve SFL IP core prerequisite of SFL encryption.

 - Changing, configuration mode of FPGA from AS to PS. Then configuring encrypted SFL image to FPGA (.rbf). After that, writing encrypted .jic file that has SFL IP core to EPCQ256 flash. (I am not sure if I can configure encrypted SFL image while JTAG secure mode is active)

 

I have also searched the community and found the link below, but it did not help me.

Community Link: Solved: Re:FPGA non-volatile key and tamper bit protection - Intel Community

 

Labels (2)
0 Kudos

Link Copied

3 Replies
Farabi
Employee
‎06-09-2025 09:47 PM
558 Views

Hello,


Checking your status:

1- can you re-program the FPGA via JTAG?

2- can you re-program the Flash via JTAG?

3- Do you have the .ekp?


regards,

Farabi


0 Kudos
Copy link
FOZDEMIR
Novice
‎06-09-2025 10:51 PM
546 Views

Hi Farabi,

 

No, I cannot reprogram FPGA/Flash via JTAG.

 

Yes, I have the .ekp and key.

 

Thank you.

0 Kudos
Copy link
Farabi
Employee
‎06-25-2025 08:09 PM
413 Views

Hello,


Unfortunately, once you programmed the non-volatile key, only the encrypted bitstream with the key can be loaded.

If you accidentally programmed the key, the fuse has already permanently burnt. There is no way it can be recovered.


regards,

Farabi


0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.