Hi,
To implement security features on Cyclone V, I am following this application note:
Everything worked fine so far. Then I flashed a .ekp file including a non-volatile encryption key and activation of tamper bit protection, and then I lost power supply.
When I restarted the Cyclone V, I found out that at power-up, JTAG is in secure mode due to the previous tamper bit activation. So I can't reprogram it through the external JTAG interface.
The FPGA is connected to an EPCQ-A on my board that I can program through the AS port. However, my understanding is that the FPGA can now be configured only by an encrypted file. Because I am not able to store an encryption key in the FPGA (due to JTAG secure mode), I can't decrypt the file I flash in the EPCQ.
It seems that I am stuck in a vicious circle. Is there a way to flash a non-volatile/volatile key to solve this? A way to disable JTAG secure mode? Should I buy a new SoC?
Thanks for helping
Hi,
Per my understanding, the flash has been encrypted, not the FPGA?
I am checking internally if we can recover the flash without the key. I will let you know once I get the findings.
Regards,
Aiman
Hi,
Thank you for answering.
I'm sorry if my primary post isn't clear enough. I can access the EPCQ through its serial interface, so that's really not the problem here.
My problem is:
Because I activated tamper protection, the FPGA only accepts encrypted configuration files. I need to program a key on the FPGA to decrypt the configuration file, but I can't do this because JTAG is in secure mode. So I can't program the FPGA with the .ekp file.
I'm looking for a way to flash a key on the FPGA, to be able to program the FPGA with a configuration file.
Hi,
Please try to disable JTAG secure mode by issuing the UNLOCK instruction:
https://www.intel.com/content/www/us/en/docs/programmable/683375/current/jtag-secure-mode-91182.html
Regards,
Aiman
Hi,
I have a 28nm device.
Considering this part of AN556:
I can only issue the UNLOCK instruction using the internal JTAG interface. My understanding is that this interface can only be enabled by including a specific IP in the FPGA design. Since I can't configure the FPGA anymore, it is the same problem...
Regards
I just realized that in my primary post, I made a mistake. I talked about a non-volatile key, which is not correct. I configured the FPGA for a volatile key.
My issue still remains, but I just wanted to correct my mistake, and it seems I can't edit my post.
Hi,
- What are the processes that you can do and you cannot do now?
- Can you program JTAG, AS?
- Per my understanding, you cannot load the design into FPGA through due to you do not have the key? You can try to replace the flash and program again.
Regards,
Aiman
Hi,
- What are the processes that you can do and you cannot do now?
What I can do: flash an FPGA configuration file in the EPCQ.
What I cannot do: load a design into the FPGA and program the encryption key.
- Can you program JTAG, AS?
I can program the EPCQ with AS. I cannot program the FPGA with JTAG because JTAG is in secure mode.
- Per my understanding, you cannot load the design into FPGA through due to you do not have the key? You can try to replace the flash and program again
Indeed I cannot load the design into the FPGA, but it has nothing to do with the flash.
My problem seems to be confusing, so I will try to explain it again through a use case:
- I try to load an unencrypted design into the FPGA but it doesn't work. Why?
- Because I activated tamper bit protection (which is irreversible). What does tamper bit protection mean?
- It means that only encrypted FPGA configuration files are accepted. No worry! I just have to encrypt my design. I do it but the FPGA configuration step fails. Why?
- Because the FPGA needs the encryption key to be able to decrypt the design. Let's try to program this key on the FPGA. It fails. Why?
- Because JTAG is in secure mode. What does JTAG secure mode mean?
- It means that I cannot program a device and I can only issue mandatory JTAG commands. Why is JTAG in secure mode?
- Because I activated it when I enabled tamper bit protection. Is there a way to disable JTAG secure mode?
- Yes! There is one way: by issuing the UNLOCK command. For 28nm devices (my device), you can only issue the UNLOCK command through the JTAG internal interface. How do I access the JTAG internal interface?
- By adding a specific module in my FPGA design. Let's do this and configure the FPGA with this new design. Configuration fails. Why?
- Back to step 1: I cannot load a design into the FPGA.
The question is: considering this tamper bit activation, is there a way to configure the FPGA? Or a way to program a key? Anything that could allow me to configure the FPGA.
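The dependency loop walked through in the post above can be checked mechanically. The following is an added example, not part of the thread and not Intel tooling: a small Python model that searches for any sequence of operations ending in a configured device. The rule names and the `Device` fields are hypothetical, and the preconditions restate only what the thread describes for a 28nm device.

```python
from collections import deque
from typing import NamedTuple, Optional

class Device(NamedTuple):
    tamper_bit: bool    # irreversible; only encrypted configuration accepted
    jtag_secure: bool   # external JTAG limited to mandatory instructions
    key_loaded: bool    # volatile key currently held by the device
    configured: bool    # a design is running in the fabric

# Each rule: (name, precondition, effect). Hypothetical names; the
# preconditions are the ones stated in the thread, nothing more.
RULES = [
    ("program_key_external_jtag",
     lambda d: not d.jtag_secure,
     lambda d: d._replace(key_loaded=True)),
    ("configure_unencrypted",
     lambda d: not d.tamper_bit,
     lambda d: d._replace(configured=True)),
    ("configure_encrypted",
     lambda d: d.key_loaded,
     lambda d: d._replace(configured=True)),
    ("unlock_internal_jtag",   # needs a running design with the JTAG IP
     lambda d: d.configured and d.jtag_secure,
     lambda d: d._replace(jtag_secure=False)),
]

def recovery_path(start: Device) -> Optional[list]:
    """Breadth-first search for the shortest rule sequence that leaves
    the device configured; returns None when no sequence exists."""
    seen, queue = {start}, deque([(start, [])])
    while queue:
        dev, path = queue.popleft()
        if dev.configured:
            return path
        for name, allowed, apply in RULES:
            if allowed(dev):
                nxt = apply(dev)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [name]))
    return None

# Constructed states, not read from hardware.
BRICKED = Device(True, True, False, False)       # tamper bit set, key lost
KEY_RETAINED = Device(True, True, True, False)   # same, key still held
FRESH = Device(False, False, False, False)       # before any security step
```

`recovery_path(BRICKED)` returns `None` because every rule's precondition fails in that state, while the same device with the key still held needs only `configure_encrypted`.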
Hi,
Apologies for the delay in response as I was checking this with our internal team.
The conclusion after discussing with engineering is that when the tamper resistance bit is set, the device will accept only encrypted POF. Therefore, you can’t reprogram the key.
Since the key is lost and cannot be reprogrammed, the device cannot be programmed.
Regards,
Aiman
We did not receive any response from you to the previous answer that I provided. This thread will be transitioned to community support. If you have a new question, feel free to open a new thread to get support from Intel experts. Otherwise, the community users will continue to help you on this thread. Thank you.