Programmable Devices
CPLDs, FPGAs, SoC FPGAs, Configuration, and Transceivers
20815 Discussions

Erasing a Volatile Key from Arria-10 GX

PawelMa
Novice
673 Views

Hello!

 

In one of our designs, we use the bitstream encryption feature in Arria-10 GX FPGA. We'd like to implement a kill switch (triggered by externally detected tampering).

 

Is it possible to erase (or perhaps program a fake one) volatile key programatically, i.e. from inside the design?

 

Such action should result in rendering the device unusable (unbootable), since the bitstream is encrypted and stored in the flash.

 

All I've found in the documentation, including AN556, is how to do this using JTAG. I presume it could also be done using Virtual JTAG, but maybe there's a simpler way?

 

Thanks in advance!

Pawel

0 Kudos
1 Solution
PawelMa
Novice
231 Views

Yes, that was my original question and the goal.

Ad 1. I've recently received some info on this subject from one of the FAE's, that's very much under NDA, regarding the use of the internal JTAG in the discussed topic. I hope I won't violate the NDA by saying this: It's not impossible.

Ad 2. That's a very good point. Removing the VCCBAT indeed causes the POR and needs to be extended by external logic, i.e. a monoflip. Having an external security controller, it's easy to implement.

That solves my question. Thank You a lot!

Pawel

View solution in original post

0 Kudos
13 Replies
NurAiman_M_Intel
Employee
587 Views

Hi,


To answer your questions,


  • We do not provide killed switch.
  • The purpose of encryption is to provide protection. The design that has been encrypted cannot be tampered.

Regards,

Aiman


0 Kudos
PawelMa
Novice
585 Views

Thank You for the reply.

All I need to do is to erase the volatile key.

It's a simple task when the FPGA is powered off, one can just remove power from the VCCBAT pin.

Would disconnecting the VCCBAT while the FPGA is powered on also result in the key being deleted?

TIA & regards,

Pawel

0 Kudos
NurAiman_M_Intel
Employee
486 Views

Hi,


I am confirming this with our internal team.


Can I know if you enable Tamper-Protection bit? And do you intended to reprogram the volatile key?


Regards,

Aiman


0 Kudos
PawelMa
Novice
467 Views

Hi,

No, we did not enable the Tamper-Protection bit. I used the word "tamper" for the mechanical tampering with the device's enclosure.

In our case, it will be sufficient to erase the volatile key.

If it couldn't be done without programming a new one, we can do the full reprogramming cycle.

Regards,

Pawel

0 Kudos
NurAiman_M_Intel
Employee
441 Views

Hi,


VCCBAT is a dedicated power supply for the volatile key storage. I believe the key will be gone if remove VCCBAT.

If you do not use the volatile key, refer to the respective device family pin connection guidelines for VCCBAT connection.


You can confirm if the volatile key is clear by perform the KEY_VERIFY JTAG instruction bit 20 to read out the information on the security features that are enabled on the chip. You can also verify by configure the FPGA without the key to ensure the volatile key is no longer needed. Refer figure on my next post.


Regards,

Aiman


0 Kudos
FvM
Valued Contributor III
405 Views

I understand that original question is asking how volatile key can be cleared in user mode without using JTAG interface.
1. Unlikely by virtual JTAG operation. Virtual key register is part of dedicated JTAG hardware, not soft SLD infrastructure.
2. VCCBAT is monitored by POR comparator, removing it will most likely trigger power-on reset. Voltage level for key clearance is probably far below POR threshold. If you consider to switch off VCCBAT by logic output, consider to extend pulse duration by a monoflop.

PawelMa
Novice
232 Views

Yes, that was my original question and the goal.

Ad 1. I've recently received some info on this subject from one of the FAE's, that's very much under NDA, regarding the use of the internal JTAG in the discussed topic. I hope I won't violate the NDA by saying this: It's not impossible.

Ad 2. That's a very good point. Removing the VCCBAT indeed causes the POR and needs to be extended by external logic, i.e. a monoflip. Having an external security controller, it's easy to implement.

That solves my question. Thank You a lot!

Pawel

0 Kudos
PawelMa
Novice
229 Views

BTW, I'm sorry, I intended to mark Your reply as the solution, not my comment.

Pawel

0 Kudos
NurAiman_M_Intel
Employee
255 Views

Hi,


Any further information needed for this case?


Regards,

Aiman


0 Kudos
NurAiman_M_Intel
Employee
242 Views

Hi,


Any further information needed for this case?


Regards,

Aiman


0 Kudos
PawelMa
Novice
229 Views

Hi Aiman,

No, thank you for Your assistance.

Best regards,

Pawel

0 Kudos
NurAiman_M_Intel
Employee
179 Views

Hi,


Thanks for the confirmation. I’m glad that your question has been addressed, I now transition this thread to community support. If you have a new question, feel free to open a new thread to get the support from Intel experts. Otherwise, the community users will continue to help you on this thread. Thank you.


Regards,

Aiman


0 Kudos
Reply