Many FPGA designs implement encryption, and there is often the need to embed secret keys in the FPGA bitstream. In newer device families, such as Stratix® 10 and Agilex™ 7, there is a Secure Device Manager block that can securely provision and manage these secret keys. Where these features do not exist, you can secure the content of the FPGA bitstream, including any embedded secret user keys, with encryption.
You can keep the user keys secure within your design environment, and ideally add to the design using an automated secure process. The following steps show how you can implement such a process with
Quartus® Prime tools.
- Develop and optimize the HDL in Quartus® Prime in a non-secure environment.
- Transfer the design to a secure environment and implement an automated process to update the secret key. The on-chip memory embed the key value. When the key is updated, the memory initialization file (.mif) can change and the “quartus_cdb --update_mif” assembler flow can change the HDCP protection key without re-compiling. This step is very quick to run and preserves the original timing.
- The Quartus® Prime bitstream would then encrypt with the FPGA key before transferring the encrypted bitstream back to the non-secure environment for final testing and deployment.
It is recommended to disable all debug access that can recover the secret key from
the FPGA. You can disable the debug capabilities completely by disabling the JTAG port,
or selectively disable and review that no debug features such as in-system memory editor
or Signal Tap can recover the key. Refer to the Security
Overview for
SDM-Based FPGA
Devices
for further information on using FPGA security features including specific steps on how
to encrypt the FPGA bitstream and configure security options such as disabling JTAG
access.
Note: You can consider
the additional step of obfuscation or encryption with another key of the secret key
in the MIF storage.