Allow encrypted POF only

Question

Hi!Can someone explain what this is security feature (Allow encrypted POF only) is supposed to do?&nbsp; In the description it says, "When enabled, devices accepts encrypted POF".&nbsp; However, this is not the case.&nbsp; After creating a .pof with "Allow encrypted POF only" and encryption, then loading this .pof + ekp file, everything after this first program/configure fails.&nbsp; This means you cannot program/configure/verify/blankcheck/examine with the same or different .pof/.ekp.&nbsp; The only solution is erase.&nbsp;&nbsp;But this feature should have allowed for encrypted pof to be programmed.&nbsp; Originally, I thought it would allow you to load a new .pof as long as you use the same key (.ekp).&nbsp; After experimenting with various cases, I cannot get pass the failure of reconfiguring the device.&nbsp; (CONFIG_DONE pin failed to go high in device 1.&nbsp; .... Operation Failed).&nbsp; The only solution is to erase.&nbsp; Which brings me back to the question of what is "Allow encrypted POF only" supposed to do?&nbsp; Can you provide procedures to get this feature to actual work?I am on Quartus Prime Standard Edition version 23.1 using a Max10 (m50) FPGA.Thank you!&nbsp;

farabi · Answer

Hello,&nbsp;&nbsp;You need to have separate license to enable the design encryption on MAX10 with Quartus Prime Standard edition.&nbsp;link : https://licensing.intel.com/psg/s/?language=en_US&nbsp;regards,Farabi

too_chappy · Answer

I am able to encrypt the file so I have the right license. I know this because without "Allow Encrypted POF only", I loaded an encrypted .pof with its .ekp and the FPGA behaved as expected (aka... lights blink after programming).

Here is what I did and on the m50 development board from Altera.

Create an .ekp + .pof from the Convert Programming File with the allow encrypted POF only enable AND generate encrypted bitstream enable. (I created multiple versions with different keys and different .sof to test out.)
(Note: I did this with loading the .ekp + .pof together and separate). Program the FPGA with these files wait for successful programming. --This works.
(power cycle the board- which didn't seem necessary but I did it anyways.)
Load a new/orig/same_key_generated_pof/different_key_same_sof/pof_only/sof_only/etc... All the the results failed with CONFIG_DONE pin failed to go high in device 1. .... Operation Failed

At Step 4, either the original programming file used in step 2 should work or one of the different other configuration combination should have also worked. But all fail.

To get back to a working state, I had to erase the device. I also figured out that I can load a .ekp file that does not have "Allow Encrypted POF only" to get back to a good working state.

So back to the original question which is what does "Allow Encrypted POF only" do and what steps do I do during FPGA configuration to see that this is working as intended? The definition of this feature is "When enabled, device only accepts encrypted POF". But it does NOT appear that it accepts anything configuration including the original configuration used during the first initial programming.

Is there any other special thing I need to do? Can you please check on your end to see?

Thank you!

too_chappy · Answer

Hi!&nbsp; Is there any updates on this?&nbsp; Were you able to try this on your dev board?&nbsp; Thank you for your assistance!

farabi · Answer

Hello,&nbsp;&nbsp;I am taking this case, I will response to you asap.&nbsp;&nbsp;regards,Farabi

farabi · Answer

Hello,&nbsp;&nbsp;Once you selected "Allow encryption POF only" - the device refuses unencrypted configuration images, only encrypted POF (must match AES key) can be used to configure the FPGA.&nbsp;1- After programming the encrypted POF (even with matching key), any further operation will fail, until you erase. The device remains in a secure state that rejects even valid encrypted/reconfigured POFs.&nbsp;2- The device expects the AES key to be in place before its encrypted POF is accepted. Trying to load a new encrypted POF without loading its matching EKP first, will cause rejection.&nbsp;&nbsp;Steps :1- Generate .ekp and encrypted .pof in Quartus:a. Use Convert Programming File GUIb. Within Options/Boot info -&gt; enable the Security option&nbsp;c. "Allow encrypted POF only"d. "Verify Protect"&nbsp;e. Add .ekp file, then generate both .ekp and encrypted .pof.&nbsp;2- Erase the device completelya. Before any configuration- "Erase Device" in Quartus Programmer toolb. This will clear any prior AES key on encrypted image that would block new programming.&nbsp;&nbsp;3- Program the AES key(.ekp) firsta. In Quartus Programmer, add the .ekp fileb. command : quartus_pgm -c 1 -m jtag -o "p;yourfile.ekp"c. Ensure .ekp key is loaded and ready.&nbsp;4- Program the encrypted POFa. After .ekp in place: run this command : quartus_pgm -c 1 -m jtag -o "p;yourfile.pof"&nbsp;regards,Farabi

Forum Discussion

Allow encrypted POF only

5 Replies

Recent Discussions

intel_onchip_Memory II RAM: r/w doesn t work from FPGA but from HPS

Power Rating Required for RZQ Resistor on Cyclone V SE

MAX 10. No 3.0 V Schmitt Trigger I/O standard

Arria 10: Remote Update may brick FPGA and Factory Fallback won't work

Unable to program EPCQ16A on custom cyclone IV board - error during jic flashing.