Can I use design security feature to decrypt different bitfiles encrypted with the same key

Question

The manual for the design security feature states that it is possible to program an AES key into the FPGA in order to be able to decrypt encrypted bitfiles. When looking at the manual I see the following command line example to generate the .ekp file that is used to program the key into the device.

quartus_cpf --keyD:\SIV_DS\key12.key:key1:key2 D:\SIV_DS\test.sof D:\SIV_DS\test.ekp

This example takes the .sof file as an input in the generation of the .ekp file. Does that mean that the programmed key only works for that specific design or can I generate a new design and do encryption/decription using the same key?

Regards,

Maarten

shafiqy_intel · Answer

Hi MVanM,Yes, the programmed key only work for specific design. If you generate a new design, you need to create new key.For more details regarding Intel Design Security, please refer to the following  AN:https://www.intel.com/content/dam/www/programmable/us/en/pdfs/literature/an/an556.pdfThanks😉

mvanm · Answer

Hi MShafiqThanks for the initial explanation. An556 was the manual I was referring to and from which I took the command line example. What makes a design 'specific' or 'new'? if I add an inverter somewhere in the design and regenerate configuration data (.sof) . Is that already different? So if I write the key to the fuses I can only ever decrypt that precise configuration down to the delays/routing etc?Your answer already seems to indicate so. But hopefully I am mistaken. Because I would like to encrypt my bitfiles and be able to decrypt them. But hardware in the field should be able to decrypt possible future updates to the design if new functionality is added or possible bugfixes are made. Regards,Maarten

shafiqy_intel · Answer

Hi,Any changes in design (small changes or big changes) cause the bitstream in sof change.  This make new sof file (new changes in design) different to previous sof file.Usually, design security features is used when your design is in the final stage (final design and ready for production).If any bug/error in future, decrypt the previous design. Generate a new key and program the new design. I think the design security features is straight forward and not complicated.I hope this will make you much clear.Thanks😉

mvanm · Answer

HiBut if you program a non-volatile key it cannot be changed anymore. So generating a new key is not an option for boards with the key already programmed into the fpga. To be 100% clear. Assume the following steps:Create .sof fileCreate .ekp and encrypted .sof (.rbf) by supplying KEY and .sof fileProgram non-volatile key into fuse on fpga using .ekp fileFPGA can now decrypt the encrypted design (.rbf) using the programmed key.Decide a small change in design is neededGenerate a new .sof file with design changes.Encrypt the new .sof file with original KEYFPGA cannot decrypt the new encrypted configuration (.rbf)?This would make it completely impossible to do an upgrade in the field.

Forum Discussion

Can I use design security feature to decrypt different bitfiles encrypted with the same key

4 Replies

Recent Discussions

MAX10 Bitstreams Authentication

Arria 10 GX RX max intra-differential pair skew

Cyclone 10 GX development board collaterals

Agilex 7 FPGA Availability on Cloud Platforms (AWS, Azure, GCP)?

AGRW027R28A2I2V Thermal Model