Clarification on Arria 10 Design Security Features

We're working on securing the IP using design security features available in the Arria 10 FPGA. We went through the AN556 multiple times, but still some aspects are not clear to us.

We've successfully configured the non-volatile key into the FPGA, but we did not set the tamper protection in the EKP file. Is it still possible to enable it on this device?
Is the tamper protection set per key type (volatile/non-volatile)? Or is it effective for both volatile and non-volatile keys?
Let's say that EKP and the encrypted bitstream leaked. Is it possible to extract the key from the EKP file to decrypt the bitstream?
Is there a possibility to check from the FPGA fabric whether the non-volatile key was configured or not? I mean, e.g. is it possible to instantiate the Internal JTAG interface/WYSIWYG atom and execute the KEY_VERIFY instruction?
If tamper protection is enabled, is it still possible to configure the FPGA with the SOF file?
If JTAG secure mode is enabled, is it still possible to configure the FPGA using JTAG?

That's a lot of questions. Thanks in advance.
Damian

Forum Discussion

Clarification on Arria 10 Design Security Features

Recent Discussions

IBIS models GTS banks agilex 5E

Clarification on Arria 10 Design Security Features

rsu_client failing to write to slot

Netlength Agilex5 028B

Agilex 7 Decoupling capacitor scaling factor