Clarification on Arria 10 Design Security Features

Hi Damian,

1. We've successfully configured the non-volatile key into the FPGA, but we did not set the tamper protection in the EKP file. Is it still possible to enable it on this device?
   1. Yes, it is still possible to enable it. Please refer to "Steps to Enable Tamper-Protection Bit Programming" of AN556
2. Is the tamper protection set per key type (volatile/non-volatile)? Or is it effective for both volatile and non-volatile keys?
   1. It is effective for both volatile and non-volatile key. If you are using volatile key and tamper protection, please make sure that the VccBat is always connected. If the volatile key is loss due to the loss of VccBat voltage then the FPGA is no longer usable.
3. Let's say that EKP and the encrypted bitstream leaked. Is it possible to extract the key from the EKP file to decrypt the bitstream?
   1. Nope. There is no way to extract the key from the EKP file as it is encrypted key file
4. Is there a possibility to check from the FPGA fabric whether the non-volatile key was configured or not? I mean, e.g. is it possible to instantiate the Internal JTAG interface/WYSIWYG atom and execute the KEY_VERIFY instruction?
   1. Yes, it is possible to check. You will need to implement your own state machine to send the KEY_VERIFY instruction.
5. If tamper protection is enabled, is it still possible to configure the FPGA with the SOF file?
   1. No. Only encrypted bitstream is possible.
6. If JTAG secure mode is enabled, is it still possible to configure the FPGA using JTAG?
   1. No, unless you implement UNLOCK JTAG instruction though user logic.

Thanks.
John Tio