Forum Discussion

PawelMa's avatar
PawelMa
Icon for New Contributor rankNew Contributor
1 year ago
Solved

Erasing a Volatile Key from Arria-10 GX

Hello!

In one of our designs, we use the bitstream encryption feature in Arria-10 GX FPGA. We'd like to implement a kill switch (triggered by externally detected tampering).

Is it possible to erase (or perhaps program a fake one) volatile key programatically, i.e. from inside the design?

Such action should result in rendering the device unusable (unbootable), since the bitstream is encrypted and stored in the flash.

All I've found in the documentation, including AN556, is how to do this using JTAG. I presume it could also be done using Virtual JTAG, but maybe there's a simpler way?

Thanks in advance!

Pawel

Configuration
Fpga Devkit
Programmable Logic Device
  • PawelMa's avatar
    PawelMa
    1 year ago

    Yes, that was my original question and the goal.

    Ad 1. I've recently received some info on this subject from one of the FAE's, that's very much under NDA, regarding the use of the internal JTAG in the discussed topic. I hope I won't violate the NDA by saying this: It's not impossible.

    Ad 2. That's a very good point. Removing the VCCBAT indeed causes the POR and needs to be extended by external logic, i.e. a monoflip. Having an external security controller, it's easy to implement.

    That solves my question. Thank You a lot!

    Pawel

13 Replies

  • NurAiman_M_Intel's avatar
    NurAiman_M_Intel
    Icon for Super Contributor rankSuper Contributor
    1 year ago

    Hi,


    To answer your questions,


    • We do not provide killed switch.
    • The purpose of encryption is to provide protection. The design that has been encrypted cannot be tampered.

    Regards,

    Aiman


  • PawelMa's avatar
    PawelMa
    Icon for New Contributor rankNew Contributor
    1 year ago

    Thank You for the reply.

    All I need to do is to erase the volatile key.

    It's a simple task when the FPGA is powered off, one can just remove power from the VCCBAT pin.

    Would disconnecting the VCCBAT while the FPGA is powered on also result in the key being deleted?

    TIA & regards,

    Pawel

  • NurAiman_M_Intel's avatar
    NurAiman_M_Intel
    Icon for Super Contributor rankSuper Contributor
    1 year ago

    Hi,


    I am confirming this with our internal team.


    Can I know if you enable Tamper-Protection bit? And do you intended to reprogram the volatile key?


    Regards,

    Aiman


    • PawelMa's avatar
      PawelMa
      Icon for New Contributor rankNew Contributor
      1 year ago

      Hi,

      No, we did not enable the Tamper-Protection bit. I used the word "tamper" for the mechanical tampering with the device's enclosure.

      In our case, it will be sufficient to erase the volatile key.

      If it couldn't be done without programming a new one, we can do the full reprogramming cycle.

      Regards,

      Pawel

  • NurAiman_M_Intel's avatar
    NurAiman_M_Intel
    Icon for Super Contributor rankSuper Contributor
    1 year ago

    Hi,


    VCCBAT is a dedicated power supply for the volatile key storage. I believe the key will be gone if remove VCCBAT.

    If you do not use the volatile key, refer to the respective device family pin connection guidelines for VCCBAT connection.


    You can confirm if the volatile key is clear by perform the KEY_VERIFY JTAG instruction bit 20 to read out the information on the security features that are enabled on the chip. You can also verify by configure the FPGA without the key to ensure the volatile key is no longer needed. Refer figure on my next post.


    Regards,

    Aiman


      • FvM's avatar
        FvM
        Icon for Super Contributor rankSuper Contributor
        1 year ago

        I understand that original question is asking how volatile key can be cleared in user mode without using JTAG interface.
        1. Unlikely by virtual JTAG operation. Virtual key register is part of dedicated JTAG hardware, not soft SLD infrastructure.
        2. VCCBAT is monitored by POR comparator, removing it will most likely trigger power-on reset. Voltage level for key clearance is probably far below POR threshold. If you consider to switch off VCCBAT by logic output, consider to extend pulse duration by a monoflop.

    • PawelMa's avatar
      PawelMa
      Icon for New Contributor rankNew Contributor
      1 year ago

      Hi Aiman,

      No, thank you for Your assistance.

      Best regards,

      Pawel

  • NurAiman_M_Intel's avatar
    NurAiman_M_Intel
    Icon for Super Contributor rankSuper Contributor
    1 year ago

    Hi,


    Thanks for the confirmation. I’m glad that your question has been addressed, I now transition this thread to community support. If you have a new question, feel free to open a new thread to get the support from Intel experts. Otherwise, the community users will continue to help you on this thread. Thank you.


    Regards,

    Aiman