Tz170 Security Feature

The FPGA security feature includes:

  • Intellectual property protection using bitstream encryption with the AES-GCM-256 algorithm
  • Anti-tampering support using asymmetric bitstream authentication with the RSA-4096 algorithm

Important: You cannot enable the FPGA security features when using compressed bitstreams.

You can enable encryption, authentication, or both. You enable the security features at the project level.

Figure 1. Security Flow

Bitstream Encryption

Symmetric bitstream encryption uses a 256-bit key and the AES-GCM-256 algorithm. You create the key and then use it to encrypt the bitstream. You also need to store the key in the FPGA's fuses. During configuration, the built-in AES-GCM-256 engine decrypts the encrypted configuration bitstream using the stored key. Without the correct key, the decryption process cannot recover the original bitstream.

Bitstream Authentication

For bitstream authentication, you use a public/private key pair and the RSA-4096 algorithm. You create a public/private key pair and sign the bitstream with the private key. Then, you save a hashed version of the public key into fuses in the FPGA. During configuration, the FPGA validates the signature on the bitstream using the public key.

If the signature is valid, the FPGA knows that the bitstream came from a trusted source and has not been altered by a third party. The FPGA continues configuring normally and goes into user mode. If the signature is invalid, the FPGA stops configuration and does not go into user mode.

The private key remains on your computer and is not shared with anyone. The FPGA only has the public key: the bitstream contains the public key data and a signature, while the fuses contain a hash of the public key. Only the private key can produce a valid signature for the bitstream, so an attacker cannot re-sign a tampered bitstream without it.
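The authentication flow described above, as an added example written with the openssl command line. It is not Efinix tooling and does not produce real Tz170 fuse or bitstream formats: it assumes SHA-256 as the public-key hash and uses a temporary file as the "fuse". It shows the three outcomes the text describes: a genuine bitstream is accepted, a bitstream altered after signing is rejected, and an altered bitstream re-signed with a different key pair is rejected because that key's hash is not in the fuses.

```shell
#!/bin/sh
# Added example, not Efinix tooling: models the Tz170 authentication flow with the
# openssl CLI. The "fuse" is a file holding SHA-256 of the DER-encoded public key;
# which hash the real device stores is an assumption, not stated on the page.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

pubkey_hash() {            # hashed public key, as it would be stored in the fuses
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

# Signer side: the key pair lives on the workstation; the private key never leaves it.
make_keypair() {           # $1 = private key out, $2 = public key out
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}
sign_bitstream() {         # $1 = bitstream, $2 = private key, $3 = signature out
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# FPGA side: the bitstream carries the public key and a signature, the fuses hold the
# key hash. Accept only if the key matches the fuses AND the signature verifies.
fpga_verify() {            # $1 = bitstream, $2 = signature, $3 = public key, $4 = fuse file
    [ "$(pubkey_hash "$3")" = "$(cat "$4")" ] || return 1
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-in bitstream, signed with the trusted key; its hash goes in the fuses
printf 'constructed bitstream payload 0123456789' > "$WORK/design.bit"
make_keypair "$WORK/trusted.key" "$WORK/trusted.pub"
pubkey_hash "$WORK/trusted.pub" > "$WORK/fuse.hash"
sign_bitstream "$WORK/design.bit" "$WORK/trusted.key" "$WORK/design.sig"

# Bitstream altered after signing: the signature no longer matches
cp "$WORK/design.bit" "$WORK/tampered.bit"; printf 'X' >> "$WORK/tampered.bit"
# Altered bitstream re-signed with a different key pair: that key's hash is not in the fuses
make_keypair "$WORK/other.key" "$WORK/other.pub"
sign_bitstream "$WORK/tampered.bit" "$WORK/other.key" "$WORK/other.sig"

for case in "design.bit design.sig trusted.pub" "tampered.bit design.sig trusted.pub" \
            "tampered.bit other.sig other.pub"; do
    set -- $case
    if fpga_verify "$WORK/$1" "$WORK/$2" "$WORK/$3" "$WORK/fuse.hash"; then
        echo "$1 with $3: accepted"    # only the first case
    else
        echo "$1 with $3: rejected"
    fi
done
```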

Disabling JTAG Access

Tz170 FPGAs support JTAG blocking, which disables JTAG access to the FPGA by blowing a fuse. Once the fuse is blown, you cannot perform any JTAG operation except reading the FPGA IDCODE, reading DEVICE_STATUS, using SAMPLE/PRELOAD, and enabling BYPASS mode. To fully secure the FPGA, you must blow the JTAG fuse.

If you still want to use the JTAG interface for debugging, you can use the DISABLE_EFUSE_ONLY option, which permanently disables only the JTAG efuse instructions. Other JTAG instructions are not affected; for example, you can still perform debugging. Refer to "Using the Efinity Bitstream Security Key Generator" in the Efinity Software User Guide for more information.

Important: Once you disable JTAG by blowing the fuse, you can never use JTAG again on that FPGA (except for IDCODE, DEVICE_STATUS, SAMPLE/PRELOAD, and BYPASS). Blowing this fuse should therefore be the very last step in your manufacturing process.

Fuse Programming Requirements

Important: The VQPS supply must be able to provide a minimum current of 100 mA.

To program the security fuses in the FPGA, follow these requirements:

  • During fuse programming, avoid device configuration and other JTAG operations that are not related to fuse programming.
  • Ramp up the VQPS pin only after all other power supplies have ramped to their nominal voltages. The VQPS ramp rate follows the requirements shown in Table 3.
  • After powering up the VQPS pin, wait for a minimum of 10 ms before issuing JTAG instructions for fuse programming.
  • After completing fuse programming through JTAG, wait for a minimum of 10 ms before powering down the VQPS pin.
  • If required, other power supplies can be powered down only after the VQPS pin has been powered down below 25% of its nominal voltage level.

Figure 2. Fuse Programming Waveform

This waveform assumes you are using an SVF file generated with the Efinity Bitstream Security Key Generator.

Important: The SPI bus and the EXT_CONFIG_CLK pin must be inactive during fuse programming.