Intel® Stratix® 10 Device Security User Guide
UG-S10SECURITY | 2019.05.10
1. Intel® Stratix® 10 Device Security Overview
Intel® Stratix® 10 devices provide flexible and robust security features to protect
sensitive data, intellectual property, and the device itself under both remote and
physical attacks.
Intel Stratix 10 devices provide two main categories of security features:
authentication and encryption.
Authentication ensures that both the firmware and the configuration bitstream are
from a trusted source. Authentication is fundamental to Intel Stratix 10 security. You
cannot enable any other Intel Stratix 10 security features without enabling owner
authentication. Integrity checking, which is part of authentication, prevents accidental
bitstream change, corruption, or malicious attack.
Encryption prevents theft of intellectual property. Encryption protects confidential
information in the owner configuration bitstream.
Here are the specific security features that Intel Stratix 10 devices provide:
Authentication Category
• Elliptic Curve Based Public-Key Authentication: This feature allows the device to
authenticate Intel firmware and the configuration bitstream. Intel Stratix 10
devices always require firmware authentication for all Intel firmware that loads
into silicon. This requirement ensures that Intel is the only source that provides
the primary firmware for the Secure Device Manager (SDM) and most other
firmware that runs on other configuration processors in the Intel Stratix 10 device.
Intel Stratix 10 devices do not require authentication for the owner configuration
bitstream. You enable authentication for your configuration bitstream through
eFuse settings. After you program the hash of the root public key into eFuses, the
Intel Stratix 10 device only accepts an owner configuration bitstream that is
signed with the corresponding private signing key.
• Anti-tampering security feature: Anti-tampering addresses physical attacks on
silicon. There are two categories of anti-tampering features: passive and active
anti-tampering.
— The passive anti-tampering feature enforces physical security features using
redundancy and interlocking systems. Passive anti-tampering is always
running on Intel Stratix 10 devices. Passive anti-tampering functions do not
operate in response to a particular function.
— Active anti-tampering responds when the silicon detects physical attacks from
the outside. By default, all active anti-tampering functions are off. When the
active anti-tampering function is on, you can select which detection functions
and responses to enable.
Intel Corporation. All rights reserved. Agilex, Altera, Arria, Cyclone, Enpirion, Intel, the Intel logo, MAX, Nios,
Quartus and Stratix words and logos are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or
other countries. Intel warrants performance of its FPGA and semiconductor products to current specifications in
accordance with Intel's standard warranty, but reserves the right to make changes to any products and services
at any time without notice. Intel assumes no responsibility or liability arising out of the application or use of any
information, product, or service described herein except as expressly agreed to in writing by Intel. Intel
customers are advised to obtain the latest version of device specifications before relying on any published
information and before placing orders for products or services.
*Other names and brands may be claimed as the property of others.
ISO 9001:2015 Registered
Encryption Category
• Advanced Encryption Standard (AES)-256 encryption: This feature protects the
owner configuration bitstream intellectual property (IP) or confidential data as part
of root security in the owner configuration bitstream. AES-CTR (counter) mode is
the base for bitstream encryption. To reduce AES key exposure from random
attacks, AES decryption only operates on data that has already passed public key
authentication.
• Side channel protection: Side channel protection protects the AES key and
confidential data from non-intrusive attacks. Intel Stratix 10 devices include the
following functions to protect against side channel leakage from silicon.
— A key update function protects the AES keys in bitstream decryption.
— The authentication first flow protects against unnecessary key exposure.
— Long route data line scrambling protects against side channel leakage over
data lines.
— A 256-bit wide direct key bus loading limits unauthorized access to keys.
— Key scrambling in the key vault protects key values.
• Multiple AES root key choices: Intel Stratix 10 devices support three different
types of root AES keys: eFuse, BBRAM, and physically unclonable function (PUF).
• Black key provisioning: Key provisioning, especially secret key provisioning, is
costly. In addition, key provisioning is the least secure step in the encryption
process. Black key provisioning creates a direct secure channel between your
custom hardware security module (HSM) and the Intel Stratix 10 device for key
provisioning. Having a secure channel ensures that confidential information, including
the AES key, is provisioned into silicon without exposure to an intermediate party.
As a side benefit, black key provisioning also helps secure the supply chain at
contract manufacturing facilities.
Note: These security features are available in Intel Stratix 10 devices that support advanced
security. The ordering codes for Intel Stratix 10 devices that include advanced security
features include the AS (Advanced Security) suffix. Please contact your Intel
Programmable Solutions representative to get additional information about Intel
Stratix 10 device security features.
Related Information
Intel Quartus® Prime Pro Edition User Guide Programmer
Describes operation of the Intel Quartus® Prime Pro Edition Programmer, which
allows you to configure Intel FPGA devices, and program CPLD and configuration
devices, via connection with an Intel FPGA download cable.
1.1. Intel Stratix 10 Secure Device Manager (SDM)
The Secure Device Manager (SDM) is a triple-redundant processor-based module that
manages the configuration and security features of Intel Stratix 10 devices. The SDM
authenticates and decrypts configuration data.
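Figure 1. Secure Device Manager
[Figure: block diagram of the Intel Stratix 10 FPGA showing the Secure Device Manager with its SDM pins and dual-purpose I/O, connected over the configuration network to a Local Sector Manager (LSM) in each configuration sector. Additional blocks in the device variants: SX includes the Hard Processor System, MX includes High-Bandwidth Memory, TX includes High-Bandwidth XCVRs, GX is the general purpose FPGA.]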
Authentication includes the following steps:
1. First, the SDM performs an integrity check using SHA-256 or SHA-384. The
integrity check ensures that the bitstream is not corrupted due to an accidental
occurrence such as a bad write to flash.
2. Then, the authentication process guarantees that a trusted source, the device
owner, created the configuration bitstream.
3. If successful, and you have enabled AES Encryption, the SDM then decrypts the
data. The SDM drives the decrypted data on the configuration network to Local
Sector Managers (LSM) on the configuration network. Each LSM parses the sector
configuration block data and configures the logic elements in the sector that it
manages.
Related Information
Intel Stratix 10 Configuration User Guide: Secure Device Manager
1.2. Intel Stratix 10 Base Security
To enable base security features, you must program the hash of the owner public root
key into the Intel Stratix 10 eFuses. As soon as you program the owner root key, you have
created an Intel Stratix 10 device with basic security, and your configuration bitstream
must be signed.
Note: The fusing process automatically computes the hash of the owner public root key.
When you program the owner public root key, the programmer automatically
programs the hash value, not the full key.
You can enable the following additional security options to further enhance the
security level:
• Advanced Encryption Standard (AES) Encryption protects your IP and secures your
data. This option includes multiple sub-options relating to side channel mitigation.
• Configuration firmware joint signature capability allows you to sign the version of
configuration firmware to run on your device. At all times, the device only loads
firmware that Intel has authenticated. An eFuse on the Intel Stratix 10 device
enables this feature.
eFuse programming sets a minimum security strength. All eFuse-enforced security
options are permanent. In contrast to permanent security features, Intel Stratix 10
devices include some dynamic security options that you can control without using
eFuses. JTAG Secure is one example of a dynamic security feature. Intel Stratix 10
devices control dynamic security options by setting optional fields in the configuration
bitstream. Intel recommends using the optional fields in the configuration bitstream to
enforce security options when available. The optional fields provide a security level
similar to the eFuse setting, with more flexibility.
1.2.1. Side Channel Resistance
Side channel resistance technology helps prevent secret leakage from the
Intel Stratix 10 device. Side channel mitigation is not limited to the AES engine. Any
circuit which could transport secret key material has its associated mitigation. Long
data transmission lines in silicon also implement security control agreement
mitigation.
The following side channel mitigation features are available in Intel Stratix 10 devices:
• AES side channel mitigation
— Key update: Limits the amount of data encrypted by each key. The default
limit that each key can encrypt is 4 KB.
— Authentication first: The device authenticates the bitstream before decrypting
it. Attackers cannot perform differential attacks on the AES before breaking
authentication.
• Datapath random number scrambling
• Physically unclonable function (PUF) enrollment and extraction scrambling
• 256-bit point-to-point key bus
1.3. Owner Security Keys and Programming
Intel Stratix 10 devices support two types of security keys:
• Owner public root key hash: Programming this key enables the base security
features. The Intel Stratix 10 device stores the SHA-256 or SHA-384 hash of this key in
eFuses or virtual eFuses. This key authenticates the final owner design signing key
through the public signature chain.
• Owner AES key: This optional key decrypts the encrypted owner image during the
configuration process. You can store the AES key in virtual or physical eFuses, a
BBRAM, or a PUF. You program the AES key using JTAG. The configuration
bitstream specifies the owner AES key location. For extra security, you can
program fuses to enforce eFuse key selection. For example, if your design stores
the AES key in eFuses, you can disable the BBRAM root key fuse for additional
security. Intel Stratix 10 devices support both red key (unencrypted) and black
key (encrypted) programming.
Note: You program or blow eFuses by flowing a large current for a specific amount of time.
This process is irreversible.
1.3.1. eFuse (Volatile or Non-Volatile) AES Root Key
Virtual eFuses are volatile. Physical eFuses are non-volatile. Once you program the
physical eFuse key, you cannot change or reprogram the key. The value stored in
eFuses is a device-unique scrambled version of the original owner key.
The Intel Quartus® Prime Programmer includes a Device security key storage
option. This option is available for Intel Stratix 10 and later devices that include the
SDM when you program an Intel Quartus Prime encryption key (.qek).
Note: The current release only supports the battery-backed RAM (BBRAM) storage location.
1.3.2. BBRAM (Volatile) AES Root Key
In contrast to eFuse keys, BBRAM keys are reprogrammable. The BBRAM key vault
holds a single key. Programming a new key deletes the previously programmed key.
The BBRAM key vault includes a built-in function to perform periodic key flipping to
prevent key imprinting.
The BBRAM AES key has its own power supply. VCCBAT powers the BBRAM AES key.
The allowed voltage range is 1.2V - 1.8V.
Related Information
Recommended Operating Conditions for VCCBAT in Stratix 10 Device Datasheet
2. Design Authentication
For networked systems, every power up or remote system upgrade to an
unauthenticated bitstream is vulnerable to attack. Malicious attacks can occur because
the FPGA does not verify that the configuration bitstream is from a trusted source. Intel
Stratix 10 FPGAs include a feature to authenticate the bitstream, guaranteeing that
the bitstream is from a trusted source. Authentication uses signature keys to validate
the content of a bitstream, preventing the Intel Stratix 10 FPGA from configuring with
an unauthorized configuration bitstream.
When you use authentication, your manufacturing process programs the hash digest
of the Elliptic Curve Digital Signature Algorithm (ECDSA) public signature key into
FPGA eFuses. The configuration bitstream contains the public signature key. The SDM
compares the hash digest of the configuration bitstream public signature key to the hash
digest stored in eFuses. The SDM only loads the bitstream if the values match.
You can choose either ECDSA256 or ECDSA384. ECDSA256 and ECDSA384 use
the SHA-256 and SHA-384 cryptographic hash functions, respectively, to create the secure hash.
Intel recommends that you use the 384-bit algorithm. The 256-bit algorithm is weaker
than the 384-bit algorithm and consequently more likely to become vulnerable to attack. Use
the 256-bit algorithm if you have a custom hardware security module (HSM) that does
not accept SHA-384 hashes. SHA-384 generates a bitstream that is larger than
SHA-256. SHA-384 hashes result in longer configuration times.
2.1. The Configuration Bitstream
The figure below shows an Intel Stratix 10 configuration bitstream that includes an
FPGA and HPS. The firmware section is static and is dependent on the Intel Quartus
Prime version.
The SDM always authenticates the firmware configuration bitstream whether or not you
choose to authenticate the other dynamic sections of the bitstream. To create an
additional level of security, you may request joint signing for the configuration
bitstream by programming the Joint Signature fuse on the device. When the Joint
Signature fuse is programmed, the device checks for an owner signature on the
firmware section of the configuration bitstream. The device only runs firmware with
both signatures.
Figure 2. Example of an Intel Stratix 10 Configuration Bitstream Structure
[Figure: a Firmware Section (static and Quartus Prime version dependent), followed by a Design Section for IO Configuration, a Design Section for FPGA Core Configuration, and a Design Section for HPS boot code.]
The I/O, HPS, and FPGA sections are dynamic and contain the device configuration
information based on your design. Each dynamic section of the configuration bitstream
stores information in the same format. Each section begins with a 4 kilobyte (KB)
header block, followed by a signature block, hash blocks, and data.
Figure 3. Configuration Bitstream Layout
[Figure: the Header Block carries the hash for Hash Block 0; the Signature Block carries the hash and signature over the Header Block; Hash Block 0 (SHA-384 or SHA-256) is followed by its data blocks (Data Block 0, Data Block 1, ... Data Block 83 or 125), then Hash Block 1 (SHA-384 or SHA-256) and its data blocks, through Hash Block N. The hash in the Header Block validates Hash Block 0, Hash Block 0 validates Hash Block 1, and so on.]
The header block contains a hash which validates hash block 0. Each hash block
contains up to 125 SHA-256 hashes or 83 SHA-384 hashes. These hashes validate
subsequent data blocks.
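The hash chain described above can be modelled in a few lines of Python. This is an added example, not Intel code and not the real bitstream format: the block layout (a link digest for the next hash block followed by the data block digests, with an all-zero link in the last hash block) and the names build_section and verify_section are assumptions; only the limits of 125 and 83 hashes come from this guide. The header_hash argument stands for the hash in the header block, which the signature block authenticates.

```python
import hashlib
import hmac

# Per-hash-block digest limits stated in the guide.
MAX_HASHES = {"sha256": 125, "sha384": 83}


def _digest(algo, data):
    return hashlib.new(algo, data).digest()


def build_section(data_blocks, algo="sha384"):
    """Return (header_hash, groups) for a constructed section.

    Assumed layout, not the real bitstream format: a hash block is
    link || digest(data 0) || digest(data 1) ..., where link is the digest
    of the next hash block and is all zeros in the last hash block.
    """
    limit, size = MAX_HASHES[algo], hashlib.new(algo).digest_size
    chunks = [data_blocks[i:i + limit] for i in range(0, len(data_blocks), limit)]
    groups, link = [], bytes(size)
    for chunk in reversed(chunks):  # back to front, so each link is known
        hash_block = link + b"".join(_digest(algo, b) for b in chunk)
        groups.insert(0, (hash_block, list(chunk)))
        link = _digest(algo, hash_block)
    return link, groups  # link now covers hash block 0


def verify_section(header_hash, groups, algo="sha384"):
    """Walk the chain from the trusted header hash; return (ok, reason)."""
    limit, size = MAX_HASHES[algo], hashlib.new(algo).digest_size
    expected = header_hash
    for gi, (hash_block, data_blocks) in enumerate(groups):
        # A hash block is trusted only if an already trusted digest covers it.
        if not hmac.compare_digest(_digest(algo, hash_block), expected):
            return False, f"hash block {gi} does not match its expected digest"
        body = hash_block[size:]
        digests = [body[i:i + size] for i in range(0, len(body), size)]
        if len(digests) > limit or len(digests) != len(data_blocks):
            return False, f"hash block {gi} has an unexpected digest count"
        for di, block in enumerate(data_blocks):
            if not hmac.compare_digest(_digest(algo, block), digests[di]):
                return False, f"data block {di} under hash block {gi} is modified"
        expected = hash_block[:size]
    if expected != bytes(size):
        return False, "section is truncated: another hash block is expected"
    return True, "all blocks verified"


def demo():
    """Constructed sample: 200 data blocks need three SHA-384 hash blocks."""
    algo, size = "sha384", 48
    blocks = [f"constructed data block {i}".encode() for i in range(200)]
    header_hash, groups = build_section(blocks, algo)
    results = {"clean": verify_section(header_hash, groups, algo)}

    # Case 1: a data block changes after signing.
    hash_block, data = groups[1]
    changed = data[:5] + [b"changed"] + data[6:]
    tampered = [groups[0], (hash_block, changed), groups[2]]
    results["data_changed"] = verify_section(header_hash, tampered, algo)

    # Case 2: the stored digest is rewritten to match the changed block, which
    # breaks the link held in hash block 0.
    start = size * (1 + 5)
    forged_hb = hash_block[:start] + _digest(algo, b"changed") + hash_block[start + size:]
    forged = [groups[0], (forged_hb, changed), groups[2]]
    results["digest_rewritten"] = verify_section(header_hash, forged, algo)

    # Case 3: the last hash block and its data are dropped.
    results["truncated"] = verify_section(header_hash, groups[:2], algo)
    return results
```

Because every block is checked against a digest that was itself already verified, a verifier of this shape can reject a section at the first bad block without buffering the whole image.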
2.2. Signature Block
The signature block validates the contents of the header block. After successfully
validating the signatures, the SDM processes the data based on the signatures
provided.
Figure 4. Signature Block Format
[Figure: the signature block holds a SHA-384 hash over the Header Block, an offset to the signature chains, up to 4 signature chains (1st through 4th), dynamic sector pointers, and a 32-bit CRC. Each signature chain holds a Root Key, Public Key Entry 1 (Recommended), Public Key Entry 2 (Optional), and a Header Block Entry.]
Table 1. Signature Block
Block | Description
SHA-384 hash of header block | This hash function checks for accidental changes in the preceding block of the configuration bitstream, typically the header block.
Signature chains | Zero or more signature chains. Each signature chain can include up to 3 keys, including the owner public root key. The other 2 keys support separate signatures for the firmware, core, and HPS sections of the configuration bitstream. The Intel Quartus Prime Software supports 2 keychains for control module firmware (CMF) signing and up to 4 keychains for the configuration bitstream. Multiple keychains provide some flexibility, for example, if you change your root key and want to create a design which works on devices with both the old and new root key.
Dynamic sector pointers | Locate the design sections for the remainder of the image when you store the image in flash memory.
32-bit CRC | Protects the block from accidental modification. The CRC does not provide security. Software tools can check the CRC to identify accidental modifications.
Signature Chain Details
Intel Stratix 10 FPGAs support up to four signature chains. If a signature chain is
invalid, it is ignored. The FPGA starts validating the next signature chain. This
capability allows for root key rollover. To pass authentication, at least one signature
keychain must pass.
Table 2. Signature Chain Content
Content | Description
Root Key Entry | The Root Entry anchors the chain to a root key known to the FPGA. The FPGA calculates the hash of the root entry and checks if it matches the expected hash. You store the root key in eFuses.
Public Key Entry | Signature chains enable flexible key management. Intel recommends one public key entry in each signature chain. The previous public key signs the new public key. The public key entry provides the following capabilities:
• Key bit fields to limit the areas a public key entry can sign. The following permissions values are valid:
— Bit 0: Firmware
— Bit 1: FPGA I/O, core sections, and PR sections
— Bit 2: HPS I/O and first stage bootloader sections (FSBL)
• If more than one bit field is on, the key can sign more than one section. For example, if both bits 1 and 2 are on, the key can sign the FPGA I/O, core, PR, HPS I/O, and FSBL sections of the design.
• Cancellation ID: Specifies the number that cancels a key that is no longer valid. Intel Stratix 10 devices include 32 cancellation IDs. Cancellation IDs 0-31 cancel owner keys. Once you cancel a key, any previous designs using the canceled key are unusable. You can use this feature to prevent older designs from running on a device or as part of recovery from a compromised key. Firmware controls the order in which eFuses are blown.
Second- or third-level keys typically sign data. Intel Stratix 10 devices support signature chains containing up to three keys, including up to 2 public key entries.
Header Block Entry | The final entry in a signature chain signs the actual data. The Block0 Entry authenticates the first block of the section, and thus authenticates the whole section.
Understanding Permissions and Cancellation IDs
You use permissions to specify the sections that a key can sign. You can use the same
or a different cancellation ID for the different sections. If you use the same cancellation
ID for more than one section, canceling any section with that cancellation ID cancels
all sections using that cancellation ID. For example, if you assign the same
cancellation ID to both the FPGA and HPS sections, canceling the HPS section also
invalidates the FPGA section. The root signature key does not have a cancellation ID.
Consequently, you cannot cancel the root key. However, you can cancel a signature
chain that includes two or more signature levels. Intel strongly recommends that you
create a signature chain with at least two levels to retain the ability to update your
signature keychain. The following figure shows a signature chain with a root key and
two level one signature keys. The level one keys have different permissions and
cancellation IDs.
Figure 5. Three-Key Signature Chain
[Figure: a root keychain with two 1st level public keys, one with Permission = 4 (HPS, FSBL) and Cancellation ID = 33, the other with Permission = 2 (Core, I/O, PR) and Cancellation ID = 32.]
Here are some reasons that you may need to cancel a signature key:
• A private key is accidentally released
• You find a vulnerability in your design
• You find a bug in the design after having created the signed configuration
bitstream
• You want to update the current design as part of a normal release cycle
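The permission and cancellation rules above, as an added Python example that is not Intel code or SDM firmware. It models only the policy checks: ECDSA verification is represented by boolean fields, the key bytes are constructed, and the class and function names, the root-only chain, and the rule that every public key entry in a chain needs the section's permission bit are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Permission bits from the signature chain table.
FIRMWARE, FPGA, HPS = 1 << 0, 1 << 1, 1 << 2
SECTION_BIT = {"firmware": FIRMWARE, "io": FPGA, "core": FPGA, "pr": FPGA,
               "hps_io": HPS, "fsbl": HPS}


@dataclass
class KeyEntry:
    name: str
    permissions: int          # bit field limiting what this key may sign
    cancel_id: int            # owner keys use cancellation IDs 0-31
    sig_ok: bool = True       # stands in for "signed by the previous key"


@dataclass
class Chain:
    root_public_key: bytes    # constructed bytes, not a real ECDSA key
    entries: list = field(default_factory=list)  # at most 2 public key entries
    block_sig_ok: bool = True  # stands in for the header block entry signature


@dataclass
class Device:
    fused_root_hash: bytes
    cancelled: set = field(default_factory=set)


def check_chain(dev, chain, section):
    """Return (accepted, reason) for one signature chain."""
    if hashlib.sha384(chain.root_public_key).digest() != dev.fused_root_hash:
        return False, "root entry hash differs from fused hash"
    if len(chain.entries) > 2:
        return False, "more than three keys in chain"
    for e in chain.entries:
        if not 0 <= e.cancel_id <= 31:
            return False, f"{e.name}: cancellation ID out of range"
        if e.cancel_id in dev.cancelled:
            return False, f"{e.name}: cancellation ID {e.cancel_id} is cancelled"
        if not e.sig_ok:
            return False, f"{e.name}: bad signature"
        if not e.permissions & SECTION_BIT[section]:
            return False, f"{e.name}: no permission for {section}"
    if not chain.block_sig_ok:
        return False, "header block entry signature invalid"
    return True, "accepted"


def authenticate(dev, chains, section):
    """An invalid chain is ignored; one passing chain (of up to four) suffices."""
    return any(check_chain(dev, c, section)[0] for c in chains[:4])


def scenarios():
    old_root, new_root = b"constructed old root key", b"constructed new root key"
    fpga_key = KeyEntry("fpga-signer", FPGA, cancel_id=7)
    hps_key = KeyEntry("hps-signer", HPS, cancel_id=7)  # shares ID 7
    out = {}
    # Root key rollover: one image carries a chain for each root.
    chains = [Chain(old_root, [fpga_key]), Chain(new_root, [fpga_key])]
    for label, root in (("old_device", old_root), ("new_device", new_root)):
        dev = Device(hashlib.sha384(root).digest())
        out[label] = authenticate(dev, chains, "core")
    # Permission bits: the FPGA key cannot sign the FSBL.
    dev = Device(hashlib.sha384(new_root).digest())
    out["fpga_key_on_fsbl"] = check_chain(dev, Chain(new_root, [fpga_key]), "fsbl")
    # Shared cancellation ID: cancelling 7 for the HPS key also stops the FPGA key.
    dev.cancelled.add(7)
    out["core_after_cancel"] = authenticate(dev, [Chain(new_root, [fpga_key])], "core")
    out["fsbl_after_cancel"] = authenticate(dev, [Chain(new_root, [hps_key])], "fsbl")
    # A root-only chain has no cancellation ID, so cancellation cannot revoke it.
    out["root_only_after_cancel"] = authenticate(dev, [Chain(new_root)], "core")
    return out
```

The last scenario shows why the guide recommends at least two levels: in this model a design signed directly under the root key stays loadable after every cancellation ID has been used.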
2.2.1. Authentication for HPS Software
If you are using an SoC device, the HPS Boot Code is part of the bitstream that is
authenticated by the SDM during configuration.
After you successfully load the HPS Boot Code on the Intel Stratix 10 device, you may
need to ensure that the following boot stages of the HPS Software are also
authenticated.
The Rocketboards web page includes an example that uses U-Boot to authenticate
the subsequent boot stages of the HPS software.
Related Information
Intel Stratix 10 SoC Secure Boot Demo Design
3. Using the Authentication Feature
To authenticate an Intel Stratix 10 FPGA configuration bitstream, you prepare an
authentication signature chain which includes root and public keys.
Starting with version 18.1 of the Intel Quartus Prime software, you can use the
quartus_sign command to create a signature chain.
The following figure provides an overview of the steps to create an authentication
signature chain. It shows the steps for the following operations:
1. make_root (light yellow)
2. fuse_info (darker yellow)
3. append_key (light blue)
4. sign (light gray)
The make_private_pem and make_public_pem operations (top right of figure) prepare the
public and private keys that are inputs to the four operations listed above.
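Figure 6. Steps to Create a Signature Chain
[Figure: flow diagram with the steps Create Root Signature Chain, Write Hash to Fuses, Create 1st Level Signature Chain, Create 2nd Level Signature Chain, and Add Signature to Bitstream. The root, 1st level, and 2nd level public and private keys and the bitstream are inputs, and the output is the signed bitstream.]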