Configuration design security, Aes encryption protection, Encryption and decryption – Altera MAX 10 FPGA User Manual
Page 19: Configuration design security -15
Related Information
•
Altera Dual Configuration IP Core Avalon-MM Address Map
•
Provides more information about the Avalon-MM interface specifications applied in Altera Dual
Configuration IP Core.
•
Instantiating the Altera Dual Configuration IP Core
on page 4-2
•
Accessing the Remote System Upgrade Block Through User Interface
Configuration Design Security
The MAX 10 design security feature supports the following capabilities:
• Encryption—Built-in encryption standard (AES) to support 128-bit key industry-standard design
security algorithm
• Chip ID—Unique device identification
• JTAG secure mode—limits access to JTAG instructions
• Verify Protect—allows optional disabling of CFM content read-back
AES Encryption Protection
The MAX 10 design security feature provides the following security protection for your designs:
• Security against copying—the non-volatile key is securely stored in the MAX 10 devices and cannot be
read through any interface. Without this key, attacker will not be able to decrypt the encrypted
configuration image.
• Security against reverse engineering—reverse engineering from an encrypted configuration file is very
difficult and time consuming because the file require decryption.
• Security against tampering—after you enable the JTAG Secure and Encrypted POF (EPOF) only, the
MAX 10 device can only accept configuration files encrypted with the same key. Additionally, configu‐
ration through the JTAG interface is blocked.
Related Information
.pof Generation through Convert Programming Files
on page 3-6
Encryption and Decryption
MAX 10 supports AES encryption. Programming bitstream is encrypted based on the encryption key that
is specified by user. In MAX 10 devices, the key is part of the ICB settings stored in the internal flash.
Hence, the key will be non-volatile but user can clear/delete the key by a full chip erase the device.
When you use compression with encryption, the configuration file is first compressed, and then
encrypted using the Quartus II software. During configuration, the device first decrypts, and then
decompresses the configuration file.
The header and I/O configuration shift register (IOCSR) data will not be encrypted. The decryption block
is activated after the IOCSR chain is programmed. The decryption block only decrypts core data and
postamble.
Related Information
on page 2-17
UG-M10CONFIG
2015.05.04
Configuration Design Security
2-15
MAX 10 FPGA Configuration Schemes and Features
Altera Corporation