# Actel FPGAs Security Features



# **The Rising Need for Security**



# **System Design circa 1995**

# System Design circa 2004





# FPGA = Glue Logic FPGA = ASIC Replacement

Today, the FPGA is the heart of the system

# **Security Exposure**

# Cloning

 A competitor makes a copy of the boot prom or intercepts the bitstream from the on-board processor and copies the code.

### Reverse Engineering

 A competitor copies a design by reconstructing a "schematic" or netlist level representation; in the process, he understands how the design works and how to improve it.

### Over-building

 An unscrupulous contract manufacturer buys standard parts on the open market and over builds, selling the extra production for profit with none of the support and design overhead costs.

© 2005 Actel Confidential and Proprietary

# **Actel**

# **Security Attacks Review**



### Two Principal Types:

- Noninvasive: Monitored by external means such as brute force key generation, changing voltages to discover hidden test modes, etc.
- Invasive: Decapped and then microprobed using Focused Ion Beams, or other sophisticated techniques to determine the contents of the device.

### Security Threats

- IP Security: Protecting the integrity of the design or IP that is in the chip
- Data Security: Protecting the flow of data from the chip



- SRAM based devices are volatile
- Configuration data must be loaded each time power is cycled.
- This configuration data is stored in a PROM or microprocessor
- This data can be easily copied at boot-up



# The Myth of ASIC Security



- Often considered a "secure" technology, ASICs are actually relatively easy to reverse engineer
- Packages are de-capped, layers are stripped and photographed one by one

4 layer metal ASIC stripped to metal layer 1



# Actel Antifuse/Flash-based FPGAs Actel

# Two Actel FPGA technologies

- Antifuse
  - Nonvolatile and One Time Programmable
- Flash
  - Nonvolatile and Reprogrammable

# Both technologies are nonvolatile

- After being programmed in a secure environment, Flash-based & Antifuse-based FPGAs do not require an external bit stream
- The bitstream does not need to be loaded at system power-up.

# Flash/Antifuse-based FPGA Design Security



- After being programmed in a secure environment, flash/Antifuse-based devices do not require an external bit stream
- Highly resistant to invasive attacks, decapping and stripping only reveals the structure of the device, not the actual contents
- Large number of switch elements; therefore, attempting to determine the state of millions of switches is prohibitive





# Antifuse FPGAs have all data internal to chip

No external bitstream or boot-up PROM required

# No optical change is visible in a programmed Antifuse

Requires a difficult invasive attack and SEM analysis to identify a programmed link

# An Axcelerator AX2000 contains approximately 53 million antifuses

- Attempts to determine their state physically would take years
- Only a small fraction (2%-3%) are actually programmed

# Fusion & ProASIC3/E Security



# Agenda



### Security Features

- Terminology
- A3P/E & AFS Security Features Overview

# Security Usage

- Software Settings
- Security Use Models
- Permanent Lock

# **Security Features**



# Terminology



# FlashLock Key

Protects Device Security Settings

# Permanently lock the security settings

 Individual Security Settings for Array and FROM can be set Permanently

### Permanent Lock

- Permanently Lock the Array from being Erased/Written or Verified
- Permanently Lock the FROM from being Erased/Written or Read (verify always allowed)

# AES Encryption

Protects Programming Data for File Transfer into Device

# **AFS and A3P/E Security Features**



|                                                | AFS                       | A3P/E                     |
|------------------------------------------------|---------------------------|---------------------------|
| FlashLock™                                     | $\checkmark$              | ✓                         |
| FlashLock Key                                  | 128 bits                  | 128 bits                  |
| Years to Uncover Key <sup>1</sup>              | 5.4x10 <sup>23</sup>      | 5.4x10 <sup>23</sup>      |
| Permanent FlashLock                            | $\checkmark$              | ✓                         |
| AES Encryption on<br>Programming File          | $\checkmark$              | ✓                         |
| AES Key                                        | 128 bits                  | 128 bits                  |
| Years to Uncover Key                           | 149 trillion <sup>2</sup> | 149 trillion <sup>2</sup> |
| Permanent Lock Individual<br>Security Settings | $\checkmark$              | ✓                         |

- 1 Based on maximum JTAG clock frequency 20MHz
- 2 Using a computing system that could recover a DES key in one second (DES standard has a 56-bit key size)

[National Institute of Standards and Technology, "ADVANCED ENCRYPTION STANDARD (AES)

Questions and Answers," 28 January 2002, http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html]

### A3P/E & AFS Security Features Device Security Overview



#### Device Security Features

- Security Header
  - 128-bit FlashLock Key
  - 128-bit AES Key
  - Security Access Mode Control
- Built-in 128-bit AES Decryption Core
  - Decrypts Incoming Encrypted Programming Data Using AES
- Message Authentication Control (MAC)
- Flash Cells Located beneath Seven Metal Layers
  - Cannot Remove Layers without Disturbing the Charge on Programmed (or Erased) Flash Gates



# **Options for Security Features**



#### FlashLock Key Protection (without AES Encryption)

• Protection for FROM Only, FPGA Array Only, or Both

#### AES Encryption with FlashLock Key Protection

- AES Key Always Protected by FlashLock Key
  - AES-encrypted File Does NOT Contain FlashLock Key
- Encrypted for FROM Only, FPGA Array Only, or Both

#### ■ Can Update FROM and FPGA Arrays Independently with ...

- ... STAPL File in Plaintext Format OR
- ... STAPL File with AES-encrypted Programming Data
- STAPL Files Can Be for FROM Only, Array Only, or Both

| Security Options      | FROM | FPGA<br>Array | Both FROM and<br>FPGA Array |
|-----------------------|------|---------------|-----------------------------|
| No AES / No FlashLock | ✓    | $\checkmark$  | $\checkmark$                |
| FlashLock only        | ~    | ✓             | $\checkmark$                |
| AES and FlashLock     | ~    | ✓             | $\checkmark$                |

# **Security Header**



#### Security Header Contains Security Keys and Access Mode Control for Both Array and FROM

- FlashLock Key
- AES Key
- Array Security Setting
  - Access Control for both Write/Erase and Verify
  - Access Control for Encryption/No Encryption (Write/Erase, Verify)
- FROM Security Setting
  - Access Control for Write/Erase and Read
    - Verify Always Enabled
  - Access Control for Encryption/No Encryption (Write/Erase, Read)

# Message Authentication Control (MAC)



#### Authenticates Entire Programming Data Stream

- AES Decryption Core Decrypts STAPL File
- MAC Checks if Decrypted Data Is Recognizable
  - If Valid, Device Can Be Erased and Programmed
  - If Not, Software Prevents Programming Sequence from Starting
- Device Operation Still Allowed during Authentication

#### Detects Programming Data Corruption during Data Transfer into Device

 Validates each Data Packet before Programming Device



#### **ProASIC3/E** Device

# **Security Usage**



# **Security Usage**

Actel

**Software Settings** 

ProASIC Plus and ProASIC3/E Security Webinar

#### © 2005 Actel Confidential and Proprietary

| 2' |
|----|

| Security Settings - S                | tep 2 of 3                                                                                                                                 |                                                                                                                                                                                                                    |                                                                                                                                                                          |   |
|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| Set security level to the previously | y programmed value:                                                                                                                        |                                                                                                                                                                                                                    |                                                                                                                                                                          |   |
| Custom security                      | Security settings for FPGA Array:<br>- Lock the FPGA Array for writing.<br>- Use the Pass Key to write.<br>Security settings for FlashROM: |                                                                                                                                                                                                                    |                                                                                                                                                                          |   |
|                                      | <ul> <li>Use AES key to write or verify the Fla<br/>interface.</li> </ul>                                                                  | Custom Security Level                                                                                                                                                                                              |                                                                                                                                                                          | × |
| Daas Kou (may langth is 30 HEY s     | Custom Level                                                                                                                               | Security of the FPGA Array<br>• Lock for both writing and verifying<br>• Lock for writing<br>• Use AES key for both writing and verifying<br>• Allow write and verify<br>• Permanently lock the security settings. | Security of the FlashROM<br>Lock for both reading and writing<br>Lock for writing<br>Use AES key for both writing and verifying<br>Allow reading, writing, and verifying |   |
|                                      |                                                                                                                                            | ок                                                                                                                                                                                                                 | Cancel Help                                                                                                                                                              |   |

# Software Settings Custom Security Levels

User Can Choose Custom Settings





# Lock for Both Writing and Verifying

Allows Write/Erase and Verify only with Valid FlashLock Key

# Lock for Writing

- Allows Write/Erase only with Valid FlashLock Key
- Verify Is Allowed without Requiring FlashLock Key

# Use the AES Key for Both Writing and Verifying

- Allows Write/Erase and Verify only with a Valid AES Key in the Device
- Configures the Device to Accept an Encrypted Programming File for Reprogramming and Verifying FPGA Array
- Requires Valid AES Key in the Device

# Allow Write and Verify

 Allows Write/Erase and Verify with Plaintext STAPL File without Requiring a FlashLock Key or AES Key

# Implications of Security Levels Reading/Writing/Verifying FROM



### Lock for Both Reading and Writing

- Allows Write/Erase and Read only with a Valid FlashLock Key
- Verify Is Allowed without Requiring a FlashLock Key

### Lock for Writing

- Allows Write/Erase of the FROM only with a Valid FlashLock Key
- Read and Verify Is Allowed without Requiring a FlashLock Key

### Use the AES Key for Both Writing and Verify

- Allows Write/Erase and Verify only with a Valid AES Key in the Device
- This Configures the Device to Accept an Encrypted STAPL File for Reprogramming and Verifying the FROM
- Requires a Valid AES Key in the Device
- Read Is Disabled in this Mode
  - Encrypted FlashROM Contents Only Allow Verify

### Allow Reading, Writing, and Verifying

 Allows Write/Erase, Read, and Verify with a Plaintext STAPL File without Requiring a Valid FlashLock Key or AES Key

# **Security Usage**

Actel

**Security Use Models** 



# Scenarios

- Prototyping at design location
- Programming at trusted IHP location

# **NO Requirements for Security Settings**

- STAPL File Generation in Plaintext Format
- Encryption Not Required
  - STAPL Files Not Sent to Unknown Locations
- Locking Devices Optional
  - User Can Protect Programmed Devices

### **Trusted Environment** STAPL File Generation



# Select Silicon Features to Be Programmed

- Check FPGA Array, FROM (FlashROM in software), or Both
- Security Settings Optional

| FlashPoint - Programming File Generator for PA3 | - Step 1 of 2 🛛 🛛 🛛 |
|-------------------------------------------------|---------------------|
| Output filename:                                |                     |
| /design.stp                                     | Browse              |
| Silicon feature(s) to be programmed:            |                     |
| Security settings                               |                     |
| FPGA Array                                      |                     |
| RashROM                                         |                     |
| BashROM configeration file:                     |                     |
| F:\flashrom_example.ufc                         | Browse              |
| Programming previously secured device(s)        |                     |
| Silicon signature (max length is 8 HEX chars):  |                     |
|                                                 |                     |
|                                                 |                     |
|                                                 |                     |
|                                                 |                     |
|                                                 |                     |
|                                                 |                     |
|                                                 |                     |
| < Back Next >                                   | Finish Cancel Help  |



# Scenario

Production programming at contract manufacturers

# Pre-programming at Trusted Environment

- Devices Pre-programmed in-house with FlashLock Key and AES Key
- STAPL File Contains FlashLock Key / AES Key

# Final Programming Done in Non-trusted Environment

- STAPL File Generated with AES Encryption
  - For Array, FROM, or Both
- STAPL File MUST Be Encrypted with Same AES Key Used for Pre-programming
- STAPL File Does Not Contain FlashLock Key / AES Key

# Non-Trusted Environment Programming Flow





### Non-Trusted Environment STAPL File Generation – Pre-Programming Actel

### Configuring Security Header

- Check Security Settings Option
- Uncheck FPGA Array / FlashROM
- Select Desired Security Settings
- Enter FlashLock key (Pass Key in software) and AES Key

| FlashPoint - Programming                                                                                                                               | Security Settings - Step 2 of 2                                                                     |
|--------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Output filename:<br>//design.stp<br>Silicon feature(s) to be programmed:<br>Security settings<br>FPGA Array<br>RashROM<br>FlashROM configuration file: | Select security level:                                                                              |
| F:\flashrom_example.ufc<br>Programming previously secured device(s)<br>Silicon signature (max length is 8 HEX chars):                                  | Pass Key (max length is 32 HEX chars):       123456789012345678901234567890     Generate random key |
|                                                                                                                                                        | AES Key (max length is 32 HEX chars): DBF5C4D90D64501007098EC4DEE5F3BB Generate random key          |

ProASIC Plus and ProASIC3/E Security Webinar

# **Non-Trusted Environment** *STAPL File Generation – Programming*

# Configuring STAPL File for Encrypted Programming

Actel

- Check "Programming previously secured device(s)" Option
- Check FPGA Array Only, FlashROM Only, or Both
- Provide Same AES Key Previously Used for Pre-programming



### **Remote Field Updates** *Use Model*



### Scenario

 Devices reprogrammed remotely with updated information

### Update Design

- Update Design for FPGA Array Only, FROM Only, or Both
- STAPL File Generated with AES Encryption

### Encryption

• Must Be Encrypted with Same AES Key Previously Pre-programmed to Device

### Programming Update

• STAPL File Sent through Web or Service to Remote System



# Configuring STAPL File for Encrypted Programming

- Check "Programming previously secured device(s)" Option
- Check FPGA Array Only, FlashROM Only, or Both
- Provide Same AES Key Previously Programmed to Device

| FlashPoint - Programming File Gen                                                                                       | Security Settings - Step 2 of 2                                                                                                                                                                                                                                                                                                                                          |
|-------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Output filename:<br>./design.stp<br>Silicon feature(s) to be programmed:<br>Security settings<br>FPGA Array<br>FlashROM | Set security level to the previously programmed value:         -       -       Hiah         -       Protect with 128-bit Advanced Encryption Standard (AES) key and Pass Key         -       -         -       Medium         -       Use AES key to write or verify the FPGA Array.         -       Use AES key to write or verify the FlashROM via the JTAG interface. |
| FlashBOM_configuration file; F:\flashrom_example.ufc  Programming previously secured device(s)                          | - None Custom Level Default Level Pass Key (max length is 32 HEX chars):                                                                                                                                                                                                                                                                                                 |
| Silicon signature (max length is 8 HEX chars):                                                                          | Generate random key         AES Key (max length is 32 HEX chars):         DBF5C4D90D64501007098EC4DEE5F3BB         Generate random key                                                                                                                                                                                                                                   |

/ictel

# **Subscription Use Model**





OEM programs AES Key and FROM with a unique TAG



Part is deployed in 'box'





New feature is enabled and will only work with the correctly encrypted design supplied



OEM looks up AES Key based on TAG supplied

New feature-enabled design is encrypted with AES Key and sent to customer via Internet, satellite or direct to 'box' for secure ISP 'Customer' requests additional feature by supplying TAG value of 'box' over Internet



# **Security Usage**



**Permanent Lock** 

# A3P/E & AFS Permanent Security Settings



# Select 'Permanently Lock the Security Settings'

# No Changes to Security Settings Are Possible after Programming

| Security of the FPGA Array                                                                                                                                                         | Security of the FlashROM                   |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|
| $^{igodoldsymbol{	imes}}$ Lock for both writing and verifying                                                                                                                      | C Lock for both reading and writing        |
| • Lock for writing                                                                                                                                                                 | C Lock for writing                         |
| C Use AES key for both writing and verifying                                                                                                                                       | Use AES key for both writing and verifying |
| C Allow write and verify                                                                                                                                                           | C Allow reading, writing, and verifying    |
|                                                                                                                                                                                    |                                            |
| Permanently lock the security settings.                                                                                                                                            |                                            |
| <ul> <li>Permanently lock the security settings.</li> <li>Permanently lock the security settings.</li> <li>You cannot reprogram the following silic</li> <li>FPGA Array</li> </ul> | on features:                               |

# A3P/E & AFS Permanent Security Settings



### Permanent FlashLock

- Select the Following Settings in the Software
  - FPGA Array Lock for Both Writing and Verifying
  - FlashROM Lock for Both Reading and Writing
  - Permanently Lock the Security Settings
- Similar to APA Permanent Lock
  - FPGA Array Does Not Allow Reprogramming or Verifying
  - FlashROM Does Not Allow Reprogramming or Reading
    - Only Allows Verify



## **Fusion Features**



### Fusion – Programmable System Chip



#### Changes the competitive landscape

- The world's first mixed-signal FPGA
- Fusion unlocks creativity: New architecture provides configurability and new tools provide simplified design flow



### Fusion – Unprecedented Integration



#### Integrates across functional boundaries



ProASIC Plus and ProASIC3/E Security Webinar

### **Fusion Configurability Benefits**

#### In System Programmable

- Late-stage manufacturing
- Secure field updates
- Single update for firmware (flash) and hardware

#### Single chip, many projects

- One-stop shop and economies of scale
- Market-specific customization

#### Increase precision

On-the-fly analog dynamic range selection

#### Power optimization

Multiple configurable clocks sources and PLL

#### Configurable peripherals provide ultimate soft MCU platform



Acte

### Fusion: Analog Features





# Elements of Analog Block

- Selectable 8/10/12 bit resolution
- 32 input channels
- Up to 600K samples per second
- Internal reference voltage

#### Analog Quad (up to 10 Analog quads)

- Voltage monitor block
- Current Monitor block
- Temperature monitor block
- Gate control/driver block

#### 1.5V Voltage regulator



Actel

### Fusion ADC – Flexible to meet your needs



#### ■ 8/10/12 bit configurable resolution

#### Resources abound with 30 user input channels

- Plus 1 channel monitors device Vcc
- Plus 1 channel monitors internal temperature diode

#### Robust and accurate

| Resolution | Through put | TUE (total unadjusted error) |
|------------|-------------|------------------------------|
| ♦ 8 bit    | 600 ksps    | ± 2 LSB                      |
| ♦ 10 bit   | 550 ksps    | ± 4 LSB                      |
| ♦ 12 bit   | 500 ksps    | ± 6 LSB                      |

#### Configurable timing controls

- ADC interface clock max frequency 100MHz
- Selectable clock divider (divide by 4 to 1024) to generate ADC internal clock
- ADC internal clock frequency range 1 10MHz
- Sample and Hold
  - Selectable sample time 2 257 \* ADC internal clock period

### Fusion Analog I/O – Analog Quad





### Fusion: Analog Quad



#### Includes 4 analog interface pins

- AV pin Input: direct and prescaler voltage monitor
- AC pin Input: direct and prescaler voltage monitor, current monitor
- AT pin Input: direct and prescaler voltage monitor, temp monitor
- AG pin Output Power Fet gate control or high voltage, high drive output

### ■ Configurable as digital I/O

 AV, AC, AT pads can be used as high voltage, lower speed digital inputs (10 MHz max)

### Modular building block used on all Fusion family members

### Fusion: Only FPGA with Flash Memory



### Fusion: Flash Features





### Fusion: Flash Features (cont.)





#### **Flash Memory level:**

- FPGA access
- Password security
- JTAG access for programming

#### Page level:

- JTAG read / write protection
- Program/erase
- Partition on page boundaries

#### Block level error detect:

- Single error correct
- Double error detect

### **Module Security Features**



#### Status Flash Control of JTAG access to flash block

- Similar security for flash data as PA3/E design security
- 3 lock\_controls / module (read/write/encrypt)
- Chip "user pass code" overrides all JTAG locks
- Flash access through FPGA core must be secured by FPGA design

#### **1. JTAG write lock**

• Inhibits JTAG update of flash module

#### 2. JTAG read lock

Inhibits JTAG read of flash module

#### 3. Enforce Encrypted JTAG download stream

- Uses PA3's AES decryption engine
- Inhibits plain text download to flash module
- AES decrypt ensures integrity of received data stream (MAC check)



#### Inhibits JTAG read / write to a page

Independent read and write access controls

#### Does not inhibit access from FPGA core

### Set on page by page bases

- Set at design entry time
- Sets lock bits in page
- Overridden by user\_pass\_code match
- Modify protection mask by changing parameters at design entry and match of user\_pass\_code

# **Fusion Clocking**



### Fusion: Comprehensive Clocking resources





# Fusion builds up clocking resources:

- On chip clock sources:
  - CCC (6) / PLLs (1 or 2)
  - RC oscillator
  - Crystal Oscillator
- Real Time Counter (RTC)

#### ■ Use Models

- Internal 100MHz RC oscillator
  - ±1% over I-temp range
- Crystal OSC circuit
  - 32 KHz 20 MHz
- CCC/PLLs can multiply, divide, and phase shifts clock signals for user applications
  - Sources include: crystal Osc, RC Osc, or external clock
- RTC enables low power standby mode

### **Real Time Counter (RTC)**

# Actel

#### Added in the 3.3V section

#### Comprised of:

- Control / Status register which is access through ACM
- 40 bit counter
- 40 bit match register
- Input scaler 1/128
  - w/32 kHz clock bit 7 toggles as 1s tick
  - Full counter >20 yr life

#### Can be used for...

- Watchdog timer
- Track real time
- Long term timed alarms
- Life of product



### Voltage Regular (V-Reg)



#### Generates 1.5 V supply up to 500 mA

- Uses external pass transistor
- 1.5V supply is external to the device and can be routed to
  - Power FPGA
  - Embedded Flash

#### Single supply for both core and Embedded Flash

• Cannot be powered down independently

#### Configurable control includes:

- FPGA power down signal
- External wake up signal push button, wake up signal...
- Internal wake up RTC



Actel