Specifications
Page 6 Steps for Implementing a Secure Configuration Flow
Using the Design Security Features in Altera FPGAs June 2012 Altera Corporation
Steps for Implementing a Secure Configuration Flow
To implement a secure configuration flow, follow these steps, which are shown in
Figure 1:
1. Generate the .ekp file and encrypt the configuration data.
The Quartus II configuration software always uses the user-defined 256-bit key to
generate a key programming file and an encrypted configuration file. The
encrypted configuration file is stored in an external memory, such as a flash
memory or a configuration device. For more information, refer to “Step 1:
Generate the .ekp File and Encrypt Configuration File” on page 6.
2. Program the user-defined 256-bit key into the FPGAs.
For more information, refer to “Step 2a: Program the Volatile Key into the FPGAs”
on page 18 and “Step 2b: Program the Non-Volatile Key into the FPGAs” on
page 19.
3. Configure the 40-nm or 28-nm FPGA device.
At power up, the external memory source sends the encrypted configuration file
to the FPGAs. The devices use the stored key to decrypt the file and to configure
itself. For more information about how to configure FPGAs with encrypted
configuration data, refer to “Step 3: Configure the 40-nm or 28-nm FPGAs with
Encrypted Configuration Data” on page 25.
Step 1: Generate the .ekp File and Encrypt Configuration File
To use the design security feature in the FPGAs, you must generate an .ekp file and
encrypt your configuration files using the Quartus II software (for 40-nm FPGAs,
make sure you use the same two 256-bit sequences for both. For the 28-nm FPGAs,
use only one 256-bit sequence for the key). The key is not saved into any
Quartus II-generated configuration files and the actual 256-bit key is generated from
the bit sequences. Thus, copying the key to another 40-nm or 28-nm FPGA is
impossible.
f To enable the design security feature, you must obtain a license file. Contact Altera
Technical Support for assistance.
Figure 1. Secure Configuration Flow
AES
Decryptor
FPGA
AES KEY
Encrypted
Configuration
Data
Encryption Key
Programming File
Encrypted
Configuration
Data
Configuration
Data
Step 1. Generate the Encryption Key Programming File
Encrypt Configuration Data and Store in External Memory
Quartus II
Step 2. Program Key into Devices
AES KEY
Volatile and
Non-Volatile
Key Storage
Memory
Storage
Encrypted
Configuration
Data
AES
Encryptor
Step 3. Configure the Devices Using
Encrypted Configuration Data