Single Chip Cryptographic (“SCC”) technology enables FPGA designs to process both unencrypted (“red”) and encrypted (“black”) data on a single field-programmable gate array (“FPGA”) by enabling fail-secure data separation via physical separation between two or more regions, or “partitions” within the FPGA. A design can be created that isolates red data in one or more SCC partitions from black data in one or more other SCC partitions. As long as no communication paths exist between the physically separate partitions, the SCC technology alone ensures that the red and black data remain separate.
Issues arise when a design requires communication between the physically separate SCC partitions used to provide the fail-secure data separation. While SCC technology can ensure fail-secure data communications between the SCC partitions, it cannot control what information is placed on those data connections. If, within a particular design, a red data SCC partition sends red data to a black SCC partition, the red/black data separation has been violated in a manner that does not constitute an SCC technology failure. To allow communication between the physically separate SCC partitions, the design within both partitions must provide fail-secure data separation for the data that is sent over the data connections. Note that the fail-secure design solution that controls what data is sent over the data connections must operate within the SCC partitions to ensure red and black data separation. Together, this provides separation between the partitions, the connections, and the data over the connections.
The most common type of communication within an FPGA-based information system is a processor data bus communicating with peripherals or interfaces. The difficulty occurs when the FPGA's processor data bus is required to communicate with peripherals in more than one SCC partition. It must be ensured, with a high level of assurance, that data buses on the peripherals in black data SCC partitions are not exposed to red data contained within red data SCC partitions. Since FPGA processor systems typically use a common data bus, communication with a red peripheral would expose that data to the input ports of the black peripheral interfaces. A failure within the FPGA could expose red data on the data bus connected to the black data SCC partition. This situation would be a violation of the red/black separation.
One solution to the above-noted issues is to use multiple processors (in separate FPGAs or separate SCC partitions). One processor will process the red data and the other the black data. A communication method is established that does not use the common data bus. An obvious problem with this solution is the additional resource utilization it requires. Having a second processor costs FPGA resources as well as additional software resources to support it.
Another common solution is to use different data buses. A problem with this solution is that processors have a limited number of data buses. Many use one bus for software instructions and another for software data as well as peripheral data. If instructions and data are stored on external memory, a single data bus must be used for both instructions and data, which eliminates the possibility of using two separate buses. In this case, if the external memory is black, the entire bus must be black.
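The common-bus exposure and the "entire bus must be black" constraint described above can be checked mechanically from a bus connectivity list. The following is an added example, not part of the original text; the peripheral names, bus names and write list are constructed for illustration, and a write to a red peripheral is assumed to carry red data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str        # peripheral or memory interface (constructed names)
    partition: str   # colour of the SCC partition holding it: "red" or "black"
    bus: str         # processor data bus its input ports are wired to

def classify_buses(ports):
    """Map each bus to "red", "black" or "mixed" from the partitions wired to it."""
    colours = {}
    for p in ports:
        colours.setdefault(p.bus, set()).add(p.partition)
    return {bus: (next(iter(c)) if len(c) == 1 else "mixed")
            for bus, c in colours.items()}

def red_exposures(ports, write_targets):
    """List (black_port, red_target, bus) for each write to a red peripheral
    whose data lines also reach the input ports of a black partition.
    Address decode decides which port latches the data, not which ports see it."""
    by_name = {p.name: p for p in ports}
    hits = []
    for name in write_targets:
        target = by_name[name]
        if target.partition != "red":
            continue  # the passage only concerns red data reaching black ports
        hits += [(p.name, name, p.bus) for p in ports
                 if p.bus == target.bus and p.partition == "black"]
    return hits

# Constructed topology 1: one common data bus, with black external memory on it.
COMMON = [Port("crypto_keys", "red", "bus0"),
          Port("uart_tx", "black", "bus0"),
          Port("ext_mem", "black", "bus0")]
# Constructed topology 2: the same ports split across two separate buses.
SPLIT = [Port("crypto_keys", "red", "bus_red"),
         Port("uart_tx", "black", "bus_black"),
         Port("ext_mem", "black", "bus_black")]
WRITES = ["crypto_keys", "uart_tx"]  # constructed sequence of processor writes

if __name__ == "__main__":
    for label, topo in (("common bus", COMMON), ("separate buses", SPLIT)):
        print(label, classify_buses(topo), red_exposures(topo, WRITES))
```

A bus reported as "mixed" is one where the black-memory constraint and a red peripheral collide; the split topology only clears the check because it assumes the processor actually has a second data bus available.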