Programmable integrated circuits may be configured to implement logic required by a developer and thus allow for fast development and realization of circuit designs. In the circuit design process, a target programmable integrated circuit may be configured with a circuit design to verify correct behavior of the circuit on the programmable IC. Wasted manufacturing costs due to faulty design may thus be avoided. Furthermore, programmable ICs allow logic to be reconfigured after deployment to correct newly discovered bugs or add additional functionality.
The reconfigurability of programmable ICs can pose a significant vulnerability for many applications. Exploiting the reconfigurable nature, an attacker may attempt to modify a circuit design after deployment to add unauthorized logic (Trojan horse logic) to the general function of the circuit design. For example, an attacker may attempt to modify a programmable IC to bypass security features of a system. As another example, an attacker may modify a programmable IC to retrieve sensitive data that may be stored in or retrieved by the programmable IC during operation. The risks are relevant to applications ranging from military defense systems to commercial banking systems, for example.
Many programmable ICs, such as field programmable gate arrays (FPGAs), use volatile configuration memory that is programmed using configuration data retrieved from an external memory or device every time the programmable IC is powered up. The configuration data loaded from the external memory is referred to as a configuration bitstream. Because the configuration bitstream is stored external to the programmable IC and must be transmitted to a configuration access port, the privacy of the design can be violated by an attacker who monitors the data on the configuration access port, e.g., by putting probes on board traces. Efforts have been made to encrypt designs, but it is difficult to make the design both secure from attackers and easy to use by legitimate users. For example, the Data Encryption Standard (DES) and the more secure Advanced Encryption Standard (AES) algorithms are known for encrypting blocks of data. Cipher block chaining (CBC), in which each block of data is exclusive-ORed (XORed) with the immediately previous ciphertext block (or an initialization vector for the first block) and then encrypted, allows DES or AES to encrypt a serial stream of data, which makes them appropriate for encrypting a bitstream for configuring a programmable IC. A key used for encrypting the design must somehow be communicated in a secure way to the programmable IC so that the configuration bitstream may be decrypted and used to configure programmable resources of the programmable IC. Once the programmable IC has been configured using the unencrypted design, the design must continue to be protected from unauthorized discovery.
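The following is an added example, not part of the original text, that walks through the CBC chaining described above over a constructed block-aligned bitstream. The 128-bit block cipher used here is a placeholder Feistel permutation built from SHA-256 so the example runs with only the standard library; it stands in for AES or DES and is not a real cipher. The key, initialization vector and bitstream contents are all constructed values. Besides the encrypt/decrypt round trip, `corrupted_blocks` shows CBC's error-propagation property (a damaged ciphertext block corrupts its own plaintext block entirely and the next block in one position), and decrypting with a wrong key simply returns different bytes with no error, which is why encryption alone does not tell the programmable IC whether a bitstream is genuine.

```python
import hashlib

BLOCK = 16  # bytes per cipher block (same width as an AES-128 block)

# Constructed example values; a real deployment uses a secret key and a fresh IV.
KEY = hashlib.sha256(b"constructed example key").digest()[:16]
IV = bytes.fromhex("00112233445566778899aabbccddeeff")
BITSTREAM = bytes(range(64))  # constructed 4-block "configuration bitstream"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function of the placeholder cipher (assumption: not AES/DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Placeholder 128-bit block permutation (SHA-256 Feistel network).

    Used only so the CBC logic can run offline; not a vetted cipher.
    """
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round_function(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Inverse of block_encrypt: run the Feistel rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _round_function(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block
    (the IV for the first block), then encrypt the result."""
    if len(plaintext) % BLOCK:
        raise ValueError("bitstream must be a whole number of blocks")
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC decryption: decrypt each block, then XOR with the previous
    ciphertext block. Any key 'succeeds'; a wrong key yields garbage."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a whole number of blocks")
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i : i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def corrupted_blocks(key: bytes, iv: bytes, ciphertext: bytes, byte_index: int) -> list:
    """Flip one ciphertext bit and report which plaintext blocks change.

    Illustrates CBC chaining: block i is fully garbled and block i+1 gets a
    single-bit error; all other blocks decrypt correctly."""
    damaged = bytearray(ciphertext)
    damaged[byte_index] ^= 0x01
    good = cbc_decrypt(key, iv, ciphertext)
    bad = cbc_decrypt(key, iv, bytes(damaged))
    return [
        i // BLOCK
        for i in range(0, len(good), BLOCK)
        if good[i : i + BLOCK] != bad[i : i + BLOCK]
    ]


if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, BITSTREAM)
    print("round trip ok:", cbc_decrypt(KEY, IV, ct) == BITSTREAM)
    print("blocks hit by a 1-bit error in block 1:", corrupted_blocks(KEY, IV, ct, 20))
    print("wrong key still returns output:", len(cbc_decrypt(bytes(16), IV, ct)))
```

The `corrupted_blocks` helper is the practical face of the chaining rule: because each plaintext block depends on exactly two ciphertext blocks, a transmission error on the configuration port is contained rather than cascading through the whole bitstream, but by the same token the decryptor has no built-in way to notice that the bitstream was altered or was encrypted under a different key.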
Some previous encryption approaches store a decryption key in nonvolatile memory in a programmable IC, load an encrypted bitstream into the programmable IC, and then decrypt the encrypted bitstream using the stored key. It is possible, however, to discover the program states of non-volatile memories, and consequently to reverse-engineer proprietary circuit designs. For example, some memory technologies, such as antifuses, are vulnerable to inspection under a microscope. Likewise, memory technologies that rely on stored charge can be attacked by chemically treating memory cells to determine their charge states after removing overlaying metal layers. If the decryption key can be retrieved from non-volatile memory, an attacker may decrypt the circuit design and encrypt a Trojan circuit design using the cryptographic key.
For ease of reference, the process in which the decryption key is stored in the programmable IC may be referred to as initialization. Likewise, for ease of reference, the process of programming the programmable resources of the programmable IC with the decrypted bitstream may be referred to as configuration or startup and such terms may be used interchangeably herein.
Another method stores the cryptographic key in a battery-backed volatile memory of the programmable IC. The battery-backed memory includes anti-tamper measures configured to disconnect the battery from the volatile memory if an attacker attempts to physically access the memory. Once the battery is disconnected, the volatile memory will be cleared, and the cryptographic key will be set to a default value (e.g., 0). This method works well to prevent an attacker from decrypting the bitstream, but does little to prevent an attacker from replacing the bitstream outright. All the attacker needs to do is disconnect the battery to reset the cryptographic key to a value of 0, and program the programmable IC using an unencrypted Trojan bitstream.
One or more embodiments may address one or more of the above issues.