The invention relates to PLDs, more particularly to protection of designs loaded into a PLD through a bitstream.
A PLD (programmable logic device) is an integrated circuit structure that performs digital logic functions selected by a designer. PLDs include logic blocks and interconnect lines and typically both the logic blocks and interconnections are programmable. One common type of PLD is an FPGA (field programmable logic device), in which the logic blocks typically include lookup tables and flip flops, and can typically generate and store any function of their input signals. Another type is the CPLD (complex programmable logic device) in which the logic blocks perform the AND function and the OR function and the selection of input signals is programmable.
Problem with Storing Bitstream External to PLD
Designs implemented in PLDs have become complex, and it often takes months to complete and debug a design to be implemented in a PLD. When the design is going into a system of which the PLD is a part and is to be sold for profit, the designer does not want the result of this design effort to be copied by someone else. The designer often wants to keep the design a trade secret. Many PLDs, particularly FPGAs, use volatile configuration memory that must be loaded from an external device such as a PROM every time the PLD is powered up. Since configuration data is stored external to the PLD and must be transmitted through a configuration access port, the privacy of the design can easily be violated by an attacker who monitors the data on the configuration access port, e.g. by putting probes on board traces.
Current Solutions and Their Disadvantages
Efforts have been made to encrypt designs, but it is difficult to make the design both secure from attackers and easy to use by legitimate users. The encryption algorithm is not a problem. Several encryption algorithms, for example, the standard Data Encryption Standard (DES) and the more secure Advanced Encryption Standard (AES) algorithm, are known for encrypting blocks of data. The process of cipher block chaining (CBC), in which an unencrypted data word is XORed with the next encrypted data word before decryption allows the DES or AES to encrypt a serial stream of data and these are therefore appropriate for encrypting a bitstream for configuring a PLD. A key used for encrypting the design must somehow be communicated in a secure way between the PLD and the structure that decrypts the design, so the design can be decrypted by the PLD before being used to configure the PLD. Then, once the PLD has been configured using the unencrypted design, the design must continue to be protected from unauthorized discovery.
A Nov. 24, 1997 publication by Peter Alfke of Xilinx, Inc. entitled xe2x80x9cConfiguration Issues: Power-up, Volatility, Security, Battery Back-upxe2x80x9d describes several steps that can be taken to protect a design in an existing FPGA device having no particular architectural features within the FPGA to protect the design. Loading design configuration data into the FPGA and then removing the source of the configuration data but using a battery to maintain continuous power to the FPGA while holding the FPGA in a standby non-operational mode is one method. However, power requirements on the battery make this method impractical for large FPGA devices.
Nonvolatile configuration memory is another possibility. If the design is loaded at the factory before the device is sold, it is difficult for a purchaser of the configured PLD device to determine what the design is. However, a reverse engineering process in which the programmed device is decapped, metal layers are removed, and the nonvolatile memory cells are chemically treated can expose which memory cells have been charged and thus can allow an attacker to learn the design. Further, nonvolatile memory requires a more complex and more expensive process technology than standard CMOS process technology, and takes longer to bring to market.
It is also known to store a decryption key in nonvolatile memory in a PLD, load an encrypted bitstream into the PLD and decrypt the bitstream using the key within the PLD. This prevents an attacker from reading the bitstream as it is being loaded into the PLD, and does retain the key when power is removed from the PLD. Such an arrangement is described by Austin in U.S. Pat. No. 5,388,157. But this structure does not protect the user""s design from all modes of attack.
In addition to design protection, some users need data protection. They may have generated data within the PLD that should not be lost when the PLD loses power. It is desirable to protect such data.
There remains a need for a design protection method that is convenient, reliable, and secure.
The invention provides several structures and methods for protecting a PLD from unauthorized use and data loss.
If the PLD is configured by static RAM memory that must be loaded on power-up, the configuration data must be protected as it is being loaded into the device. As in the prior art, this is accomplished by encrypting the configuration data for storing it in a memory outside the integrated circuit device, loading one or more decryption keys into the PLD and maintaining the keys in the PLD when powered down, including a decryption circuit within the PLD that uses the key to decrypt the configuration data, generating decrypted configuration data within the PLD and configuring the PLD using the decrypted configuration data.
For additional security, rather than using nonvolatile memory to preserve keys, the invention preferably uses a battery connected to the PLD to preserve the key when power is removed from the PLD. Whereas it is possible to remove a PLD storing keys in nonvolatile memory, decap the PLD and observe which of the nonvolatile bits are programmed to logic 1 and which are programmed to logic 0, it is believed that it is very difficult to determine the contents of keys stored only in static memory cells since power must be maintained to the memory cells storing the keys in order for the keys to even be stored, and the PLD would have to be decapped, delayered, and probed while operating power is continuous to the PLD.
Ways an Attacker can Steal a Design Once Loaded into a PLD
If a key does not offer sufficient security, an attacker may break the encryption code and determine the value of the key. The well-known Data Encryption Standard DES used a 56-bit encryption key, and has been broken in a few hours by a sophisticated computer to reveal the key. DES is described by Bruce Schneier in xe2x80x9cApplied Cryptography Second Edition: protocols, algorithms, and source code in Cxe2x80x9d copyright 1996 by Bruce Schneier, published by John Wiley and Sons, Inc., at pages 265-278. If it is desirable to use such a well known encryption standard, then in order to increase security, the configuration data may be encrypted several times using different keys each time, thus strengthening the encryption code by about 256 each time the encryption is repeated. Or it may be encrypted using a first key, decrypted using a second key, and encrypted using a third key, a combination that is part of the triple DES standard. Other encryption algorithms may also be used, and it is not necessary to keep the algorithm secret since the security resides in the key. When the encryption method is symmetrical, the same keys used for encryption are stored in the PLD and used in reverse order for decryption.
In a PLD offering multiple keys, if the number of keys to be used and the addresses of all keys were provided in an unencrypted bitstream, an attacker might be able to attack the keys one at a time and more easily determine the key values. To avoid such attack, additional security is achieved by storing within the keys, not the bitstream, an indication of how many keys are to be used and whether a key is the last key of a set or whether more are to follow.
If the PLD offers the option of reading back the bitstream after it has been loaded into the PLD, another method that can be used by an attacker is to read back this bitstream. To avoid this method of attacking the design, in one embodiment, a PLD that offers readback and also offers encryption includes the ability to disable the readback feature when encryption has been used. In another embodiment, the PLD that offers the ability to read back encrypts the configuration data before it is read back.
Additionally, some PLDs offer the option of partial configuration (where several configuration addresses are specified for loading several portions of a design) and partial reconfiguration (where an existing design is not erased before new design data are loaded). If the PLD offers these options, an attacker could partially reconfigure a PLD to make successive portions of the design visible, and probably learn the whole design. To avoid such an attack, in one embodiment, partial configuration and reconfiguration of PLDs loaded with encrypted designs are disallowed. In another embodiment, several configuration addresses can be specified, but the addresses are encrypted.
Yet another mode of attack is to try to flip a bit that indicates the security status of the PLD. Lowering or raising the operating voltage, changing the temperature, and applying noise to certain ports come to mind. To protect against such bit-flipping, when the PLD is operating with a secured bitstream, a secure-mode flag is set, and in one embodiment, if this flag becomes unset, all configuration data is erased. In another embodiment that doesn""t allow for reconfiguration while the device is still operating, the configuration data is erased before any bitstream is sent.
Another mode of attack is to relocate portions of the encrypted bitstream so that when they are unencrypted they are placed into visible portions of the PLD not intended by the designer. To prevent this relocation, address information is used in the encryption and decryption processes so that sending a portion of an encrypted bitstream to a different PLD location from that intended by the designer will cause it to decrypt differently into data with no meaning. Cipher block chaining (CBC) is one effective means of achieving this result. In cipher block chaining, the decrypted data packet (block) is combined using the XOR function with the next data block before the next block is decrypted, thus the encrypted data for each data block depends on every block that preceded it and on the order of those blocks. Identical blocks of data will encrypt to different values depending on the value of the data blocks that preceded them. This way, if the order of the blocks is changed, the bitstream will not decrypt correctly because the place where the encrypted bitstream is rearranged will scramble subsequent data. Further, the initial CBC value can be modified to incorporate the address of the data to force the decrypted data to be placed at a specific location in order to decrypt correctly.
Alternatively, if the PLD allowed part of a design to be encrypted and part to be unencrypted, the attacker could add an unencrypted portion to the encrypted portion that would read out information about the encrypted portion of the design. Thus, additional security is achieved by permitting the design to be totally encrypted or totally unencrypted, but not to be mixed. Further to this, in one embodiment, when data are being encrypted, additional security is provided by allowing only a single full-chip configuration following a single starting address for the configuration data.
Further, in order to allow convenient testing and debugging and to allow the PLD manufacturer to communicate freely with its customers (the designers who produce the designs for configuring the PLD), the PLD has both encrypted and unencrypted modes of operating, and when operating in the encrypted mode, parts of the configuration bitstream that control loading of the configuration data into the PLD are still not encrypted.
As another mode of attack, if the PLD manufacturer gives information freely about the configuration bitstream format, including header information and addresses for loading configuration data, and gives information about the encryption method used, encrypting this well known information would expose the encryption key to possible discovery. Such exposure is avoided by encrypting only the actual configuration data and leaving control information unencrypted.
If the PLD manufacturer allows the key memory to be used in both secure and non-secure modes, an attacker could simply learn the keys by placing the key memory into non-secure mode and reading out the keys. To avoid such attack, the PLD manufacturer includes a circuit that causes all keys plus any configuration data loaded into the PLD to be erased when the key memory is moved to non-secure mode.