Programmable logic devices (PLDs), programmable logic arrays (PLAs), complex programmable logic devices (CPLDs), and field programmable gate arrays (FPGAs) (collectively referred to herein as “PLDs”) are well known devices that can be programmed by a user to implement user-defined logic functions. PLDs, as described and claimed in numerous patents assigned to Xilinx, Inc., assignee of the present invention, allow a user to configure and reconfigure the programmable elements on the PLD to implement various logic functions. Because of this versatility, the functionality implemented on a PLD can be updated as improvements in design and efficiency occur, without requiring new silicon. In general, a PLD can be reconfigured with an improved design, instead of designing a new device.
Numerous different configuration memory technologies are used with PLDs to provide programmability. In general, these technologies can be categorized as either volatile, where the memory loses its state information when power is removed from the circuit, or nonvolatile, where state information is retained in the circuit even when power is removed from the circuit. PLDs typically use some combination of the two to accomplish desired functions. One particularly useful class of nonvolatile memories comprises those that can be programmed multiple times, such as erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), E2CMOS™ memory, flash memory, and magnetoresistive RAM (MRAM).
FIGS. 1A-1B illustrate simplified diagrams of several different types of PLDs that make use of such re-programmable nonvolatile configuration memory. As shown in FIG. 1A, PLD 100 includes device logic 105, e.g., various programmable logic blocks, interconnect blocks, and I/O blocks, and associated volatile configuration memory 110. Volatile configuration memory 110 is typically implemented as static random access memory (SRAM), and provides storage of the configuration data used to define the device functionality. SRAM is essentially infinitely re-configurable, but since it loses its programming once power has been removed from the device, it requires some nonvolatile memory source for the configuration data. In some implementations (not shown), traditional ROMs or programmable ROMs (PROMs) are used off-chip for this purpose. However, PLD 100 provides nonvolatile configuration memory 125 that eliminates the need for external configuration devices. When included in a device like PLD 100, nonvolatile configuration memory 125 provides more permanent, and in some cases re-programmable, storage for configuration information.
On device startup, configuration data is loaded into volatile configuration memory 110 from nonvolatile configuration memory 125. Interfaces are typically available in PLD 100 to access one or both of the memories. In this example, JTAG interface 120 is used by external devices and by device logic 105 to program nonvolatile configuration memory 125. An additional interface 115 (typically implemented as a serial or parallel data interface) provides direct I/O access to volatile memory 110.
FIG. 1B illustrates an alternate arrangement where the nonvolatile configuration memory is external to the PLD. Thus, PLD 150 includes device logic 155, volatile configuration memory 160, JTAG interface 170, and serial/parallel interface 165. Nonvolatile configuration memory 175 is on a separate integrated circuit, and includes its own JTAG interface 190, memory circuit 185 (implementing some type of nonvolatile memory), and serial/parallel interface 180. Examples of devices such as nonvolatile configuration memory 175 are described, for example, in U.S. Pat. No. 6,651,199, entitled “In-System Programmable Flash Memory Device with Trigger Circuit for Generating Limited Duration Program Instruction,” naming Farshid Shokouhi as the inventor, which is hereby incorporated by reference herein in its entirety. When PLD 150 starts up, configuration data is loaded into volatile configuration memory 160 from nonvolatile configuration memory 175.
The primary advantage of using nonvolatile configuration memory can be a significant disadvantage in some implementations where secure information is to be stored on the PLD. Secure information can include, for example, device programming providing security functions (e.g., encryption, hashing, one-way algorithms, pseudo-random number generation); security-related parameters (e.g., secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module; and private data (test data, personal information, etc.). When such secure information is stored in nonvolatile memory, it is more likely that the information can be compromised when the device itself is compromised or vulnerable.
Moreover, various standards for the security requirements of cryptographic modules, including, for example, the FIPS PUB 140-2, Security Requirements for Cryptographic Modules, as promulgated by the National Institute of Standards and Technology (NIST), require that devices possess some sort of zeroization capability. Zeroization is generally defined by NIST as a method of erasing electronically stored data, cryptographic keys, and cryptographic security parameters by altering or deleting the contents of the data storage to prevent recovery of the data.
Accordingly, it is desirable to have PLD architectures and usage methods that allow for safeguarding of security information when it is retained in nonvolatile, but typically reprogrammable, memory.