This video (6:31 min.) introduces the "Security" section of Intel® Agilex™ FPGAs.

Video Overview

Security in Agilex™ FPGAs

Agilex™ devices include a number of new and innovative security features. 
These features are managed by the Secure Device Manager (SDM). 
Under the management of the SDM, configuration data is deployed inside the FPGA via the on-chip configuration network.

Security Services Provided by SDM

The security services provided by SDM include

Agilex™ FPGA Security

Two of the most common security features of Agilex™ FPGAs are Authentication and Encryption. 
These two security features protect sensitive data, intellectual property, and the device itself from both remote and physical attacks.

Authentication

Authentication prevents spoofing attacks, such as an external party changing the behavior of an FPGA. 
It creates an authentication key and signature chain and constantly verifies the integrity of the device firmware and configuration bitstream to ensure that no configuration bitstream with unexpected changes, such as corruption or malicious attacks, is loaded into the Agilex FPGA device. to ensure that they are from a trusted source. 
This feature does not encrypt the configuration bitstream itself.

Two types of eFuses can be used for the encryption key: Virtual eFuse, which can be changed, and Physical eFuse, which cannot be changed.

Encryption

Encryption is a feature that reduces the risk of misappropriation of the configuration bitstream by third parties. 
It protects sensitive design data, such as the owner's IP and design, and reduces the threat of intellectual property theft. 
The configuration bitstream itself is encrypted with an AES encryption key so that even if the configuration bitstream is used elsewhere, the FPGA will not operate without this encryption key. 
The encryption key can be a Virtual eFuse, which can be changed, or a Physical eFuse and Battery-Backup RAM (BBRAM), which cannot be changed.

Types of Authentication and Encryption Keys

There are three types of methods for storing cryptographic keys: Virtual eFuse, Physical eFuse and Battery-Backup RAM (BBRAM).

Virtual eFuse supports both authentication and encryption, and the encryption key can be changed later. 
Physical eFuse also supports both authentication and encryption, although the level of security is higher since the eFuse inside the FPGA device is cut and the encryption key is physically written, However, the encryption key cannot be changed afterwards. 
The Physical eFuse can be written using JTAG or by using a dedicated programmer at our Programming Center. 
JTAG requires a stable power supply, but a dedicated programmer can be used to write the encryption key stably. The use of a dedicated programmer allows for the stable writing of encryption keys. 
BBRAM is a method that requires battery backup and supports only encryption, not authentication. 
When the battery backup runs out, the encryption key is automatically erased, and a new encryption key can be written after the battery backup again.

Reference

Numerous documents are available for Agilex™ FPGAs. 
Please refer to these linked documents for more detailed information.

• Agilex™ 7 Device Security User Guide
• Agilex™ 7 FPGAs and SoCs Device Overview
• Agilex™ 7 FPGAs and SoCs Device Data Sheet: F-Series and I-Series
• Agilex™ 7 FPGAs Documentation