Intel ^® Agilex™ devices include many new and innovative security features.

These functions are managed by the Secure Device Manager (SDM).
Under the control of the SDM, the configuration data is deployed inside the FPGA via the on-chip configuration network.

Security services provided by SDM include:

Among the security functions of Intel® Agilex™ FPGA, we will introduce two typical security functions, Authentication and Encryption.

These two security features protect sensitive data, intellectual property, and the device itself from both remote and physical attacks.

Authentication is a function that prevents spoofing damage, such as changing the operation of the FPGA from the outside.

Create authentication keys and signature chains to constantly verify the integrity of device firmware and configuration bitstreams,
Ensure that configuration bitstreams are not loaded into Agilex FPGA devices with unexpected changes, such as corruption or malicious attacks, that they come from trusted sources.
This feature does not encrypt the configuration bitstream itself.

And the encryption key can use two types of eFuses: Virtual eFuse that can be changed and Physical eFuse that cannot be changed.

Encryption is a function that reduces the misappropriation of the configuration bitstream by a third party.
Sensitive design data such as the owner's IP and designs are protected, reducing the threat of intellectual property theft.

The configuration bitstream itself is encrypted with an AES encryption key, so even if the configuration bitstream is used elsewhere, the FPGA will not work without this encryption key.

The encryption key can use changeable Virtual eFuse, immutable Physical eFuse and Battery-Backup RAM (BBRAM).

There are three ways to store encryption keys: Virtual eFuse, Physical eFuse and BBRAM (Battery Backup RAM).
Virtual eFuse supports authentication and encryption, and you can change the encryption key later.

Physical eFuse also supports both authentication and encryption, but since the eFuse inside the FPGA device is disconnected and the encryption key is physically written, the security level is higher, but the encryption key cannot be changed later. you can't.
In addition to using JTAG to write the physical eFuse, it is also possible to write using a dedicated programmer at our programming center.

In the case of JTAG, it is essential to secure a stable power supply, but using a dedicated programmer makes it possible to write the encryption key stably.

BBRAM is also a battery-backed method that cannot be authenticated and only supports encryption.
When the battery backup runs out, the encryption key is automatically deleted, and after backing up with the battery again, a new encryption key can be written.