# Libero® SoC v2021.1 # Secure IP Flow for IP Vendors and Libero SoC Users ## Introduction Microchip has adopted IEEE<sup>®</sup> 1735-2014 and supports an encrypted IP design flow for the SmartFusion<sup>®</sup>2, IGLOO<sup>®</sup>2, RTG4<sup>®</sup>, and PolarFire<sup>®</sup> silicon families. - See section 2. Securing Your IP Core to secure your IP core. - See section 3. Running Libero SoC with Encrypted IP for information on running Libero SoC with encrypted IP. Together with its OEM tools, Synplify Pro® from Synopsys® (Synplify Pro ME I2013.09MSP1 or later), ModelSim (ModelSim 10.2c or later) from Mentor Graphics (both of which support IEEE 1735-2014), and Libero SoC (v11.3 or later) enable a seamless design flow for designers targeting SmartFusion2, IGLOO2, RTG4, and PolarFire, when they use encrypted IP cores in their design. The use of IP cores not only shortens the design cycle time but also provides proven and reliable design components for re-use in multiple applications. Using an IP core in the EDA design flow involves two conflicting considerations that must be resolved: IP security and IP interoperability across different EDA tools. # **Table of Contents** | Inti | oducti | ion | 1 | |------|--------------------------------------|------------------------------------------------------------------|----| | 1. | Libero SoC Secure IP Flow | | | | | 1.1. | Libero SoC Secure IP Design Flow Requirements | | | | 1.2. | IP Security and IP Interoperability Across Design Tools | | | | 1.3. | IEEE 1735-2014 Standards for IP and EDA Vendors | | | | 1.4. | Encryption Algorithms | | | | 1.5. | Encryption Envelopes | | | | 1.6. | Decryption Envelopes | | | 2. | Securing Your IP Core | | | | | 2.1. | Encryption of IP Core with IEEE 1735-2014 Scheme | 8 | | | 2.2. | Public Key from EDA Vendors | | | | 2.3. | Adding an Encryption Envelope to Your RTL | 1C | | | 2.4. | encryptP1735.pl Script | 12 | | | 2.5. | Packaging and Bundling the Encrypted IP and the Data Key | 15 | | 3. | Running Libero SoC with Encrypted IP | | | | | 3.1. | To run Libero SoC with Encrypted IP | 16 | | | 3.2. | Encrypted IP Design Flow Must Use Verilog Netlist from Synthesis | | | | 3.3. | Import Encrypted IP Core as HDL | | | | 3.4. | Run Synthesis | 19 | | | 3.5. | Run ModelSim Simulation | 20 | | | 3.6. | Libero SoC and Encrypted IPs | 20 | | | 3.7. | Frequently Asked Questions (FAQs) | 24 | | 4. | Revi | sion History | 25 | | 5. | Microchip FPGA Technical Support | | 26 | | | 5.1. | Customer Service | 26 | | | 5.2. | Customer Technical Support | 26 | | | 5.3. | Website | 26 | | | 5.4. | Outside the U.S | 26 | | The | e Micro | ochip Website | 27 | | Pro | duct ( | Change Notification Service | 27 | | Cu | stome | r Support | 27 | | Mic | crochip | Devices Code Protection Feature | 27 | | Le | gal No | tice | 28 | | | | rks | | | | | lanagement System | | | | | le Sales and Service | | | VVC | ııu vviU | 10 Outoo at 10 Oct 1106 | | # 1. Libero SoC Secure IP Flow The following sections describe the IP design flow requirements and algorithms. ## 1.1 Libero SoC Secure IP Design Flow Requirements The following table lists the software and hardware requirements for Designing with Secure IPs in Libero SoC. Table 1-1. Software and Hardware Design Requirements | Design Requirements | Description | | | |------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|--|--| | Hardware Requirements | | | | | SmartFusion2/IGLOO2 Family devices | This feature is supported for SmartFusion2/IGLOO2 family devices. | | | | Host PC or Laptop | Windows 64-bit Operating System (OS)/Linux 64-bit OS. | | | | Software Requirements | | | | | Libero System-on-Chip (SoC) | v11.3 or later. | | | | Synplify version | Synplify Pro ME I2013.09MSP1 or later. | | | | ModelSim version | ModelSim 10.2c or later. | | | | Encryption Script Requirements | | | | | OpenSSL | Most Linux and Cygwin have OpenSSL pre-installed. Provide OpenSSL installation location in "PATH" environment variable of system. | | | | Perl | Any version of Perl with the following packages installed: FindBin, Math, Getopt, File, and MIME. | | | | Cygwin (for Windows OS) | For executing Perl Script on Windows OS. | | | | Public Keys for encryption | Provided on request. | | | # 1.2 IP Security and IP Interoperability Across Design Tools The use of IP cores not only shortens the design cycle time but also provides proven and reliable design components for re-use in multiple applications. Using an IP core in the EDA design flow involves two conflicting considerations that must be resolved: IP security and IP interoperability across different EDA tools. #### 1.3 IEEE 1735-2014 Standards for IP and EDA Vendors IEEE 1735-2014 is an encryption scheme proposal adopted by most IP and EDA vendors to ensure the interoperability of IP cores among the IP vendors and EDA tools. The objective of IEEE 1735-2014 is to serve the IP vendors and the EDA community in the following ways: - For the IP vendor: Protect the security of the IP core in the design flow across different EDA tools. - For the IP core users and EDA tool vendors: Ensure the interoperability of the IP core across different EDA tools. ### 1.4 Encryption Algorithms Libero SoC supports the following encryption algorithms: - des-cbc - · 3des-cbc - aes128-cbc - aes256-cbc There are two major classes of encryption methodologies: Symmetric and Asymmetric. #### 1.4.1 Symmetric Encryption This encryption scheme uses a special string as a key to encrypt the data. The same key is used to decrypt the data (Figure 1-1). Examples of this type of encryption algorithms include: - · Data Encryption Standard (DES), such as des-cbc. - Triple DES, TDES, or Triple Data Encryption Algorithm (TDEA), which uses the DES algorithm three times, such as 3des-cbc. - Advanced Encryption Standard (AES), such as aes128-cbc and aes256-cbc. ### 1.4.2 Asymmetric Encryption This encryption scheme uses two different keys: one for encryption and another for decryption. The end user generates two keys, one public and another private. The end user distributes the public key to whoever needs it for encryption and keeps the private key to use for decryption (Figure 1-2). Common examples of asymmetric encryption algorithms are: - Diffie-Hellman (DH) - · Rivest, Shamir, and Adelman (RSA) #### 1.4.2.1 Two Levels of Encryption There are two levels of encryption when producing an encrypted IP core. Figure 1-1 shows the first level of encryption, where the IP core vendor uses a session (random) key to encrypt the IP content. Figure 1-2 shows the second level of encryption, where the IP core vendor uses the public keys from EDA vendors to encrypt the session key. A public key must be provided for each EDA tool to the IP core vendor. For Libero SoC customers who use third-party IP's in their design, the EDA vendors are: - Synopsys for Synplify Pro - · Mentor Graphics for ModelSim - · Microchip for Libero SoC The result of the first level of encryption is the encrypted data block. The Random session key required for symmetric encryption of the data block is generated by the encryptP1735.pl script. Figure 1-1. Data Encryption of Source Data IP The result of the second level of encryption is the encrypted session key. Figure 1-2. Session Key Encryption ## 1.5 Encryption Envelopes The Encryption envelope is the preamble to the IP in the HDL file. The IP core vendor must prepare an Encryption envelope for all EDA tools, which are used with the IP. The encryption envelope consists of pragma keywords (see section 2.3.3 Pragma Keywords) that provide the following information: - · Encryption version - · Encoding type - · Encryption agent - Key owner - Key name - · Key method #### Following is an example of an Encryption envelope. ``` module secret (a, b, sum, clk, rstn); input[7:0]a, b; input clk, rstn; output[8:0]sum; reg[8:0]sum; `pragma protect version=1 `pragma protect encoding=(enctype="base64") `pragma protect author="author-a", author info="author-a-details" `pragma protect encrypt agent="encryptP1735.pl", encrypt agent info="Synplify encryption scripts" `pragma protect key keyowner="Synplicity", key keyname="SYNP05 001", key method="rsa", key block `pragma protect key keyowner="Mentor Graphics Corporation", key keyname="MGC-VERIF-SIM- RSA-1", key method="rsa", key block `pragma protect key keyowner="Microsemi Corporation", key keyname="MSC-IP-KEY- RSA", key method="rsa", key block `pragma protect data_keyowner="ip-vendor-a", data_keyname="fpga-ip", data method="aes128-cbc" `pragma protect begin always @(posedge clk or negedge rstn) begin if (!rstn) sum <= 9'b0; else sum \le a + b; end `pragma protect end endmodule ``` Note: The encryption envelope identifies three EDA tool vendors/key owners. ### 1.6 Decryption Envelopes The Decryption envelope is the preamble to the encrypted IP. The Decryption envelope consists of pragma keywords (see section 2.3.3 Pragma Keywords) that provide the following information: - · Encryption version - · Encoding type - · Encryption agent - · Key owner - · Key name - Key method Following is a Verilog example of a Decryption envelope. ``` module secret (a, b, sum, clk, rstn); input[7:0]a, b; input clk, rstn; output[8:0]sum; reg[8:0]sum; `pragma protect begin protected `pragma protect version=1 `pragma protect author="author-a", author info="author-a-details" `pragma protect encrypt agent="encryptP1735.pl", encrypt agent info="Synplify encryption scripts" `pragma protect key keyowner="Synplicity", key keyname="SYNP05 001", key method="rsa" `pragma protect encoding=(enctype="base64", line length=76, bytes=256) `pragma protect key block NfR8W3gmxwh3Bj4QxA+Qi+BhD1CTnQv7KO4UGOOS27KzF4jtejZxAewyFaShFSqRn9tRNx+u7Ivw 1m2BydGyW7MAQx2ePgbrKQbRLaN8XF/iiUFUX0QXnWDZrxtgcVHULOsPXpwd25wNyeWQkTekAsln ubKiFDfNySxaP5W3SboZE0pMLqH+mpZlcvKljlE30uOAQQLjECEBGj1KxMZQ2hhUKLrXz34+9p68 tVzbM/u1TbsXvdPcN23UItAxNPSH5ND75rAviq7ACIVawH87/m2RshSDSVcmz7ndMpSJRQOFe2pd usuHdCFJm1YaEaCZYfqReV7RjCzbV48d3LPtoA== `pragma protect key keyowner="Mentor Graphics Corporation", key keyname="MGC-VERIF- SIM- RSA-1", key method="rsa" `pragma protect encoding=(enctype="base64", line length=76, bytes=128) `pragma protect key block boN+vsIsOJ/ Ihy7BF0MM2ZdaeY12zoepUP9xdDVn1ME3q51gqZtPjMtPqTQDvwbree7NngmOUGVm WbggEEW/ UWYWajwld641fsggKfu7kcFcMhLLBu0WHUVFvQjRhdiqcBWbEKM3900SCYTJnhQFPs0B RZqdCwOPvZ4IEAUqx4U= `pragma protect key keyowner="Microsemi Corporation", key keyname="MSC-IP-KEY-RSA", key method="rsa" `pragma protect encoding=(enctype="base64", line length=76, bytes=960) `pragma protect key block MIID4jANBgkqhkiG9w0BAQEFAAOCA88AMIIDygKCA8EAxvOR7+3o0rtdoggobQ7e 3LQ5Bhjfcudafujkinm+213ui89cvxjkaYKRDadsklgfklDGTFyiYUIKasKv3MrW xbaIlfktti2lBBdU/SDV83mLYKzAqe20/SaZR5FAZH8cyuUPxYOviHQ/fpqNwUao U/3jp4nvc76K/F014W56I/hXb23/0s8zzyny3qHfqcEu8Dn8OpNWDY4fZ4q9vQFB hmv71HjJl0NRvvJHrXYmCEwlWPQjzru+8lj4JhBx/9ChKskTpVB6vkV//IX5Od10 Zvaxh5x+xPCSKEgbmjv0uxaXtvnBJQa4xdMM7eHglGDSbZ2A13cg1qtxrCn05f6N Bc4EiyOT2iofDDtqoxdLZPb4L6UDIR+EY1o+111mDBrBvqn6hQtpUoi+bgWe+xtS ry30qmJkjjkejkJKJk+258uUI622kjlCCVGijj2145x9vnXXINiuOIuIj1K/a2dj kP+2A3Jvt53z8qv9Jij9xC90725pCl5Cziw4XsBsq+jJJEn4IpqvwqoA/7SkDpZp /ZSoVRqMfDvn60mzc/0Y6dtaX4FTsyJiduQBtKNtssGSVQGajOKEcfUOVqslkwuX ``` IPIODGoHEdFC4feve5uuucMbHw8pmjI0dYGz0XIcU5dZNW1yVvNaPXC7cKvIeuKS F3bogXenDzZ40/6+n9kRRS74vzdOMv5CSoxQOrQw0pBvWm0DyUFRTJ53GZAfbEz+1IU+cwAMmQR7FMpbJtaKJeNdccHe/n0m4kdnW6W00FxUVeUvbmcuRL8wVMHvXo586qDuHOk0LPXK+KLRr5P1QyD7b78t4PJOmbKgT0xQd8h1Oun2j61ZfQsvaguF0dM+QOO+EWoUU0+1I4eCzMG38R927w9kT8jJCPmIF2DT5tSB0JWIMC+Md6u0HFKUPG2C qbSB58Ykljvoiu70Avay79vAAREvjkjlVWYKLJMjiuvaweRGPWtKdeBXwOHNSFRY 1JekLYeGaSX0WzVcxQcA3flpGL+4SdjdRWDYK3wXv6QoQ9YVaq78nMIYUECtz+Yt py8dTIjdp3d+KDsJ8t0dYkvHETiv8QoDNeutIZZXgP0PhR1smfcEFeUTwe56nDDp BJJsyaybQhj76+tz1346gymRTEasBTlklnmu6XafYJ290fklsfdjkYjklaqoviDZ 10phMGkNCqUa0JslpPBuPbVAgEBB4R3MUNQZpR9W7GlIMW8KNBNtbn6qFYaMq2uG 6AmwTZAVfhru0yjnIELj3k3t/OS/YbA6wRFpg0GddNNRAgMBAAE= `pragma protect data\_keyowner="ip-vendor-a", data\_keyname="fpga-ip", data\_method="aes128-cbc" `pragma protect encoding=(enctype="base64", line\_length=76, bytes=128) `pragma protect data\_block RgKC7i4hx7zh3MLd50RYrZoCwPWFEyLwISIXDLkpkL6qFgFm1WmZEwFvZjNfQCNUgoSHeIRpxg9i lXnvMiBjQCiQVvMp32UtfSX625K8+yvJLMPdHQ8G/2qxa6ViHAhBhRcsSUl0XGskRmU3JvNuNfAk 0IoB1HpFEJ0Vv6vEI5g= `pragma protect end\_protected endmodule # 2. Securing Your IP Core As an IP vendor, you must protect your Intellectual Property and package your IP core in such a way that it is inter-operable with EDA tools without compromising security. Encryption is managed at two levels (see Figure 2-1): - · IP Core encryption - · Data Key encryption # 2.1 Encryption of IP Core with IEEE 1735-2014 Scheme Perform the following steps to encrypt the IP core with IEEE 1735-2014 scheme. - Obtain the Public Key (see section 2.2 Public Key from EDA Vendors) from each downstream EDA tool vendor. - Add the Encryption Envelopes (see section 1.5 Encryption Envelopes to the RTL code. Ensure that all required EDA tool vendors are included. - 3. Execute the encryptP1735 Perl script. Figure 2-1. IP Encryption **Encryption Steps (IP Vendor)** # 2.2 Public Key from EDA Vendors Obtain a public key from every downstream EDA tool vendor. Aggregate the Public Keys from the vendors into a single Public Keys Repository file. Following is an example of a file. **Note:** The following keys are dummy keys and do work. To request the public key file that contains all three public keys along with the Perl script to encrypt your files, email soc <a href="marketing@microsemi.com">marketing@microsemi.com</a>. ``` `pragma protect key keyowner="Synplicity",key keyname="SYNP05 001",key public key ----BEGIN PUBLIC KEY---- Public Key from Synopsys MIIBIjANBqkqhkiG9w0BAQEFAAOCAQ8AMIIBCqKCAQEAybsQaMidiCHZyh14wbXn UpP81K+jJY5oLpGqDfSW5PMXBVp0WFd1d32onXEpRkwxEJL1K4RqS43d0FG2ZQ11 irdimRKNnUtPxsrJzbMr74MOkwmG/X7SEe/lEgwK9Uk77cMEncLycI5yX4f/K909 WS5nLD+Nh6BL7kwR0vSevfePC1fkOa1uC7b7Mwb1mcqCLBBRP9/eF0wUIoxVRzjA +pJvORwhYtZEhnwvTblBJsnyneT1LfDi/D5WZoikTP/OKBiP87QHMSuVBydMA7J7 q6sxKB92hx2Dpv1ojds1Y5ywjxFxOAA93nFjmLsJq3i/P01v5TmtnCYX3Wkryw4B eQIDAQAB ----END PUBLIC KEY---- `pragma protect key keyowner="Mentor Graphics Corporation", key keyname="MGC-VERIF- SIM-RSA-1", key public key ----BEGIN PUBLIC KEY---- Public Key from Mentor Graphics MIGFMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBqQCnJfQb+LLzTMX3NRARsv7A8+LV 5SqMEJCvIf9Tif2emi4z0qtp8E+nX7QFzocTlClC6Dcq2qIvEJcpqUqTTD+mJ6qr JSJ+R4AxxCqvHYUwoT80Xs0QqRqkrGYxW1RUnNBcJm4ZULexYz89720j6rQ99n5e 1kDa/ eBcszMJyOkcGQIDAQAB ----END PUBLIC KEY---- `pragma protect key keyowner="Microsemi Corporation", key keyname="MSC-IP-KEY- RSA", key public key ----BEGIN PUBLIC KEY---- Public Key from Microchip MIID4 jANBqkqhkiG9w0BAQEFAAOCA88AMIIDyqKCA8EAxvOR7+3o0rtdogqobQ7e 3LQ5Bhjfcudafujkinm+213ui89cvxjkaYKRDadsklgfklDGTFyiYUIKasKv3MrW xbaIlfktti21BBdU/SDV83mLYKzAqe20/SaZR5FAZH8cyuUPxYOviHQ/fpqNwUao U/3jp4nvc76K/F014W56I/hXb23/0s8zzyny3gHfqcEu8Dn8OpNWDY4fZ4g9vQFB hmv71HjJl0NRvvJHrXYmCEwlWPQjzru+8lj4JhBx/9ChKskTpVB6vkV//IX5Od10 Zvaxh5x+xPCSKEgbmjv0uxaXtvnBJQa4xdMM7eHglGDSbZ2A13cg1qtxrCn05f6N Bc4EiyOT2iofDDtqoxdLZPb4L6UDIR+EY1o+111mDBrBvqn6hQtpUoi+bqWe+xtS ry30qmJkjjkejkJKJk+258uUI622kjlCCVGijj2145x9vnXXINiuOIuIj1K/a2dj kP+2A3Jvt53z8gv9Jij9xC90725pCl5Cziw4XsBsg+jJJEn4IpqvwgoA/7SkDpZp /ZSoVRgMfDvn60mzc/0Y6dtaX4FTsyJiduQBtKNtssGSVQGajOKEcfUOVgslkwuX IPIODGoHEdFC4feve5uuucMbHw8pmjI0dYGz0XIcU5dZNW1yVvNaPXC7cKvIeuKS F3bogXenDzZ40/6+n9kRRS74vzdOMv5CSoxQOrQw0pBvWm0DyUFRTJ53GZAfbEz+ 1IU+cwAMmQR7FMpbJtaKJeNdccHe/nOm4kdnW6W00FxUVeUvbmcuRL8wVMHvXo58 6qDuHOk0LPXK+KLRr5P1QyD7b78t4PJOmbKqT0xQd8h1Oun2j61ZfQsvaquF0dM+ QOO+EWoUU0+114eCzMG38R927w9kT8jJCPmIF2DT5tSB0JWIMC+Md6u0HFKUPG2C qbSB58Ykljvoiu70Avay79vAAREvjkjlVWYKLJMjiuvaweRGPWtKdeBXwOHNSFRY 1JekLYeGaSX0WzVcxQcA3flpGL+4SdjdRWDYK3wXv6QoQ9YVaq78nMIYUECtz+Yt py8dTIjdp3d+KDsJ8t0dYkvHETiv8QoDNeutIZZXgP0PhR1smfcEFeUTwe56nDDp BJJsyaybQhj76+tz1346qymRTEasBTlklnmu6XafYJ290fklsfdjkYjklaqoviDZ 10phMGkNCqUa0JslpPBuPbVAqEBB4R3MUNQZpR9W7GlIMW8KNBNtbn6qFYaMq2uG 6AmwTZAVfhru0yjnIELj3k3t/OS/YbA6wRFpg0GddNNRAgMBAAE= ----END PUBLIC KEY---- ``` # 2.3 Adding an Encryption Envelope to Your RTL You must add the Encryption envelopes (see section 1.5 Encryption Envelopes) to the RTL codes. All EDA tools that need access to the encrypted data block must be included and identified as a key owner in the Encryption envelope. Following is an example of a Verilog IP core and a VHDL IP core with an Encryption envelope. The envelope identifies Microchip, Synopsys, and Mentor Graphics as key owners. ### 2.3.1 Verilog IP Core with Encryption Envelope ``` module secret (a, b, sum, clk, rstn); input[7:0]a, b; input clk, rstn; output[8:0]sum; reg[8:0]sum; `pragma protect version=1 `pragma protect encoding=(enctype="base64") `pragma protect author="author-a", author info="author-a-details" `pragma protect encrypt agent="encryptP1735.pl", encrypt agent info="Symplify encryption scripts" `pragma protect key keyowner="Synplicity", key keyname="SYNP05 001", key method="rsa", key block `pragma protect key keyowner="Mentor Graphics Corporation", key keyname="MGC-VERIF- SIM-RSA-1", key_method="rsa", key_block `pragma protect key keyowner="Microsemi Corporation", key keyname="MSC-IP-KEY- RSA", key method="rsa", key block `pragma protect data keyowner="ip-vendor-a", data keyname="fpga-ip", data method="aes128-cbc" `pragma protect begin always @(posedge clk or negedge rstn) begin if (!rstn) sum <= 9'b0; else sum \le a + b; end `pragma protect end endmodule ``` #### 2.3.2 VHDL IP Core with Encryption Envelope ``` library ieee ; use ieee.std_logic_1164.all; use ieee.std_logic_unsigned.all; entity counter is generic(n: natural :=2); port(clock:in std_logic; clear:in std_logic; count:in std_logic; Q:out std_logic_vector(n-1 downto 0) ); end counter; architecture behv of counter is signal Pre_Q: std_logic_vector(n-1 downto 0); begin `protect version=1 `protect encoding=(enctype="base64") `protect author="author-a", author info="author-a-details" ``` # **Securing Your IP Core** ``` `protect encrypt_agent="encryptP1735.pl", encrypt_agent_info="Synplify encryption scripts" `protect key_keyowner="Synplicity",key_keyname="SYNP05_001",key_method="rsa",key_block `protect key keyowner="Mentor Graphics Corporation",key keyname="MGC-VERIF-SIM-RSA- 1", key method="rsa", key block `protect key_keyowner="Microsemi Corporation",key_keyname="MSC-IP-KEY- RSA", key_method="rsa", key_block `protect data keyowner="ip-vendor-a", data keyname="fpga-ip", data method="aes128-cbc" `protect begin process(clock, count, clear) begin if clear = '1' then Pre_Q <= Pre_Q - Pre_Q;</pre> elsif (clock='1' and clock'event) then if count = '1' then Pre Q <= Pre Q + 1; end if;</pre> end if; end process; Q <= Pre Q; `protect end end behv; ``` ### 2.3.3 Pragma Keywords The following table lists the Pragma keywords in the Encryption envelope. Table 2-1. Pragma Keywords | Pragma Keywords | Description | |------------------|----------------------------------------------------| | begin | Opens a new encryption envelope | | end | Closes an encryption envelope | | begin_protected | Opens a new decryption envelope | | end_protected | Closes a decryption envelope | | author | Identifies the author of an envelope | | author_info | Specifies additional author information | | encoding | Specifies the coding scheme for the encrypted data | | data_keyowner | Identifies the owner of the data encryption key | | data_method | Identifies the data encryption algorithm | | data_keyname | Specifies the name of the data encryption key | | data_public_key | Specifies the public key for data encryption | | data_decrypt_key | Specifies the data session key | | key_keyowner | Identifies the owner of the key encryption key | | key_method | Specifies the key encryption algorithm | # **Securing Your IP Core** | continued | | | | |-----------------|----------------------------------------------|--|--| | Pragma Keywords | Description | | | | key_keyname | Specifies the name of the key encryption key | | | | key_public_key | Specifies the public key for key encryption | | | | key_block | Begins an encoded block of key data | | | | version | P1735 encryption version | | | # 2.4 encryptP1735.pl Script Execute the <code>encryptP1735.pl</code> script to encrypt your IP. The <code>encryptP1735</code> script is a Perl script that Synopsys provides to IP vendors for encryption of their IP cores. #### Notes: - Before running the script, make sure that the OpenSSL is installed on your machine. OpenSSL is required for the script to work. - For Windows OS, it is recommended that the script is executed in the Cygwin Environment on Windows. The following example command invokes the script with a random key to encrypt the data block: perl./encryptP1735.pl -input secret.v -output secret\_enc.v -pk public\_keys.txt -v -om encrypted #### where: | -input secret.v | Specifies secret.v as the input file to the script. The input file is the non-encrypted HDL file containing one or more encryption envelopes. | | |----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--| | -output secret_enc.v | Specifies secret_enc.v as the name of the encrypted output file after running the encryption script. | | | -pk public_keys.txt | Specifies <code>public_keys.txt</code> as the public keys repository file. This file contains public keys for all downstream EDA tools. The public keys file must include public keys for all EDA vendors mentioned in the Encryption envelope. | | | -om encrypted | Specifies how the IP is treated when generating the synthesis netlist; encrypted is the default mode. In this mode, the same data key used for encryption of the IP is used in the output synthesis netlist. | | | -V | Specifies that the script runs in Verbose mode. | | #### 2.4.1 Output Encrypted File The output file generated by the script contains Pragma directives for decrypting the encrypted data (IP core) and the data key that encrypts the data. The following example shows a Verilog and a VHDL of the output. ### 2.4.1.1 Output Encrypted Verilog ``` `pragma protect encoding=(enctype="base64", line length=76, bytes=256) ``` Block NfR8W3gmxwh3Bj4QxA+Qi+BhD1CTnQv7KO4UGOOS27KzF4jtejZxAewyFaShFSqRn9tRNx+u7Ivw 1m2BydGyW7MAQx2ePgbrKQbRLaN8XF/iiUFUX0QXnWDZrxtgcVHULOsPXpwd25wNyeWQkTekAsln ubKiFDfNySxaP5W3SboZE0pMLqH+mpZlcvKlj1E30uOAQQLjECEBGj1KxMZQ2hhUKLrXz34+9p68 tVzbM/u1TbsXvdPcN23UItAxNPSH5ND75rAviq7ACIVawH87/m2RshSDSVcmz7ndMpSJRQOFe2pd usuHdCFJm1YaEaCZYfqReV7RjCzbV48d3LPtoA== `pragma protect key\_keyowner="Mentor Graphics Corporation", key\_keyname="MGC-VERIF-SIM- RSA-1", key method="rsa" `pragma protect encoding=(enctype="base64", line length=76, bytes=128) Block boN+vsIsOJ/Ihy7BF0MM2ZdaeY12zoepUP9xdDVnlME3q51gqZtPjMtPqTQDvwbree7NngmOUGVm WbggEEW/UWYWajwld641fsggKfu7kcFcMhLLBu0WHUVFvQjRhdiqcBWbEKM39O0SCYTJnhQFPs0B RZqdCwOPvZ4IEAUqx4U= `pragma protect key\_keyowner="Microsemi Corporation", key\_keyname="MSC-IP-KEY-RSA", key method="rsa" `pragma protect encoding=(enctype="base64", line length=76, bytes=960) `pragma protect key block Microchip Key Block MIID4jANBgkqhkiG9w0BAQEFAAOCA88AMIIDygKCA8EAxvOR7+3o0rtdoggobQ7e 3LQ5Bhjfcudafujkinm+213ui89cvxjkaYKRDadsklgfklDGTFyiYUIKasKv3MrW xbaIlfktti2lBBdU/SDV83mLYKzAqe20/SaZR5FAZH8cyuUPxYOviHQ/fpqNwUao U/3jp4nvc76K/F014W56I/hXb23/0s8zzyny3gHfqcEu8Dn8OpNWDY4fZ4g9vQFB hmv71HjJl0NRvvJHrXYmCEwlWPQjzru+8lj4JhBx/9ChKskTpVB6vkV//IX5Od10 Zvaxh5x+xPCSKEgbmjv0uxaXtvnBJQa4xdMM7eHglGDSbZ2A13cg1qtxrCn05f6N Bc4EiyOT2iofDDtqoxdLZPb4L6UDIR+EY1o+1llmDBrBvqn6hQtpUoi+bgWe+xtS ry30qmJkjjkejkJKJk+258uUI622kjlCCVGijj2145x9vnXXINiu0IuIj1K/a2dj kP+2A3Jvt53z8qv9Jij9xC90725pCl5Cziw4XsBsq+jJJEn4IpqvwqoA/7skDpZp /ZSoVRgMfDvn60mzc/0Y6dtaX4FTsyJiduQBtKNtssGSVQGajOKEcfUOVgslkwuX IPIODGoHEdFC4feve5uuucMbHw8pmjI0dYGz0XIcU5dZNW1yVvNaPXC7cKvIeuKS F3bogXenDzZ40/6+n9kRRS74vzdOMv5CSoxQOrQw0pBvWm0DyUFRTJ53GZAfbEz+1IU+cwAMmQR7FMpbJtaKJeNdccHe/nOm4kdnW6W00FxUVeUvbmcuRL8wVMHvXo58 6qDuHOk0LPXK+KLRr5P1QyD7b78t4PJOmbKgT0xQd8h1Oun2j61ZfQsvaguF0dM+QOO+EWoUU0+1I4eCzMG38R927w9kT8jJCPmIF2DT5tSB0JWIMC+Md6u0HFKUPG2C qbSB58Ykljvoiu70Avay79vAAREvjkjlVWYKLJMjiuvaweRGPWtKdeBXwOHNSFRY 1JekLYeGaSX0WzVcxQcA3flpGL+4SdjdRWDYK3wXv6QoQ9YVag78nMIYUECtz+Yt py8dTIjdp3d+KDsJ8t0dYkvHETiv8QoDNeutIZZXgP0PhR1smfcEFeUTwe56nDDp BJJsyaybQhj76+tz1346gymRTEasBTlklnmu6XafYJ290fklsfdjkYjklaqoviDZ 1OphMGkNCqUa0JslpPBuPbVAgEBB4R3MUNQZpR9W7GlIMW8KNBNtbn6qFYaMq2uG 6AmwTZAVfhru0yjnIELj3k3t/OS/YbA6wRFpg0GddNNRAgMBAAE= `pragma protect data\_keyowner="ip-vendor-a", data\_keyname="fpga-ip", data\_method="aes128-cbc" `pragma protect encoding=(enctype="base64", line length=76, bytes=128) RqKC7i4hx7zh3MLd50RYrZoCwPWFEyLwISIXDLkpkL6qFqFm1WmZEwFvZjNfQCNUqoSHeIRpxq9i 1XnvMiBjQCiQVvMp32UtfSX625K8+yvJLMPdHQ8G/2qxa6ViHAhBhRcsSU10XGskRmU3JvNuNfAk0IoB1HpFEJ0Vv6vEI5q= `pragma protect end protected endmodule #### 2.4.1.2 Output Encrypted VHDL library ieee ; use ieee.std\_logic\_1164.all; <sup>`</sup>pragma protect key\_block Synopsys Key <sup>`</sup>pragma protect key block Mentor Graphics Key # **Securing Your IP Core** ``` use ieee.std logic unsigned.all; entity counter is generic(n: natural :=2); port(clock:in std logic; clear:in std logic; count:in std logic; Q:out std logic vector(n-1 downto 0) ) ; end counter; architecture behv of counter is signal Pre Q: std logic vector(n-1 downto 0); begin `protect begin protected `protect version=1 `protect author="author-a", author info="author-a-details" `protect encrypt agent="encryptP1735.pl", encrypt agent info="Synplify encryption scripts" `protect key keyowner="Synplicity", key keyname="SYNP05 001", key method="rsa" `protect encoding=(enctype="base64", line length=76, bytes=256) `protect key block Synopsys Key Block EzupxwpLZCgcCoy7O42J4O6TjEXDsFH1EXYIfYKVXIsm/8incqBuPuWZ26osQcaeqOtanunB71Po sTFj1ZBLLgsDLE/P17j8PhcxhySoKy/8TkZClQf7osKMbfeFAMFtIOAqjGT4Ab2F9DdosbC6QkNY FCVLJSk5nNBeA6bslznTicV416exZcHTV5tJycz2vkFVlRY+BBtcXlhBrxCZSguf90wHkr00cufC jKaHE//kfF1dlJ1jjcuidCnJ5r0tG3BDWFQ7f/ClH6H9IkqikEfDy2qG04Kz1N8OF6sH2MKCj405 ye7d1aH+QH3FrTmoNgnVg9f7McoZ0Ito4Z1qCQ== `protect key keyowner="Mentor Graphics Corporation", key keyname="MGC-VERIF-SIM- RSA-1", key method="rsa" `protect encoding=(enctype="base64", line length=76, bytes=128) `protect key block Mentor Graphics Key Block Pfy8Cgmz1tqEDSqqkQ+/HYByVzO7Iq9WS1fEgti2EYSXVTU974UChUeOJwTJUA5z24gL1gI2QF3I SYQs6NqHG84V+DMh9s3biK9UDHz4KJqa5Xrsx6QwvD6co3rZ09bzNPL8w9uGaPK40DXWTQbY0T6W pDdIw9u4pvhII/2L5eY= `protect key keyowner="Microsemi Corporation", key keyname="MSC-IP-KEY-RSA", key_method="rsa" `protect encoding=(enctype="base64", line length=76, bytes=960) `protect key block Microchip Key Block MIID4jANBgkqhkiG9w0BAQEFAAOCA88AMIIDygKCA8EAxvOR7+3o0rtdoggobQ7e 3LQ5Bhjfcudafujkinm+213ui89cvxjkaYKRDadsklgfklDGTFyiYUIKasKv3MrW xbaIlfktti21BBdU/ SDV83mLYKzAqe20/SaZR5FAZH8cyuUPxYOviHQ/fpqNwUao U/3jp4nvc76K/F014W56I/ hXb23/0s8zzyny3gHfqcEu8Dn8OpNWDY4fZ4g9vQFB hmv71HjJ10NRvvJHrXYmCEwlWPQjzru+8lj4JhBx/ 9ChKskTpVB6vkV//IX50d10 Zvaxh5x+xPCSKEgbmjv0uxaXtvnBJQa4xdMM7eHglGDSbZ2A13cg1qtxrCn05f6N Bc4EiyOT2iofDDtqoxdLZPb4L6UDIR+EY1o+111mDBrBvqn6hQtpUoi+bgWe+xtS ry30qmJkjjkejkJKJk+258uUI622kjlCCVGijj2145x9vnXXINiuOIuIj1K/a2dj kP+2A3Jvt53z8gv9Jij9xC90725pCl5Cziw4XsBsg+jJJEn4IpqvwgoA/7SkDpZp /ZSoVRqMfDvn60mzc/0Y6dtaX4FTsyJiduQBtKNtssGSVQGajOKEcfUOVqs1kwuX IPIODGoHEdFC4feve5uuucMbHw8pmjI0dYGz0XIcU5dZNW1yVvNaPXC7cKvIeuKS F3bogXenDzZ40/6+n9kRRS74vzdOMv5CSoxQOrQw0pBvWm0DyUFRTJ53GZAfbEz+ 1IU+cwAMmQR7FMpbJtaKJeNdccHe/nOm4kdnW6W00FxUVeUvbmcuRL8wVMHvXo58 ``` 6qDuHOk0LPXK+KLRr5P1QyD7b78t4PJOmbKgT0xQd8h1Oun2j61ZfQsvaguF0dM+QOO+EWoUU0+114eCzMG38R927w9kT8jJCPmIF2DT5tSB0JWIMC+Md6u0HFKUPG2C qbSB58Ykljvoiu70Avay79vAAREvjkjlVWYKLJMjiuvaweRGPWtKdeBXwOHNSFRY 1JekLYeGaSX0WzVcxQcA3flpGL+4SdjdRWDYK3wXv6QoQ9YVag78nMIYUECtz+Yt py8dTIjdp3d+KDsJ8t0dYkvHETiv8QoDNeutIZZXgP0PhR1smfcEFeUTwe56nDDp BJJsyaybQhj76+tz1346gymRTEasBTlklnmu6XafYJ290fklsfdjkYjklaqoviDZ 1OphMGkNCqUa0JslpPBuPbVAgEBB4R3MUNQZpR9W7GlIMW8KNBNtbn6qFYaMq2uG 6AmwTZAVfhru0yjnIELj3k3t/OS/YbA6wRFpg0GddNNRAgMBAAE= `protect data\_keyowner="ip-vendor-a", data\_keyname="fpga-ip", data\_method="aes128-cbc" `protect encoding=(enctype="base64", line\_length=76, bytes=288) `protect data block Data (IP core) Block +m/P6uHpXWo/2MDE81nrIGmBHe6DSUtiNm7PkpwC+dMErJ9rG4vuwDcoqErHHk4oToYBn4ZavftY DJc1W3U7+dxEN31VcgRsWveZZ0ePIfkkEKhp7cSgfFt5kFfwPEoMHPDhAPeElMr84o0pYEiFd06V GwOJgULvGsFedDKwWnTn6O9FbtKBKuKy18NG27C89GRtkr4UhguNgVDJKs/O8E9bHlSlyxSh2sD4 GnTPLAVC4NONi4HjsBhxVGvq04yjbJwOHohjI/WeY26ZqHJN7jqkKrdOhXTi/DRoCY15vjfvALr1 kzErv8zjc9qGqBWucHhmUgwfKzp6p8XfFPHTZ1OnsKigVN9Q8Kmu6ZmN3nYadlK8ASo4A7q3v9mA otx6 `protect end protected end behv; # 2.5 Packaging and Bundling the Encrypted IP and the Data Key When you execute the <code>encryptP1735.pl</code> script, you bundle and package the Encrypted IP and the Encrypted Data Key together in one single file, which is the output of the script. This file is ready for delivery to your customers. # 3. Running Libero SoC with Encrypted IP Libero SoC software v11.3 or later supports the use of third-party encrypted IP cores in the design flow for SmartFusion2, IGLOO2, RTG4, and PolarFire families (Figure 3-1). ### 3.1 To run Libero SoC with Encrypted IP The Libero SoC software support for encrypted IP is enabled by default. Perform the following the steps to incorporate an encrypted IP inside the Libero software. - 1. Set your Project Settings so that the synthesized output is a Verilog netlist. - 2. Import the encrypted IP core as HDL (see section 3.3 Import Encrypted IP Core as HDL). - 3. Run synthesis (see section 3.4 Run Synthesis) and simulation (see section 3.5 Run ModelSim Simulation). - 4. The following figure shows how to run the remaining Libero SoC design flow. Figure 3-1. Encrypted IP Design Flow # 3.2 Encrypted IP Design Flow Must Use Verilog Netlist from Synthesis When a new project is created, you must change Project Settings to support the IEEE 1735-2014 secure IP flow. You can then import the encrypted IP core as Verilog or VHDL source files. The IEEE 1735-2014 scheme supports only Verilog as the netlist format; EDIF format is not supported. You must set Libero SoC Project Settings to use the Verilog netlist from Synthesis. - 1. From the Project menu, choose Project Settings > Design Flow. - 2. Select **Verilog** as the HDL generated file language option as shown in Figure 3-2. - 3. Click Save and then Close. Figure 3-2. Project Settings # 3.3 Import Encrypted IP Core as HDL Import the encrypted IP HDL and the non-encrypted HDL file as HDL source files (**File > Import > HDL Source Files**). The Design Hierarchy window displays the imported file in your design. Figure 3-3. Design Hierarchy **Note:** It is recommended that the encrypted IP be presented as a single file. If the IP is currently organized in a hierarchy of files, it is recommended that the entire IP be concatenated into a single file after encryption. Currently, if the encrypted IP is defined in multiple files, the user must pass the (lower level) files manually to synthesis and RTL simulation steps. This is done from **Organize input file** option Synthesis/Simulation tool, as shown Figure 3-4. See the Organize Source file in *Libero Help* for more information on how to organize source files. Figure 3-4 shows how to organize input source files for Synthesis. Figure 3-4. Organizing Input Source Files for Synthesis #### 3.3.1 Smart Design Support SmartDesign is a visual block-based design creation tool for instantiation, configuration, and connection of Microchip IP, user-generated IP, and the custom/glue-logic HDL modules. Encrypted IP can also be instantiated in a SmartDesign, along with another non-encrypted IP. See the *About SmartDesign* document in *Libero Help* for more information. ## 3.4 Run Synthesis After synthesis, only the interface signals (inputs and output ports) of the Secure IP core are visible in the RTL and Technology views (Figure 3-5 and Figure 3-6). Signals and instance names that are internal to the Encrypted IP are not visible. Figure 3-5. Synplify Pro RTL View Figure 3-6. SynplifyPro Technology View ## Running Libero SoC with Encrypted IP In the RTL and Technology Views, the Push and Pop commands are disabled for design blocks encrypted with the IEEE 1735-2014. You cannot push into the encrypted IP block 'U0' to look at the internal signals, nets, or instances inside the encrypted block. #### 3.5 Run ModelSim Simulation ModelSim simulates the entire design for pre-synthesis, post-synthesis and post-layout simulations. However, the signals and instances internal to the encrypted IP are not exposed and are not available for debug. The values of the internal signals are not displayed in the waveform window; only the interface signals at the boundary of the encrypted IP instance 'U0' are displayed. Figure 3-7. Modelsim Simulation of Encrypted IP Core Note: Simulation is supported for both Verilog and VHDL. ### 3.6 Libero SoC and Encrypted IPs Libero SoC Software processes designs with encrypted IP through the entire Design without compromising the encrypted IP content. The encryption of IP is protected in Synthesis and Simulation tools, as mentioned in previous sections. All netlists exported from Libero SoC have the IP component encrypted. These include: - Back annotated netlist after Place and Route: \*\_ba.v or \*\_ba.vhd - Exported netlist after Compile: \*.v or \*.vhd Microchip adheres to the Encryption Guidelines provided in the IEEE 1735-2014 standard throughout the design flow. #### **3.6.1** Example This section shows an example in which an Encrypted module is implemented using the Libero SoC Secure IP flow. The example consists of the following files: - Secret.v: This is a simple Non-Encrypted Verilog module. This module has encryption envelopes, as shown in section 1.5 Encryption Envelopes. - Secret\_enc.v: This is the encrypted version of Secret.v module which has been encrypted by executing encryptP1735.pl script on Secret.v module. ### Running Libero SoC with Encrypted IP - Top.v: This is a top level module instantiating encrypted secret\_enc.v module. Tb.v is the test bench for Top.v module. - Public\_keys.txt: This text file contains Public Keys from Synopsys, Mentor, and Microchip, as shown in section 2.2 Public Key from EDA Vendors. #### 3.6.1.1 Encryption of IP Module We are going to use to <code>encryptP1735.pl</code> script which implements IEEE 1735-2014 standard for encryption of IP module (secret.v in this example). The segment of the code that needs to be encrypted have to be included within Encryption envelopes. (see section 2.3 Adding an Encryption Envelope to Your RTL). All Public Keys from vendors supporting this standard are stored in a single file Public\_Keys.txt. Execute encryptP1735.pl script with the secret.v as input file and secret\_enc.v as output file. The following figure shows an example of output after <code>encryptP1735.pl</code> has been executed on the secret.v Figure 3-8. Output of EncryptP1735.pl Script ``` $perl ./encryptP1735.pl -i secret.v -o secret_enc.v -pk public_keys.txt -om encrypted Info: found openssl encryption engine in /usr/bin Info: HDL type is set to Verilog. Info: Found key 'Synplicity.SYNP05_001' in the repository Info: Found key 'Mentor Graphics Corporation.MGC-VERIF-SIM-RSA-1' in the repository Info: Found key 'Microsemi Corporation.MSC-IP-KEY-RSA' in the repository Generating Synplicity encryption version 1 key-block Info: using openssl for RSA 2048 bit encryption Generating encryption version 1 key-block Info: using openssl for RSA 2048 bit encryption Generating encryption version 1 key-block Info: using openssl for RSA 2048 bit encryption Generating aes256-cbc encrypted data-block Info: using openssl for AES256-CBC encryption Info: Processed 1 envelopes ``` The output file is similar to the one shown in section 2.4.1.1 Output Encrypted Verilog. The encrypted output source file of the IP has key\_blocks corresponding to all the vendors and Data\_blocks with encrypted information. **Note:** See section 2.4 encryptP1735.pl Script for more information about different parameters of the script. The script can be executed on both Windows and Linux OS with OpenSSL and Perl Installed. #### 3.6.1.2 Importing Encrypted IP in Libero SoC Perform the following steps to import an Encrypted module. The Encrypted module can be imported in the same way you import any HDL file into a Libero Project. 1. Create a Libero Project with SmartFusion2/IGLOO2/RTG4/PolarFire family die. Import Top.v and Secret\_enc.v files (File > import > HDL Source Files) into the Libero Project. Also import the corresponding Test bench file tb.v (File > Import > HDL Stimulus Files). On importing these files, your design hierarchy and stimulus hierarchy appear, as shown in Figure 3-9 and Figure 3-10. Figure 3-9. Design Hierarchy Figure 3-10. Stimulus Hierarchy - 2. There can be multiple instantiations of an encrypted module in a Top Level module or Smart Design. Select top.v as the Root module (Right-click > **Set as Root**). - 3. Change HDL generated file language option to Verilog from the Libero Project Settings Menu (**Project > Project Settings > Design Flow**), as shown in Figure 3-11. Project settings × Device selection Device settings Libero SoC supports mixed-HDL language designs; you can import Verilog and VHDL in the same project. For Verilog files you can enable the System Verilog syntax option if your Verilog files contain System Verilog constructs. For VHDL files, you may choose between VHDL-2008 and VHDL-93. Analysis operating conditions Simulation options SystemVerilog defines the notion of "compilation unit." When enabling the Multi-File Compilation Unit (MFCU) option, all files are compiled in the same and macros defined in one file will be seen by other files compiled later based on the file order. When disabling that option, each file is compiled as a separate compilation unit. DO file Waveforms Vsim commands Timescale Simulation libraries C Verilog 2001 System Verilog Multi File Compilation Unit PolarFire General Settings Global Include Paths VHDL ∨HDL-2008 C VHDL-93 HDI generated files language ontions HDL files generated by Libero SoC such as configured cores, SmartDesign components and post-layout gate level netlists use the preferred language option Block flow enables you to publish a reusable component that can be instantiated into another design. A block component may not contain I/O cells and cannot be programmed by itself. It could include timing constraints, physical constraints, placement or routing. Enable block creation Fnable synthesis number of high fanout nets to be displayed: 10 Abort flow if errors are found in Physical Design Constraints (PDC) Abort flow if errors are found in Timing Constraints (SDC) Close Figure 3-11. Project Settings for Netlist Format #### 3.6.1.3 Synthesis The Synthesis tool (Synplify Pro) decrypts the protected content using Synopsys Key Block present in Encrypted module secret\_enc.v. After synthesis, only the interface signals (inputs and output ports) of secure IP core are visible in the RTL and Technology views. See section 3.4 Run Synthesis for more information. The Verilog netlist file (.vm file) obtained after synthesis does not show internal instances of encrypted module and this information is again re-encrypted by the Synthesis tool. #### 3.6.1.4 Simulations The Simulation tool (ModelSim) decrypts the protected content using the ModelSim Key Block present in Encrypted module secret\_enc.v. ModelSim simulates the entire design for pre-synthesis, post-synthesis, and post-layout simulations. However, the signals and instances internal to the encrypted IP are not exposed and are not available for debug. See section 3.5 Run ModelSim Simulation for more information. #### 3.6.1.5 Compile and Layout The rest of the tools in the Libero SoC Design Flow decrypt the protected content using Microchip Key Block present in Encrypted module secret\_enc.v. Once the synthesis is completed, the Compile tool takes the encrypted . vm netlist file as input for further processing by the Layout tool. The execution and output of these tools are similar to the Regular flow. **Note:** Constraints flow, including Timing Constraints and Floorplan Constraints, are not supported for instances inside encrypted blocks. In the above example, Constraint flow is not supported for secret\_enc.v module. However, you can provide constraints to the interface of the Encrypted module. #### 3.6.1.6 Generate Back Annotated Files Once the Layout is complete, you can generate the Back Annotated Files for Post-Layout simulations. The \*\_ba.v or \*\_ba.vhd files generated show the internal information of secure\_enc.v module as encrypted. These files incorporate Key Block from Mentor, which is used for decryption while running Post-Layout simulations. # Running Libero SoC with Encrypted IP #### 3.6.1.7 Generate Programming Data Once the design has completed the Layout and Post-Layout simulations, you can generate the programming file. ### 3.7 Frequently Asked Questions (FAQs) Following is a list of FAQs about Secure IP flow and its support in Libero SoC. #### Are VHDL simulations supported, as we are using a Verilog Netlist? Secure IP flow is supported for both VHDL and Verilog. Mixed mode simulation is not required if the design and test bench are both in VHDL. The Verilog netlist is only required for passing the design from the synthesis to compile step in Libero. Post-synthesis and other simulation steps still use VHDL netlist, if the preferred input HDL type is VHDL at Project Creation. #### Is Microchip Block flow supported in Secure IP flow? No. Block flow is not supported for Encrypt IP and Secure IP flow. #### Are parameters/generics supported? Yes. Secure IP flow works on an Encrypted IP with parameters or generic definitions. However, leaving top level parameters/generics and ports unencrypted makes the RTL easier to integrate. See the VHDL example in this document, which has a generic definition. #### Which versions of Perl and OpenSSL are required for encryptP1735.pl script? Any version of OpenSSL/Perl can be used for the script to execute. #### How is OpenSSL intalled? OpenSSL is Open-Source Software. Most Linux Installations have OpenSSL pre-installed. For Windows, you must install OpenSSL.exe. You can download the application from the OpenSSL website. Once you install OpenSSL on Windows, you need to set the PATH environment variable to <openssl installation dir>\bin for the EncryptP1735.pl to work. #### Can we import an encrypted Verilog core into a VHDL design, and vice versa? Yes. You can import an Encrypted Verilog (or VHDL) module in a VHDL (or Verilog) Design. # 4. Revision History | Revision | Date | Description | |----------|---------|-------------------| | Α | 05/2021 | Initial Revision. | # 5. Microchip FPGA Technical Support Microchip FPGA Products Group backs its products with various support services, including Customer Service, Customer Technical Support Center, a website, and worldwide sales offices. This section provides information about contacting Microchip FPGA Products Group and using these support services. #### 5.1 Customer Service Contact Customer Service for non-technical product support, such as product pricing, product upgrades, update information, order status, and authorization. - From North America, call 800.262.1060 - From the rest of the world, call 650.318.4460 - Fax, from anywhere in the world, 650.318.8044 ### 5.2 Customer Technical Support Microchip FPGA Products Group staffs its Customer Technical Support Center with highly skilled engineers who can help answer your hardware, software, and design questions about Microchip FPGA Products. The Customer Technical Support Center spends a great deal of time creating application notes, answers to common design cycle questions, documentation of known issues, and various FAQs. So, before you contact us, please visit our online resources. It is very likely we have already answered your questions. You can communicate your technical questions through our Web portal and receive answers back by email, fax, or phone. Also, if you have design problems, you can upload your design files to receive assistance. We constantly monitor the cases created from the web portal throughout the day. When sending your request to us, please be sure to include your full name, company name, and your contact information for efficient processing of your request. Technical support can be reached at soc.microsemi.com/Portal/Default.aspx. For technical support on RH and RT FPGAs that are regulated by International Traffic in Arms Regulations (ITAR), log in at soc.microsemi.com/Portal/Default.aspx, go to the **My Cases** tab, and select **Yes** in the ITAR drop-down list when creating a new case. For a complete list of ITAR-regulated Microchip FPGAs, visit the ITAR web page. You can track technical cases online by going to My Cases. ### 5.3 Website You can browse a variety of technical and non-technical information on the Microchip FPGA Products Group home page, at www.microsemi.com/soc. #### 5.4 Outside the U.S. Customers needing assistance outside the US time zones can either contact technical support at (https://soc.microsemi.com/Portal/Default.aspx) or contact a local sales office. Visit About Us for sales office listings and corporate contacts. # The Microchip Website Microchip provides online support via our website at <a href="www.microchip.com/">www.microchip.com/</a>. This website is used to make files and information easily available to customers. Some of the content available includes: - Product Support Data sheets and errata, application notes and sample programs, design resources, user's guides and hardware support documents, latest software releases and archived software - General Technical Support Frequently Asked Questions (FAQs), technical support requests, online discussion groups, Microchip design partner program member listing - Business of Microchip Product selector and ordering guides, latest Microchip press releases, listing of seminars and events, listings of Microchip sales offices, distributors and factory representatives # **Product Change Notification Service** Microchip's product change notification service helps keep customers current on Microchip products. Subscribers will receive email notification whenever there are changes, updates, revisions or errata related to a specified product family or development tool of interest. To register, go to www.microchip.com/pcn and follow the registration instructions. # **Customer Support** Users of Microchip products can receive assistance through several channels: - · Distributor or Representative - · Local Sales Office - Embedded Solutions Engineer (ESE) - Technical Support Customers should contact their distributor, representative or ESE for support. Local sales offices are also available to help customers. A listing of sales offices and locations is included in this document. Technical support is available through the website at: www.microchip.com/support # Microchip Devices Code Protection Feature Note the following details of the code protection feature on Microchip devices: - · Microchip products meet the specifications contained in their particular Microchip Data Sheet. - Microchip believes that its family of products is secure when used in the intended manner and under normal conditions. - There are dishonest and possibly illegal methods being used in attempts to breach the code protection features of the Microchip devices. We believe that these methods require using the Microchip products in a manner outside the operating specifications contained in Microchip's Data Sheets. Attempts to breach these code protection features, most likely, cannot be accomplished without violating Microchip's intellectual property rights. - · Microchip is willing to work with any customer who is concerned about the integrity of its code. - Neither Microchip nor any other semiconductor manufacturer can guarantee the security of its code. Code protection does not mean that we are guaranteeing the product is "unbreakable." Code protection is constantly evolving. We at Microchip are committed to continuously improving the code protection features of our products. Attempts to break Microchip's code protection feature may be a violation of the Digital Millennium Copyright Act. If such acts allow unauthorized access to your software or other copyrighted work, you may have a right to sue for relief under that Act. # **Legal Notice** Information contained in this publication is provided for the sole purpose of designing with and using Microchip products. Information regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. THIS INFORMATION IS PROVIDED BY MICROCHIP "AS IS". MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES RELATED TO ITS CONDITION, QUALITY, OR PERFORMANCE. IN NO EVENT WILL MICROCHIP BE LIABLE FOR ANY INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL LOSS, DAMAGE, COST OR EXPENSE OF ANY KIND WHATSOEVER RELATED TO THE INFORMATION OR ITS USE, HOWEVER CAUSED, EVEN IF MICROCHIP HAS BEEN ADVISED OF THE POSSIBILITY OR THE DAMAGES ARE FORESEEABLE. TO THE FULLEST EXTENT ALLOWED BY LAW, MICROCHIP'S TOTAL LIABILITY ON ALL CLAIMS IN ANY WAY RELATED TO THE INFORMATION OR ITS USE WILL NOT EXCEED THE AMOUNT OF FEES, IF ANY, THAT YOU HAVE PAID DIRECTLY TO MICROCHIP FOR THE INFORMATION. Use of Microchip devices in life support and/or safety applications is entirely at the buyer's risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights unless otherwise stated. ### **Trademarks** The Microchip name and logo, the Microchip logo, Adaptec, AnyRate, AVR, AVR logo, AVR Freaks, BesTime, BitCloud, chipKIT, chipKIT logo, CryptoMemory, CryptoRF, dsPIC, FlashFlex, flexPWR, HELDO, IGLOO, JukeBlox, KeeLoq, Kleer, LANCheck, LinkMD, maXStylus, maXTouch, MediaLB, megaAVR, Microsemi, Microsemi logo, MOST, MOST logo, MPLAB, OptoLyzer, PackeTime, PIC, picoPower, PICSTART, PIC32 logo, PolarFire, Prochip Designer, QTouch, SAM-BA, SenGenuity, SpyNIC, SST, SST Logo, SuperFlash, Symmetricom, SyncServer, Tachyon, TempTrackr, TimeSource, tinyAVR, UNI/O, Vectron, and XMEGA are registered trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. APT, ClockWorks, The Embedded Control Solutions Company, EtherSynch, FlashTec, Hyper Speed Control, HyperLight Load, IntelliMOS, Libero, motorBench, mTouch, Powermite 3, Precision Edge, ProASIC, ProASIC Plus, ProASIC Plus logo, Quiet-Wire, SmartFusion, SyncWorld, Temux, TimeCesium, TimeHub, TimePictra, TimeProvider, Vite, WinPath, and ZL are registered trademarks of Microchip Technology Incorporated in the U.S.A. Adjacent Key Suppression, AKS, Analog-for-the-Digital Age, Any Capacitor, AnyIn, AnyOut, BlueSky, BodyCom, CodeGuard, CryptoAuthentication, CryptoAutomotive, CryptoCompanion, CryptoController, dsPICDEM, dsPICDEM.net, Dynamic Average Matching, DAM, ECAN, EtherGREEN, In-Circuit Serial Programming, ICSP, INICnet, Inter-Chip Connectivity, JitterBlocker, KleerNet, KleerNet logo, memBrain, Mindi, MiWi, MPASM, MPF, MPLAB Certified logo, MPLIB, MPLINK, MultiTRAK, NetDetach, Omniscient Code Generation, PICDEM, PICDEM.net, PICkit, PICtail, PowerSmart, PureSilicon, QMatrix, REAL ICE, Ripple Blocker, SAM-ICE, Serial Quad I/O, SMART-I.S., SQI, SuperSwitcher, SuperSwitcher II, Total Endurance, TSHARC, USBCheck, VariSense, ViewSpan, WiperLock, Wireless DNA, and ZENA are trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. SQTP is a service mark of Microchip Technology Incorporated in the U.S.A. The Adaptec logo, Frequency on Demand, Silicon Storage Technology, and Symmcom are registered trademarks of Microchip Technology Inc. in other countries. GestIC is a registered trademark of Microchip Technology Germany II GmbH & Co. KG, a subsidiary of Microchip Technology Inc., in other countries. All other trademarks mentioned herein are property of their respective companies. © 2021, Microchip Technology Incorporated, Printed in the U.S.A., All Rights Reserved. ISBN: 978-1-5224-8048-8 # **Quality Management System** For information regarding Microchip's Quality Management Systems, please visit www.microchip.com/quality. # **Worldwide Sales and Service** | AMERICAS | ASIA/PACIFIC | ASIA/PACIFIC | EUROPE | |---------------------------|-----------------------|-------------------------|-----------------------| | Corporate Office | Australia - Sydney | India - Bangalore | Austria - Wels | | 2355 West Chandler Blvd. | Tel: 61-2-9868-6733 | Tel: 91-80-3090-4444 | Tel: 43-7242-2244-39 | | Chandler, AZ 85224-6199 | China - Beijing | India - New Delhi | Fax: 43-7242-2244-393 | | Tel: 480-792-7200 | Tel: 86-10-8569-7000 | Tel: 91-11-4160-8631 | Denmark - Copenhagen | | Fax: 480-792-7277 | China - Chengdu | India - Pune | Tel: 45-4485-5910 | | Technical Support: | Tel: 86-28-8665-5511 | Tel: 91-20-4121-0141 | Fax: 45-4485-2829 | | www.microchip.com/support | China - Chongqing | Japan - Osaka | Finland - Espoo | | Web Address: | Tel: 86-23-8980-9588 | Tel: 81-6-6152-7160 | Tel: 358-9-4520-820 | | www.microchip.com | China - Dongguan | Japan - Tokyo | France - Paris | | Atlanta | Tel: 86-769-8702-9880 | Tel: 81-3-6880- 3770 | Tel: 33-1-69-53-63-20 | | Duluth, GA | China - Guangzhou | Korea - Daegu | Fax: 33-1-69-30-90-79 | | Tel: 678-957-9614 | Tel: 86-20-8755-8029 | Tel: 82-53-744-4301 | Germany - Garching | | Fax: 678-957-1455 | China - Hangzhou | Korea - Seoul | Tel: 49-8931-9700 | | Austin, TX | Tel: 86-571-8792-8115 | Tel: 82-2-554-7200 | Germany - Haan | | Tel: 512-257-3370 | China - Hong Kong SAR | Malaysia - Kuala Lumpur | Tel: 49-2129-3766400 | | Boston | Tel: 852-2943-5100 | Tel: 60-3-7651-7906 | Germany - Heilbronn | | Westborough, MA | China - Nanjing | Malaysia - Penang | Tel: 49-7131-72400 | | Tel: 774-760-0087 | Tel: 86-25-8473-2460 | Tel: 60-4-227-8870 | Germany - Karlsruhe | | Fax: 774-760-0088 | China - Qingdao | Philippines - Manila | Tel: 49-721-625370 | | Chicago | Tel: 86-532-8502-7355 | Tel: 63-2-634-9065 | Germany - Munich | | Itasca, IL | China - Shanghai | Singapore | Tel: 49-89-627-144-0 | | Tel: 630-285-0071 | Tel: 86-21-3326-8000 | Tel: 65-6334-8870 | Fax: 49-89-627-144-44 | | Fax: 630-285-0075 | China - Shenyang | Taiwan - Hsin Chu | Germany - Rosenheim | | Dallas | Tel: 86-24-2334-2829 | Tel: 886-3-577-8366 | Tel: 49-8031-354-560 | | Addison, TX | China - Shenzhen | Taiwan - Kaohsiung | Israel - Ra'anana | | Tel: 972-818-7423 | Tel: 86-755-8864-2200 | Tel: 886-7-213-7830 | Tel: 972-9-744-7705 | | Fax: 972-818-2924 | China - Suzhou | Taiwan - Taipei | Italy - Milan | | Detroit | Tel: 86-186-6233-1526 | Tel: 886-2-2508-8600 | Tel: 39-0331-742611 | | Novi, MI | China - Wuhan | Thailand - Bangkok | Fax: 39-0331-466781 | | Tel: 248-848-4000 | Tel: 86-27-5980-5300 | Tel: 66-2-694-1351 | Italy - Padova | | Houston, TX | China - Xian | Vietnam - Ho Chi Minh | Tel: 39-049-7625286 | | Tel: 281-894-5983 | Tel: 86-29-8833-7252 | Tel: 84-28-5448-2100 | Netherlands - Drunen | | Indianapolis | China - Xiamen | | Tel: 31-416-690399 | | Noblesville, IN | Tel: 86-592-2388138 | | Fax: 31-416-690340 | | Tel: 317-773-8323 | China - Zhuhai | | Norway - Trondheim | | Fax: 317-773-5453 | Tel: 86-756-3210040 | | Tel: 47-72884388 | | Tel: 317-536-2380 | | | Poland - Warsaw | | Los Angeles | | | Tel: 48-22-3325737 | | Mission Viejo, CA | | | Romania - Bucharest | | Tel: 949-462-9523 | | | Tel: 40-21-407-87-50 | | Fax: 949-462-9608 | | | Spain - Madrid | | Tel: 951-273-7800 | | | Tel: 34-91-708-08-90 | | Raleigh, NC | | | Fax: 34-91-708-08-91 | | Tel: 919-844-7510 | | | Sweden - Gothenberg | | New York, NY | | | Tel: 46-31-704-60-40 | | Tel: 631-435-6000 | | | Sweden - Stockholm | | San Jose, CA | | | Tel: 46-8-5090-4654 | | Tel: 408-735-9110 | | | UK - Wokingham | | Tel: 408-436-4270 | | | Tel: 44-118-921-5800 | | Canada - Toronto | | | Fax: 44-118-921-5820 | | Tel: 905-695-1980 | | | | | Fax: 905-695-2078 | | | |