Select Microsemi PolarFire FPGAs build on the design security capabilities in all PolarFire FPGAs by enabling high-speed DPA resistant cryptographic protocols at wireline speeds. PolarFire data security FPGAs include the following additional features.
– Integrated true random number generator for enabling modern cryptographic protocols capable of generating random numbers at greater than 100 Mbps
– ~200 MHz Athena TeraFire F5200B DPA resistant cryptographic processor capable of implementing all Suite-B+ algorithms, plus more.
– Rambus/CRI DPA pass-through licensing enabling DPA resistant highspeed cryptographic designs in the FPGA fabric. A CRI license is included in the purchase price of the TS devices. There
is no need to negotiate a separate license.
– NIST-certified algorithms
– Athena TeraFire Cryptographic Algorithm Library (CAL) Users Guide
Building on a Secure Root of Trust
A secure Hardware Root of Trust must be established before higher level security functions can be utilized safely.
– Secure Algorithms and Protocols
Suite B algorithms such as: AES, SHA, HMAC, ECDH, ECDSA
Protocols such as: IPSEC, SSL, TLS, SSH, WEP, WPA2, HAIPE
Other algorithms and protocols benefiting from a secure execution environment
– Data Protection for:
– Secure Boot
Protects the start-up code for processors and MCUs from attack
The Microsemi Secure Boot reference design can be used as a starting point for your embedded system design
Tamper Prevention and Detection
Tamper prevention and detection block attacks that can extract secret data or change the state of the device, and provide an alarm signal if tampering is suspected. Some of the techniques used on Microsemi FPGAs include:
– Security lock modification
– Mesh open/short detection
– Clock tamper monitor
– Countermeasures for passive and active side channel attacks
– Detection of attempted programming port access and authentication failures
– Keys, passcodes (in NVM), and other data-at-rest (in ROM and RAM) protected cryptographically
– Digests on NVM and ROM to detect attacks on memory, keys or settings
– Microsemi offers the EnforceIT Security Monitor IP block that can flexibly process tamper flags, allow time for communication with a host system if desired, and trigger built-in or your own custom chip or system-level tamper penalties.
Tamper Penalties and Zeroization
Once tampering is detected it is useful to apply a penalty. It is common to use escalating penalties if tampering occurs too often or is too severe. A severe penalty, zeroization, can be applied to erase part or all of a device, even returning it to an unprogrammed state. Microsemi FPGAs can implement a variety of built-in penalties, such as:
– Resetting the device- so it reboots in a known, safe state
– Disabling I/O- to prevent loss of secrets
– Placing all security options in to their most secure state
– Zeroizing on-chip memory
– Erasing FPGA configuration NVM and MSS embedded NVM
– Erasing MSS SRAM, and fabric block RAMs & registers
– Erasing all crypto-variable storage incl. (optionally) the Factory Keys
– Eliminating any remnant traces of the non-volatile configuration
– Verifying all NVM and SRAM is in a known state, and
– Supplying a cryptographic proof of success
Read the Introduction to the SmartFusion2 and IGLOO2 Security Model White Paper to learn more about SmartFusion2 and IGLOO2 Tamper Penalties and Zeroization Features.
Pass-through License for CRI Patented DPA Protection
Microsemi has obtained a license from Cryptography Research, Inc. (CRI, now a division of Rambus) for the DPA patent portfolio, consisting of more than fifty patents. The pass through license:
– Extends a sub-license to customers who purchase selected Microsemi FPGA devices. The purchaser can then use any of CRI’s patented DPA-mitigation techniques to protect their end-
application from side-channel attacks. The protection techniques can be incorporated in the user’s logic implemented in the FPGA fabric or in the user’s firmware executing on a hard or
soft microcontroller, in the licensed Microsemi FPGA. No additional paperwork paperwork is required of the purchaser of these devices to use this license.
– Users of Microsemi’s DPA resistant Secure Boot Reference design have also been granted a pass through license to a target processor for implementing a secure boot function in conjunction
with Microsemi FPGAs or SoC FPGAs. The user has only to sign an Eligibility Certification Form to be able to use CRI’s patented DPA mitigation techniques in their target processor’s boot-
loader with these Microsemi FPGAs.
Read the SmartFusion2 Data Security Devices Product Brief and the IGLOO2 Data Security Devices Product Brief to find out more information about the advantages the CRI pass-through license brings to your designs.
Get Started Today on Your Secure Boot Design!
Visit the Microsemi Secure Boot web page to access the information needed to learn about, evaluate and purchase your own secure boot reference design.
Enabling Public Key Infrastructure
For enabling public key infrastructure in the SmartFusion2 SoC FPGA devices and also to secure machine-to-machine(M2M) communication using PKI-enrolled SmartFusion2 SoC FPGA devices, refer UG0626: Enabling a Public Key Infrastructure in SmartFusion2 Devices User Guide. For requesting reference designs, please send an email to firstname.lastname@example.org
Leave a Reply
You must be logged in to post a comment.