Security
Overview
Cyber Security is the #1 Concern for Connected Devices on the Network Edge
It is not enough for today's demanding applications to meet the functional requirements of their design—they must do so in a secured way. Security starts during silicon manufacturing and continues through system deployment and operations. Microsemi's PolarFire FPGAs represent the industry's most advanced secure programmable FPGAs.
- Prevent Overbuilding & Cloning with Microsemi's Secure Production Programming Solution
- Protect Your Valuable Design IP From Copying and Reverse Engineering with Design Security
- Secure Hardware creates Root of Trust for your System
- The Athena Group, Inc. TeraFire Cryptographic Processor for Data Security applications
- Tamper detection and responses built into Microsemi PolarFire devices
Are Your Systems Safe?
Watch this demonstration video from Cryptography Research, a division of Rambus and the leaders in semiconductor security, to see how easy it is to extract secrets from programmable logic devices that don't use licensed DPA countermeasures.
To Protect your IP you need Secure Hardware, Design Security and Data Security
The DPA logos are trademarks of Cryptography Research, Inc., used under license.
Are SRAM-based FPGAs Secure?
SRAM-based FPGAs lack the key capabilities required to create a trusted and secure hardware platform for a secure embedded system, making them vulnerable to cloning, copying, and reverse engineering. Sensitive customer data can be attacked and embedded systems compromised.
Secure Hardware
Microsemi FPGAs Create the Secure Foundation for Your System
Secure hardware is used to create a secure hardware Root of Trust. A hardware Root of Trust is an immutable and trusted starting point from which security can be extended to other parts of the system. Without this secure foundation your system can't be protected. A secure hardware Root of Trust must include the following capabilities:
- Licensed, Patented DPA Protection
- Protects design IP from copying and reverse engineering
- Built-in Certified Security Functions
- True Random Number Generator, Physically Unclonable Function (PUF), Elliptic Curve Cryptography (ECC), AES, SHA, HMAC
- Tamper Detectors with Counter Measures
- Supply Chain Assurance that the FPGA is Authentic
- Factory Hardware Secure Module (HSM) Flow for Secure Key Injection
- Factory Key Database Generation
- Signed Device Digital Certificate
Licensed, Patented DPA Protection Counters Side Channel Attacks
Side-Channel Analysis attacks use information that 'leaks' from electronic systems to determine otherwise secret information.
- Like a safecracker listening to tumblers in a lock, side-channel analysis uses changes in operating current and timing information to indirectly determine on-chip secret keys.
- Differential Power Analysis uses statistical results of many measurements to find secret keys used in cryptographic functions.
- Without DPA resistance, security keys are vulnerable and security systems can be completely bypassed.
- Microsemi has licensed from CRI, a division of Rambus, their DPA-resistant patent portfolio to protect key operations from DPA side-channel attacks.
The following logo is a trademark of Cryptography Research, Inc. Used under license.
Built-in Certified Security Functions
Once the on-chip security keys and configuration bit streams are protected from DPA it is important to support the cryptographic functions needed to extend security and create a hardware Root of Trust. Key cryptographic functions must include:
- True Random Number Generation - used by many cryptographic standards
- Physically Unclonable Function - used to create device-unique security keys known only to the device
- Hardware Acceleration for Security Standards
- AES, SHA, HMAC and ECC
View the above video to see how security services in Microsemi SmartFusion2 SoC FPGAs and IGLOO2 FPGAs are used to support common security standards.
If your Supply Chain Isn't Secure, How Can Your System Be?
Microsemi secure manufacturing flow:
- Inject device unique keys with FIPS Hardware Security Modules (HSMs)
- Inject device unique signed X.509 digital certificate proving authenticity of device purchased
- Secure Derived Key Database generation for customer Managed HSM flow
View this video to see how a secure supply chain is protected when using SmartFusion2 SoC FPGAs and IGLOO2 FPGAs, beginning with secrets 'baked' into the wafer, through wafer test, assembly and binning, all the way to sales via the distribution channel. Hardware security modules, secure key storage and X.509 certificates all contribute to the Microsemi secure manufacturing flow that protects your supply chain.
Design Security
Protect Your Valuable Design IP From Copying and Reverse Engineering
Microsemi FPGAs leverage built-in design security features to protect your valuable design IP:
- Secure configuration bit streams via encryption and protection from DPA attacks
- Tamper protection, zeroization, and secure key storage to protect your design
- Secure Production Flow Programming
- Cryptographically Secure Build Tickets- build only N systems
- Certificate of Conformance- prove only N number of devices were built
Secure Configuration Bit Streams with DPA Protection
Microsemi FPGAs use encrypted, DPA protected and authenticated bit streams to prevent copying and cloning.
- Only bitstreams encrypted with the key matching the key in the device will be programmed into that device
- Hardware security modules allow for secure production programming and accounting of programmed devices
Tamper Protection, Zeroization and Security Key Protection
Protecting Your Design also requires features to detect unauthorized access to critical on-chip data.
- On chip built in tamper detectors
- User configurable tamper macro with EnforcIT IP for tamper response
- Zeroize the device in response to a tamper event
- Disable JTAG, ETM
- Disable Verify
- Permanently lock user design
- Permanent Factory Test Mode Lockout
- Password protected Re-configurable security settings
Read the Introduction to the SmartFusion2 and IGLOO2 Security Model White Paper to learn more about SmartFusion2 and IGLOO2 Tamper Protection, Zeroization and Security Key Protection features.
Secure Production Flow Programming
Hardware Security Modules (HSMs), managed by a secure production center, create a secure environment using:
- Cryptographically Secure Build Tickets - build only N systems
- Certificate of Conformance - prove only N number of devices were built
Start Programming Secure Products Today!
Use Microsemi SmartFusion2 SoC FPGA or IGLOO2 FPGA devices in your next design to automatically protect your valuable design IP, sensitive data and embedded system. Use the Microsemi FlashPro5 programmer with Microsemi Libero SoC development tool suite to protect your valuable design IP no matter where they are programmed.
Data Security
Best-in-class High-performance, Hardened Security IP in Mid-range FPGAs
Select Microsemi PolarFire FPGAs build on the design security capabilities in all PolarFire FPGAs by enabling high-speed DPA resistant cryptographic protocols at wireline speeds. PolarFire data security FPGAs include the following additional features.
- Integrated true random number generator for enabling modern cryptographic protocols, capable of generating random numbers at greater than 100 Mbps
- ~200 MHz Athena TeraFire F5200B DPA resistant cryptographic processor capable of implementing all Suite-B+ algorithms, plus more.
- Rambus/CRI DPA pass-through licensing enabling DPA-resistant high-speed cryptographic designs in the FPGA fabric. A CRI license is included in the purchase price of the TS devices. There is no need to negotiate a separate license.
- NIST-certified algorithms
- Athena TeraFire Cryptographic Algorithm Library (CAL) Users Guide
Building on a Secure Root of Trust
A secure Hardware Root of Trust must be established before higher level security functions can be utilized safely.
- Secure Algorithms and Protocols
- Suite B algorithms such as: AES, SHA, HMAC, ECDH, ECDSA
- Protocols such as: IPSEC, SSL, TLS, SSH, WEP, WPA2, HAIPE
- Other algorithms and protocols benefiting from a secure execution environment
- Data Protection for:
- Financial transactions
- Medical records
- Military applications
- Trade secrets
- Personal Communication
- Secure Boot
- Protects the start-up code for processors and MCUs from attack
- The Microsemi Secure Boot reference design can be used as a starting point for your embedded system design
Tamper Prevention and Detection
Tamper prevention and detection block attacks that can extract secret data or change the state of the device, and provide an alarm signal if tampering is suspected. Some of the techniques used on Microsemi FPGAs include:
- Security lock modification
- Mesh open/short detection
- Clock tamper monitor
- Countermeasures for passive and active side channel attacks
- Detection of attempted programming port access and authentication failures
- Keys, passcodes (in NVM), and other data-at-rest (in ROM and RAM) protected cryptographically
- Digests on NVM and ROM to detect attacks on memory, keys or settings
- Microsemi offers the EnforcIT Security Monitor IP block that can flexibly process tamper flags, allow time for communication with a host system if desired, and trigger built-in or your own custom chip or system-level tamper penalties.
Tamper Penalties and Zeroization
Once tampering is detected it is useful to apply a penalty. It is common to use escalating penalties if tampering occurs too often or is too severe. A severe penalty, zeroization, can be applied to erase part or all of a device, even returning it to an unprogrammed state. Microsemi FPGAs can implement a variety of built-in penalties, such as:
- Resetting the device - so it reboots in a known, safe state
- Disabling I/O - to prevent loss of secrets
- Placing all security options into their most secure state
- Zeroizing on-chip memory
- Erasing FPGA configuration NVM and MSS embedded NVM
- Erasing MSS SRAM, and fabric block RAMs & registers
- Erasing all crypto-variable storage incl. (optionally) the Factory Keys
- Eliminating any remnant traces of the non-volatile configuration
- Verifying all NVM and SRAM is in a known state, and
- Supplying a cryptographic proof of success
Read the Introduction to the SmartFusion2 and IGLOO2 Security Model White Paper to learn more about SmartFusion2 and IGLOO2 Tamper Penalties and Zeroization Features.
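The escalating-penalty idea described above, as an added example that is not Microsemi or EnforcIT code: a small policy function that raises the penalty when tamper events cluster in time and jumps straight to zeroization for events judged too severe. The flag names, the severity mapping, the tick-based window and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names modelled on the detector and penalty lists above. */
typedef enum { TAMPER_CLOCK, TAMPER_AUTH_FAIL, TAMPER_PORT_ACCESS,
               TAMPER_MESH, TAMPER_DIGEST } tamper_flag_t;
typedef enum { PENALTY_NONE, PENALTY_RESET, PENALTY_DISABLE_IO,
               PENALTY_ZEROIZE } penalty_t;

#define WINDOW_TICKS 1000u  /* assumed window that defines "too often" */
#define HISTORY      8u     /* recent event timestamps kept */

typedef struct {
    uint32_t stamps[HISTORY];  /* ring buffer of event times */
    size_t   count;            /* total events reported so far */
} tamper_monitor_t;

/* Assumed severity mapping: physical or memory-integrity events are
   treated as "too severe" and go straight to zeroization. */
static penalty_t base_penalty(tamper_flag_t flag)
{
    switch (flag) {
    case TAMPER_MESH:
    case TAMPER_DIGEST:      return PENALTY_ZEROIZE;
    case TAMPER_PORT_ACCESS: return PENALTY_DISABLE_IO;
    default:                 return PENALTY_RESET;
    }
}

/* Record one event and return the penalty to apply: the base penalty for
   the flag, raised one step for each earlier event still inside the window. */
penalty_t tamper_report(tamper_monitor_t *m, tamper_flag_t flag, uint32_t now)
{
    m->stamps[m->count % HISTORY] = now;
    m->count++;
    size_t stored = m->count < HISTORY ? m->count : HISTORY;
    unsigned recent = 0;
    for (size_t i = 0; i < stored; i++)
        if ((uint32_t)(now - m->stamps[i]) <= WINDOW_TICKS)  /* wrap-safe */
            recent++;
    unsigned level = (unsigned)base_penalty(flag) + (recent - 1u);
    return level > (unsigned)PENALTY_ZEROIZE ? PENALTY_ZEROIZE : (penalty_t)level;
}

int main(void)
{
    /* Constructed event sequence: (flag, time in ticks). */
    tamper_monitor_t m = {0};
    printf("%d\n", tamper_report(&m, TAMPER_CLOCK, 100));      /* isolated */
    printf("%d\n", tamper_report(&m, TAMPER_CLOCK, 5000));     /* isolated */
    printf("%d\n", tamper_report(&m, TAMPER_AUTH_FAIL, 5200)); /* 2 in window */
    printf("%d\n", tamper_report(&m, TAMPER_CLOCK, 5400));     /* 3 in window */
    return 0;
}
```

The unsigned subtraction keeps the window test correct when the tick counter wraps, so a rollover cannot be used to reset the escalation.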
Pass-through License for CRI Patented DPA Protection
Microsemi has obtained a license from Cryptography Research, Inc. (CRI, now a division of Rambus) for the DPA patent portfolio, consisting of more than fifty patents. The pass through license:
- Extends a sub-license to customers who purchase selected Microsemi FPGA devices. The purchaser can then use any of CRI's patented DPA-mitigation techniques to protect their end-application from side-channel attacks. The protection techniques can be incorporated in the user's logic implemented in the FPGA fabric or in the user's firmware executing on a hard or soft microcontroller in the licensed Microsemi FPGA. No additional paperwork is required of the purchaser of these devices to use this license.
- Users of Microsemi's DPA resistant Secure Boot Reference design have also been granted a pass through license to a target processor for implementing a secure boot function in conjunction with Microsemi FPGAs or SoC FPGAs. The user has only to sign an Eligibility Certification Form to be able to use CRI’s patented DPA mitigation techniques in their target processor’s boot-loader with these Microsemi FPGAs.
Read the SmartFusion2 Data Security Devices Product Brief and the IGLOO2 Data Security Devices Product Brief to find out more information about the advantages the CRI pass-through license brings to your designs.
Get Started Today on Your Secure Boot Design!
Visit the Microsemi Secure Boot web page to access the information needed to learn about, evaluate and purchase your own secure boot reference design.
Enabling Public Key Infrastructure
To enable public key infrastructure in SmartFusion2 SoC FPGA devices, and to secure machine-to-machine (M2M) communication using PKI-enrolled SmartFusion2 SoC FPGA devices, refer to UG0626: Enabling a Public Key Infrastructure in SmartFusion2 Devices User Guide. To request reference designs, please send an email to pkidemo@microsemi.com
Resources
Security Resources
All security related resources are listed on this page and are organized by media type for easy access. You will find Security Solutions, Application notes, White Papers, Videos, Security related IP and other useful design related content.
Design Hardware
- The SmartFusion2 Security Evaluation Kit provides a low-cost platform to evaluate the design and data security features offered by SmartFusion2 devices. The evaluation board features an M2S090TS-FGG484 90K LE device and includes high-speed interfaces such as PCIe Gen2 x1, four SMA connectors for SERDES, and RJ45 for 10/100/1000 Ethernet. Current measurement test points are provided to evaluate the low-power capabilities of the device. Using SmartFusion2 device features and on-board resources, the kit helps in quick prototyping of low-power, secure and highly integrated applications.
Security Solutions
| Document | Size | Date |
| --- | --- | --- |
| Secure Production Programming | NA | 8/2016 |
| Design of a Secure Personal Health Monitoring System | 167 KB | 1/2104 |
| Design of a Secure Wireless Communication System | 570 KB | 1/2014 |
| Design of a Safe and Secure Process Control System | 510 KB | 1/2014 |
| Design of a Secure Smart Energy Metering and Control System | 501 KB | 1/2014 |
| Design of a Secure Control Plane Bridge | 510 KB | 1/2014 |
| Design of a Secure and Reliable Data Recorder | 51 KB | 4/2014 |
White Papers
| Document | Size | Date |
| --- | --- | --- |
| Introduction to the SmartFusion2 and IGLOO2 Security Model | 1 MB | 1/2014 |
| Overview of Microsemi Antifuse Device Security | 1 MB | 1/2014 |
| Introduction to Implementing Design Security with Microsemi SmartFusion2 and IGLOO2 FPGAs | 1 MB | 1/2014 |
| Overview of Design Security Using Microsemi FPGAs and SoC FPGAs | 517 KB | 1/2014 |
| Overview of Secure Boot with Microsemi IGLOO2 FPGAs | 210 KB | 4/2014 |
| Overview of Secure Boot with Microsemi SmartFusion2 FPGAs | 1 MB | 4/2014 |
| Overview of Data Security Using Microsemi FPGAs and SoC FPGAs | 1 MB | 1/2014 |
| Microsemi Secure Boot Reference Design White Paper | 1 MB | 6/2014 |
| Overview of Supply Chain Assurance of Intelligent ICs | 415 KB | 1/2014 |
| Security Scenarios | 1 MB | 9/2013 |
| Truth in Randomness | 517 KB | 9/2013 |
| Securing Your Supply Chain Life Cycle | 210 KB | 1/2014 |
| Securing Your Embedded System Life Cycle | 330 KB | 1/2014 |
| Its Easy to Protect Your Embedded System from Theft White Paper | 330 KB | 9/2013 |
| WhiteBoxCRYPTO Strength of Security | 330 KB | 3/2014 |
| Protecting FPGAs from Power Analysis | 1 MB | 4/2010 |
Technical Articles
| Document | Size | Date |
| --- | --- | --- |
| Dont be the Weakest Link - Secure Supply Chain | 473 KB | 1/2015 |
| Cutting Malware off at the Root - Secure Boot | 108 KB | 1/2015 |
Videos
| Title | Size | Date |
| --- | --- | --- |
| Supply Chain Life Cycle | NA | 1/2014 |
| Embedded System Life Cycle | NA | 1/2014 |
| An Introduction to the Secure Boot Reference Design | NA | 4/2014 |
| An Introduction to Side-Channel Analysis | NA | 1/2014 |
| Security FAQ | 635.13 KB | 1/2015 |
| Enforce-IT(R) Security Monitor | 490 KB | 1/2013 |
| Code-Seal(TM) Software Anti-Tampering | 350 KB | 1/2014 |
| SmartFusion2 SoC and IGLOO2 FPGAs Security Features | 380 KB | 9/2014 |
National Institute of Science and Technology (NIST) CAVP Certifications for Athena TeraFire® EXP-F5200B and Athena TeraFire® EXP-F5200ASR for PolarFire
EXP-F5200B certifications (S-Grade Devices* only) | EXP-F200ASR** (for both S-Grade and Non-S Grade Devices)
AES | 3951
DSA | -
RSA | -
ECDSA | 868
SHS | 3259
DRBG | 1154
HMAC | -
ECC CDH | -
*PolarFire "S" grade devices include a dedicated hard cryptoprocessor Athena TeraFire EXP-F5200B(referred to as the User Cryptoprocessor) for data security applications
**TeraFire EXP-F200ASR is used by the system controller for FPGA design security
National Institute of Science and Technology (NIST) Certifications for SmartFusion2/IGLOO2
Device Densities, All Types (non-S, non-T, S, TS): 005 | 010 | 025 | 050 | 060 | 090 | 150
Validation Number
AES | 2908 | * | 2935
SHA | 2447 | * | 2472
DRBG | 535 | * | 542
HMAC | 1841 | * | 1860
ECC CDH | (NA) | (NA) | 335
* Algorithm implementations not yet validated by NIST
CRI DPA Countermeasure Validation Program
Microsemi has been granted certification of all SmartFusion2 and IGLOO2 FPGAs for seven protocols and services used to implement design security in these devices under the CRI DPA Countermeasure Validation Program after a thorough assessment by a CRI-accredited third-party security laboratory. This is the first ever such certification applying to an FPGA, and currently no SRAM FPGAs hold this or any similar certification.
- The following logo is a trademark of Cryptography Research, Inc. used under license:
CRI DPA Patents and Applications
A license to the Rambus DPA patent portfolio, including those patents in the following document, is extended to users of select Microchip FPGAs and SoC FPGAs including all SmartFusion2, IGLOO2, and PolarFire device models with an "S" suffix in the model number. The FPGA owner may use the patented techniques claimed in these patents, whether implemented in programmable logic or as software, in their FPGA designs without requiring any further license from Rambus, or the payment of any additional royalties.
CRI DPA Patents and Applications List | 03/2020
Security Related IP Cores from Microsemi