From: austin on 3 Apr 2008 08:13

All,

Possible solutions exist today for Virtex II, IIP, 4, 5: use encryption. Only the device with the proper key configures.

In Spartan 3A, 3AN, 3ADSP, there is the "DeviceDNA" feature which may be used to identify a specific device. This identification requires a customer design to provide the function you desire (reference designs are available). This is really not a good way to do what you ask (encryption is not authentication and the device ID is not a standard, so it can make no claims of perfect security like one can with SHA), but does work.

More advanced would be to have a "secure hash algorithm" like SHA128, which could be used with some user readable efuses to provide for a secure means to authenticate.

Austin

From: Andreas Ehliar on 8 Apr 2008 01:13
On 2008-04-05, Antti <Antti.Lukats(a)googlemail.com> wrote:
> the OP wants COTS board to be used
> 1) with no mods to the board
> 2) with no additions to the board
>
> so adding anything isn't an option

One way to do this (which is somewhat based on security through obscurity) would be to modify the BIOS on the computer so that it writes some secret initialization sequence to the FPGA to enable it. There are tools available which allow you to easily insert or remove an option ROM image into an AWARD based BIOS.

Of course, this will not buy you _real_ security. But it is enough to make sure that someone will have to spend some time to analyze what is really going on in your device.

If you want to tighten things up further you could make sure that the secret initialization sequence will depend on a serial number present in the computer (hard drive or DDR DIMM for example). This will make things much more complicated for you and might also annoy a customer if they have more than one of your device and for some reason want to exchange parts in it.

Otherwise, perhaps you could use a TPM module in some way, but I don't know if that could work or not in your case.

/Andreas
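
An added example, not part of either post and not vendor code: a software model of the serial-bound enable sequence described above, shown next to a challenge-response variant that goes beyond the thread so that a sequence captured on the bus cannot simply be replayed. The use of HMAC-SHA-256, the shared secret, the serial string and a nonce source inside the design are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from the thread.
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical key in option ROM and design
HOST_SERIAL = b"HDD-EXAMPLE-0001"  # hypothetical hard-drive serial read at boot

def static_sequence(secret, serial):
    """Serial-bound enable sequence: identical on every boot, so one capture replays."""
    return hmac.new(secret, b"static|" + serial, hashlib.sha256).digest()

def response(secret, serial, challenge):
    """Host side: answer a fresh challenge issued by the design."""
    return hmac.new(secret, b"chal|" + serial + b"|" + challenge, hashlib.sha256).digest()

class DesignModel:
    """Model of the check the FPGA design would perform before enabling itself."""

    def __init__(self, secret, enrolled_serial):
        self._secret = secret
        self._serial = enrolled_serial
        self._challenge = None
        self.enabled = False

    def new_challenge(self):
        self._challenge = secrets.token_bytes(16)  # assumes the design has a nonce source
        return self._challenge

    def unlock(self, answer):
        if self._challenge is None:
            return False
        expected = response(self._secret, self._serial, self._challenge)
        self._challenge = None  # one attempt per challenge
        self.enabled = hmac.compare_digest(expected, answer)
        return self.enabled

def demo():
    design = DesignModel(SHARED_SECRET, HOST_SERIAL)
    good = response(SHARED_SECRET, HOST_SERIAL, design.new_challenge())
    enrolled = design.unlock(good)      # enrolled host answers correctly
    design.new_challenge()
    replayed = design.unlock(good)      # old answer against a new challenge
    c = design.new_challenge()
    swapped = design.unlock(response(SHARED_SECRET, b"OTHER-SERIAL", c))  # part exchanged
    return enrolled, replayed, swapped

if __name__ == "__main__":
    print(demo())
```

The secret still sits in both the option ROM and the bitstream, so this only raises the analysis effort, as the post says of the original scheme.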