The Role of FPGAs in Next-Generation Secure A&D Systems

Electronics system security is a growing and ever-present concern in all application areas, but in aerospace and defense (A&D) systems, security is a must. As such, the ICs used in these systems must have security features, or at least deterrent features.

Figure 1. A security-based lifecycle covers the device manufacturing, system design and assembly, and then, finally, the fielded system.
A growing number of systems created for the aerospace and defense markets are using Field Programmable Gate Arrays (FPGAs). Unlike custom ICs or standard processors, designers can program the hardware and software to create high-performance products. What’s more, FPGAs can be reprogrammed after deployment. As these products have matured over the last 25 years and become commonplace in A&D applications, the vendors that offer them have also added more sophisticated security features to the devices.

The current global environment and use of electronics in so many aspects of our lives has brought security of electronic designs to the forefront of design concerns. Threats to the ownership of proprietary IP and functional algorithms, as well as changes to intended operation of hardware and computing systems, are now pervasive in the constantly connected world. These threats can be manifested in forms ranging from counterfeiting through espionage, and they can impact the entire economic chain from corporate and industrial, to defense and government.

Recently, these threats have extended to directly attacking control electronics and hacking into control systems, which leads to the destruction of a targeted electromechanical system. Previously, a large part of the security was obtained by physical protection and isolation of the electronics from third parties. This is no longer an option due to the globalization of the supply chain, interaction of world economies, and distributed technology. As a result, companies need to incorporate threat protection into just about every aspect of their systems, especially the ICs.

There are currently three primary initiatives/security guidelines:

1. DoDIA – also called CIIA (cyber, identity, and information assurance), it includes methods to protect and defend DoD information and IT systems.

2. DoD/DoDD 5200 – this describes methodology used to protect against loss and avoid the unauthorized disclosure of Essential Program Information, Technologies and/or Systems (EPTIS).

3. FIPS – Issued by the National Institute of Standards and Technology (NIST) for use by all non-defense government agencies and contractors.

Architectural Considerations

Figure 2. Modern FPGAs include several hardened IP blocks that FPGA vendors implement in their device architectures. Having IP blocks on the same silicon as the programmable logic optimizes the power and performance of the device and makes the devices more robust in terms of security. Here is an example of hard IP blocks in Xilinx’s Virtex-6 line of FPGAs. The new 7 series devices have hard IP blocks that are even more sophisticated.
For well over two decades, companies have been using FPGAs in military and avionic systems. As the devices have matured and grown larger, design teams have given FPGAs ever larger and more important roles in their systems. Today, many of these systems use FPGAs as their primary compute engines. As such, design teams implement their FPGA designs using a security-based lifecycle. This lifecycle (Figure 1) covers device manufacturing, system design and assembly, and finally, the fielded system. The lifecycle planning helps drive the component selection for the device and also helps protect its application specific programming.

Because an FPGA is programmable, companies can make changes to their systems even after they are deployed in the field. This is especially desirable in the A&D space, because design teams or technicians can make adjustments to the FPGAs in their systems to address new security threats or to simply upgrade systems to meet any new requirements for encryption standards like TDES to AES.

Because today’s FPGAs include millions of programmable logic elements, design teams can program an individual FPGA to do the job of many chips. To streamline the design process, design teams heavily leverage the hard IP that vendors incorporate into their FPGA architectures. Design teams also implement soft IP from FPGA vendors, IP vendors, or their own IP. Hard IP that FPGA vendors implement in their devices is typically very high-performance and low-power. FPGA architectures commonly include hard IP blocks such as dedicated engines that are used only for bitstream decryption, and a slew of general system functions like Ethernet MAC/PHY, PCI-E interfaces, and memory controllers. Some devices also include hardened microprocessor cores. An illustration of the typical hard IP content of an FPGA is shown in Figure 2.

Soft IP from FPGA and IP vendors can range from standard function blocks such as processor cores and graphics engines, to more market- and application-specific specialized functions and interfaces. Where hard IP is already implemented in the silicon and can’t be modified, design teams implement soft IP in the programmable logic elements of the FPGA. As such, designers can place soft IP in almost any location in their FPGA designs. Design teams integrate the hardware description language code (typically Verilog or VHDL) for these soft IP blocks with the rest of the logic description for the design. They then use vendor tools (design software) to compile the design and create a bitstream that programs their design into the FPGA when the chip boots up.

Programming Considerations

Xilinx has a multi-generational commitment to secure technology for the AT Community.
Programming FPGAs requires some planning to ensure that security aspects are addressed and implemented early enough in the design flow so as to not impact floor planning, resource, or pinout requirements. Practical designs require a security-centric design methodology. These security measures, also called anti-tamper (AT), can be grouped into two categories — active and passive security. The table shows the various active and passive security options in the Xilinx FPGA family.

Passive security measures are those that do not require the user to do anything special other than select their use during the various phases of the design cycle. The phases of the FPGA design cycle are no-power, power with no configuration, and configured. In the no-power condition, there are two major options for storing the decryption key for the bitstream that is being used: battery-backed RAM (BBRAM) and eFUSE. eFUSE is a built-in technology and does not require additional components. BBRAM supports both active and passive key clearing but requires an external battery, which in turn requires supplier support for operation at high temperatures and over long lifetimes.

To ensure that the programming transfer is secure, some FPGA products support encrypted bitstreams that get decrypted in the dedicated hard IP block inside the FPGA. This methodology allows for a standard development flow that uses in-house, vendor-provided, and third-party Electronic Design Automation (EDA) tools to ensure the system function is correct, while still providing a way to securely transfer the design information to the part. These cryptographic solutions follow the NIST AES standard for bitstream encryption and support the NIST Hashed Message Authentication Code (HMAC) standard for authentication.

The active security systems are grouped into three categories — prevention, detection, and penalty. The prevention methods are active functions that restrict the loading and transferring of data to specific times when the data movement has been approved. The detection methods focus on verification and contextual compliance, and can direct a penalty action in response to overbuilding (cloning) detection, bitstream integrity checking, JTAG activity detection, and temperature and voltage monitoring. The FPGAs also have an eFUSE capability that extends to support a 57-bit Device DNA ID, which can be used to uniquely identify a part and help eliminate counterfeiting and overproduction risks. The monitor and detection methods that can be incorporated into the design and are controllable in the device include readback CRC, JTAG disable, and a FIPS 140 system monitor.

The penalty responses to tampering take the form of data clearing to shut down the operation of the FPGA. These are a keyclear function, which clears the AES decryption key held in BBRAM as a result of a tamper detect, and IPROG, an internal function that responds by clearing the contents of the configuration memory, all of the flip-flops, and the key memory (but not the AES encryption key).
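The authenticated-bitstream loading described above, together with the Device DNA anti-cloning check and the keyclear/IPROG penalty responses, can be modelled end to end in software. The following is an added example written for this article; it is not Xilinx code and does not reproduce the hard decryption block. It models only the HMAC authentication step (AES decryption of the payload is assumed to happen before this check and is left out), a hypothetical image layout in which the design is bound to one Device DNA value by prefixing it to the payload, and the two penalty actions. The `Fpga` class, the `build_image` helper and the event names are constructed for illustration.

```python
"""Simplified model of an authenticated-bitstream loader with tamper penalties.

Added example, not vendor code. The real hard block decrypts AES-256 and
checks an HMAC in silicon; this model covers only the HMAC-SHA256 check,
a hypothetical Device DNA binding, and the keyclear / IPROG penalties.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

DNA_BITS = 57   # Device DNA width named in the article
DNA_BYTES = 8   # hypothetical header: DNA stored in 8 big-endian bytes
TAG_LEN = 32    # HMAC-SHA256 tag length in bytes


@dataclass
class Fpga:
    """The device state that matters for the security lifecycle."""
    device_dna: int                 # eFUSE-backed, read-only, unique per part
    bbram_key: Optional[bytes]      # battery-backed decryption key, clearable
    config_memory: bytes = b""      # loaded design, modelled as raw bytes
    flip_flops: int = 0             # user state, modelled as one register
    events: List[str] = field(default_factory=list)

    # ---- penalty responses (constructed model of keyclear and IPROG) ----
    def keyclear(self) -> None:
        """Zeroize the BBRAM key so no further encrypted bitstream can load."""
        self.bbram_key = None
        self.events.append("KEYCLEAR")

    def iprog(self) -> None:
        """Internal reconfiguration: wipe configuration memory and flip-flops."""
        self.config_memory = b""
        self.flip_flops = 0
        self.events.append("IPROG")

    def _tamper(self, reason: str) -> None:
        """Any detection failure is treated as a tamper event."""
        self.events.append("TAMPER:" + reason)
        self.keyclear()
        self.iprog()

    # ---- bitstream loading --------------------------------------------
    def load_bitstream(self, image: bytes) -> bool:
        """Authenticate the image, check the DNA binding, then configure."""
        if self.bbram_key is None:
            # key already cleared: the part simply refuses to configure
            self.events.append("NO_KEY")
            return False
        if len(image) < DNA_BYTES + TAG_LEN:
            self._tamper("MALFORMED")
            return False
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self.bbram_key, body, hashlib.sha256).digest()
        # constant-time compare: a byte-at-a-time compare would leak timing
        if not hmac.compare_digest(tag, expected):
            self._tamper("HMAC_FAIL")
            return False
        bound_dna = int.from_bytes(body[:DNA_BYTES], "big")
        if bound_dna != self.device_dna:
            # authentic image, but built for another part: overbuild / clone
            self._tamper("DNA_MISMATCH")
            return False
        self.config_memory = body[DNA_BYTES:]
        self.events.append("CONFIGURED")
        return True


def build_image(key: bytes, device_dna: int, design: bytes) -> bytes:
    """Design-tool side: bind the design to one DNA and append the HMAC tag."""
    body = device_dna.to_bytes(DNA_BYTES, "big") + design
    return body + hmac.new(key, body, hashlib.sha256).digest()


def new_dna() -> int:
    """Constructed stand-in for a factory-programmed 57-bit Device DNA."""
    return secrets.randbits(DNA_BITS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    dna = new_dna()
    image = build_image(key, dna, b"constructed design payload")
    part = Fpga(device_dna=dna, bbram_key=key)
    print("genuine part loads:", part.load_bitstream(image), part.events)
    clone = Fpga(device_dna=new_dna(), bbram_key=key)
    print("cloned part loads:", clone.load_bitstream(image), clone.events)
```

Running the block shows the genuine part reaching `CONFIGURED` while the clone, even though it holds the same key and an authentic image, trips `DNA_MISMATCH` and loses its key and configuration. The order of checks matters: the HMAC is verified before any field of the image is interpreted, so a forged header cannot influence the DNA comparison.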

Modern FPGA devices are an essential part of high-performance and high-security application systems. The fundamental architectures of the product, the design/development tools, and workflows for the devices have progressively grown in sophistication to incorporate ever more advanced security features necessary for the task.

It should be noted that any AT features enabled at the FPGA-level should always be part of an overall system-level AT solution. The features and techniques outlined in this article will provide for a very good “AT umbrella” for the FPGA itself; however, AT is most effective when it is part of a multi-layer approach developed with the entire system in mind.

Remember, no single AT feature or technique is going to be 100% effective all of the time or solve all your AT needs for the entire system. However, making the adversary’s job as difficult (and expensive) as possible and following a layered approach will almost always yield very good (if not excellent) results.

This article was written by Ed Peterson, Senior Staff Applications Engineer, Xilinx Inc. (San Jose, CA).