Visible to Intel only — GUID: ynh1627580367411
Ixiasoft
Visible to Intel only — GUID: ynh1627580367411
Ixiasoft
5.4.1. Anti-Tamper Responses
You enable physical anti-tamper by selecting a response from the Anti-tamper response: dropdown list on the Assignments > Device > Device and Pin Options > Security > Anti-Tamper tab. By default, the anti-tamper response is disabled.
The corresponding assignment in the Quartus Prime settings .qsf file is the following:
set_global_assignment -name ANTI_TAMPER_RESPONSE "NOTIFICATION DEVICE WIPE DEVICE LOCK AND ZEROIZATION"
You may individually select the Enable device self-kill response for each detection method.
If you select Enable device self-kill response for any detection method, you must also generate a permit kill compact certificate, sign the compact certificate, and program the compact certificate to your device prior to loading a design with the self-kill response enabled.
Use one of the following commands to create a signature chain capable of signing a permit-type compact certificate. Note that permission bit 10 is used in this operation.
quartus_sign --family=stratix10 --operation=append_key \ --previous_pem=root_private.pem \ --previous_qky=root.qky \ --permission=0x400 \ --cancel=0 \ --input_pem=permit0_sign_public.pem permit0_sign_chain.qky
quartus_sign --family=stratix10 --operation=append_key --module=softHSM \ –module_args="--token_label=s10-token \ --user_pin=s10-token-pin \ --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \ --previous_keyname=root \ --previous_qky=root.qky \ --permission=0x400 \ --cancel=0 \ --input_keyname=permit0_sign permit0_sign_chain.qky
quartus_pfg --ccert –o ccert_type=DEVICE_PERMIT_KILL unsigned_permit_kill.ccert
Use one of the following commands to sign the permit kill compact certificate.
quartus_sign --family=stratix10 --operation=sign \ --pem=permit0_sign_private.pem \ --qky=permit0_sign_chain.qky \ unsigned_permit_kill.ccert signed_permit_kill.ccert
quartus_sign --family=stratix10 --operation=sign --module=softHSM \ --module_args="--token_label=s10-token \ --user_pin=s10-token-pin \ --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \ --keyname=permit0_sign \ --qky=permit0_sign_chain.qky \ unsigned_permit_kill.ccert signed_permit_kill.ccert
quartus_pgm –c 1 –m jtag –o "p;signed_permit_kill.ccert"
When you enable an anti-tamper response, you may choose two available SDM dedicated I/O pins to output the tamper event detection and response status using the Assignments > Device > Device and Pin Options > Configuration > Configuration Pin Options window.
set_global_assignment -name USE_TAMPER_DETECT SDM_IO15
set_global_assignment -name ANTI_TAMPER_RESPONSE_FAILED SDM_IO16