CN103023647A - Method for enhancing safety of secondary radar FPGA (Field Programmable Gate Array) - Google Patents


Info

Publication number
CN103023647A
Authority
CN
China
Prior art keywords
fpga
spi
read
check code
configuration file
Prior art date
Legal status
Granted
Application number
CN2012104919016A
Other languages
Chinese (zh)
Other versions
CN103023647B (en
Inventor
刘伟伟
Current Assignee
Sichuan Jiuzhou ATC Technology Co Ltd
Original Assignee
Sichuan Jiuzhou ATC Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Sichuan Jiuzhou ATC Technology Co Ltd
Priority to CN201210491901.6A
Publication of CN103023647A
Application granted
Publication of CN103023647B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method for enhancing the security of a secondary radar FPGA (Field Programmable Gate Array) and relates to the field of FPGA security design. The method comprises the following steps: after the FPGA loads a configuration file, first read the hardware ID (identity); second, read a check code from memory; finally, decrypt the check code and compare the decrypted check code with the ID; if they are consistent, execute the normal function, otherwise start a reconfiguration command; after the FPGA is reconfigured, first encrypt the ID that was read and store the encrypted ID in the ISF (in-system flash); then delete the configuration file used in the reconfiguration process. The method makes full use of the FPGA's resources and reduces design cost, and by binding the hardware ID and monitoring the JTAG interface it prevents a secondary user from reverse engineering or cloning the FPGA. Furthermore, the space occupancy rate and the power consumption are clearly improved. The design scheme is currently used in certain secondary radar equipment, where its function is stable and reliable.

Description

A method for enhancing the security of a secondary radar FPGA
Technical field
The present invention relates to the field of FPGA security design, and in particular to a method for enhancing the security of a secondary radar FPGA.
Background technology
The secondary radar in question is a Western-standard secondary radar with identification friend-or-foe (IFF) capability that our company designs and manufactures for a certain country. Secondary radars are produced in small numbers, and during service they are upgraded or modified according to the actual situation and the customer's requirements, so they place high demands on design cost and hardware flexibility. In addition, to protect the interests of the company and even of the country, unauthorized parties must be prevented from reverse engineering, over-building and cloning key technology (modules). Given these characteristics of the secondary radar, we chose the XC3S700AN for the FPGA (coding module) design. The XC3S700AN belongs to the Spartan-3AN series of Xilinx; it is the world's first non-volatile FPGA that supports multiple configuration, and resources such as its unique ID make a low-cost security design possible.
We have always relied on devices with encryption features to implement FPGA security. For example, a microcontroller with a locking function has been used to assist the FPGA in encrypting the hardware program. Although this scheme prevents the program from being copied, the communication signals between the microcontroller and the FPGA are exposed and easily monitored by others; by logical derivation the internal timing relationships of the microcontroller can be analysed, and the security barrier erected by the FPGA and the microcontroller is finally broken by logic simulation. Another example is the widely adopted storage chip with encryption functions; earlier export products used encrypted storage chips to prevent the FPGA program from being illegally copied, but as with the microcontroller scheme, the port signals between the memory and the FPGA are exposed.
An FPGA design based on the XC3S700AN provides copy protection while overcoming the exposed-signal drawback of the earlier FPGA program encryption schemes. The key point of this scheme's encryption is that each XC3S700AN has a unique ID; but if an FPGA with an identical ID could be cloned through a back door, the security of the scheme would be challenged.
The security requirements of the secondary radar FPGA mainly comprise: preventing leakage of the primary key, preventing reverse engineering and preventing over-building of modules.
The primary key is the key of the encryption and decryption technology; its leakage would cause extremely serious harm, so when the primary key is stored its security must be guaranteed under all circumstances, so that even if it is stolen by the enemy no useful information can be extracted from it. Storage of the primary key is part of the function, and the storage method adopted is similar to the method used for storing the ID.
JTAG (an international standard test protocol), while convenient for the project designer, also makes it convenient for unauthorized users to steal the internal configuration program by reverse engineering. Through reverse engineering, an unauthorized party can complete the development of a product without investing large R&D funds. Preventing reverse engineering, so that the legitimate rights and interests of the design side are not infringed, is a problem the designer should consider carefully.
By cloning key modules, an unauthorized party can produce the same module without spending any R&D cost. In the long run the benefits it gains are obvious, while the design side suffers economic losses such as maintenance costs and later spare parts.
To protect the legitimate rights and economic interests of the design side against the threats described above, the FPGA adopts the security mechanisms of boot-time ID verification and real-time JTAG monitoring.
Summary of the invention
The purpose of the present invention is to provide a method for enhancing the security of a secondary radar FPGA, improving the security of the FPGA design by binding the program to the ID of the FPGA.
To achieve this object, the technical scheme adopted is as follows: after the FPGA has loaded the configuration file, first read the hardware ID, next read the check code in memory, and finally decrypt the check code and compare it with the ID; if they are consistent, execute the normal function, otherwise start the reconfigure command. After the FPGA has been reconfigured, first encrypt the ID that was read and store it in the ISF, then delete the configuration file used during reconfiguration. The FPGA receives keys using an interrupt-handling method: after receiving valid key information, it first stores the key information in the ISF, then reads it back and returns it for verification.
Preferred step: after the ID verification passes, the JTAG port is monitored; once a security threat is detected, the FPGA starts its protection strategy.
Preferred step: the protection strategy consists of erasing the configuration file in the program memory and starting the reconfigure command, refreshing the operating state of the FPGA.
Preferred step: the ID verification involves two processes; process P1 reads the check code from the ISF and decrypts it, and process P2 compares the decrypted ID with the ID read by process P1.
In summary, thanks to the above technical scheme, the beneficial effects of the invention are as follows: although the ID of the FPGA is visible to everyone, the encryption algorithm applied to the ID is known only to the designer, just as with a bank ATM card: the card number is public, but only the owner knows the PIN. In the present design, after the FPGA has executed the ID encryption algorithm, the encryption algorithm part of the configuration program is completely deleted, which prevents leakage of the encryption algorithm.
By making comprehensive use of the internal resources of the XC3S700AN, based on its globally unique ID, and adopting multiple configuration and JTAG port monitoring techniques, a low-cost FPGA security design is realized, reducing or even stopping unauthorized copying of the Western-standard FPGA and protecting the economic interests of the manufacturer. The design can be applied in FPGA-based design fields and plays a positive role in protecting the intellectual property of individuals or organizations.
Description of drawings
Examples of the present invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is the ICAP interface schematic;
Fig. 2 is the ICAP timing diagram;
Fig. 3 is the reconfigure command design flow;
Fig. 4 is the DNA_PORT module interface;
Fig. 5 is the ID read schematic;
Fig. 6 is the SPI_ACCESS module interface;
Fig. 7 is the operating principle block diagram of the coding module;
Fig. 8 is the boot-time ID verification design flow diagram;
Fig. 9 is the design flow diagram for erasing the configuration file;
Fig. 10 is the JTAG monitoring design flow diagram.
Embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except where features and/or steps are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may, unless specifically stated otherwise, be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is merely one example of a series of equivalent or similar features.
1 Multiple configuration technology
Multiple configuration technology stores two or more configuration files in the configuration memory and lets the FPGA itself select and trigger a reconfiguration. The reconfiguration address and mode can be set in ISE or in the reconfigure command. When a reconfiguration control command is received, the FPGA sends the reconfigure command through an interface such as ICAP or JTAG and completes the reconfiguration of the FPGA. The XC3S700AN has two such interfaces, ICAP and JTAG; this FPGA design uses the ICAP interface to send the reconfigure command. The ICAP module implements the interface between the fabric and the FPGA configuration controller and is commonly used on the Spartan-3A/3AN/3A DSP platforms to perform reconfiguration after configuration has completed. Its interface is shown in Figure 1: I[7:0] is the 8-bit input; O[7:0] is the 8-bit output; WRITE is the write control signal, active low; CE is the clock enable signal, active low; BUSY is the ICAP module status output, high meaning busy; CLK is the clock input. In this FPGA design the reconfiguration address and mode are set in ISE, so they are not involved in the reconfigure command. In ISE, right-click and open Generate Programming File -> Process Properties... -> Configuration Options -> next_config_addr to complete the setting; the reconfiguration address of the XC3S700AN is a fixed value, 0x0C0000. Both configuration files are kept in the ISF, so the mode does not need to be modified.
The I[7:0] input of the ICAP module is ordered low bit first and high bit last, the opposite of common usage, which must be kept in mind when using it. The ICAP timing is shown in Figure 2.
According to the ICAP timing requirements, the design flow of the reconfigure command is shown in Figure 3.
VHDL implementation:
---- Configuration register initialization process: sends the MultiBoot reboot command through ICAP.
---- Assumed declarations elsewhere in the architecture: signals reset, ICAP_clk, reboot, ICAP_ce,
---- ICAP_wr, ICAP_I(7 downto 0), the integer counter, the state signal state, and the array
---- MultiBoot_reconfiguration_register(1 to 14) of std_logic_vector(7 downto 0).
process(reset, ICAP_clk)
  variable time_delay : integer range 0 to 10000;
begin
  if reset = '0' then
    counter <= 1;
    time_delay := 0;
    state <= delay;
    ICAP_ce <= '1';
    ICAP_wr <= '1';
    ICAP_I <= x"FF";
  else
    if ICAP_clk'event and ICAP_clk = '1' then
      case state is
        when delay => ---- 1 ms delay
          if time_delay < 10000 then
            time_delay := time_delay + 1;
          else
            time_delay := 0; state <= ICAP_init1;
          end if;
        when ICAP_init1 => ---- wait for the reconfigure command
          if reboot = '1' then
            state <= register_init;
          else
            state <= delay;
          end if;
        when register_init =>
          ---- configuration register initialization: reconfigure from the next_config_addr set in ISE
          MultiBoot_reconfiguration_register(1) <= x"AA"; ---- HEADER (sync word)
          MultiBoot_reconfiguration_register(2) <= x"99"; ---- HEADER
          MultiBoot_reconfiguration_register(3) <= x"30";
          MultiBoot_reconfiguration_register(4) <= x"A1";
          MultiBoot_reconfiguration_register(5) <= x"00"; ---- REBOOT
          MultiBoot_reconfiguration_register(6) <= x"0E";
          MultiBoot_reconfiguration_register(7) <= x"20"; ---- NOOP
          MultiBoot_reconfiguration_register(8) <= x"00";
          MultiBoot_reconfiguration_register(9) <= x"20"; ---- NOOP
          MultiBoot_reconfiguration_register(10) <= x"00";
          MultiBoot_reconfiguration_register(11) <= x"20"; ---- NOOP
          MultiBoot_reconfiguration_register(12) <= x"00";
          MultiBoot_reconfiguration_register(13) <= x"20"; ---- NOOP
          MultiBoot_reconfiguration_register(14) <= x"00"; state <= ICAP_write;
        when ICAP_write => ---- write the reconfiguration registers, one byte per clock
          ICAP_ce <= '0';
          ICAP_wr <= '0';
          ---- the ICAP input is bit-reversed: the low bit of the register value goes to I(7)
          ICAP_I(7) <= MultiBoot_reconfiguration_register(counter)(0);
          ICAP_I(6) <= MultiBoot_reconfiguration_register(counter)(1);
          ICAP_I(5) <= MultiBoot_reconfiguration_register(counter)(2);
          ICAP_I(4) <= MultiBoot_reconfiguration_register(counter)(3);
          ICAP_I(3) <= MultiBoot_reconfiguration_register(counter)(4);
          ICAP_I(2) <= MultiBoot_reconfiguration_register(counter)(5);
          ICAP_I(1) <= MultiBoot_reconfiguration_register(counter)(6);
          ICAP_I(0) <= MultiBoot_reconfiguration_register(counter)(7);
          if counter < 14 then
            counter <= counter + 1; state <= ICAP_write;
          else
            state <= ICAP_init2; counter <= 1;
          end if;
        when ICAP_init2 => ---- release the interface; the device now reboots from next_config_addr
          ICAP_ce <= '1';
          ICAP_wr <= '1';
          ICAP_I <= x"FF";
        when others =>
          state <= ICAP_init1;
      end case;
    end if;
  end if;
end process;
2 ID
The ID is a unique 57-bit identifier placed into each Spartan-3A/3AN/3A DSP FPGA device during Xilinx's manufacturing process. Each FPGA has a unique ID, which allows the designer to associate a design with a specific FPGA device. The read-only ID can be accessed by anyone through the JTAG port or the internal ID port. The designer feeds the ID into an encryption algorithm of their own and stores the resulting check code in internal or external memory. Neither the ID nor the stored check code is secret, but the encryption algorithm is known only to the designer, so the encryption algorithm is the key of an ID-based security design. If a cloner or over-builder copies the bitstream and puts it into another FPGA, the ID of the new FPGA differs from the ID the design is bound to, so the design returns an unauthorized or failed result, and the user can decide how to handle the security threat according to the circumstances. In addition, protection can be strengthened by increasing the number of ID bits, so as to avoid brute-force attacks. This FPGA design reads the ID through the ID_PORT interface. The interface of the internal ID_PORT module is shown in Figure 4: CLK is the 1-bit clock input; DIN is the 1-bit user data input, which the caller can set and which is used to extend the number of ID bits; DOUT is the 1-bit ID output; READ is a 1-bit input, which loads the ID value from memory when high and outputs the ID value on DOUT when low; SHIFT is the shift control signal, active high.
The design flow for reading the ID is shown in Figure 5.
VHDL implementation: the hardware ID is read out through ID_PORT and placed in ID(0 to 64); in practice the user can extend the number of ID bits as required.
---- Assumed declarations elsewhere in the architecture: signals reset, sysclk, read_ctrl, SHIFT,
---- ID_temp, ID_readout, the vector ID(0 to 64), and the integers ID_state and id_num.
process(reset, sysclk)
begin
  if reset = '0' then
    ID_readout <= '0';
    ID <= (others => '0');
    ID_state <= 0;
    id_num <= 0;
  else
    if sysclk'event and sysclk = '1' then
      case ID_state is
        when 0 => ---- load the ID into the port's shift register
          read_ctrl <= '1';
          SHIFT <= '0';
          ID_state <= 1;
        when 1 => ---- start shifting the ID out
          read_ctrl <= '0';
          SHIFT <= '1';
          ID_state <= 2;
        when 2 => ---- collect the 57 ID bits, one per clock
          ID(id_num) <= ID_temp;
          if id_num < 56 then
            id_num <= id_num + 1;
          else
            ID_state <= 3;
          end if;
        when 3 => ---- done: stop shifting, flag the readout and append the user extension bits
          SHIFT <= '0';
          ID_readout <= '1';
          ID(57 to 64) <= x"11"; ---- user extension bits
        when others =>
          ID_state <= 0;
      end case;
    end if;
  end if;
end process;

---- Instance of the ID port (the Xilinx DNA_PORT primitive of Figure 4, called ID_PORT in this description)
ID_inst : ID_PORT
  port map (
    DOUT  => ID_temp,    -- 1-bit ID output data
    CLK   => sysclk,     -- 1-bit clock input
    DIN   => '0',        -- 1-bit user data input pin
    READ  => read_ctrl,  -- 1-bit input, active high load ID, active low read
    SHIFT => SHIFT       -- 1-bit input, active high shift enable
  );
3 SPI interface
In the Spartan-3AN series FPGA, Xilinx has built in an SPI interface through which the user can access any memory cell of the internal memory after FPGA configuration has completed. The supported operations include read, write, erase, write-protect and sector locking. The internal memory of the Spartan-3AN series FPGA is divided by function into three areas: the configuration file 1 area, the configuration file 2 area and the user data area. The configuration file 1 area is the default configuration file area and stores the configuration file that initializes the FPGA. The configuration file 2 area stores the configuration file used for reconfiguration when in reconfiguration mode, and can store user data when not in reconfiguration mode. The user data area can only store user data. The SPI_ACCESS module uses the SPI serial protocol; its interface is shown in Figure 6.
3.1 Read operation
The Spartan-3AN series FPGA supports reading data directly from memory or from the buffer, which the user can easily select through the control command. The read types include: fast read, random read, read a page of data into the buffer, read the buffer, and so on. Random read is the most frequently used read mode; with it the user can access the data at a specified address.
When performing a read operation, the CSB control signal is asserted on the rising edge or high level of the CLK signal, and MOSI is synchronous with the falling edge of CLK.
VHDL implementation:
---- Assumed declarations elsewhere in the architecture: signals reset, SPI_CLK, flash_CSB, flash_MOSI,
---- flash_MISO, the integer wait_cycle, the 8-bit vectors read_status_reg, read_status_cmd, command_code,
---- addr_high_byte, addr_middle_byte and addr_low_byte, the array RAM(1 to byte_num) of 8-bit vectors,
---- and the state signals spi_RD_machine and spi_statue_machine.
process(reset, SPI_CLK)
  variable i : integer range 7 downto 0;
  variable counter : integer range byte_num downto 1;
begin
  if reset = '0' then ---- initialization
    spi_RD_machine <= Ready;
    spi_statue_machine <= tran_cmd;
    flash_CSB <= '1';
    read_status_reg <= x"00";
    wait_cycle <= 0;
    i := 7; counter := 1;
    read_status_cmd <= x"D7";  ---- read status register command
    command_code <= x"03";     ---- random read command
    addr_high_byte <= x"**";   ---- high address byte (value omitted in the source)
    addr_middle_byte <= x"**"; ---- middle address byte (value omitted in the source)
    addr_low_byte <= x"**";    ---- low address byte (value omitted in the source)
  else ---- read data
    if SPI_CLK'event and SPI_CLK = '1' then
      case spi_RD_machine is
        when Ready => ---- poll the status register: the flash must be idle before any read or write
          case spi_statue_machine is
            when tran_cmd => ---- send the status command byte
              flash_CSB <= '0';
              flash_MOSI <= read_status_cmd(i);
              if i > 0 then i := i - 1; else i := 7; spi_statue_machine <= recv_data; end if;
            when recv_data => ---- receive the status byte
              flash_CSB <= '0';
              ---- wait one cycle before sampling MISO
              if wait_cycle = 1 then
                read_status_reg(i) <= flash_MISO;
                if i > 0 then i := i - 1; else i := 7; spi_statue_machine <= ready_busy; end if;
              else
                wait_cycle <= wait_cycle + 1;
              end if;
            when ready_busy => ---- is the flash idle and unprotected?
              if read_status_reg(7) = '1' and read_status_reg(1) = '0' then
                ---- ready: go on to the read command; otherwise keep polling
                spi_RD_machine <= tran_cmd;
                spi_statue_machine <= tran_cmd; flash_CSB <= '1'; wait_cycle <= 0;
              else
                spi_RD_machine <= Ready; spi_statue_machine <= recv_data;
                read_status_reg(i) <= flash_MISO; i := i - 1;
              end if;
            when others => null;
          end case;
        when tran_cmd => ---- send the command byte
          flash_CSB <= '0';
          flash_MOSI <= command_code(i);
          if i > 0 then i := i - 1; else i := 7; spi_RD_machine <= tran_high_addr; end if;
        when tran_high_addr => ---- send the high address byte
          flash_CSB <= '0';
          flash_MOSI <= addr_high_byte(i);
          if i > 0 then i := i - 1; else i := 7; spi_RD_machine <= tran_middle_addr; end if;
        when tran_middle_addr => ---- send the middle address byte
          flash_CSB <= '0';
          flash_MOSI <= addr_middle_byte(i);
          if i > 0 then i := i - 1; else i := 7; spi_RD_machine <= tran_low_addr; end if;
        when tran_low_addr => ---- send the low address byte
          flash_CSB <= '0';
          flash_MOSI <= addr_low_byte(i);
          if i > 0 then i := i - 1; else i := 7; spi_RD_machine <= recv_data; end if;
        when recv_data => ---- receive the data bytes
          flash_CSB <= '0';
          ---- wait one cycle before sampling MISO
          if wait_cycle = 1 then
            RAM(counter)(i) <= flash_MISO;
            if counter < byte_num then
              if i > 0 then i := i - 1; else i := 7; counter := counter + 1; end if;
            else
              if i > 0 then i := i - 1; else i := 7; counter := 1; spi_RD_machine <= data_verify; end if;
            end if;
          else
            wait_cycle <= wait_cycle + 1;
          end if;
        when data_verify => ---- data check processing
………………………………………………
………………………………………………
……………………………………………….
        when others => null;
      end case;
    end if;
  end if;
end process;
3.2 Write operation
Like the read operation, the write operation can also act on a page or on the buffer. The write types include: write to the buffer; erase the data in the page and then write the buffer data into it; write the buffer data into the page without erasing; page write; compare the page data with the buffer data; buffer initialization; and so on. A commonly used operation type is the page write, which combines two types, writing the buffer and erasing the page and then writing the buffer data into it; its format is shown in Table 3, and its requirements on CSB and MOSI are the same as for the read operation.
VHDL implementation:
---- Assumed declarations elsewhere in the architecture: signals reset, SPI_CLK, flash_CSB, flash_MOSI,
---- flash_MISO, the integer wait_cycle, the 8-bit vectors read_status_reg, read_status_cmd, command_code,
---- addr_high_byte, addr_middle_byte and addr_low_byte, the array RAM(1 to byte_num) of 8-bit vectors,
---- and the state signals spi_WR_machine and spi_statue_machine.
process(reset, SPI_CLK)
  variable i : integer range 7 downto 0;
  variable counter : integer range byte_num downto 1;
  variable wait_counter : integer range 0 to 500000; ---- declaration added; the source uses it without declaring it
begin
  if reset = '0' then ---- initialization
    spi_WR_machine <= Ready;
    spi_statue_machine <= tran_cmd;
    flash_CSB <= '1';
    read_status_reg <= x"00";
    wait_cycle <= 0;
    i := 7; counter := 1; wait_counter := 0;
    read_status_cmd <= x"D7";  ---- read status register command
    command_code <= x"82";     ---- page write command
    addr_high_byte <= x"**";   ---- high address byte (value omitted in the source)
    addr_middle_byte <= x"**"; ---- middle address byte (value omitted in the source)
    addr_low_byte <= x"**";    ---- low address byte (value omitted in the source)
  else ---- write data
    if SPI_CLK'event and SPI_CLK = '1' then
      case spi_WR_machine is
        when Ready => ---- poll the status register: the flash must be idle before any read or write
          case spi_statue_machine is
            when tran_cmd => ---- send the status command byte
              flash_CSB <= '0';
              flash_MOSI <= read_status_cmd(i);
              if i > 0 then i := i - 1; else i := 7; spi_statue_machine <= recv_data; end if;
            when recv_data => ---- receive the status byte
              flash_CSB <= '0';
              ---- wait one cycle before sampling MISO
              if wait_cycle = 1 then
                read_status_reg(i) <= flash_MISO;
                if i > 0 then i := i - 1; else i := 7; spi_statue_machine <= ready_busy; end if;
              else
                wait_cycle <= wait_cycle + 1;
              end if;
            when ready_busy => ---- is the flash idle and unprotected?
              if read_status_reg(7) = '1' and read_status_reg(1) = '0' then
                ---- ready: go on to the write command; otherwise keep polling
                spi_WR_machine <= tran_cmd;
                spi_statue_machine <= tran_cmd; flash_CSB <= '1'; wait_cycle <= 0;
              else
                spi_WR_machine <= Ready; spi_statue_machine <= recv_data;
                read_status_reg(i) <= flash_MISO; i := i - 1;
              end if;
            when others => null;
          end case;
        when tran_cmd => ---- send the command byte
          flash_CSB <= '0';
          flash_MOSI <= command_code(i);
          if i > 0 then i := i - 1; else i := 7; spi_WR_machine <= tran_high_addr; end if;
        when tran_high_addr => ---- send the high address byte
          flash_CSB <= '0';
          flash_MOSI <= addr_high_byte(i);
          if i > 0 then i := i - 1; else i := 7; spi_WR_machine <= tran_middle_addr; end if;
        when tran_middle_addr => ---- send the middle address byte
          flash_CSB <= '0';
          flash_MOSI <= addr_middle_byte(i);
          if i > 0 then i := i - 1; else i := 7; spi_WR_machine <= tran_low_addr; end if;
        when tran_low_addr => ---- send the low address byte
          flash_CSB <= '0';
          flash_MOSI <= addr_low_byte(i);
          if i > 0 then i := i - 1; else i := 7; spi_WR_machine <= tran_data; end if;
        when tran_data => ---- send the data bytes
          flash_CSB <= '0';
          flash_MOSI <= RAM(counter)(i);
          if counter < byte_num then
            if i > 0 then i := i - 1; else i := 7; counter := counter + 1; end if;
          else
            if i > 0 then i := i - 1;
            else i := 7; counter := 1; spi_WR_machine <= spi_busy;
            end if;
          end if;
        when spi_busy => ---- wait for the data to be written into the flash
          flash_CSB <= '1';
          ---- wait 50000 us; set the waiting time according to the datasheet
          if wait_counter < 500000 then wait_counter := wait_counter + 1;
          else wait_counter := 0; end if;
        when others => null;
      end case;
    end if;
  end if;
end process;
3.3 Erase
The smallest unit of an erase operation is the page; block erase and sector erase are also provided. A block contains 8 pages and a sector contains 8 blocks, so the user can select a suitable erase type as needed. Because an erase operation takes a long time to execute, it must be ensured that the memory is idle before the command is issued. In addition, if erase protection is set on the memory, no erase operation can be executed.
VHDL implementation:
---- Assumed declarations elsewhere in the architecture: signals reset, SPI_CLK, CSB, MOSI, MISO,
---- the std_logic wait_cycle, the 8-bit vectors read_status_reg, read_status_cmd, command_code,
---- addr_high_byte, addr_middle_byte and addr_low_byte, the indicator outputs lamp2_G and lamp2_R,
---- and the state signals spi_ERASE_machine, spi_write_machine and spi_statue_machine.
process(reset, SPI_CLK)
  variable counter, i : integer range 7 downto 0;
  variable wait_counter : integer range 0 to 500000;
  variable wait_5s : integer range 0 to 100;
  variable page_addr_add : unsigned(11 downto 0); ---- sector address counter; declaration added, the source uses it without declaring it
begin
  if reset = '0' then ---- initialization
    spi_ERASE_machine <= Ready;
    spi_write_machine <= tran_cmd;
    spi_statue_machine <= tran_cmd;
    CSB <= '1';
    counter := 0; wait_cycle <= '0'; i := 7; wait_counter := 0; wait_5s := 0;
    page_addr_add := x"000"; ---- start value assumed; the source gives none
    lamp2_G <= '0'; lamp2_R <= '1'; ---- indicator LEDs: red while erasing
    read_status_cmd <= x"D7";  ---- read status register command
    command_code <= x"7C";     ---- sector erase command
    addr_high_byte <= x"**";   ---- high address byte (value omitted in the source)
    addr_middle_byte <= x"**"; ---- middle address byte (value omitted in the source)
    addr_low_byte <= x"**";    ---- low address byte (value omitted in the source)
  else ---- erase the sector
    if SPI_CLK'event and SPI_CLK = '1' then
      case spi_ERASE_machine is
        when Ready => ---- is the SPI flash idle?
          case spi_statue_machine is
            when tran_cmd => ---- send the status command byte
              CSB <= '0'; MOSI <= read_status_cmd(i);
              if i > 0 then i := i - 1; else i := 7; spi_statue_machine <= recv_data; end if;
            when recv_data => ---- receive the status byte
              CSB <= '0';
              ---- wait one cycle before sampling MISO
              if wait_cycle = '1' then
                read_status_reg(i) <= MISO;
                if i > 0 then i := i - 1;
                else i := 7; spi_statue_machine <= ready_busy; end if;
              else wait_cycle <= '1'; end if;
            when ready_busy => ---- is the flash idle and unprotected?
              if read_status_reg(7) = '1' and read_status_reg(1) = '0' then
                ---- ready
                spi_ERASE_machine <= spi_ERASE;
                spi_statue_machine <= tran_cmd;
                CSB <= '1'; wait_cycle <= '0';
              else
                spi_ERASE_machine <= Ready;
                spi_statue_machine <= recv_data;
                read_status_reg(i) <= MISO; i := i - 1;
              end if;
            when others => null;
          end case;
        when spi_ERASE => ---- erase the configuration data in the flash
          case spi_write_machine is
            when tran_cmd => ---- send the erase command byte
              CSB <= '0';
              MOSI <= command_code(i);
              if i > 0 then i := i - 1; else i := 7;
                spi_write_machine <= tran_high_addr;
              end if;
            when tran_high_addr => ---- send the high address byte
              CSB <= '0';
              MOSI <= addr_high_byte(i);
              if i > 0 then i := i - 1; else i := 7; spi_write_machine <= tran_middle_addr; end if;
            when tran_middle_addr => ---- send the middle address byte
              CSB <= '0';
              MOSI <= addr_middle_byte(i);
              if i > 0 then i := i - 1; else i := 7; spi_write_machine <= tran_low_addr; end if;
            when tran_low_addr => ---- send the low address byte
              CSB <= '0';
              MOSI <= addr_low_byte(i);
              if i > 0 then i := i - 1; else i := 7; spi_write_machine <= tran_cmd;
                spi_ERASE_machine <= spi_busy;
              end if;
            when others => null;
          end case;
        when spi_busy => ---- wait for the erase operation to finish
          CSB <= '1';
          ---- wait 50000 us x 100 = 5 s for the program to be erased; set according to the datasheet
          if wait_counter < 500000 then wait_counter := wait_counter + 1;
          else
            wait_counter := 0;
            if wait_5s = 100 then
              wait_5s := 0;
              ---- erase the next sector
              if page_addr_add < x"500" then
                page_addr_add := page_addr_add + x"100";
                spi_ERASE_machine <= Ready;
              else
                ---- indicate that the program has been erased
                lamp2_G <= '1';
                lamp2_R <= '0';
              end if;
            else
              wait_5s := wait_5s + 1;
            end if;
          end if;
        when others =>
          spi_ERASE_machine <= Ready;
      end case;
    end if;
  end if;
end process;
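A host-side model of the SPI command framing and of the ready/protect gate that the read, page-write and sector-erase processes of sections 3.1 to 3.3 all apply, added here as an illustration; it is not the patent's code and is written in Python rather than VHDL. The opcodes and status bits follow the VHDL above (0xD7 read status, 0x03 random read, 0x82 page write, 0x7C sector erase; status bit 7 ready, bit 1 protection) and the 8-pages-per-block, 8-blocks-per-sector geometry of section 3.3; the 256-byte page size, the in-memory flash and the sample data are constructed assumptions.

```python
from typing import List, Optional

# Opcodes and status bits as used by the VHDL processes of sections 3.1 to 3.3
READ_STATUS = 0xD7       # read status register
RANDOM_READ = 0x03       # random read
PAGE_WRITE = 0x82        # page write: erase the page, then program the buffer contents
SECTOR_ERASE = 0x7C      # sector erase
STATUS_READY = 1 << 7    # read_status_reg(7) = '1': memory idle
STATUS_PROTECT = 1 << 1  # read_status_reg(1) = '1': protection set, erase refused

NEXT_CONFIG_ADDR = 0x0C0000  # reconfiguration address of configuration file 2 (section 1)
PAGE_SIZE = 256              # assumption for this model; the page does not give the page size
PAGES_PER_BLOCK = 8          # section 3.3: a block contains 8 pages
BLOCKS_PER_SECTOR = 8        # section 3.3: a sector contains 8 blocks
SECTOR_SIZE = PAGE_SIZE * PAGES_PER_BLOCK * BLOCKS_PER_SECTOR


def frame(opcode: int, addr: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Bytes shifted out on MOSI: opcode, then the 24-bit address as high, middle and low byte, then data."""
    if addr is None:
        return bytes([opcode]) + payload
    if not 0 <= addr < (1 << 24):
        raise ValueError("address must fit in three bytes")
    return bytes([opcode, (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF]) + payload


def mosi_bits(data: bytes) -> List[int]:
    """Wire order of each byte: the VHDL walks i from 7 downto 0, so the MSB goes out first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def flash_ready(status: int) -> bool:
    """The gate every VHDL process applies before a command: bit 7 set (idle) and bit 1 clear (unprotected)."""
    return bool(status & STATUS_READY) and not (status & STATUS_PROTECT)


class FlashModel:
    """Constructed byte-addressed model of the in-system flash with a status register."""

    def __init__(self, size: int = 1 << 20, protected: bool = False) -> None:
        self.mem = bytearray(b"\xff" * size)  # erased flash reads as 0xFF
        self.protected = protected
        self.busy = False

    def status(self) -> int:
        ready = 0 if self.busy else STATUS_READY
        return ready | (STATUS_PROTECT if self.protected else 0)

    def execute(self, cmd: bytes, nbytes: int = 0) -> bytes:
        """Run one framed command; nbytes is the byte_num of a read. Raises where the VHDL would keep polling."""
        opcode = cmd[0]
        if opcode == READ_STATUS:
            return bytes([self.status()])
        if not flash_ready(self.status()):
            raise RuntimeError("flash busy or protected: the ready_busy state would not advance")
        addr = int.from_bytes(cmd[1:4], "big")
        if opcode == RANDOM_READ:
            return bytes(self.mem[addr:addr + nbytes])
        if opcode == PAGE_WRITE:
            data = cmd[4:]
            if addr % PAGE_SIZE + len(data) > PAGE_SIZE:
                raise ValueError("page write must stay inside one page")
            page_start = addr - addr % PAGE_SIZE
            self.mem[page_start:page_start + PAGE_SIZE] = b"\xff" * PAGE_SIZE  # erase the page
            self.mem[addr:addr + len(data)] = data                             # then program it
            return b""
        if opcode == SECTOR_ERASE:
            start = addr - addr % SECTOR_SIZE
            self.mem[start:start + SECTOR_SIZE] = b"\xff" * SECTOR_SIZE
            return b""
        raise ValueError("unsupported opcode 0x%02X" % opcode)


if __name__ == "__main__":
    flash = FlashModel()
    image = b"\xaa\x99\x30\xa1"  # constructed sample: first bytes of a configuration image
    flash.execute(frame(PAGE_WRITE, NEXT_CONFIG_ADDR, image))
    print(flash.execute(frame(RANDOM_READ, NEXT_CONFIG_ADDR), nbytes=4).hex())  # aa9930a1
    flash.execute(frame(SECTOR_ERASE, NEXT_CONFIG_ADDR))  # the erase of configuration file 2
    print(flash.execute(frame(RANDOM_READ, NEXT_CONFIG_ADDR), nbytes=4).hex())  # ffffffff
    locked = FlashModel(protected=True)
    print(hex(locked.execute(frame(READ_STATUS))[0]))  # 0x82: idle but protected, erase refused
```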
4 FPGA operation principles
FPGA mainly finishes the coding and decoding work of pattern, and its operation principle block diagram as shown in Figure 7.After FPGA has loaded configuration file, at first carry out the ID verification, whether the ID that judges the design binding is consistent with the ID of operation platform, if verification is not passed through, collector can automatically start reshuffle function, and the check code among the ISF is upgraded, upgrade complete after, the configuration file that uses when deletion is reshuffled, the function Exactly-once after FPGA loads configurator that like this ID check code is refreshed.Collector receives key, adopts the method for interrupting processing, after receiving effective key information, at first key information is stored among the ISF, then again read, and the passback verification.After the ID verification is passed through, jtag port is monitored, be in order to prevent that unauthorized user from carrying out the illegal operations such as reverse engineering to FPGA.In case listen to security threat, FPGA is the starting protection program at once, configuration file and user data among the deletion ISF.Only in the situation that the errorless and jtag port of ID verification is in a safe condition, FPGA just can carry out coding and encryption and decryption functions.
The safety Design of 5 FPGA
For legitimate rights and interests and the economic interests of Maintenance Design side are not encroached on, for the threat of above-mentioned existence, FPGA has adopted the security mechanism of start ID verification and in real time JTAG monitoring.
5.1 start ID verification
Each FPGA of Spartan-3AN series has unique ID, and the designer can strengthen the fail safe of design by design and the ID of FPGA binds.If the ID verification by carry out normal function, otherwise the designer can set different grades according to actual conditions, such as nonfunctional, partial function, time bomb even self-destruction etc.FPGA is when disposing for the first time, and there are difference in the ID of storage and the ID of reality, reshuffles function so automatically start, ID in the memory is upgraded, then horse back executive program delete function is deleted configuration file 2 from config memory, and is forever irrecoverable.Even the unauthorized person has read the configurator in the module, also because losing of configuration file 2 can't be upgraded check code, thereby can not on other FPGA, use.If obtained the configuration file among the FPGA by other approach, oneself know because cryptographic algorithm only has the designer, and can't crack by the manual modification configuration file designer's safe design.Start ID verification design flow diagram is seen Fig. 8.
As shown in Figure 8, after power-on the FPGA by default performs the first configuration from address "0x00000000" (address 0). After the FPGA starts, it first reads the hardware ID, then reads the check code from memory; the check code is decrypted and compared with the ID. If they are consistent, normal functions are executed; otherwise the reconfigure command is started. After the FPGA reconfigures, the ID that was read is first encrypted and stored in the on-chip memory, and then configuration file 2 is erased.
The ID verification involves two processes: process P1 reads the check code from the on-chip memory and decrypts it; process P2 compares the decrypted ID with the ID read by process P1. The designer can select an encryption/decryption algorithm of moderate complexity according to the hardware resources remaining.
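As an added illustration (not the patent's own code) of the start-up ID verification and the one-time refresh of the check code described in section 5.1, the following constructed Python model walks through the first boot, a normal boot, and a copied flash image on an FPGA with a different ID. The ISF layout, the device IDs and the XOR keystream cipher are assumptions standing in for the designer's chosen algorithm.

```python
import hashlib

# Added example (not the patent's own code): a toy model of the start-up ID
# verification and one-time check-code refresh described in section 5.1.
# The ISF layout, the device IDs and the keystream cipher are constructed
# assumptions standing in for the designer's chosen algorithm.
DESIGN_KEY = b"designer-secret-key"  # constructed placeholder key

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream (encrypt == decrypt)."""
    ks = hashlib.sha256(key).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

class ISF:
    """In-system flash: runtime image, refresh image, and the check-code slot."""
    def __init__(self):
        self.config1 = b"<config file 1: mode codec, runs after the ID check>"
        self.config2 = b"<config file 2: refreshes the check code once>"
        self.check_code = b"\x00" * 4   # design-time value, bound to no device yet

    def copy(self):
        """What someone obtains by reading the whole flash out of a module."""
        dup = ISF()
        dup.config1, dup.config2, dup.check_code = self.config1, self.config2, self.check_code
        return dup

def boot(device_id: bytes, isf: ISF) -> str:
    """One power-on: P1 reads and decrypts the check code, P2 compares it with the ID."""
    if keystream_xor(DESIGN_KEY, isf.check_code) == device_id:
        return "normal"                      # ID verification passed
    if isf.config2 is None:
        return "nonfunctional"               # refresh image gone: cannot rebind
    # Reconfigure: encrypt the real ID into the check-code slot, then erase
    # configuration file 2 permanently so this refresh can happen exactly once.
    isf.check_code = keystream_xor(DESIGN_KEY, device_id)
    isf.config2 = None
    return "reconfigured"

def scenario() -> list:
    """Two boots on the legitimate device, then the copied flash on another device."""
    isf = ISF()
    results = [boot(b"ID-A", isf), boot(b"ID-A", isf)]
    moved = isf.copy()                       # flash image read out after binding
    results.append(boot(b"ID-B", moved))     # different FPGA ID, no refresh image
    moved.check_code = b"ID-B"               # plaintext edit without knowing the cipher
    results.append(boot(b"ID-B", moved))
    return results
```

The last two outcomes show why erasing configuration file 2 matters: without the refresh image the check code can never be rebound, and editing it by hand fails because the stored value must decrypt to the hardware ID.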
5.2 JTAG monitoring
After the start-up ID verification passes, the FPGA enters normal operating mode and at the same time starts the JTAG port listener. When an illegal control command is detected, the protection program starts: the FPGA automatically clears the configuration file in the internal memory and at the same time starts the reconfigure command. The JTAG monitoring design flow is shown in Figure 10.
JTAG is monitored in order to prevent unauthorized users from illegally modifying or stealing the configuration file and the important information stored in the memory, and to prevent reverse engineering. JTAG is a universal standard, but the designer can refer to the standard protocol and adopt a suitable security strategy for the security threats that the product may encounter. The strategy the FPGA takes is: while the FPGA is operating normally, any operation that appears on the JTAG port is regarded as a threat; the configuration file in the program memory is erased at once, and the operating state of the FPGA is refreshed by executing a restart.
The JTAG internal interface port mapping is as follows:
BSCAN_SPARTAN3A_inst : BSCAN_SPARTAN3A
port map (
CAPTURE => CAPTURE, -- CAPTURE output from TAP controller
DRCK1 => DRCK1, -- Data register output for USER1 functions
DRCK2 => DRCK2, -- Data register output for USER2 functions
RESET => RESET, -- Reset output from TAP controller
SEL1 => SEL1, -- USER1 active output
SEL2 => SEL2, -- USER2 active output
SHIFT => SHIFT, -- SHIFT output from TAP controller
TCK => TCK, -- TCK output from TAP controller
TDI => TDI, -- TDI output from TAP controller
TMS => TMS, -- TMS output from TAP controller
UPDATE => UPDATE, -- UPDATE output from TAP controller
TDO1 => TDO1, -- Data input for USER1 function
TDO2 => TDO2 -- Data input for USER2 function
);
To implement the security strategy the FPGA takes for JTAG, we only need to monitor the state of TDI and TMS: as long as the state of TDI or TMS changes, the JTAG port is considered to be under attack.
VHDL implementation:
process(sysclk)
begin
  if sysclk'event and sysclk='1' then
    -- TDI and TMS come from the BSCAN_SPARTAN3A instance above and are
    -- sampled on every system clock; *_temp holds the previous sample
    TDI_temp <= TDI;
    TMS_temp <= TMS;
    -- any change on TDI or TMS since the last sample is treated as an attack
    if TDI /= TDI_temp or TMS /= TMS_temp then
      ---- start-up routine erase command
      -- ... (erase sequence not shown in the original)
      ---- start reconfiguration
      -- ... (reconfigure sequence not shown in the original)
    end if;
  end if;
end process;
The present invention is not limited to the embodiments described above. The present invention extends to any new feature or any new combination disclosed in this specification, and to any new method or process step, or any new combination thereof, disclosed herein.

Claims (4)

1. A method for enhancing the security of a secondary radar FPGA, characterized in that: after the FPGA has loaded the configuration file, the hardware ID is first read, then the check code in the memory is read; the check code is decrypted and compared with the ID; if they are consistent, normal functions are executed, otherwise the reconfigure command is started; after the FPGA reconfigures, the ID that was read is first encrypted and stored in the ISF, and the configuration file used for reconfiguration is deleted; the FPGA receives the key using interrupt handling: after valid key information is received, the key information is first stored in the ISF, then read back again and returned for verification.
2. The method for enhancing the security of a secondary radar FPGA according to claim 1, characterized in that it further comprises the following step: after the ID verification passes, the JTAG port is monitored, and as soon as a security threat is detected, the FPGA starts the protection strategy.
3. The method for enhancing the security of a secondary radar FPGA according to claim 2, characterized in that: the protection strategy specifically consists of erasing the configuration file in the program memory and starting the reconfigure command to refresh the operating state of the FPGA.
4. The method for enhancing the security of a secondary radar FPGA according to claim 1, 2 or 3, characterized in that: the ID verification involves two processes: process P1 reads the check code from the ISF and decrypts it; process P2 compares the decrypted ID with the ID read by process P1.
CN201210491901.6A 2012-11-28 2012-11-28 A kind of method strengthening secondary radar FPGA fail safe Active CN103023647B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210491901.6A CN103023647B (en) 2012-11-28 2012-11-28 A kind of method strengthening secondary radar FPGA fail safe

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210491901.6A CN103023647B (en) 2012-11-28 2012-11-28 A kind of method strengthening secondary radar FPGA fail safe

Publications (2)

Publication Number Publication Date
CN103023647A true CN103023647A (en) 2013-04-03
CN103023647B CN103023647B (en) 2015-09-09

Family

ID=47971809

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210491901.6A Active CN103023647B (en) 2012-11-28 2012-11-28 A kind of method strengthening secondary radar FPGA fail safe

Country Status (1)

Country Link
CN (1) CN103023647B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant