**Speedster FPGAs** 



# Copyrights, Trademarks and Disclaimers

Copyright © 2020 Achronix Semiconductor Corporation. All rights reserved. Achronix, Speedcore, Speedster, and ACE are trademarks of Achronix Semiconductor Corporation in the U.S. and/or other countries. All other trademarks are the property of their respective owners. All specifications subject to change without notice.

NOTICE of DISCLAIMER: The information given in this document is believed to be accurate and reliable. However, Achronix Semiconductor Corporation does not give any representations or warranties as to the completeness or accuracy of such information and shall have no liability for the use of the information contained herein. Achronix Semiconductor Corporation reserves the right to make changes to this document and the information contained herein at any time and without notice. All Achronix trademarks, registered trademarks, disclaimers and patents are listed at http://www.achronix.com/legal.

#### Achronix Semiconductor Corporation

2903 Bunker Hill Lane Santa Clara, CA 95054 USA

Website: www.achronix.com E-mail : info@achronix.com

# **Table of Contents**

- Chapter - 1: Overview
- Chapter - 2: Interface Performance
- Chapter - 3: Configuration Modes for Speedster7t FPGAs
  - Configuration via CPU
  - Programming Data Ordering
  - Data Ordering In the ACE Output File
  - Configuration via Flash Memories
  - Flash Device Configurations
  - Addressing Modes and Memory Organization
  - Flash Programming Protocol
  - Flash Modes
  - Registers and Addressing
  - Configuration via JTAG
- Chapter - 4: Configuration Pin Tables
- Chapter - 5: FPGA Configuration Unit (FCU)
  - Features
  - FCU AXI Lite Master and Slave
  - CRC
- Chapter - 6: Configuration Sequence and Power-Up
- Chapter - 7: Partial Reconfiguration
  - Design considerations
- Chapter - 8: Remote Update
  - Introduction
  - Implementation
  - Fallback on Error
- Chapter - 9: Design Security for Speedster 7t FPGA
  - Bitstream Authentication
  - Bitstream Encryption
  - Generating Encrypted Bitstreams
  - Hardware Security
  - Security Fuses
  - Fuses Set at Manufacturing
  - Fuses Set By Customer
  - Default Keys
  - Loading Encrypted Bitstreams
- Revision History

# Chapter - 1: Overview

At startup, Speedster7t FPGAs require configuration by the end user via a bitstream. This bitstream can be programmed through one of four available interfaces in the FPGA configuration unit (FCU), the logic that controls the configuration process of the Speedster7t FPGA. The FCU is responsible for receiving data on a variety of core interfaces (depending on the selected programming mode), decoding instructions, and sending configuration bit values to the appropriate destination (core configuration memory, the core's boundary ring configuration memory, FCU registers, etc.). The FCU is also responsible for any core-level housekeeping that happens on reset de-assertion (e.g., clearing of configuration memory), for controlling the startup and shutdown sequences that drive resets to the rest of the core, and for CRC checks, SEU mitigation and security.

Data from the configuration pins is brought into the FCU located in the core's boundary logic. Depending on the configuration mode, this data passes through one of four interfaces and is then provided to the control logic and state machines in the FCU. At this point, the data bus is standardized to a common interface (configuration mode independent). This data is processed and propagated to the configuration registers in the core's boundary ring, to the core's configuration memory, or to the hard IP blocks in the FPGA's I/O ring.

Once all of the configuration bits are successfully loaded, the FCU transitions the Speedster7t FPGA into user mode, enabling the user to provide stimuli and enable operation.



# Chapter - 2: Interface Performance

The table below lists the various configuration interfaces supported by the Speedster7t FPGA and their corresponding maximum operating frequency.

**Table 1: Configuration Modes and Maximum Frequencies** 

| Configuration Mode | Maximum Frequency |
|--------------------|-------------------|
| JTAG               | 250 MHz           |
| CPU                | 250 MHz           |
| Serial flash       | 250 MHz           |

All of the programming modes and interfaces are capable of running up to 250 MHz at the configuration pins. The FCU and all associated circuitry are also capable of running up to 250 MHz. Since the internal data bus in the FCU is 128 bits wide, and in most configuration modes the data pin count is less than 128, the incoming data stream goes through a gearbox to reduce the throughput. This configuration ensures that the internal programming circuitry runs at less than 250 MHz to process the incoming data stream. In the widest data mode (CPU ×128), the gearbox is bypassed and the entire configuration interface can run at the full 250 MHz bandwidth. Depending on the mode and configuration data width, the total bandwidth varies, and the programming time changes accordingly.

# Chapter - 3: Configuration Modes for Speedster7t FPGAs

Speedster7t FPGAs support four configuration modes: Flash, JTAG, CPU and PCI Express. The selection between these modes is controlled by setting the FCU\_CONFIG\_MODESEL pins to the values shown in the table below. Both JTAG and PCIe modes are independent of the FCU\_CONFIG\_MODESEL pin setting and have to be enabled by sending FCU commands that set the appropriate bits in FCU register space. The JTAG mode can be enabled by writing to the user data register of the JTAG TAP controller and the PCI Express mode is enabled by writing to the PCIe mode enable register in the FCU address space. JTAG mode overrides all other configuration modes until disabled.

| Configuration Mode       | Data Width         | FCU_CONFIG_MODESEL[3:0] | FCU_CONFIG_SYSCLK_BYPASS <sup>(3)</sup> | FCU_CONFIG_CLKSEL <sup>(3)</sup> |
|--------------------------|--------------------|-------------------------|-----------------------------------------|----------------------------------|
| JTAG <sup>(1)</sup>      | -                  | XXXX <sup>(2)</sup>     | X                                       | 1                                |
| PCIe                     | -                  | XXXX                    | X                                       | 0                                |
| NoOp                     | -                  | 0000                    | X                                       | X                                |
| Flash single device (1D) | 1 (SPI)            | 0001                    | 0/1                                     | 0                                |
| Flash single device (1D) | 2 (Dual)           | 1000                    | 0/1                                     | 0                                |
| Flash single device (1D) | 4 (Quad)           | 1010                    | 0/1                                     | 0                                |
| Flash single device (1D) | 8 (Octa)           | 1100                    | 0/1                                     | 0                                |
| Flash four devices (4D)  | 1 (SPI)            | 0010                    | 0/1                                     | 0                                |
| Flash four devices (4D)  | 2 (Dual)           | 1001                    | 0/1                                     | 0                                |
| Flash four devices (4D)  | 4 (Quad)           | 1011                    | 0/1                                     | 0                                |
| Flash four devices (4D)  | 8 (Octa)           | 1101                    | 0/1                                     | 0                                |
| CPU                      | 1                  | 0011                    | 1                                       | 0                                |
| CPU                      | 8                  | 0100                    | 1                                       | 0                                |
| CPU                      | 16                 | 0101                    | 1                                       | 0                                |
| CPU                      | 32                 | 0110                    | 1                                       | 0                                |
| CPU                      | 128 <sup>(4)</sup> | 0111                    | 1                                       | 0                                |

#### Table 2: Pin Settings for Various Configuration Modes

#### Table Notes

1. Always active. Enabled in the JTAG TAP controller.
2. If FCU\_CONFIG\_MODESEL[3:0] pins are set such that flash or CPU configuration mode is selected, then the override should be issued after flash programming has completed or the CPU mode interface is inactive.
3. These straps select the configuration clock source.

| FCU_CONFIG_SYSCLK_BYPASS | Clock Selected           |
|--------------------------|--------------------------|
| 0                        | On-chip oscillator clock |
| 1                        | FCU_CPU_CLK              |

# Configuration via CPU

In CPU configuration mode, an external CPU acts as the master controlling the programming operations to the Speedster7t FPGA and offers a high-speed method for loading configuration data. Depending on the setting of the FCU\_CONFIG\_MODESEL pins, the CPU mode can be a 1-, 8-, 16-, 32- or 128-bit wide parallel interface, clocked using FCU\_CPU\_CLK, with chip select support to indicate valid data. This mode is the fastest programming mode as it provides the widest data interface and a maximum supported clock rate of 250 MHz.



#### Figure 2: External CPU Connectivity to a Speedster7t FPGA

#### Note

The CPU master needs only to connect to the first 1, 8, 16 or 32 bits of FCU\_CPU\_DQ\_IN\_OUT, depending on the CPU mode selected. All unused signals should be tied to ground.

As described in the Configuration Sequence and Power-Up chapter, the configuration mode-specific operations occur between the release of FCU\_CONFIG\_STATUS (indicating that the configuration memory has been cleared and that the Speedster7t FPGA is ready to accept bitstream data) and the assertion of FCU\_CONFIG\_DONE (stating completion of configuration). The example waveform below for CPU×8 mode illustrates the sequence of events, clocking and control signal states needed for successful configuration in CPU mode:

1. After FCU\_CPU\_RSTN is de-asserted, FCU\_CPU\_CLK must continue to cycle to ensure that the FPGA cycles through the FCU states and the configuration memory is cleared. At that point, FCU\_CONFIG\_STATUS is driven high.
2. After at least 5 clock cycles of FCU\_CONFIG\_STATUS being driven high, FCU\_CPU\_CSN must be pulled low to begin writing the bitstream data into the Speedster FPGA. When the last set of data is written into the Speedster7t FPGA, FCU\_CPU\_CSN is pulled back high.
3. Once FCU\_CPU\_CSN is pulled high, FCU\_CPU\_CLK needs to continue being clocked. Once the FCU cycles through all of the configuration states, FCU\_CONFIG\_DONE is driven high to indicate that the Speedster7t FPGA was successfully programmed.
4. As the FCU\_CPU\_CLK toggles, the FCU cycles through its states to move the Speedster7t FPGA from programming mode into user mode, taking the fabric out of reset and performing operations to enable user-mode functionality for all parts of the core. The FCU\_CONFIG\_USER\_MODE signal is asserted to indicate when the Speedster7t FPGA has successfully transitioned into user mode.

At any point during the configuration, if FCU\_CPU\_CSN is asserted low, then the bus FCU\_CPU\_DQ\_IN\_OUT should have valid data or NOPs. If FCU\_CPU\_CSN is high, the data on FCU\_CPU\_DQ\_IN\_OUT is ignored. Once the bitstream is programmed, FCU\_CPU\_CSN can be held low while sending NOPs to the Speedster7t FPGA. This action will not affect the assertion of the FCU\_CONFIG\_DONE or FCU\_CONFIG\_USER\_MODE signals.



Figure 3: Clocking and Control Signals for Successful Configuration

### Programming Data Ordering

In Speedster7t FPGAs, the configuration memory data bus is 128 bits wide, but the command and FCU register buses are 32 bits wide. Data transmission occurs MSB to LSB at both the byte and 32-bit packet levels. Commands are executed 32 bits at a time, but the data register is 128 bits wide and requires that four sets of 32-bit packets be transmitted. At the 128-bit full payload level, the data transmission needs to occur in the following order: i3, i2, i1, i0, where ix is a 32-bit packet. The FCU then executes the instructions in the sequence i0, i1, i2 and then i3, so the packet transmitted last is executed first.

This structure makes the bitstream programming implementation very uniform for CPU×1, CPU×8, CPU×16 and CPU×32 modes. The various potential data orders are illustrated in the example waveforms below, each showing the transmission of the same bitstream contents in the five different CPU widths.

#### Note

The figures in this section are to show methodologies and generalized scenarios. For detailed waveforms for specific commands, refer to the respective section in FCU Command List. Also, the JTAG ID values in the waveforms below are indicative and not specific to a device.

#### CPU×32

As shown in the waveform below, a command is issued on each clock cycle in CPU×32 mode:

- The first 128-bit payload shows that the order of loading is NOP, Instance ID, JTAG ID and then Sync, with each 32-bit packet transmitted MSB to LSB. However, as indicated above, the sequence in which these are processed by the FCU is Sync, JTAG ID, Instance ID and finally NOP.
- The second 128-bit payload operates the same way: the write command is transmitted first, followed by three NOPs, but execution occurs in the reverse order, with the write command being executed last. Also, when a write or read command is issued, it needs to be the last 32-bit FCU command in the 128-bit sequence. This requirement is because the FCU expects data input or provides data output immediately following the write and read operations respectively.
- Once the write command has been issued for a particular frame, subsequent clocks have CMEM frame data transmitted on every clock, again in 128-bit payload sets.

The signal FCU\_CPU\_CSN must be held low during the entire time when FCU commands are being issued for write operations. If FCU\_CPU\_CSN is driven high during the (128/CPU\_data\_width) continuous clock cycles of one request, that request is discarded. Once the FCU\_CPU\_CSN signal returns low, the next request is handled normally.



Figure 4: Bitstream Programming in CPU×32 Mode

#### CPU×16

CPU×16 mode is very similar to CPU×32 mode. The only difference is that 16 bits of data are transmitted on each FCU clock cycle, i.e., each FCU command is transmitted over two FCU clock cycles, MSB to LSB (as shown in the waveform below).



Figure 5: Bitstream Programming in CPU×16 Mode

#### CPU×8

CPU×8 mode follows along the lines of CPU×16 and CPU×32 modes, with each FCU command requiring four FCU clock cycles for transmission, MSB to LSB, as detailed in the waveform below.



Figure 6: Bitstream Programming in CPU×8 Mode

#### CPU×1

In CPU×1 mode, a single bit of the FCU command (or write data) is transmitted on each FCU clock cycle, MSB to LSB, for a 32-bit packet, but in reverse order for the 128-bit payload as described in the other CPU width modes. The waveform below shows these details.
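The ordering rules above for all five CPU widths, as an added example that is not part of the original guide: it packs four 32-bit packets given in execution order into one 128-bit payload, splits it into bus beats, and rebuilds the execution order on the receiving side. The function names and the 32-bit command values are hypothetical placeholders, not real FCU opcodes.

```python
"""CPU-mode wire ordering for FCU packets (added example).

All 32-bit command values are constructed placeholders, not real FCU opcodes.
"""

PACKET_BITS = 32
PAYLOAD_BITS = 128
CPU_WIDTHS = (1, 8, 16, 32, 128)

# Constructed placeholder encodings, for illustration only.
NOP = 0x00000000
SYNC = 0x5A5A0001
JTAG_ID = 0x1D000002
INSTANCE_ID = 0x1A000003
WRITE_CMD = 0xC0000004


def pack_payload(exec_order):
    """Return the 128-bit payload for four packets given in execution order.

    exec_order[0] is i0 (executed first) and lands in the low 32 bits;
    exec_order[3] is i3 and lands in the high 32 bits, so it is sent first.
    """
    if len(exec_order) != 4:
        raise ValueError("a payload holds exactly four 32-bit packets")
    payload = 0
    for index, packet in enumerate(exec_order):
        if not 0 <= packet < (1 << PACKET_BITS):
            raise ValueError(f"packet i{index} does not fit in 32 bits")
        payload |= packet << (PACKET_BITS * index)
    return payload


def check_data_command_position(exec_order, data_commands):
    """A read or write command may only sit in i3, the last packet executed."""
    return all(packet not in data_commands for packet in exec_order[:3])


def beats(payload, width):
    """Split one payload into 128/width bus beats, most significant first."""
    if width not in CPU_WIDTHS:
        raise ValueError(f"unsupported CPU data width: {width}")
    mask = (1 << width) - 1
    count = PAYLOAD_BITS // width
    return [(payload >> (PAYLOAD_BITS - width * (n + 1))) & mask
            for n in range(count)]


def execution_order(beat_list, width):
    """Rebuild the payload from received beats and return [i0, i1, i2, i3]."""
    if width not in CPU_WIDTHS or len(beat_list) != PAYLOAD_BITS // width:
        # Mirrors the rule that a request cut short by chip select is discarded.
        raise ValueError("incomplete request: expected 128/width beats")
    payload = 0
    for beat in beat_list:
        payload = (payload << width) | beat
    return [(payload >> (PACKET_BITS * i)) & 0xFFFFFFFF for i in range(4)]


if __name__ == "__main__":
    header = [SYNC, JTAG_ID, INSTANCE_ID, NOP]   # execution order i0..i3
    write = [NOP, NOP, NOP, WRITE_CMD]           # write command executes last
    for width in CPU_WIDTHS:
        for exec_order in (header, write):
            assert check_data_command_position(exec_order, {WRITE_CMD})
            wire = beats(pack_payload(exec_order), width)
            digits = max(1, width // 4)
            print(f"x{width:<3}", " ".join(f"{b:0{digits}X}" for b in wire))
```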



### Data Ordering In the ACE Output File

The programming files generated by ACE list the FCU commands/data in the exact same transmission order as shown in the waveforms above. The code snippets below highlight this ordering in the CPU×32 and CPU×128 modes.

#### CPU×32 ACE Programming File Snippet

```
NOP
Instance ID
JTAG ID
Sync
Write Cmd
NOP
NOP
Write Data
Write Data
....
```

#### CPU×128 ACE Programming File Snippet

```
{NOP, Instance ID, JTAG ID, Sync}
{NOP, NOP, NOP, NOP}
{NOP, NOP, NOP, NOP}
{NOP, NOP, NOP, NOP}
{Write Cmd, NOP, NOP, NOP}
{NOP, NOP, NOP, NOP}
{NOP, NOP, NOP, NOP}
{NOP, NOP, NOP, NOP}
{Write Data, Write Data, Write Data, Write Data}
```

### **Configuration via Flash Memories**

#### Caution!

Speedster7t devices can interface to serial NOR flash devices only. Parallel NOR, NAND or other flash variants are *not* supported.

Flash programming mode allows flash memories to be used to configure Speedster7t devices. In this mode the FPGA is the master, and therefore, supplies the clock to the flash memory.

The clock supplied from the FPGA (on the FCU\_FLASH\_SCK pin) to the attached flash device(s) can be driven by the FCU\_CPU\_CLK or the on-chip oscillator clock, depending on the configuration options selected as described in Configuration Modes for Speedster7t FPGAs. The frequency of this clock can be selected from one of four variants of the clock sources arriving at the FCU: the original (divide-by-1), divide-by-2, divide-by-4 or divide-by-8. This selection is configured using the 'Serial Flash Clock Divider' drop-down menu in the 'Bitstream Generation Implementation Options' section of the ACE GUI. This setting ensures that only the flash state machine runs at the slower frequency. All other FCU and ACB circuitry will still operate at the original input clock frequency.

#### Notes

At power-on, the device defaults to divide-by-4 setting. The FCU then sets the appropriate configuration register to control the clock divider based on the user selection in ACE. The transition from a divide-by-4 clock to any other selected clock frequency is glitch-free.

### Flash Device Configurations

Speedster7t FPGAs support two flash device configurations, single flash device (1D) and four flash devices (4D).

#### **1D Configuration**

The 1D programming configuration is composed of a Speedster7t FPGA acting as the master and communicating with a single flash device. The signal o\_flash\_sck is used for clocking, o\_flash\_sdi is the data output from the FPGA to communicate instructions to the flash device, and i\_flash\_sdo[0] is the single-bit FPGA input pin which receives the bitstream from the flash in ×1 mode. The signal o\_flash\_csn[0] is pulled low as soon as communication between the FPGA and flash device begins, and stays low during the valid bitstream window.

The FPGA can communicate with the flash device in SPI, Dual, Quad or Octa modes in 1D configuration.

The figure below provides a block diagram of how a serial flash device can be connected to a Speedster7t FPGA and a SPI header for programming in ×1 mode.





#### **4D Configuration**

Serial 4D flash programming mode is essentially an enhanced and higher bandwidth implementation of the serial flash 1D configuration. The FPGA is again the master, and interfaces with not one but four flash memory devices to increase the data bandwidth four times.

When writing to the four flash memories, the four-channel multiplexer must ensure that o\_flash\_csn[3:0] is asserted for only a single flash memory at any given time. Through the SPI header, data is written to each flash device in sequence. When reading from the four flash memories, the FPGA pulls all of the o\_flash\_csn[3:0] signals low. Four-wide configuration data is read from the flash memories and transferred to the FPGA through the i\_flash\_sdo ports. Once bitstream operations are complete (flash memory contents are read), transitioning from the end of the bitstream to user mode is done the same way as in CPU and flash 1D modes.

Each flash device can operate in SPI, Dual, Quad or Octa modes. The figure below provides a block diagram of how four flash memories can be connected to a Speedster7t FPGA in a 4D configuration.





Figure 9: Speedster7t 4D Flash Programming Configuration

### Addressing Modes and Memory Organization

Addressing modes for the flash memory are based on the size of the device. A three-byte addressing mode is required for 128 Mb flash and smaller and a four-byte addressing mode is required to support memory sizes above 128 Mb. Writes to the flash memory are done as pages, with each page consisting of 256 bytes. The figure below shows the memory organization:



#### **Address Range**

The table below shows the address ranges when two images are stored on a single flash device, assuming that each image is 1 Gb in size.

| Address Range (32 bits)    | Description | Configuration Details |
|----------------------------|-------------|-----------------------|
| 0x0000_0000 to 0x0000_00FF | Page-0 address space. This range contains header information described in the flash configuration header section. This address range cannot be used for storing actual bitstreams. | These addresses are not configurable by the user. |
| 0x0000_0100 to 0x0800_00FF | FPGA image 1 address space. | The start address can be configured by the user via the current/fallback address in page-0 header. This example assumes the address starts at 0x0000_1000 for a 1 Gb bitstream. |
| 0x0800_0100 to 0x1000_00FF | FPGA image 2 address space. | The start address can be configured by the user via the current/fallback address in page-0 header. This example assumes the bitstream starts at address 0x0800_0100. |

#### Flash Configuration Header (Page-0 Header)

The first 256 bytes in the flash memory (page 0) store control information that describes how the subsequent bitstream should be read from the flash device. This information can be written to the flash device in two ways:

- Via the JTAG interface along with the bitstream.
- Pre-programmed into the device by the manufacturer.

This space is not used for storing device bitstream.

#### Table 4: Page-0 Header Format

| Address      | Bits | Value                                     | Description |
|--------------|------|-------------------------------------------|-------------|
| 0x0 to 0x3   | 32   | Read command                              |             |
| 0x4 to 0x7   | 32   | Flash configuration header read count     |             |
| 0x8 to 0xB   | 32   | Bitstream read control                    | bit 0 – Flash read enable<br>bit 1 – Flash fall back enable<br>bit [7:2] – Retry count<br>bit [21:8] – Timeout count<br>bit 22 – Enable 4-byte addressing<br>bit [27:23] – Dummy read cycles<br>bit [31:28] – Flash SCK div count |
| 0xC to 0xF   | 32   | Bitstream read address (new image)        |             |
| 0x10 to 0x13 | 32   | Bitstream fallback address (golden image) |             |
| 0x14 to 0x17 | 32   | Fallback read command                     |             |
| 0x18 to 0x20 | 24   | Reserved                                  |             |
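A decoder for the page-0 header in Table 4, with checks drawn from the addressing rules above, as an added example that is not part of the original guide or of any Achronix tool. It assumes each 32-bit field is stored most significant byte first (the guide does not state the byte order); the function names, finding codes and sample header values are constructed for illustration.

```python
"""Page-0 flash configuration header decoder (added example).

Assumption: each 32-bit field is stored most significant byte first.
"""
import struct
from dataclasses import dataclass

PAGE0_END = 0x0000_00FF       # last byte of the page-0 header space
THREE_BYTE_MAX = 0x00FF_FFFF  # highest address a 3-byte address can carry


@dataclass(frozen=True)
class Page0Header:
    read_command: int
    header_read_count: int
    read_enable: bool
    fallback_enable: bool
    retry_count: int
    timeout_count: int
    four_byte_addressing: bool
    dummy_read_cycles: int
    sck_div_count: int
    image_address: int
    fallback_address: int
    fallback_read_command: int


def field(word, high, low):
    """Extract bits [high:low] of a 32-bit word."""
    return (word >> low) & ((1 << (high - low + 1)) - 1)


def parse_page0(page):
    """Decode offsets 0x0 to 0x17 of page 0 (Table 4)."""
    if len(page) < 0x18:
        raise ValueError("page 0 is truncated")
    read_cmd, count, ctrl, image, fallback, fb_cmd = struct.unpack_from(">6I", page)
    return Page0Header(
        read_command=read_cmd,
        header_read_count=count,
        read_enable=bool(field(ctrl, 0, 0)),
        fallback_enable=bool(field(ctrl, 1, 1)),
        retry_count=field(ctrl, 7, 2),
        timeout_count=field(ctrl, 21, 8),
        four_byte_addressing=bool(field(ctrl, 22, 22)),
        dummy_read_cycles=field(ctrl, 27, 23),
        sck_div_count=field(ctrl, 31, 28),
        image_address=image,
        fallback_address=fallback,
        fallback_read_command=fb_cmd,
    )


def audit(header):
    """Return findings for settings that defeat loading or fallback."""
    findings = []
    if not header.read_enable:
        findings.append("READ_DISABLED: flash read enable (bit 0) is clear")
    if not header.fallback_enable:
        findings.append("NO_FALLBACK: loading is abandoned once retries run out")
    addresses = [("image", header.image_address)]
    if header.fallback_enable:
        addresses.append(("fallback", header.fallback_address))
    for name, address in addresses:
        if address <= PAGE0_END:
            findings.append(f"PAGE0_OVERLAP: {name} address 0x{address:08X} is inside page 0")
        if address > THREE_BYTE_MAX and not header.four_byte_addressing:
            findings.append(f"ADDR_WIDTH: {name} address 0x{address:08X} needs 4-byte addressing")
    if header.fallback_enable and header.fallback_address == header.image_address:
        findings.append("SAME_IMAGE: fallback address equals the new image address")
    return findings


def build_page0(ctrl, image, fallback, read_cmd=0, fb_cmd=0, count=0):
    """Construct a 256-byte page 0 for the samples below (values are made up)."""
    body = struct.pack(">6I", read_cmd, count, ctrl, image, fallback, fb_cmd)
    return body.ljust(256, b"\xFF")


# Constructed samples. Good: read and fallback enabled, 3 retries, timeout 1000,
# 4-byte addressing, 8 dummy cycles, SCK div count 2.
GOOD_PAGE0 = build_page0(
    ctrl=1 | 1 << 1 | 3 << 2 | 1000 << 8 | 1 << 22 | 8 << 23 | 2 << 28,
    image=0x0800_0100, fallback=0x0000_0100)
# Bad: 3-byte addressing with a high image address, fallback inside page 0.
BAD_PAGE0 = build_page0(ctrl=1 | 1 << 1 | 3 << 2,
                        image=0x0800_0100, fallback=0x0000_0080)

if __name__ == "__main__":
    for label, page in (("good", GOOD_PAGE0), ("bad", BAD_PAGE0)):
        print(label, audit(parse_page0(page)) or "no findings")
```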

### Flash Programming Protocol

With the FCU\_CONFIG\_MODESEL[3:0], FCU\_CONFIG\_CLKSEL and FCU\_CONFIG\_SYSCLK\_BYPASS straps set for serial flash programming, operations begin as soon as the FPGA is powered up and the FCU receives the clock input.

Immediately after reset is released, bitstream data is read out from the flash device through the flash interface (at this time the default is SPI (×1) mode). The bitstream read is done in two stages, as described below:

- Stage-1: Flash configuration header read from flash device.
  - The FCU sends a default read command and address of 0x0000\_0000 (32 bits) in SPI mode to the flash device and reads the flash configuration header.
  - Internal registers are then updated, including the start address for the bitstream and flash read command.
- Stage-2: Bitstream read from flash device.
  - Based on the read mode (×1/×2/×4/×8) obtained from the flash configuration header, the command and start address are sent to the flash device.
  - The FCU reads the first 512 bits of bitstream data from flash device and enters a wait state.
  - If encryption is not enabled, the FCU reads the complete bitstream and configures the FPGA. If encryption is enabled and the efuse key is ready, the FCU reads the header segment0 data and sends it to the secure boot core. The flash read state machine now waits for 2.6 ms after which the FCU reads the complete bitstream and configures the FPGA.

Bitstream programming in all configuration modes is MSB to LSB. For transmitting a 32-bit FCU command, the ordering in the serial ×1 mode for 1D and 4D configuration is as follows:

- 1D flash configuration: The flash device transmits command bit 31 on the first clock and bits 30, 29, 28, etc. on subsequent clocks all the way down to bit 0 on the 32<sup>nd</sup> (last) clock.
- 4D flash configuration: The four flash devices transmit command bits [31:28] on the first clock, all the way down to bits [3:0] on the eighth (last) clock. The ordering within the 4-bit nibble corresponds to the flash device ordering. In other words, on the first clock, flash[3] transmits bit 31, flash[2] transmits bit 30, flash[1] transmits bit 29 and flash[0] transmits bit 28.
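The 4D ordering above, as an added example that is not part of the original guide: it splits a bitstream into the four per-device images for SPI (×1) reads and merges them back. It assumes each flash device shifts out its stored bytes most significant bit first; the function names are hypothetical and the Dual, Quad and Octa 4D modes are not covered.

```python
"""4D serial-flash striping in SPI (x1) mode (added example).

Assumption: each flash device shifts out its stored bytes MSB first.
"""

DEVICES = 4
WORD_BYTES = 4        # one 32-bit FCU packet
CLOCKS_PER_WORD = 8   # four bits arrive per clock, one from each device


def stripe_4d(bitstream):
    """Split an MSB-first bitstream into one image per flash device.

    Returns a list indexed by device number: images[3] holds the bits that
    flash[3] transmits (bits 31, 27, 23, ... of every 32-bit packet).
    """
    if len(bitstream) % WORD_BYTES:
        raise ValueError("bitstream length must be a multiple of 4 bytes")
    images = [bytearray() for _ in range(DEVICES)]
    for offset in range(0, len(bitstream), WORD_BYTES):
        word = int.from_bytes(bitstream[offset:offset + WORD_BYTES], "big")
        lanes = [0] * DEVICES
        for clock in range(CLOCKS_PER_WORD):
            # Clock 0 carries bits [31:28], clock 7 carries bits [3:0].
            nibble = (word >> (28 - 4 * clock)) & 0xF
            for device in range(DEVICES):
                lanes[device] = (lanes[device] << 1) | ((nibble >> device) & 1)
        for device in range(DEVICES):
            images[device].append(lanes[device])
    return [bytes(image) for image in images]


def merge_4d(images):
    """Rebuild the bitstream the FPGA sees when all four devices are read."""
    if len(images) != DEVICES or len({len(image) for image in images}) != 1:
        raise ValueError("expected four device images of equal length")
    out = bytearray()
    for lane_bytes in zip(*images):
        word = 0
        for clock in range(CLOCKS_PER_WORD):
            nibble = 0
            for device in range(DEVICES):
                bit = (lane_bytes[device] >> (7 - clock)) & 1
                nibble |= bit << device
            word = (word << 4) | nibble
        out += word.to_bytes(WORD_BYTES, "big")
    return bytes(out)


if __name__ == "__main__":
    sample = bytes.fromhex("12345678")  # constructed 32-bit packet
    for device, image in enumerate(stripe_4d(sample)):
        print(f"flash[{device}] = {image.hex().upper()}")
```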

#### **Error Fallback**

The 'Error Fallback' feature gives the FCU instructions to follow in the event of a failure during bitstream loading. Such a failure can occur in the following scenarios:

- No IDCODE match after timeout expires
- CRC error after timeout expires

If any of these checks fail, loading is retried N times (as specified in the bitstream read control register in the flash configuration header). If failures persist and a fallback bitstream is enabled by the user, a fast read is issued to the fallback address. If no fallback bitstream is enabled, the FCU abandons the bitstream loading operation.

# Flash Modes

The following section describes the modes supported for read and write operations to and from the flash device. Read operations from the flash device can be configured as SPI, Quad or Octa mode for both 1D and 4D configurations, while write operations to the flash device are always done in SPI mode.

#### Note

A flash write can be performed by the user in either JTAG mode or PCIe mode. PCIe or JTAG can access the data and command registers through indirect addressing.

The following table describes the different combinations of the flash device configurations and modes supported in Speedster7t FPGA.

| Flash programming mode<br>/configuration | Flash<br>interface<br>width | No of flash<br>devices | Write width<br>SO[0] pin x No of<br>Flash device | Read Width<br>SO[n:0] x No of<br>Flash device |
|------------------------------------------|-----------------------------|------------------------|--------------------------------------------------|-----------------------------------------------|
| SPI x1 (1D)                              | 1                           | 1                      | 1                                                | 1                                             |
| SPI x1 (4D)                              | 1                           | 4                      | 4                                                | 4                                             |
| Quad x4 (1D)                             | 4                           | 1                      | 1                                                | 4                                             |
| Quad x4 (4D)                             | 4                           | 4                      | 4                                                | 16                                            |
| Octa x8 (1D)                             | 8                           | 1                      | 1                                                | 8                                             |
| Octa x8 (4D)                             | 8                           | 4                      | 4                                                | 32                                            |

Read operation timing diagrams for each of the modes are shown below:

#### SPI Mode (×1)



#### Quad Mode (x4)






#### Figure 16: Octa Mode (×8) Read

### **Registers and Addressing**

#### Table 5: Flash Controller Register Map

| Register Name                             | Address | Description                           |
|-------------------------------------------|---------|---------------------------------------|
| Flash write control register              | 0x1038  | Flash write control register          |
| Flash write count                         | 0x1048  | Flash write count register            |
| Flash write configuration register        | 0x1050  | Flash configuration register          |
| Flash write status                        | 0x1060  | Flash status register                 |
| Flash write data1                         | 0x1040  | Flash write data register             |
| Flash write data2                         | 0x11d4  | Flash write data register             |
| Flash write data3                         | 0x11d8  | Flash write data register             |
| Flash write data4                         | 0x1044  | Flash write data register             |
| Flash current bitstream current address   | 0x12bc  | Flash bitstream read current address  |
| Flash fallback bitstream fallback address | 0x12b8  | Flash bitstream read fallback address |
| Flash write command 1                     | 0x103c  | Flash command register                |
| Flash write command 2                     | 0x104c  | Flash command register                |
| Flash write command 3                     | 0x1054  | Flash command register                |
| Flash write command 4                     | 0x1058  | Flash command register                |

#### Table 6: Flash Write Control Register

| Register Field                 | Bit<br>Position | Type | Reset<br>value | Description                                                                                 |
|--------------------------------|-----------------|------|----------------|---------------------------------------------------------------------------------------------|
| Flash write enable             | 0               | RW   | 0x0            | Initiate the flash write operation.                                                         |
| Flash write clock<br>div count | 4:1             | RW   | 0x1            | Clock divider. Defaults to 4'b0001 (divide-by-2 clock), which is required for JTAG mode.    |
| Flash write stop               | 5               | RW   | 0x0            | Suspend the current operation.                                                              |
| Flash write wait               | 6               | RW   | 0x0            | Flash wait operation.                                                                       |
| Flash write ×1<br>mode         | 7               | RW   | 0x0            | Flash write in SPI ×1 device mode.                                                          |
| Flash write ×4<br>mode         | 8               | RW   | 0x0            | Flash write in SPI ×4 device mode.                                                          |
| Reserved                       | 31:9            | RW   | 0x0            | Reserved.                                                                                   |

#### Table 7: Flash Write Configuration Register

| Register<br>Field                  | Bit<br>Position | Type                   | Reset<br>Value | Description                                                                                                                                                                                     |
|------------------------------------|-----------------|------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Flash<br>write data<br>valid       | 0               | RW<br>[Write on clear] | 0x0            | Write data valid. Indicates to the flash interface when data is written to the flash write register. Cleared when the flash interface reads the data and writes it into the internal registers. |
| Flash<br>write<br>command<br>valid | 1               | RW                     | 0x0            | Flash write command valid.                                                                                                                                                                      |
| Flash<br>write<br>command<br>count | 8:2             | RW                     | 0x8            | Write command count in number of bits.                                                                                                                                                          |
| Flash<br>write data<br>count       | 15:9            | RW                     | 0x127          | Write data count in number of bits.                                                                                                                                                             |
| Flash<br>write data<br>request     | 16              | R                      | 0x1            | Request write data. PCIe should poll this bit; it is cleared once data is shifted to the internal registers.                                                                                    |

#### Table 8: Flash Write Status

| Register Field             | Bit Position | Type | Reset Value | Description                                  |
|----------------------------|--------------|------|-------------|----------------------------------------------|
| Flash write error          | 0            | RO   | 0x0         | Flash write error, flags flash device status |
| Flash read error           | 1            | RO   | 0x0         | Flash read error, CRC error                  |
| Flash write done           | 2            | RO   | 0x0         | Flash write is complete                      |
| Flash read done            | 3            | RO   | 0x0         | Flash read is complete                       |
| Flash state machine status | 8:4          | RO   | 0x0         | Write state machine status                   |
| Reserved                   | 31:9         | RO   | 0x0         | Reserved                                     |
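The bit positions in Tables 6 through 8 can be packed and checked on the host side before a value is written, or after a status word is read, through JTAG or PCIe. The following is an added example, not Achronix code; the field and function names are hypothetical, the raw values are constructed, and the register access itself is out of scope.

```python
"""Pack and check flash controller register values from Tables 5 to 8."""
from typing import Dict, List, NamedTuple


class Field(NamedTuple):
    msb: int
    lsb: int
    writable: bool

    @property
    def mask(self) -> int:
        return (1 << (self.msb - self.lsb + 1)) - 1


# Register addresses as listed in Table 5.
FLASH_WRITE_CONTROL_ADDR = 0x1038
FLASH_WRITE_CONFIG_ADDR = 0x1050
FLASH_WRITE_STATUS_ADDR = 0x1060

WRITE_CONTROL = {                       # Table 6
    "write_enable": Field(0, 0, True),
    "clock_div_count": Field(4, 1, True),
    "write_stop": Field(5, 5, True),
    "write_wait": Field(6, 6, True),
    "x1_mode": Field(7, 7, True),
    "x4_mode": Field(8, 8, True),
}
WRITE_CONFIG = {                        # Table 7
    "data_valid": Field(0, 0, True),
    "command_valid": Field(1, 1, True),
    "command_count": Field(8, 2, True),
    "data_count": Field(15, 9, True),
    "data_request": Field(16, 16, False),   # type R: polled, never written
}
WRITE_STATUS = {                        # Table 8, all fields read-only
    "write_error": Field(0, 0, False),
    "read_error": Field(1, 1, False),
    "write_done": Field(2, 2, False),
    "read_done": Field(3, 3, False),
    "state_machine": Field(8, 4, False),
}


def encode(layout: Dict[str, Field], **values: int) -> int:
    """Pack field values into a 32-bit word, refusing read-only or oversized fields."""
    raw = 0
    for name, value in values.items():
        if name not in layout:
            raise KeyError(f"unknown field {name!r}")
        field = layout[name]
        if not field.writable:
            raise ValueError(f"{name} is read-only")
        if not 0 <= value <= field.mask:
            raise ValueError(f"{name}={value} does not fit bits {field.msb}:{field.lsb}")
        raw |= value << field.lsb
    return raw


def decode(layout: Dict[str, Field], raw: int) -> Dict[str, int]:
    return {name: (raw >> f.lsb) & f.mask for name, f in layout.items()}


def reserved_bits(layout: Dict[str, Field], raw: int) -> int:
    """Bits set in raw that the table does not define."""
    defined = 0
    for f in layout.values():
        defined |= f.mask << f.lsb
    return raw & ~defined & 0xFFFFFFFF


def check_write_status(raw: int) -> List[str]:
    """Return the reasons a status word does not show a clean, completed write."""
    status = decode(WRITE_STATUS, raw)
    problems = []
    stray = reserved_bits(WRITE_STATUS, raw)
    if stray:
        problems.append(f"reserved bits set: {stray:#x}")
    if status["write_error"]:
        problems.append("flash write error flagged")
    if status["read_error"]:
        problems.append("flash read error (CRC) flagged")
    if not status["write_done"]:
        problems.append(f"write not complete, state machine status {status['state_machine']:#x}")
    return problems


if __name__ == "__main__":
    control = encode(WRITE_CONTROL, write_enable=1, clock_div_count=1, x1_mode=1)
    print(f"{FLASH_WRITE_CONTROL_ADDR:#06x} <- {control:#x}")
    print(check_write_status(0x1))      # constructed status word
```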

# Configuration via JTAG

The Speedster7t JTAG TAP controller is compliant with IEEE Std 1149.1 and is used for programming the bitstream and for debug via Snapshot in ACE. The JTAG\_TMS and JTAG\_TCK inputs determine whether an instruction register scan or data register scan is performed. JTAG\_TMS and JTAG\_TDI are sampled on the rising edge of JTAG\_TCK, while JTAG\_TDO changes on the falling edge. JTAG configuration and operation mode is independent of FCU\_CONFIG\_MODESEL settings.

The JTAG implementation in Speedster7t FPGAs, which allows for bitstream programming as well as real-time in-system control and observation, is composed of the blocks shown in the figure below.

The external interface is a standard 5-pin JTAG interface, connected directly to the JTAG TAP controller. The TAP controller operates independently from the Speedster7t FPGA FCU. It is always active and uses JTAG\_TCK for clocking. The TAP controller takes the data from the pins and converts it to DR instructions to communicate to the JTAG logic in the FCU. It also takes in data in the form of load/read requests, translating it to the appropriate signals to drive and expect on the JTAG pins.

The JTAG logic in the FCU uses these DR instructions and generates input data in the standard 128-bit Speedster7t FPGA frame size format, along with a data valid indicator, to be forwarded to the FCU data mux and ultimately FCU state machines for configuration memory loading. It also takes in 128-bit output data from the FCU, which also comes with a valid signal for debug and read-back operations. It provides an acknowledge signal to indicate to downstream circuitry that the data transfer was successful.

The FCU data mux simply selects between the configuration mode specific data buses coming in to the FCU. This logic is controlled by the static FCU\_CONFIG\_MODESEL straps and the JTAG override circuitry from the JTAG TAP controller.

Finally, the FCU state machine takes incoming data and uses it for loading the configuration memory. Conversely, it also provides output data from the configuration memory or Snapshot to be forwarded upstream.



#### Figure 17: Block Diagram for JTAG Instruction Processing in FCU

The waveform below highlights the JTAG programming sequence, showing the internal procedures that occur in the ACE-generated jam file. These steps are as follows:

1. DO\_RESET\_CHIP: An internal signal generates a pulse on the FCU reset circuitry to reset it, similar to providing a pulse on the FCU\_CONFIG\_RSTN input pin.
2. DO\_ENTER\_JTAG: A TAP command (override) is provided to place the Speedster7t FPGA FCU in JTAG mode. After this point, regardless of the FCU\_CONFIG\_MODESEL settings, the FCU configuration mode (and the data muxes) are set to listen to the JTAG inputs, and the FCU clock is sourced from JTAG\_TCK.
3. DO\_ERASE: This step cycles through the FCU states to ensure that the configuration memory is cleared. After this step, FCU\_CONFIG\_STATUS is asserted.
4. DO\_PROGRAM: This is where the actual bitstream loading occurs. This operation consists of DRSCAN loops for every bit in the bitstream. Since the size of the bitstream is pre-determined, the loop count is set appropriately by ACE.
5. DO\_ENTER\_USER\_MODE: IRSCAN and DRSCAN commands are provided to cycle through additional FCU states. Idle clocks are provided to ensure that the start-up state machine completes successfully, and in the process, o\_config\_done and FCU\_CONFIG\_USER\_MODE are asserted. After this step, functions hosted within a Speedster7t FPGA are active.
6. DO\_EXIT\_JTAG: This is another TAP command performed in parallel once user-mode operations start to quickly provide additional instructions to remove the JTAG override on the FCU.

[Waveform: i\_jtag\_tck, i\_jtag\_tms, i\_jtag\_trstn, i\_jtag\_tdi, o\_jtag\_tdo, o\_config\_status, o\_config\_done and o\_config\_user\_mode across the phases DO\_RESET\_CHIP, DO\_ENTER\_JTAG, DO\_ERASE, ..., DO\_ENTER\_USER\_MODE, DO\_EXIT\_JTAG]

#### Figure 18: JTAG Bitstream Programming Sequence

### JTAG Instructions

The table below lists all JTAG instructions supported by Speedster7t FPGAs.

#### Table 9: JTAG Instructions

| Instruction | Opcode | DR Width | Function |
|-------------|--------|----------|----------|
| BYPASS | 23'b000000000000000000000000000000000000 | 1 | The required BYPASS instruction allows a Speedster7t FPGA to remain in a functional mode and selects the bypass register to be connected between JTAG_TDI and JTAG_TDO. The BYPASS instruction allows serial data to be transferred through the FCU from JTAG_TDI to JTAG_TDO without affecting the operation of a Speedster7t FPGA. |
| EXTEST | 23'b111111111111111111101000 | - | The required EXTEST instruction places a Speedster7t FPGA into an external boundary-test mode and selects the boundary-scan register to be connected between JTAG_TDI and JTAG_TDO. Output pins operate in test mode, driven from the contents of the boundary-scan update latch. Input data captured in boundary-scan latches prior to shift operation. In other words, during this instruction, the boundary-scan register is accessed to drive test data outside of a Speedster7t FPGA via the boundary outputs and receive test data from outside of a Speedster7t FPGA via the boundary inputs. |
| EXTEST_PULSE | 23'b111111111111111111101001 | - | As the names suggest, EXTEST_PULSE generates a single pulse by entering and exiting the Run-Test/Idle state of the 1149.1 TAP controller. |
| EXTEST_TRAIN | 23'b111111111111111111101010 | - | EXTEST_TRAIN generates a stream of pulses while in the Run-Test/Idle state. A BSDL file for an 1149.6 device specifies the minimum number of pulses and the maximum time period allowed for pulse generation in the Run-Test/Idle state. |
| SAMPLE/PRELOAD | 23'b1111111111111111111000 | - | The required SAMPLE/PRELOAD instruction allows a Speedster7t FPGA to remain in its functional mode and selects the boundary-scan register to be connected between JTAG_TDI and JTAG_TDO. The output and input pins operate in normal mode. Input pin data and core logic output data captured in the boundary-scan latches. In other words, during this instruction, the boundary-scan register can be accessed via a data scan operation to take a sample of the functional data entering and leaving a Speedster7t FPGA. This instruction is also used to preload test data into the boundary-scan register before loading an EXTEST instruction. |
| IDCODE | 23'b1111111111111111111111 | 32 | The optional IDCODE instruction allows a Speedster7t FPGA to remain in its functional mode and selects the optional device identification register to be connected between JTAG_TDI and JTAG_TDO. The IDCODE register appears between JTAG_TDI and JTAG_TDO after power-up, after the TAP has been reset using the optional TRST pin, or by otherwise moving to the Test-Logic-Reset state. |
| HIGHZ | 23'b11111111111111111001111 | - | The optional HIGHZ instruction sets all outputs (including two-state as well as three-state types) to a disabled (high-impedance) state and selects the bypass register to be connected between JTAG_TDI and JTAG_TDO. |
| CLAMP | 23'b11111111111111111111111111 | - | Provides for "guarding" chip outputs during in-circuit test or boundary-scan functional test. Output pins operate in test mode, driven from content of boundary-scan update latch. The one-bit bypass register is selected for shifting. |
| INTDR | 23'b00000000000000000111101 | 97 | Test data register is implemented internally to the TAP controller. This internal register is used for global configuration and monitoring of global status signals. These registers are associated with a specific user-defined instruction. |
| JLOAD | 23'b00000100000001100111010 | 128 | Enables the scan in of the configuration bitstream into the configuration logic (in this mode, the SHIFT-DR state is used to scan in the bitstream). For the read-back, the data register is read back. All of these operations are done internally using a 128-bit parallel bus. Data is latched every 128 bits in the UPDATE-DR state. |
| JREAD | 23'b00000100000001000111010 | 128 | Enables the data register for read-back. When this instruction is decoded and CAPTURE-DR is executed, the data from the configuration logic is sampled as 32-bit data plus a valid bit. Multiple words of the configuration memory can be read back by cycling through the CAPTURE-DR/SHIFT-DR states. The 33-bit status register is selected between JTAG_TDI and JTAG_TDO. |
| JUSR1 | 23'b00000100000000100111010 | User defined | This instruction enables the USER1 TDR.<sup>(†)</sup> |
| JUSR2 | 23'b0000010000000000111010 | User defined | This instruction enables the USER2 TDR.<sup>(†)</sup> |
| JASYNCERR | 23'b0000000000001110111010 | - | This instruction enables the connection to the fabric error status scan register. |

#### Table Note

† This TDR is implemented in the fabric and is used for supporting debug functionality in the fabric.

# Chapter - 4: Configuration Pin Tables

#### Table 10: Interface Pin Table

| Pin Name | Direction | Usage |
|----------|-----------|-------|
| Configuration Interface | | |
| FCU_CONFIG_MODESEL[3:0] | Input | Configuration mode selection inputs to define the FPGA configuration unit (FCU) mode of operation. Configuration mode and CFG_MODESEL[3:0] value:<br>Flash Serial 1x: 0001<br>Flash Serial 4x: 0010<br>CPU x1,x8,x16,x32,x128: 0011 to 0111<br>Flash Dual x1: 1000<br>Flash Dual x4: 1001<br>Flash Quad x1: 1010<br>Flash Quad x4: 1011<br>Flash Octa x1: 1100<br>Flash Octa x4: 1101<br>JTAG: Always active mode |
| FCU_CONFIG_STATUS <sup>(4)</sup> | Output | … that the FCU has completed initial start-up and has cleared the CMEM and is awaiting FCU commands for bitstream programming. Once high … a re-initialization sequence or a CRC error … |
| FCU_CONFIG_DONE <sup>(4)</sup> | Output | … that bitstream loading completed successfully and that the device is ready to enter user mode. Once high, it stays asserted until the FCU is power cycled or reset for a re-initialization sequence. If a device configuration error occurs, the … remain low. Holding this pin low on the board can be used as a method … |
| FCU_CONFIG_RSTN <sup>(1)</sup> | Input | Asynchronous active-low reset … configuration memory in the device and the logic in the FPGA configuration unit (FCU). |
| FCU_CONFIG_USER_MODE <sup>(4)</sup> | Output | Active-high output indicating that … …ned into user mode. Once high, it stays asserted until the FCU is power cycled or reset for a re-initialization sequence. |

| Pin Name | Direction | Usage |
|----------|-----------|-------|
| FCU_CONFIG_SYSCLK_BYPASS | Input | Active-high bypass co… clock setting. Along with CFG_CLKSEL, this setting allows for clock selection dur…<br>SYSCLK_BYPASS / CFG_CLKSEL / CFG_MODESEL[3:0] / Configuration Clock:<br>0 / 0 / 0000, 0001, 0010, 1000 to 1101 / On-chip Oscillator<br>1 / 0 / 0000, 0001, 0010, 1000 to 1101 / CPU clock<br>X / 0 / 0011, 01XX / CPU clock<br>X / 1 / XXXX / JTAG TCK |
| FCU_CONFIG_BYPASS_CLEAR | Input | Active-high input pin to bypass configuration memory clear during device initialization. |
| FCU_CONFIG_ERR_ENC[2:0] | Output | … presence of a CRC, scrubbing or oth… during device programming. If asserted, it continues to stay high and users … and user mode is never entered.<br>FCU_CONFIG_ERR_ENC[2:0] and status:<br>001: CRC Error; 0 (Lowest)<br>010: Single-bit/multiple-bit scrubbing error<br>011: Secure Boot Failure OR Security error.<br>100: Efuse PUF enrollment error; 3<br>…: …KI interface of IP configuration space register block … a ready from the master; 4 (Highest)<br>Other: Undefined |
| FCU_LOCK | Output | Active-high status bit to indicate the FCU lock/unlock status |
| FCU_OSC_CLK | Output | This clock is internally … ring oscillator. For debug purposes it can be bypassed and the external clock CPU… …d. |
| FCU_PARTIAL_CONFIG_DONE | Output | … signal indicating that bitstream loading … successfully and that the device is ready to enter … |
| FCU_STAP_SEL | Input | … the JTAG interface pins to be direct… JTAG controller in the SerDes PMA blocks allowing SerDes configuration, debug and performance monitoring directly from the JTAG interface. For bitstream download and design debug using the … For SerDes PMA debug only mod… |

| Pin Name | Direction | Usage |
|----------|-----------|-------|
| FCU_STATUS[1:0] | Output | FCU status bits showing the FCU state. FCU_STATUS value and state:<br>11: fcu_locked<br>10: sync_found<br>01: ID found<br>00: instance ID found / FCU unlocked |
| FCU_STRAP[2:0] | Output | Unconnected spare outputs |
| JTAG Interface | | |
| JTAG_TCK | Input | Clock input to the JTAG controller in the FCU. |
| JTAG_TRSTN | Input | Active-low reset input to the JTAG controller in the FCU. |
| JTAG_TDI | Input | Serial data input to the JTAG controller in the FCU. Synchronous to JTAG_TCK. |
| JTAG_TDO | Output | Serial data output from the JTAG controller in the FCU. Synchronous to JTAG_TCK. |
| JTAG_TMS | Input | Mode select input to the JTAG controller in the FCU. Synchronous to JTAG_TCK. |
| Flash Memory Interface | | |
| FCU_FLASH_SCK | Output | Clock output from FCU to flash memory device(s). |
| FCU_FLASH_HOLDN | Output | … signal is used to pause serial communications …er and the flash device without deselecting the device or stopping the serial clock. |
| FCU_FLASH_CSN[3:0] | Output | …elect to enable/disable one or more of the … …0] is used, for x4 mode connect each CS… |
| CPU Interface | | |
| FCU_CPU_CLK | Input | Input clock from external CPU. The data/address bus is synchronous to this clock. |
| FCU_CPU_CSN | Input | Active-low CPU mode chip select. |
| FCU_CPU_DQ_IN_OUT[31:0] | Input/Output | … pins shared between the CPU and Flash … the Flash mode is in use and vice-versa … |
| FCU_CPU_DQ_VALID | Output | … bit to indicate to the CPU the clock cycles when the CPU_DQ bus has valid read-… Synchronous to FCU_CPU_CLK. |

#### Table Notes

1. FCU_CONFIG_RSTN needs to be held low, and cannot glitch during device power-up. All other input pins need only be stable when i_config_rstn is ready to be released after power-up.
2. Refer to the FCU_CPU_CSN Behavior and Implementation Details section of the user guide for details.
3. All configuration status related output signals are driven from registers. The reset value for these registers is '0', and the transition from '0' to '1' is glitch free after reset de-assertion and when reaching the appropriate FCU states.
4. … and Configuration Sequence section of the user guide for details.
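
A board controller that samples the configuration outputs of Table 10 can use them to catch a failed or inconsistent configuration. The Python below is an added example, not Achronix code: it decodes the mode and clock encodings from the table and audits a constructed trace of sampled pins against the behaviour the table states. It assumes FCU_CONFIG_ERR_ENC = 000 means no error is reported (the table does not list that value) and that the trace is taken under continuous power; the `Sample` field names are hypothetical.

```python
from dataclasses import dataclass

# Encodings copied from Table 10.
FLASH_MODES = {
    0b0001: "Flash Serial 1x", 0b0010: "Flash Serial 4x",
    0b1000: "Flash Dual x1", 0b1001: "Flash Dual x4",
    0b1010: "Flash Quad x1", 0b1011: "Flash Quad x4",
    0b1100: "Flash Octa x1", 0b1101: "Flash Octa x4",
}
ERR_ENC = {
    0b001: "CRC Error",
    0b010: "Single-bit/multiple-bit scrubbing error",
    0b011: "Secure Boot Failure OR Security error",
    0b100: "Efuse PUF enrollment error",
}


def config_mode(modesel):
    """Name the mode selected by FCU_CONFIG_MODESEL[3:0]."""
    if modesel in FLASH_MODES:
        return FLASH_MODES[modesel]
    if 0b0011 <= modesel <= 0b0111:
        return "CPU"          # the table gives the range, not a width per code
    return "not listed"       # 0000, 1110, 1111; JTAG is always active


def config_clock(sysclk_bypass, cfg_clksel, modesel):
    """Apply the SYSCLK_BYPASS / CFG_CLKSEL / CFG_MODESEL[3:0] rows."""
    if cfg_clksel:                                  # X 1 XXXX
        return "JTAG TCK"
    if 0b0011 <= modesel <= 0b0111:                 # X 0 0011, 01XX
        return "CPU clock"
    if modesel <= 0b0010 or 0b1000 <= modesel <= 0b1101:
        return "CPU clock" if sysclk_bypass else "On-chip Oscillator"
    return None                                     # combination not in the table


@dataclass
class Sample:
    """One reading of the pins (hypothetical field names)."""
    rstn: int        # FCU_CONFIG_RSTN, active-low input
    done: int        # FCU_CONFIG_DONE
    user_mode: int   # FCU_CONFIG_USER_MODE
    err_enc: int     # FCU_CONFIG_ERR_ENC[2:0]; 0 assumed to mean "no error"


def audit(trace):
    """Return (sample index, finding) pairs for a list of Samples."""
    findings, reported = [], set()
    prev, err_seen = None, False

    def flag(index, message):
        if message not in reported:   # one finding of each kind per reset epoch
            reported.add(message)
            findings.append((index, message))

    for i, s in enumerate(trace):
        if s.rstn == 0:               # reset asserted: sticky state starts over
            prev, err_seen = None, False
            reported.clear()
            continue
        if s.err_enc:
            err_seen = True
            flag(i, "error: " + ERR_ENC.get(s.err_enc, "undefined code"))
        elif prev is not None and prev.err_enc:
            # "If asserted, it continues to stay high"
            flag(i, "ERR_ENC cleared without reset")
        if err_seen and s.user_mode:
            # "... and user mode is never entered"
            flag(i, "user mode entered after a configuration error")
        if prev is not None:
            # DONE and USER_MODE stay asserted until power cycle or reset
            for pin in ("done", "user_mode"):
                if getattr(prev, pin) and not getattr(s, pin):
                    flag(i, f"{pin} dropped without reset")
        prev = s
    return findings


# Constructed trace: a clean boot, a reset, then a boot that reports code 011
# and afterwards shows pin states the table says cannot follow an error.
SAMPLE_TRACE = [
    Sample(rstn=0, done=0, user_mode=0, err_enc=0),
    Sample(1, 0, 0, 0),
    Sample(1, 1, 0, 0),
    Sample(1, 1, 1, 0),
    Sample(0, 0, 0, 0),
    Sample(1, 0, 0, 0b011),
    Sample(1, 0, 0, 0b011),
    Sample(1, 0, 1, 0b011),
    Sample(1, 0, 0, 0),
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_TRACE):
        print(index, finding)
```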

# Chapter - 5: FPGA Configuration Unit (FCU)

The FPGA configuration unit (FCU) is the logic that controls the configuration process of the Speedster7t FPGA. It is responsible for receiving data on a variety of core interfaces (depending on the selected programming mode), decoding instructions, and sending configuration bit values to the appropriate destination (core configuration memory, the core's boundary ring configuration memory, FCU registers, etc.). The FCU is also responsible for any core-level housekeeping that happens on reset de-assertion (e.g., clearing of configuration memory), for controlling the startup and shutdown sequences that drive resets to the rest of the core, and for CRC checks, SEU mitigation and security.

# Features

The following features are supported by the FCU:

- Multiple configuration modes (see Configuration Modes)
- Bitstream CRC
- AES encryption/decryption and bitstream security
- Configuration memory scrubbing and SEU mitigation (single-bit error correction, dual-bit error detection)
- Read-back

The FCU has two operating modes:

- **Power-on**: Triggered after the input FCU\_CONFIG\_RSTN is driven high. Once the FCU state machine starts, it progresses through a number of housekeeping activities, including the clearing of the configuration memory if needed. All of this processing happens without any additional inputs from the user; all instructions sent via one of the programming interfaces during this time are ignored. At the end of this mode the output pin FCU\_CONFIG\_STATUS is driven high (it was driven low earlier) and the FCU returns to the instruction processing mode.
- **Instruction processing**: The main mode of operation for the state machine. In this mode, the FCU functions as a simple CPU, processing incoming instructions and sending control signals downstream as directed. Instructions are received on 128-bit boundaries but processed 32 bits per clock cycle. The FCU can request data from the host or stall when it is processing the previous instruction. Depending on the programming interface being used, a set of output status signals generated by the FCU are used to determine how to proceed. Refer to Configuration Modes and FCU Command List for additional details.

### FCU AXI Lite Master and Slave

The FCU configures all the hard IP configuration space registers during bitstream programming. This includes the PLL and hard IPs such as PCIe, DDR4, GDDR6 and Ethernet. The FCU interfaces to an AXI Lite master, which can be used to program the configuration registers of all hard IP and drive all AXI endpoints on the chip. It also interfaces to an AXI slave, which interfaces to the NoC. A bitstream can be sent to the FCU via PCIe/Ethernet through the NoC interface.

#### **AXI Lite Master**

During bitstream programming, the FCU receives a 128-bit segment of the bitstream every four clocks. The segment comprises a 4-bit AXI write command, a 43-bit address, a 32-bit data payload and padding. Writes to the configuration space registers of the hard IP are done by the FCU AXI master, which forms AXI write transactions by sending the address, write data and command to the NoC AXI slave.

The NoC AXI slave converts these AXI transactions to APB transactions and configures the hard IP configuration space registers. AXI writes are non-blocking, i.e., the FCU does not accept any back-pressure from the NoC AXI slave and the response is not checked. The NoC AXI slave is responsible for maintaining throughput requirements.

During reads, the FCU receives an AXI read command and address. The FCU forms AXI read transactions by sending the address and command to the NoC AXI slave. The FCU waits for the responses from the NoC AXI slave, latches the data and then accepts new commands.



#### **AXI Slave**

The FCU AXI bridge communicates with PCIe or user logic via the NoC AXI master interface. The NoC AXI master sends a transaction to the FCU according to the AXI slave address map. The FCU AXI slave receives the data from the NoC AXI master and converts it to the FCU-specific packet format. The FCU bridge handles data transfer between the AXI slave and the FCU.

PCIe mode is enabled by writing the PCIe mode-enable register in the FCU address space [OFFSET ADDRESS=0x0]. PCIe sends the FCU address and writes the PCIe mode-enable register, and the same register is read back. Once acknowledged, the bitstream can be sent from the PCIe interface via the FCU AXI slave.

The PCIe mode-enable bit overrides all other external settings on the FCU\_CONFIG\_MODESEL[3:0] pins. The first two CMEM reads are dummy reads, and the FCU AXI slave responds to the master with zero data.

### CRC

If CRC is enabled completely, an accumulative CRC is computed for each 128-bit data packet that comes through the datamux. The final CRC must match a hard-coded value in order to allow a startup or shutdown sequence to begin. The CRC register is set to 32'hFFFFFFF on reset and whenever the CRC register is written to. The current CRC computation can be read back at any time through an FCU register. CRC can also be completely bypassed.

# Chapter - 6: Configuration Sequence and Power-Up

The FCU has a startup sequencing block responsible for the initial power-up sequence out of reset. During power-on and bitstream programming, the startup state machine remains in its default IDLE state. After programming is finished and the chip is ready to be put into user mode, the state machine progresses through a number of startup states, de-asserting resets to the rest of the chip in a certain sequence. The final state of the startup process is user mode where it remains until it receives a request to initiate the shutdown process. The shutdown process is much like the startup process, but done in reverse (asserting resets along the way) and ending in the IDLE state.



The FCU startup sequencing block has three stages, the first two to support two-stage programming of the fabric and the third for partial reconfiguration.

After receiving a trigger, the state machine progresses through 32 start-up (or shut-down) states. There is an option of having each state wait for one or more PLLs to lock before continuing to the next state. The final startup state waits for assertion of the FCU\_CONFIG\_DONE signal before asserting FCU\_USER\_MODE.



The FCU startup state machine generates 32 resets, of which 16 are connected to the fabric and the other 16 are connected to the hard IPs. The fabric resets are staggered to avoid inrush currents.

# Chapter - 7: Partial Reconfiguration

Partial reconfiguration enables the user to reprogram a part of the fabric with a smaller bitstream. Each region that can be reconfigured independently is called a fabric cluster or just cluster. The Speedster7t FPGA has 80 clusters which can be reconfigured independently. Partial reconfiguration can only be initiated after the device has entered user-mode.

[Figure: Speedster7t floorplan with the fabric clusters numbered 1 to 80, surrounded by the SerDes, Ethernet, PCIe, GDDR6, DDR4, GPIO and PLL blocks. Up to 80 fabric clusters are available for partial reconfiguration.]

Figure - Partial reconfiguration available on any of the 80 fabric clusters connected to user instantiated NAPs

There are many advantages of partial-reconfiguration:

- Enable dynamic functionality for certain blocks in the design
- Smaller FPGA logic; functionality can be programmed on the FPGA when needed
- Faster programming times

### Design considerations

Partial-reconfiguration introduces additional complexity in the design. Defining the correct functional hierarchy is very important for designs that use partially reconfigurable modules. Because the rest of the FPGA fabric is alive and performing regular tasks during partial reconfiguration, it is important to ensure that no functional issues arise while the target module is being partially reconfigured, and that no outputs driven from that module are being actively used during partial-bitstream programming.

Timing paths into and out of the module may change after partial reconfiguration, and it is important to ensure that there are no timing violations after partial-reconfiguration for a design that met timing earlier. A good practice is to use the most challenging module for initial timing closure and, ideally, to register all inputs and outputs.

Also, port definitions for the new module and the module being swapped out must be the same. The reset scheme for the target module should be correctly defined and understood.

It is also important to define the correct placement constraints so that the target module is completely contained within the cluster marked for partial-reconfiguration, the resources for the module do not exceed the available resources for a cluster, and optimizations across the cluster are disabled.

# Chapter - 8: Remote Update

## Introduction

The Remote Update feature in Speedster7t FPGAs implements device reconfiguration using dedicated remote system upgrade circuitry in the FCU. The ability to upgrade an image remotely on an FPGA deployed in the field helps the user deliver feature enhancements and bug fixes without recalling the product, reduces time-to-market and extends product life.

The Remote Update logic within the FCU commands the configuration module to start a reconfiguration cycle. Error detection is enabled during and after the configuration process. If any errors are detected, the logic facilitates system recovery by reverting back to a safe, default factory configuration image and then provides error status information.

## Implementation



1. The flash device holds two bitstreams:
   - A known good working image, the "Golden bitstream".
   - A new bitstream with enhanced features and/or bug fixes, the "New Bitstream".
2. Initially the device boots from the golden bitstream and enters user mode.
3. System software initializes the "Current Bitstream Address" register, which is the start address of the New bitstream programmed by the user.
4. System software initializes the "Golden Bitstream Address" register, which is the start address of the Golden bitstream programmed by the user.
5. Based on the configuration mode, software writes the command and start address into the flash configuration header.
6. The system initiates a reset; the FPGA re-configures from the Current Bitstream Address, reads the first 512 bits of bitstream data from the flash device, and enters a wait state.
7. If encryption is not enabled, the complete bitstream is read and the FPGA is re-configured.
8. If encryption is enabled and the eFuse key is ready:
   - The header segment0 data is read and sent to the secure boot core.
   - The flash read state machine enters a wait state of 2.6 ms.
   - The flash interface reads the complete bitstream and configures the FPGA.

### Fallback on Error

After bitstream load, failure can happen in two scenarios:

- No IDCODE match after timeout expires
- CRC error after timeout expires

If either of these checks fails, the load is retried N times; the number of retries is specified in the flash configuration header.

If the failures persist, the system is unable to boot from the New Bitstream, and fallback is specified in the FPGA configuration header, a fast read is issued to the header fallback address.

The user should then update the New Bitstream or point the default boot address to the Golden Bitstream.

# Chapter - 9: Design Security for Speedster7t FPGA

Achronix recognizes the importance of protecting the sensitive IP a customer downloads onto their FPGA. To provide a high level of protection, Speedster7t FPGAs have a number of features to support bitstream encryption as well as authentication. These features ensure that no one can access the design configuration on the FPGA and also ensure that the design is the intended design. Speedster7t FPGAs provide this high level of security through the following features:

- Support for RSA authenticated and AES-GCM encrypted bitstream
- Differential power analysis (DPA) protection to prevent side-channel attacks
- Physically unclonable function (PUF) for tamper-proof protection
- Securely stores both public and encrypted private keys

With this security solution deployed, a customer's design is secure. Even with possession of the device, no one can extract the underlying design, the design cannot be reverse engineered, nor can the design be altered in any way.

### **Bitstream Authentication**

Authentication of a bitstream ensures that the design on the device is the intended design. Achronix provides a two-step authentication process that first authenticates an encrypted bitstream before decrypting it, and then performs authentication a second time on the decrypted bitstream before configuring the device. First, a bitstream is encrypted using AES-GCM, which provides authenticated encryption. Next, the user provides an asymmetric private key to sign the encrypted bitstream using RSA-2048. Then, when an encrypted and signed bitstream is loaded into the FPGA, the device uses the public key stored in an electronic fuse (eFuse) on the device to authenticate the bitstream. Once authenticated, bitstream decryption is enabled, and the bitstream is authenticated a second time while decrypting with AES-GCM. After the second authentication, the bitstream is used to configure the FPGA.

### **Bitstream Encryption**

Bitstreams contain the sensitive intellectual property of the designer. Achronix provides tools to generate bitstreams that are encrypted and signed using very strong encryption, with hardware designed to be resilient to side-channel attacks such as differential power analysis (DPA). Additionally, the key derivation function (KDF) inside the secure boot portion of the FPGA, along with the physically unclonable function (PUF), ensures protection of the secret keys used to decode and authenticate the bitstreams. Together these systems provide a solution that is safe from attacks such that, even with possession of the device, an adversary cannot extract the underlying design, cannot change the system to perform a task other than the intended task, and cannot reverse engineer the core intellectual property.

The figure below shows an overview of the security system and how everything works together to protect the bitstream. The portions shown in yellow represent the blocks used for encryption/decryption, the blocks in blue are for authentication, and the green portions are areas handling authenticated and encrypted bitstreams.



Figure 19: Bitstream Encryption/Authentication Block Diagram

### Generating Encrypted Bitstreams

To generate an encrypted bitstream, the user provides a 256-bit secret key to ACE. In order to provide better protection against side-channel attacks, ACE does not simply use this secret key to encrypt the entire bitstream. Instead, the secret key is used as an initial key. ACE then generates new derived keys based on the initial secret key to encrypt smaller segments of the bitstream, each with a different derived key and new nonce. Here the nonce, also known as an initialization vector (IV), is a random number only used once per segment, such that the same pattern is not generated while replaying or encrypting the same bitstream. Bitstream encryption is performed using the highly secure 256-bit AES-GCM encryption standard. Galois/counter mode (GCM) is an advanced form of symmetric-key block encryption which enhances 256-bit advanced encryption standard (AES) by using a nonce (one-time use random value) and a counter mode so that each segment of data is uniquely encrypted. ACE also uses a Galois message authentication code (GMAC) to simultaneously sign and authenticate the data, including the unencrypted preamble section of the bitstream, to guarantee the bitstream has not been altered. To further protect the bitstream, ACE also signs each segment of the encrypted bitstream using RSA-2048. See the section on Bitstream Authentication above for more details on the RSA-2048 authentication.
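The two-step check from the Bitstream Authentication section and the per-segment encryption described above, as an added Go example (not ACE or Achronix code). Assumptions: HMAC-SHA256 over the segment index stands in for the key derivation, which this guide does not specify; the RSA-2048 signature is PKCS #1 v1.5 with SHA-256 over index, nonce and ciphertext; `Segment`, `SealSegment`, `OpenSegment` and `NewSigner` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var ErrSignature = fmt.Errorf("step 1: RSA signature does not verify")
var ErrGCM = fmt.Errorf("step 2: AES-GCM tag does not verify")

// Segment is one encrypted and signed piece of the bitstream (hypothetical layout).
type Segment struct{ Nonce, Ciphertext, Signature []byte }
func be32(i int) []byte { return []byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)} }

// aeadFor: AES-256-GCM under a per-segment key. Assumption: HMAC-SHA256(initialKey, i) as the KDF.
func aeadFor(initialKey []byte, i int) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, initialKey)
	mac.Write(be32(i))
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte output, so AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedDigest is what the RSA signature covers: index, nonce, ciphertext with tag.
func signedDigest(i int, s Segment) []byte {
	d := sha256.Sum256(append(append(be32(i), s.Nonce...), s.Ciphertext...))
	return d[:]
}

// SealSegment is the build side: encrypt the segment, then sign the encrypted result.
func SealSegment(key []byte, priv *rsa.PrivateKey, preamble []byte, i int, plain []byte) (Segment, error) {
	aead, err := aeadFor(key, i)
	if err != nil {
		return Segment{}, err
	}
	s := Segment{Nonce: make([]byte, aead.NonceSize())}
	if _, err = rand.Read(s.Nonce); err != nil { // fresh random nonce for every segment
		return Segment{}, err
	}
	s.Ciphertext = aead.Seal(nil, s.Nonce, plain, preamble) // preamble: authenticated, not encrypted
	s.Signature, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedDigest(i, s))
	return s, err
}

// OpenSegment is the device side: check the signature first, decrypt only if it holds.
func OpenSegment(key []byte, pub *rsa.PublicKey, preamble []byte, i int, s Segment) ([]byte, error) {
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedDigest(i, s), s.Signature) != nil {
		return nil, ErrSignature
	}
	aead, err := aeadFor(key, i)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, s.Nonce, s.Ciphertext, preamble)
	if err != nil {
		return nil, ErrGCM
	}
	return plain, nil
}

// NewSigner generates a throwaway RSA-2048 key pair for the demonstration.
func NewSigner() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, _ := NewSigner()
	key := make([]byte, 32) // constructed all-zero initial key, demonstration only
	s, _ := SealSegment(key, priv, []byte("preamble"), 0, []byte("frame data"))
	s.Ciphertext[0] ^= 1 // one bit corrupted in transit
	_, err := OpenSegment(key, &priv.PublicKey, []byte("preamble"), 0, s)
	fmt.Println(err) // rejected by the signature check, before any decryption
}
```

A modified segment or a segment moved to another index stops at the RSA check; an altered preamble or a wrong initial key passes the RSA check and is caught by the GCM tag.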

### Hardware Security

There are several security features available in the hardware to support decryption of encrypted bitstreams, safe storage of secret keys, and strict rule enforcement such that the device will be locked if security rules are violated. The main features for decryption and safe storage of keys use the physically unclonable function (PUF) which provides a unique secret value per individual chip, and the key derivation function (KDF) which uses the PUF as the key to encrypt/decrypt the real secret keys from the encrypted keys that are stored in an electronic fuse (eFuse).

#### **Physically Unclonable Function**

The PUF generates a unique secret identifier for each individual chip. It is created from random physical variations that occur during the semiconductor manufacturing process, such that the same circuit on a device creates completely different and unique values on each chip, even chips on the same wafer. The value of the PUF is random per individual chip, but remains constant over the lifetime of that chip. The PUF value is not known to Achronix or the manufacturer, and the value cannot be observed without destroying or altering the value of the PUF. This PUF value can be used to encrypt the user's secret key and store an encrypted version of the secret key in an eFuse. Then when an encrypted bitstream is loaded into the FPGA, the PUF value is used to temporarily decrypt the stored encrypted secret key. This secret key is then used to generate the multiple rotating keys to decrypt the bitstream blocks that configure the FPGA.

#### **Key Derivation Function**

The KDF uses 256-bit AES encryption in conjunction with the PUF to create an encrypted version of the user's secret key that can be stored in an eFuse. While it is theoretically possible to observe the contents of the eFuse if an adversary is in possession of the device and has access to advanced reverse engineering equipment, the stored key is an encrypted version of the secret key that uses the PUF value as the master key for encryption. Again, the PUF value cannot be known and is unique to each individual device, thus making the stored key safe. Additionally, when the KDF needs to decrypt an encrypted bitstream, it loads the encrypted key from the eFuse along with the PUF value and temporarily decrypts the secret key. The secret key is then used as the initial key for the module that generates the multiple derived keys for AES-GCM decryption of the bitstream before loading it to configuration memory in the FPGA.

The two figures below show how the PUF and KDF are used to generate a secure encrypted key to store in an eFuse, as well as how they are used to recreate the secret key to decrypt the bitstream.



Figure 20: Safe Secret Key Storage

#### Rules for Encryption

When using encrypted bitstreams, the FPGA device enforces a set of rules. If the security rules are violated, the FPGA locks up and cannot be used in any way without powering down the device. First, there is an ordering rule to how bitstreams can be loaded. There are three phases for bitstreams for Speedster7t devices, and they must follow these ordering rules.

1. Zero, one, or multiple pre-configuration bitstreams.
2. One, and only one, full configuration bitstream.
3. Zero, one, or multiple partial reconfiguration bitstreams.

Additionally, there are rules about which keys can be used for the encryption. The eFuses can store up to four secret keys — bitstreams can be encrypted using up to four different initial keys. The following rules must be followed to prevent locking the device.

1. If the encrypted\_bitstreams\_only eFuse bit has been set for the FPGA, the device will only accept encrypted bitstreams.
2. If any pre-configuration bitstream is encrypted, all pre-configuration bitstreams must be encrypted using the same key.
3. If either the pre-configuration bitstream or the full bitstream is encrypted, they both must be encrypted and both must use the same key.
4. Any partial reconfiguration bitstreams may use a different key if and only if the previous bitstream sets the same\_key bit to 0 in the preamble, and the partial reconfiguration bitstream also sets that same bit to 0 in its preamble.

#### Note

It is acceptable to load an unencrypted bitstream after a previous encrypted bitstream. It is not acceptable to load an encrypted bitstream after a previous unencrypted bitstream.
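Because a rule violation locks the device until it is powered down, a planned load sequence can be checked in software first. The Go code below is an added example, not Achronix code: the `Bitstream` type, the key-slot numbering 0 to 3 and `CheckSequence` are this example's own model, and it reads the note above as applying to partial reconfiguration bitstreams, since rule 3 already requires the pre-configuration and full bitstreams to be encrypted together.

```go
package main

import (
	"errors"
	"fmt"
)

type Phase int

const (
	PreConfig       Phase = iota // zero, one, or multiple
	FullConfig                   // one, and only one
	PartialReconfig              // zero, one, or multiple
)

// Bitstream models the properties the rules depend on (this example's own type).
type Bitstream struct {
	Phase     Phase
	Encrypted bool
	KeySlot   int  // assumed numbering 0..3 for the four eFuse keys; ignored if unencrypted
	SameKey   bool // value of the same_key bit in the preamble
}

// CheckSequence returns nil if the planned load order obeys the ordering and key
// rules, or an error naming the first violation. encryptedOnly mirrors the
// encrypted_bitstreams_only eFuse bit.
func CheckSequence(seq []Bitstream, encryptedOnly bool) error {
	full := 0
	for i, b := range seq {
		if encryptedOnly && !b.Encrypted {
			return fmt.Errorf("bitstream %d: unencrypted, but encrypted_bitstreams_only is set", i)
		}
		if b.Encrypted && (b.KeySlot < 0 || b.KeySlot > 3) {
			return fmt.Errorf("bitstream %d: key slot %d is not one of the four eFuse keys", i, b.KeySlot)
		}
		if b.Phase == FullConfig {
			full++
		}
		if full > 1 {
			return fmt.Errorf("bitstream %d: second full configuration bitstream", i)
		}
		if i == 0 {
			continue
		}
		prev := seq[i-1]
		keyChanged := b.Encrypted && prev.Encrypted && b.KeySlot != prev.KeySlot
		switch {
		case b.Phase < prev.Phase:
			return fmt.Errorf("bitstream %d: phases out of order", i)
		case b.Encrypted && !prev.Encrypted: // the note: never encrypted after unencrypted
			return fmt.Errorf("bitstream %d: encrypted after an unencrypted bitstream", i)
		case b.Phase != PartialReconfig && (keyChanged || b.Encrypted != prev.Encrypted): // rules 2, 3
			return fmt.Errorf("bitstream %d: pre-configuration and full bitstreams must share one key or all be unencrypted", i)
		case b.Phase == PartialReconfig && keyChanged && (prev.SameKey || b.SameKey): // rule 4
			return fmt.Errorf("bitstream %d: key change requires same_key = 0 here and in the previous preamble", i)
		}
	}
	if full != 1 {
		return errors.New("exactly one full configuration bitstream is required")
	}
	return nil
}

func main() {
	plan := []Bitstream{ // constructed load plan
		{PreConfig, true, 0, true},
		{FullConfig, true, 0, false},
		{PartialReconfig, true, 1, true}, // new key, but its own same_key bit is 1
	}
	fmt.Println(CheckSequence(plan, false))
}
```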

## Security Fuses

There are several eFuses that are related to the security features in Speedster7t devices. Some of these are set during manufacturing and cannot be changed by the customer, and others are available for customer use.

### Fuses Set at Manufacturing

There are two fuses that can be set at manufacturing time to limit the features of the FPGA. The part number of the device indicates if these limitations exist in a part.

- **Bitstream decrypt disable**: If set, the FPGA cannot accept encrypted bitstreams.
- **DPA disable for bitstream decrypt**: If set, the FPGA still supports encrypted bitstreams, but there is limited hardware protection for differential power analysis (DPA) side-channel attacks that can potentially expose secret keys.

### Fuses Set By Customer

There are several eFuses that can be set by the customer if using encrypted bitstreams:

- **Bitstream authentication key**: This fuse contains a 768-bit hash of the public key used for first-level authentication of encrypted bitstreams. This fuse is not readable.
- **Bitstream decryption key**: These fuses contain the four 256-bit secret keys that can be used for decryption and authentication of encrypted bitstreams. This fuse can contain the actual secret keys or the encrypted version of the secret keys (using PUF and KDF). This fuse is not readable.
- **Bitstream user register**: This fuse contains the 32-bit value set by the user to identify the key version used. The secret key itself cannot be read back, but the user register value can be read. The user keeps a mapping of key versions to keys.
- **Bitstream user lock**: This one-bit fuse, if set, disables further updates to authentication key, decryption key, and user register.
- **Encrypted bitstreams only**: This one-bit fuse, if set, forces the FPGA to only accept encrypted bitstreams that use one of the keys in the fuses.

### Default Keys

Achronix provides a default public key for authentication and a default secret key for encryption/decryption of the bitstream. These keys are available to use for testing, so that a user has confidence the security system works. The default keys should not be used to protect sensitive designs — they are only made available for testing purposes. Additionally, once a user sets the eFuse to only accept encrypted bitstreams, the FPGA no longer accepts the default keys.

## Loading Encrypted Bitstreams

Loading an encrypted bitstream is similar to loading an unencrypted bitstream. However, the most important difference is that once the unencrypted 512-bit preamble of the bitstream is loaded, the FPGA disables all readout of any data, thus securing the device containing a user's sensitive IP, protecting it from being known, reverse engineered, or altered in any way. Below are the steps for loading encrypted bitstreams:

1. When the hardware detects an encrypted bitstream is being loaded, all readout and debug features are disabled by the hardware, disabling the ability for a user to read any internal state related to the FPGA fabric or the FCU.
2. Security rules for loading encrypted bitstreams are checked. If the rule checker fails, the FPGA enters a locked state and can only be re-enabled by a power cycle.

If the user's system uses a board management controller to load in the bitstreams, there are additional requirements the user needs to be aware of:

1. After the 512-bit preamble of the bitstream, the board management controller must pause and wait for some number of FCU clock cycles before sending the next portion of the encrypted bitstream.
2. After the first 12,688 bytes of the encrypted bitstream, the board management controller must pause and wait at least 520,000 FCU clocks, or about 2 ms (assuming a 32-bit data path and 250 MHz FCU clock).
3. For encrypted bitstreams, a board management controller is limited to sending 32 bits per FCU clock. For unencrypted bitstreams, it can send data at a rate up to 128 bits per FCU clock.

#### Note

When using encrypted bitstreams, it is *not* possible to use any debug features of the FPGA. Debug features are *only* available when using unencrypted bitstreams.

# **Revision History**

| Version | Date        | Description            |
|---------|-------------|------------------------|
| 0.1     | 12 Feb 2020 | Initial draft release. |