Compact and On-the-Fly Secure Dynamic Reconfiguration for Volatile FPGAs

Abstract

The dynamic partial reconfiguration functionality of FPGAs can be attacked, particularly when the FPGA is remotely located or the configuration bitstreams are sent through insecure networks. The existing FPGA technologies provide some built-in security mechanisms; however, these are often inadequate. The existing solutions still impose a significant impact on the reconfiguration process and on the available resources. This article proposes a solution to improve the security of dynamic partial reconfiguration of FPGAs, without significantly affecting the reconfiguration performance. The proposed solution changes the encryption key of the remotely received bitstream by a randomly generated key, unique for each configuration, when storing them in the external unsecured memory. The native frame-wise error detection mechanism combined with an additional CBC-MAC authentication mechanism, allows for an improved countermeasure against replay attack and wrongful bitstream usage. The proposed solution introduces an overhead of 1% of the available resources on the target FPGA and provides the lowest impact on the reconfiguration process when compared to the state of the art, achieving a reconfiguration throughput of 2.5Gbps. Regarding the built-in security mechanism provided by the Xilinx FPGAs, the solution herein proposed provides better security and improves the reconfiguration performance by more than 3 times.