A system and method are disclosed for provisioning IP features in a system-on-chip. A plurality of identical chips are fabricated, each of which is capable of have a number of features enabled or disabled. As a default, all features are disabled. A production process is later carried out, in which the chip is installed in a greater device. During this process, the manufacturer requests a license the IP owner for enablement of various features. Using secure communications, a license is granted identifying the features to be enabled, and a volume of units permitted to be manufactured. The license information is encrypted using a key already known to the chip, and sent to the manufacturer. The chip receives the license information during provisioning, extracts relevant provisioning information using the key, and a secure processing system provisions the relevant features. Log information is generated to allow the IP owner to verify license compliance.

One aspect provides an FPGA chip mounted on a printed circuit board (PCB). The FPGA chip can include a joint test action group (JTAG) interface comprising a number of input/output pins and an enablement pin, and a control logic block coupled to the enablement pin of the JTAG interface. The control logic block can receive a control signal from an off-chip control unit and control a logical value of the enablement pin based on the received control signal, thereby facilitating the off-chip control unit to lock or unlock the JTAG interface. The FPGA chip can further include a detection logic block to detect an unauthorized access to the FPGA chip. An input to the detection logic is coupled to the enablement pin, and a conductive trace coupling the input of the detection logic block and the enablement pin is situated on an inner layer of the PCB.

A proposed technique allows for the security of the logic cone through logic locking and secures the outputs of the circuit from the scan chain without modifications to the structure of the scan chain. Since the oracle responses in test mode do not correspond to the functional key, satisfiability (SAT) attacks are not able to leverage the responses from the scan chain. In addition, a charge accumulation circuit is developed to prevent and detect any attempt to enter the partitioned test mode while the correct circuit responses are still stored within the registers.

Various implementations described herein refer to a device having base registers that receive input signals, receive a reset signal and provide first output signals based on the input signals and the reset signal. The device may have shadow registers that correspond to the base registers, wherein the shadow registers receive inverted input signals, receive an inverted reset signal and provide second output signals based on the inverted input signals and the inverted reset signal. The device may have attack detector logic that receives the first output signals from the base registers, receives the second output signals from the shadow registers and generates an alarm signal based on the first output signals and the second output signals.

Various implementations described herein refer to a device having base registers that receive input signals, receive a reset signal and provide first output signals based on the input signals and the reset signal. The device may have shadow registers that correspond to the base registers, wherein the shadow registers receive inverted input signals, receive an inverted reset signal and provide second output signals based on the inverted input signals and the inverted reset signal. The device may have attack detector logic that receives the first output signals from the base registers, receives the second output signals from the shadow registers and generates an alarm signal based on the first output signals and the second output signals.

A processing system comprises a processing unit, a hardware block configured to change operation as a function of life cycle data, and a one-time programmable memory storing original life cycle data. A hardware configuration module is configured to read the original life cycle data from the one-time programmable memory, to store the original life cycle data in a register, to receive a write request from the processing unit, and to selectively execute the write request to overwrite the original life cycle data with new life cycle data in the register.

A processing system comprises a processing unit, a hardware block configured to change operation as a function of life cycle data, and a one-time programmable memory storing original life cycle data. A hardware configuration module is configured to read the original life cycle data from the one-time programmable memory, to store the original life cycle data in a register, to receive a write request from the processing unit, and to selectively execute the write request to overwrite the original life cycle data with new life cycle data in the register.

Methods and systems are provided for decrypting and/or encryption information received by and/or transmitted from an integrated circuit (IC) device input/output (I/O) interface. A decryption circuit is configurable to apply a first decryption algorithm selected from a plurality of decryption algorithms to received information. An encryption circuit is configurable to apply a first encryption algorithm selected from a plurality of encryption algorithms to transmitted information. A key wrapping circuit is configurable to wrap decryption and/or encryption keys associated with the first decryption and/or encryption algorithm. A firewall circuit is configurable to prevent unauthorized access to the wrapped decryption and/or encryption keys. The decryption and/or encryption circuits are reconfigurable to apply a second decryption algorithm and/or a second encryption algorithm to the received information and/or the transmitted information.

Methods and systems are provided for decrypting and/or encryption information received by and/or transmitted from an integrated circuit (IC) device input/output (I/O) interface. A decryption circuit is configurable to apply a first decryption algorithm selected from a plurality of decryption algorithms to received information. An encryption circuit is configurable to apply a first encryption algorithm selected from a plurality of encryption algorithms to transmitted information. A key wrapping circuit is configurable to wrap decryption and/or encryption keys associated with the first decryption and/or encryption algorithm. A firewall circuit is configurable to prevent unauthorized access to the wrapped decryption and/or encryption keys. The decryption and/or encryption circuits are reconfigurable to apply a second decryption algorithm and/or a second encryption algorithm to the received information and/or the transmitted information.

A programmable logic device that is interposed between a client device and a database server is provided. The client device may issue read and write queries to the programmable logic device. The programmable logic device may serve as a cache. For read queries, confidential data that is stored locally on the programmable device or retrieved from the database server may be encrypted before sending it back to the client device. Non-confidential data may be left unencrypted and can be sent back to the client device in unencrypted form. The programmable logic device may be partially reconfigured during runtime to update database securities settings without causing unnecessary downtime for the overall system.