Intellectual property protection in a programmable logic device
First Claim
1. A method, comprising:
- (a) maintaining a device identifier and a private key in a programmable logic device, the device identifier and the private key being non-volatile such that if power to the programmable logic device is lost the device identifier and private key remain stored in the programmable logic device;
(b) receiving a first encrypted key onto the programmable logic device, and using the device Identifier and the private key to decrypt the first encrypted key thereby generating a first key;
(c) receiving onto the programmable logic device a bitstream comprising first encrypted configuration data encrypted with the first key;
(d) using the first key to decrypt the first encrypted configuration data on the programmable logic device thereby generating first configuration data; and
(e) configuring a first portion of the programmable logic device using the first configuration data.
1 Assignment
0 Petitions
Accused Products
Abstract
Individual IP vendors can directly license their IP modules to PLD users. Each PLD has a unique device identifier (UDI). If a user obtains a license to use an IP module on a particular PLD, then the IP vendor issues the user an authorization code (AC). The user supplies the AC to a license manager. The license manager decrypts the AC and checks that the UDI of the supplied AC matches the UDI of the PLD. If the two match, then the license manager encrypts a key, and sends the encrypted key to the PLD. The PLD uses a private key to decrypt the key. When the configuration bitstream for the design is later sent to the PLD, the license manager encrypts the IP module portion of the bitstream with the key. The PLD receives the bitstream and uses the decrypted key to decrypt the IP module portion.
167 Citations
27 Claims
-
1. A method, comprising:
-
(a) maintaining a device identifier and a private key in a programmable logic device, the device identifier and the private key being non-volatile such that if power to the programmable logic device is lost the device identifier and private key remain stored in the programmable logic device;
(b) receiving a first encrypted key onto the programmable logic device, and using the device Identifier and the private key to decrypt the first encrypted key thereby generating a first key;
(c) receiving onto the programmable logic device a bitstream comprising first encrypted configuration data encrypted with the first key;
(d) using the first key to decrypt the first encrypted configuration data on the programmable logic device thereby generating first configuration data; and
(e) configuring a first portion of the programmable logic device using the first configuration data. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A method comprising:
-
receiving onto a programmable logic device an encrypted first key;
on the programmable logic device decrypting the encrypted first key to generate a first key and storing the first key on the programmable logic device;
receiving onto the programmable logic device a configuration bitstream having a first portion and a second portion;
on the programmable logic device decrypting the first portion of the configuration bitstream using the first key; and
configuring the programmable logic device with the decrypted first portion of the configuration bitstream thereby realizing a first IP module. - View Dependent Claims (20)
-
-
21. A method, comprising:
-
receiving on a development system a device identifier from a programmable logic device;
receiving on the development system an authorization code;
verifying on the development system that the authorization code and the device identifier have a predetermined relationship, wherein if the authorization code and the device identifier have the predetermined relationship then encrypting a key using the device identifier and sending the encrypted key from the development system to the programmable logic device, but wherein if the authorization code and the device identifier do not have the predetermined relationship then the encrypted key is not sent from the development system to the programmable logic device; and
the development system using the key to encrypt a portion of a configuration data bitstream, the development system outputting the configuration data bitstream including the encrypted portion. - View Dependent Claims (22, 23, 24)
-
-
25. A development system, comprising:
-
a capture/design tool; and
means for verifying that an authorization code has a predetermined relationship with respect to a device identifier read from a programmable logic device, and if the authorization code is verified then the means also encrypting a key and sending the encrypted key to the programmable logic device, if the authorization code is verified then the means also uses the key to encrypt a portion of a configuration data bitstream output by the capture/design tool, the configuration data bitstream including the encrypted portion being sent to the programmable logic device. - View Dependent Claims (26, 27)
-
Specification