1735_SNPS_1nov2010
Download
Report
Transcript 1735_SNPS_1nov2010
Synopsys P1735 Proposals
Dave Graubart & Parminder Gill
November 1, 2010
1
Agenda
• Problem Statement
• Requirements
• Proposals
• Plan: Between now and next meeting:
collect feedback and contribute to Twiki
2
Problem Statement
• Interoperability needs not yet met
– Rights management
– More complex tool flows
– EDA tool version control
• These are essential for Synopsys FPGA
synthesis in first version of 1735
• We’re now prepared to make contributions
3
More Complex Tool Flow
C or M
High level
synthesis
RTL
SDC
RTL
synthesis
Simulation
Place &
Route
Formal
Verification
Netlist
Placed
Netlist
4
Requirements
1.
2.
3.
4.
5.
Extensibility to any language
Tool rights
User rights
IP creation tool
Control of authorized tool versions
5
Requirement 1:
Extensibility to any language
• Support existing envelope for Verilog and
VHDL
• Support envelope as header in any file
– Useful for C, M (Matlab), Edif, SDC, and others
6
Requirement 2:
Tool Rights
• Create rights/control block per key block
– Plain text so end-user can view
– Digest line that is tamper-proof and tightly
associated with IP
– Each right can be conditional
• Narrow scope of public key: key for single
tool or family of similar tools, not one key
for a big EDA vendor
7
Requirement 3:
User Rights
• Identical mechanism to Tool Rights
• Use conditional syntax where condition
varies by user
• Condition can be satisfied in multiple ways
such as
– License requirement
– Password
– One-time activation
– Arbitrary mechanism
8
Requirement 4:
Tool for IP Author
• Lower barrier for IP author participation
• Synopsys can contribute script that uses
OpenSSL to process:
– Encryption envelope or source plus commands
– Key repository
9
Requirement 5:
Control of authorized tool versions
• Allow IP author to specify minimum
version of tool
– After security fix
– After functional enhancement
• Avoid expensive introduction of new keys
• Different than P1735 version
10
Details and Proposed Solutions
11
Encrypted Synthesis flow
RTL
Log file
Graphical
Views
RTL view
Technology view
Compile
Compiler log
messages
Map
Mapper log
messages
Netlist
12
Encrypted Synthesis flow
RTL
Log file
Graphical
Views
RTL view
RTL view
Technology view
Technology view
Technology view
Compile
Map
Netlist
Netlist
Netlist
Netlist
13
Compiler log
Compiler log
messages
messages
Mapper log
Mapper log
messages
Mapper log
messages
messages
Encrypted Synthesis flow
RTL
Log file
Graphical
Views
Compile
RTL view
RTL view
Technology view
Technology view
Technology view
None,
Interfaces,
No-restriction
Map
Netlist
Netlist
Netlist
Netlist
Visibility
Output
Method
14
None,
Encrypted,
Obfuscated
Plain-text
Compiler log
Compiler log
messages
messages
Mapper log
Mapper log
messages
Mapper log
messages
messages
Log
Messages
None,
No-name,
No-restriction
Introducing Control Block
Decryption Envelope (current)
Key Block - Simulation User
Key Block - Synthesis User
Data Block
15
Introducing Control Block
Decryption Envelope (enhanced)
Key Block - Simulation User
Basic
encryption
Key Block - Synthesis User
Control Block - Synthesis User
Data Block
16
Encryption
with fine
grained
controls
Enhancing Key Block
Decryption Envelope (current)
Key Block - Simulation User
Session Key (for data-block)
Key Block – Synthesis User
Session Key (for data-block)
17
Enhancing Key Block
Decryption Envelope (enhanced)
Key Block - Simulation User
Session Key (for data-block)
Key Block – Synthesis User
Session Key (for data-block)
Session Key (for control-block)
Control Block – Synthesis User
18
Enhancing Key Block
Decryption Envelope (enhanced)
Key Block - Simulation User
Session Key (for data-block)
Key Block – Synthesis User A
Session Key (for data-block)
Session Key (for control-block)
Control Block – Synthesis User A
Separate Control
block for each tool
Key Block – Synthesis User B
Session Key (for data-block)
Session Key (for control-block)
Control Block – Synthesis User B
19
Separate Control
block session key
for each tool
Defining Control Block
Decryption Envelope (enhanced)
Key Block - Simulation User
Key Block - Synthesis User
Control Block
Control Line: Right=value
Control Line: Right=value, condition
Control Digest
20
Syntax Proposal – Key Block
Decryption Envelope (current)
`protect begin_protected
`protect key_keyowner=“IP User”, key_method=“rsa”
`protect encoding=(enctype=“base64”, …), key_block
<session key>
`protect data_method=“des-cbc”
`protect encoding=(enctype=“base64”, …), data_block
encoded encrypted IP
`protect end_protected
21
encoded encrypted
Syntax Proposal – Key Block
Decryption Envelope (enhanced)
`protect begin_protected
`protect key_keyowner=“IP User”, key_method=“rsa”
`protect encoding=(enctype=“base64”, …), key_block
data-session-key=<session key>
encoded encrypted
control-session-key=<control session key>
`protect data_method=“des-cbc”
`protect encoding=(enctype=“base64”, …), data_block
encoded encrypted IP
`protect end_protected
22
Syntax Proposal – Control Block
Decryption Envelope (re-spaced)
`protect begin_protected
`protect key_keyowner=“IP User”, key_method=“rsa”
`protect encoding=(enctype=“base64”, …), key_block
data-session-key=<session key>
control-session-key=<control session key>
`protect data_method=“des-cbc”
`protect encoding=(enctype=“base64”, …), data_block
encoded encrypted IP
`protect end_protected
23
Syntax Proposal – Control Block
Decryption Envelope (enhanced)
`protect begin_protected
`protect key_keyowner=“IP User”, key_method=“rsa”
`protect encoding=(enctype=“base64”, …), key_block
data-session-key=<session key>
control-session-key=<control session key>
`protect control_keyowner=“IP User”, control_method=“des-cbc”, control_block
`protect <right>=<value>
`protect <right>=<value>, <conditions>
`protect encoding=(enctype=“base64”, …), control_digest
encoded encrypted control digest
`protect data_method=“des-cbc”
`protect encoding=(enctype=“base64”, …), data_block
encoded encrypted IP
`protect end_protected
24
Control Block – Internal Details
Decryption Envelope (enhanced)
Key Block - Simulation User
Control Block
Control Line: Right=value
Control Line: Right=value, condition
Control Digest
Data Block
25
Syntax Example – Control Block
Decryption Envelope (enhanced with examples)
`protect begin_protected
`protect key_keyowner=“IP User”, key_method=“rsa”
`protect encoding=(enctype=“base64”, …), key_block
data-session-key=<session key>
control-session-key=<new session key>
`protect control_keyowner=“IP User”, control_method=“des-cbc”, control_block
`protect control_visibility=none
`protect control_visibility=unrestricted, data_state=mapped
`protect control_log_messages=noname
`protect control_output_method=encrypted
`protect control_output_method=plain-text, license=(…)
`protect encoding=(enctype=“base64”, …), control_digest
encoded encrypted control digest
`protect data_method=“des-cbc”
`protect encoding=(enctype=“base64”, …), data_block
encoded encrypted IP
`protect end_protected
26
Introducing Tool Version
Decryption Envelope (enhanced)
Key Block - Simulation User
Session Key (for data-block)
Key Block – Synthesis User
Session Key (for data-block)
Session Key (for control-block)
Tool Version
Control Block – Synthesis User
27
Synthesis User Tool with
version older than this is
not allowed to read this IP
Syntax – Tool Version
Decryption Envelope (enhanced with examples)
`protect begin_protected
`protect key_keyowner=“IP User”, key_method=“rsa”
`protect encoding=(enctype=“base64”, …), key_block
data-session-key=<session key>
control-session-key=<new session key>
tool-version=<version number>
`protect control_keyowner=“IP User”, control_method=“des-cbc”, control_block
`protect control_visibility=none
`protect control_visibility=full, data_state=mapped
`protect control_log_messages=noname
`protect control_output_method=obfuscated
`protect control_output_method=plain-text, license=(…)
`protect encoding=(enctype=“base64”, …), control_digest
encoded encrypted control digest
`protect data_method=“des-cbc”
`protect encoding=(enctype=“base64”, …), data_block
encoded encrypted IP
`protect end_protected
28
Encryption Script (for IP Vendors)
IP Source File
Verilog source
VHDL Source
…
Encryption
Tool/Script
Key Repository
IP User A = <Public Key>
IP User B = <Public Key>
29
Encrypted IP Source
(Decryption Envelope)
Encryption Script – Enhancements
(for non-HDL files)
IP Source File
C/EDIF source
Design constraints
…
Encryption
Tool/Script
IP Encryption Header
`protect pragmas
Key Repository
IP User A = <Public Key>
IP User B = <Public Key>
30
Encrypted IP Source
(Decryption Envelope)
Syntax Example – Encryption Header
Encryption Header file
`protect key_keyowner=“IP User”, key_method=“rsa”, key_block
`protect control_keyowner=“IP User”, control_method=“des-cbc”, control_block
`protect control_visibility=none
`protect control_visibility=full, data_state=mapped
`protect control_log_messages=noname
`protect control_output_method=obfuscated
`protect control_output_method=plain-text, license=(…)
`protect data_method=“des-cbc”, begin
<IP Source File>.c
`protect end
31
Optional. If present, ensures
encryption header is linked to
specified file only
End
Thank You
32