Synopsys P1735 Proposals. Dave Graubart & Parminder Gill, November 1, 2010


Page 1: Synopsys P1735 Proposals

Synopsys P1735 Proposals

Dave Graubart & Parminder Gill
November 1, 2010

Page 2: Synopsys P1735 Proposals

Agenda

• Problem Statement
• Requirements
• Proposals
• Plan: Between now and next meeting: collect feedback and contribute to Twiki

Page 3: Synopsys P1735 Proposals

Problem Statement

• Interoperability needs not yet met
  – Rights management
  – More complex tool flows
  – EDA tool version control
• These are essential for Synopsys FPGA synthesis in first version of 1735
• We’re now prepared to make contributions

Page 4: Synopsys P1735 Proposals

More Complex Tool Flow

[Flow diagram. Labels: C or M; High level synthesis; RTL; RTL synthesis; SDC; Formal Verification; Simulation; Netlist; Placed Netlist; Place & Route]

Page 5: Synopsys P1735 Proposals

Requirements

1. Extensibility to any language
2. Tool rights
3. User rights
4. IP creation tool
5. Control of authorized tool versions

Page 6: Synopsys P1735 Proposals

Requirement 1: Extensibility to any language

• Support existing envelope for Verilog and VHDL
• Support envelope as header in any file
  – Useful for C, M (Matlab), EDIF, SDC, and others

Page 7: Synopsys P1735 Proposals

Requirement 2: Tool Rights

• Create rights/control block per key block
  – Plain text so end-user can view
  – Digest line that is tamper-proof and tightly associated with IP
  – Each right can be conditional
• Narrow scope of public key: key for single tool or family of similar tools, not one key for a big EDA vendor

Page 8: Synopsys P1735 Proposals

Requirement 3: User Rights

• Identical mechanism to Tool Rights
• Use conditional syntax where condition varies by user
• Condition can be satisfied in multiple ways such as
  – License requirement
  – Password
  – One-time activation
  – Arbitrary mechanism

Page 9: Synopsys P1735 Proposals

Requirement 4: Tool for IP Author

• Lower barrier for IP author participation
• Synopsys can contribute script that uses OpenSSL to process:
  – Encryption envelope or source plus commands
  – Key repository

Page 10: Synopsys P1735 Proposals

Requirement 5: Control of authorized tool versions

• Allow IP author to specify minimum version of tool
  – After security fix
  – After functional enhancement
• Avoid expensive introduction of new keys
• Different than P1735 version

Page 11: Synopsys P1735 Proposals


Details and Proposed Solutions

Page 12: Synopsys P1735 Proposals

Encrypted Synthesis flow

[Flow diagram. Labels: RTL; Compile; Map; Netlist; Compiler log messages; Mapper log messages; Log file; Technology view; RTL view; Graphical Views]

Page 13: Synopsys P1735 Proposals

Encrypted Synthesis flow

[Flow diagram. Labels: RTL; Compile; Map; Netlist; Compiler log messages; Mapper log messages; Log file; Technology view; RTL view; Graphical Views. Labels repeated on this slide: Technology view; Mapper log messages; Netlist; RTL view; Compiler log messages]

Page 14: Synopsys P1735 Proposals

Encrypted Synthesis flow

[Flow diagram. Labels: RTL; Compile; Map; Netlist; Compiler log messages; Mapper log messages; Log file; Technology view; RTL view; Graphical Views. Labels repeated on this slide: Technology view; Mapper log messages; Netlist; RTL view; Compiler log messages]

Controls and their values:
• Visibility: None, Interfaces, No-restriction
• Log Messages: None, No-name, No-restriction
• Output Method: None, Encrypted, Obfuscated, Plain-text

Page 15: Synopsys P1735 Proposals

Introducing Control Block

[Block diagram: Decryption Envelope (current). Labels, in order: Key Block - Simulation User; Key Block - Synthesis User; Data Block]

Page 16: Synopsys P1735 Proposals

Introducing Control Block

[Block diagram: Decryption Envelope (enhanced). Labels, in order: Key Block - Simulation User; Key Block - Synthesis User; Data Block; Control Block - Synthesis User]

Annotations:
• Basic encryption
• Encryption with fine grained controls

Page 17: Synopsys P1735 Proposals

Enhancing Key Block

[Block diagram: Decryption Envelope (current). Labels, in order: Key Block - Simulation User; Session Key (for data-block); Key Block – Synthesis User; Session Key (for data-block)]

Page 18: Synopsys P1735 Proposals

Enhancing Key Block

[Block diagram: Decryption Envelope (enhanced). Labels, in order: Key Block - Simulation User; Session Key (for data-block); Key Block – Synthesis User; Session Key (for data-block); Control Block – Synthesis User; Session Key (for control-block)]

Page 19: Synopsys P1735 Proposals

Enhancing Key Block

[Block diagram: Decryption Envelope (enhanced). Labels, in order: Key Block - Simulation User; Session Key (for data-block); Key Block – Synthesis User B; Session Key (for data-block); Control Block – Synthesis User B; Session Key (for control-block); Key Block – Synthesis User A; Session Key (for data-block); Control Block – Synthesis User A; Session Key (for control-block)]

Annotations:
• Separate Control block for each tool
• Separate Control block session key for each tool

Page 20: Synopsys P1735 Proposals

Defining Control Block

[Block diagram: Decryption Envelope (enhanced). Labels, in order: Key Block - Simulation User; Key Block - Synthesis User; Control Block; Control Line: Right=value; Control Line: Right=value, condition; Control Digest]

Page 21: Synopsys P1735 Proposals

21

Syntax Proposal – Key Block

`protect begin_protected`protect key_keyowner=“IP User”, key_method=“rsa”`protect encoding=(enctype=“base64”, …), key_block<session key>

`protect data_method=“des-cbc”`protect encoding=(enctype=“base64”, …), data_blockencoded encrypted IP`protect end_protected

Decryption Envelope (current)

encoded encrypted

Page 22: Synopsys P1735 Proposals

Syntax Proposal – Key Block

Decryption Envelope (enhanced)

`protect begin_protected
`protect key_keyowner="IP User", key_method="rsa"
`protect encoding=(enctype="base64", …), key_block
data-session-key=<session key>
control-session-key=<control session key>

`protect data_method="des-cbc"
`protect encoding=(enctype="base64", …), data_block
encoded encrypted IP
`protect end_protected

Annotation: encoded encrypted

Page 23: Synopsys P1735 Proposals

Syntax Proposal – Control Block

Decryption Envelope (re-spaced)

`protect begin_protected
`protect key_keyowner="IP User", key_method="rsa"
`protect encoding=(enctype="base64", …), key_block
data-session-key=<session key>
control-session-key=<control session key>

`protect data_method="des-cbc"
`protect encoding=(enctype="base64", …), data_block
encoded encrypted IP
`protect end_protected

Page 24: Synopsys P1735 Proposals

Syntax Proposal – Control Block

Decryption Envelope (enhanced)

`protect begin_protected
`protect key_keyowner="IP User", key_method="rsa"
`protect encoding=(enctype="base64", …), key_block
data-session-key=<session key>
control-session-key=<control session key>

`protect control_keyowner="IP User", control_method="des-cbc", control_block
`protect <right>=<value>
`protect <right>=<value>, <conditions>
`protect encoding=(enctype="base64", …), control_digest
encoded encrypted control digest

`protect data_method="des-cbc"
`protect encoding=(enctype="base64", …), data_block
encoded encrypted IP
`protect end_protected

Page 25: Synopsys P1735 Proposals

Control Block – Internal Details

[Block diagram: Decryption Envelope (enhanced). Labels, in order: Key Block - Simulation User; Data Block; Control Block; Control Line: Right=value; Control Line: Right=value, condition; Control Digest]

Page 26: Synopsys P1735 Proposals

Syntax Example – Control Block

Decryption Envelope (enhanced with examples)

`protect begin_protected
`protect key_keyowner="IP User", key_method="rsa"
`protect encoding=(enctype="base64", …), key_block
data-session-key=<session key>
control-session-key=<new session key>

`protect control_keyowner="IP User", control_method="des-cbc", control_block
`protect control_visibility=none
`protect control_visibility=unrestricted, data_state=mapped
`protect control_log_messages=noname
`protect control_output_method=encrypted
`protect control_output_method=plain-text, license=(…)
`protect encoding=(enctype="base64", …), control_digest
encoded encrypted control digest

`protect data_method="des-cbc"
`protect encoding=(enctype="base64", …), data_block
encoded encrypted IP
`protect end_protected
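Added example, not part of the original slides: a Python sketch of how a consuming tool could check the control digest before trusting the plain-text control lines, then resolve the conditional rights from the page 26 example. The HMAC-SHA256 digest, the "last matching line wins" precedence and all function names are assumptions, since the slides define neither the digest algorithm nor precedence; the `license=(…)` line is omitted because its condition is elided.

```python
import hashlib
import hmac

# Constructed sample: control lines from the page 26 example (license line omitted).
CONTROL_LINES = [
    "`protect control_visibility=none",
    "`protect control_visibility=unrestricted, data_state=mapped",
    "`protect control_log_messages=noname",
    "`protect control_output_method=encrypted",
]

def parse_control_line(line):
    """Split '`protect <right>=<value>[, <cond>=<val>...]' into its parts."""
    body = line.strip()
    if not body.startswith("`protect "):
        raise ValueError(f"not a protect pragma: {line!r}")
    parts = [p.strip() for p in body[len("`protect "):].split(",")]
    right, _, value = parts[0].partition("=")
    conditions = dict(p.split("=", 1) for p in parts[1:])
    return right, value, conditions

def control_digest(control_key, lines, data_block):
    """Assumed digest: HMAC-SHA256 keyed with the control session key."""
    mac = hmac.new(control_key, digestmod=hashlib.sha256)
    for line in lines:
        mac.update(line.strip().encode() + b"\n")
    # Hashing the data block in ties the rights to this IP, not just to the text.
    mac.update(hashlib.sha256(data_block).digest())
    return mac.hexdigest()

def effective_rights(control_key, lines, data_block, digest, context):
    """Verify the digest, then apply lines in order (assumed: last match wins)."""
    expected = control_digest(control_key, lines, data_block)
    if not hmac.compare_digest(expected, digest):
        raise ValueError("control block or data block was modified")
    rights = {}
    for line in lines:
        right, value, conditions = parse_control_line(line)
        if all(context.get(k) == v for k, v in conditions.items()):
            rights[right] = value
    return rights
```

Because the control lines are readable and editable by the end user, the digest check has to run before any right is honoured; a line edited from `none` to `unrestricted` or a control block moved onto a different data block both fail it.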

Page 27: Synopsys P1735 Proposals

Introducing Tool Version

[Block diagram: Decryption Envelope (enhanced). Labels, in order: Key Block - Simulation User; Session Key (for data-block); Key Block – Synthesis User; Session Key (for data-block); Control Block – Synthesis User; Session Key (for control-block); Tool Version]

Tool Version: Synthesis User Tool with version older than this is not allowed to read this IP

Page 28: Synopsys P1735 Proposals

Syntax – Tool Version

Decryption Envelope (enhanced with examples)

`protect begin_protected
`protect key_keyowner="IP User", key_method="rsa"
`protect encoding=(enctype="base64", …), key_block
data-session-key=<session key>
control-session-key=<new session key>
tool-version=<version number>
`protect control_keyowner="IP User", control_method="des-cbc", control_block
`protect control_visibility=none
`protect control_visibility=full, data_state=mapped
`protect control_log_messages=noname
`protect control_output_method=obfuscated
`protect control_output_method=plain-text, license=(…)
`protect encoding=(enctype="base64", …), control_digest
encoded encrypted control digest

`protect data_method="des-cbc"
`protect encoding=(enctype="base64", …), data_block
encoded encrypted IP
`protect end_protected

Page 29: Synopsys P1735 Proposals

Encryption Script (for IP Vendors)

[Flow diagram. Labels: IP Source File (Verilog source, VHDL Source, …); Key Repository (IP User A = <Public Key>, IP User B = <Public Key>); Encryption Tool/Script; Encrypted IP Source (Decryption Envelope)]

Page 30: Synopsys P1735 Proposals

Encryption Script – Enhancements (for non-HDL files)

[Flow diagram. Labels: IP Source File (C/EDIF source, Design constraints, …); Key Repository (IP User A = <Public Key>, IP User B = <Public Key>); Encryption Tool/Script; IP Encryption Header (`protect pragmas); Encrypted IP Source (Decryption Envelope)]

Page 31: Synopsys P1735 Proposals

Syntax Example – Encryption Header

Encryption Header file

`protect key_keyowner="IP User", key_method="rsa", key_block

`protect control_keyowner="IP User", control_method="des-cbc", control_block
`protect control_visibility=none
`protect control_visibility=full, data_state=mapped
`protect control_log_messages=noname
`protect control_output_method=obfuscated
`protect control_output_method=plain-text, license=(…)

`protect data_method="des-cbc", begin
<IP Source File>.c
`protect end

Optional. If present, ensures encryption header is linked to specified file only

Page 32: Synopsys P1735 Proposals


End

Thank You