CYCLONE-User-Manual.pdf - 第117页
User Manual For Cyclone LC Programmers 117 configuration. 3) Stand Alone Programming (SAP) Data This section contains all of the information a Cyclone needs to program a target as specified in the image creation process.…
User Manual For Cyclone LC Programmers 116
11 SAP IMAGE ENCRYPTION
CYCLONE FX programmers and CYCLONE programmers with the ProCryption Security
Activation License allow users to create RSA/AES encrypted programming images that use their
own uniquely generated ImageKey. These encrypted images may only be used to program when
on Cyclones that are also pre-configured with the same ImageKey. This keeps the user securely in
control of both their IP and the programming process.
11.1 Overview
PEmicro uses a combination of industry-standard RSA and AES encryption technologies to
encrypt images. When a programming image has been encrypted it requires two different
asymmetric keys to be decrypted. The first is a user generated RSA encryption Key that was
specified when the programming image was generated. The second is a native key which comes
pre-installed in the Cyclone (and does not exist on the PC). This means that an encrypted image
may (A) only be loaded onto a Cyclone which holds a copy of a user generated ImageKey, and (B)
only be decrypted for programming while on a Cyclone which holds a copy of a user generated
ImageKey. The Cyclone Control Suite (GUI, Console, SDK) allows the user to add and delete
ImageKeys from Cyclones, much like programming images may be added or deleted. While many
users will use only a single ImageKey to encrypt all of their images, Cyclones may have many
different keys loaded.
Encrypted images are stored in the Cyclone in their encrypted form. If the ImageKey needed by a
programming image is deleted from the Cyclone, the Cyclone loses the ability to load any images
encrypted with that ImageKey or program any encrypted images encrypted with that ImageKey
that are already loaded. Adding the ImageKey back into a Cyclone gives that Cyclone access to
those stored encrypted images which require that ImageKey.
Encrypted images can safely be sent through electronic means to production facilities since they
are unusable without a Cyclone which has been pre-loaded with the appropriate ImageKey.
ImageKeys on the PC are themselves partially encrypted so that certain pieces can only by used
on a Cyclone. Even with this, they should be handled with care as they can be loaded into any
Cyclone.
11.2 Encrypting/Decrypting a Programming Image
The Cyclone Image Creation Utility can generate ImageKeys that are used to encrypt SAP images.
The steps that are necessary to generate ImageKeys, encrypt SAP images, provision Cyclones to
decrypt, and program with encrypted SAP images are detailed in Section 6.1.8 - ProCryption
Security License Features.
11.3 What is Encrypted in an eSAP File, and How
An encrypted image (eSAP) contains three distinct sections: an informational header, a
configuration section, and a stand alone programming (SAP) data section. The ImageKey encrypts
each section in different ways to control access to each portion of the eSAP file.
The three eSAP sections are:
1) Informational Header
This section includes the description of the eSAP Image, its unique ID, the ID and name of the
ImageKey used to encrypt it, and a checksum of the data. This section is not encrypted.
2) Configuration Section
This section contains a copy of the configuration settings used to generate the Image
including which algorithm was used, power settings, clock settings, script files, and paths to
the binary data files. No programming data from the user’s data files is included in this
section. This section is encrypted in such a way that if a user has the appropriate ImageKey
on the PC, they may import the configuration information from an eSAP file into the Image
Creation Utility. This is useful for seeing the settings used to generate an image, and, if the
user has all of the data files needed, generate a new programming image file with the same
User Manual For Cyclone LC Programmers 117
configuration.
3) Stand Alone Programming (SAP) Data
This section contains all of the information a Cyclone needs to program a target as specified
in the image creation process. This includes all programming data, algorithms, scripts,
settings, etc. This section is encrypted with several keys, including the user generated
asymmetric key as well as a native asymmetric key used by the Cyclone. Once encrypted,
this section may not be decrypted except by the Cyclone during the programming process.
Figure 11-4: SAP Encryption
The end result of the encryption used to proceed the Stand Alone Programming Data is that the
section can only by decrypted and used internally on a Cyclone which has a copy of the specified
ImageKey provisioned within it. This eSAP section cannot be decrypted on a PC even with the
ImageKey
11.4 Managing Encryption For Production Programming
The steps needed to encrypt programming images using the Cyclone Image Creation Utility are
detailed in Section 6.1.8.1 - SAP Image Encryption. This section details how to successfully
implement the use of these encrypted (eSAP) images into the production programming process.
11.4.1 Provisioning a Cyclone with an ImageKey
Cyclones that have been provisioned with an ImageKey are the only Cyclones that are able to load
and program eSAP images encrypted with that ImageKey. When the user determines that one or
more Cyclone programmer(s) will have access to an encrypted image, they need to load the
ImageKey that was used to encrypt that image onto the Cyclone. This can be done with the
Cyclone Control Suite GUI, Console, or SDK. Instructions on the use of these Control Suite
options is explained in CHAPTER 8 - CYCLONE PROGRAMMER AUTOMATED CONTROL
(CYCLONE CONTROL SUITE).
Figure 11-5 shows the Cyclone Control GUI with the Encrypted Keys tab selected.
User Manual For Cyclone LC Programmers 118
Figure 11-5: ImageKey Listing for Connected Cyclone
This tab displays any ImageKeys that are present on the Cyclone to which the user is connected.
Note: If there is an encrypted SAP image on the Cyclone whose corresponding ImageKey has been
removed, the required ImageKey will be displayed as “Missing,” along with its Name and ID.
To provision a Cyclone with an ImageKey, the user simply clicks the “Add Encryption Key” button
and browses for the ImageKey that they wish to load onto the connected Cyclone.
Figure 11-6: Browse for ImageKey