Why Choose Between an FPGA and an MCU when you Can Have Both … with Security?

Vincent van der Leest, Director Product Marketing
Grant Jennings, GOWIN Semiconductor |

Every day, millions of new devices get connected to the Internet of Things (IoT), and without a proper secure-by-design approach, these devices add unnecessary risk and liability for network operators, OEMs and end users. These devices are typically low cost and always on, and as a result they are very attractive targets for hackers looking to steal data or cause calamity to surrounding infrastructure, such as the power grid in the Ukraine. IoT device manufacturers cannot ignore security when they bring products to market.

But ensuring security can hinge on other product decisions, such as which semiconductors govern the operation and intelligence of such products. Today’s IoT devices often use one or more MCUs or FPGAs to control the system and process data. FPGAs have the benefits of high I/O counts, low latency and process parallelization, while MCUs have an ease of use when it comes to porting libraries and APIs from one device to another. Many MCUs and FPGAs do not address security at all, or do so only as an afterthought. This leads to vulnerabilities, as sensitive information is often stored in unprotected, non-volatile memory, open to an attack. Today’s devices need secure MCUs or FPGAs to protect the sensitive data they transport and the valuable IP that is stored in flash. And they also need to prevent cloning and counterfeiting of the devices themselves.

So, product managers must balance the trade-offs among MCU advantages, FPGA advantages and security. Or do they?

Have your cake, eat it too – and add ice cream

Actually, they can have all three. It is possible to have the security rooted in hardware that is required to build IoT devices, combined with the beneficial attributes of both an FPGA and an MCU. These features are enabled within GOWIN Semiconductor’s new and innovative product, SecureFPGA. SecureFPGA combines the programmable fabric of an FPGA with a fully integrated SoC, based on an Arm Cortex-M3. GOWIN SecureFPGA is the only IC product that contains an FPGA, MCU and a hardware root of trust at the power and size suitable for cost-effective edge applications. Furthermore, it offers a security library based on its hardware root of trust for device identification, secure boot, key generation, firmware signing and data encryption by using Intrinsic ID’s BroadKey-Pro for adding SRAM PUF (Physical Unclonable Function) technology. Compared to other solutions, SecureFPGA makes it easier and quicker to deploy essential security features.

SRAM PUF technology is based on the physical characteristics of a chip to secure an unclonable device identity. Since these characteristics are uncontrollable, the physical properties cannot be copied or cloned. The keys derived from SRAM PUFs are never stored, but only regenerated when they are needed. When combined with the building blocks from BroadKey-Pro, such as Elliptic Curve Cryptography (ECC), symmetric encryption (e.g. AES) and random number generation, this creates a security solution rooted in the hardware of the device. It allows devices to authenticate to the network and to other devices, set up secure connections, and even protect valuable IP and sensitive information on the IoT device itself.

The features of GOWIN’s SecureFPGA are well suited to implement small-form-factor IoT solutions with package sizes as small as 2.5×2.5mm². The FPGA fabric can be used for always-on, low-power applications where sensor and peripheral behavior is monitored constantly. This is done with no clock running or only a small portion of the fabric clocked. This often has a lower power profile than an MCU operating at a much higher frequency to perform the same function. In the SecureFPGA, the onboard processor can be turned on after the FPGA detects static power consumption during the monitoring phase. This adds many unique capabilities with the addition of security to the device. Since the FPGA can continually monitor sensors and peripherals and wake up the processor, it can use the BroadKey-Pro security library to safely process and transmit the identified information.

A similar case is true for edge-computing applications requiring hardware acceleration. FPGAs are good at applications such as imaging, graphics rendering or artificial intelligence requiring high throughput and multiple computations to be performed at the same time. In these cases, an MCU still provides high value in providing serial control of these acceleration blocks. Using the BroadKey-Pro security library, users can protect IP running within the SecureFPGA device, provide unique device identification to IP blocks and external connections, and encrypt data and control activities leaving the device.

SecureFPGA is also very useful in server applications as a security management device. Servers often have many large ICs on the motherboard such as processors, larger FPGAs and ASICs. Many of these devices utilize external SPI flash to hold instruction and configuration data which can be hacked or cloned if they are not monitored by a security engine. In these applications SecureFPGA performs secure boot of each of these independent systems by validating firmware signatures in each SPI flash prior to these larger IC’s powering up to validate that all ICs are running genuine firmware.

So SecureFPGA is the perfect solution to combine the strengths of MCUs and FPGAs with strong security rooted in the hardware of the chip. This new and innovative product family has the right balance of features for use in resource-constrained IoT devices, edge-computing platforms and server environments.

Vincent van der Leest is Director Product Marketing at Intrinsic ID. In his 9 years at Intrinsic ID, Vincent’s roles within the organization have included business development and managing the company’s portfolio of European-funded projects. Vincent is author or co-author of a number of scientific papers on Intrinsic ID’s core technology, as well as several of the company’s patents. He holds a master’s degree in Electrical Engineering from Eindhoven University of Technology and worked for ASML and Philips before joining Intrinsic ID.

Grant Jennings is Director of International Marketing at GOWIN Semiconductor, focused on strategic solutions for programmable technologies. He has over 12 years of FPGA systems architecture experience in areas including ASIC prototyping, interfacing, bridging and hardware acceleration. Grant received his electrical engineering degree from Iowa State University and his MBA from Texas A&M University. He worked at Collins Aerospace and Lattice Semiconductor for many years while also establishing his own hardware solutions company prior to joining GOWIN.