Invented by Mark Bradley Davis, Erez Izenberg, Robert Michael Johnson, Asif Khan, Islam Mohamed Hatem Abdulfattah Mohamed Atta, Nafea BShara, Christopher Joseph Pettey, Amazon Technologies Inc

The market for controlling access to previously stored logic in a reconfigurable logical device is experiencing significant growth as the demand for secure and flexible computing solutions continues to rise. Reconfigurable logical devices, such as field-programmable gate arrays (FPGAs), offer the ability to modify the functionality of the hardware after manufacturing, making them highly adaptable for various applications. In recent years, there has been a growing need for controlling access to the previously stored logic in these devices. This is primarily driven by concerns over intellectual property (IP) protection, security, and the prevention of unauthorized modifications to the logic stored within the device. As FPGAs are increasingly used in critical applications like aerospace, defense, and telecommunications, the need for robust access control mechanisms becomes paramount. One of the key drivers for the market growth is the increasing adoption of reconfigurable logical devices in various industries. FPGAs are being widely used in sectors such as automotive, healthcare, industrial automation, and data centers, where the ability to reconfigure the logic provides significant advantages. However, this flexibility also poses challenges in terms of ensuring the security and integrity of the stored logic. Controlling access to previously stored logic involves implementing security measures that restrict unauthorized access and modifications. This can be achieved through various techniques such as encryption, authentication, and access control policies. Encryption ensures that the stored logic is protected from unauthorized access by encrypting it using cryptographic algorithms. Authentication mechanisms verify the identity of users or devices attempting to access the logic, preventing unauthorized modifications. Access control policies define the permissions and privileges granted to different entities, ensuring that only authorized users can modify or access the stored logic. The market for controlling access to previously stored logic in reconfigurable logical devices is also driven by the increasing concern over IP protection. Companies invest significant resources in developing proprietary logic designs, and protecting this intellectual property is crucial for maintaining a competitive edge. Access control mechanisms help prevent unauthorized copying or reverse engineering of the stored logic, safeguarding valuable IP. Furthermore, the market growth is also fueled by the rising number of cyber threats and the need for secure computing solutions. Reconfigurable logical devices are susceptible to attacks such as tampering, side-channel attacks, and malicious modifications. Implementing access control measures helps mitigate these risks and ensures the integrity and confidentiality of the stored logic. The market for controlling access to previously stored logic in reconfigurable logical devices is highly competitive, with several companies offering specialized solutions. These solutions range from hardware-based security features integrated into the devices themselves to software-based solutions that provide access control through secure protocols and cryptographic algorithms. Companies are continuously innovating to develop more robust and efficient access control mechanisms to meet the evolving security requirements of the market. In conclusion, the market for controlling access to previously stored logic in reconfigurable logical devices is witnessing significant growth due to the increasing adoption of FPGAs in various industries and the need for secure and flexible computing solutions. The demand for access control mechanisms is driven by concerns over IP protection, security, and the prevention of unauthorized modifications. As the market continues to evolve, companies are investing in innovative solutions to provide robust access control measures and ensure the integrity and confidentiality of the stored logic.

The Amazon Technologies Inc invention works as follows

Methods are disclosed to securely erase partitions of reconfigurable devices, such as FPGAs, in a server multi-tenant environment. In one example, a method of securely erasing an FPGA includes identifying one partition of previously-programmed resources in the FPGA, erasing the identified partition by storing new values in memory or storage elements of the identified partition, and storing new values in memory or storage elements of additional external resources electrically connected to the integrated circuit and associated with the identified partition. Other partitions or subsequent users of the identified part are thus prevented from accessing securely erased data. “A configuration circuit that is accessible via DMA by the host computer can be programmed in the FPGA reconfigurable logical for performing the disclosed erasing operation.

Background for Controlling access to previously stored logic in a reconfigurable logical device

Cloud computing is the usage of computing resources, including hardware and software, which are located in remote locations and can be accessed via a network such as the Internet. Some arrangements allow users to purchase computing resources, such as storage and processing power, on a demand basis. Cloud computing allows remote services to handle a user’s software, data and computation. Virtual computing resources offer a variety of benefits, including cost savings and the ability to quickly adapt to changing computing needs.

Some computations can also be accelerated by using a coprocessor. This includes accelerators that are implemented with reconfigurable logical (e.g. in a Field Programmable Gate Array, or FPGA). FPGA developers connect a host computer equipped with a specialized JTAG interface to external pins on a local FPGA to accelerate functions mapped onto the FPGA. “Using such accelerators within a cloud computing system, which lacks FPGA specialized hardware or security features, offers ample opportunities for improvement.

As a solution to providing specialized computing within a set reusable of general computing resources, a server computing platform with configurable logic can be provided (for example by supplying a server computing device with an add-in-card that includes a reconfigurable logical device such as a FPGA). Configurable logic refers to hardware that can be configured or programmed to perform logic functions specified by configuration data. A user of computing resources may provide a specification for configuring configurable logic (e.g. written in Verilog or SystemVerilog or VHDL), or another language (e.g. C++ or SystemC) in the form of a netlist created by a schematic capture program or a script. The configurable logic may be configured in accordance with the specification and then used to perform an action for the user. Allowing a user to access low-level hardware can introduce privacy and security issues in the computing facility. As reconfigurable devices and their associated components (e.g. memory and other circuits connected to reconfigurable devices) are typically used by multiple users in a cloud-based environment, the data stored on the devices and components shouldn’t be accessible to future users.

The disclosed technologies include techniques for isolating, clearing, and/or scrubbing data stored in reconfigurable devices, and associated additional resources. The disclosed technologies include methods for isolating and/or cleaning data in reconfigurable devices and additional resources.

As used in this document, the term “isolating” refers to configuring a portion of a reconfigurable logic device so as to logically separate a partition from other circuitry within the reconfigurable logic device. Refers to the configuration of a portion within a reconfigurable logical device to logically isolate a partition from circuitry in the reconfigurable logic device. Isolating a partition makes it inaccessible to other partitions within the reconfigurable device (e.g. other processes of a user host), as well as unauthorized access by other devices (e.g. other processes of a user host on a computer host) external to that reconfigurable device. Devices can be isolated, for example, by reprogramming the logic that connects a partition to other partitions in the device, reprogramming the interconnect or by asserting/de-asserting signals controlling interface circuits, such as tristate gates, multiplexers, pass gates and/or gate gates. In some cases, isolating configurations allow logic in other partitions to continue operating while a selected partition has been isolated, scrubbed, and cleared.

As used herein, ?clearing? Resetting values in memory or storage elements is done by using the reset functionality of the reconfigurable logical device. Clearing is achieved by applying a configuration to a port on an FPGA. The configuration bitstream will cause the FGPA’s configuration to be reset or in another known state, which prevents the access of previously stored data. In some cases, the configuration bitstream is used to reconfigure only a portion of reconfigurable hardware in the device. In some examples, a FPGA has reset functionality which can be activated by asserting the signals on the FPGA’s I/O. In some examples the act of clearing the reconfigurable device logic can be performed using a specialized bitstream and a partial reconfiguration. Partial reconfiguration allows logic partitions and user partitions to be maintained, as well as supervisor and host partitions. Multiple users can use different parts of a reconfigurable device at the same time. After they are done using their portion, these users can clear and scrub it. While logic is being removed from a partition, other logic and memory devices may continue to function normally.

As used in this document, the term “scrubbing” refers to performing a series of operations with a circuit to erase values stored in memory or storage. Refers to a series operations performed on a circuit in order to erase data stored in the memory or storage elements of the circuit. Data can be erased by writing random values or a set of known values, such as all zeroes or all ones or all of the same pattern (0xdeadbeef) to replace previously stored data in the circuit. In some examples, the scrubbing of the partition can be done by operating the specialized logic within the reconfigurable device and performing partial reconfiguration. Scrubber circuits can send known values to alternate inputs (e.g. data inputs or set/clear/reset inputs), such as latches or flip-flops. This will reset the stored values. Scrubber circuits can perform multiple writes to multiple addresses of a memory or use a set or reset pin to perform the function. The scrubber circuit can use a port on a memory with multiple read ports to write data values known over previously stored values. While logic in a selected partition is being cleaned, logic in other partitions, and their associated memory devices, can continue to function normally.

Typically, users or supervisors are not allowed to access their partitions when isolating the reconfigurable device. However, in some cases, supervisor partitions or user partitions may be configured so that they can have partial access during this action. Clearing and/or scrubbing only a portion or resources of the reconfigurable devices and/or associated resource allows user logic and memory to be maintained in any other user partitions as well as supervisor and host partitions. Multiple users can use different portions of the reconfigurable logic devices at the same time. These users can then have their partitions cleared and scrubbed once they are done using it, such as when terminating a user compute host instance.

As described in this document, a computing facility can include various computing resources. One of these computing resources is a server computer, also known as a host, which includes a configurable platform. A user of the computer can program or configure the configurable platform so that the hardware (e.g. the configurable intelligence) of the computing resources is customized by them. The user could, for example, program the configurable logic to function as a hardware acceleration that is tightly coupled with the server computer. The hardware accelerator, for example, can be accessed via the local interconnect of the server computer, such as an IEEE 802.3 connection or a PCI-Express (PCIe). A user can run an application on a server computer, and the hardware accelerator can perform tasks using PCIe transactions. The latency between the accelerator computer and the server can be reduced by tightly coupling the accelerator computer to the server. This can increase the speed of processing.

The compute service provider can manage computing resources by using software services for the configuration and operation. The compute service provider, for example, can implement a logic repository for ingesting hardware or logic designs of users, generating validated configuration data to configure the configurable platform based upon the application logic created for the user and downloading the configured data as a response to a configuration request for an instance of configurable logic platforms. Configuration data may include circuits to clear and scrub reconfigurable logic components and devices after the use of computer resources has been terminated. The user who developed the logic or the user with a license can request the download. Thus, logic design can be developed by a compute services provider, user, or third-party independent of the user or compute services provider. Users of a compute services provider can, for example, be given access to a marketplace that contains intellectual property (IP), and they can increase the speed of applications by choosing an accelerator in the marketplace.

FIG. FIG. 1 shows a diagram of a computing system 100 that includes a logic repository 110. This service manages configuration data which can be used to configure configurable compute resources. The logic repository service 110 is used to ingest host and application logic in an infrastructure of a computing services provider. It can also be used to generate configuration data from the ingested design, maintain a repository for the ingested design and generated configuration data and provide configuration data for configurable resources within compute resources 120.

The logic repository 110 service can be a service that is accessible over the network, like a web-service. Cloud computing is often based on web services. A web service is software that can be accessed via the internet or cloud. Clients send web service requests to the servers, and servers respond with appropriate responses. Client web service requests can be initiated by an API request. Web service requests are described as API requests for simplicity. However, other web services can also be requested. API requests are a programmatic interface for a defined message system that is typically expressed in JSON, XML or other formats. This is made available via the internet, most commonly through an HTTP-based server. In certain implementations, APIs can be defined by a set Hypertext Transfer Protocol messages (HTTP), along with a description of the format of response messages. These can be expressed in Extensible Markup Languages (XML) and JavaScript Object Notation. APIs can be a collection of routines or functions that accomplish a task, such as completing a particular task or allowing software interaction. The web service can send a response when it receives an API request from the client device. The web service may also perform actions as a result of the API request, without sending a response back to the endpoint specified in the request.

The logic repository service can receive an API Request 130 for configuration data to be generated by a configurable platform, like configurable hardware 142 on a server computer. Typically, configurable hardware 142 consists of reprogrammable devices such as Field Programmable Gate Arrays, configurable programmable devices (CPLDs), programmable devices (PLDs), programmable memories (e.g. electrically erasable programmable Read Only Memory (EEPROM) and flash memory). In some examples, all or part of the configurable equipment is one-time programmable. In some examples the logic repository service is implemented entirely or partially using the server 140. In other examples the functionality is implemented by computer resources that are separate from the server.

The API request 130 may be initiated by a developer, or a partner user of ‘the compute services provider. The request 130 may include fields that specify data or metadata about a logic design, a configurable hardware platform (such as the source code for the hardware design), user information, permissions to access the service, and production status. It can also include additional fields that describe information about inputs, outputs and users of logic repository service 110. The request may include, for example, a description of a design, a production state (such a trial or production), the encrypted status of an input or output, a reference for a storage location (such as a source code for the hardware design), the type of input file, the instance type of configurable hardware and a reference for a storage location for an output file. The request can, for example, include a reference a hardware specification specifying application logic (132) to be implemented on the configurable platform. The host logic 134 that will be used by the compute services provider to control the operation of the application when programmed in the configurable hardware is received, for example, from the development team. The specification for the application logic and/or host logic can be a set of files such as source codes, netlists generated by logic synthesis tools, or placed and routed logic gate generated by place and route tools. The source code may be written in a register-transfer logic (RTL), HDL, Open Computing Language (OpenCL), or C.

The compute resources” 120 can include a variety of different types and categories of hardware and software. A resource’s instance type is a way to specify at least some of its hardware and software. Hardware resources include, for example, servers with CPUs of different performance levels, servers with or without coprocessors, servers with or without configurable logic, servers with memory and/or storage capacities and performance varying, and servers that have different levels of networking performance. Examples of software resources include operating systems, applications programs, and driver. A server computer 140 with a CPU 144 communicating with configurable hardware can be an example of a type of instance. The configurable hardware can be programmable such as an FPGA or a programmable logical array (PLA), and a programmable Array logic (PAL), or generic array logics (GAL) for example.

The logic repository 110 can generate configuration information 136 as a response to the API request 130. The generated configuration data can be based upon the application logic and host logic 134. The generated configuration data can contain information that is used to program the configurable hardware so that it can perform the functions specified in the application logic and host logic. The compute services provider, for example, can create the host logic including logic to interface between the CPU and configurable hardware. The host logic 134 could reduce the security and availability risk that the application logic 132 may introduce. In other cases, the application logic can directly communicate with the CPU 144 through an interface such as PCIe Ethernet Infiniband or another suitable interface.

Generating configuration data 136″ can include checking and/or testing the application 132 logic, integrating it into a wrapper logic 134, synthesizing and placing the logic, and/or routing and placing the logic.

Generating configuration data 136″ can include translating and/or compiling source code from the application logic and host logic 134 to data that can then be used to configure or program the configurable hardware. The logic repository service can, for example, integrate the application logic into a wrapper of host logic 134. The application logic can be included in a system that includes both the host logic and the application logic. The integrated system design may be synthesized using a logic-synthesis program to create a system design netlist. The netlist for the instance type specified in the system design can be routed and placed using a program called place and route. The designed placed and routed can be converted into configuration data 136, which can then be used to program configurable hardware 142. The configuration data 136, for example, can be output directly from the place-and-route program.

As an example, the generated data 136 may include a complete bitstream or a partial bitstream that can be used to configure all or part of the configurable logical of an FPGA. This includes isolating and clearing portions of the configurable Logic and Memory and other resources coupled to the integrated circuit containing the FPGA. The logic of an FPGA may be configurable or non-configurable. The configurable logic may include programmable blocks of combinational logic, look-up tables, sequential logic elements, such as latches or flip-flops, programmable clocking and routing resources, programmable RAMs (such a block and distributed random access memory), DSP bitslices (digital signal processing), and programmable pins. Configuration logic (e.g. a configuration port) can be used to load the bitstream into the on-chip memory of configurable logic. The values stored in the on-chip memory can be used to control configurable logic, so that it performs logic functions specified by the bitstream. The configurable logic may also be divided into regions or partitions that can be independently configured. A full bitstream could be used for configuring the configurable regions, while a partial bitstream could be used only to configure a portion. Partial bitstreams can be created for each portion of the FPGA, such as a host logic, first application logic, second application logic, etc. These partial bitstreams can then be downloaded and used independently to program different parts of an FPGA. As the partial bitstreams are independent, the user’s privacy is protected as the detailed knowledge of other parts of the FPGA does not need to be shared. Some examples allow for the encryption of some or all bitstreams. “The non-configurable logic may include macros which perform specific functions within the FPGA such as input/output (SERDES) and gigabit transceivers, analog-to digital converters, memory-control blocks, test-access ports, and configuration-logic for loading configuration data onto configurable logic.

The logic repository service 110 can store the generated configuration data 136 in a logic repository database 150. The logic repository database 150 can be stored on removable or non-removable media, including magnetic disks, direct-attached storage, network-attached storage (NAS), storage area networks (SAN), redundant arrays of independent disks (RAID), magnetic tapes or cassettes, CD-ROMs, DVDs, or any other medium which can be used to store information in a non-transitory way and which can be accessed by the logic repository service 110. Additionally, the logic repository service 110 can be used to store input files (such as the specifications for the application logic 132 and the host logic 134) and metadata about the logic designs and/or the users of the logic repository service 110. The generated configuration data 136 can be indexed by one or more properties such as a user identifier, an instance type or types, a marketplace identifier, a machine image identifier, and a configurable hardware identifier, for example.

The logic repository service can receive an API Request 160 to download configuration information. The request 160, for example, can be generated by a user when they launch or deploy a new instance within the compute resources (e.g. an?F1.small?” instance). The request 160 can be generated, for example, when a user of the compute resources 120 launches or deploys a new instance (e.g. an?F1.small? Another example is that the request 160 may be generated as a response to a query from an application running on an instance. It can be, for instance, requests for clearing and scrubbing reconfigurable code (e.g., by an application logic developer when testing and debugging a new application logic) or requests for terminating an instance. These requests initiate disclosed methods of isolating and cleaning selected portions within the reconfigurable code. The request 160 may include information such as a reference for the source or destination instance, the configuration data that is to be downloaded (e.g. an instance type, marketplace identifiers, machine image identifiers, or configurable hardware identifiers), a user ID, an authorization token and/or any other information necessary to identify the configuration to download and/or authorize access to the data. If the user who requests the configuration is authorized to view the configuration, then the configuration can be retrieved by the logic repository database. Validated configuration data 162 may be downloaded (e.g. Downloading a complete or partial bitstream to the requesting instance can be done (e.g. server computer 140). Validated configuration data 162 may be used to configure configurable logic in the destination instance.

Click here to view the patent on Google Patents.