9.13.9 Custom Security Levels
For advanced use cases, you can customize the security levels applied to the device.
To set custom security levels:
- Click the Custom Level button on the Security Settings page. The Custom Security Level dialog box appears.
- Select the security levels for the FPGA Array and FlashROM. For SmartFusion® and Fusion devices, you can also select the security level for the Embedded Flash Memory Block. The FPGA Array and FlashROM can be configured with different security settings.
See the following tables for descriptions of the available custom security options.
| Security Option | Description |
|---|---|
Lock for both writing and verifying  | Allows writing/erasing and verification of the FPGA Array through the JTAG interface only with a valid Pass Key. |
Lock for writing  | Allows writing/erasing of the FPGA Array only with a valid Pass Key. Verification is allowed without a valid Pass Key. |
Use the AES Key for both writing and verifying  | Allows writing/erasing and verification of the FPGA Array through the JTAG interface only with a valid AES Key. This configures the device to accept an encrypted bitstream for reprogramming and verification. Use this option when programming at an unsecured site or when planning remote updates. Accessing device security settings requires a valid Pass Key. |
Allow write and verify  | Allows writing/erasing and verification of the FPGA Array using a plain‑text bitstream without requiring a Pass Key or AES Key. Use this option during in‑house development. |
Note: The ProASIC3 family FPGA Array is always read‑protected regardless of Pass Key or AES Key
settings.
| Security Option | Description |
|---|---|
Lock for both reading and writing  | Allows writing/erasing and reading of FlashROM through the JTAG interface only with a valid Pass Key. Verification is allowed without a valid Pass Key. |
Lock for writing  | Allows writing/erasing of FlashROM through the JTAG interface only with a valid Pass Key. Reading and verification are allowed without a valid Pass Key. |
Use the AES Key for both writing and verifying  | Allows writing/erasing and verification of FlashROM through the JTAG interface only with a valid AES Key. This configures the device to accept an encrypted bitstream for reprogramming and verification. Use this option when programming at an unsecured site or when planning remote updates. Note: FlashROM readback is always unencrypted (plain text). |
Allow reading, writing, and verifying  | Allows writing/erasing, reading, and verification of FlashROM content using a plain‑text bitstream without requiring a Pass Key or AES Key. The FPGA Array can always read FlashROM content regardless of these settings. |
| Security Option | Description |
|---|---|
Lock for reading, verifying, and writing  | Allows writing and reading of the Embedded Flash Memory Block through the JTAG interface only with a valid Pass Key. Verification is performed by readback and comparison. |
Lock for writing  | Allows writing of the Embedded Flash Memory Block through the JTAG interface only with a valid Pass Key. Reading and verification are allowed without a valid Pass Key. |
Use AES Key for writing  | Allows writing of the Embedded Flash Memory Block through the JTAG interface only with a valid AES Key. This configures the device to accept an encrypted bitstream for reprogramming. Use this option when programming at an unsecured site or when planning remote updates. Note: Readback of Embedded Flash Memory Block content is always unencrypted (plain text) when a valid Pass Key is provided. |
Allow reading, writing, and verifying  | Allows writing, reading, and verification of Embedded Flash Memory Block content using a plain‑text bitstream without requiring a Pass Key or AES Key. |
- To make the selected security settings permanent, select the Permanently lock
the security settings checkbox. This option prevents any future modification
of the device security configuration. A Pass Key is not required when using this
option.Note: When security settings are permanently locked:
- The Silicon Signature can never be reprogrammed.
- If write operations are locked for the FPGA Array or FlashROM, those components can never be reprogrammed.
- If an AES Key is used, it cannot be changed after permanent locking.
- (SmartFusion Only) Enable M3 Debugger option enables access to the M3 debugger even if security is enforced. Select the Enable M3 debugger checkbox if you want to access the M3 debugger after programming.
- To use the Permanent FlashLock™ feature,
select Lock for both writing and verifying for FPGA Array and
Lock for both reading and writing for FlashROM and select the
Permanently lock the security settings checkbox as shown in the
figure below. This will make your device one-time-programmable.
Figure 9-130. Custom Security Level 
- Click the OK button.
The Security Settings page appears with the Custom
security settings information as shown in the figure below.
Figure 9-131. Security Settings 