Case study: Secure FPGA technology enables UAV communications and control
Single-chip cryptography enables a cost-effective implementation of a UAV command and control system in a single FPGA. Partial reconfiguration capabilities in the programmable IC add SWaP-C savings because a less-dense, lower-power FPGA can host the design.
Over the past few years, the U.S. military and its allies have come to increasingly rely on Unmanned Aerial Vehicle (UAV) systems to carry out surveillance and combat missions around the world. Secure communication links are vital for UAV operation, both to control the UAV based on mission objectives and to reliably deliver actionable data to mission controllers on the ground. Encryption and decryption are inherent requirements, adding complexity and cost in the UAV electronics package. But with a single FPGA capable of meeting Type 1 cryptographic requirements, design teams can leverage reprogrammability and realize Size, Weight, Power, and Cost savings – referred to as SWaP-C savings. Xilinx and Advanced Communications Concepts, Inc. (ACCI) have demonstrated one such UAV communication and control system based on an FPGA.
The UAV application relies on a Single-Chip Crypto (SCC) design implemented in an FPGA to protect communications between the ground control stations and the UAV. The implementation completely safeguards the telemetry, video, and control data. The example system relies on the power of FPGA partial reconfiguration to provide algorithm swapping within a field-upgradable solution, all in a small product footprint.
Xilinx worked with the leading defense solution developers and key government agencies to develop an FPGA design flow and verification process that enables a single FPGA to meet Type 1 cryptographic requirements. The older method for meeting Type 1 cryptographic requirements employed two FPGAs – one to securely partition the unencrypted portions of the design. In the single-chip implementation, unused logic elements serve to implement the partitions.
The design flow isolates regions of the FPGA that handle red and black data and the encryption/decryption function (Figure 1). The red portions of the design deal with unencrypted data and must be isolated from the portions that deal with encrypted data. The SCC sits functionally between the red and black sides. The UAV example described here is based on a Virtex-5 FPGA using the SCC technology.
The UAV demo
At conferences such as MILCOM, Xilinx and ACCI have demonstrated an FPGA-equipped UAV providing a real-time encrypted flow of control, telemetry, and video data between the UAV and the ruggedized, laptop computer-based ground-control stations (Figure 2). The live-fly version has flown at events such as Air Force Joint Forcible Entry Exercise (JFEX) and the SOCOM/NPS Tactical Network Topology (TNT) exercises. They are being evaluated for use in various planes and systems, including UAVs.
The UAV command and control system uses a Virtex-5 FPGA with an integrated PowerPC processor. The system requires little more than the FPGA, MEMS accelerometers, and a physical layer for the wireless communications link. In developing the system, ACCI started with the SCC design flow and Xilinx’s information assurance techniques, and added a secure communications layer called Tactically Unbreakable Security Communications or TUCNet. TUCNet can encrypt any digital data stream. For example, it can handle video, telemetry, control, or even voice data packets.
ACCI doesn’t reveal TUCNet technical details for both security and competitive reasons. But more broadly, the company relied on features such as protocol hopping and encryption-scheme hopping to deliver a network layer that is secure over any type of wired or wireless network.
To meet Type 1 requirements, ACCI had to isolate each of the regions of the FPGA according to defense agency specifications. Using Xilinx’s SCC methodology along with the Isolation Verification Tool (IVT), ACCI was able to implement this solution and provide the necessary documentation validating the isolation.
Most notably, ACCI implemented the Type 1 requirements in a single FPGA. Prior to Xilinx’s work with government agencies and the validation of Type 1 cryptographic capabilities, a design would have used multiple ICs or subsystems to isolate the red and black data and the algorithms that operate on each. The SCC technology simplified the system implementation, resulting in SWaP-C savings. At a minimum, the SCC technology eliminated one FPGA from the implementation, halving the PC-board real estate needed to host the design. Power and cost aren’t halved, because the two-chip implementation might have used slightly less dense FPGAs, but the savings are significant and even the weight is reduced by a small amount.
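The partitioning described above (red, black, and crypto regions kept apart by unused logic elements) can be illustrated with a toy floorplan check. This is an added example, not Xilinx's IVT or ACCI's design; the grid, the region labels, and the one-tile fence width are assumptions made for illustration.

```python
from itertools import product

FENCE = "."  # unused tile; R = red, C = crypto (SCC), B = black

# Constructed floorplans (illustrative only, not a real device layout).
GOOD = ["RRR.CC.BBB",
        "RRR.CC.BBB",
        "RRR.CC.BBB"]
BAD = ["RRR.CC.BBB",
       "RRRRCC.BBB",   # red logic placed in the fence column
       "RRR.CC.BBB"]

def fence_violations(floorplan, min_fence=1):
    """Return pairs of tiles from different regions closer than the fence allows."""
    rows, cols = len(floorplan), len(floorplan[0])
    if any(len(row) != cols for row in floorplan):
        raise ValueError("floorplan rows must have equal length")
    violations = []
    for r, c in product(range(rows), range(cols)):
        owner = floorplan[r][c]
        if owner == FENCE:
            continue
        # Inspect every tile within min_fence tiles (Chebyshev distance).
        for dr, dc in product(range(-min_fence, min_fence + 1), repeat=2):
            nr, nc = r + dr, c + dc
            if not (0 <= nr < rows and 0 <= nc < cols):
                continue
            other = floorplan[nr][nc]
            # Report each offending pair once, ordered by position.
            if other not in (FENCE, owner) and (r, c) < (nr, nc):
                violations.append(((r, c, owner), (nr, nc, other)))
    return violations

def regions_in_contact(violations):
    """Summarise which region pairs breach the fence, e.g. {'CR'}."""
    return {"".join(sorted((a[2], b[2]))) for a, b in violations}

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        found = fence_violations(plan)
        print(name, "isolated" if not found else f"violations: {found}")
```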
Compounding the SWaP-C advantages
While meeting all security requirements for Type 1 cryptographic certification, ACCI’s FPGA algorithms and processing implementation compounded the SWaP-C advantages in the UAV application by using dynamic partial reconfiguration. The work Xilinx did on Type 1 cryptographic systems proved the ability to maintain proper isolation of red and black data even when reconfiguring a portion of the FPGA on the fly. With dynamic partial reconfiguration, the FPGA does not have to be big enough to hold all of the processing algorithms. It only needs to be big enough to simultaneously hold the single largest data-processing algorithm, the main control algorithm, and the SCC implementation.
ACCI’s unique use of dynamic partial reconfiguration adds to the capabilities of the UAV control and communication system while minimizing the SWaP-C burden of doing so. The system has a proprietary Hardware Operating System (HardwareOS) that is static in the FPGA. HardwareOS provides the system resource allocation and system services functions that an OS would provide in a traditional software-based system architecture.
The UAV system relies on a library of application or algorithm accelerators developed by ACCI. Besides security functions, the TUC-enabled algorithmic accelerators provide on-UAV, real-time manipulation of telemetry and video data streams as well as data transcoding functions. For example, if the UAV is in a banked turn, the video frame is horizontally distorted by the pitch and roll angles of the UAV frame as well as by the camera pan and tilt settings. This problem was solved by dynamically loading and running an algorithm to “counter-rotate” video frames in real time into the proper orientation.
The TUC system also transcodes the digital video from RS-170 format to MPEG-2 and H.264 formats, among others. The system then combines the transcoded video with the telemetry from the autopilot, and other onboard sensors, into an MPEG transport stream that correctly emulates a Predator data download format. This allows the UAV data to be utilized by any system that currently handles Predator formatted data streams. And all of the data streams are encrypted for ground transmission.
The system can load every data packet transmitted to the UAV or every packet of captured telemetry or video data into static Block RAM (BRAM) on the FPGA, and then dynamically apply any desired sequence of algorithms to each packet as required. With TUC hardware acceleration, the entire frame processing of video stabilization, horizontal correction, Predator format transcoding, transport stream packaging, and encryption is done in less than 12 milliseconds. At 30 frames per second from the camera, 33 milliseconds are available between frames, thus allowing ample processing resources for future planned enhancements, such as automated target tracking and direct autopilot control.
A closer look: Dynamic partial reconfiguration
With the SCC flow helping to maintain Type 1 requirements, the real advantage of dynamic partial reconfiguration becomes apparent: the system can reconfigure the FPGA more than 100,000 times per second. Moreover, the data flow and parallel processing inherent in the FPGA fabric minimize latency and enable real-time manipulation to optimize gathered data for transmission to the ground station. The ACCI system encrypts the preprocessed data and transmits the secured data to the ground control station. The laptops used in the demo decrypt the data and present it to the user.
The partial reconfiguration capability enabled additional savings by allowing ACCI to utilize the smallest, ruggedized, defense-grade Virtex-5 family member that integrates a PowerPC. The XQ5VFX70T device chosen includes 11,200 Configurable Logic Blocks (CLBs) and a single PowerPC core. Without partial reconfiguration, the design requires a larger FPGA that would cost more and use more power. As an example, this can mean a 5x savings in just static quiescent power consumption between the smaller product and the next larger product in the Virtex-5Q family.
ACCI and Xilinx are working on a new version of the UAV demonstration system that will leverage the defense-grade Virtex-6 family and further compound the SWaP-C benefits. Virtex-6 FPGAs consume 50 percent less power than Virtex-5 FPGAs with a similar number of CLBs. Moreover, the Virtex-6 family is manufactured in a 45 nm process technology, versus a 65 nm process for the Virtex-5 family. Rather than requiring an FPGA with an integrated PowerPC hard core, the new version of the UAV system will yield further savings through the use of a soft-core MicroBlaze processor.
Xilinx 408-559-7778 www.xilinx.com