Quartus® Prime Pro Edition User Guide: Programmer

ID 683039
Date 4/01/2024
Document Table of Contents

1.3. Enabling Bitstream Security for Stratix® 10 and Agilex™ 7 Devices

Stratix® 10 and Agilex™ 7 devices provide flexible and robust security features to protect sensitive data, intellectual property, and device hardware from physical and remote attacks. The Stratix® 10 and Agilex™ 7 device architectures support bitstream authentication and encryption security features. The Assembler applies bitstream compression automatically to reduce file size whenever you use authentication or encryption.

  • Bitstream Authentication—verifies that the configuration bitstream and firmware are from a trusted source. Enable additional co-signing device firmware authentication to ensure that only signed firmware runs on the HPS or FPGA, and to authorize HPS JTAG debugging. Enable authentication security by specifying a first level signature chain file (.qky) for the Quartus Key File option (Device and Pin Options dialog box), as Enabling Bitstream Authentication (Programming File Generator) describes.5
  • Bitstream Encryption—protects proprietary or sensitive data from view or extraction in the configuration bitstream using an Advanced Encryption Standard (AES) 256-bit or 384-bit security key. Encryption also provides side-channel protection from non-intrusive attack. You can store the owner AES key in eFuses or BBRAM. Enable encryption by turning on the Enable programming bitstream encryption option (Device and Pin Options dialog box), as Enabling Bitstream Encryption (Programming File Generator) describes.
Table 7.   Stratix® 10 and Agilex™ 7 Bitstream Authentication Files
Term Description Extension
First Level Signature Chain Key File File you generate that specifies the root key (.pem) and one or more design signing keys (.pem) required to sign the bitstream and allow access to the FPGA when using authentication or encryption. .qky
Root Key File File you generate that anchors the first level signature chain to a known root key. The FPGA calculates the hash of the root entry and checks if it matches the expected hash. The Assembler appends the root key to the programming file and stores the key in eFuses. .qky
Design Signing Key File File you generate and append to the root key that authenticates the bitstream in the SDM to allow configuration of the device with the pending bitstream. Use separate design signing keys for the FPGA and HPS for highest security. .pem
Firmware Co-signing Key File Files provided in <install>\devices\programmer\firmware that includes the owner signature and firmware file that you use to sign the firmware to run on the FPGA or HPS. .zip
Signed HPS Certificate File Specifies a secure HPS debug certificate that permits access to the JTAG interface for HPS debugging. A secure HPS debug certificate is valid until you power down or reconfigure the device. .cert
Note: Arria® 10 and Cyclone® 10 GX devices do not support bitstream authentication.
5 For Stratix® 10 devices, bitstream authentication is available only for devices that include the AS (Advanced Security) ordering code suffix and all Stratix® 10 DX devices.