AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

ID 683060
Date 3/29/2021
Document Table of Contents

Encrypting the Boot Image and Configuration File

The Quartus Prime Design Suite includes the Quartus Prime Convert Programming File tool, quartus_cpf, which you use to generate the AES 256 encryption file.1 You invoke the Quartus Prime Convert Programming File tool as follows:

quartus_cpf -e -k <keyfile>:<key_id>[:<key_id>] <input_sof_file> <output_ekp_file>

If you configure the boot loader generator to encrypt the boot image, quartus_cpf requires the encryption key file as specified in the configuration tool’s security settings. For an overview of the tool flow, see the figure in "Software Image Authentication and Encryption".

For details of Quartus Prime Convert Programming File tool usage, refer to "How to Generate the Single-Device .ekp File and Encrypt Configuration File Using Quartus Prime Software with the Command-Line Interface" in AN-556: Using the Design Security Features in the Altera FPGAs.

1 quartus_cpf can also encrypt the configuration bit stream in the SRAM object file (.sof).