AN 933: Updating Intel® Stratix® 10 FPGA Firmware

ID 683605
Date 11/18/2020
Public

1.2.3. Verifying Firmware Updates

The Intel Quartus Programming File Generator software provides a way to inspect and verify the integrity of signature chains of secondary programming files in the Raw Binary File (.rbf) format. This procedure allows you to confirm the version of the firmware present in the programming file and, if you are using firmware co-signing, verify that the your signature chain for the firmware is correct.

The first signature chain on firmware, identified by the Programming File Generator tool as Signature Chain #0 is always the signature provided by Intel. The version of firmware can be identified by the key cancellation ID that the signature chain can be canceled by. Refer to the Canceling Intel Firmware ID section of the Intel® Stratix® 10 Device Security User Guide for information on the key cancellation ID that corresponds to a given version of firmware.

Signature Chain #1 is reserved for use by Intel.

If you are using firmware co-signing, your signature chains are placed in entries Signature Chain #2 and Signature Chain #3, where you can verify the key cancellation ID, root public key hash fuse value, and public key X/Y contents.

Run the following command to use Programming File Generator to verify the secondary programming file:
quartus_pfg --check_integrity updated_bitstream.rbf
An example of the output of the command is below. The bold font emphasizes the important values to inspect.
Info: Command: quartus_pfg --check_integrity signed_bitstream.rbf 
Integrity status: OK

Section 
Type: CMF
Signature Descriptor ...
Signature chain #0 (entries: 3, offset: 96)
Entry #0
Fuse: A1B9545C CAC4152D 9511A9AB 321778ED 1180A280 6DC58F2C 5607433E \
02A872E3 F52B2AE5 F7B8BDE0 53FA000D 8FC7AC04
Generate key ...
Curve : secp384r1 
X	:
FC28C88662DF1437DD98E61336467DC9CDA788F22F949D8F488DA755A9F8CC11AEC10006E2649 0B3EAB8148E6C8AA8A1
Y	:
95D1EA0FF4C7374B350FDF39CFAE3AD8D0AEA9451EA66B5B1DFD4084DA68BC4DAD3AF5CF378D7 C6FB62A10BA7C512276
Entry #1
Generate key ...
Curve : secp384r1 
X	:
35D8FD7138328F1CE56AE5DD7B6A528FF01CFD1493E75064931CB71D90CE87AA56219AF0AC5C9
8096B939BE23AE7AD51
Y	:
81830A069C8831E39817F4D193091D7F829A6DE904A50274A2282F644F618B9B19CBE1CDBCC8D F79DC1206E6B054FAE8
Entry #2
Keychain permission: SIGN_CODE 
Keychain can be cancelled by ID: 7
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 3, offset: 640)
Entry #0
Fuse: 0E0EC654 BDA9944E 86B5E3D8 C0EAE5D0 7FA202DD 523AE96F 8E4639BC AA02F142
  
Generate key ...
Curve : prime256v1 
X	:
DD12BDA1116B67E53C01B4433B08C0FFC8BBF3E6367146E38E327C8AC6254B3A
Y	:
B586065A814E23A649E8B5B4DD35F3E8D39328AF387DFF0336B4CD278E4503EB
Entry #1
Generate key ...
Curve : prime256v1 
X	:
BDD025BE705CF1D58AC922EDF5BC156F0BB435D6309200CBC1AA46174E16EBEC
Y	:
56DA0651C1C3C76E1BB7174DE918752A2591B2138BB76D740D3A26C369763619
Entry #2
Keychain permission: SIGN_CODE 
Keychain can be cancelled by ID: 1
Signature chain #3 (entries: 0, offset: 0))

Did you find the information on this page useful?

Characters remaining:

Feedback Message