Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 11/09/2021

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Give Feedback

2.2.3. Configuring Bitstream Signing Using the quartus_sign Command

To sign a configuration bitstream using the quartus_sign command, you first convert the .sof file to the unsigned raw binary file (.rbf) format. You may optionally specify co-signed firmware using the fw_source option during the conversion step.

You can generate the unsigned raw bitstream in .rbf format using the following command:
quartus_pfg -c -o design.sof \
-o sign_later=ON  unsigned_bitstream.rbf
Run one of the following commands to sign the bitstream using the quartus_sign tool depending on the location of your keys:
quartus_sign --family=stratix10 --operation=sign \  
--qky=design0_sign_chain.qky --pem=design0_sign_private.pem \ 
unsigned_bitstream.rbf signed_bitstream.rbf
quartus_sign --family=stratix10 --operation=sign --module=softHSM\
--module_args="--token_label=s10-token --user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/" --pem=design0_sign \
--qky=design0_sign_chain.qky unsigned_bitstream.rbf signed_bitstream.rbf

You may convert signed .rbf files to other configuration bitstream file formats.

For example, if you are using the Jam* Standard Test and Programming Language (STAPL) Player to program a bitstream over JTAG, you use the following command to convert an .rbf file to the .jam format that the Jam STAPL Player requires:
quartus_pfg -c signed_bitstream.rbf signed_bitstream.jam