Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 11/09/2021
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

2.1. Creating a Signature Chain

You may use the quartus_sign tool or the stratix10_sign.py reference implementation to perform signature chain operations. This document provides examples using quartus_sign.
To use the reference implementation, you substitute a call to the Python interpreter included with Intel® Quartus® Prime and omit the --family=Stratix10 option; all other options are equivalent. For example, the quartus_sign command found later in this section
quartus_sign --family=stratix10 --operation=make_root root_public.pem root.qky
can be converted into the equivalent call to the reference implementation as follows
pgm_py stratix10_sign.py --operation=make_root root_public.pem root.qky

Intel® Quartus® Prime Pro Edition software includes the quartus_sign, pgm_py, and stratix10_sign.py tools. You may use the Nios® II command shell tool, which automatically sets appropriate environment variables, to access the tools.

You use the following instructions to bring up a Nios® II command shell.

Bring up a Nios® II command shell.
Option Description
Windows On the Start menu, point to Programs > Intel FPGA > Nios II EDS > <version> and click Nios II <version> Command Shell.
Linux In a command shell change to the <install_dir>/nios2eds and run the following command:
./nios2_command_shell.sh

The examples in this section assume signature chain and configuration bitstream files are located in the current working directory. If you choose to follow the examples where key files are kept on the filesystem, those examples assume the key files are located in the current working directory. You may choose which directories to use, and the tools support relative file paths. If you choose to keep key files on the filesystem, you must carefully manage access permissions to those files.

Intel recommends the use of a commercially available Hardware Security Module (HSM) to store cryptographic keys and perform cryptographic operations. The quartus_sign tool and reference implementation include a Public Key Cryptography Standard #11 (PKCS #11) Application Programming Interface (API) to interact with an HSM while performing signature chain operations. The stratix10_sign.py reference implementation includes an interface abstract as well as an example interface to SoftHSM.

You may use these example interfaces to implement an interface to your HSM. Refer to the documentation from your HSM vendor for more information about implementing an interface to and operating your HSM.

SoftHSM is a software implementation of a generic cryptographic device with a PKCS #11 interface that is made available by the OpenDNSSEC® project. You may find more information, including instructions on how to download, build, and install OpenHSM, at the OpenDNSSEC project. The examples in this section utilize SoftHSM version 2.6.1. The examples in this section additionally use the pkcs11-tool utility from OpenSC to perform additional PKCS #11 operations with a SoftHSM token. You may find more information, including instructions on how to download, build, and install pkcs11-tool from OpenSC.