Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Public

4.2. Authentication Root Key Provisioning

To program the owner root key hash, you must first load the provision firmware following a power-on reset, then program the owner root key hash, and immediately perform another power-on reset.

To provision the owner root key hash using the Intel® Quartus® Prime Programmer graphical interface, select Programmer from the Tools menu in Intel® Quartus® Prime software.
  1. Right-click the image of the Intel® Stratix® 10 device and select Edit > Add QKY/CCERT/Fuse file ....
  2. Browse to the owner root public key file and click Open.
  3. You can choose to program the non-volatile eFuses or simulate the actual hardware using virtual eFuses.
    CAUTION:
    Incorrect fuse programming can make your device unusable. Intel recommends that you test all eFuse programming sequences using virtual fusing before you program physical eFuses on your first device.
    • To select virtual eFuses, on the Programmer Tools menu, select Options. Turn on Enable device security using a volatile security key if this option is not already on. By default this option is on. Then, select OK.
    • To select the actual non-volatile eFuses, on the Programmer Tools menu, select Options. Turn off the Enable device security using a volatile security key option.
  4. Click Start to program the owner root public key hash.
  5. Power cycle your device.
  6. To verify that the fuse value and the hash value of the owner root public key match, turn off the Program/Configure option and turn on the Verify option in the Intel® Quartus® Prime software.
  7. Click Start to verify the owner root public key hash programming.
To program the authentication root key hash using the command line interface, run the following command to load the provision firmware helper image.
quartus_pgm -c 1 -m jtag -o "p;signed_provision_helper_image.rbf"
Then, run one of the following commands to program the root key .qky file.
# For physical (non-volatile) eFuses
quartus_pgm -c 1 -m jtag -o "p;root.qky" --non_volatile_key
# For virtual (volatile) eFuses
quartus_pgm -c 1 -m jtag -o "p;root.qky"

Then, power cycle your device.
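
The command-line sequence above can be wrapped so that physical fusing cannot happen by accident, in line with the CAUTION about testing with virtual eFuses first. The script below is an added example, not Intel's own tooling. It uses only the quartus_pgm options shown in this section. The CABLE, HELPER, QKY and EXECUTE variables and the confirmation token are assumptions made for the example.

```shell
#!/bin/sh
# Added example: wraps the two quartus_pgm steps from this section.
# CABLE, HELPER, QKY, EXECUTE and the confirmation token are assumptions.
CABLE=${CABLE:-1}
HELPER=${HELPER:-signed_provision_helper_image.rbf}
QKY=${QKY:-root.qky}
TOKEN="I-HAVE-TESTED-VIRTUAL"

# Print the command sequence for "virtual" or "physical" fusing.
# Physical fusing is refused unless the confirmation token is supplied.
provision_plan() {
    mode=$1; confirm=${2:-}
    case "$mode" in
        virtual) fuse_flag="" ;;
        physical)
            if [ "$confirm" != "$TOKEN" ]; then
                echo "refusing physical eFuses: pass $TOKEN after a virtual run" >&2
                return 2
            fi
            fuse_flag=" --non_volatile_key" ;;
        *) echo "usage: virtual | physical $TOKEN" >&2; return 64 ;;
    esac
    printf 'quartus_pgm -c %s -m jtag -o "p;%s"\n' "$CABLE" "$HELPER"
    printf 'quartus_pgm -c %s -m jtag -o "p;%s"%s\n' "$CABLE" "$QKY" "$fuse_flag"
}

# Dry run by default; EXECUTE=1 runs the helper load, then the key hash.
run_provision() {
    plan=$(provision_plan "$@") || return $?
    if [ "${EXECUTE:-0}" != 1 ]; then
        printf '%s\n(dry run; set EXECUTE=1 to program)\n' "$plan"
        return 0
    fi
    for f in "$HELPER" "$QKY"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 66; }
    done
    quartus_pgm -c "$CABLE" -m jtag -o "p;$HELPER" || return 1
    if [ "$1" = physical ]; then
        quartus_pgm -c "$CABLE" -m jtag -o "p;$QKY" --non_volatile_key || return 1
    else
        quartus_pgm -c "$CABLE" -m jtag -o "p;$QKY" || return 1
    fi
    echo "Programming finished: power cycle the device now."
}

if [ $# -gt 0 ]; then run_provision "$@"; fi
```

Run it with the argument virtual first and review the printed commands before setting EXECUTE=1. The power cycles before and after programming remain manual steps.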