Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Document Table of Contents

2.1. Creating a Signature Chain

You may use the quartus_sign tool or the reference implementation to perform signature chain operations. This document provides examples using quartus_sign.
To use the reference implementation, you substitute a call to the Python interpreter included with Intel® Quartus® Prime software and omit the --family=Stratix10 option; all other options are equivalent. For example, the quartus_sign command found later in this section
quartus_sign --family=stratix10 --operation=make_root root_public.pem root.qky
can be converted into the equivalent call to the reference implementation as follows
pgm_py --operation=make_root root_public.pem root.qky

Intel® Quartus® Prime Pro Edition software includes the quartus_sign, pgm_py, and tools. You may use the Nios® II command shell tool, which automatically sets appropriate environment variables, to access the tools.

Follow these instructions to bring up a Nios® II command shell.

Bring up a Nios® II command shell.
Option Description
Windows On the Start menu, point to Programs > Intel FPGA > Nios II EDS > <version> and click Nios II <version> Command Shell.
Linux In a command shell change to the <install_dir>/nios2eds and run the following command:

The examples in this section assume signature chain and configuration bitstream files are located in the current working directory. If you choose to follow the examples where key files are kept on the file system, those examples assume the key files are located in the current working directory. You may choose which directories to use, and the tools support relative file paths. If you choose to keep key files on the file system, you must carefully manage access permissions to those files.

Intel recommends the use of a commercially available Hardware Security Module (HSM) to store cryptographic keys and perform cryptographic operations. The quartus_sign tool and reference implementation include a Public Key Cryptography Standard #11 (PKCS #11) Application Programming Interface (API) to interact with an HSM while performing signature chain operations. The reference implementation includes an interface abstract as well as an example interface to SoftHSM.

You may use these example interfaces to implement an interface to your HSM. Refer to the documentation from your HSM vendor for more information about implementing an interface to and operating your HSM.

SoftHSM is a software implementation of a generic cryptographic device with a PKCS #11 interface that is made available by the OpenDNSSEC® project. You may find more information, including instructions on how to download, build, and install OpenHSM, at the OpenDNSSEC project. The examples in this section utilize SoftHSM version 2.6.1. The examples in this section additionally use the pkcs11-tool utility from OpenSC to perform additional PKCS #11 operations with a SoftHSM token. You may find more information, including instructions on how to download, build, and install pkcs11-tool from OpenSC.