Intel® Stratix® 10 Device Security User Guide

Download
ID 683642
Date 12/15/2021
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Intel Stratix 10 Device Security Overview 2. Authentication and Authorization 3. AES Bitstream Encryption 4. Device Provisioning 5. Advanced Features 6. Intel® Stratix® 10 Device Security User Guide Archives 7. Document Revision History for Intel® Stratix® 10 Device Security User Guide
1. Intel Stratix 10 Device Security Overview x
1.1. Commitment to Product Security
2. Authentication and Authorization x
2.1. Creating a Signature Chain 2.2. Signing a Configuration Bitstream
2.1. Creating a Signature Chain x
2.1.1. Creating Authentication Key Pairs on the Local File System 2.1.2. Creating Authentication Key Pairs in SoftHSM 2.1.3. Creating the Signature Chain Root Entry 2.1.4. Creating a Signature Chain Public Key Entry
2.2. Signing a Configuration Bitstream x
2.2.1. Quartus Key File Assignment 2.2.2. Co-Signing SDM Firmware 2.2.3. Signing Configuration Bitstream Using the quartus_sign Command 2.2.4. Verifying Configuration Bitstream Signature Chains
3. AES Bitstream Encryption x
3.1. Creating the AES Root Key 3.2. Quartus Encryption Settings 3.3. Encrypting a Configuration Bitstream
3.3. Encrypting a Configuration Bitstream x
3.3.1. Configuration Bitstream Encryption Using the Programming File Generator Graphical Interface 3.3.2. Configuration Bitstream Encryption Using the Programming File Generator Command Line Interface 3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface 3.3.4. Partial Reconfiguration Bitstream Encryption
4. Device Provisioning x
4.1. Using SDM Provision Firmware 4.2. Authentication Root Key Provisioning 4.3. Using QSPI Factory Default Helper Image on Owned Devices 4.4. Programming Key Cancellation ID Fuses 4.5. Security Setting Fuse Provisioning 4.6. AES Root Key Provisioning 4.7. Converting Owner Root Key, AES Root Key Certificates, and Fuse files to Jam STAPL File Formats
4.6. AES Root Key Provisioning x
4.6.1. AES Root Key Compact Certificate 4.6.2. Intrinsic ID® PUF AES Root Key Provisioning 4.6.3. Black Key Provisioning
4.6.2. Intrinsic ID® PUF AES Root Key Provisioning x
4.6.2.1. Intrinsic ID PUF Enrollment 4.6.2.2. Wrapping the AES Root Key 4.6.2.3. Programming Helper Data and Wrapped Key to QSPI Flash Memory 4.6.2.4. Querying Intrinsic ID PUF Activation Status 4.6.2.5. Location of the PUF in Flash Memory
4.6.3. Black Key Provisioning x
4.6.3.1. Black Key Provisioning Options
5. Advanced Features x
5.1. Secure Debug Authorization 5.2. HPS Debug Certificates 5.3. Platform Attestation 5.4. Physical Anti-Tamper 5.5. Using Design Security Features with Remote System Update
5.4. Physical Anti-Tamper x
5.4.1. Anti-Tamper Responses 5.4.2. Anti-Tamper Detection 5.4.3. Anti-Tamper Lite Intel® FPGA IP
5.4.3. Anti-Tamper Lite Intel® FPGA IP x
5.4.3.1. Release Information
1. Intel Stratix 10 Device Security Overview
2. Authentication and Authorization
3. AES Bitstream Encryption
4. Device Provisioning
5. Advanced Features
6. Intel® Stratix® 10 Device Security User Guide Archives
7. Document Revision History for Intel® Stratix® 10 Device Security User Guide

2.1. Creating a Signature Chain

You may use the quartus_sign tool or the stratix10_sign.py reference implementation to perform signature chain operations. This document provides examples using quartus_sign.
To use the reference implementation, you substitute a call to the Python interpreter included with Intel® Quartus® Prime software and omit the --family=Stratix10 option; all other options are equivalent. For example, the quartus_sign command found later in this section 
quartus_sign --family=stratix10 --operation=make_root root_public.pem root.qky
can be converted into the equivalent call to the reference implementation as follows 
pgm_py stratix10_sign.py --operation=make_root root_public.pem root.qky

Intel® Quartus® Prime Pro Edition software includes the quartus_sign, pgm_py, and stratix10_sign.py tools. You may use the Nios® II command shell tool, which automatically sets appropriate environment variables, to access the tools.

Follow these instructions to bring up a Nios® II command shell.

Bring up a Nios® II command shell.
Option Description
Windows On the Start menu, point to Programs > Intel FPGA > Nios II EDS > <version> and click Nios II <version> Command Shell.
Linux In a command shell change to the <install_dir>/nios2eds and run the following command:
./nios2_command_shell.sh

The examples in this section assume signature chain and configuration bitstream files are located in the current working directory. If you choose to follow the examples where key files are kept on the file system, those examples assume the key files are located in the current working directory. You may choose which directories to use, and the tools support relative file paths. If you choose to keep key files on the file system, you must carefully manage access permissions to those files.

Intel recommends the use of a commercially available Hardware Security Module (HSM) to store cryptographic keys and perform cryptographic operations. The quartus_sign tool and reference implementation include a Public Key Cryptography Standard #11 (PKCS #11) Application Programming Interface (API) to interact with an HSM while performing signature chain operations. The stratix10_sign.py reference implementation includes an interface abstract as well as an example interface to SoftHSM.

You may use these example interfaces to implement an interface to your HSM. Refer to the documentation from your HSM vendor for more information about implementing an interface to and operating your HSM.

SoftHSM is a software implementation of a generic cryptographic device with a PKCS #11 interface that is made available by the OpenDNSSEC® project. You may find more information, including instructions on how to download, build, and install OpenHSM, at the OpenDNSSEC project. The examples in this section utilize SoftHSM version 2.6.1. The examples in this section additionally use the pkcs11-tool utility from OpenSC to perform additional PKCS #11 operations with a SoftHSM token. You may find more information, including instructions on how to download, build, and install pkcs11-tool from OpenSC.

Related Information
Level Two Title

Did you find the information on this page useful?

Characters remaining:

Feedback Message