Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Public
Download
Document Table of Contents

7. Document Revision History for Intel® Stratix® 10 Device Security User Guide

Document Version Intel® Quartus® Prime Version Changes
2021.12.15 21.4 Made the following change:
  • Revised Using SDM Provision Firmware.
  • Added new section: Using QSPI Factory Default Helper Image on Owned Devices
  • Updated quartus_sign code snippets for append_key and sign operations.
  • Minor text revisions to improve clarity.
2021.11.09 21.3 Made the following change:
  • Added step to extract firmware in Co-Signing SDM Firmware.
  • Corrected minor errors and typos.
2021.09.02 21.2 Made the following changes:
  • Removed Important Notice to Customers Regarding Features Added in Intel® Quartus® Prime Pro Edition Software Version 21.1 and Planned Security Features topics. The anti-tamper feature is supported starting in Intel® Quartus® Prime Pro Edition software version 21.2.
  • Added information about Intel Support in Intel® Stratix® 10 Device Security Overview.
  • Revised Creating a Signature Chain. Added information about Hardware Security Module (HSM) and SoftHSM.
  • Updated the Input (.sof) File Properties for Authentication and Encryption figure.
  • Added anti-tamper and attestation features.
    • Globally updated sections and screenshots with anti-tamper and attestation content.
    • Updated Platform Attestation and Physical Anti-Tamper sections to include features description and usage.
    • Added new topics:
      • Anti-Tamper Responses
      • Anti-Tamper Detection
      • Anti-Tamper Intel® FPGA IP
  • Globally added HSM instructions to the existing command examples.
  • Revised Secure Debug Authorization. Clarified the debug owner role.
2021.04.30 21.1 Made the following changes:
  • Restructured the entire document as follows:
    • The Security Methodology User Guide contains the security features descriptions.
    • This Intel® Stratix® 10 Device Security User Guide contains specific instructions for Intel® Quartus® Prime software to implement security features on Intel® Stratix® 10 FPGA devices.
  • Updated Using Design Security Features with Remote System Update. Added examples to generate the initial RSU image, application image, and a factory update image.
2021.02.17 20.4 Made the following changes:
  • Revised Encryption section in the Intel® Stratix® 10 Device Security Overview topic. Added text stating that devices with advanced security enabled can only load a secured firmware.
  • Removed Partial Reconfiguration Bitstream Encryption (PRBE) topic from the Planned Security Features section. Intel® Quartus® Prime software version 20.4 supports PRBE feature.
  • Updated key permission content in the Signature Block section. Added permission bit used to sign black key provisioning.
  • Added firmware ID=8 along with its firmware release in the Intel Firmware IDs table.
  • Restructured content in Powering On In JTAG Mode After Implementing Co-Signed Firmware and Programing eFuses sections.
  • Revised Step 1: Enrolling the Intrinsic ID PUF via JTAG.
    • Revised PUF enrollment text to emphasize that the Intel® Quartus® Prime Pro Edition Programmer automatically loads the provision firmware.
    • Added note suggesting to toggle the nCONFIG signal in order to perform a successful reconfiguration.
    • Updated text to emphasize that Intel® Quartus® Prime Programmer restricts PUF operations without the appropriate license.
  • Revised Black Key Provisioning section. Added recommendation to use -BK OPN suffix for devices using black key provisioning features.
  • Updated Partial Reconfiguration Bitstream Encryption topic. Added new sections:
    • Enabling Partial Reconfiguration Bitstream Encryption
    • Generating Encrypted Partial Reconfiguration Persona Programming Files Using the Command Line Interface
    • Generating Partially Encrypted Partial Reconfiguration Partial Reconfiguration Persona Programming Files Using the Command Line Interface
  • Revised Using eFuses topic. Clarified restriction of programming physical eFuses after virtual eFuses.
  • Added new topics:
    • Signing Tool (with Source Code)
    • Encryption Tool (with Source Code)
    • Security Option eFuses
    • Using Design Security Features with Remote System Update
  • Corrected minor errors and typos.
2020.10.13 20.3 Made the following changes:
  • Revised Important Notice to Customers Regarding Features Added in Intel® Quartus® Prime Pro Edition Software Version 20.3 notice. The IID PUF-based AES key storage feature is a production feature. The anti-tamper features were removed in this release.
  • Added limitation for Intel® Stratix® 10 GX 10M devices in the Intel® Stratix® 10 Device Security Overview: Encryption section. The Intel® Stratix® 10 GX 10 devices don't support the advanced security features.
  • Updated the Owner Security Keys and Storage Options section:
    • Revised virtual eFuses, physical eFuses, and BBRAM typical applications in the Comparison of AES Key Storage Options table.
    • Revised Black Key Provisioning description in the Owner AES Key section.
    • Removed Owner AES Key Programming section. The content is already available in the Encryption and Decryption chapter.
  • Updated the Planned Security Features section:
    • Added the Anti-Tampering topic.
    • Added the Partial Reconfiguration Bitstream Encryption topic.
    • Removed the Black Key Provisioning topic.
  • Updated the Signature Chain Content table:
    • Added bit 6: AES root key certificate in the Public Key Entry description.
    • Revised Header Block Entry description.
  • Updated the Canceling Intel Firmware ID section:
    • Added firmware ID=7 along with its firmware release in the Intel Firmware IDs table.
    • Revised and added steps to prevent using older firmware versions once you upgraded to a new firmware version.
  • Corrected argument value for signing firmware in the Append Key to Signature Chain section. The value to sign firmware is 1, not 0.
  • Added assignment to specify the owner cancellation ID in the Step 4a: Signing the Bitstream Using the Programming File Generator section.
  • Revised note in the Using the Co-Signed Feature section. The text points to the Using eFuses section for information on programming the co-signed eFuses.
  • Revised the Prerequisites for Co-Signing Device Firmware section:
    • Rename argument from --key_storage to --non_volatile_key.
    • Updated the quartus_pgm commands.
    • Updated the instruction links.
  • Added new topic: Step 2c: Generating Partially Encrypted Programming File Using the Command Line Interface.
  • Added Quad SPI Intrinsic ID PUF-wrapped option in the Step 3a: Specifying Keys and Configuring the Encrypted Image Using the Intel® Quartus® Prime Programmer.
  • Updated description of -i option and added a note in the Step 3b: Programming the AES Key and Configuring the Encrypted Image Using the Command Line section. The note states that you can program the co-signed helper image prior to programming the .qek encryption key.
  • Removed Anti-Tamper Monitoring and Mitigation section and all related anti-tamper content.
  • Removed (Beta) label from all IID PUF-based AES key storage content. In this release, IID PUF is a production feature.
  • Revised all PUF-related content.
  • Added support for black key provisioning and new sections describing enabling black key provisioning, including the bkp_options description.
  • Revised Using eFuses and Key Cancellation eFuses topics.
    • Added statement to emphasize the usage of virtual eFuses. The virtual eFuses are meant for testing purposed only. They don't guarantee security in the production environment.
  • Revised the Using an HPS Debug Certificate topic.
    • Revised text to emphasize the debug certificate usage in order to ensure the bitstream security: Intel strongly recommends restricting such a bitstream from release and canceling the signing key ID after this configuration bitstream is no longer needed.
    • Revised the required conditions to create HPS debug certificate.
      • Updated JTAG related condition to emphasize that the JTAG disable fuse disables JTAG.
      • Added new condition to emphasize that the HPS debug disable fuse permanently disables the HPS debugging.
  • Updated Enabling HPS JTAG Debugging topic.
    • Corrected the statement on the permission usage. You should specify permission=8 for the HPS debug certificate.
    • Renamed a key file from <design0_sign_chain.qky> to <debug_cert_sign_chain.qky>.
  • Updated .puf file description in the File Types for Security appendix.
  • Added new quartus_pgm command arguments in the quartus_pgm Command Operation Argument appendix:
    • -o p;file.ccert
    • -o pvbi;file.puf
    • -o pvbi;file.wkey
    • -o ei;file.ccert;device_name
    • -o ei;file.puf;device_name
    • -o ei;file.wkey;device_name
  • Corrected minor errors and spelling mistakes.
2020.04.13 20.1 Made the following changes:
  • Added topic: Important Notice to Customers Regarding Features Added in Intel® Quartus® Prime Pro Edition Software Version 20.1. It states that the IID PUF-based AES key storage and Anti-Tamper features are a beta release in Intel® Quartus® Prime Pro Edition software version 20.1.
  • Added support for a PUF-wrapped AES key. Refer to Using a PUF-Wrapped AES Key (Beta) for more information. This feature is a beta release in Intel® Quartus® Prime Pro Edition software version 20.1.
  • Added support for monitors that can trigger an anti-tamper response when the temperature, voltage, or external clock frequency exceeds the values you specify. Refer to Anti-Tamper Monitoring and Mitigation (Beta) for more information. This feature is a beta release in Intel® Quartus® Prime Pro Edition software version 20.1.
  • Added the Comparison of AES Key Storage Options table that describes the features of each the 4 possible storage locations.
  • Added firmware ID=6 along with its firmware release in the Intel Firmware IDs table.
  • Reorganized user guide.
  • Added support for a quartus_pfg command that checks the integrity of a signed configuration bitstream. Refer to Verifying a Configuration Bitstream Signature for more information.
  • Added an appendix covering acronyms and definitions of security terminology.
  • Added an appendix describing file types that implement security features.
  • Added an appendix showing help for the operation (-o) argument to the quartus_pgm command.
  • Updated Security Category figures to show the new Permitted owner cancellation id and Anti-Tamper tab.
  • Removed statement that the JTAG disable eFuse eliminates boundary scan. In the Intel® Quartus® Prime Release 20.1 release, disabling JTAG does not disable boundary scan.
  • Corrected minor errors and spelling mistakes.
2020.01.15 19.3 Corrected the pem_file argument in 7.1.3. Step 2b: Generating Programming Files Using the Command Line. The correct command uses pem_file=design0_sign_private.pem:
quartus_pfg -c encryption_enabled.sof top.rbf \ 
-o finalize_encryption=ON -o qek_file=aes.qek \
 -o signing=ON -o pem_file=design0_sign_private.pem
2020.01.06 19.3 Made the following changes:
  • Corrected the quartus_encrypt command in the Step 1: Preparing the Owner Image and AES Key Filetopic. The ik_count and max_key_use arguments must be preceded by --.
  • Added command showing how to convert an .rbf to .jam format in the Step 4: Signing the Bitstream topic.
  • Added the following note to the Converting Key, Encryption, and Fuse Files to Jam Staple File Formats topic:
    CAUTION:
    When you convert the AES .qek file to .jam format, the .jam file contains the AES key in plaintext but obfuscated form. Consequently, you must protect the .jam file when storing the AES key. You can protect the .jam file by provisioning the AES key in a secure environment.
  • Added a link to the How can I write or erase the Intel® Stratix® 10 AES BBRAM encryption key using the Mailbox Client Intel® FPGA IP interface and System Console? article in Storing the AES Key in BBRAM using the JTAG Mailbox.
2019.10.30 19.3 Added the following new security features:
  • Added support for physical (non-volatile) eFuses.
  • Changed the way you specify virtual (volatile) or physical (non-volatile) eFuses. The --non_volatile_key parameter is now an argument to the quartus_pgm command. Consequently, you no longer need to recompile to change the eFuse storage location.
  • Increased the number of public keys entries supported from 2 to 3.
  • Added support for a signed secure HPS debug certificate to prevent unauthorized remote or physical access to the HPS.
  • Decreased the encryption update ratio from 127:1 to 31:1.
  • Revised description the Using the Authentication Feature example. The example now specifies permission 6 to allow the key to sign both the Core (permission=2) and HPS (permission=4) sections of the configuration bitstream. You must create separate key chains to limit the permissions to either Core or HPS.
  • Added support for 10 additional eFuses described in the Owner Programmable eFuses table.
  • Added examples of advanced security features.
  • Added descriptions of side-channel mitigation features.
  • Added the following topics:
    • Step 4a: Protecting the AES Key when Storing the AES in eFuses
    • Step 4b: Protecting the AES Key when Storing the AES Key in BBRAM
    • Encryption Command Detailed Description
    • Make AES Key
    • Encrypt the Bitstream
    • Programming eFuses
    • Canceling eFuses
  • Added examples of .jam commands under the Using the .jam Files to Program Root Key and AES Encryption Key heading.
  • Corrected AES Update Mode figure. The number of data bits in a data block is 256, not 128.
  • Corrected the cancellation ID Numbers in Figure 5: Three-Key Signature Chain. The cancellation IDs are 0 and 1.
  • Removed recommendation to use separate signing keys for core and HPS in Intel® Stratix® 10 SX devices. Changed Using the Authentication Feature example to set permissions to 6 which can sign both the core and HPS.
  • Revised Anti-Tampering topic.
  • Revised theUsing eFuses topic.
  • Corrected minor errors and typos.
2019.05.30 19.1 Made the following corrections:
  • Corrected the Signing Command Argument Summary table. The references to .key format should say .qky format.
2019.05.10 19.1 Made the following corrections:
  • Removed spaces before the fuse programming file name in the quartus_pgm commands in Step 3b: Programming the AES Key and Configuring the Encrypted Image Using the Command Line.
  • Changed file name argument to -o "p;my_fuse.fuse" in Step 4 of Canceling Non-Volatile eFuses.
2019.05.07 19.1 Initial release.