Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Public



4.5. Security Setting Fuse Provisioning

You use the Intel® Quartus® Prime Programmer to examine device security setting fuses and write them to a text-based .fuse file.
quartus_pgm -c 1 -m jtag -o "ei;programming_file.fuse;1SX280LH2"

The .fuse file contains a list of fuse name-value pairs. The value specifies whether a fuse has been blown or the contents of the fuse field.

The following example shows the format of the .fuse file.
# Co-signed firmware                       = "Not blown" 
# Device not secure                        = "Not blown" 
# Disable HPS debug                        = "Not blown" 
# Disable Intrinsic ID PUF enrollment      = "Not blown" 
# Disable JTAG                             = "Not blown" 
# Disable PUF-wrapped encryption key       = "Not blown" 
# Disable owner encryption key in BBRAM    = "Not blown" 
# Disable owner encryption key in eFuses   = "Not blown" 
# Disable virtual eFuses                   = "Not blown" 
# Force SDM clock to internal oscillator   = "Not blown" 
# Force encryption key update              = "Not blown" 
# Intel key cancellation                   = "1" 
# Lock security eFuses                     = "Not blown" 
# Owner encryption key program done        = "Not blown" 
# Owner encryption key program start       = "Not blown" 
# Owner fuses                              = 
 "0x00000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000" 
# Owner key cancellation                   = "" 
# Owner public key hash                    = "" 
# Owner public key size                    = "" 
# QSPI start up delay                      = "10ms" 
# RMA Counter                              = "0" 
# SDMIO0 is I2C                            = "Not blown"
You modify the .fuse file to set the desired security setting fuses. A line that begins with # is treated as a comment line. To program a security setting fuse, you must remove the leading # and set the value to Blown. For example, to enable the Co-signed Firmware security setting fuse, you modify the first line of the fuse file to the following:
Co-signed firmware = "Blown"

You may also allocate and program the Owner Fuses according to your requirements.

The following fields are not writable through the .fuse file method; however, they are included during the examine operation output for verification:
  • Device not secure
  • Intel key cancellation
  • Owner encryption key program start
  • Owner encryption key program done
  • Owner key cancellation
  • Owner public key hash
  • Owner public key size
  • QSPI start up delay
  • RMA counter
  • SDMIO0 is I2C
You use the Intel® Quartus® Prime Programmer to program the .fuse file back to the device. If you add the i option, the Programmer automatically loads the provision firmware to program the security setting fuses.
//For physical (non-volatile) eFuses 
quartus_pgm -c 1 -m jtag -o "pi;programming_file.fuse" --non_volatile_key
//For virtual (volatile) eFuses 
quartus_pgm -c 1 -m jtag -o "pi;programming_file.fuse"
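
Before running either programming command above, an edited .fuse file can be checked offline. The following is an added example, not Intel code: it parses the name-value format shown earlier, lists which fuses the uncommented lines will blow, and flags uncommented fields that the guide lists as not writable. It assumes a quoted value may wrap across lines (as the Owner fuses value does in the listing) and that only the exact value "Blown" is accepted for single-bit fuses; the function names and the sample are constructed for illustration.

```python
import re

# Fields the page lists as not writable through the .fuse file method.
READ_ONLY = {
    "device not secure", "intel key cancellation",
    "owner encryption key program start", "owner encryption key program done",
    "owner key cancellation", "owner public key hash", "owner public key size",
    "qspi start up delay", "rma counter", "sdmio0 is i2c",
}
# name = "value"; a leading '#' marks a comment line. Assumption: a quoted value
# may wrap across lines, as the Owner fuses value does in the page's listing.
ENTRY = re.compile(r'^[ \t]*(#?)[ \t]*([^=#\n]+?)[ \t]*=\s*"([^"]*)"', re.M)

def parse_fuse(text):
    """Return (active, commented) dicts mapping fuse name -> value."""
    active, commented = {}, {}
    for hashmark, name, value in ENTRY.findall(text):
        if "\n" in value:                      # re-join a wrapped value
            value = re.sub(r"\s+", "", value)
        (commented if hashmark else active)[name] = value
    return active, commented

def review(text):
    """Return (fuses that will be blown, problems) for the uncommented lines."""
    active, _ = parse_fuse(text)
    to_blow, problems = [], []
    for name, value in active.items():
        if name.lower() in READ_ONLY:
            problems.append(f"{name}: not writable through the .fuse file")
        elif name.lower() == "owner fuses":
            if not re.fullmatch(r"0x[0-9A-Fa-f]+", value):
                problems.append(f"{name}: expected a hex string, got {value!r}")
        elif value == "Blown":
            to_blow.append(name)
        else:  # assumption: only the exact value "Blown" is accepted
            problems.append(f'{name}: expected "Blown", got {value!r}')
    return sorted(to_blow), problems

# Constructed sample: an edited excerpt containing two mistakes.
SAMPLE = '''Co-signed firmware                       = "Blown"
# Device not secure                        = "Not blown"
Disable JTAG                             = "blown"
RMA Counter                              = "1"
Owner fuses                              =
 "0x0000
    00FF"
'''

if __name__ == "__main__":
    print(review(SAMPLE))
```

Running the check against the file produced by the examine operation, after editing, gives a reviewable list of what will change before the `--non_volatile_key` form is used.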