Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Public



2.2.4. Verifying Configuration Bitstream Signature Chains

After you create signature chains and signed bitstreams, you may verify that a signed bitstream correctly configures a device programmed with a given root key. You first use the fuse_info operation of the quartus_sign command to print the hash of the root public key to a text file:
quartus_sign --family=stratix10 --operation=fuse_info public_root.qky hash_fuse.txt
You then use the check_integrity option of the quartus_pfg command to inspect the signature chain on each section of a signed bitstream in .rbf format. The check_integrity option prints the following information:
  • Status of the overall bitstream integrity check.
  • Contents of each entry in each signature chain attached to each section in the bitstream .rbf file.
  • Expected fuse value for the hash of the root public key for each signature chain.
The value from the fuse_info output should match the Fuse lines in the check_integrity output.
quartus_pfg --check_integrity signed_bitstream.rbf 
Here is an example of the check_integrity command output:
Info: Command: quartus_pfg --check_integrity output_file_signed.rbf 
Integrity status: OK 

Section 
Type: CMF 
Signature Descriptor ... 
Signature chain #0 (entries: 3, offset: 96) 
Entry #0 
Fuse: A1B9545C CAC4152D 9511A9AB 321778ED 1180A280 6DC58F2C 
5607433E 02A872E3 F52B2AE5 F7B8BDE0 53FA000D 8FC7AC04 
Generate key ... 
Curve : secp384r1 
X: FC28C88662DF1437DD98E61336467DC9CDA788F22F949D8F488DA755A9F8CC11AEC10006E2 
   6490B3EAB8148E6C8AA8A1 
Y: 95D1EA0FF4C7374B350FDF39CFAE3AD8D0AEA9451EA66B5B1DFD4084DA68BC4DAD3AF5CF37 
   8D7C6FB62A10BA7C512276 
Entry #1 
Generate key ... 
Curve : secp384r1 
X: B11534AA67A30EF884B89819281522F1D0326BBAFF108BC483946717A14F9630C682ECDAE5 
   40FECBADF3E66BC92A110A 
Y: 0ED5F19E6A38D97148CE6F53B679227311198105BD9E1912AD41C075711F6185E1B095DE7F 
   E2F4855851E78F9BF3D2C6 
Entry #2 
Keychain permission: SIGN_CODE 
Keychain can be cancelled by ID: 5 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: IO 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 
Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: HPS 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 

Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: CORE 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 

Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0)
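
One way to automate the comparison of the Fuse lines against the fuse_info hash described above, as an added example that is not part of the Intel guide: the Python below parses check_integrity output, rejoins a Fuse value that wraps onto a second line (as the secp384r1 entry in the sample does), and reports per section whether it matches the expected root hash. The function names are hypothetical, and the expected hash is passed in as a hex string because the layout of hash_fuse.txt is not shown on this page.

```python
import re

# Constructed sample, trimmed from the check_integrity output format shown on this page.
SAMPLE = """\
Integrity status: OK
Section
Type: CMF
Entry #0
Fuse: A1B9545C CAC4152D 9511A9AB 321778ED 1180A280 6DC58F2C
5607433E 02A872E3 F52B2AE5 F7B8BDE0 53FA000D 8FC7AC04
Generate key ...
Section
Type: IO
Entry #0
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F
Generate key ...
"""

# A continuation line consists only of 8-digit hex words.
HEX_WORDS = re.compile(r"^(?:[0-9A-Fa-f]{8}\s*)+$")

def parse_check_integrity(text):
    """Return (integrity_status, [(section_type, fuse_hex), ...])."""
    status, section, fuses, pending = None, None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None and HEX_WORDS.match(line):
            pending[1] += "".join(line.split())  # wrapped hash continues here
            continue
        pending = None
        if line.startswith("Integrity status:"):
            status = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            section = line.split(":", 1)[1].strip()
        elif line.startswith("Fuse:"):
            pending = [section, "".join(line.split(":", 1)[1].split())]
            fuses.append(pending)
    return status, [(s, f.upper()) for s, f in fuses]

def sections_matching_root(text, expected_hash):
    """Map section type -> True if every Fuse value in it equals expected_hash.
    Assumption: expected_hash is the hex hash copied out of hash_fuse.txt."""
    status, fuses = parse_check_integrity(text)
    if status != "OK":
        raise ValueError(f"integrity status is {status!r}, not OK")
    want = "".join(expected_hash.split()).upper()
    result = {}
    for section, fuse in fuses:
        result[section] = result.get(section, True) and fuse == want
    return result
```

In the sample output above, the CMF section carries a different Fuse value than the IO, HPS and CORE sections, so a per-section result is more informative than a single pass/fail.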