Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Public
Download
Document Table of Contents

2.2.4. Verifying Configuration Bitstream Signature Chains

After you create signature chains and signed bitstreams, you may verify that a signed bitstream correctly configures a device programmed with a given root key. You first use the fuse_info operation of the quartus_sign command to print the hash of the root public key to a text file:
quartus_sign --family=stratix10 --operation=fuse_info public_root.qky hash_fuse.txt
You then use the check_integrity option of the quartus_pfg command to inspect the signature chain on each section of a signed bitstream in .rbf format. The check_integrity option prints the following information:
  • Status of the overall bitstream integrity check
  • Contents of each entry in each signature chain attached to each section in the bitstream .rbf file,
  • Expected fuse value for the hash of the root public key for each signature chain.
The value from the fuse_info output should match the Fuse lines in the check_integrity output.
quartus_pfg --check_integrity signed_bitstream.rbf 
Here is an example of the check_integrity command output:
Info: Command: quartus_pfg --check_integrity output_file_signed.rbf 
Integrity status: OK 

Section 
Type: CMF 
Signature Descriptor ... 
Signature chain #0 (entries: 3, offset: 96) 
Entry #0 
Fuse: A1B9545C CAC4152D 9511A9AB 321778ED 1180A280 6DC58F2C 
5607433E 02A872E3 F52B2AE5 F7B8BDE0 53FA000D 8FC7AC04 
Generate key ... 
Curve : secp384r1 
X: FC28C88662DF1437DD98E61336467DC9CDA788F22F949D8F488DA755A9F8CC11AEC10006E2 
   6490B3EAB8148E6C8AA8A1 
Y: 95D1EA0FF4C7374B350FDF39CFAE3AD8D0AEA9451EA66B5B1DFD4084DA68BC4DAD3AF5CF37 
   8D7C6FB62A10BA7C512276 
Entry #1 
Generate key ... 
Curve : secp384r1 
X: B11534AA67A30EF884B89819281522F1D0326BBAFF108BC483946717A14F9630C682ECDAE5 
   40FECBADF3E66BC92A110A 
Y: 0ED5F19E6A38D97148CE6F53B679227311198105BD9E1912AD41C075711F6185E1B095DE7F 
   E2F4855851E78F9BF3D2C6 
Entry #2 
Keychain permission: SIGN_CODE 
Keychain can be cancelled by ID: 5 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: IO 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 
Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: HPS 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 

Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: CORE 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 

Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0)

Did you find the information on this page useful?

Characters remaining:

Feedback Message