Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 7/20/2022
Public


3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface

You may generate a partially encrypted programming file to finalize encryption and sign the image at a later time. Generate the partially encrypted programming file in the .rbf format with the quartus_pfg command line interface:
quartus_pfg -c -o finalize_encryption_later=ON \
-o sign_later=ON top.sof top.rbf
You use the quartus_encrypt command line tool to finalize bitstream encryption:
quartus_encrypt --family=stratix10 \
--operation=ENCRYPT --key=aes_root.qek top.rbf encrypted_top.rbf
You use the quartus_sign command line tool to sign the encrypted configuration bitstream. To sign with a private key stored in a PEM file:
quartus_sign --family=stratix10 --operation=sign \
--pem=design0_sign_private.pem --qky=design0_sign_chain.qky \
encrypted_top.rbf signed_encrypted_top.rbf
To sign with a key held in a PKCS #11 token (softHSM in this example):
quartus_sign --family=stratix10 --operation=sign --module=softHSM \
--module_args="--token_label=s10-token --user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname=design0_sign \
--qky=design0_sign_chain.qky encrypted_top.rbf signed_encrypted_top.rbf
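
The three steps above chained with hand-off checks, as an added example that is not part of the Intel guide: each stage records a SHA-256 of its output, and the next stage verifies that hash and the key file's permissions before it runs. It assumes the stages may run on separate hosts and that GNU coreutils is available; the manifest name and the helper function names are hypothetical, not Quartus features.

```shell
#!/bin/sh
# Added example: hand-off checks around the page's three commands.
# MANIFEST and all function names are hypothetical, not Quartus features.
set -eu
MANIFEST=${MANIFEST:-handoff.sha256}   # assumed name; travels with the .rbf files

# True when group and others have no access to a key file (GNU stat assumed).
key_is_private() (
  mode=$(stat -c '%a' "$1") || exit 1
  case $mode in *00|0) exit 0 ;; *) exit 1 ;; esac
)

# Append the SHA-256 of a stage output to the manifest.
record_stage() { sha256sum "$1" >> "$MANIFEST"; }

# True when the file matches its most recent manifest entry.
verify_stage() (
  want=$(awk -v f="$1" '$2 == f { h = $1 } END { print h }' "$MANIFEST")
  have=$(sha256sum "$1" | cut -d' ' -f1)
  [ -n "$want" ] && [ "$want" = "$have" ]
)

# Build host: needs no key material.
stage_generate() {
  quartus_pfg -c -o finalize_encryption_later=ON \
    -o sign_later=ON top.sof top.rbf
  record_stage top.rbf
}

# Encryption host: holds aes_root.qek.
stage_encrypt() {
  verify_stage top.rbf || { echo "top.rbf differs from manifest" >&2; return 1; }
  key_is_private aes_root.qek || { echo "aes_root.qek is too permissive" >&2; return 1; }
  quartus_encrypt --family=stratix10 \
    --operation=ENCRYPT --key=aes_root.qek top.rbf encrypted_top.rbf
  record_stage encrypted_top.rbf
}

# Signing host: holds design0_sign_private.pem.
stage_sign() {
  verify_stage encrypted_top.rbf || { echo "encrypted_top.rbf differs from manifest" >&2; return 1; }
  key_is_private design0_sign_private.pem || { echo "signing key is too permissive" >&2; return 1; }
  quartus_sign --family=stratix10 --operation=sign \
    --pem=design0_sign_private.pem --qky=design0_sign_chain.qky \
    encrypted_top.rbf signed_encrypted_top.rbf
  record_stage signed_encrypted_top.rbf
}
```

Each stage function is meant to be called on the host that holds the matching key, with the manifest copied along with the .rbf file.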