Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 7/20/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

2.2.3. Signing Configuration Bitstream Using the quartus_sign Command

To sign a configuration bitstream using the quartus_sign command, you first convert the .sof file to the unsigned raw binary file (.rbf) format. You may optionally specify co-signed firmware using the fw_source option during the conversion step.

You can generate the unsigned raw bitstream in .rbf format using the following command:
quartus_pfg -c -o fw_source=signed_Stratix10.zip design.sof \
-o sign_later=ON  unsigned_bitstream.rbf
Run one of the following commands to sign the bitstream using the quartus_sign tool depending on the location of your keys:
quartus_sign --family=stratix10 --operation=sign \  
--qky=design0_sign_chain.qky --pem=design0_sign_private.pem \ 
unsigned_bitstream.rbf signed_bitstream.rbf
quartus_sign --family=stratix10 --operation=sign --module=softHSM\
--module_args="--token_label=s10-token --user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname=design0_sign \
--qky=design0_sign_chain.qky unsigned_bitstream.rbf signed_bitstream.rbf

You may convert signed .rbf files to other configuration bitstream file formats.

For example, if you are using the Jam* Standard Test and Programming Language (STAPL) Player to program a bitstream over JTAG, you use the following command to convert an .rbf file to the .jam format that the Jam STAPL Player requires:
quartus_pfg -c signed_bitstream.rbf signed_bitstream.jam