Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 7/20/2022

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

5.5. Using Design Security Features with Remote System Update

Remote System Update (RSU) is an Intel Stratix 10 FPGAs feature that assists in updating configuration files in a robust way. RSU is compatible with design security features such as authentication, firmware, co-signing, and bitstream encryption as RSU does not depend on the design contents of configuration bitstreams.

To use design security features with RSU images, you follow the instructions in Generating Remote System Update Image Files Using the Programming File Generator of the Intel Stratix 10 Configuration User Guide to generate RSU images with .sof file inputs. For every .sof file specified on the Input Files tab, you click the Properties... button and specify the appropriate settings and keys for the signing and encryption tools. The programming file generator tool automatically signs and encrypts factory and application images while creating the RSU programming files.

You may build RSU images with .rbf format files as inputs. You must encrypt and sign .rbf format files prior to selecting them as input files for RSU images; however, the RSU boot info .rbf file must not be encrypted, only signed. The Programming File Generator does not support modifying properties of .rbf format files.

The following examples demonstrate the necessary modifications to the commands in the Generating Remote System Update Image Files Using the Programming File Generator of the Intel Stratix 10 Configuration User Guide.

Generating the Initial RSU Image Using .rbf Files: Command Modification

From Generating the Initial RSU Image Using .rbf Files, you modify the commands in Step 1. to enable the design security features as desired using instructions from earlier sections of this document.

In step 2, if you have enabled firmware co-signing, you must use an additional option in the creation of the boot .rbf from the factory image file:
quartus_pfg -c factory.sof boot.rbf -o rsu_boot=ON \

Generating an Application Image: Command Modification

To generate an application image with design security features, you modify the command in Generating an Application Image to use a .rbf with design security features enabled, including co-signed firmware if required, instead of the original application .sof file:
quartus_pfg -c cosigned_fw_signed_encrypted_application.rbf \
secured_rsu_application.rpd -o mode=ASX4 \
-o start_address=<start_address> -o bitswap=ON

Generating a Factory Update Image: Command Modification

To generate an RSU factory update image, you modify the command from Generating a Factory Update Image to use a .rbf file with design security features enabled and add the option to indicate the co-signed firmware usage:
quartus_pfg -c cosigned_fw_signed_encrypted_factory.rbf \
secured_rsu_factory_update.rpd \
-o mode=ASX4 -o start_address=<start_address> \
-o bitswap=ON -o rsu_upgrade=ON \