Intel® Stratix® 10 Device Security User Guide

Download PDF
ID 683642
Date 7/14/2023
Public
Document Table of Contents
Document Table of Contents x
1. Intel Stratix 10 Device Security Overview 2. Authentication and Authorization 3. AES Bitstream Encryption 4. Device Provisioning 5. Advanced Features 6. Troubleshooting 7. Intel® Stratix® 10 Device Security User Guide Archives 8. Document Revision History for Intel® Stratix® 10 Device Security User Guide
1. Intel Stratix 10 Device Security Overview x
1.1. Commitment to Product Security
2. Authentication and Authorization x
2.1. Creating a Signature Chain 2.2. Signing a Configuration Bitstream
2.1. Creating a Signature Chain x
2.1.1. Creating Authentication Key Pairs on the Local File System 2.1.2. Creating Authentication Key Pairs in SoftHSM 2.1.3. Creating the Signature Chain Root Entry 2.1.4. Creating a Signature Chain Public Key Entry
2.2. Signing a Configuration Bitstream x
2.2.1. Quartus Key File Assignment 2.2.2. Co-Signing SDM Firmware 2.2.3. Signing Configuration Bitstream Using the quartus_sign Command 2.2.4. Verifying Configuration Bitstream Signature Chains
3. AES Bitstream Encryption x
3.1. Creating the AES Root Key 3.2. Quartus Encryption Settings 3.3. Encrypting a Configuration Bitstream
3.3. Encrypting a Configuration Bitstream x
3.3.1. Configuration Bitstream Encryption Using the Programming File Generator Graphical Interface 3.3.2. Configuration Bitstream Encryption Using the Programming File Generator Command Line Interface 3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface 3.3.4. Partial Reconfiguration Bitstream Encryption
4. Device Provisioning x
4.1. Using SDM Provision Firmware 4.2. Authentication Root Key Provisioning 4.3. Using QSPI Factory Default Helper Image on Owned Devices 4.4. Programming Key Cancellation ID Fuses 4.5. Security Setting Fuse Provisioning 4.6. AES Root Key Provisioning 4.7. Converting Owner Root Key, AES Root Key Certificates, and Fuse files to Jam STAPL File Formats
4.6. AES Root Key Provisioning x
4.6.1. AES Root Key Compact Certificate 4.6.2. Intrinsic ID® PUF AES Root Key Provisioning 4.6.3. Black Key Provisioning
4.6.2. Intrinsic ID® PUF AES Root Key Provisioning x
4.6.2.1. Intrinsic ID PUF Enrollment 4.6.2.2. Wrapping the AES Root Key 4.6.2.3. Programming Helper Data and Wrapped Key to QSPI Flash Memory 4.6.2.4. Querying Intrinsic ID PUF Activation Status 4.6.2.5. Location of the PUF in Flash Memory
4.6.3. Black Key Provisioning x
4.6.3.1. Black Key Provisioning Options
5. Advanced Features x
5.1. Secure Debug Authorization 5.2. HPS Debug Certificates 5.3. Platform Attestation 5.4. Physical Anti-Tamper 5.5. Using Design Security Features with Remote System Update 5.6. Bitstream Security Settings
5.4. Physical Anti-Tamper x
5.4.1. Anti-Tamper Responses 5.4.2. Anti-Tamper Detection 5.4.3. Anti-Tamper Lite Intel® FPGA IP
5.4.3. Anti-Tamper Lite Intel® FPGA IP x
5.4.3.1. Release Information
5.6. Bitstream Security Settings x
5.6.1. Selecting and Enabling Security Options
6. Troubleshooting x
6.1. Using Quartus Commands in a Windows Environment Error 6.2. Generating a Private Key Warning 6.3. Adding a Signing Key to the Quartus Project Error 6.4. Generating Quartus Prime Programming File was Unsuccessful 6.5. Unknown Argument Errors 6.6. Bitstream Encryption Option Disabled Error 6.7. Specifying Correct Path to the Key 6.8. Using Unsupported Output File Type
1. Intel Stratix 10 Device Security Overview
2. Authentication and Authorization
3. AES Bitstream Encryption
4. Device Provisioning
5. Advanced Features
6. Troubleshooting
7. Intel® Stratix® 10 Device Security User Guide Archives
8. Document Revision History for Intel® Stratix® 10 Device Security User Guide

2.2.4. Verifying Configuration Bitstream Signature Chains

After you create signature chains and signed bitstreams, you may verify that a signed bitstream correctly configures a device programmed with a given root key. You first use the fuse_info operation of the quartus_sign command to print the hash of the root public key to a text file: 
quartus_sign --family=stratix10 --operation=fuse_info public_root.qky hash_fuse.txt
You then use the check_integrity option of the quartus_pfg command to inspect the signature chain on each section of a signed bitstream in .rbf format. The check_integrity option prints the following information:
  • Status of the overall bitstream integrity check
  • Contents of each entry in each signature chain attached to each section in the bitstream .rbf file,
  • Expected fuse value for the hash of the root public key for each signature chain.
The value from the fuse_info output should match the Fuse lines in the check_integrity output. 
quartus_pfg --check_integrity signed_bitstream.rbf
Here is an example of the check_integrity command output: 
Info: Command: quartus_pfg --check_integrity output_file_signed.rbf 
Integrity status: OK 

Section 
Type: CMF 
Signature Descriptor ... 
Signature chain #0 (entries: 3, offset: 96) 
Entry #0 
Fuse: A1B9545C CAC4152D 9511A9AB 321778ED 1180A280 6DC58F2C 
5607433E 02A872E3 F52B2AE5 F7B8BDE0 53FA000D 8FC7AC04 
Generate key ... 
Curve : secp384r1 
X: FC28C88662DF1437DD98E61336467DC9CDA788F22F949D8F488DA755A9F8CC11AEC10006E2 
   6490B3EAB8148E6C8AA8A1 
Y: 95D1EA0FF4C7374B350FDF39CFAE3AD8D0AEA9451EA66B5B1DFD4084DA68BC4DAD3AF5CF37 
   8D7C6FB62A10BA7C512276 
Entry #1 
Generate key ... 
Curve : secp384r1 
X: B11534AA67A30EF884B89819281522F1D0326BBAFF108BC483946717A14F9630C682ECDAE5 
   40FECBADF3E66BC92A110A 
Y: 0ED5F19E6A38D97148CE6F53B679227311198105BD9E1912AD41C075711F6185E1B095DE7F 
   E2F4855851E78F9BF3D2C6 
Entry #2 
Keychain permission: SIGN_CODE 
Keychain can be cancelled by ID: 5 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: IO 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 
Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: HPS 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 

Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0) 

Section 
Type: CORE 
Signature Descriptor ... 
Signature chain #0 (entries: 5, offset: 96) 

Entry #0 
Fuse: 46D2D1CD 666F6FA3 8CA6DF11 F09F1E84 41162254 D5E811F0 0B72B678 52D29F2F 
Generate key ... 
Curve : prime256v1 
X: DD4E3FB89EC29E0F2C9435A8D74E0780F2282367EABF4F84FD207A80EFDA1552 
Y: 9A8A74E440002AE72FF67716FE889C49DD5D0FD4FBC7195324DE267BFF06FF49 

Entry #1 
Generate key ... 
Curve : prime256v1 
X: 7EF9D2C6D246339E6D58B937D4127F83FF590B64663FEC316A418847AAA82505 
Y: 29EE71EAFC4CDBB99414C2673EA7AD44B4EE4442E803D350590DA0D95A0F2EF5 

Entry #2 
Generate key ... 
Curve : prime256v1 
X: 3A9083FF4B91136EAC43041916C2E1FC887397ABCEA017DE42AF143DBEA17ED8 
Y: 4DDDD1670C3F846EFFC4B071BC8D291FD9477EE035AD9C46B696DD20F5702809 

Entry #3 
Generate key ... 
Curve : prime256v1 
X: 8A1FBB3D3F0E5961E7FFF7D8E94AFD1836752169A9E66B79BB5861BBDA79E53F 
Y: 361FE17E8C73DE0FB4277480FAED32363A3C134DD27D6961E6F046222F06D600 

Entry #4 
Keychain permission: SIGN_CORE, SIGN_HPS 
Keychain can be cancelled by ID: 0, 0, 0 
Signature chain #1 (entries: 0, offset: 0) 
Signature chain #2 (entries: 0, offset: 0) 
Signature chain #3 (entries: 0, offset: 0)
Level Two Title