Visible to Intel only — GUID: uam1616562070239
Ixiasoft
1. Intel Stratix 10 Device Security Overview
2. Authentication and Authorization
3. AES Bitstream Encryption
4. Device Provisioning
5. Advanced Features
6. Troubleshooting
7. Intel® Stratix® 10 Device Security User Guide Archives
8. Document Revision History for Intel® Stratix® 10 Device Security User Guide
3.3.1. Configuration Bitstream Encryption Using the Programming File Generator Graphical Interface
3.3.2. Configuration Bitstream Encryption Using the Programming File Generator Command Line Interface
3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface
3.3.4. Partial Reconfiguration Bitstream Encryption
4.1. Using SDM Provision Firmware
4.2. Authentication Root Key Provisioning
4.3. Using QSPI Factory Default Helper Image on Owned Devices
4.4. Programming Key Cancellation ID Fuses
4.5. Security Setting Fuse Provisioning
4.6. AES Root Key Provisioning
4.7. Converting Owner Root Key, AES Root Key Certificates, and Fuse files to Jam STAPL File Formats
6.1. Using Quartus Commands in a Windows Environment Error
6.2. Generating a Private Key Warning
6.3. Adding a Signing Key to the Quartus Project Error
6.4. Generating Quartus Prime Programming File was Unsuccessful
6.5. Unknown Argument Errors
6.6. Bitstream Encryption Option Disabled Error
6.7. Specifying Correct Path to the Key
6.8. Using Unsupported Output File Type
Visible to Intel only — GUID: uam1616562070239
Ixiasoft
3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface
You may generate a partially encrypted programming file to finalize encryption and sign the image later. Generate the partially encrypted programming file in the .rbf format with the quartus_pfg command line interface:
quartus_pfg -c -o finalize_encryption_later=ON \ -o sign_later=ON top.sof top.rbf
You use the quartus_encrypt command line tool to finalize bitstream encryption:
quartus_encrypt --family=stratix10 \ --operation=ENCRYPT --key=aes_root.qek top.rbf encrypted_top.rbf
You use the quartus_sign command line tool to sign the encrypted configuration bitstream:
quartus_sign --family=stratix10 --operation=sign \ --pem=design0_sign_private.pem --qky=design0_sign_chain.qky \ encrypted_top.rbf signed_encrypted_top.rbf
quartus_sign --family=stratix10 --operation=sign --module=softHSM \ --module_args="--token_label=s10-token --user_pin=s10-token-pin \ --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname=design0_sign \ --qky=design0_sign_chain.qky encrypted_top.rbf signed_encrypted_top.rbf