Visible to Intel only — GUID: ock1616559126163
Ixiasoft
1. Intel Stratix 10 Device Security Overview
2. Authentication and Authorization
3. AES Bitstream Encryption
4. Device Provisioning
5. Advanced Features
6. Troubleshooting
7. Intel® Stratix® 10 Device Security User Guide Archives
8. Document Revision History for Intel® Stratix® 10 Device Security User Guide
3.3.1. Configuration Bitstream Encryption Using the Programming File Generator Graphical Interface
3.3.2. Configuration Bitstream Encryption Using the Programming File Generator Command Line Interface
3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface
3.3.4. Partial Reconfiguration Bitstream Encryption
4.1. Using SDM Provision Firmware
4.2. Authentication Root Key Provisioning
4.3. Using QSPI Factory Default Helper Image on Owned Devices
4.4. Programming Key Cancellation ID Fuses
4.5. Security Setting Fuse Provisioning
4.6. AES Root Key Provisioning
4.7. Converting Owner Root Key, AES Root Key Certificates, and Fuse files to Jam STAPL File Formats
6.1. Using Quartus Commands in a Windows Environment Error
6.2. Generating a Private Key Warning
6.3. Adding a Signing Key to the Quartus Project Error
6.4. Generating Quartus Prime Programming File was Unsuccessful
6.5. Unknown Argument Errors
6.6. Bitstream Encryption Option Disabled Error
6.7. Specifying Correct Path to the Key
6.8. Using Unsupported Output File Type
Visible to Intel only — GUID: ock1616559126163
Ixiasoft
2.2.3. Signing Configuration Bitstream Using the quartus_sign Command
To sign a configuration bitstream using the quartus_sign command, you first convert the .sof file to the unsigned raw binary file (.rbf) format. You may optionally specify co-signed firmware using the fw_source option during the conversion step.
You can generate the unsigned raw bitstream in .rbf format using the following command:
quartus_pfg -c -o fw_source=signed_Stratix10.zip design.sof \ -o sign_later=ON unsigned_bitstream.rbf
Run one of the following commands to sign the bitstream using the quartus_sign tool depending on the location of your keys:
quartus_sign --family=stratix10 --operation=sign \ --qky=design0_sign_chain.qky --pem=design0_sign_private.pem \ unsigned_bitstream.rbf signed_bitstream.rbf
quartus_sign --family=stratix10 --operation=sign --module=softHSM\ --module_args="--token_label=s10-token --user_pin=s10-token-pin \ --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname=design0_sign \ --qky=design0_sign_chain.qky unsigned_bitstream.rbf signed_bitstream.rbf
You may convert signed .rbf files to other configuration bitstream file formats.
For example, if you are using the Jam* Standard Test and Programming Language (STAPL) Player to program a bitstream over JTAG, you use the following command to convert an .rbf file to the .jam format that the Jam STAPL Player requires:
quartus_pfg -c signed_bitstream.rbf signed_bitstream.jam