Intel® Agilex™ Device Security User Guide

ID 683823
Date 1/20/2022
Public



4.9.2.3. Programming Helper Data and Wrapped Key to QSPI Flash Memory

You use the Quartus Programming File Generator graphical interface to build an initial QSPI flash image containing a PUF partition. You must generate and program an entire flash programming image to add a PUF partition to the QSPI flash. Creation of the PUF data partition and use of the PUF helper data and wrapped key files for flash image generation is not supported through the Programming File Generator command line interface.

The following steps demonstrate building a flash programming image with the PUF helper data and wrapped key:

  1. On the File menu, click Programming File Generator. On the Output Files tab make the following selections:
    1. For Device Family select Agilex.
    2. For Configuration mode select Active Serial x4.
    3. For Output directory browse to your output file directory. This example uses output_files.
    4. For Name, specify a name for the programming file to be generated. This example uses output_file.
    5. Under Description select the programming files to generate. This example generates the JTAG Indirect Configuration File (.jic) for device configuration and the Raw Binary File of Programming Helper Image (.rbf) for the device helper image. This example also selects the optional Memory Map File (.map) and Raw Programming Data File (.rpd). The raw programming data file is necessary only if you plan to use a third-party programmer in the future.
      Figure 9. Programming File Generator - Output Files Tab - Select JTAG Indirect Configuration

On the Input Files tab, make the following selections:

  1. Click Add Bitstream and browse to your .sof.
  2. Select your .sof file and then click Properties.
    1. Turn On Enable signing tool.
    2. For Private key file select your .pem file.
    3. Turn On Finalize encryption.
    4. For Encryption key file select your .qek file.
    5. Click OK to return to the prior window.
  3. To specify your PUF helper data file, click Add Raw Data. Change the Files of type drop-down menu to Quartus Physical Unclonable Function File (*.puf). Browse to your .puf file.
  4. To specify your wrapped AES key file, click Add Raw Data. Change the Files of type drop-down menu to Quartus Wrapped Key File (*.wkey). Browse to your .wkey file.
    Figure 10. Specify Input Files for Configuration, Authentication, and Encryption

On the Configuration Device tab, make the following selections:

  1. Click Add Device and select your flash device from the list of available flash devices.
  2. Select the configuration device you have just added and click Add Partition.
  3. In the Edit Partition dialog box, for Input file select your .sof from the drop-down list. You can retain the defaults or edit the other parameters in the Edit Partition dialog box.
    Figure 11. Specifying your .sof Configuration Bitstream Partition
  4. When you add the .puf and .wkey as input files, the Programming File Generator automatically creates a PUF partition in your Configuration Device. To store the .puf and .wkey in the PUF partition, select the PUF partition and click Edit. In the Edit Partition dialog box, select your .puf and .wkey files from the drop-down lists. If you remove the PUF partition, you must remove and re-add the configuration device for the Programming File Generator to create another PUF partition.
    Figure 12. Add the .puf and .wkey files to the PUF Partition
  5. For the Flash Loader parameter select the Intel® Agilex® device family and device name that matches your Intel® Agilex® OPN.
  6. Click Generate to generate the output files that you specified on the Output Files tab.
  7. The Programming File Generator reads your .qek file and prompts you for your passphrase. Type your passphrase in response to the Enter QEK passphrase prompt and press Enter.
  8. Click OK when the Programming File Generator reports successful generation.

You use the Intel® Quartus® Prime Programmer to write the QSPI programming image to QSPI flash memory.

  1. On the Intel® Quartus® Prime Tools menu select Programmer.
  2. In the Programmer, click Hardware Setup and then select a connected Intel® FPGA Download Cable.
  3. Click Add File and browse to your .jic file.
    Figure 13. Program .jic
  4. Unselect the box associated with the Helper image.
  5. Select Program/Configure for the .jic output file.
  6. Click Start to program your quad SPI flash memory.
  7. Power cycle your board. The design programmed to the quad SPI flash memory device subsequently loads into the target FPGA.

You must generate and program an entire flash programming image to add a PUF partition to the quad SPI flash.

When a PUF partition already exists in the flash, it is possible to use the Intel® Quartus® Prime Programmer to directly access the PUF helper data and wrapped key files. For example, if activation is unsuccessful, it is possible to re-enroll the PUF, re-wrap the AES key, and subsequently only program the PUF files without having to overwrite the entire flash.

The Intel® Quartus® Prime Programmer supports the following operation arguments for PUF files in a pre-existing PUF partition:
  • p: program
  • v: verify
  • r: erase
  • b: blank check
You must follow the same restrictions for PUF enrollment, even if a PUF partition already exists.

  1. Use the i operation argument to load the provision firmware helper image for the first operation. For example, the following command sequence re-enrolls the PUF, re-wraps the AES root key, erases the old PUF helper data and wrapped key, then programs and verifies the new PUF helper data and wrapped AES root key.
    # Load the provision firmware helper image (i) and re-enroll the PUF (e)
    quartus_pgm -c 1 -m jtag -o "ei;new.puf;AFGB014R24A"
    # Re-wrap the AES root key using the signed certificate file
    quartus_pgm -c 1 -m jtag --ccert_file=signed_aes.ccert \
    -o "e;new.wkey;AFGB014R24A"
    # Erase (r) the old helper data and wrapped key from the PUF partition
    quartus_pgm -c 1 -m jtag -o "r;old.puf"
    quartus_pgm -c 1 -m jtag -o "r;old.wkey"
    # Program (p) the new helper data and wrapped key
    quartus_pgm -c 1 -m jtag -o "p;new.puf"
    quartus_pgm -c 1 -m jtag -o "p;new.wkey"
    # Verify (v) that the flash contents match the new files
    quartus_pgm -c 1 -m jtag -o "v;new.puf"
    quartus_pgm -c 1 -m jtag -o "v;new.wkey"
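The re-provisioning sequence above is easy to get wrong when typed by hand, so the following added script (not part of the Intel guide) runs the same quartus_pgm steps in order and stops at the first failure, so the old helper data and wrapped key are erased only after the new enrollment and key wrap have succeeded, and success is reported only after both verify steps pass. It assumes quartus_pgm is on PATH (override with QUARTUS_PGM); the cable index, file names and device OPN are the caller's arguments.

```shell
#!/bin/sh
# Added example, not from the Intel guide: re-provision the PUF helper data
# and wrapped key in an existing PUF partition. Assumes quartus_pgm is on
# PATH (or named in QUARTUS_PGM); the operation arguments are those listed
# in the guide (i, e, r, p, v).

PGM="${QUARTUS_PGM:-quartus_pgm}"

# pgm_step <description> <quartus_pgm args...>
# Runs one quartus_pgm invocation and returns its exit status.
pgm_step() {
    desc="$1"; shift
    echo "== $desc"
    "$PGM" "$@"
}

# puf_reprovision <cable> <opn> <new.puf> <new.wkey> <old.puf> <old.wkey> <ccert>
# Returns 0 only when every step, including final verification, succeeded;
# a non-zero return tells the caller which phase failed (1..5).
puf_reprovision() {
    cable="$1"; opn="$2"; new_puf="$3"; new_wkey="$4"
    old_puf="$5"; old_wkey="$6"; ccert="$7"
    # Phase 1: load the provision firmware helper image (i) and re-enroll the PUF (e).
    pgm_step "enroll PUF" -c "$cable" -m jtag -o "ei;$new_puf;$opn" || return 1
    # Phase 2: re-wrap the AES root key, passing the signed certificate file.
    pgm_step "wrap AES root key" -c "$cable" -m jtag --ccert_file="$ccert" \
        -o "e;$new_wkey;$opn" || return 2
    # Phase 3: only now erase (r) the old helper data and wrapped key.
    pgm_step "erase old .puf"  -c "$cable" -m jtag -o "r;$old_puf"  || return 3
    pgm_step "erase old .wkey" -c "$cable" -m jtag -o "r;$old_wkey" || return 3
    # Phase 4: program (p) the new files.
    pgm_step "program .puf"  -c "$cable" -m jtag -o "p;$new_puf"  || return 4
    pgm_step "program .wkey" -c "$cable" -m jtag -o "p;$new_wkey" || return 4
    # Phase 5: verify (v) that flash contents match the new files.
    pgm_step "verify .puf"  -c "$cable" -m jtag -o "v;$new_puf"  || return 5
    pgm_step "verify .wkey" -c "$cable" -m jtag -o "v;$new_wkey" || return 5
}

# Example invocation matching the guide's command sequence (cable 1, OPN AFGB014R24A):
# puf_reprovision 1 AFGB014R24A new.puf new.wkey old.puf old.wkey signed_aes.ccert
```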