Intel® Agilex™ Device Security User Guide

ID 683823
Date 11/22/2022

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface

You may generate a partially encrypted programming file to finalize encryption and sign the image later. Generate the partially encrypted programming file in the .rbf format with the quartus_pfg command line interface:
quartus_pfg -c -o finalize_encryption_later=ON \ 
-o sign_later=ON top.sof top.rbf 
You use the quartus_encrypt command line tool to finalize bitstream encryption:
quartus_encrypt --family=agilex \  
--operation=ENCRYPT --key=aes_root.qek top.rbf encrypted_top.rbf 
You use the quartus_sign command line tool to sign the encrypted configuration bitstream:
quartus_sign --family=agilex --operation=SIGN \
--qky=design0_sign_chain.qky \ 
--pem=design0_sign_private.pem --cancel=svnA:0 \
encrypted_top.rbf signed_encrypted_top.rbf 
quartus_sign --family=agilex --operation=sign --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/" --keyname=design0_sign \
--qky=design0_sign_chain.qky \
--cancel=svnA:0 encrypted_top.rbf signed_encrypted_top.rbf

Did you find the information on this page useful?

Characters remaining:

Feedback Message