Intel Agilex® 7 Device Security User Guide

ID 683823
Date 7/07/2023
Public

4.9.2.1. Intrinsic ID PUF Enrollment

To enroll the PUF, you must use the SDM provision firmware. The provision firmware must be the first firmware loaded after a power cycle, and you must issue the PUF enrollment command before any other command. The provision firmware supports other commands after PUF enrollment, including AES root key wrapping and programming quad SPI. However, you must power cycle the device to load a configuration bitstream.

You use the Intel® Quartus® Prime Programmer to trigger PUF enrollment and generate the PUF helper data .puf file.
Figure 7. Intrinsic ID PUF Enrollment
The Programmer automatically loads a provision firmware helper image when you specify both the i operation and a .puf argument.
quartus_pgm -c 1 -m jtag -o "ei;help_data.puf;AGFB014R24A"
If you are using co-signed firmware, you program the co-signed firmware helper image prior to using the PUF enrollment command.
quartus_pgm -c 1 -m jtag -o "p;signed_provision_helper_image.rbf" --force
quartus_pgm -c 1 -m jtag -o "e;help_data.puf;AGFB014R24A"

The UDS IID PUF is enrolled during device manufacturing, and is not available for re-enrollment. Instead, you use the Programmer to determine the location of the UDS PUF helper data on IPCS, download the .puf file directly, and then use the UDS .puf file in the same way as the .puf file extracted from an Intel Agilex® 7 device.

Use the following Programmer command to generate a text file containing a list of URLs pointing to device-specific files on IPCS:

quartus_pgm -c 1 -m jtag -o "e;ipcs_urls.txt;AGFB014R24B" --ipcs_urls
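
One way to pick the UDS PUF helper data out of the generated URL list before downloading it, shown as an added example that is not part of the Intel guide or its tooling. It assumes ipcs_urls.txt is plain text containing URLs and that you supply the IPCS host name you expect; the host, paths and function names below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Intel's tooling. Assumptions: ipcs_urls.txt is plain text
# with one or more URLs per line, and you supply the IPCS host you expect.

# Constructed sample list; the host and paths are placeholders, not real IPCS URLs.
write_sample() {
    cat > "$1" <<'EOF'
https://ipcs.example.invalid/PLACEHOLDER_DEVICE_ID/uds_helper.puf
https://ipcs.example.invalid/PLACEHOLDER_DEVICE_ID/device_cert.cer
http://ipcs.example.invalid/PLACEHOLDER_DEVICE_ID/uds_helper.puf
https://ipcs.example.invalid.mirror.example/PLACEHOLDER_DEVICE_ID/uds_helper.puf
https://ipcs.example.invalid/PLACEHOLDER_DEVICE_ID/uds_helper.puf
EOF
}

# Print the unique .puf URLs in file $1 that use https and sit on host $2.
# The trailing "/" after the host rejects look-alike hosts and userinfo tricks.
list_puf_urls() {
    grep -oE 'https://[^[:space:]"<>]+' "$1" | sort -u |
    while IFS= read -r url; do
        case "$url" in
            "https://$2/"*.puf) printf '%s\n' "$url" ;;
        esac
    done
}

# Download one accepted URL ($1) to file $2 over TLS only, then print its
# SHA-256 so the helper data used for provisioning can be recorded.
fetch_puf() {
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$2" "$1" &&
        sha256sum "$2"
}

# Demo on the constructed sample: only the first URL passes every check.
demo_list=$(mktemp)
write_sample "$demo_list"
list_puf_urls "$demo_list" ipcs.example.invalid
rm -f "$demo_list"
```

URLs that fail the scheme, host or extension check are dropped without being fetched, so a modified or redirected entry in the list never reaches the download step.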