Intel Agilex® 7 Device Security User Guide

ID 683823
Date 7/07/2023
Document Table of Contents

3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface

You may generate a partially encrypted programming file to finalize encryption and sign the image later. Generate the partially encrypted programming file in the .rbf format with the quartus_pfg command line interface:
quartus_pfg -c -o finalize_encryption_later=ON \ 
-o sign_later=ON top.sof top.rbf 
You use the quartus_encrypt command line tool to finalize bitstream encryption:
quartus_encrypt --family=agilex \  
--operation=ENCRYPT --key=aes_root.qek top.rbf encrypted_top.rbf 
You use the quartus_sign command line tool to sign the encrypted configuration bitstream:
quartus_sign --family=agilex --operation=SIGN \
--qky=design0_sign_chain.qky \ 
--pem=design0_sign_private.pem --cancel=svnA:0 \
encrypted_top.rbf signed_encrypted_top.rbf 
quartus_sign --family=agilex --operation=sign --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/" --keyname=design0_sign \
--qky=design0_sign_chain.qky \
--cancel=svnA:0 encrypted_top.rbf signed_encrypted_top.rbf

Did you find the information on this page useful?

Characters remaining:

Feedback Message