Intel Agilex® 7 Device Security User Guide

ID 683823
Date 7/07/2023
Document Table of Contents

2.2.3. Signing Configuration Bitstream Using the quartus_sign Command

To sign a configuration bitstream using the quartus_sign command, you first convert the .sof file to the unsigned raw binary file (.rbf) format. You may optionally specify co-signed firmware using the fw_source option during the conversion step.

You can generate the unsigned raw bitstream in .rbf format using the following command:
quartus_pfg –c –o -o sign_later=ON \
design.sof unsigned_bitstream.rbf
Run one of the following commands to sign the bitstream using the quartus_sign tool depending on the location of your keys:
quartus_sign --family=agilex --operation=sign \ 
--qky=design0_sign_chain.qky --pem=design0_sign_private.pem \ 
--cancel=svnA:0 unsigned_bitstream.rbf signed_bitstream.rbf
quartus_sign --family=agilex --operation=sign --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/" --keyname=design0_sign \
--qky=design0_sign_chain.qky \
--cancel=svnA:0 unsigned_bitstream.rbf signed_bitstream.rbf

You may convert signed .rbf files to other configuration bitstream file formats.

For example, if you are using the Jam* Standard Test and Programming Language (STAPL) Player to program a bitstream over JTAG, you use the following command to convert an .rbf file to the .jam format that the Jam STAPL Player requires:
quartus_pfg -c signed_bitstream.rbf signed_bitstream.jam

Did you find the information on this page useful?

Characters remaining:

Feedback Message