Intel Agilex® 7 Device Security User Guide

ID 683823
Date 7/07/2023
Public

2.2.5. Verifying Configuration Bitstream Signature Chains

After you create signature chains and signed bitstreams, you can verify that a signed bitstream correctly configures a device programmed with a given root key. First, use the fuse_info operation of the quartus_sign command to print the hash of the root public key to a text file:
quartus_sign --family=agilex --operation=fuse_info root0.qky hash_fuse.txt
You then use the check_integrity option of the quartus_pfg command to inspect the signature chain on each section of a signed bitstream in .rbf format. The check_integrity option prints the following information:
  • Status of the overall bitstream integrity check.
  • Contents of each entry in each signature chain attached to each section in the bitstream .rbf file.
  • Expected fuse value for the hash of the root public key for each signature chain.
The value from the fuse_info output should match the Fuse lines in the check_integrity output.
quartus_pfg --check_integrity signed_bitstream.rbf 
Here is an example of the check_integrity command output:
Info: Command: quartus_pfg --check_integrity signed_bitstream.rbf
Integrity status: OK

Section
Type: CMF
Signature Descriptor ...
Signature chain #0 (entries: -1, offset: 96)
Entry #0
Fuse: 34FD3B5F 7829001F DE2A24C7 3A7EAE29 C7786DB1 D6D5BC3C 52741C79
      72978B22 0731B082 6F596899 40F32048 AD766A24
Generate key ...
Curve : secp384r1
X     : 29C39C3064AE594A36DAA85602D6AF0B278CBB0B207C4D97CFB6967961E5F0ECA
        456FF53F5DBB3A69E48A042C62AB6B0
Y     : 3E81D40CBBBEAC13601247A9D53F4A831308A24CA0BDFFA40351EE76438C7B5D2
        2826F7E94A169023AFAE1D1DF4A31C2
Generate key ...
Curve : secp384r1
X     : 29C39C3064AE594A36DAA85602D6AF0B278CBB0B207C4D97CFB6967961E5F0ECA
        456FF53F5DBB3A69E48A042C62AB6B0
Y     : 3E81D40CBBBEAC13601247A9D53F4A831308A24CA0BDFFA40351EE76438C7B5D2
        2826F7E94A169023AFAE1D1DF4A31C2

Entry #1
Generate key ...
Curve : secp384r1
X     : 015290C556F1533E5631322953E2F9E91258472F43EC954E05D6A4B63D611E04B
        C120C7E7A744C357346B424D52100A9
Y     : 68696DEAC4773FF3D5A16A4261975424AAB4248196CF5142858E016242FB82BC5
        08A80F3FE7F156DEF0AE5FD95BDFE05

Entry #2
Keychain permission: SIGN_CODE
Keychain can be cancelled by ID: 3
Signature chain #1 (entries: -1, offset: 648)

Entry #0
Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6
      DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD

Entry #1
Generate key ...
Curve : secp384r1
X     : 1E8FBEDC486C2F3161AFEB028D0C4B426258293058CD41358A164C1B1D60E5C1D
        74D982BC20A4772ABCD0A1848E9DC96
Y     : 768F1BF95B37A3CC2FFCEEB071DD456D14B84F1B9BFF780FC5A72A0D3BE5EB51D
        0DA7C6B53D83CF8A775A8340BD5A5DB

Entry #2
Generate key ...
Curve : secp384r1
X     : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432
        76896E771A9C6CA5A2D3C08CF4CB83C
Y     : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1
        49F91CABA72F6A3A1C2D1990CDAEA3D

Entry #3
Keychain permission: SIGN_CODE
Keychain can be cancelled by ID: 15
Signature chain #2 (entries: -1, offset: 0)
Signature chain #3 (entries: -1, offset: 0)
Signature chain #4 (entries: -1, offset: 0)
Signature chain #5 (entries: -1, offset: 0)
Signature chain #6 (entries: -1, offset: 0)
Signature chain #7 (entries: -1, offset: 0)

Section
Type: IO
Signature Descriptor ...
Signature chain #0 (entries: -1, offset: 96)

Entry #0
Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6 
      DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD

Entry #1
Generate key ...
Curve : secp384r1
X     : 646B51F668D8CC365D72B89BA8082FDE79B00CDB750DA0C984DC5891CDF57BD21
        44758CA747B1A8315024A8247F12E51
Y     : 53513118E25E16151FD55D7ECDE8293AF6C98A74D52E0DA2527948A64FABDFE7C
        F4EA8B8E229218D38A869EE15476750

Entry #2
Generate key ...
Curve : secp384r1
X     : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432
        76896E771A9C6CA5A2D3C08CF4CB83C
Y     : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1
        49F91CABA72F6A3A1C2D1990CDAEA3D

Entry #3
Keychain permission: SIGN_CORE
Keychain can be cancelled by ID: 15
Signature chain #1 (entries: -1, offset: 0)
Signature chain #2 (entries: -1, offset: 0)
Signature chain #3 (entries: -1, offset: 0)
Signature chain #4 (entries: -1, offset: 0)
Signature chain #5 (entries: -1, offset: 0)
Signature chain #6 (entries: -1, offset: 0)
Signature chain #7 (entries: -1, offset: 0)

Section
Type: HPS
Signature Descriptor ...
Signature chain #0 (entries: -1, offset: 96)
Entry #0
Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6 
      DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD

Entry #1
Generate key ...
Curve : secp384r1
X     : FAF423E08FB08D09F926AB66705EB1843C7C82A4391D3049A35E0C5F17ACB1A30
        09CE3F486200940E81D02E2F385D150
Y     : 397C0DA2F8DD6447C52048CD0FF7D5CCA7F169C711367E9B81E1E6C1E8CD9134E
        5AC33EE6D388B1A895AC07B86155E9D

Entry #2
Generate key ...
Curve : secp384r1
X     : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432
        76896E771A9C6CA5A2D3C08CF4CB83C
Y     : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1
        49F91CABA72F6A3A1C2D1990CDAEA3D

Entry #3
Keychain permission: SIGN_HPS
Keychain can be cancelled by ID: 15
Signature chain #1 (entries: -1, offset: 0)
Signature chain #2 (entries: -1, offset: 0)
Signature chain #3 (entries: -1, offset: 0)
Signature chain #4 (entries: -1, offset: 0)
Signature chain #5 (entries: -1, offset: 0)
Signature chain #6 (entries: -1, offset: 0)
Signature chain #7 (entries: -1, offset: 0)

Section
Type: CORE
Signature Descriptor ...
Signature chain #0 (entries: -1, offset: 96)

Entry #0
Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6 
      DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD
Generate key ...
Curve : secp384r1
X     : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765
        0411C4592FAFFC71DE36A105B054781
Y     : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8
        6B7312EEE8241189474262629501FCD

Entry #1
Generate key ...
Curve : secp384r1
X     : 646B51F668D8CC365D72B89BA8082FDE79B00CDB750DA0C984DC5891CDF57BD21
        44758CA747B1A8315024A8247F12E51
Y     : 53513118E25E16151FD55D7ECDE8293AF6C98A74D52E0DA2527948A64FABDFE7C
        F4EA8B8E229218D38A869EE15476750

Entry #2
Generate key ...
Curve : secp384r1
X     : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432
        76896E771A9C6CA5A2D3C08CF4CB83C
Y     : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1
        49F91CABA72F6A3A1C2D1990CDAEA3D

Entry #3
Keychain permission: SIGN_CORE
Keychain can be cancelled by ID: 15
Signature chain #1 (entries: -1, offset: 0)
Signature chain #2 (entries: -1, offset: 0)
Signature chain #3 (entries: -1, offset: 0)
Signature chain #4 (entries: -1, offset: 0)
Signature chain #5 (entries: -1, offset: 0)
Signature chain #6 (entries: -1, offset: 0)
Signature chain #7 (entries: -1, offset: 0)
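
The comparison described above, automated as an added example (not Intel's code): it parses check_integrity text in the layout shown above and lists the chains whose Fuse value differs from an expected root key hash. The function names are hypothetical, the sample report is a constructed excerpt, and the expected hash is passed in as a hex string because the layout of hash_fuse.txt is not shown here.

```python
import re

# Fuse values copied from this page's example output; the report text around
# them is a constructed excerpt with the key coordinates left out.
FUSE_A = ("34FD3B5F 7829001F DE2A24C7 3A7EAE29 C7786DB1 D6D5BC3C 52741C79\n"
          "      72978B22 0731B082 6F596899 40F32048 AD766A24")
FUSE_B = ("FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6\n"
          "      DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE")
SAMPLE = f"""Integrity status: OK
Section
Type: CMF
Signature chain #0 (entries: -1, offset: 96)
Entry #0
Fuse: {FUSE_A}
Generate key ...
Signature chain #1 (entries: -1, offset: 648)
Fuse: {FUSE_B}
Section
Type: IO
Signature chain #0 (entries: -1, offset: 96)
Fuse: {FUSE_B}
"""
HEX_WORDS = re.compile(r"^\s+(?:[0-9A-Fa-f]{8}\s*)+$")

def normalize(hex_text):
    """Drop whitespace and case so wrapped and unwrapped hashes compare equal."""
    return re.sub(r"\s+", "", hex_text).upper()

def fuse_values(report):
    """Return [(section_type, chain_no, fuse_hex)] for every Fuse: entry."""
    found, section, chain, cur = [], None, None, None
    for line in report.splitlines():
        if cur is not None and HEX_WORDS.match(line):
            cur[2] += normalize(line)  # wrapped second line of a Fuse: value
            continue
        cur = None
        if m := re.match(r"Type:\s*(\S+)", line):
            section = m.group(1)
        elif m := re.match(r"Signature chain #(\d+)", line):
            chain = int(m.group(1))
        elif m := re.match(r"Fuse:\s*(.*)", line):
            cur = [section, chain, normalize(m.group(1))]
            found.append(cur)
    return [tuple(f) for f in found]

def mismatches(report, expected_root_hash):
    """(section, chain) pairs whose Fuse value is not the expected root hash."""
    want = normalize(expected_root_hash)
    return [(s, c) for s, c, f in fuse_values(report) if f != want]
```

In the example output on this page, the CMF section's chain #0 carries a different Fuse value from every other chain, so a check against a single root hash reports that chain as a mismatch.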