2.2.5. Verifying Configuration Bitstream Signature Chains
After you create signature chains and signed bitstreams, you may verify that a signed bitstream correctly configures a device programmed with a given root key. You first use the fuse_info operation of the quartus_sign command to print the hash of the root public key to a text file:
quartus_sign --family=agilex --operation=fuse_info root0.qky hash_fuse.txt
You then use the check_integrity option of the quartus_pfg command to inspect the signature chain on each section of a signed bitstream in .rbf format. The check_integrity option prints the following information:
- Status of the overall bitstream integrity check
- Contents of each entry in each signature chain attached to each section in the bitstream .rbf file
- Expected fuse value for the hash of the root public key for each signature chain
quartus_pfg --check_integrity signed_bitstream.rbf
Here is an example of the check_integrity command output:
Info: Command: quartus_pfg --check_integrity signed_bitstream.rbf
Integrity status: OK
Section Type: CMF
  Signature Descriptor ...
    Signature chain #0 (entries: -1, offset: 96)
      Entry #0
        Fuse: 34FD3B5F 7829001F DE2A24C7 3A7EAE29 C7786DB1 D6D5BC3C 52741C79 72978B22 0731B082 6F596899 40F32048 AD766A24
        Generate key ...
          Curve : secp384r1
          X : 29C39C3064AE594A36DAA85602D6AF0B278CBB0B207C4D97CFB6967961E5F0ECA 456FF53F5DBB3A69E48A042C62AB6B0
          Y : 3E81D40CBBBEAC13601247A9D53F4A831308A24CA0BDFFA40351EE76438C7B5D2 2826F7E94A169023AFAE1D1DF4A31C2
        Generate key ...
          Curve : secp384r1
          X : 29C39C3064AE594A36DAA85602D6AF0B278CBB0B207C4D97CFB6967961E5F0ECA 456FF53F5DBB3A69E48A042C62AB6B0
          Y : 3E81D40CBBBEAC13601247A9D53F4A831308A24CA0BDFFA40351EE76438C7B5D2 2826F7E94A169023AFAE1D1DF4A31C2
      Entry #1
        Generate key ...
          Curve : secp384r1
          X : 015290C556F1533E5631322953E2F9E91258472F43EC954E05D6A4B63D611E04B C120C7E7A744C357346B424D52100A9
          Y : 68696DEAC4773FF3D5A16A4261975424AAB4248196CF5142858E016242FB82BC5 08A80F3FE7F156DEF0AE5FD95BDFE05
      Entry #2
        Keychain permission: SIGN_CODE
        Keychain can be cancelled by ID: 3
    Signature chain #1 (entries: -1, offset: 648)
      Entry #0
        Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6 DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
      Entry #1
        Generate key ...
          Curve : secp384r1
          X : 1E8FBEDC486C2F3161AFEB028D0C4B426258293058CD41358A164C1B1D60E5C1D 74D982BC20A4772ABCD0A1848E9DC96
          Y : 768F1BF95B37A3CC2FFCEEB071DD456D14B84F1B9BFF780FC5A72A0D3BE5EB51D 0DA7C6B53D83CF8A775A8340BD5A5DB
      Entry #2
        Generate key ...
          Curve : secp384r1
          X : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432 76896E771A9C6CA5A2D3C08CF4CB83C
          Y : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1 49F91CABA72F6A3A1C2D1990CDAEA3D
      Entry #3
        Keychain permission: SIGN_CODE
        Keychain can be cancelled by ID: 15
    Signature chain #2 (entries: -1, offset: 0)
    Signature chain #3 (entries: -1, offset: 0)
    Signature chain #4 (entries: -1, offset: 0)
    Signature chain #5 (entries: -1, offset: 0)
    Signature chain #6 (entries: -1, offset: 0)
    Signature chain #7 (entries: -1, offset: 0)
Section Type: IO
  Signature Descriptor ...
    Signature chain #0 (entries: -1, offset: 96)
      Entry #0
        Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6 DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
      Entry #1
        Generate key ...
          Curve : secp384r1
          X : 646B51F668D8CC365D72B89BA8082FDE79B00CDB750DA0C984DC5891CDF57BD21 44758CA747B1A8315024A8247F12E51
          Y : 53513118E25E16151FD55D7ECDE8293AF6C98A74D52E0DA2527948A64FABDFE7C F4EA8B8E229218D38A869EE15476750
      Entry #2
        Generate key ...
          Curve : secp384r1
          X : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432 76896E771A9C6CA5A2D3C08CF4CB83C
          Y : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1 49F91CABA72F6A3A1C2D1990CDAEA3D
      Entry #3
        Keychain permission: SIGN_CORE
        Keychain can be cancelled by ID: 15
    Signature chain #1 (entries: -1, offset: 0)
    Signature chain #2 (entries: -1, offset: 0)
    Signature chain #3 (entries: -1, offset: 0)
    Signature chain #4 (entries: -1, offset: 0)
    Signature chain #5 (entries: -1, offset: 0)
    Signature chain #6 (entries: -1, offset: 0)
    Signature chain #7 (entries: -1, offset: 0)
Section Type: HPS
  Signature Descriptor ...
    Signature chain #0 (entries: -1, offset: 96)
      Entry #0
        Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6 DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
      Entry #1
        Generate key ...
          Curve : secp384r1
          X : FAF423E08FB08D09F926AB66705EB1843C7C82A4391D3049A35E0C5F17ACB1A30 09CE3F486200940E81D02E2F385D150
          Y : 397C0DA2F8DD6447C52048CD0FF7D5CCA7F169C711367E9B81E1E6C1E8CD9134E 5AC33EE6D388B1A895AC07B86155E9D
      Entry #2
        Generate key ...
          Curve : secp384r1
          X : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432 76896E771A9C6CA5A2D3C08CF4CB83C
          Y : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1 49F91CABA72F6A3A1C2D1990CDAEA3D
      Entry #3
        Keychain permission: SIGN_HPS
        Keychain can be cancelled by ID: 15
    Signature chain #1 (entries: -1, offset: 0)
    Signature chain #2 (entries: -1, offset: 0)
    Signature chain #3 (entries: -1, offset: 0)
    Signature chain #4 (entries: -1, offset: 0)
    Signature chain #5 (entries: -1, offset: 0)
    Signature chain #6 (entries: -1, offset: 0)
    Signature chain #7 (entries: -1, offset: 0)
Section Type: CORE
  Signature Descriptor ...
    Signature chain #0 (entries: -1, offset: 96)
      Entry #0
        Fuse: FA6528BE 9281F2DB B787E805 6BF6EE0E 28983C56 D568B141 8EEE4BF6 DAC2D422 0A3A0F27 81EFC6CD 67E973BF AC286EAE
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
        Generate key ...
          Curve : secp384r1
          X : 47A453474A8D886AB058615EB1AB38A75BAC9F0C46E564CB5B5DCC1328244E765 0411C4592FAFFC71DE36A105B054781
          Y : 6087D3B4A5C8646B4DAC6B5C863CD0E705BD0C9D2C141DE4DE7BDDEB85C0410D8 6B7312EEE8241189474262629501FCD
      Entry #1
        Generate key ...
          Curve : secp384r1
          X : 646B51F668D8CC365D72B89BA8082FDE79B00CDB750DA0C984DC5891CDF57BD21 44758CA747B1A8315024A8247F12E51
          Y : 53513118E25E16151FD55D7ECDE8293AF6C98A74D52E0DA2527948A64FABDFE7C F4EA8B8E229218D38A869EE15476750
      Entry #2
        Generate key ...
          Curve : secp384r1
          X : 13986DDECAB697A2EB26B8EBD25095A8CC2B1A0AB0C766D029CDF2AFE21BE3432 76896E771A9C6CA5A2D3C08CF4CB83C
          Y : 0A1384E9DD209238FF110D867B557414955354EE6681D553509A507A78CFC05A1 49F91CABA72F6A3A1C2D1990CDAEA3D
      Entry #3
        Keychain permission: SIGN_CORE
        Keychain can be cancelled by ID: 15
    Signature chain #1 (entries: -1, offset: 0)
    Signature chain #2 (entries: -1, offset: 0)
    Signature chain #3 (entries: -1, offset: 0)
    Signature chain #4 (entries: -1, offset: 0)
    Signature chain #5 (entries: -1, offset: 0)
    Signature chain #6 (entries: -1, offset: 0)
    Signature chain #7 (entries: -1, offset: 0)
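To automate the comparison of the reported fuse values against the root key hash, the following Python code is an added example, not Intel tooling and not part of the original page. It parses text in the check_integrity layout shown above, whether line-broken or run together, and lists every section that has no signature chain rooted in the expected key. The function names, the policy (status OK plus at least one matching chain per section), the hex-string form of the expected hash, and the sample report are all assumptions or constructed values.

```python
import re

TOKEN = re.compile(
    r"Integrity status:\s*(?P<status>\w+)"
    r"|Section\s+Type:\s*(?P<section>\w+)"
    r"|Signature chain #(?P<chain>\d+)"
    r"|Fuse:\s*(?P<fuse>[0-9A-Fa-f]{8}(?:\s+[0-9A-Fa-f]{8}){11})"
    r"|Keychain permission:\s*(?P<perm>\w+)"
)

def norm(h):
    """Canonical hash form: uppercase hex, whitespace removed."""
    return "".join(h.split()).upper()

def parse_report(text):
    """Return (status, chains); each chain dict has section, chain, fuse, perm."""
    ctx, chains = {"status": None, "section": None}, []
    for m in TOKEN.finditer(text):
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind in ctx:
            ctx[kind] = val
        elif kind == "chain":
            chains.append({"section": ctx["section"], "chain": int(val), "fuse": None, "perm": None})
        elif chains:  # a Fuse or permission field belongs to the latest chain
            chains[-1][kind] = norm(val) if kind == "fuse" else val
    return ctx["status"], chains

def audit(text, expected_root_hash):
    """Assumed policy: status OK and every section has a chain rooted in the expected key."""
    status, chains = parse_report(text)
    want = norm(expected_root_hash)
    problems = [] if status == "OK" else [f"integrity status is {status!r}"]
    if not chains:
        problems.append("no signature chains found")
    for sec in dict.fromkeys(c["section"] for c in chains):
        roots = {c["fuse"] for c in chains if c["section"] == sec}
        if want not in roots:
            problems.append(f"section {sec}: no chain rooted in expected key")
    return problems

# Constructed sample report (made-up fuse words, not real key hashes).
OWNER, OTHER = " ".join(["0A1B2C3D"] * 12), " ".join(["5E6F7081"] * 12)
SAMPLE = f"""Integrity status: OK
Section Type: CMF
Signature chain #0 (entries: -1, offset: 96) Entry #0 Fuse: {OTHER}
Signature chain #1 (entries: -1, offset: 648) Entry #0 Fuse: {OWNER}
Section Type: IO
Signature chain #0 (entries: -1, offset: 96) Entry #0 Fuse: {OWNER} Entry #3 Keychain permission: SIGN_CORE
Signature chain #1 (entries: -1, offset: 0)"""
```

An empty list from `audit(report_text, expected_hash)` means every section carries a chain whose fuse value equals the supplied hash; chains rooted in other keys remain visible in the `parse_report` result for review.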