Intel Stratix 10 Device Security User Guide
Version Information
| Updated for: |
|---|
| Intel® Quartus® Prime Design Suite 19.3 |
1. Intel Stratix 10 Device Security Overview
Intel® Stratix® 10 devices provide two main categories of security features: authentication and encryption.
Authentication helps to ensure that both the firmware and the configuration bitstream are from a trusted source. Authentication is fundamental to Intel® Stratix® 10 security. You cannot enable any other Intel® Stratix® 10 security features without enabling owner authentication.
Encryption helps to protect confidential information such as intellectual property or sensitive data from being extracted from the owner configuration bitstream.
Here are the specific security features that Intel Stratix 10 devices provide:
Authentication Category
-
Elliptic Curve Digital Signature Algorithm (ECDSA) Based Public-Key Authentication: Intel® Stratix® 10 devices always require firmware authentication for all Intel firmware that loads into silicon. The ECDSA authentication of firmware implements this requirement. Intel is the only source that provides the primary firmware for the Secure Device Manager (SDM) and all other firmware that runs on other configuration processors in the Intel® Stratix® 10 device.
Intel® Stratix® 10 devices do not require authentication for configuration bitstreams. You may enable configuration bitstream authentication by programming the hash of your root public key into eFuses. This process establishes you as the owner of the device. After you enable configuration bitstream authentication, you must create a valid signature chain based on your root key for each configuration bitstream. Your Intel® Stratix® 10 device completes configuration after successful validation of your signature chain.
-
Anti-tampering security feature: Anti-tampering addresses physical attacks on silicon. There are two categories of anti-tampering features: passive and active anti-tampering.
- The passive anti-tampering feature enforces physical security features using redundancy and interlocking systems. Passive anti-tampering is always running on Intel® Stratix® 10 devices. Passive anti-tampering functions do not operate in response to a particular function.
- Active anti-tampering responds when the silicon detects physical attacks from the outside. By default, all active anti-tampering functions are off. When the active anti-tampering function is on, you can select which detection functions and responses to enable. Active anti-tampering is planned for a future release. Refer to Anti-Tampering for more information.
Encryption Category
- Advanced Encryption Standard (AES)-256 encryption: This feature helps protect the confidentiality of intellectual property (IP) or sensitive data in the owner configuration bitstream. AES-CTR (counter) mode is the base for bitstream encryption. To reduce AES key exposure AES decryption only operates on data that has already passed public key authentication.
- Side channel protection: This feature
helps to
protect
the AES Key and confidential data from extraction through non-intrusive attacks.
Intel®
Stratix® 10 devices include the following functions to
minimize any
potential
side
channel
leakage:
- The authentication first flow helps to protect against encrypted bitstream modifications that reveal an encryption key.
- A key update function reduces the amount of bitstream data encrypted with a single key.
- Long route data line scrambling reduces the exposure of decrypted configuration data on the chip-wide configuration network.
- A 256-bit wide direct key bus loading minimizes the transmission time of sensitive key material.
- Key scrambling limits any potential side-channel exposure when you store the AES root key in eFuses.
- Multiple AES root key choices: Intel® Stratix® 10 devices currently support two different locations for root AES keys: eFuse and BBRAM. In addition, physically unclonable function (PUF) is planned for a future release. Refer to Physically Unclonable Function (PUF) Overview for more information.
| Intel® Stratix® 10 | Authentication | Advanced Security |
|---|---|---|
| GX | Yes | -AS suffix devices |
| SX | Yes | -AS suffix devices |
| MX | Yes | -AS suffix devices |
| TX | Yes | -AS suffix devices |
| DX | Yes | Yes |
1.1. Intel Stratix 10 Secure Device Manager (SDM)
The Secure Device Manager (SDM) is a triple-redundant processor-based module that manages the configuration and security features of Intel® Stratix® 10 devices. The SDM authenticates and decrypts configuration data.
- If you have enabled authentication, the SDM checks that a trusted source, the device owner, has authorized the configuration bitstream.
- The SDM always performs an integrity check over the bitstream using SHA-256 or SHA-384. This integrity check protects against intentional attacks and against accidental corruption of the bitstream, such as a bad write to flash.
- If the configuration bitstream authenticates and you have enabled AES Encryption, the SDM decrypts the data. The SDM drives the decrypted data on the configuration network to Local Sector Managers (LSM) on the configuration network. Each LSM parses the sector configuration block data and configures the logic elements in the sector that it manages.
1.2. Enabling Intel Stratix 10 Security Features
The fusing process automatically computes the hash of the owner root public key. When you program the owner root key hash, the programmer automatically programs the hash value, not the full key.
You can enable the following additional security options to further enhance the security level:
- Advanced Encryption Standard (AES) Encryption protects your IP and secures your data. This option includes multiple sub-options relating to side channel mitigation.
- Configuration firmware joint signature capability specifies that you, in addition to Intel, must sign the version of configuration firmware that runs on your device. If you enable the joint signature capability, the device only loads firmware signed by both Intel and by you, the device owner. An eFuse on the Intel® Stratix® 10 device enables this feature. For a full list of available eFuse security options, refer to Using eFuses.
eFuse programming sets a minimum-security strength. All eFuse enforced security options are permanent.
In contrast to permanent security features, Intel® Stratix® 10 devices include some dynamic security options that you can control without using eFuses. Disabling HPS debugging is one example of a dynamic security feature. You control dynamic security options by setting optional fields in the configuration bitstream. The Intel® Stratix® 10 device enforces dynamic security options beginning with bitstream configuration, instead of at power-on, providing additional flexibility.
1.2.1. Side Channel Mitigation
The following side channel mitigation features are available in Intel® Stratix® 10 devices:
- Authentication first: The device authenticates the bitstream before decrypting it. Attackers cannot perform differential attacks on the AES encrypted data without breaking authentication.
- Key update: Limits the amount of encrypted data per key to 1024 bytes.
- Direct key loading: Uses a 256-bit point-to-point key bus to reduce emissions.
- Data scrambling: Scrambles data on long wires within the configuration network on a chip (NoC).
1.3. Owner Security Keys and Programming
Intel® Stratix® 10 devices support two types of security keys:
- Owner root public key hash: Programming this key enables the owner configuration bitstream authentication. Configuration bitstream authentication is the fundamental security feature. You must enable configuration bitstream authentication before you can enable other security features. The Intel® Stratix® 10 device stores the SHA-256 or SHA-384 hash of this key in physical eFuses or virtual eFuses. This hash validates the integrity of the root public key, which is the first step in the process to authenticate the configuration bitstream.
-
Owner AES key: This optional key decrypts the encrypted owner image during the configuration process. You can store the AES key in virtual eFuses, physical eFuses, or a BBRAM. PUF support for AES key handling is planned for a future release.
In contrast to eFuse (non-volatile) storage, BBRAM storage is reprogrammable. The BBRAM key vault holds a single key. Programming a new key deletes the previously programmed key. The BBRAM key vault includes a built-in function to perform periodic key flipping to prevent key imprinting. The BBRAM has its own power supply. VCCBAT powers the BBRAM AES key. The voltage range is 1.2V - 1.8V. For more information about required voltage ranges refer to the Intel® Stratix® 10 Device Family Pin Connection Guidelines.
You program both the root public key hash and the AES key using JTAG. The configuration bitstream specifies the owner AES key location. For extra security, you can program fuses to disable some of the key storage locations. For example, if your design stores the AES key in eFuses, you can program the BBRAM root key disable fuse for additional security.
Intel® Stratix® 10 devices support both red key (unencrypted) and black key (encrypted) provisioning (transport). JTAG transmits keys in an unencrypted format. Encrypting the AES key reduces the risk of disclosing the key during the manufacturing process. Refer to Black Key Provisioning for more information about programming an encrypted AES key.
1.3.1. Owner Root Public Key Hash Programming
You specify either virtual or physical eFuses when you program your device. Once you program the physical eFuse key, you cannot change or reprogram the key.
1.3.2. AES Root Key Programming
The Intel® Quartus® Prime Programmer also includes an Encryption Key Select option with two choices: Battery Backup RAM or eFuses. This option is available for Intel® Stratix® 10 and later devices that include the SDM when you program a Intel® Quartus® Prime encryption key .qek.
1.4. Planned Security Features
1.4.1. Physically Unclonable Function (PUF) Overview
1.4.2. Anti-Tampering
The SDM monitors operating conditions such as input clocks, voltage, and temperature to detect device tampering. Changes in these conditions may indicate a tampering event. You can choose an appropriate response to a detected event. Possible responses include but are not limited to the following actions:
- Device reset
- Device reset with configuration data zeroization
- BBRAM AES key destruction
You enable anti-tampering features during the design process. The configuration bitstream includes the resulting data.
1.4.3. Black Key Provisioning
Black key provisioning creates a direct secure channel between your hardware security module (HSM) and the Intel® Stratix® 10 device. This secure channel ensures that your HSM can provision the AES key and other confidential information without exposure to an intermediate party. Black key provisioning can reduce or eliminate the need to program the AES key at a trusted facility.
2. Design Authentication
When you use authentication, your manufacturing process programs the hash digest of the ECDSA root public key into FPGA eFuses. The configuration bitstream contains the full root public key. The SDM computes the hash digest of the root public key and compares the computed hash digest to the hash digest stored in eFuses. The SDM only proceeds to authenticate the bitstream if the values match.
Intel® Stratix® 10 devices support 256- or 384-bit key length for authentication. Intel strongly recommends that you use 384-bit authentication of all new designs. If you select 384-bit authentication, the Intel® Stratix® 10 device uses SHA-384 with ECDSA secp384r1. If you select 256-bit authentication, the Intel® Stratix® 10 device uses uses SHA-256 with ECDSA prime256v1. You cannot change the root key or the authentication key length after you program the eFuses. Choose 256-bit authentication only if you have legacy hardware, such as an HSM, that cannot handle 384 bit keys.
SHA-384 generates a bitstream that is larger than SHA-256. SHA-384 hashes result in longer configuration times.
2.1. The Configuration Bitstream
- FPGA configuration
- Voltage regulator configuration
- Temperature measurements
- HPS software load
- HPS reset
- Read, erase, and program flash memory
- Device security, including authentication and encryption
The SDM always authenticates the firmware section of the configuration bitstream. The SDM authenticates the SDM firmware section using an Intel keychain. You may also choose to sign the SDM firmware by programming the Co-signed Firmware eFuse on the device. When you enable co-signed firmware you must co-sign the firmware before generating bitstreams. The SDM validates both the Intel signature and your signature before loading and running the SDM firmware.
The I/O, HPS, and FPGA sections are dynamic and contain the device configuration information based on your design. Each dynamic section of the configuration bitstream stores information in the same format. Each section begins with a 4 kilobyte (KB) header block, followed by a signature block, hash blocks, and data.
The header block contains a hash which validates hash block 0. Each hash block contains up to 125 SHA-256 hashes or 83 SHA-384 hashes. These hashes validate subsequent data blocks. A modification to any part of a section invalidates the signature. The modification results in configuration failure before the SDM processes the modified data.
2.2. Signature Block
The signature block validates the contents of the header block. After successfully validating the signatures, the SDM processes the data based on the signatures provided.
For more information about how the quartus_sign command appends the public keys to the root key to create a signature chain refer to Figure 8.
| Block | Description |
|---|---|
| SHA-384 hash of header block | This hash function checks for accidental changes in the preceding block of the configuration bitstream, typically the header block. |
| Signature chains |
Zero or more signature chains. Each signature chain can include up to 4 keys, including the owner public root key. You can assign the other 3 keys reduced permissions so that the keys can only sign a specific section of the configuration bitstream. The Intel® Quartus® Prime Software supports 2 keychains for firmware signing and up to 4 keychains for the configuration bitstream. Multiple keychains provide some flexibility. |
| Dynamic sector pointers | Locate the design sections for the remainder of the image when you store the image in flash memory. |
| 32-bit CRC | Protects the block from accidental modification. The CRC does not provide security. Software tools can check the CRC to identify accidental modifications. |
Signature Chain Details
Intel® Stratix® 10 FPGAs support up to four signature chains. If a signature chain is invalid, it is ignored. The FPGA starts validating the next signature chain. To pass authentication, at least one signature keychain must pass.
| Content | Description |
|---|---|
| Root Key Entry |
The Root Entry anchors the chain to a root key known to the device. The SDM calculates the hash of the root entry and checks if the it matches the expected hash. You store the root key hash in eFuses. |
| Public Key Entry | Signature chains enable flexible key management.
Intel®
recommends one public key entry in each
signature chain. The previous public key signs the new public key. The public key
entry provides following capabilities:
|
| Header Block Entry | The final entry in a signature chain signs the actual data. The Header Block Entry authenticates the first block of the section, and thus authenticates the whole section. |
Understanding Permissions and Cancellation IDs
- To sign other keys with the same or fewer permissions
- To sign sections directly
You cannot cancel the root key. Consequently, the root key does not have a cancellation ID. However, you can cancel a signature chain that includes two or more signature levels. Intel strongly recommends that you create a signature chain with at least two levels to retain the ability to update your signature keychain.
- Root key which is not cancellable on Intel® Stratix® 10 devices.
- First-level public key with a cancellation ID and restricted permissions.
- Optional second- and third-level public keys. Normally, these keys are not cancellable and have same permissions as the first-level key which signed them. If you can cancel one key in a key chain you can conserve cancellation IDs by using keys that are not cancellable for the optional second- and third-level keys.
Here are some reasons that you may need to cancel a signature key:
- A private key is accidentally released.
- You find a vulnerability in your design.
- You find a bug in the design after having created the signed configuration bitstream.
- You want to update the current design as part of a normal release cycle.
The Programmer performs a logical AND to determine which sections of a design a key can sign. Consequently, to create separate permissions for Core, I/O and PR logic and the HPS and FSBL, you must create two first-level keychains as shown in the following figure.
2.2.1. Canceling Intel Firmware ID
As of Intel® Quartus® Prime Pro Edition Version 19.3, Intel has used the following firmware IDs.
| Firmware ID | Firm Release |
|---|---|
| 0-3 | Early versions of firmware |
| 4 | Intel® Quartus® Prime Pro Edition 19.1 and 19.2 |
| 5 | Intel® Quartus® Prime Pro Edition 19.3 |
When you program the owner root public key hash into a device the firmware also cancels ID eFuses to prevent older firmware from running. For example, if you use the 19.3 firmware to program the public key hash, this firmware automatically cancels IDs 0 to 4. The only situation where firmware automatically programs cancellation eFuses is during owner public key hash programming. In all other circumstances you must use the Intel® Quartus® Prime Programmer or mailbox commands to program eFuses.
- Upgrade all bitstreams stored in flash to use the new firmware version. You do not need to recompile your designs. You can recreate them by using the new version of Programmer or quartus_pfg to convert the .sof into a programming file such as .rbf or Programmer Object File .pof. You can then program the upgraded firmware into flash memory.
- If using RSU, follow the instructions in the Updates with the Factory Update Image topic in the Intel® Stratix® 10 Configuration User Guide to upgrade the decision firmware and factory images in the system to the latest version. The RSU upgrade procedure protects itself against disruptions such as power failure which could interrupt the upgrade.
- Send commands to the device to tell it to cancel the old Intel cancellation eFuses. You can use the Intel® Quartus® Prime Pro Edition Programmer to accomplish this task.
Intel recommends adopting the following practices:
- Use the newest available firmware in your configuration bitstreams.
- Program cancellation eFuses to prevent older firmware from running on the device.
2.2.2. Authentication for HPS Software
After you successfully load the HPS Boot Code on the Intel® Stratix® 10 device, you may need to ensure that the following boot stages of the HPS Software are also authenticated.
The Rocketboards web page includes an example that uses U-boot to authenticate the subsequent boot stages of the HPS software.
3. Using the Authentication Feature
Starting with version 18.1 of the Intel® Quartus® Prime software, you can use the quartus_sign command to create a signature chain.
- make_root (light yellow)
- fuse_info (darker yellow)
- append_key (light blue)
- sign (light gray)
3.1. Step 1: Creating the Root Key
The root key includes public and private components. These keys are in the Privacy Enhanced Mail Certificate (PEM) format and have the .pem extension.
Complete the following steps to generate the root private and public keys:
-
Bring up a
Nios® II command
shell.
Option Description Windows On the Start menu, point to Programs > Intel FPGA > Nios II EDS > <version> and click Nios II <version> Command Shell. Linux In a command shell change to the <install_dir>/nios2eds and run the following command: ./nios2_command_shell.sh
- In the Nios® II command shell, change to the directory that includes your .sof file.
-
Run the following command to create the private key which you
use to generate the root public key.
Note: You can create the private key with or without passphrase protection. The passphrase encrypts the private key. Intel recommends following industry best practices to use a strong, random passphrase on all private key files. Intel also recommends changing the permissions on the private .pem file to read-only for the owner.
Option Description With passphrase quartus_sign --family=stratix10 --operation=make_private_pem --curve=<prime256v1 or secp384r1> <root_private.pem> Enter the passphrase when prompted to do so.Without passphrase quartus_sign --family=stratix10 --operation=make_private_pem --curve=<prime256v1 or secp384r1> --no_passphrase <root_private.pem>
-
Run the following command to create the root public
key.
The root_private.pem you generated in the
previous step is an input to this command. You do not need to protect the root
public key.
quartus_sign --family=stratix10 --operation=make_public_pem <root_private.pem> <root_public.pem>
-
Convert the root
public
key to the
Intel®
Quartus® Prime key
file format (.qky).
You use the
Intel®
Quartus® Prime Programmer or the quartus_pgm
command
to program the root public key into a
Intel®
Stratix® 10
device.
The
.qky file is a few hundred bytes in
size.
quartus_sign --family=stratix10 --operation=make_root <root public.pem> <root_public.qky>
3.2. Step 2: Creating the Design Signing Key
You may need one or more design signing keys. You can create separate signing keys for the HPS and FPGA in Intel® Stratix® 10 SX devices. Creating multiple keys gives you the flexibility to cancel keys if you detect an error, uncover a vulnerability, or need to update the design.
-
Run the following command to create the first design signature
private key. You use the design signature private key to create the design
signature public key.
Note: Intel recommends following industry best practices to use a strong, random passphrase on all private key files. The curve argument in this command must be the same has the one you specified for the root key.
Option Description With passphrase quartus_sign --family=stratix10 --operation=make_private_pem --curve=<prime256v1 or secp384r1> <design0_sign_private.pem> Enter the passphrase when prompted to do so.Without passphrase quartus_sign --family=stratix10 --operation=make_private_pem --curve=<prime256v1 or secp384r1> --no_passphrase <design0_sign_private.pem>
-
Run the following command to create the design signature public
key.
quartus_sign --family=stratix10 --operation=make_public_pem <design0_sign_private.pem> <design0_sign_public.pem>
Enter your passphrase when prompted to do so.
3.3. Step 3: Appending the Design Signature Key to the Signature Chain
- Appends the 1st Level Public Key (design0_sign_public.pem) to the Root Public Key (root_public.qky) and generates the 1st Level Signature Chain (design0_sign_public.qky) that includes the root public key and design0 public key.
- Signs the new 1st Level Signature Chain (design0_sign_chain.qky) using the Root Private Key (root_private.pem).
-
Run the following command to append the first design signature
key to the root key, creating a two-level signature chain:
Setting the permission argument to 6 creates a signature that can sign the FPGA I/O, core, PR, and HPS sections. Setting the permission argument to 2 or 4 creates a signature that can sign only FPGA or HPS sections, respectively. Setting the cancellation argument to 0 means that eFuse0 can cancel this signature. eFuses 0-31 are available for owner cancellation.
quartus_sign --family=stratix10 --operation=append_key \ --previous_pem=<root_private.pem> --previous_qky=<root_public.qky> \ --permission=6 --cancel=0 <design0_sign_public.pem> \ <design0_sign_chain.qky>
-
Use
append_key again to create a three-level
signature chain:
- Repeat the commands in Step 1, to generate both design1_sign_private.pem and design1_sign_public.pem.
-
Append design1_sign_public.pem to the signature chain.
Setting the cancellation argument to 1, means that the second available cancellation eFuse, eFuse 1, cancels this signature.
quartus_sign --family=stratix10 --operation=append_key \ --previous_pem=<design0_sign_private.pem> \ --previous_qky=<design0_sign_chain.qky> --permission=6 \ --cancel=1 <design1_sign_public.pem> <design1_sign_chain.qky>
Enter the passphrase when prompted to do so. - If you are generating separate keychains for HPS and FPGA signing, repeat steps 1 and 2 with different PEM files. The FPGA signing chain should have permission=2. The HPS signing chain should have permission=4.
3.4. Step 4: Signing the Bitstream
Once you generate the private PEM and .qky files, you are ready to sign the bitstream. There are two options for bitstream signing:
- You use Intel® Quartus® Prime Programming File Generator to generate the signed bitstream from a .sof file. You specify the required format for your configuration scheme. The JTAG Indirect Configuration File (.jic) and Raw Programming Data File (.rpd) formats are available for Active Serial (AS) configuration. The Programmer Object File .pof and .rbf are available for Avalon® Streaming ( Avalon® -ST) configuration.
-
Alternatively, you can use quartus_sign command to sign the bitstream. This command requires the .rbf as the input to generate a signed .rbf file.
If you are using the Jam* Standard Test and Programming Language (STAPL) Player to program over JTAG the following command converts an .rbf file to the .jam format that the Jam STAPL Player requires:
quartus_pfg -c signed_bitstream.rbf signed_bitstream.jam
3.5. Step 4a: Signing the Bitstream Using the Programming File Generator
The Programming File Generator requires the private key file (.pem) to sign the configuration bitstream. You append the generated signature chain (.qky) to your compiled design .sof. Attaching the signature chain to your .sof does not require you to recompile your design.
Complete the following steps to append the signature chain key file to the .sof file and generate the signed bitstream using the Programming File Generator.
-
Choose one of the following options to append the signature
chain key file the configuration bitstream:
- Specify the .qky file using the
Intel®
Quartus® Prime software. On the Assignment
tab, select Device > Device and Pin Options > Security > Quartus Key File. Then browse to your signature key chain file. Figure 9. Specifying the Quartus Key File
-
Alternatively, you can add the following assignment statement to your Intel® Quartus® Prime Settings File (.qsf):
set_global_assignment -name QKY_FILE design1_sign_keychain.qky
- Specify the .qky file using the
Intel®
Quartus® Prime software. On the Assignment
tab, select Device > Device and Pin Options > Security > Quartus Key File. Then browse to your signature key chain file.
-
To generate a .sof that
includes design1_sign_keychain.qky select
Processing > Start > Start Assembler.
The new .sof includes the design1_sign_keychain.qky signature chain.
-
On the
Intel®
Quartus® Prime file menu,
select File > Programming File Generator.
Figure 10. Programming File Generator
- For Device family, select Intel® Stratix® 10
- For Configuration mode, select the configuration mode you plan to use. This example uses AVST x16.
- For Output directory click Browse and navigate to your output files directory.
- On the Output Files tab, select Raw Binary File (.rbf).
-
On the Input Files tab, click Add
Bitstream then browse and select your .sof file.
Figure 11. Input File Properties
- On the Input Files tab, click Add Bitstream and then browse to your bitstream.
-
On the Input Files tab,
click Properties… and make the following
selections under Signing tool
settings:
- Select On for Enable signing tool.
-
For Private key
file, select the final private signing key. For example,
Figure 6
Figure 8
Steps to Create a Signature
Chain shows
a
root private key and two private keys. For this key chain, you would
select the second-level private .pem file.
Note: If your .pem is password-protected, the GUI opens a dialog box to enter the password.
3.6. Step 4b: Signing the Bitstream Using the quartus_sign Command
The quartus_sign command takes the signature chain (.qky), a private signing key (.pem), and the unsigned raw binary file (.rbf) as inputs to generate the signed .rbf.
quartus_pfg -c design.sof unsigned_bitstream.rbf
> quartus_sign --family=stratix10 --operation=sign \ --qky=design1_sign_keychain.qky --pem=design1_sign_private.pem \ unsigned_bitstream.rbf signed_bitstream.rbf
3.7. Step 5: Programming the Owner Root Public Key for Authentication
Your manufacturing process programs the hash of the owner root public key, root_public.qky, into eFuses available on the Intel® Stratix® 10 device. Programming the hash value into actual eFuses on the device is irreversible. During development, you can validate the hash value by programming this value into virtual eFuses. The virtual eFuses are volatile. Values stored in eFuses clear each time you power cycle the Intel® Stratix® 10 device.
You can use the Intel® Quartus® Prime Software to program the public root key for authentication. Alternatively, you can use a command-line command to accomplish this task.
3.8. Step 5a: Programming the Owner Root Public Key
- On the Tools menu, select Programmer.
-
Right click the image of the
Intel®
Stratix® 10 device and select Edit > Add QKY/QEK/Fuse file ....
-
Browse to the
owner
root
public key file and click Open.
Note: Once you have specified the QKY file, the programmer displays the compatible version of firmware that you use to program the device. The version of the Intel® Quartus® Prime Programmer and the firmware must match.
-
You can choose to program the non-volatile eFuses or simulate
the actual hardware using virtual eFuses.
CAUTION:Incorrect fuse programming can make your device unusable. Intel recommends that you test all eFuse programming sequences using virtual fusing before you program physical eFuses on your first device.
- To select virtual eFuses, on the Programmer Tools menu, select Options. Turn on Enable device security using a volatile security key if this option is not already on. By default this option is on. Then, select OK.
- To select the actual non-volatile eFuses, on the Programmer Tools menu, select Options. Turn off the Enable device security using a volatile security key option.
-
To verify that the fuse value and the hash value of the
owner
root public
key match, turn on the Verify option in the
Intel®
Quartus® Prime software.
3.9. Step 5b: Calculating the Owner Root Public Key Hash
quartus_sign --family=stratix10 --operation=fuse_info \ public_root.qky hash_fuse.txt
4. Co-Signing Device Firmware Overview
The Intel® Quartus® Prime Software supports co-signing device firmware. Co-signing adds another layer of protection for device firmware. The joint signature capability allows you to sign device firmware with an owner signing key that you generate. You enable the co-signature by programming the owner root public key hash and the co-signed firmware eFuses. Once you program these security fuses, loading new firmware requires both Intel and owner signatures.
4.1. Using the Co-Signing Feature
Firmware Co-Signing Design Flow
It shows the steps for the following operations:
- Generating an owner firmware key and appending this key owner FW public .pem) to the existing owner keychain (owner FW key.qky).
- Co-signing the firmware. Add the owner signature to nadder.zip using the new keychain and the Owner FW Private
.pem file. Note: The nadder.zip file is available in the <install_dir>/quartus/common/devinfo/programmer/firmware/ directory. This file includes the SDM firmware.
- Programming the Co-Signed Firmware eFuses in the the Intel® Stratix® 10 device using the signed firmware (Signed FW signed_nadder.zip) and owner.fuse as inputs.
4.1.1. Prerequisites for Co-Signing Device Firmware
To generate the owner root key follow the instructions in Using the Authentication Feature Step 1: Creating the Root Key or by using your own custom hardware security module.
//For physical (non_volatile) eFuses on the
Intel®
Stratix® 10 device
quartus_pgm -c 1 -m jtag -o "p;root_public.qky" --non_volatile_key
//For virtual (volatile) eFuses quartus_pgm -c 1 -m jtag -o "p;root_public.qky"
Alternatively, you can use the Intel® Quartus® Prime Programmer to program the owner root key as described in Step 5: Programming the Owner Public Root Key for Authentication.
4.1.2. Generating the Owner Firmware Signing Key
The first two steps generate required inputs to the operation=append_key command shown in Step 3.
-
Run the following command to
generate a
private key you use to sign the
firmware.
quartus_sign --family=stratix10 --operation=make_private_pem --curve=prime256v1 or <secp384r1> owner_fw_private.pem
-
Run the following command to generate the
corresponding
firmware public key from owner_fw_private.pem.
quartus_sign --family=stratix10 --operation=make_public_pem owner_fw_private.pem owner_fw_public.pem
-
Run the following command to append the owner_fw_public.pem
to the owner root keychain
quartus_sign --family=stratix10 --operation=append_key \ --previous_pem=owner_root_private.pem --previous_qky=owner_root_public.qky --permission=0x1 --cancel=1 owner_fw_public.pem owner_fw_key.qky
4.1.3. Co-Signing the Firmware
quartus_sign --family=stratix10 --operation=sign --qky=owner_fw_key.qky \ --pem=owner_fw_private.pem nadder.zip nadder_signed.zip
4.1.4. Powering On In JTAG Mode After Implementing Co-Signed Firmware
Use the co-signed signed_nadder_signed.zip to regenerate the signed_helper_image.rbf. Load the .rbf then, program the .fuse file.
-
Generate a signed helper image for eFuse programming.
quartus_pfg --helper_image -o helper_device=1SG280HN2 -o subtype=FUSE \ -o fw_source=signed_nadder.zip signed_helper_image.rbf
-
Configure your
Intel®
Stratix® 10 device
with the signed_helper_image.rbf file you
just created.
quartus_pgm -c 1 -m jtag -o “p;signed_helper_image.rbf”
5. HPS Debug Using a Certificate
Signing a configuration bitstream with the HPS debug access port (DAP) available without a debug certificate enables that configuration bitstream to load unauthenticated software to the HPS. In response, the Intel® Quartus® Prime Pro Edition Software generates critical warnings. Intel recommends careful consideration before using this option. Intel strongly recommends canceling the signing key ID after this configuration bitstream is no longer needed.
- Requesting the certificate from a configured device.
- Signing the certificate using a keychain with HPS debug permissions.
- Programming the signed certificate back into the device.
You can create an HPS debug certificate when the following conditions are true:
- You
have selected either HPS or SDM pins to access the HPS.Figure 12. Specify Either HPS or SDM Pins for the HPS DAP
- You have not disabled the HPS DAP.
- You have programmed the FPGA with an owner root key. Refer to Step 5: Programming the Owner Public Root Key for Authenticationfor more information.
- You have programmed the device with a signed bitstream with the HPS and FSBL permission set to true. (permission=4 for HPS and FSBL)
- You have not permanently disabled HPS debugging on the device by programming the JTAG disable eFuse. For more information about the available eFuses refer to the Owner Programmable eFuses table in the Using eFuses topic.
- You have not programmed the FPGA with a design that disables HPS debug. HPS debug certificates do not override the setting to disable HPS debug for a given bitstream.
5.1. Enabling HPS JTAG Debugging
- Step 2: Creating the Design Signing Key.
- Step 3: Appending the Design Signature Key to the Signature Chain. Be sure to specify permission=4 for the HPS and FSBL.
-
To create the HPS debug certificate, you must provide a <device> argument to the quartus_pgm command. Use the
Intel®
Quartus® Prime Programmer Device name list to determine the proper <device> argument by completing the
following steps:
- Find the list of Intel® Stratix® 10 devices, in the Intel® Quartus® Prime Programmer, by select Add Device.
-
In the Device
family list, select
Intel®
Stratix® 10
. In the Device name list, find the part number
that matches your device.
Figure 13. User the Programmer to Determine the helper_device Argument
-
Generate an unsigned secure HPS debug certificate from the
programmed device. The <device> argument
is the Device name you identified in the
previous step.
quartus_pgm -c 1 -m jtag -o “ei;unsigned_hps_debug.cert;<device>”
-
Sign the HPS debug certificate using the quartus_sign command:
quartus_sign --family=stratix10 --operation=sign \ --qky=design0_sign_chain.qky --pem=design0_sign_private.pem \ unsigned_hps_debug.cert signed_hps_debug.cert
-
Send the signed HPS debug certificate to the device to enable
HPS debugging.
quartus_pgm -c 1 -m jtag -o “p;signed_hps_debug.cert"
6. Signing Command Detailed Description
- Generates the private and public PEM files
- Generates the signature chain starting with the root public key
- Appends additional public keys to the signature chain
- Signs a bitstream, firmware, or debug certificate
- Calculates the root public key hash from the signature chain file .qky file
quartus_sign --family=stratix10 --operation=<type of operation> [additional arguments]The following table summarizes all the quartus_sign operations. "Creates a new Quartus keychain .qky file with a given public key .pem in the root entry" (eg, this command does not generate a new key)
| Argument | Options | Description |
|---|---|---|
| operation | make_private_pem | Generates a private key in .pem format such as root_private.pem. |
| make_public_pem | Generates a public key in .pem format from the private .pem such as root_public.pem. | |
| make_root | Creates a new Intel® Quartus® Prime keychain .qky file with a given public key .pem in the root entry such as root_public.qky. | |
| append_key |
Signs, appends, and sets the permissions and cancellation ID of an additional public key to an existing signature chain in the Intel® Quartus® Prime keychain .qky format. |
|
| sign | Signs the bitstream with the .pem private key and key chain. | |
| fuse_info | Calculates the root public key hash from the .qky file. |
The following topics provide details on each operation. The operations are listed in the order that you normally run them to create a signature chain, sign the bitstream, and calculate the root public key hash.
6.1. Generate Private PEM Key
The first step in generating the signature chain is creating the private PEM.
| Command |
quartus_sign --family=stratix10 --operation=make_private_pem --curve=<prime256v1 or secp384r1> <output private PEM file> or: quartus_sign --family=stratix10 --operation=make_private_pem --curve=<prime256v1 or secp384r1> --no_passphrase <output private PEM file> |
| Input file | None |
| Output file | Private PEM file |
| Arguments | This command includes 1 required argument and 1
optional argument:
|
6.2. Generate Public PEM Key
The second step in generating the signature chain is generating the public PEM file from the private PEM file.
| Command |
quartus_sign --family=stratix10 --operation=make_public_pem <input private PEM file> <output public PEM file> |
| Input file | input private PEM file: This is the file that the make_private_pem generates. |
| Output file | output public PEM file: make_public_pem generates this file. |
| Arguments | This command has no additional arguments. |
6.3. Generate Root Signature Chain
The third step in generating the signature chain makes the root public key by converting the public key PEM file to the Intel® Quartus® Prime key format.
| Command |
quartus_sign --family=stratix10 --operation=make_root <input root public PEM file> <output root public qky file> |
| Input file | input public PEM file: This is the file that the make_public_pem generates. |
| Output file | output root public qky file: make_root generates this file. |
| Arguments | This command has no additional arguments. |
6.4. Append Key to Signature Chain
The append command implements the following functions:
- Uses the private part of the last-appended public key to sign the new public key
- Appends the specified design signing key to the root public Intel® Quartus® Prime keychain
- Assigns specified permissions and cancellation ID to the appended public key
| Command |
quartus_sign --family=stratix10 --operation=append_key --previous_pem==<private PEM for the public key of last entry in input QKY> --previous_qky=<input QKY> --permission=<permission value to authenticate> --cancel=<cancel ID> <public PEM for new entry> <output QKY> |
| Input files | The append_key
command has 3 input files:
|
| Output file | The append_key
outputs 1 file:
|
| Arguments | This command includes 2 arguments:
|
6.5. Sign the Bitstream, Firmware, or Debug Certificate
The sign operation takes an unsigned image.rbf, firmware.zip, debug.cert as input. The sign operation generates a signed output file, either signed_image.rbf, signed_firmware.zip, or signed_debug.cert.
For .rbf generation, you convert the .sof to an .rbf using either the Intel® Quartus® Prime File > Programming File Generator dialog box or the quartus_pfg command-line command.
| Command |
quartus_sign --family=stratix10 --operation=sign --qky=<qky file> --pem=<private PEM for the public key of last entry in the input QKY> <unsigned rbf, unsigned nadder file, unsigned debug certificate> <signed rbf, nadder file, or signed debug certificate> |
| Input file |
The sign operation supports the following 3 input file types:
|
| Output file |
signed rbf file, signed nadder file, or signed certificate file: This file is the output of the sign operation. |
| Arguments | This command has 2 additional arguments:
|
Refer to Step 4: Signing the Bitstream for the steps to sign the bitstream using the Programing File Generator tool.
6.6. Calculate Root Public Key Hash from QKY
The fuse_info operation returns the hash of the root public key.
| Command |
quartus_sign --family=stratix10 --operation=fuse_info <input QKY> <fuse output text> |
| Input file | input QKY: This is the root public key. |
| Output file | fuse output text: Manufacturing uses this text file to program the specified eFuses of the Intel® Stratix® 10 device. |
| Arguments | This command has no additional arguments. |
7. Encryption and Decryption Overview
Encryption Process
You can store the owner AES Root key in virtual eFuses, physical eFuses, BBRAM, or a PUF-wrapped key. Using the PUF to wrap the AES root key for storage in flash is planned in a future release. To prevent overuse of the AES root key, the root key encrypts a chain of intermediate keys. The root key encrypts the first intermediate key, which encrypts the second intermediate key, and so on. The last intermediate key encrypts the section keys.
Encryption supports up to 20 intermediate keys. By default, the encryption function uses three intermediate keys. These keys mitigate side channel attack risk by limiting the exposure of the final key to encrypt a given section of the bitstream.
Intel recommends that you limit the amount of data encrypted with the same key using AES update mode. You enabled AES update mode by setting the Assignments > Device > Device and Pin Options > Security > Encryption Update Ratio parameter to 31:1. When enabled, the Intel® Quartus® Prime Pro Edition Software inserts keys to limit the amount of data encrypted by a given key to the specified ratio. For example, the 31:1 ratio inserts a new key every 31 * 32 bytes. Different ratios may become available in a future release.
Decryption Process
The section key decrypts the keys block which contains up to 128 keys. Each key is 256 bits and decrypts subsequent encrypted data or another keys block.
The initialization vector (IV) is unencrypted data that is an input to the decryption function.
Understanding Partially Encrypted Configuration Bitstreams
A partially encrypted configuration bitstream has no intermediate keys. The section key is in plaintext. The encryption finalization step creates intermediate keys and replaces the plaintext section key with an encrypted version.
Enable Scrambling
The Enable Scrambling parameter helps to limit any potential side-channel exposure of decrypted configuration data during the configuration process. Enabling this option places a command in the configuration bitstream that the SDM processes at configuration time. The Enable Scrambling parameter does not affect the encryption or decryption process.
7.1. Using the Encryption Feature
- Step 1: Preparing the owner image and AES key files
- Step 2: Generating the programming files
- Step 3: Programming the AES key and configuring the encrypted owner image
7.1.1. Step 1: Preparing the Owner Image and AES Key File
- On the Security page (Assignments > Device > Device and Pin Options > Security), for Quartus Key File specify your root key file or signature key chain, which has the .qky file type.
- Turn on the Enable Programming Bitstream Encryption option.
- Specify the key storage location from Encryption Key Select drop-down list.
-
Generate the AES key using the quartus_encrypt command:
# This example of the quartus_encrypt command specfies the optional # --aes_key parameter and provides the 8-word key value rather than # allowing the quartus_encrypt command to derive the aes_key from # the base_key quartus_encrypt --family=stratix10 --operation=make_aes_key \ --aes_key=mykey.txt --ik_count=4 --max_key_use=32 <output.qek>
As an example, for the quartus_encrypt command shown above, the mykey.txt file contains the following 8 words:0xD6971FC7 0x28932CB0 0x5097E5A7 0x16968C52 0x7BB0AE8E 0x5C2F59E6 0x35B69453 0xC8E357BA
7.1.2. Step 2a: Generating Programming Files Using the Programming File Generator
- Raw Binary File (.rbf)
- JTAG Indirect Configuration File (.jic)
- Programmer Object File (.pof)
- Raw Programming Data File (.rpd)
- On the Intel® Quartus® Prime File menu select Programming File Generator.
-
On the Output Files tab,
specify the output file type for your configuration scheme.
Figure 18. Output File Specification
- On the Input Files tab, click Add Bitstream and browse to your .sof.
-
To specify encryption and authentication options select the
.sof and click Properties.
- Turn Enable signing tool on.
- For Private key file select your signing key private .pem file.
- Turn Finalize encryption on.
-
For Encryption key
file, select your AES .qek file.
Figure 19. Input (.sof) File Properties for Authentication and Encryption
-
To generate the signed and encrypted bitstream, on the
Input Files tab, click Generate.
The password dialog box prompts you to input your passphrase for the .qek. The programming file generator generates top.rbf if the passphrase is correct.
7.1.3. Step 2b: Generating Programming Files Using the Command Line Interface
quartus_pfg -c encryption_enabled.sof top.rbf -o finalize_encryption=ON \ -o qek_file=aes.qek -o signing=ON -o pem_file=design0_sign_private.pem
7.1.4. Step 3a: Specifying Keys and Configuring the Encrypted Image Using the Intel Quartus Prime Programmer
You should already have specified a storage location for your .qek on the Security page of the Assignments > Device > Device and Pin Options. In the current release, you can select Battery Backup RAM (BBRAM) or eFuses. After you make this selection, the Intel® Quartus® Prime Pro Edition Software identifies the .sof file as encryption enabled and records your settings for the Encryption key select and Encryption update ratio.
- Bring up the Intel® Quartus® Prime Programmer.
-
Right click the
Intel®
Stratix® 10 device
and select Add QKY/QEK/FUSE File file.
Navigate to your .qky file and select
it.
Figure 21. Adding .qky, .qek or .fuse files
-
Enable the
Program/Configure option for the .qky file. Disable the
Program/Configure for any other files that may be selected.
Click Start to program the authentication
key into your
Intel®
Stratix® 10 device.
Figure 22. Program/Configure A Key File
- Right click the Intel® Stratix® 10 device and select Add QKY/QEK/FUSE File. Navigate to your .qek file and select it.
- Enable the Program/Configure option for the .qek file. Disable the Program/Configure for any other files that may be selected. Click Start. The Passphrase dialog box appears. Enter your passphrase. The encryption key programs into the BBRAM, virtual eFuses or physical eFuses on the Intel® Stratix® 10 device.
-
With the keys programmed, you can load the signed and encrypted
.rbf bitstream image.
Option Description Using the Intel® Quartus® Prime Programmer: Enable the Program/Configure option for the .rbf file. Disable the Program/Configure for any other files that may be selected. Click Start. Using a Intel® MAX® 10 device or other external host: Instruct the configuration hardware to configure the Intel® Stratix® 10 device from the flash memory.
7.1.5. Step 3b: Programming the AES Key and Configuring the Encrypted Image Using the Command Line
-
You can program the key file using the quartus_pgm command:
CAUTION:Incorrect programming of security eFuses can permanently prevent the device from configuring. Intel strongly recommends before programming any security eFuse that you test using the virtual eFuses to ensure that the values being programmed are correct.
// For BBRAM quartus_pgm -c 1 -m jtag -o "pi;aes.qek" --key_storage "BBRAM" // For virtual eFuses quartus_pgm -c 1 -m jtag -o "pi;aes.qek" --key_storage "Virtual eFuses" // For physical eFuses quartus_pgm -c 1 -m jtag -o "pi;aes.qek" --key_storage "Real eFuses"
The command arguments specify the following information:
- -c: cable number
- -m: mode
-
-o: operation. The
argument to operation is enclosed in quotes. The letters specify the
following operations:
- p: program
- i: load a helper image which loads the SDM firmware so that it can program the aes.qek
- ;: the argument following the ; specifies the programming file
- --key_storage: specifies the location for the encryption key. The following values are available: BBRAM, Virtual eFuses, physical eFuses.
-
Now program the signed encrypted bitstream using the following
commands:
quartus_pgm -c 1 -m jtag -o "p;encrypted.rbf"
7.1.6. Storing the AES Key AES in Physical eFuses
- Power on your design in version 19.3 of the Intel® Quartus® Prime Pro Edition Software.
- Program Intel cancellation IDs 0-4 by programming the corresponding fuses.
- Power cycle your system.
-
Program the AES key eFuses.
The Intel® Stratix® 10 wraps the AES key.
7.1.7. Storing the AES Key in BBRAM using the JTAG Mailbox
8. Encryption Command Detailed Description
The encryption command supports the following functions:
- Making an AES key
- Encrypting the configuration bitstream
| Argument | Options | Description |
|---|---|---|
| operation | make_aes_key | Generates an .qek file. Takes 6 optional arguments. |
| encrypt | Completes the encryption process. When you enable encryption, the Bitstream Assembler always generates a partially-encrypted owner configuration bitstream (.rbf) from the .sof input file. |
8.1. Make AES Key
| Command |
quartus_encrypt --family=stratix10 --operation=make_aes_key <output .qek> |
| Input file | None |
| Output file | .qek |
| Arguments | This command includes the following 6
optionals arguments:
|
8.2. Encrypt the Bitstream
| Command |
quartus_encrypt --family=stratix10 --operation=encrypt --Key=<output .qek> \ <partially-encrypted .rbf> <fully encrypted .rbf> |
| Input file | Partially encrypted .rbf file. |
| Output file | Fully encrypted .rbf file. |
| Arguments | This command includes the following 2
required arguments:
|
9. Using eFuses
You can set many of the eFuses using the More Options button of the Security category on the Assignments > Device > Device and Pin Options menu as shown.
| eFuse Name | Legal Values | Description |
|---|---|---|
| Intel® FPGA public key hash | 384-bit hex | Read-only. |
| Intel® FPGA public key cancellation | 32-bit hex | 32 Intel cancellation IDs are available. Each bit corresponds to the cancellation ID. |
| Co-signed firmware | 1-bit boolean | When you program this fuse, both you and Intel must sign the device firmware. Intel signs the device firmware with the root public key during the manufacturing process. |
| Device not secure | 1-bit boolean | If you receive a device and this fuse is programmed do not use the device and contact Intel. |
| Owner encryption key program done | 1-bit boolean |
The Programmer programs the owner AES key into eFuses. |
| Owner encryption key program start | 1-bit boolean | |
| Owner key cancellation | 32-bit hex | 0-31. The Intel® Stratix® 10 device has 4 redundant cancellation bits of with each fuse. The Programmer programs all 4 copies when you cancel the corresponding fuse. |
| Owner root public key hash | 384-bit hex | Stores the hash value of the owner root public key. |
| Owner public key size | [0, 256, 384] | Specifies owner public key size. Intel recommends using 384-bit keys if possible. |
| JTAG disable | 1-bit boolean | When set, disables JTAG command and configuration. Setting this eFuse eliminates JTAG as mode of attack, but also eliminates boundary scan. |
| Force SDM clock to Internal Oscillator | 1-bit boolean | When set, disables an external clock source for the SDM for bitstream configuration. Forcing the SDM to use an internal oscillator helps to limit potential interruptions or attacks by modifying an external clock during configuration. |
| Force encryption key update | 1-bit boolean | When set, all encrypted bitstreams must specify the Encryption Update Ratio on the Intel® Quartus® Prime Assignments > Device and Pin Options > Security menu. |
| Disable virtual eFuses | 1-bit boolean | When set, disables the eFuse virtual programming capability. |
| Lock security eFuses | 1-bit boolean |
Programming this fuse prevents the future programming of any owner-accessible security policy fuses, not including key cancellation ID fuses. |
| Disable HPS debug | 1-bit boolean | When set, permanently disables debugging using JTAG to access the HPS. |
| eFuse key disable | 1-bit boolean | When set, the device does not use an AES key stored in eFuses. |
| BBRAM key disable | 1-bit boolean | When set, the device does not use AES key stored in BBRAM. |
Simulating the Public Key Hash Virtual eFuses
Because eFuses are non-volatile, Intel recommends validating eFuse programming before programming physical eFuses on the Intel® Stratix® 10 device.
This example provides the steps to validate the public key hash. First, you program the public key hash value into in virtual eFuses. Then, you compare that value to the value that the Examine function stores in hash_fuse.txt:
- Turn on Enable device security using a volatile security key in the Intel® Quartus® Prime Programmer. When you select this option the Intel® Quartus® Prime Pro Edition stores the eFuse values in firmware registers.
- In the Intel® Quartus® Prime Programmer click Add File and browse to your signed bitstream.
- In the Intel® Quartus® Prime Programmer turn on the Program/Configure and Examine options.
- Click Start.
- After programming completes, the Programmer displays the hash value of the signature key stored in firmware. You can now compare that value to the value you generate by creating a hash_fuse.txt file using the quartus_sign command with the operation set to fuse_info.
9.1. Fuse Programming Input Files
-
.qky: Provides the owner public
root key for authentication and the second-level key for firmware authentication. Use this
file for the following functions:
- To program and verify the public root key fuses
- To sign the owner configuration bitstream
- To sign the device firmware
- To sign the HPS debug certificate
-
.qek: Provides the AES key for
encryption. Use this file for the following functions:
- To program the AES key fuses
- To encrypt the owner configuration bitstream
-
.fuse: Specifies all owner fuses.
Also includes the public root key
which
is
read-only. Use this file for the following functions:
- To program and verify security fuses
- To program owner-defined fuses
9.1.1. Fuse File Format
The following example shows the format of the .fuse file.
# Comment <fuse name> = <value> <fuse name> = <value> <fuse name> = <value>
You can use the Intel® Quartus® Prime Programmer Examine option to read all currently programmed fuses in the Intel® Stratix® 10 device and store this information in a .fuse file.
9.1.2. Programming eFuses
You can program eFuses to enable or disable device security features. Before programming eFuses you must check the current state of eFuse programming for your device. This procedure ensures that you add the new eFuse commands to the existing eFuse programming commands, if any.
The example commands specify the helper_device 1SX280LH2. If you are using a different Intel® Stratix® 10 device, provide the appropriate ordering code for that device up to the speed grade designation. Helper images are necessary for flash and fuse programming using the Intel® Quartus® Prime Programmer. The helper image programs the SDM firmware.
- To find the list of helper devices, in the Intel® Quartus® Prime Programmer, select Add Device.
-
In the Device family
list, select
Intel®
Stratix® 10
. In the Device name
list, identify the find the part number that matches your device.
Figure 24. User the Programmer to Determine the helper_device Argument
-
Generate an unsigned helper image for eFuse programming.
quartus_pfg --helper_image -o helper_device=1SG280HN2 -o subtype=FUSE \ -o fw_source=nadder.zip unsigned_helper_image.rbf
-
Configure your
Intel®
Stratix® 10 device
with the helper_image.rbf file you just
created.
quartus_pgm -c 1 -m jtag -o “p;unsigned_helper_image.rbf”
-
Generate the current device fuse status file, programming_file.fuse.
quartus_pgm -c 1 -m jtag -o “e;programming_file.fuse;1SX280LH2”
-
Edit programming_file.fuse
to add the required eFuses. There are four copies of eFuses. Programming
changes all 4 copies from 0 to 1. Add the following command to programming_file.fuse.
<fuse_name> = "0xF"
-
Program the eFuses:
//For physical (non-volatile) eFuses quartus_pgm -c 1 -m jtag -o "p;programming_file.fuse" --non_volatile_key//For virtual (volatile) eFuses quartus_pgm -c 1 -m jtag -o "p;programming_file.fuse"
9.1.3. Canceling eFuses
-
Extract the existing fuse information by running the following
command-line command:
quartus_pgm -c 1 -m jtag -o "ie;my_fuse.fuse;1SX280LH2"
This command generates a my_fuse.fuse text file.
Sample contents of my_fuse.fuse:
# Co-signed firmware = "0xF" # Device not secure = "0x0" # Intel key cancellation = "" # Owner fuses = "0x00000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000" # Owner key cancellation = "" # Owner public key hash = "0x000000000000000000000000000000000CE520B15B082E67ACEBCB8545CE239FDBB8CDE6083F6DF9D3BF542932EA5039" # Owner public key size = "0xF" # QSPI start up delay = "0x0" # SDMIO0 is I2C = "0x0"
-
Using a text editor, update my_fuse.fuse to specify the keys to cancel. Change:
#Intel key cancellation = ""
to:
Intel key cancellation = "0,1,2,3,4"
Note: Be sure to remove the initial #. -
Run the following command to program the cancellation ID
eFuses:
//For physical (non-volatile) eFuses quartus_pgm -c 1 -m jtag -o "p;my_fuse.fuse" --non_volatile_key
//For virtual (volatile) eFuses quartus_pgm -c 1 -m jtag -o "p;my_fuse.fuse"
9.1.4. Converting Key, Encryption, and Fuse Files to Jam Staple File Formats
quartus_pfg Conversion Commands
Here are examples of quartus_pfg conversion commands:
quartus_pfg -c -o helper_device=1SX280LH2 root.qky RootKey.jam quartus_pfg -c -o helper_device=1SX280LH2 root.qky RootKey.jbc quartus_pfg -c -o helper_device=1SX280LH2 nd.qek nd_qek.jam quartus_pfg -c -o helper_device=1SX280LH2 nd.qek nd_qek.jbc quartus_pfg -c -o helper_device=1SX280LH2 cancel_id.fuse nd_fuse.jam quartus_pfg -c -o helper_device=1SX280LH2 cancel_id.fuse nd_fuse.jbc
For more information about the using the Jam STAPL Player for device programming refer to AN 425: Using the Command-Line Jam STAPL Solution for Device Programming.
Using the .jam Files to Program Root Key and AES Encryption Key
The run the following commands to program the owner root public key and AES encryption key:
// To load the helper bitstream into the FPGA. // The helper bitstream include SDM firmware quartus_jli -c 1 -a CONFIGURE RootKey.jam // To program the owner root public key into virtual eFuses auartus_jli -c 1 -a PUBKEY_PROGRAM RootKey.jam //To program the owner root public key into physical eFuses quartus_jli -c 1 -a PUBKEY_PROGRAM -e DO_UNI_ACT_DO_EFUSES_FLAG RootKey.jam // To program the AES Encryption key into BBRAM quartus_jli -c 1 -a AESKEY_PROGRAM -e DO_UNI_ACT_DO_BBRAM_FLAG EncKey.jam
10. Document Revision History for Intel Stratix 10 Device Security User Guide
| Document Version | Intel® Quartus® Prime Version | Changes |
|---|---|---|
| 2020.01.15 | 19.3 | Corrected the pem_file argument in 7.1.3. Step
2b: Generating Programming Files Using the Command Line. The
correct command uses pem_file=design0_sign_private.pem:
quartus_pfg -c encryption_enabled.sof top.rbf \ -o finalize_encryption=ON -o qek_file=aes.qek \ -o signing=ON -o pem_file=design0_sign_private.pem |
| 2020.01.06 | 19.3 | Made the following changes:
|
| 2019.10.30 | 19.3 | Added the following new security features:
|
| 2019.05.30 | 19.1 | Made the following corrections:
|
| 2019.05.10 | 19.1 | Made the following corrections:
|
| 2019.05.07 | 19.1 | Initial release. |