Using PR Bitstream Security Verification (Intel® Stratix® 10 and Intel® Agilex™ Designs)

PR bitstream security verification requires a separate license and .qsf setting to enable. After you license and enable PR bitstream verification, the Compiler generates both a public Secure Mask Settings File (.smsf) and private Partially Masked Settings File (.pmsf) for each PR region during the base compilation.

The .pmsf contains comprehensive information that the Programmer requires to generate the PR bitstream for a Client region, including the actual bit settings, a region mask, and all the auxiliary bit masks. The .smsf contains a region ownership mask and comprehensive information to detect a peek or poke attack by the PR region’s persona.

Thereafter, the Programmer requires both the private .pmsf and public .smsf to generate the PR bitstream for this PR region, ensuring that the PR persona can only change bits that the persona owns. The Platform Owner may or may not release .smsf files to third-party Clients as part of the PR region collateral. The Platform Owner uses the .smsf to generate the PR bitstream from Client's .pmsf for this PR region with the Programmer.

Figure 1. PR Bitstream Security Validation in Programmer
Follow these steps to license, enable, and use PR bitstream security verification:
  1. Obtain the license file to enable generation of .smsf files for PR regions during base compilation, and to perform PR bitstream security verification during PR bitstream generation in the Programmer. To obtain the license, login or register for a My-Intel account, and then submit an Intel® Premier Support case requesting the license key.
  2. To add the license file to the Intel® Quartus® Prime Pro Edition software, click Tools > License Setup and specify the feature License File.
  3. To enable PR security validation features, add the following line to the project .qsf: 
    set_global_assignment -name PR_SECURITY_VALIDATION on
  4. Compile the base revision.
  5. Following base compilation, view the Assembler reports to view the generated .smsf files required for bitstream generation for each PR region.
  6. The Platform Owner may release .smsf files to third-party clients as part of the PR region collateral. The Client provides the private .pmsf to the Platform Owner to verify PR security of the PR Persona configuration and generate validated PR bitstream.
  7. To validate PR security of Client's .pmsf, the Platform Owner specifies the .smsf and corresponding .pmsf files at the Programmer command line to generate the validated PR bitstreams:
    quartus_cpf -c –-smsf=<smsf_file> <pmsf_file> <output_file>