programmer_security_tables

Table 1. Stratix® 10 and Agilex™ 7 Bitstream Authentication Files
Term Description Extension
First Level Signature Chain Key File File you generate that specifies the root key (.pem) and one or more design signing keys (.pem) required to sign the bitstream and allow access to the FPGA when using authentication or encryption. .qky
Root Key File File you generate that anchors the first level signature chain to a known root key. The FPGA calculates the hash of the root entry and checks if it matches the expected hash. The Assembler appends the root key to the programming file and stores the key in eFuses. .qky
Design Signing Key File File you generate and append to the root key that authenticates the bitstream in the SDM to allow configuration of the device with the pending bitstream. Use separate design signing keys for the FPGA and HPS for highest security. .pem
Firmware Co-signing Key File Files provided in <install>\devices\programmer\firmware that includes the owner signature and firmware file that you use to sign the firmware to run on the FPGA or HPS. .zip
Signed HPS Certificate File Specifies a secure HPS debug certificate that permits access to the JTAG interface for HPS debugging. A secure HPS debug certificate is valid until you power down or reconfigure the device. .cert
Table 2. Assembler Security Settings
Option Description
Quartus Key File Specifies the .qek file that the configuration bitstream requires for decryption. The Assembler generates this file in the location you specify.
Encryption key storage select Specifies the location that stores the .qek key file. You can select either Battery Backup RAM or eFuses for storage.
Encryption update ratio Specifies the ratio of configuration bits compared to the number of key updates required for bitstream decryption. You can select either 31:1 (the key must change 1 time every 31 bits) or Disabled (no update required). Encryption supports up to 20 intermediate keys.
Enable scrambling Scrambles the configuration bitstream.
More Options Opens the More Security Options dialog box for specifying additional physical security options.
Table 3. More Security Options Dialog Box Settings
Option Description Values
Disable JTAG Disables JTAG command and configuration of the device. Setting this eliminates JTAG as mode of attack, but also eliminates boundary scan functionality.
  • Off—inactive
  • On—active until wipe of containing design
  • On sticky—active until next POR
  • On check—checks for corresponding blown fuse
Force SDM clock to internal oscillator Disables an external clock source for the SDM. The SDM must use the internal oscillator. Using an internal oscillator is more secure than allowing an external clock source for configuration.
Force encryption key update Specifies that the encryption key must update by the frequency that you specify for the Encryption update ratio option. The default ration value is 31:1. Encryption supports up to 20 intermediate keys.
Disable virtual eFuses Disables the eFuse virtual programming capability.
Lock security eFuses Causes eFuse failure if the eFuse CRC does not match the calculated value.
Disable HPS debug Disables debugging through the JTAG interface to access the HPS.
Disable encryption key in eFuses Specifies that the device cannot use an AES key stored in eFuses. Rather, you can provide an extra level of security by storing the AES key in BBRAM.
Disable encryption key in BBRAM Specifies that the device cannot use AES key stored in BBRAM. Rather, you can provide an extra level of security when you store the AES key in eFuses.
Table 4. Input File Properties Dialog Box (Programming File Generator). Allows you to specify options for bitstream authentication, co-signing, and encryption security. To access, select an .sof or .rbf in the Input files tab in the Programming File Generator, and click Properties.
Option Description
Bootloader Specifies an ASCII text file in Intel hexadecimal format that contains configuration data for programming a parallel data source, such as a configuration device or a mass storage device. The parallel data source in turn configures an SRAM-based Altera® device.
Enable signing tool Enables the signing tool that checks for a required Privacy Enhanced Mail Certificates file (.pem) for the Private key file, and a Quartus Co-Signed Firmware file (.zip) for the Co-signed firmware option.
Private key file Specifies the private .pem file required to sign the configuration bitstream when using the signing tool. If your .pem is password-protected, you are prompted to enter the password.
Co-signed firmware Specifies the firmware source (.zip) required to include the signed firmware in the configuration bitstream.
Finalize encryption Finalizes the configuration bitstream encryption.
Encryption key file Specifies the Encryption Key File (.qek) required to decrypt the configuration bitstream file.
Table 5. SOF File Properties: Bitstream Encryption Dialog Box (Convert Programming Files). Allows you to specify options for compression and encryption key security for the device configuration SRAM Object File (.sof). To access, select an .sof in the Input files to convert list in the Convert Programming Files dialog box, and click Properties.
Option Description
Compression Applies compression to the bitstream to reduce the size of your programming file. The Quartus® Prime Assembler can generate a compressed bitstream image that reduces configuration file size by 30% to 55% (depending on the design). The FPGA device receives the compressed configuration bitstream, and then can decompress the data in real-time during configuration. This option is unavailable whenever Generate encrypted bitstream is enabled.
Enable decompression during partial reconfiguration Enables the option bit for bitstream decompression during Partial Reconfiguration.
Generate encrypted bitstream Generates an encrypted bitstream configuration image. You then generate and specify an encryption key file (.ekp) for device configuration. This option is unavailable whenever Compression is enabled.
Enable volatile security key Allows you to encrypt the .sof file with volatile (enabled) or non-volatile (disabled) security key.
Generate encryption lock file Specifies the name of the encryption lock file (.elk) that Convert Programming Files generates.
Generate key programming file Specifies the name of the key programming file (.key) that Convert Programming Files generates.
Use key file
  • Key 1 file—specifies the name of Key 1 .key file.
  • Key 2 file—specifies the name of Key 2 .key file.
Key entry Specifies the keys for bitstream decryption.
Security options The following options allow you to enable or disable features that impact device security for the configuration bitstream.
  • Disable partial reconfiguration—disables use of partial reconfiguration for the bitstream.
  • Disable key-related JTAG instructions—disables use of key-related JTAG instructions for the bitstream.
  • Disable other extended JTAG instructions—disables use of other JTAG instructions for the bitstream.
  • Force the external JTAG pins into BYPASS mode—forces the external JTAG pins into BYPASS mode.
You can specify Off, Turns On Until the Next Full Configuration, Turns on until the next Power-On-Reset event, Turns on by blowing the corresponding fuses,
Design Security Feature Disclaimer Acknowledges required acceptance of Design Security Disclaimer.