Visible to Intel only — GUID: mwh1410385066394
Ixiasoft
2.1. Generating Primary Device Programming Files
2.2. Generating Secondary Programming Files
2.3. Enabling Bitstream Security for Intel® Stratix® 10 and Intel® Agilex™ 7 Devices
2.4. Enabling Bitstream Encryption or Compression for Intel® Arria® 10 and Intel® Cyclone® 10 GX Devices
2.5. Generating Programming Files for Partial Reconfiguration
2.6. Generating Programming Files for Intel® FPGA Devices with Hard Processor Systems
2.7. Scripting Support
2.8. Generating Programming Files Revision History
3.1. Intel® Quartus® Prime Programmer
3.2. Programming and Configuration Modes
3.3. Basic Device Configuration Steps
3.4. Specifying the Programming Hardware Setup
3.5. Programming with Flash Loaders
3.6. Verifying the Programming File Source with Project Hash
3.7. Using PR Bitstream Security Verification ( Intel® Stratix® 10 Designs)
3.8. Stand-Alone Programmer
3.9. Programmer Settings Reference
3.10. Scripting Support
3.11. Using the Intel® Quartus® Prime Programmer Revision History
3.9.1. Device & Pin Options Dialog Box
3.9.2. More Security Options Dialog Box
3.9.3. Output Files Tab Settings (Programming File Generator)
3.9.4. Input Files Tab Settings (Programming File Generator)
3.9.5. Bitstream Co-Signing Security Settings (Programming File Generator)
3.9.6. Configuration Device Tab Settings
3.9.7. Add Partition Dialog Box (Programming File Generator)
3.9.8. Add Filesystem Dialog Box (Programming File Generator)
3.9.9. Convert Programming File Dialog Box
3.9.10. Compression and Encryption Settings (Convert Programming File)
3.9.11. SOF Data Properties Dialog Box (Convert Programming File)
3.9.12. Select Devices (Flash Loader) Dialog Box
Visible to Intel only — GUID: mwh1410385066394
Ixiasoft
2.3. Enabling Bitstream Security for Intel® Stratix® 10 and Intel® Agilex™ 7 Devices
Intel® Stratix® 10 and Intel® Agilex™ 7 devices provide flexible and robust security features to protect sensitive data, intellectual property, and device hardware from physical and remote attacks. The Intel® Stratix® 10 and Intel® Agilex™ 7 device architectures support bitstream authentication and encryption security features. The Assembler applies bitstream compression automatically to reduce file size whenever you use authentication or encryption.
- Bitstream Authentication—verifies that the configuration bitstream and firmware are from a trusted source. Enable additional co-signing device firmware authentication to ensure that only signed firmware runs on the HPS or FPGA, and to authorize HPS JTAG debugging. Enable authentication security by specifying a first level signature chain file (.qky) for the Quartus Key File option (Device and Pin Options dialog box), as Enabling Bitstream Authentication (Programming File Generator) describes.5
- Bitstream Encryption—protects proprietary or sensitive data from view or extraction in the configuration bitstream using an Advanced Encryption Standard (AES) 256-bit or 384-bit security key. Encryption also provides side-channel protection from non-intrusive attack. You can store the owner AES key in eFuses or BBRAM. Enable encryption by turning on the Enable programming bitstream encryption option (Device and Pin Options dialog box), as Enabling Bitstream Encryption (Programming File Generator) describes.
Term | Description | Extension |
---|---|---|
First Level Signature Chain Key File | File you generate that specifies the root key (.pem) and one or more design signing keys (.pem) required to sign the bitstream and allow access to the FPGA when using authentication or encryption. | .qky |
Root Key File | File you generate that anchors the first level signature chain to a known root key. The FPGA calculates the hash of the root entry and checks if it matches the expected hash. The Assembler appends the root key to the programming file and stores the key in eFuses. | .qky |
Design Signing Key File | File you generate and append to the root key that authenticates the bitstream in the SDM to allow configuration of the device with the pending bitstream. Use separate design signing keys for the FPGA and HPS for highest security. | .pem |
Firmware Co-signing Key File | Files provided in <install>\devices\programmer\firmware that includes the owner signature and firmware file that you use to sign the firmware to run on the FPGA or HPS. | .zip |
Signed HPS Certificate File | Specifies a secure HPS debug certificate that permits access to the JTAG interface for HPS debugging. A secure HPS debug certificate is valid until you power down or reconfigure the device. | .cert |
Note: Intel® Arria® 10 and Intel® Cyclone® 10 GX devices do not support bitstream authentication.
Section Content
Enabling Bitstream Authentication (Programming File Generator)
Specifying Additional Physical Security Settings (Programming File Generator)
Enabling Bitstream Encryption (Programming File Generator)
5 For Intel® Stratix® 10 devices, bitstream authentication is available only for devices that include the AS (Advanced Security) ordering code suffix and all Intel® Stratix® 10 DX devices.