Visible to Intel only — GUID: oby1568408103961
Ixiasoft
1.1. Generating Primary Device Programming Files
1.2. Generating Secondary Programming Files
1.3. Enabling Bitstream Security for Stratix® 10 and Agilex™ 7 Devices
1.4. Enabling Bitstream Encryption or Compression for Arria® 10 and Cyclone® 10 GX Devices
1.5. Generating Programming Files for Partial Reconfiguration
1.6. Generating Programming Files for Intel® FPGA Devices with Hard Processor Systems
1.7. Scripting Support
1.8. Generating Programming Files Revision History
2.1. Quartus® Prime Programmer
2.2. Programming and Configuration Modes
2.3. Basic Device Configuration Steps
2.4. Specifying the Programming Hardware Setup
2.5. Programming with Flash Loaders
2.6. Verifying the Programming File Source with Project Hash
2.7. Using PR Bitstream Security Verification ( Stratix® 10 Designs)
2.8. Stand-Alone Programmer and Tools
2.9. Programmer Settings Reference
2.10. Scripting Support
2.11. Using the Quartus® Prime Programmer Revision History
2.9.1. Device & Pin Options Dialog Box
2.9.2. More Security Options Dialog Box
2.9.3. Output Files Tab Settings (Programming File Generator)
2.9.4. Input Files Tab Settings (Programming File Generator)
2.9.5. Bitstream Co-Signing Security Settings (Programming File Generator)
2.9.6. Configuration Device Tab Settings
2.9.7. Add Partition Dialog Box (Programming File Generator)
2.9.8. Add Filesystem Dialog Box (Programming File Generator)
2.9.9. Convert Programming File Dialog Box
2.9.10. Compression and Encryption Settings (Convert Programming File)
2.9.11. SOF Data Properties Dialog Box (Convert Programming File)
2.9.12. Select Devices (Flash Loader) Dialog Box
Visible to Intel only — GUID: oby1568408103961
Ixiasoft
1.3.3. Enabling Bitstream Encryption (Programming File Generator)
To enable bitstream encryption, you must first generate a first level signature chain (.qky) that enables encryption options in the GUI. Next, you generate the encrypted configuration bitstream in the Assembler. Finally, you generate a secondary programming file that specifies the AES Encryption Key file (.qek) for bitstream decryption.
Follow these steps to enable bitstream encryption:
- Generate a First Level Signature Chain that includes the root key and one or more design signing keys, as Stratix® 10 Device Security User Guide and Agilex™ 7 Device Security User Guide describe.
- Click Assignments > Device > Device and Pin Options > Security.
- For the Quartus key file setting, specify the first level signature chain .qky that contains the root key and one or more design signing keys.
- Turn on Enable programming bitstream encryption, and specify one or more of the following:
Table 9. Assembler Encryption Security Settings Option Description Encryption key storage select Specifies the location that stores the .qek key file. You can select either Battery Backup RAM or eFuses for storage. Encryption update ratio Specifies the ratio of configuration bits compared to the number of key updates required for bitstream decryption. You can select either 31:1 (the key must change 1 time every 31 bits) or Disabled (no update required). Encryption supports up to 20 intermediate keys. Enable scrambling Scrambles the configuration bitstream. More Options Opens the More Security Options dialog box for specifying additional physical security options. - Generate primary device programing files in the Assembler, as Generating Primary Device Programming Files describes.
- Generate a .jic or .rbf secondary programming file, as Generating Secondary Programming Files describes:
- In the Programming File Generator, select the .sof file on the Input Files tab.
- Click the Properties button. The Input File Properties dialog box appears.
Figure 18. Input File Properties
- Set Finalize encryption to On.
- Specify the AES 256-bit or 384-bit Encryption key file (.qek) to decrypt the bitstream in the SDM prior to device configuration.
- Click OK.
Related Information