Visible to Intel only — GUID: uky1555363033194
Ixiasoft
Visible to Intel only — GUID: uky1555363033194
Ixiasoft
1.3.1. Enabling Bitstream Authentication (Programming File Generator)
You can also optionally enable firmware co-signature capability to require signing the version of configuration firmware that runs on your device. The FPGA device then can load only authenticated firmware.
After you specify the .qky in Assembler settings, the Assembler appends the first level signature chain to the configuration .sof that you generate.
Use the Programming File Generator to generate the signed configuration bitstream for an .sof file. The JTAG Indirect Configuration File (.jic) and Raw Programming Data File (.rpd) formats are available for Active Serial (AS) configuration. The Programmer Object File (.pof) and Raw Binary File (.rbf) are available for Avalon® Streaming configuration.
Follow these steps to enable bitstream authentication:
- Generate a first level signature chain (.qky) that includes the root key and one or more design signing keys, as Stratix® 10 Device Security User Guide and Agilex™ 7 Device Security User Guide describe.
- To add the first level signature chain to a configuration bitstream, click Assignments > Device > Device and Pin Options > Security, and then specify the first level signature chain .qky for the Quartus key file option.
- To enable more physical device security options, click the More Options button on the Security page. More Security Options Dialog Box describes all options.
Figure 15. Security Tab (Device and Pin Options)
- Generate primary device programing files in the Assembler, as Generating Primary Device Programming Files describes. The primary device programming file now contains data to enable first level authentication.
- To optionally enable co-signing device firmware authentication, generate a .jic or .rbf secondary programming file with the following options, as Generating Secondary Programming Files describes:
- In Programming File Generator, click the Properties button. The Input File Properties dialog box appears.
Figure 16. Enabling Co-Signing Device Firmware Authentication ( Stratix® 10 Devices)
- Set Enable signing tool to On.
- For Private key file, specify a design signing key Privacy Enhanced Mail Certificates file (.pem) for firmware co-signing. This key can be separate from the FPGA design signing key.
- For Co-signed firmware, specify a Quartus Co-Signed Firmware file (.zip).
- Click OK.
- In Programming File Generator, click the Properties button. The Input File Properties dialog box appears.
- Use the Programmer to configure the device with the .jic or .rbf.