AN 556: Using the Design Security Features in Intel FPGAs

ID 683269
Date 5/21/2021
Public

Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software

A command-line interface lets you generate a single-device .ekp file and encrypt a Raw Binary File (.rbf). The command-line interface uses the Intel® Quartus® Prime software command-line executable, quartus_cpf, and requires the following syntax or options:

  • --key/-k <path to key file>:<key identity>
  • A .sof file (user design)
  • An .ekp file (the required encryption key programming file name)

You can create a compressed and uncompressed .rbf for configuration by using the following command with an option file which contains the string compression=on.

quartus_cpf -c --option=<option file> --key <keyfile>:<keyid1>:<keyid2> <input_sof_file> <output_rbf_file>

Note:
  1. Encryption and compression cannot be used simultaneously in 20 nm FPGAs.
  2. For 20 nm FPGAs, use non_volatile_key=off to control the Enable volatile key security option during the .rbf file creation.

You can learn more about the option file from the Intel® Quartus® Prime software command-line help. Run quartus_cpf --help=option to see the available options. For 20 nm FPGAs, use the Qcrypt tool command line to encrypt or decrypt the .rbf file. To generate the .ekp or an encrypted configuration file other than .rbf, you must use quartus_cpf.

The following example shows two sets of keys that are stored in two different key files: key1 in key1.key and key2 in key2.key.

quartus_cpf --key D:\SIV_DS\key1.key:key1 --key D:\SIV_DS\key2.key:key2 D:\SIV_DS\test.sof D:\SIV_DS\test.ekp

The following example shows two sets of keys that are stored in the same key file: key1 and key2 in key12.key.

quartus_cpf --key D:\SIV_DS\key12.key:key1:key2 D:\SIV_DS\test.sof D:\SIV_DS\test.ekp
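The following pre-flight check is an added example, not part of the original application note or Intel's tooling. It validates the <keyfile>:<keyid1>:<keyid2> syntax without splitting a Windows drive letter, enforces Note 1 before a build script calls quartus_cpf, and returns the command as an argument list so key file paths never pass through shell string interpolation. The is_20nm flag, the one-setting-per-line option file layout, and the names opt.txt and test.rbf are assumptions made for illustration.

```python
import re

# Constructed option-file text; the page names only these two settings.
SAMPLE_OPTIONS = "compression=on\nnon_volatile_key=off\n"

def parse_options(text):
    """Parse an option file, assumed here to hold one key=value per line."""
    opts = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            opts[name.strip().lower()] = value.strip().lower()
    return opts

def split_key_spec(spec):
    """Split <keyfile>:<keyid1>[:<keyid2>], keeping a drive letter such as D: intact."""
    drive, rest = "", spec
    if re.match(r"[A-Za-z]:[\\/]", spec):
        drive, rest = spec[:2], spec[2:]
    path, *key_ids = rest.split(":")
    if not path or not key_ids or not all(key_ids):
        raise ValueError(f"expected <keyfile>:<keyid>, got {spec!r}")
    return drive + path, key_ids

def build_rbf_command(option_file, option_text, key_specs, sof, rbf, is_20nm):
    """Return the quartus_cpf argv for an .rbf, or raise on a bad combination."""
    for spec in key_specs:
        split_key_spec(spec)  # reject a spec that carries no key identity
    compressed = parse_options(option_text).get("compression") == "on"
    if is_20nm and key_specs and compressed:
        # Note 1: encryption and compression cannot be combined on 20 nm FPGAs.
        raise ValueError("20 nm FPGAs: encryption and compression cannot be combined")
    argv = ["quartus_cpf", "-c", f"--option={option_file}"]
    for spec in key_specs:
        argv += ["--key", spec]
    return argv + [sof, rbf]

if __name__ == "__main__":
    # Hypothetical file names, following the D:\SIV_DS paths used above.
    print(split_key_spec(r"D:\SIV_DS\key12.key:key1:key2"))
    print(build_rbf_command("opt.txt", SAMPLE_OPTIONS,
                            [r"D:\SIV_DS\key12.key:key1:key2"],
                            r"D:\SIV_DS\test.sof", r"D:\SIV_DS\test.rbf",
                            is_20nm=False))
```

Pass the returned list directly to a process launcher (for example subprocess.run) rather than joining it into a single string.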