Visible to Intel only — GUID: ujh1616593987861
Ixiasoft
1. Intel Stratix 10 Device Security Overview
2. Authentication and Authorization
3. AES Bitstream Encryption
4. Device Provisioning
5. Advanced Features
6. Troubleshooting
7. Intel® Stratix® 10 Device Security User Guide Archives
8. Document Revision History for Intel® Stratix® 10 Device Security User Guide
3.3.1. Configuration Bitstream Encryption Using the Programming File Generator Graphical Interface
3.3.2. Configuration Bitstream Encryption Using the Programming File Generator Command Line Interface
3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface
3.3.4. Partial Reconfiguration Bitstream Encryption
4.1. Using SDM Provision Firmware
4.2. Authentication Root Key Provisioning
4.3. Using QSPI Factory Default Helper Image on Owned Devices
4.4. Programming Key Cancellation ID Fuses
4.5. Security Setting Fuse Provisioning
4.6. AES Root Key Provisioning
4.7. Converting Owner Root Key, AES Root Key Certificates, and Fuse files to Jam STAPL File Formats
6.1. Using Quartus Commands in a Windows Environment Error
6.2. Generating a Private Key Warning
6.3. Adding a Signing Key to the Quartus Project Error
6.4. Generating Quartus Prime Programming File was Unsuccessful
6.5. Unknown Argument Errors
6.6. Bitstream Encryption Option Disabled Error
6.7. Specifying Correct Path to the Key
6.8. Using Unsupported Output File Type
Visible to Intel only — GUID: ujh1616593987861
Ixiasoft
4.7. Converting Owner Root Key, AES Root Key Certificates, and Fuse files to Jam STAPL File Formats
You may use the quartus_pfg command-line command to convert .qky, AES root key .ccert, and .fuse files to Jam* STAPL Format File (.jam) and Jam Byte Code Format File (.jbc). You can use these files to program Intel FPGAs using the Jam STAPL Player and the Jam STAPL Byte-Code Player, respectively.
A single .jam or .jbc contains several functions including a firmware helper image configuration and program, blank check, and verification of key and fuse programming.
CAUTION:
When you convert the AES root key .ccert file to .jam format, the .jam file contains the AES key in plaintext but obfuscated form. Consequently, you must protect the .jam file when storing the AES key. You can do this by provisioning the AES key in a secure environment.
Here are examples of quartus_pfg conversion commands:
quartus_pfg -c -o helper_device=1SX280LH2 root.qky RootKey.jam quartus_pfg -c -o helper_device=1SX280LH2 root.qky RootKey.jbc quartus_pfg -c -o helper_device=1SX280LH2 aes.ccert aes_ccert.jam quartus_pfg -c -o helper_device=1SX280LH2 aes.ccert aes_ccert.jbc quartus_pfg -c -o helper_device=1SX280LH2 settings.fuse settings_fuse.jam quartus_pfg -c -o helper_device=1SX280LH2 settings.fuse settings_fuse.jbc
For more information about the using the Jam STAPL Player for device programming refer to AN 425: Using the Command-Line Jam STAPL Solution for Device Programming.
Run the following commands to program the owner root public key and AES encryption key:
//To load the helper bitstream into the FPGA. // The helper bitstream include provision firmware quartus_jli -c 1 -a CONFIGURE RootKey.jam
//To program the owner root public key into virtual eFuses quartus_jli -c 1 -a PUBKEY_PROGRAM RootKey.jam
//To program the owner root public key into physical eFuses quartus_jli -c 1 -a PUBKEY_PROGRAM -e DO_UNI_ACT_DO_EFUSES_FLAG RootKey.jam
//To program the AES encryption key CCERT into BBRAM quartus_jli -c 1 -a CCERT_PROGRAM EncKeyBBRAM.jam
//To program the AES encryption key CCERT into physical eFuses quartus_jli -c 1 -a CCERT_PROGRAM -e DO_UNI_ACT_DO_EFUSES_FLAG EncKeyEFuse.jam