Step 1: Creating The Root Key; Step 2: Creating The Design Signing Key - Intel Stratix 10 User Manual

3. Using the Authentication Feature
UG-S10SECURITY | 2019.05.10

3.1. Step 1: Creating the Root Key

The root key includes public and private components. These keys are in the Privacy
Enhanced Mail Certificate (PEM) format and have the
Complete the following steps to generate the root private and public keys:
1. Bring up a Nios
Option
Windows
Linux
2. In the Nios II command shell, change to the directory that includes your
3. Run the following command to create the private key which you use to generate
the root public key.
Note: You can create the private key with or without passphrase protection. The
Option
With passphrase
Without passphrase
4. Run the following command to create the root public key which you use to
generate the root key. The
step is an input to this command. You do not need to protect the root public key.
quartus_sign --family=stratix10 --operation=make_public_pem
<root_private.pem> <root_public.pem>
5. Convert the root key to the Intel Quartus Prime key file format (
Stratix 10 device compares the contents of
public key. The
quartus_sign --family=stratix10 --operation=make_root <root public.pem>
<root_public.qky>

3.2. Step 2: Creating the Design Signing Key

You may need one or more design signing keys. Intel recommends using separate
signing keys for the HPS and FPGA in Intel Stratix 10 SX devices. Creating multiple
keys also gives you the flexibility to cancel keys if you detect an error, uncover a
vulnerability, or need to update the firmware.
1. Run the following command to create the first design signature private key. You
use the design signature private key to create the design signature public key.
Send Feedback
®
II command shell.
Description
On the Start menu, point to Programs
<version> and click Nios II <version> Command Shell.
In a command shell change to the
following command:
./nios2_command_shell.sh
passphrase encrypts the private key. Intel recommends using a strong
passphrase because it makes the key file useless to an attacker. Intel also
recommends changing the permissions on the private
for the owner.
Description
quartus_sign --family=stratix10 --operation=make_private_pem --
curve=<prime256v1 or secp384r1> <root_private.pem>
Enter the passphrase when prompted to do so.
quartus_sign --family=stratix10 --operation=make_private_pem --
curve=<prime256v1 or secp384r1> --no_passphrase <root_private.pem>
root_private.pem
file is a few hundred bytes in size.
.qky
extension.
.pem
Intel FPGA Nios II EDS
<install_dir>/nios2eds
file to read-only
.pem
you generated in the previous
.qky
files to authenticate the root
.qky
® ®
Intel Stratix 10 Device Security User Guide
and run the
file.
.sof
) The Intel
15