Co-Signing The Firmware; Programming The Co-Signed Firmware Efuses - Intel Stratix 10 User Manual

4. Co-Signing Device Firmware Overview
UG-S10SECURITY | 2019.05.10
3. Run the following command to append the
keychain
quartus_sign --family=stratix10 --operation=append_key \
--previous_pem=owner_root_private.pem --previous_qky=owner_root_public.qky
--permission=0x1 --cancel=1 owner_fw_public.pem owner_fw_key.qky

4.1.3. Co-Signing the Firmware

You use the Intel Quartus Prime Signing Tool
with your private firmware key. If you are using your own custom hardware security
module you can co-sign using your own script.
1. Run the following command to co-sign the firmware file. The firmware file is
nadder.zip
<install_dri>/ quartus/common/devinfo/programmer/firmware/
directory.
quartus_sign --family=stratix10 --operation=sign --qky=owner_fw_key.qky \
--pem=owner_fw_private.pem nadder.zip nadder_signed.zip

4.1.4. Programming the Co-Signed Firmware eFuses

You program the Co-Signed Firmware eFuses to enable co-signing.
Before you can program the Co-Signed Firmware eFuses, you must check the current
state of eFuse programming for your device. This procedure ensures that you add the
new eFuse commands to the existing eFuse programming commands, if any.
The example commands specify the
different Intel Stratix 10 device, provide the appropriate ordering code for that device
up to the speed grade designation. Helper images are necessary for flash and fuse
programming using the Intel Quartus Prime Programmer.
1. To find the list of helper devices, in the Intel Quartus Prime Programmer, select
Add Device.
2. In the Device family list, select Intel Stratix 10. In the Device name list,
identify the find the part number that matches your device.
Send Feedback
. The Intel Quartus Prime Software writes this file to the
helper_device 1SX280LH2
owner_fw_public.pem
to sign the firmware
operation=sign
. If you are using a
® ®
Intel Stratix 10 Device Security User Guide
owner root
25