Intel® Stratix® 10 Device Security User Guide
3. Using the Authentication Feature
UG-S10SECURITY | 2020.01.15

1. Run the following command to create the first design signature private key. You
use the design signature private key to create the design signature public key.
Note: Intel recommends following industry best practices to use a strong, random
passphrase on all private key files. The curve argument in this command
must be the same as the one you specified for the root key.

Option               Description
With passphrase      quartus_sign --family=stratix10 --operation=make_private_pem \
                     --curve=<prime256v1 or secp384r1> <design0_sign_private.pem>
                     Enter the passphrase when prompted to do so.
Without passphrase   quartus_sign --family=stratix10 --operation=make_private_pem \
                     --curve=<prime256v1 or secp384r1> --no_passphrase \
                     <design0_sign_private.pem>

2. Run the following command to create the design signature public key.
quartus_sign --family=stratix10 --operation=make_public_pem \
<design0_sign_private.pem> <design0_sign_public.pem>
Enter your passphrase when prompted to do so.

3.3. Step 3: Appending the Design Signature Key to the Signature Chain

This step appends design signing keys to the signature chain. The append command
implements the following operations:
• Appends the 1st Level Public Key (design0_sign_public.pem) to the Root
Public Key (root_public.qky) and generates the 1st Level Signature Chain
(design0_sign_public.qky) that includes the root public key and design0
public key.
• Signs the new 1st Level Signature Chain (design0_sign_chain.qky) using the
Root Private Key (root_private.pem).

1. Run the following command to append the first design signature key to the root
key, creating a two-level signature chain:
Setting the permission argument to 6 creates a signature that can sign the
FPGA I/O, core, PR, and HPS sections. Setting the permission argument to 2 or
4 creates a signature that can sign only FPGA or HPS sections, respectively.
Setting the cancellation argument to 0 means that eFuse0 can cancel this
signature. eFuses 0-31 are available for owner cancellation.
quartus_sign --family=stratix10 --operation=append_key \
--previous_pem=<root_private.pem> --previous_qky=<root_public.qky> \
--permission=6 --cancel=0 <design0_sign_public.pem> \
<design0_sign_chain.qky>
2. Use append_key again to create a three-level signature chain:
a. Repeat the commands in Step 1 on page 20, to generate both
design1_sign_private.pem and design1_sign_public.pem.
b. Append design1_sign_public.pem to the signature chain.
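
The argument checks implied by the append step above, as an added shell example that is not part of the Intel guide: it rejects permission values other than 2, 4 and 6 and cancel IDs outside 0-31, then prints the append_key command for review instead of running it. The function names, the form of the second-level invocation, cancel ID 1 and the file name design1_sign_chain.qky are assumptions.

```shell
#!/bin/sh
# Added example: argument checks before quartus_sign append_key.
# Assumption: only the permission values and cancel IDs described above are allowed.

# Print the sections a permission value lets the key sign; fail on any other value.
permission_scope() {
    case "$1" in
        6) echo "FPGA I/O, core, PR, and HPS" ;;
        2) echo "FPGA only" ;;
        4) echo "HPS only" ;;
        *) return 1 ;;
    esac
}

# Succeed only for owner cancellation IDs 0-31.
valid_cancel_id() {
    case "$1" in
        ''|*[!0-9]*|???*) return 1 ;;  # empty, non-numeric, or three or more digits
    esac
    [ "$1" -le 31 ]
}

# append_key_cmd PREV_PEM PREV_QKY PERMISSION CANCEL NEW_PUBLIC_PEM OUT_QKY
# Prints the command line instead of running it, so it can be reviewed first.
append_key_cmd() {
    [ "$#" -eq 6 ] || { echo "append_key_cmd: expected 6 arguments" >&2; return 2; }
    permission_scope "$3" >/dev/null ||
        { echo "permission '$3' is not 2, 4 or 6" >&2; return 1; }
    valid_cancel_id "$4" ||
        { echo "cancel ID '$4' is outside 0-31" >&2; return 1; }
    # Refuse to overwrite the chain that is being extended.
    [ "$2" != "$6" ] ||
        { echo "output chain must differ from $2" >&2; return 1; }
    printf '%s --previous_pem=%s --previous_qky=%s --permission=%s --cancel=%s %s %s\n' \
        'quartus_sign --family=stratix10 --operation=append_key' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Two-level chain: the root key signs design0 (the command from step 1).
append_key_cmd root_private.pem root_public.qky 6 0 \
    design0_sign_public.pem design0_sign_chain.qky
# Three-level chain (assumed form): design0 signs design1; cancel ID 1 and
# the name design1_sign_chain.qky are illustrative choices.
append_key_cmd design0_sign_private.pem design0_sign_chain.qky 6 1 \
    design1_sign_public.pem design1_sign_chain.qky
```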