Intel Agilex 7 Device Security
Product Information
Specifications
- Model Number: UG-20335
- Release Date: 2023.05.23
Product Usage Instructions
1. Commitment to Product Security
Intel is committed to product security and encourages users to become familiar with the product security resources provided. These resources should be used throughout the life of the Intel product.
2. Planned Security Features
The following security features are planned for a future release of the Intel Quartus Prime Pro Edition software:
- Partial Reconfiguration Bitstream Security Verification: Provides additional assurance that Partial Reconfiguration (PR) bitstreams cannot access or interfere with other PR persona bitstreams.
- Device Self-Kill for Physical Anti-Tamper: Performs a device wipe or device zeroization response and programs eFuses to prevent the device from being configured again.
3. Available Security Documentation
The following table lists the documentation available for device security features on Intel FPGA and Structured ASIC devices:
Document Name | Purpose |
---|---|
Security Methodology for Intel FPGAs and Structured ASICs User Guide | Top-level document that provides detailed descriptions of security features and technologies in Intel Programmable Solutions products. It helps users select the security features necessary to meet their security objectives. |
Intel Stratix 10 Device Security User Guide | Instructions for users of Intel Stratix 10 devices to implement the security features identified using the Security Methodology User Guide. |
Intel Agilex 7 Device Security User Guide | Instructions for users of Intel Agilex 7 devices to implement the security features identified using the Security Methodology User Guide. |
Intel eASIC N5X Device Security User Guide | Instructions for users of Intel eASIC N5X devices to implement the security features identified using the Security Methodology User Guide. |
Intel Agilex 7 and Intel eASIC N5X HPS Cryptographic Services User Guide | Information for HPS software engineers on the implementation and use of HPS software libraries to access cryptographic services provided by the SDM. |
AN-968 Black Key Provisioning Service Quick Start Guide | Complete set of steps to set up the Black Key Provisioning service. |
Frequently Asked Questions
Q: What is the purpose of the Security Methodology User Guide?
A: The Security Methodology User Guide provides detailed descriptions of security features and technologies in Intel Programmable Solutions products. It helps users select the security features necessary to meet their security objectives.
Q: Where can I find the Intel Agilex 7 Device Security User Guide?
A: The Intel Agilex 7 Device Security User Guide can be found on the Intel Resource and Design Center website.
Q: What is the Black Key Provisioning Service?
A: The Black Key Provisioning Service is a service that provides a complete set of steps to set up key provisioning for secure operation.
Intel Agilex® 7 Device Security User Guide
Updated for Intel® Quartus® Prime Design Suite: 23.1
UG-20335
683823 2023.05.23
1. Intel Agilex® 7 Device Security Overview
Intel® designs Intel Agilex® 7 devices with dedicated, highly configurable security hardware and firmware.
This document contains instructions to help you use the Intel Quartus® Prime Pro Edition software to implement security features on your Intel Agilex 7 devices.
Additionally, the Security Methodology for Intel FPGAs and Structured ASICs User Guide is available on the Intel Resource & Design Center. This document contains detailed descriptions of the security features and technologies available through Intel Programmable Solutions products to help you select the security features necessary to meet your security objectives. Contact Intel Support with reference number 14014613136 to access the Security Methodology for Intel FPGAs and Structured ASICs User Guide.
The document is organized as follows:
· Authentication and Authorization: Provides instructions to create authentication keys and signature chains, apply permissions and revocations, sign objects, and program authentication features on Intel Agilex 7 devices.
· AES Bitstream Encryption: Provides instructions to create an AES root key, encrypt configuration bitstreams, and provision the AES root key to Intel Agilex 7 devices.
· Device Provisioning: Provides instructions to use the Intel Quartus Prime Programmer and Secure Device Manager (SDM) provision firmware to program security features on Intel Agilex 7 devices.
· Advanced Features: Provides instructions to enable advanced security features, including secure debug authorization, Hard Processor System (HPS) debug, and remote system update.
1.1. Commitment to Product Security
Intel's long-lasting commitment to security has never been stronger. Intel strongly recommends that you become familiar with our product security resources and plan to use them throughout the life of your Intel product.
Related Information
· Product Security at Intel
· Intel Product Security Center Advisories
Intel Corporation. All rights reserved. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Intel warrants performance of its FPGA and semiconductor products to current specifications in accordance with Intel's standard warranty, but reserves the right to make changes to any products and services at any time without notice. Intel assumes no responsibility or liability arising out of the application or use of any information, product, or service described herein except as expressly agreed to in writing by Intel. Intel customers are advised to obtain the latest version of device specifications before relying on any published information and before placing orders for products or services. *Other names and brands may be claimed as the property of others.
ISO 9001:2015 Registered
1.2. Planned Security Features
The features mentioned in this section are planned for a future release of the Intel Quartus Prime Pro Edition software.
Note: The information in this section is preliminary.
1.2.1. Partial Reconfiguration Bitstream Security Verification
Partial reconfiguration (PR) bitstream security verification helps provide additional assurance that PR persona bitstreams cannot access or interfere with other PR persona bitstreams.
1.2.2. Device Self-Kill for Physical Anti-Tamper
Device self-kill performs a device wipe or device zeroization response and additionally programs eFuses to prevent the device from being configured again.
1.3. Available Security Documentation
The following table lists the documentation available for device security features on Intel FPGA and Structured ASIC devices:
Table 1. Available Device Security Documentation
Document Name | Purpose | Document ID | Location |
---|---|---|---|
Security Methodology for Intel FPGAs and Structured ASICs User Guide | Top-level document that contains detailed descriptions of security features and technologies in Intel Programmable Solutions products. It is intended to help you select the security features necessary to meet your security objectives. | 721596 | Intel Resource and Design Center |
Intel Stratix 10 Device Security User Guide | For users of Intel Stratix 10 devices, this guide contains instructions to use the Intel Quartus Prime Pro Edition software to implement the security features identified using the Security Methodology User Guide. | 683642 | Intel.com |
Intel Agilex 7 Device Security User Guide | For users of Intel Agilex 7 devices, this guide contains instructions to use the Intel Quartus Prime Pro Edition software to implement the security features identified using the Security Methodology User Guide. | 683823 | Intel.com |
Intel eASIC N5X Device Security User Guide | For users of Intel eASIC N5X devices, this guide contains instructions to use the Intel Quartus Prime Pro Edition software to implement the security features identified using the Security Methodology User Guide. | 626836 | Intel Resource and Design Center |
Intel Agilex 7 and Intel eASIC N5X HPS Cryptographic Services User Guide | This guide contains information to assist HPS software engineers in the implementation and use of HPS software libraries to access cryptographic services provided by the SDM. | 713026 | Intel Resource and Design Center |
AN-968 Black Key Provisioning Service Quick Start Guide | This guide contains a complete set of steps to set up the Black Key Provisioning service. | 739071 | Intel Resource and Design Center |
2. Authentication and Authorization
To enable the authentication features of an Intel Agilex 7 device, you begin by using the Intel Quartus Prime Pro Edition software and associated tools to build a signature chain. A signature chain consists of a root key, one or more signing keys, and applicable authorizations. You apply the signature chain to your Intel Quartus Prime Pro Edition project and compiled programming files. Use the instructions in Device Provisioning to program your root key into Intel Agilex 7 devices.
Related Information
Device Provisioning
2.1. Creating a Signature Chain
You can use the quartus_sign tool or the agilex_sign.py reference implementation to perform signature chain operations. This document provides examples using quartus_sign.
To use the reference implementation, you substitute a call to the Python interpreter included with the Intel Quartus Prime software and omit the --family=agilex option; all other options are equivalent. For example, the quartus_sign command found later in this section
quartus_sign --family=agilex --operation=make_root root_public.pem root.qky
can be converted into the equivalent call to the reference implementation as follows
pgm_py agilex_sign.py --operation=make_root root_public.pem root.qky
The Intel Quartus Prime Pro Edition software includes the quartus_sign, pgm_py, and agilex_sign.py tools. You can use the Nios® II command shell tool, which automatically sets the appropriate environment variables to access the tools.
Follow these instructions to bring up a Nios II command shell.
1. Bring up a Nios II command shell.
Option | Description |
---|---|
Windows | On the Start menu, point to Programs > Intel FPGA > Nios II EDS and click Nios II Command Shell. |
Linux | In a command shell, change to /nios2eds and run the following command: ./nios2_command_shell.sh |
The examples in this section assume that the signature chain and configuration bitstream files are located in the current working directory. If you choose to follow the examples where key files are kept on the file system, those examples assume the key files are located in the current working directory. You can choose which directories to use, and the tools support relative file paths. If you choose to keep key files on the file system, you must carefully manage access permissions to those files.
Intel recommends that a commercially available Hardware Security Module (HSM) be used to store cryptographic keys and perform cryptographic operations. The quartus_sign tool and the reference implementation include a Public Key Cryptography Standard #11 (PKCS #11) Application Programming Interface (API) to interact with an HSM while performing signature chain operations. The agilex_sign.py reference implementation includes an interface abstract as well as an example interface to SoftHSM.
You can use these example interfaces to implement an interface to your HSM. Refer to the documentation from your HSM vendor for more information about implementing an interface to and operating your HSM.
SoftHSM is a software implementation of a generic cryptographic device with a PKCS #11 interface that is made available by the OpenDNSSEC® project. You can find more information, including instructions on how to download, build, and install OpenHSM, at the OpenDNSSEC project. The examples in this section use SoftHSM version 2.6.1. The examples in this section additionally use the pkcs11-tool utility from OpenSC to perform additional PKCS #11 operations with a SoftHSM token. You can find more information, including instructions on how to download, build, and install pkcs11-tool, from OpenSC.
Related Information
· The OpenDNSSEC project: Policy-based zone signer for automating the process of keeping track of DNSSEC keys.
· SoftHSM: Information about the implementation of a cryptographic store accessible through a PKCS #11 interface.
· OpenSC: Provides a set of libraries and utilities able to work with smart cards.
2.1.1. Creating Authentication Key Pairs on the Local File System
You use the quartus_sign tool to create authentication key pairs on the local file system using the make_private_pem and make_public_pem tool operations. You first generate a private key with the make_private_pem operation. You specify the elliptic curve to use, the private key file name, and optionally whether to protect the private key with a passphrase. Intel recommends the use of the secp384r1 curve and following industry best practices to create a strong, random passphrase on all private key files. Intel also recommends restricting the file system permissions on the private key .pem files to read by owner only. You derive the public key from the private key with the make_public_pem operation. It is helpful to name the key .pem files descriptively. This document uses the convention _ .pem in the following examples.
1. In the Nios II command shell, run the following command to create a private key. The private key, shown below, is used as the root key in later examples that create a signature chain. Intel Agilex 7 devices support multiple root keys, so you repeat this step to create your required number of root keys. The examples in this document all refer to the first root key, though you can build signature chains in the same way with any root key.
Option | Description |
---|---|
With passphrase | quartus_sign --family=agilex --operation=make_private_pem --curve=secp384r1 root0_private.pem Enter the passphrase when prompted to do so. |
Without passphrase | quartus_sign --family=agilex --operation=make_private_pem --curve=secp384r1 --no_passphrase root0_private.pem |
2. Run the following command to create a public key using the private key generated in the previous step. You do not need to protect the confidentiality of a public key.
quartus_sign --family=agilex --operation=make_public_pem root0_private.pem root0_public.pem
3. Run the commands again to create a key pair used as the design signing key in the signature chain.
quartus_sign --family=agilex --operation=make_private_pem --curve=secp384r1 design0_sign_private.pem
quartus_sign --family=agilex --operation=make_public_pem design0_sign_private.pem design0_sign_public.pem
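The permission and passphrase recommendations in this section can be checked mechanically. The following shell script is an added example, not part of Intel's guide or tools: it audits every *_private.pem file in a directory for mode 400 and for a passphrase marker. The function names and sample files are constructed, and the script assumes that a passphrase-protected key carries one of the two standard PEM encryption markers, which you should confirm against a key written by your tool version.

```shell
#!/bin/sh
# Added example (not Intel code): audit private key .pem files that the
# quartus_sign examples keep in a working directory.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Audit one private key file. Prints one line per finding; the exit status is
# the number of findings, so 0 means the file passes both checks.
audit_private_pem() (
    pem=$1
    findings=0
    mode=$(file_mode "$pem") || { echo "$pem: cannot read file mode"; exit 1; }
    # The guide recommends that a private key file is readable by its owner only.
    if [ "$mode" != "400" ]; then
        echo "$pem: mode $mode, expected 400 (owner read only)"
        findings=$((findings + 1))
    fi
    # Assumption: a passphrase-protected key carries one of the two standard
    # PEM encryption markers (PKCS #8 or the traditional OpenSSL header).
    if ! grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' \
                 -e 'Proc-Type: 4,ENCRYPTED' "$pem" 2>/dev/null; then
        echo "$pem: no passphrase protection detected"
        findings=$((findings + 1))
    fi
    exit "$findings"
)

# Audit every *_private.pem file in a directory (the naming used in the
# guide's examples). Returns 0 only if every private key file passes.
audit_key_dir() (
    dir=$1
    failed=0
    for pem in "$dir"/*_private.pem; do
        [ -e "$pem" ] || continue        # the glob matched nothing
        audit_private_pem "$pem" || failed=1
    done
    exit "$failed"
)

# Constructed sample input: placeholder files with PEM-style headers only.
# They contain no key material and exist to exercise the checks.
make_sample_keys() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/root0_private.pem"
    chmod 400 "$1/root0_private.pem"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END EC PRIVATE KEY-----' > "$1/design0_sign_private.pem"
    chmod 644 "$1/design0_sign_private.pem"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'constructed-placeholder' \
        '-----END PUBLIC KEY-----' > "$1/root0_public.pem"
    chmod 644 "$1/root0_public.pem"
}

if [ "$#" -gt 0 ]; then
    # Audit the directory given on the command line.
    audit_key_dir "$1"
    exit
else
    # No argument: run the checks against the constructed sample files.
    demo_dir=$(mktemp -d)
    make_sample_keys "$demo_dir"
    audit_key_dir "$demo_dir" || echo "audit failed: fix the findings above"
    rm -rf "$demo_dir"
fi
```

Public key files are skipped on purpose, because the guide states that their confidentiality does not need protection.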
2.1.2. Creating Authentication Key Pairs in SoftHSM
The SoftHSM examples in this chapter are self-consistent. Certain parameters depend on your SoftHSM installation and on a token initialization within SoftHSM.
The quartus_sign tool depends on the PKCS #11 API library from your HSM.
The examples in this section assume that the SoftHSM library is installed to one of the following locations:
· /usr/local/lib/softhsm2.so on Linux
· C:\SoftHSM2\lib\softhsm2.dll on 32-bit version of Windows
· C:\SoftHSM2\lib\softhsm2-x64.dll on 64-bit version of Windows
Initialize a token within SoftHSM using the softhsm2-util tool:
softhsm2-util --init-token --label agilex-token --pin agilex-token-pin --so-pin agilex-so-pin --free
The option parameters, particularly the token label and token pin, are examples used throughout this chapter. Intel recommends that you follow instructions from your HSM vendor to create and manage tokens and keys.
You create authentication key pairs using the pkcs11-tool utility to interact with the token in SoftHSM. Instead of explicitly referring to private and public key .pem files as in the file system examples, you refer to the key pair by its label and the tool selects the appropriate key automatically.
Run the following commands to create a key pair used as the root key in later examples, as well as a key pair used as a design signing key in the signature chain:
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so --token-label agilex-token --login --pin agilex-token-pin --keypairgen --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign --label root0 --id 0
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so --token-label agilex-token --login --pin agilex-token-pin --keypairgen --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign --label design0_sign --id 1
Note: The ID option in this step must be unique to each key, but it is used only by the HSM. This ID option is unrelated to the key cancellation ID assigned in the signature chain.
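The note above requires each key's ID to be unique within the HSM. As an added example (not from Intel's guide), this shell script reads pkcs11-tool --list-objects style output and reports any ID shared by more than one key label. The listing is constructed and trimmed to the fields the check reads; it mirrors the labels and --id values that this guide's pkcs11-tool commands assign, including the firmware1 key pair from the firmware co-signing section, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Intel code): find PKCS #11 key IDs shared by several labels.

# Read a pkcs11-tool object listing on stdin and print one line per ID that is
# used by more than one label, as "ID: label1,label2". The public and private
# objects of one key pair share a label, so they count once. Labels are
# assumed to contain no spaces, as in this guide's examples.
duplicate_key_ids() {
    awk '
        / Object;/     { label = "" }      # header line of the next object
        $1 == "label:" { label = $2 }
        $1 == "ID:" && label != "" {
            pair = $2 SUBSEP label
            if (!(pair in seen)) {
                seen[pair] = 1
                if (count[$2]++) { labels[$2] = labels[$2] "," label }
                else             { labels[$2] = label }
            }
        }
        END {
            for (id in count)
                if (count[id] > 1) print id ": " labels[id]
        }
    ' | sort
}

# Return 0 when every ID in the listing on stdin belongs to a single label.
ids_are_unique() {
    [ -z "$(duplicate_key_ids)" ]
}

# Constructed sample listing, trimmed to the fields the check reads. The
# labels and IDs follow the --label and --id values used in this guide.
sample_listing() {
    cat <<'EOF'
Public Key Object; EC  EC_POINT 384 bits
  label:      root0
  ID:         00
  Usage:      verify
Private Key Object; EC
  label:      root0
  ID:         00
  Usage:      sign
Public Key Object; EC  EC_POINT 384 bits
  label:      design0_sign
  ID:         01
  Usage:      verify
Private Key Object; EC
  label:      design0_sign
  ID:         01
  Usage:      sign
Public Key Object; EC  EC_POINT 384 bits
  label:      firmware1
  ID:         01
  Usage:      verify
Private Key Object; EC
  label:      firmware1
  ID:         01
  Usage:      sign
EOF
}

if [ "${1:-}" = "-" ]; then
    # Live use: pipe the output of pkcs11-tool --list-objects into this script
    # and pass "-" as the only argument.
    duplicate_key_ids
else
    # Default: run the check on the constructed sample listing.
    sample_listing | duplicate_key_ids
fi
```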
2.1.3. Creating the Signature Chain Root Entry
Convert the root public key into a signature chain root entry, stored on the local file system in the Intel Quartus Prime key (.qky) file format, with the make_root operation. Repeat this step for each root key you generate.
Run the following command to create a signature chain with a root entry, using a root public key from the file system:
quartus_sign --family=agilex --operation=make_root --key_type=owner root0_public.pem root0.qky
Run the following command to create a signature chain with a root entry, using the root key from the SoftHSM token established in the prior section:
quartus_sign --family=agilex --operation=make_root --key_type=owner --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm2.so" root0 root0.qky
2.1.4. Creating a Signature Chain Public Key Entry
Create a new public key entry for a signature chain with the append_key operation. You specify the prior signature chain, the private key for the last entry in the prior signature chain, the next-level public key, the permissions and cancellation ID you assign to the next-level public key, and the new signature chain file.
Note that the softHSM library is not available with the Quartus installation and instead needs to be installed separately. For more information about softHSM, refer to the section Creating a Signature Chain above.
Depending on whether you keep keys on the file system or in an HSM, you use one of the following example commands to append the design0_sign public key to the root signature chain created in the prior section:
quartus_sign --family=agilex --operation=append_key --previous_pem=root0_private.pem --previous_qky=root0.qky --permission=6 --cancel=0 --input_pem=design0_sign_public.pem design0_sign_chain.qky
quartus_sign --family=agilex --operation=append_key --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --previous_keyname=root0 --previous_qky=root0.qky --permission=6 --cancel=0 --input_keyname=design0_sign design0_sign_chain.qky
You can repeat the append_key operation up to two more times, for a maximum of three public key entries between the root entry and the header block entry in any one signature chain.
The following example assumes you created another authentication public key with the same permissions and assigned cancellation ID 1, called design1_sign_public.pem, and are appending this key to the signature chain from the previous example:
quartus_sign --family=agilex --operation=append_key --previous_pem=design0_sign_private.pem --previous_qky=design0_sign_chain.qky --permission=6 --cancel=1 --input_pem=design1_sign_public.pem design1_sign_chain.qky
quartus_sign --family=agilex --operation=append_key --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --previous_keyname=design0_sign --previous_qky=design0_sign_chain.qky --permission=6 --cancel=1 --input_keyname=design1_sign design1_sign_chain.qky
Intel Agilex 7 devices include an additional key cancellation counter to facilitate the use of a key that may change periodically throughout the life of a given device. You can select this key cancellation counter by changing the argument of the --cancel option to pts:pts_value.
2.2. Signing a Configuration Bitstream
Intel Agilex 7 devices support Security Version Number (SVN) counters, which allow you to revoke the authorization of an object without canceling a key. You assign the SVN counter and the appropriate SVN counter value during the signing of any object, such as a bitstream section, firmware .zip file, or compact certificate. You assign the SVN counter and SVN value using the --cancel option with svn_counter:svn_value as the argument. Valid values for svn_counter are svnA, svnB, svnC, and svnD. The svn_value is an integer within the range [0,63].
2.2.1. Quartus Key File Assignment
You specify a signature chain in your Intel Quartus Prime software project to enable the authentication feature for that design. From the Assignments menu, select Device > Device and Pin Options > Security > Quartus Key File, then browse to the signature chain .qky file you created to sign this design.
Figure 1. Enable Configuration Bitstream Setting
Alternatively, you can add the following assignment statement to your Intel Quartus Prime Settings file (.qsf):
set_global_assignment -name QKY_FILE design0_sign_chain.qky
To generate a .sof file from a previously compiled design that includes this setting, from the Processing menu, select Start > Start Assembler. The new output .sof file includes the assignments to enable authentication with the provided signature chain.
2.2.2. Co-Signing SDM Firmware
You use the quartus_sign tool to extract, sign, and install the applicable SDM firmware .zip file. The co-signed firmware is then included by the programming file generator tool when you convert a .sof file into a configuration bitstream .rbf file. You use the following commands to create a new signature chain and sign SDM firmware.
1. Create a new signing key pair.
a. Create a new signing key pair on the file system:
quartus_sign --family=agilex --operation=make_private_pem --curve=secp384r1 firmware1_private.pem
quartus_sign --family=agilex --operation=make_public_pem firmware1_private.pem firmware1_public.pem
b. Create a new signing key pair in the HSM:
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so --token-label agilex-token --login --pin agilex-token-pin --keypairgen --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign --label firmware1 --id 1
2. Create a new signature chain containing the new public key:
quartus_sign --family=agilex --operation=append_key --previous_pem=root0_private.pem --previous_qky=root0.qky --permission=0x1 --cancel=1 --input_pem=firmware1_public.pem firmware1_sign_chain.qky
quartus_sign --family=agilex --operation=append_key --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --previous_keyname=root0 --previous_qky=root0.qky --permission=0x1 --cancel=1 --input_keyname=firmware1 firmware1_sign_chain.qky
3. Copy the firmware .zip file from your Intel Quartus Prime Pro Edition software installation directory (/devices/programmer/firmware/agilex.zip) to the current working directory.
quartus_sign --family=agilex --get_firmware=.
4. Sign the firmware .zip file. The tool automatically unpacks the .zip file and individually signs all firmware .cmf files, then rebuilds the .zip file for use by the tools in the following sections:
quartus_sign --family=agilex --operation=sign --qky=firmware1_sign_chain.qky --cancel=svnA:0 --pem=firmware1_private.pem agilex.zip signed_agilex.zip
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname=firmware1 --cancel=svnA:0 --qky=firmware1_sign_chain.qky agilex.zip signed_agilex.zip
2.2.3. Signing a Configuration Bitstream Using the quartus_sign Command
To sign a configuration bitstream using the quartus_sign command, you first convert the .sof file to the unsigned raw binary file (.rbf) format. You can optionally specify co-signed firmware using the fw_source option during the conversion step.
You can generate the unsigned raw bitstream in .rbf format using the following command:
quartus_pfg -c -o fw_source=signed_agilex.zip -o sign_later=ON design.sof unsigned_bitstream.rbf
Run one of the following commands to sign the bitstream using the quartus_sign tool, depending on the location of your keys:
quartus_sign --family=agilex --operation=sign --qky=design0_sign_chain.qky --pem=design0_sign_private.pem --cancel=svnA:0 unsigned_bitstream.rbf sign_bitstream.rbf
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname design0_sign --qky=design0_sign_chain.qky --cancel=svnA:0 unsigned_bitstream.rbf sign_bitstream.rbf
You can convert signed .rbf files to other configuration bitstream file formats.
For example, if you are using the Jam* Standard Test and Programming Language (STAPL) Player to program a bitstream over JTAG, you use the following command to convert an .rbf file to the .jam format that the Jam STAPL Player requires:
quartus_pfg -c sign_bitstream.rbf sign_bitstream.jam
2.2.4. Partial Reconfiguration Multi-Authority Support
Intel Agilex 7 devices support partial reconfiguration multi-authority authentication, where the device owner creates and signs the static bitstream, and a separate PR owner creates and signs PR persona bitstreams. Intel Agilex 7 devices implement multi-authority support by assigning the first authentication root key slots to the device or static bitstream owner and assigning the final authentication root key slot to the partial reconfiguration persona bitstream owner.
If the authentication feature is enabled, all PR persona images must be signed. PR persona images can be signed by either the device owner or the PR owner; however, static region bitstreams must be signed by the device owner.
Note: Partial Reconfiguration static and persona bitstream encryption when multi-authority support is enabled is planned for a future release.
Figure 2.
Implementing partial reconfiguration multi-authority support requires several steps:
1. The device or static bitstream owner generates one or more authentication root keys as described in Creating Authentication Key Pairs in SoftHSM, where the --key_type option has the value owner.
2. The partial reconfiguration bitstream owner generates an authentication root key but changes the --key_type option value to secondary_owner.
3. Both the static bitstream and partial reconfiguration design owners ensure that the Enable Multi-Authority support check box is enabled in the Assignments > Device > Device and Pin Options > Security tab.
Intel Quartus Prime Enable Multi-Authority Option Settings
4. Both the static bitstream and partial reconfiguration design owners create signature chains based on their respective root keys as described in Creating a Signature Chain.
5. Both the static bitstream and partial reconfiguration design owners convert their compiled designs to .rbf format files and sign the .rbf files.
6. The device or static bitstream owner generates and signs a PR public key program authorization compact certificate.
quartus_pfg --ccert -o ccert_type=PR_PUBKEY_PROG_AUTH -o owner_qky_file="root0.qky;root1.qky" unsigned_pr_pubkey_prog.ccert
quartus_sign --family=agilex --operation=sign --qky=design0_sign_chain.qky --pem=design0_sign_private.pem --cancel=svnA:0 unsigned_pr_pubkey_prog.ccert signed_pr_pubkey_prog.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=s10-token --user_pin=s10-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname design0_sign --qky=design0_sign_chain.qky --cancel=svnA:0 unsigned_pr_pubkey_prog.ccert signed_pr_pubkey_prog.ccert
7. The device or static bitstream owner provisions their authentication root key hashes to the device, then programs the PR public key program authorization compact certificate, and finally provisions the partial reconfiguration bitstream owner root key to the device. The Device Provisioning section describes this provisioning process.
8. The Intel Agilex 7 device is configured with the static region .rbf file.
9. The Intel Agilex 7 device is partially reconfigured with the persona design .rbf file.
Related Information
· Creating a Signature Chain on page 6
· Creating Authentication Key Pairs in SoftHSM on page 8
· Device Provisioning on page 25
2.2.5. Verifying Configuration Bitstream Signature Chains
After you create signature chains and signed bitstreams, you can verify that a signed bitstream correctly configures a device programmed with a given root key. You first use the fuse_info operation of the quartus_sign command to print the hash of the root public key to a text file:
quartus_sign --family=agilex --operation=fuse_info root0.qky hash_fuse.txt
You then use the check_integrity option of the quartus_pfg command to inspect the signature chain on each section of a signed bitstream in .rbf format. The check_integrity option prints the following information:
· Status of the overall bitstream integrity check
· Contents of each entry in each signature chain attached to each section in the bitstream .rbf file
· Expected fuse value for the hash of the root public key for each signature chain
The value from the fuse_info output should match the Fuse lines in the check_integrity output.
quartus_pfg --check_integrity sign_bitstream.rbf
Here is an example of the check_integrity command output:
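The comparison described in section 2.2.5 can be automated. The following added example (not code from Intel or from this guide) parses a check_integrity report and confirms that every bitstream section carries a signature chain whose Fuse value equals the root key hash obtained with fuse_info. The report layout, the constructed hash values, and the rule that one matching chain per section is sufficient are assumptions.

```python
import re

# Constructed 384-bit hash values (12 words of 32 bits); not real key hashes.
OWNER_L1 = "A0000001 A0000002 A0000003 A0000004 A0000005 A0000006 A0000007"
OWNER_L2 = "A0000008 A0000009 A000000A A000000B A000000C"
OTHER_L1 = "B0000001 B0000002 B0000003 B0000004 B0000005 B0000006 B0000007"
OTHER_L2 = "B0000008 B0000009 B000000A B000000B B000000C"

# Constructed check_integrity report. The layout is an assumption modelled on
# the fields section 2.2.5 lists (status, sections, signature chains, Fuse lines).
SAMPLE_REPORT = f"""\
Info: Command: quartus_pfg --check_integrity sign_bitstream.rbf
Integrity status: OK
Section
Type: CMF
Signature Descriptor ...
Signature chain #0 (entries: -1, offset: 96)
Entry #0
Fuse: {OTHER_L1}
{OTHER_L2}
Generate key ...
Curve : secp384r1
Signature chain #1 (entries: -1, offset: 648)
Entry #0
Fuse: {OWNER_L1}
{OWNER_L2}
Section
Type: IO
Signature Descriptor ...
Signature chain #0 (entries: -1, offset: 96)
Entry #0
Fuse: {OWNER_L1}
{OWNER_L2}
"""

WORDS_ONLY = re.compile(r"[0-9A-Fa-f]{8}(?:\s+[0-9A-Fa-f]{8})*")


def normalise(hash_text):
    """Drop whitespace and case so wrapped and unwrapped hashes compare equal."""
    return re.sub(r"\s+", "", hash_text).upper()


def parse_report(text):
    """Return (status, sections, fuses); fuses are (section, chain, hex) tuples."""
    status, section, chain = None, None, None
    sections, fuses, open_fuse = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        # A Fuse value may wrap onto following lines made only of hex words.
        if open_fuse is not None and WORDS_ONLY.fullmatch(line):
            open_fuse[2] += normalise(line)
            continue
        open_fuse = None
        if m := re.match(r"Integrity status:\s*(\S+)", line):
            status = m.group(1)
        elif m := re.match(r"Type:\s*(\S+)", line):
            section, chain = m.group(1), None
            sections.append(section)
        elif m := re.match(r"Signature chain #(\d+)", line):
            chain = int(m.group(1))
        elif m := re.match(r"Fuse:\s*(.*)", line):
            open_fuse = [section, chain, normalise(m.group(1))]
            fuses.append(open_fuse)
    return status, sections, [tuple(f) for f in fuses]


def check_root_hash(report, expected_hash):
    """List the reasons the report does not prove the expected root key."""
    expected = normalise(expected_hash)
    status, sections, fuses = parse_report(report)
    problems = []
    if status != "OK":
        problems.append(f"integrity status is {status!r}, not 'OK'")
    for sec, chain, value in fuses:
        if len(value) != len(expected):
            problems.append(f"{sec} chain #{chain}: Fuse value has unexpected length")
    # Assumed policy: each section needs one chain rooted in the expected key.
    for sec in sections:
        if expected not in [v for s, _, v in fuses if s == sec]:
            problems.append(f"{sec}: no signature chain rooted in the expected key")
    if not sections:
        problems.append("no bitstream sections found in report")
    return problems


if __name__ == "__main__":
    for expected in (OWNER_L1 + " " + OWNER_L2, OTHER_L1 + " " + OTHER_L2):
        print(check_root_hash(SAMPLE_REPORT, expected) or "root key hash matches")
```

In practice, pass the captured output of quartus_pfg --check_integrity as the report and the hash value from the fuse_info text file as the expected hash.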
3. AES Bitstream Encryption
Advanced Encryption Standard (AES) bitstream encryption is a feature that enables a device owner to protect the confidentiality of intellectual property in a configuration bitstream.
To help protect the confidentiality of keys, configuration bitstream encryption uses a chain of AES keys. These keys are used to encrypt owner data in the configuration bitstream, where the first intermediate key is encrypted with the AES root key.
3.1. Creating the AES Root Key
You can use the quartus_encrypt tool or the stratix10_encrypt.py reference implementation to create an AES root key in the Intel Quartus Prime encryption key (.qek) file format.
Note:
The stratix10_encrypt.py file is used for Intel Stratix® 10 and Intel Agilex 7 devices.
You can optionally specify the base key used to derive the AES root key and key derivation key, the value of the AES root key directly, the number of intermediate keys, and the maximum use per intermediate key.
You must specify the device family, the output .qek file location, and the passphrase when prompted.
Run the following command to generate the AES root key using random data for the base key and default values for the number of intermediate keys and maximum key use.
To use the reference implementation, you substitute a call to the Python interpreter included with Intel Quartus Prime software and omit the --family=agilex option; all other options are equivalent. For example, the quartus_encrypt command found later in the section
quartus_encrypt --family=agilex --operation=MAKE_AES_KEY aes_root.qek
can be converted into the equivalent call to the reference implementation as follows:
pgm_py stratix10_encrypt.py --operation=MAKE_AES_KEY aes_root.qek
3.2. Quartus Encryption Settings
To enable bitstream encryption for a design, you must specify the appropriate options using the Assignments > Device > Device and Pin Options > Security panel. You select the Enable configuration bitstream encryption checkbox, and the desired Encryption key storage location from the dropdown menu.
Intel Corporation. All rights reserved. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Intel warrants performance of its FPGA and semiconductor products to current specifications in accordance with Intel's standard warranty, but reserves the right to make changes to any products and services at any time without notice. Intel assumes no responsibility or liability arising out of the application or use of any information, product, or service described herein except as expressly agreed to in writing by Intel. Intel customers are advised to obtain the latest version of device specifications before relying on any published information and before placing orders for products or services. *Other names and brands may be claimed as the property of others.
ISO 9001:2015 Registered
Figure 3. Intel Quartus Prime Encryption Settings
Alternatively, you can add the following assignment statements to your Intel Quartus Prime settings file .qsf:
set_global_assignment -name ENCRYPT_PROGRAMMING_BITSTREAM on
set_global_assignment -name PROGRAMMING_BITSTREAM_ENCRYPTION_KEY_SELECT eFuses
If you want to enable additional mitigations against side-channel attack vectors, you can enable the Encryption update ratio dropdown and the Enable scrambling checkbox.
The corresponding changes in the .qsf are:
set_global_assignment -name PROGRAMMING_BITSTREAM_ENCRYPTION_CNOC_SCRAMBLING on
set_global_assignment -name PROGRAMMING_BITSTREAM_ENCRYPTION_UPDATE_RATIO 31
3.3. Encrypting a Configuration Bitstream
You encrypt a configuration bitstream before signing the bitstream. The Intel Quartus Prime Programming File Generator tool can automatically encrypt and sign a configuration bitstream using the graphical user interface or the command line.
You may optionally create a partially encrypted bitstream for use with the quartus_encrypt and quartus_sign tools or the reference implementation equivalents.
3.3.1. Configuration Bitstream Encryption Using the Programming File Generator Graphical Interface
You can use the Programming File Generator to encrypt and sign an owner image.
1. On the Intel Quartus Prime File menu, select Programming File Generator.
2. On the Output Files tab, specify the output file type for your configuration scheme.
Figure 4. Output File Specification (callouts: Configuration scheme, Output file tab, Output file type)
3. On the Input Files tab, click Add Bitstream and browse to your .sof.
4. To specify encryption and authentication options, select the .sof and click Properties.
a. Turn on Enable signing tool.
b. For Private key file, select your signing key private .pem file.
c. Turn on Finalize encryption.
d. For Encryption key file, select your AES .qek file.
Figure 5. Input (.sof) File Properties for Authentication and Encryption (callouts: Enable authentication, Specify private root .pem, Enable encryption, Specify encryption key)
5. To generate the signed and encrypted bitstream, on the Input Files tab, click Generate. Password dialog boxes appear for you to enter the passphrase for your AES key .qek file and signing private key .pem file. The programming file generator creates the encrypted and signed output_file.rbf.
3.3.2. Configuration Bitstream Encryption Using the Programming File Generator Command Line Interface
Generate an encrypted and signed configuration bitstream in .rbf format with the quartus_pfg command line interface:
quartus_pfg -c encryption_enabled.sof top.rbf -o finalize_encryption=ON -o qek_file=aes_root.qek -o signing=ON -o pem_file=design0_sign_private.pem
You may convert an encrypted and signed configuration bitstream in .rbf format to other configuration bitstream file formats.
3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface
You may generate a partially encrypted programming file to finalize encryption and sign the image later. Generate the partially encrypted programming file in .rbf format with the quartus_pfg command line interface:
quartus_pfg -c -o finalize_encryption_later=ON -o sign_later=ON top.sof top.rbf
You use the quartus_encrypt command line tool to finalize bitstream encryption:
quartus_encrypt --family=agilex --operation=ENCRYPT --key=aes_root.qek top.rbf encrypted_top.rbf
You use the quartus_sign command line tool to sign the encrypted configuration bitstream:
quartus_sign --family=agilex --operation=SIGN --qky=design0_sign_chain.qky --pem=design0_sign_private.pem --cancel=svnA:0 encrypted_top.rbf sign_encrypted_top.rbf
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname design0_sign --qky=design0_sign_chain.qky --cancel=svnA:0 encrypted_top.rbf sign_encrypted_top.rbf
3.3.4. Partial Reconfiguration Bitstream Encryption
You can enable bitstream encryption on some Intel Agilex 7 FPGA designs that use partial reconfiguration.
Partial reconfiguration designs that use Hierarchical Partial Reconfiguration (HPR) or Static Update Partial Reconfiguration (SUPR) do not support bitstream encryption. If your design contains multiple PR regions, you must encrypt all personas.
To enable partial reconfiguration bitstream encryption, follow the same procedure in all design revisions.
1. On the Intel Quartus Prime File menu, select Assignments > Device > Device and Pin Options > Security.
2. Select the desired encryption key storage location.
Figure 6. Partial Reconfiguration Bitstream Encryption Setting
Alternatively, you can add the following assignment statement to the Quartus Prime settings file .qsf:
set_global_assignment -name ENABLE_PARTIAL_RECONFIGURATION_BITSTREAM_ENCRYPTION on
After you compile your base design and revisions, the software generates a .sof file and one or more .pmsf files, representing the personas.
3. Create encrypted and signed programming files from the .sof and .pmsf files in a similar fashion to designs with no partial reconfiguration enabled.
4. Convert the compiled persona .pmsf file to a partially encrypted .rbf file:
quartus_pfg -c -o finalize_encryption_later=ON -o sign_later=ON encryption_enabled_persona1.pmsf persona1.rbf
5. Finalize bitstream encryption using the quartus_encrypt command line tool:
quartus_encrypt --family=agilex --operation=ENCRYPT --key=aes_root.qek persona1.rbf encrypted_persona1.rbf
6. Sign the encrypted configuration bitstream using the quartus_sign command line tool:
quartus_sign --family=agilex --operation=SIGN --qky=design0_sign_chain.qky --pem=design0_sign_private.pem encrypted_persona1.rbf sign_encrypted_persona1.rbf
quartus_sign --family=agilex --operation=SIGN --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --qky=design0_sign_chain.qky --cancel=svnA:0 --keyname=design0_sign encrypted_persona1.rbf sign_encrypted_persona1.rbf
4. Device Provisioning
Initial security feature provisioning is only supported in the SDM provision firmware. Use the Intel Quartus Prime Programmer to load the SDM provision firmware and perform provisioning operations.
You may use any type of JTAG download cable to connect the Quartus Programmer to an Intel Agilex 7 device to perform provisioning operations.
4.1. Using SDM Provision Firmware
The Intel Quartus Prime Programmer automatically creates and loads a factory default helper image when you select the initialize operation and a command to program something other than a configuration bitstream.
Depending on the programming command specified, the factory default helper image is one of two types:
· Provisioning helper image: consists of one bitstream section containing the SDM provisioning firmware.
· QSPI helper image: consists of two bitstream sections, one containing the SDM firmware and one I/O section.
You may create a factory default helper image file to load into your device before performing any programming command. After programming an authentication root key hash, you must create and sign a QSPI factory default helper image because of the included I/O section. If you additionally program the co-signed firmware security setting eFuse, you must create provisioning and QSPI factory default helper images with co-signed firmware. You may use a co-signed factory default helper image on an unprovisioned device, because the unprovisioned device ignores non-Intel signature chains over SDM firmware. Refer to Using QSPI Factory Default Helper Image on Owned Devices on page 26 for more details about creating, signing, and using the QSPI factory default helper image.
The provisioning factory default helper image performs a provisioning action, such as programming the authentication root key hash, programming security setting fuses, PUF enrollment, or black key provisioning. You use the Intel Quartus Prime Programming File Generator command line tool to create the provisioning helper image, specifying the helper_image option, your helper_device name, the provision helper image subtype, and optionally a co-signed firmware .zip file:
quartus_pfg --helper_image -o helper_device=AGFB014R24A -o subtype=PROVISION -o fw_source=signed_agilex.zip signed_provision_helper_image.rbf
Program the helper image using the Intel Quartus Prime Programmer tool:
quartus_pgm -c 1 -m jtag -o "p;signed_provision_helper_image.rbf" --force
Note:
You may omit the initialize operation from commands, including the examples provided in this chapter, after either programming a provision helper image or using a command that contains the initialize operation.
4.2. Using QSPI Factory Default Helper Image on Owned Devices
The Intel Quartus Prime Programmer automatically creates and loads a QSPI factory default helper image when you select the initialize operation for a QSPI flash programming file. After programming an authentication root key hash, you must create and sign the QSPI factory default helper image, and program the signed QSPI factory default helper image separately before programming the QSPI flash.
1. You use the Intel Quartus Prime Programming File Generator command line tool to create the QSPI helper image, specifying the helper_image option, your helper_device type, the QSPI helper image subtype, and optionally a co-signed firmware .zip file:
quartus_pfg --helper_image -o helper_device=AGFB014R24A -o subtype=QSPI -o fw_source=signed_agilex.zip qspi_helper_image.rbf
2. You sign the QSPI factory default helper image:
quartus_sign --family=agilex --operation=sign --qky=design0_sign_chain.qky --pem=design0_sign_private.pem qspi_helper_image.rbf signed_qspi_helper_image.rbf
3. You may use any QSPI flash programming file format. The following examples use a configuration bitstream converted to the .jic file format:
quartus_pfg -c sign_bitstream.rbf signed_flash.jic -o device=MT25QU128 -o flash_loader=AGFB014R24A -o mode=ASX4
4. You program the signed helper image using the Intel Quartus Prime Programmer tool:
quartus_pgm -c 1 -m jtag -o "p;signed_qspi_helper_image.rbf" --force
5. You program the .jic image to flash using the Intel Quartus Prime Programmer tool:
quartus_pgm -c 1 -m jtag -o "p;signed_flash.jic"
4.3. Authentication Root Key Provisioning
To program the owner root key hashes to physical fuses, you must first load the provision firmware, next program the owner root key hashes, and then immediately perform a power-on reset. A power-on reset is not required if you program the root key hashes to virtual fuses.
To program authentication root key hashes, you program the provision firmware helper image and run one of the following commands to program the root key .qky files.
// For physical (non-volatile) eFuses
quartus_pgm -c 1 -m jtag -o "p;root0.qky;root1.qky;root2.qky" --non_volatile_key
// For virtual (volatile) eFuses
quartus_pgm -c 1 -m jtag -o "p;root0.qky;root1.qky;root2.qky"
4.3.1. Partial Reconfiguration Multi-Authority Root Key Programming
After provisioning the device or static region bitstream owner root keys, you again load the device provision helper image, program the signed PR public key program authorization compact certificate, and then provision the PR persona bitstream owner root key.
// For physical (non-volatile) eFuses
quartus_pgm -c 1 -m jtag -o "p;root_pr.qky" --pr_pubkey --non_volatile_key
// For virtual (volatile) eFuses
quartus_pgm -c 1 -m jtag -o "p;root_pr.qky" --pr_pubkey
4.4. Programming Key Cancellation ID Fuses
Starting with Intel Quartus Prime Pro Edition software version 21.1, programming Intel and owner key cancellation ID fuses requires the use of a signed compact certificate. You may sign the key cancellation ID compact certificate with a signature chain that has FPGA section signing permissions. You create the compact certificate with the programming file generator command line tool. You sign the unsigned certificate using the quartus_sign tool or the reference implementation.
Intel Agilex 7 devices support separate banks of owner key cancellation IDs for each root key. When an owner key cancellation ID compact certificate is programmed into an Intel Agilex 7 FPGA, the SDM determines which root key signed the compact certificate and blows the key cancellation ID fuse that corresponds to that root key.
The following examples create an Intel key cancellation certificate for Intel key ID 7. You may replace 7 with the applicable key cancellation ID from 0-31.
Run the following command to create an unsigned Intel key cancellation ID compact certificate:
quartus_pfg --ccert -o ccert_type=CANCEL_INTEL_KEY -o cancel_key=7 unsigned_cancel_intel7.ccert
Run one of the following commands to sign the unsigned Intel key cancellation ID compact certificate:
quartus_sign --family=agilex --operation=SIGN --qky=design0_sign_chain.qky --pem=design0_private.pem --cancel=svnA:0 unsigned_cancel_intel7.ccert signed_cancel_intel7.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname=design0_sign --qky=design0_sign_chain.qky --cancel=svnA:0 unsigned_cancel_intel7.ccert signed_cancel_intel7.ccert
Run the following command to create an unsigned owner key cancellation ID compact certificate:
quartus_pfg --ccert -o ccert_type=CANCEL_OWNER_KEY -o cancel_key=2 unsigned_cancel_owner2.ccert
Run one of the following commands to sign the unsigned owner key cancellation ID compact certificate:
quartus_sign --family=agilex --operation=SIGN --qky=design0_sign_chain.qky --pem=design0_private.pem --cancel=svnA:0 unsigned_cancel_owner2.ccert signed_cancel_owner2.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname design0_sign --qky=design0_sign_chain.qky --cancel=svnA:0 unsigned_cancel_owner2.ccert signed_cancel_owner2.ccert
After you have created a signed key cancellation ID compact certificate, you use the Intel Quartus Prime Programmer to program the compact certificate to the device through JTAG.
// For physical (non-volatile) eFuses
quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_intel7.ccert" --non_volatile_key
quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_owner2.ccert" --non_volatile_key
// For virtual (volatile) eFuses
quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_intel7.ccert"
quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_owner2.ccert"
You may additionally send the compact certificate to the SDM using the FPGA or HPS mailbox interface.
4.5. Canceling Root Keys
Intel Agilex 7 devices let you cancel root key hashes when another uncanceled root key hash is present. You cancel a root key hash by first configuring the device with a design whose signature chain is rooted in a different root key hash, then programming a signed root key hash cancellation compact certificate. You must sign the root key hash cancellation compact certificate with a signature chain rooted in the root key to be canceled.
Run the following command to generate an unsigned root key hash cancellation compact certificate:
quartus_pfg --ccert -o ccert_type=CANCEL_KEY_HASH unsigned_root_cancel.ccert
Run one of the following commands to sign the unsigned root key hash cancellation compact certificate:
quartus_sign --family=agilex --operation=SIGN --qky=design0_sign_chain.qky --pem=design0_private.pem --cancel=svnA:0 unsigned_root_cancel.ccert signed_root_cancel.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname design0_sign --qky=design0_sign_chain.qky --cancel=svnA:0 unsigned_root_cancel.ccert signed_root_cancel.ccert
You can program a root key hash cancellation compact certificate through JTAG, FPGA, or HPS mailboxes.
4.6. Programming Counter Fuses
You update the Security Version Number (SVN) and Pseudo Time Stamp (PTS) counter fuses using signed compact certificates.
Note:
The SDM keeps track of the minimum counter value seen during a given configuration and does not accept counter increment certificates when the counter value is smaller than the minimum value. You must update all objects assigned to a counter and reconfigure the device before you program a counter increment compact certificate.
Run one of the following commands that corresponds to the counter increment certificate you want to generate.
quartus_pfg --ccert -o ccert_type=PTS_COUNTER -o counter=<-1:495> unsigned_pts.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_A -o counter=<-1:63> unsigned_svnA.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_B -o counter=<-1:63> unsigned_svnB.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_C -o counter=<-1:63> unsigned_svnC.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_D -o counter=<-1:63> unsigned_svnD.ccert
A counter value of 1 creates a counter increment authorization certificate. Programming a counter increment authorization compact certificate enables you to program further unsigned counter increment certificates to update the respective counter. You use the quartus_sign tool to sign the counter compact certificates in the same way as key cancellation ID compact certificates.
You can program a root key hash cancellation compact certificate through JTAG, FPGA, or HPS mailboxes.
4.7. Secure Data Object Service Root Key Provisioning
You use the Intel Quartus Prime Programmer to provision the Secure Data Object Service (SDOS) root key. The Programmer automatically loads the provision firmware helper image to provision the SDOS root key.
quartus_pgm -c 1 -m jtag --service_root_key --non_volatile_key
4.8. Security Setting Fuse Provisioning
Use the Intel Quartus Prime Programmer to examine the device security setting fuses and write them to a text-based .fuse file as follows:
quartus_pgm -c 1 -m jtag -o "ei;programming_file.fuse;AGFB014R24B"
Options
· i: The Programmer loads the provision firmware helper image to the device.
· e: The Programmer reads the fuses from the device and stores them in a .fuse file.
The .fuse file contains a list of fuse name-value pairs. The value specifies whether a fuse has been blown or the contents of the fuse field.
The following example shows the format of the .fuse file:
# Co-signed firmware = "Not blown"
# Device Permit Kill = "Not blown"
# Device not secure = "Not blown"
# Disable HPS debug = "Not blown"
# Disable Intrinsic ID PUF enrollment = "Not blown"
# Disable JTAG = "Not blown"
# Disable PUF-wrapped encryption key = "Not blown"
# Disable owner encryption key in BBRAM = "Not blown"
# Disable owner encryption key in eFuses = "Not blown"
# Disable owner root public key hash 0 = "Not blown"
# Disable owner root public key hash 1 = "Not blown"
# Disable owner root public key hash 2 = "Not blown"
# Disable virtual eFuses = "Not blown"
# Force SDM clock to internal oscillator = "Not blown"
# Force encryption key update = "Not blown"
# Intel explicit key cancellation = "0"
# Lock security eFuses = "Not blown"
# Owner encryption key program done = "Not blown"
# Owner encryption key program start = "Not blown"
# Owner explicit key cancellation 0 = ""
# Owner explicit key cancellation 1 = ""
# Owner explicit key cancellation 2 = ""
# Owner fuses =
"0x00000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000
0000000000000000000000”
# Owner root public key hash 0 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000”
# Owner root public key hash 1 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000”
# Owner root public key hash 2 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000”
# Owner root public key size = "None"
# PTS counter = "0"
# PTS counter base = "0"
# QSPI start up delay = "10ms"
# RMA Counter = "0"
# SDMIO0 is I2C = "Not blown"
# SVN counter A = "0"
# SVN counter B = "0"
# SVN counter C = "0"
# SVN counter D = "0"
Modify the .fuse file to set your desired security setting fuses. A line that begins with # is treated as a comment. To program a security setting fuse, remove the leading # and set the value to Blown. For example, to enable the Co-signed Firmware security setting fuse, modify the first line of the fuse file to the following:
Co-signed firmware = "Blown"
You can also allocate and program the Owner Fuses based on your requirements.
You can use the following command to perform a blank check, program, and verify the owner root public key:
quartus_pgm -c 1 -m jtag -o "ibpv;root0.qky"
Options
· i: Loads the provision firmware helper image to the device.
· b: Performs a blank check to verify that the desired security setting fuses are not already blown.
· p: Programs the fuse.
· v: Verifies the programmed key on the device.
After programming the .qky file, you can examine the fuse information again to ensure that both the owner public key hash and owner public key size have non-zero values.
While the following fields are not writable through the .fuse file method, they are included in the output of the examine operation for verification:
· Device not secure
· Device permit kill
· Disable owner root public key hash 0
· Disable owner root public key hash 1
· Disable owner root public key hash 2
· Intel key cancellation
· Owner encryption key program start
· Owner encryption key program done
· Owner key cancellation
· Owner public key hash
· Owner public key size
· Owner root public key hash 0
· Owner root public key hash 1
· Owner root public key hash 2
· PTS counter
· PTS counter base
· QSPI start up delay
· RMA counter
· SDMIO0 is I2C
· SVN counter A
· SVN counter B
· SVN counter C
· SVN counter D
Use the Intel Quartus Prime Programmer to program the .fuse file back to the device. If you add the i option, the Programmer automatically loads the provision firmware to program the security setting fuses.
// For physical (non-volatile) eFuses
quartus_pgm -c 1 -m jtag -o "pi;programming_file.fuse" --non_volatile_key
// For virtual (volatile) eFuses
quartus_pgm -c 1 -m jtag -o "pi;programming_file.fuse"
You can use the following command to verify whether the device root key hash is the same as the .qky provided in the command:
quartus_pgm -c 1 -m jtag -o "v;root0_another.qky"
If the keys do not match, the Programmer fails with an Operation failed error message.
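The following Python check is an added example, not Intel tooling or code from this guide. It reads a .fuse file in the format shown above, lists the uncommented entries (the ones that would be programmed) that are not in an approved change set, and reports which owner root public key hash slots read back non-zero. The function names, the APPROVED set, and the sample text are assumptions constructed for illustration.

```python
import re

# One logical entry: optional leading '#', fuse name, '=', quoted value.
ENTRY = re.compile(r'^(?P<hash>#?)\s*(?P<name>[^=#"]+?)\s*=\s*"(?P<value>[^"]*)"$')


def logical_lines(text):
    """Join wrapped values (long hex fields) back onto the entry they belong to."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')  # quotes pasted from a PDF
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A new entry starts with '#' or carries its own 'name = value'.
        starts_entry = line.startswith("#") or ("=" in line and not line.startswith("="))
        if starts_entry or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries


def parse_fuse(text):
    """Return {name: (value, selected)}. selected is True when the entry has no
    leading '#', i.e. it is not a comment and the Programmer will act on it."""
    fuses = {}
    for entry in logical_lines(text):
        m = ENTRY.match(entry)
        if m is None:
            raise ValueError(f"not a fuse entry: {entry!r}")
        fuses[m["name"]] = (m["value"], m["hash"] == "")
    return fuses


def unapproved_changes(fuses, approved):
    """Selected entries whose name/value pair is not in the approved change set."""
    return sorted((name, value) for name, (value, selected) in fuses.items()
                  if selected and approved.get(name) != value)


def is_unprogrammed(value):
    """True for the values the listing shows for an empty field."""
    v = value.strip()
    if v in ("", "0", "None"):
        return True
    return v.lower().startswith("0x") and set(v[2:]) <= {"0"}


def programmed_root_hash_slots(fuses):
    """Slots N whose 'Owner root public key hash N' field reads back non-zero."""
    slots = []
    for name, (value, _) in fuses.items():
        m = re.fullmatch(r"Owner root public key hash (\d)", name)
        if m and not is_unprogrammed(value):
            slots.append(int(m.group(1)))
    return sorted(slots)


# Constructed sample: an edited file that requests two fuses. Only the first is
# in the approved change set, so the second must be caught before programming.
EDITED = '''
Co-signed firmware = "Blown"
# Device not secure = "Not blown"
Disable JTAG = "Blown"
# Owner root public key hash 0 =
"0x00000000
00000000"
# PTS counter = "0"
'''
APPROVED = {"Co-signed firmware": "Blown"}

# Constructed readback after programming a root key. The hash is a shortened,
# made-up value, not a real key hash.
READBACK = '''
# Co-signed firmware = "Blown"
# Owner root public key hash 0 = "0x3F9A00C1"
# Owner root public key hash 1 = "0x00000000"
'''

if __name__ == "__main__":
    print("unapproved:", unapproved_changes(parse_fuse(EDITED), APPROVED))
    print("root hash slots programmed:", programmed_root_hash_slots(parse_fuse(READBACK)))
```

Running the first check before the "pi" operation with --non_volatile_key matters most, because physical eFuses cannot be returned to the unblown state.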
4.9. AES Root Key Provisioning
You must use a signed AES root key compact certificate to program an AES root key to an Intel Agilex 7 device.
4.9.1. AES Root Key Compact Certificate
You use the quartus_pfg command line tool to convert your AES root key .qek file into the compact certificate .ccert format. You specify the key storage location while creating the compact certificate. You can use the quartus_pfg tool to create an unsigned certificate for later signing. To sign an AES root key compact certificate successfully, you must use a signature chain that has the AES root key certificate signing permission, permission bit 6, enabled.
1. Create an additional key pair used to sign the AES key compact certificate using one of the following command examples:
quartus_sign --family=agilex --operation=make_private_pem --curve=secp384r1 aesccert1_private.pem
quartus_sign --family=agilex --operation=make_public_pem aesccert1_private.pem aesccert1_public.pem
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so --token-label agilex-token --login --pin agilex-token-pin --keypairgen --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign --label aesccert1 --id 2
2. Create a signature chain with the correct permission bit set using one of the following commands:
quartus_sign --family=agilex --operation=append_key --previous_pem=root0_private.pem --previous_qky=root0.qky --permission=0x40 --cancel=1 --input_pem=aesccert1_public.pem aesccert1_sign_chain.
quartus_sign --family=agilex --operation=append_key --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --previous_keyname=root0 --previous_qky=root0.qky --permission=0x40 --cancel=1 --input_keyname=aesccert1 aesccert1_sign_chain.qky
3. Create an unsigned AES compact certificate for the desired AES root key storage location. The following AES root key storage options are available:
· EFUSE_WRAPPED_AES_KEY
· IID_PUF_WRAPPED_AES_KEY
· UDS_IID_PUF_WRAPPED_AES_KEY
· BBRAM_WRAPPED_AES_KEY
· BBRAM_IID_PUF_WRAPPED_AES_KEY
· BBRAM_UDS_IID_PUF_WRAPPED_AES_KEY
// Create an eFuse AES root key unsigned certificate
quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY -o qek_file=aes.qek unsigned_efuse1.cert
4. Sign the compact certificate with the quartus_sign command or reference implementation.
quartus_sign --family=agilex --operation=sign --pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky unsigned_efuse1.cert signed_efuse1.cert
quartus_sign --family=agilex --operation=sign --module=softHSM --module_args="--token_label=agilex-token --user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --keyname=aesccert1 --qky=aesccert1_sign_chain.qky unsigned_efuse1.cert signed_efuse1.cert
5. Use the Intel Quartus Prime Programmer to program the AES root key compact certificate to the Intel Agilex 7 device through JTAG. The Intel Quartus Prime Programmer defaults to programming virtual eFuses when you use the EFUSE_WRAPPED_AES_KEY compact certificate type.
You add the --non_volatile_key option to specify programming physical fuses.
// For physical (non-volatile) eFuse AES root key
quartus_pgm -c 1 -m jtag -o "pi;signed_efuse1.cert" --non_volatile_key
// For virtual (volatile) eFuse AES root key
quartus_pgm -c 1 -m jtag -o "pi;signed_efuse1.cert"
// For BBRAM AES root key
quartus_pgm -c 1 -m jtag -o "pi;signed_bbram1.ccert"
The SDM provision firmware and main firmware support AES root key certificate programming. You can also use the SDM mailbox interface from the FPGA fabric or HPS to program an AES root key certificate.
Note:
The quartus_pgm command does not support options b and v for compact certificates (.ccert).
4.9.2. Intrinsic ID® PUF AES Root Key Provisioning
Implementing the Intrinsic* ID PUF wrapped AES key includes the following steps:
1. Enrolling the Intrinsic ID PUF through JTAG.
2. Wrapping the AES root key.
3. Programming the helper data and wrapped key into quad SPI flash memory.
4. Querying the Intrinsic ID PUF activation status.
Use of Intrinsic ID technology requires a separate license agreement with Intrinsic ID. Without the appropriate license, Intel Quartus Prime Pro Edition software restricts PUF operations such as enrollment, key wrapping, and PUF data programming to QSPI flash.
4.9.2.1. Intrinsic ID PUF Enrollment
To enroll the PUF, you must use the SDM provision firmware. The provision firmware must be the first firmware loaded after a power cycle, and you must issue the PUF enrollment command before any other command. The provision firmware supports other commands after PUF enrollment, including AES root key wrapping and programming quad SPI. However, you must power cycle the device to load a configuration bitstream.
You use the Intel Quartus Prime Programmer to trigger PUF enrollment and generate the PUF helper data .puf file.
Figure 7. Intrinsic ID PUF Enrollment
[Figure labels: quartus_pgm; PUF enrollment; enrollment PUF helper data; Secure Device Manager (SDM); wrapper.puf helper data]
The Programmer automatically loads a provision firmware helper image when you specify both the i operation and a .puf argument.
quartus_pgm -c 1 -m jtag -o "ei;help_data.puf;AGFB014R24A"
If you are using co-signed firmware, you program the co-signed firmware helper image before using the PUF enrollment command.
quartus_pgm -c 1 -m jtag -o "p;signed_provision_helper_image.rbf" --force
quartus_pgm -c 1 -m jtag -o "e;help_data.puf;AGFB014R24A"
The UDS IID PUF is enrolled during device manufacturing and is not available for re-enrollment. Instead, you use the Programmer to determine the location of the UDS PUF helper data on IPCS, download the .puf file directly, and then use the UDS .puf file in the same way as the .puf file extracted from an Intel Agilex 7 device.
Use the following Programmer command to generate a text file containing a list of URLs pointing to device-specific files on IPCS:
quartus_pgm -c 1 -m jtag -o "e;ipcs_urls.txt;AGFB014R24B" --ipcs_urls
4.9.2.2. Wrapping the AES Root Key
You generate the IID PUF wrapped AES root key .wkey file by sending a signed certificate to the SDM.
You can use the Intel Quartus Prime Programmer to automatically generate, sign, and send the certificate to wrap your AES root key, or you can use the Intel Quartus Prime Programming File Generator to generate an unsigned certificate. You sign the unsigned certificate using your own tools or the Quartus signing tool. You then use the Programmer to send the signed certificate and wrap your AES root key. The signed certificate can be used to program all devices that can validate the signature chain.
Figure 8. Wrapping the AES Key Using the Intel Quartus Prime Programmer
[Figure labels: .pem private key; .qky signature chain; .qek encryption key; quartus_pgm; wrap AES key; SDM; generate PUF-wrapped key; .wkey PUF-wrapped AES key]
1. You can generate the IID PUF wrapped AES root key (.wkey) with the Programmer using the following arguments:
· The .qky file containing a signature chain with AES root key certificate permission
· The private .pem file for the last key in the signature chain
· The .qek file holding the AES root key
· The 16-byte initialization vector (iv).
quartus_pgm -c 1 -m jtag --qky_file=aes0_sign_chain.qky --pem_file=aes0_sign_private.pem --qek_file=aes.qek --iv=1234567890ABCDEF1234567890ABCDEF -o "ei;aes.wkey;AGFB014R24A"
2. Alternatively, you can generate an unsigned IID PUF wrapping AES root key certificate with the Programming File Generator using the following arguments:
quartus_pfg --ccert -o ccert_type=IID_PUF_WRAPPED_AES_KEY -o qek_file=aes.qek --iv=1234567890ABCDEF1234567890ABCDEF unsigned_aes.ccert
3. You sign the unsigned certificate with your own signing tools or the quartus_sign tool using the following command:
quartus_sign --family=agilex --operation=sign --qky=aes0_sign_chain.qky --pem=aes0_sign_private.pem unsigned_aes.ccert signed_aes.ccert
4. You then use the Programmer to send the signed AES certificate and return the wrapped key (.wkey) file:
quartus_pgm -c 1 -m jtag --cert_file=signed_aes.ccert -o "ei;aes.wkey;AGFB014R24A"
Note: The i operation is not necessary if you have previously loaded the provision firmware helper image, for example, to enroll the PUF.
4.9.2.3. Programming Helper Data and Wrapped Key to QSPI Flash Memory
You use the Quartus Programming File Generator graphical interface to build an initial QSPI flash image containing a PUF partition. You must generate and program an entire flash programming image to add a PUF partition to the QSPI flash. Creating the PUF data partition and using the PUF helper data and wrapped key files for flash image generation are not supported through the Programming File Generator command line interface.
The following steps demonstrate building a flash programming image with the PUF helper data and wrapped key:
1. On the File menu, click Programming File Generator. On the Output Files tab make the following selections:
a. For Device Family select Agilex 7.
b. For Configuration mode, select Active Serial x4.
c. For Output directory browse to your output file directory. This example uses output_files.
d. For Name, specify a name for the programming file to be generated. This example uses output_file.
e. Under Description select the programming files to generate. This example generates the JTAG Indirect Configuration File (.jic) for device configuration and the Raw Binary File of Programming Helper Image (.rbf) for the device helper image. This example also selects the optional Memory Map File (.map) and Raw Programming Data File (.rpd). The raw programming data file is necessary only if you plan to use a third-party programmer in the future.
Figure 9. Programming File Generator – Output Files Tab – Select JTAG Indirect Configuration
[Figure labels: Device Family; Configuration mode; Output Files tab; Output directory; JTAG Indirect (.jic); Memory Map File; Programming Helper; Raw Programming Data]
On the Input Files tab, make the following selections:
1. Click Add Bitstream and browse to your .sof.
2. Select your .sof file and then click Properties.
a. Turn on Enable signing tool.
b. For Private key file select your .pem file.
c. Turn on Finalize encryption.
d. For Encryption key file select your .qek file.
e. Click OK to return to the previous window.
3. To specify your PUF helper data file, click Add Raw Data. Change the Files of type drop-down menu to Quartus Physical Unclonable Function File (*.puf). Browse to your .puf file. If you are using both the IID PUF and the UDS IID PUF, repeat this step so that the .puf files for each PUF are added as input files.
4. To specify your wrapped AES key file, click Add Raw Data. Change the Files of type drop-down menu to Quartus Wrapped Key File (*.wkey). Browse to your .wkey file. If you have wrapped AES keys using both the IID PUF and the UDS IID PUF, repeat this step so that the .wkey files for each PUF are added as input files.
Figure 10. Specify Input Files for Configuration, Authentication, and Encryption
[Figure labels: Add Bitstream; Add Raw Data; Properties; Private key file; Finalize encryption; Encryption key]
On the Configuration Device tab, make the following selections:
1. Click Add Device and select your flash device from the list of available flash devices.
2. Select the configuration device you have just added and click Add Partition.
3. In the Edit Partition dialog box, for the Input file, select your .sof from the dropdown list. You can retain the defaults or edit the other parameters in the Edit Partition dialog box.
Figure 11. Specifying Your .sof Configuration Bitstream Partition
[Figure labels: Configuration Device; Edit Partition; Add .sof file; Add Partition]
4. When you add the .puf and .wkey as input files, the Programming File Generator automatically creates a PUF partition in your Configuration Device. To store the .puf and .wkey in the PUF partition, select the PUF partition and click Edit. In the Edit Partition dialog box, select your .puf and .wkey files from the dropdown lists. If you remove the PUF partition, you must remove and re-add the configuration device for the Programming File Generator to create another PUF partition. You must ensure that you select the correct .puf and .wkey file for the IID PUF and UDS IID PUF, respectively.
Figure 12. Add the .puf and .wkey Files to the PUF Partition
[Figure labels: PUF Partition; Edit; Edit Partition; Flash Loader; Select Generate]
5. For the Flash Loader parameter select the Intel Agilex 7 device family and the device name that matches your Intel Agilex 7 OPN.
6. Click Generate to generate the output files that you specified on the Output Files tab.
7. The Programming File Generator reads your .qek file and prompts you for your passphrase. Type your passphrase in response to the Enter QEK passphrase prompt. Press the Enter key.
8. Click OK when the Programming File Generator reports successful generation.
You use the Intel Quartus Prime Programmer to write the QSPI programming image to QSPI flash memory.
1. On the Intel Quartus Prime Tools menu select Programmer.
2. In the Programmer, click Hardware Setup and then select a connected Intel FPGA Download Cable.
3. Click Add File and browse to your .jic file.
Figure 13. Program .jic
[Figure labels: Programming file; Program/Configure; JTAG scan chain]
4. Clear the box associated with the Helper image.
5. Select Program/Configure for the .jic output file.
6. Click the Start button to program your quad SPI flash memory.
7. Power cycle your board. The design programmed to the quad SPI flash memory subsequently loads into the target FPGA.
You must generate and program an entire flash programming image to add a PUF partition to the quad SPI flash.
When a PUF partition already exists in the flash, you can use the Intel Quartus Prime Programmer to directly access the PUF helper data and wrapped key files. For example, if activation is unsuccessful, you can re-enroll the PUF, re-wrap the AES key, and then program only the PUF files without overwriting the entire flash.
The Intel Quartus Prime Programmer supports the following operation arguments for PUF files in a pre-existing PUF partition:
· p: program
· v: verify
· r: erase
· b: blank check
You must follow the same restrictions for PUF enrollment, even if a PUF partition exists.
1. Use the i operation argument to load the provision firmware helper image for the first operation. For example, the following command sequence re-enrolls the PUF, re-wraps the AES root key, erases the old PUF helper data and wrapped key, and then programs and verifies the new PUF helper data and AES root key.
quartus_pgm -c 1 -m jtag -o "ei;new.puf;AGFB014R24A"
quartus_pgm -c 1 -m jtag --cert_file=signed_aes.ccert -o "e;new.wkey;AGFB014R24A"
quartus_pgm -c 1 -m jtag -o "r;old.puf"
quartus_pgm -c 1 -m jtag -o "r;old.wkey"
quartus_pgm -c 1 -m jtag -o "p;new.puf"
quartus_pgm -c 1 -m jtag -o "p;new.wkey"
quartus_pgm -c 1 -m jtag -o "v;new.puf"
quartus_pgm -c 1 -m jtag -o "v;new.wkey"
4.9.2.4. Querying Intrinsic ID PUF Activation Status
After you enroll the Intrinsic ID PUF, wrap an AES key, generate the flash programming files, and update the quad SPI flash, you power cycle your device to trigger PUF activation and configuration from the encrypted bitstream. The SDM reports the PUF activation status along with the configuration status. If PUF activation fails, the SDM reports the PUF error status. Use the quartus_pgm command to query the configuration status.
1. Use the following command to query the activation status:
quartus_pgm -c 1 -m jtag --status --status_type="CONFIG"
Here is sample output from a successful activation:
Info (21597): Response of CONFIG_STATUS
Device is running in user mode
00006000 RESPONSE_CODE=OK, LENGTH=6
00000000 STATE=IDLE
00160300 Version
C000007B MSEL=QSPI_USG=1, nSTACONTVID=1, nSTACONTVID=1, nSTACONTVID=XNUMX, CLOCK_SOURCE=INTERNAL_PLL
0000000B CONF_DONE=1, INIT_DONE=1, CVP_DONE=0, SEU_ERROR=1
00000000 Error location
00000000 Error details
Response of PUF_STATUS
00002000 RESPONSE_CODE=OK, LENGTH=2
00000500 USER_IID STATUS=PUF_ACTIVATION_SUCCESS, RELIABILITY_DIAGNOSTIC_SCORE=5, TEST_MODE=0
00000500 UDS_IID STATUS=PUF_ACTIVATION_SUCCESS, RELIABILITY_DIAGNOSTIC_SCORE=5, TEST_MODE=0
If you are using only the IID PUF or only the UDS IID PUF, and have not programmed a helper data .puf file for a PUF in the QSPI flash, that PUF is not activated and the PUF status reports that the PUF helper data is not valid. The following example shows the PUF status when the PUF helper data was not programmed for either PUF:
Response of PUF_STATUS
00002000 RESPONSE_CODE=OK, LENGTH=2
00000002 USER_IID STATUS=PUF_DATA_CORRUPTED, RELIABILITY_DIAGNOSTIC_SCORE=0, TEST_MODE=0
00000002 UDS_IID STATUS=PUF_DATA_CORRUPTED, RELIABILITY_DIAGNOSTIC_SCORE=0, TEST_MODE=0
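An added example (not part of this guide or of Intel's tools) that turns the status output above into a pass/fail check in Python. It requires CONF_DONE=1, INIT_DONE=1, and PUF_ACTIVATION_SUCCESS only for the PUFs the design actually uses, because a PUF with no helper data in flash reports PUF_DATA_CORRUPTED. The function names are hypothetical and the sample text is constructed from the two outputs shown above.

```python
import re

# One PUF entry of the PUF_STATUS response. The output may wrap an entry over
# two lines, so matching is done on whitespace-normalised text.
PUF_ENTRY = re.compile(
    r"\b(?P<puf>USER_IID|UDS_IID)\s+STATUS=(?P<status>\w+),\s*"
    r"RELIABILITY_DIAGNOSTIC_SCORE=(?P<score>\d+),\s*TEST_MODE=(?P<test_mode>\d+)")
FLAG = re.compile(r"\b(CONF_DONE|INIT_DONE)=(\d)")


def parse_status(text):
    """Extract the configuration flags and the per-PUF status fields."""
    flat = " ".join(text.split())
    pufs = {m["puf"]: {"status": m["status"],
                       "score": int(m["score"]),
                       "test_mode": int(m["test_mode"])}
            for m in PUF_ENTRY.finditer(flat)}
    flags = {name: int(value) for name, value in FLAG.findall(flat)}
    return {"flags": flags, "pufs": pufs}


def activation_problems(text, pufs_in_use):
    """Return the reasons to reject the device; an empty list means that
    configuration completed and every PUF in pufs_in_use activated.
    PUFs that are not listed in pufs_in_use are ignored on purpose."""
    status = parse_status(text)
    problems = []
    for flag in ("CONF_DONE", "INIT_DONE"):
        if status["flags"].get(flag) != 1:
            problems.append(f"{flag}=1 not reported")
    for puf in pufs_in_use:
        entry = status["pufs"].get(puf)
        if entry is None:
            problems.append(f"{puf}: no PUF_STATUS entry")
        elif entry["status"] != "PUF_ACTIVATION_SUCCESS":
            problems.append(f"{puf}: {entry['status']}")
    return problems


# Constructed sample: a design that uses only the user IID PUF, so the UDS IID
# PUF has no helper data in flash and reports PUF_DATA_CORRUPTED.
SAMPLE = """\
0000000B CONF_DONE=1, INIT_DONE=1, CVP_DONE=0, SEU_ERROR=1
Response of PUF_STATUS
00002000 RESPONSE_CODE=OK, LENGTH=2
00000500 USER_IID STATUS=PUF_ACTIVATION_SUCCESS,
RELIABILITY_DIAGNOSTIC_SCORE=5, TEST_MODE=0
00000002 UDS_IID STATUS=PUF_DATA_CORRUPTED,
RELIABILITY_DIAGNOSTIC_SCORE=0, TEST_MODE=0
"""

if __name__ == "__main__":
    print("user IID only:", activation_problems(SAMPLE, ["USER_IID"]))
    print("both PUFs:   ", activation_problems(SAMPLE, ["USER_IID", "UDS_IID"]))
```

In a provisioning flow, feed the function the captured standard output of the status query and stop the line for any device that returns a non-empty list.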
4.9.2.5. Location of PUF in Flash Memory
The location of the PUF file is different for designs that support RSU and designs that do not support the RSU feature.
For designs that do not support RSU, you must include the .puf and .wkey files when you create updated flash images. For designs that support RSU, the SDM does not overwrite the PUF data sections during factory or application image updates.
Table 2. Flash Sub-partitions Layout without RSU Support
Flash Offset (in bytes) | Size (in bytes) | Contents | Description |
---|---|---|---|
0K | 256K | Configuration Management Firmware | Firmware that runs on the SDM. |
256K | 256K | Configuration Management Firmware | |
512K | 256K | Configuration Management Firmware | |
768K | 256K | Configuration Management Firmware | |
1M | 32K | PUF data copy 0 | Data structure for storing PUF helper data and PUF-wrapped AES root key copy 0 |
1M+32K | 32K | PUF data copy 1 | Data structure for storing PUF helper data and PUF-wrapped AES root key copy 1 |
Table 3. Flash Sub-partitions Layout with RSU Support
Flash Offset (in bytes) | Size (in bytes) | Contents | Description |
---|---|---|---|
0K | 512K | Decision firmware | Firmware to identify and load the highest priority image. |
512K | 512K | Decision firmware | |
1M | 512K | Decision firmware | |
1.5M | 512K | Decision firmware | |
2M | 8K + 24K | Decision firmware data, Padding | Reserved for Decision firmware use. |
2M + 32K | 32K | Reserved for SDM | Reserved for SDM. |
2M + 64K | Variable | Factory image | A simple image that you create as a backup if all other application images fail to load. This image includes the CMF that runs on the SDM. |
Next | 32K | PUF data copy 0 | Data structure for storing PUF helper data and PUF-wrapped AES root key copy 0 |
Next +32K | 32K | PUF data copy 1 | Data structure for storing PUF helper data and PUF-wrapped AES root key copy 1 |
Next + 256K | 4K | Sub-partition table copy 0 | Data structure to facilitate the management of the flash storage. |
Next +32K | 4K | Sub-partition table copy 1 | |
Next +32K | 4K | CMF pointer block copy 0 | List of pointers to application images in order of priority. When you add an image, that image becomes the highest priority. |
Next +32K | _ | CMF pointer block copy 1 | Second copy of the list of pointers to application images. |
Variable | Variable | Application image 1 | Your first application image. |
Variable | Variable | Application image 2 | Your second application image. |
4.9.3. Black Key Provisioning
Note:
The Intel Quartus Prime Programmer assists in establishing a mutually authenticated secure connection between the Intel Agilex 7 device and the black key provisioning service. The secure connection is established through https and requires several certificates identified using a text file.
When using Black Key Provisioning, Intel recommends that you avoid externally connecting the TCK pin to a pull-up or pull-down resistor while still using it for JTAG. However, you can connect the TCK pin to the VCCIO SDM power supply using a 10 kΩ resistor. The existing guidance in the Pin Connection Guidelines to connect TCK to a 1 kΩ pull-down resistor is included for noise suppression. The change in guidance to a 10 kΩ pull-up resistor does not affect the device functionally. For more information about connecting the TCK pin, refer to the Intel Agilex 7 Pin Connection Guidelines.
The bkp_tls_ca_cert certificate authenticates your black key provisioning service instance to your black key provisioning programmer instance. The bkp_tls_* certificates authenticate your black key provisioning programmer instance to your black key provisioning service instance.
You create a text file containing the information the Intel Quartus Prime Programmer needs to connect to the black key provisioning service. To initiate black key provisioning, use the Programmer command line interface to specify the black key provisioning options text file. Black key provisioning then proceeds automatically. For access to the black key provisioning service and associated documentation, contact Intel Support.
You can enable black key provisioning using the quartus_pgm command:
quartus_pgm -c <cable number> -m <programming mode> --device <device index> --bkp_options=bkp_options.txt
The command arguments specify the following information:
· -c: cable number
· -m: specifies the programming mode, such as JTAG
· --device: specifies a device index on the JTAG chain. The default value is 1.
· --bkp_options: specifies a text file containing black key provisioning options.
Related Information
Intel Agilex 7 Device Family Pin Connection Guidelines
4.9.3.1. Black Key Provisioning Options
The black key provisioning options are a text file passed to the Programmer through the quartus_pgm command. The file contains the information required to trigger black key provisioning.
The following is an example of the bkp_options.txt file:
bkp_cfg_id = 1
bkp_ip = 192.167.1.1
bkp_port = 10034
bkp_tls_ca_cert = root.cert
bkp_tls_prog_cert = prog.cert
bkp_tls_prog_key = prog_key.pexy_prog_key = prog_key.passpk https://1234:192.167.5.5
bkp_proxy_user = proxy_user
bkp_proxy_password = proxy_password
Table 4. Black Key Provisioning Options
This table lists the options required to initiate black key provisioning.
Option Name | Type | Description |
---|---|---|
bkp_ip | Required | Specifies the IP address of the server running the black key provisioning service. |
bkp_port | Required | Specifies the black key provisioning service port required to connect to the server. |
bkp_cfg_id | Required | Identifies the black key provisioning configuration flow ID. The black key provisioning service creates black key provisioning configuration flows that include an AES key, the desired eFuse settings, and other black key provisioning authorization options. The number assigned during black key provisioning service setup identifies the black key provisioning configuration flow. Note: Multiple devices may refer to the same black key provisioning service configuration flow. |
bkp_tls_ca_cert | Required | The root TLS certificate used to identify the black key provisioning service to the Intel Quartus Prime Programmer (Programmer). A trusted Certificate Authority for the black key provisioning service instance issues this certificate. If you run the Programmer on a computer with the Microsoft® Windows® operating system (Windows), you must install this certificate in the Windows certificate store. |
bkp_tls_prog_cert | Required | A certificate created for the instance of the black key provisioning Programmer (BKP Programmer). This is the https client certificate used to identify the BKP Programmer instance to the black key provisioning service. You must install and authorize this certificate in the black key provisioning service before you start a black key provisioning session. If you run the Programmer on Windows, this option is not available. In this case, bkp_tls_prog_key already includes this certificate. |
bkp_tls_prog_key | Required | The private key corresponding to the BKP Programmer certificate. The key validates the identity of the BKP Programmer instance to the black key provisioning service. If you run the Programmer on Windows, the .pfx file combines the bkp_tls_prog_cert certificate and the private key. The bkp_tls_prog_key option passes the .pfx file in the bkp_options.txt file. |
bkp_tls_prog_key_pass | Optional | The password for the bkp_tls_prog_key. Not required in the black key provisioning configuration options (bkp_options.txt) file. |
bkp_proxy_address | Optional | Specifies the proxy server URL address. |
bkp_proxy_user | Optional | Specifies the proxy server user name. |
bkp_proxy_password | Optional | Specifies the proxy authentication password. |
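The option table above can be turned into a pre-flight check that runs before the Programmer is started. The following is an added example, not Intel code: the function names are hypothetical, the sample files are constructed, and it assumes one "name = value" pair per line as in the bkp_options.txt example.

```python
import ipaddress

# Option names and their required/optional status, as listed in the table above.
REQUIRED = ("bkp_ip", "bkp_port", "bkp_cfg_id",
            "bkp_tls_ca_cert", "bkp_tls_prog_cert", "bkp_tls_prog_key")
OPTIONAL = ("bkp_tls_prog_key_pass", "bkp_proxy_address",
            "bkp_proxy_user", "bkp_proxy_password")
SECRET_OPTIONS = ("bkp_tls_prog_key_pass", "bkp_proxy_password")


def parse_options(text):
    """Parse 'name = value' lines. Returns (options dict, list of findings)."""
    options, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not name or not value:
            findings.append(f"error: line {lineno} is not a 'name = value' pair")
        elif name in options:
            findings.append(f"error: line {lineno} repeats option {name}")
        else:
            options[name] = value
    return options, findings


def is_number(value, low=0, high=None):
    """True for an ASCII decimal integer within [low, high]."""
    if not (value.isascii() and value.isdigit()):
        return False
    return int(value) >= low and (high is None or int(value) <= high)


def lint_bkp_options(text, windows=False):
    """Return findings for a bkp_options.txt body; an empty list means no issue found."""
    options, findings = parse_options(text)
    known = set(REQUIRED) | set(OPTIONAL)
    for name in options:
        if name not in known:
            findings.append(f"error: unknown option {name}")
    for name in REQUIRED:
        # Per the table, bkp_tls_prog_cert is not available when the Programmer runs on Windows.
        if name not in options and not (windows and name == "bkp_tls_prog_cert"):
            findings.append(f"error: missing required option {name}")
    if windows:
        if "bkp_tls_prog_cert" in options:
            findings.append("error: bkp_tls_prog_cert is not available on Windows")
        if not options.get("bkp_tls_prog_key", ".pfx").lower().endswith(".pfx"):
            findings.append("error: on Windows bkp_tls_prog_key must name the .pfx file")
    if "bkp_ip" in options:
        try:
            ipaddress.ip_address(options["bkp_ip"])
        except ValueError:
            findings.append(f"error: bkp_ip {options['bkp_ip']!r} is not an IP address")
    if "bkp_port" in options and not is_number(options["bkp_port"], 1, 65535):
        findings.append(f"error: bkp_port {options['bkp_port']!r} is not a valid port")
    if "bkp_cfg_id" in options and not is_number(options["bkp_cfg_id"]):
        findings.append(f"error: bkp_cfg_id {options['bkp_cfg_id']!r} is not a number")
    if "bkp_proxy_address" not in options and (
            "bkp_proxy_user" in options or "bkp_proxy_password" in options):
        findings.append("error: proxy credentials given without bkp_proxy_address")
    for name in SECRET_OPTIONS:
        if name in options:
            findings.append(f"warning: {name} is stored in clear text; "
                            "restrict read access to this file")
    return findings


# Constructed sample input (not from the page): a misspelled key option, an
# out-of-range port, and proxy credentials without a proxy address.
SAMPLE_BAD = """\
bkp_cfg_id = 1
bkp_ip = 192.167.1.1
bkp_port = 100340
bkp_tls_ca_cert = root.cert
bkp_tls_prog_cert = prog.cert
bkp_tlx_prog_key = prog_key.pem
bkp_proxy_user = proxy_user
bkp_proxy_password = proxy_password
"""

# Constructed sample input: every required option present, no stored secrets.
SAMPLE_GOOD = """\
bkp_cfg_id = 1
bkp_ip = 192.167.1.1
bkp_port = 10034
bkp_tls_ca_cert = root.cert
bkp_tls_prog_cert = prog.cert
bkp_tls_prog_key = prog_key.pem
"""

if __name__ == "__main__":
    for finding in lint_bkp_options(SAMPLE_BAD):
        print(finding)
```

Pass windows=True to apply the Windows rules from the table, where the .pfx file named by bkp_tls_prog_key replaces bkp_tls_prog_cert.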
4.10. Converting Owner Root Key, AES Root Key Certificates, and Fuse Files to Jam STAPL File Formats
You can use the quartus_pfg command-line command to convert .qky, AES root key .ccert, and .fuse files to Jam STAPL Format File (.jam) and Jam Byte Code Format File (.jbc). You can use these files to program Intel FPGAs using the Jam STAPL Player and the Jam STAPL Byte-Code Player, respectively.
A single .jam or .jbc contains several functions, including firmware helper image configuration and programming, blank check, and verification of key and fuse programming.
Caution:
When you convert the AES root key .ccert file to .jam format, the .jam file contains the AES key in plaintext but obfuscated form. Consequently, you must protect the .jam file when storing the AES key. You can do this by provisioning the AES key in a secure environment.
Here are examples of quartus_pfg conversion commands:
quartus_pfg -c -o helper_device=AGFB014R24A aes.ccert aes_ccert.jam
quartus_pfg -c -o helper_device=AGFB014R24A aes.ccert aes_ccert.jbc
quartus_pfg -c -o helper_device=AGFB014R24A settings.fuse setting_fuse.jam
quartus_pfg -c -o helper_device=AGFB014R24A settings.fuse setting_fuse.jbc
For more information about using the Jam STAPL Player for device programming, refer to AN 425: Using the Command-Line Jam STAPL Solution for Device Programming.
Run the following commands to program the owner root public key and the AES encryption key:
// To load the helper bitstream into the FPGA.
// The helper bitstream includes provisioning firmware
quartus_jli -c 1 -a CONFIGURE RootKey.jam
// To program the owner root public key into virtual eFuses
quartus_jli -c 1 -a PUBKEY_PROGRAM RootKey.jam
// To program the owner root public key into eFuses
quartus_jli -c 1 -a PUBKEY_PROGRAM -e DO_UNI_ACT_DO_EFUSES_FLAG RootKey.jam
// To program the PR owner root public key into virtual eFuses
quartus_jli -c 1 -a PUBKEY_PROGRAM -e DO_UNI_ACT_DO_PR_PUBKEY_FLAG pr_rootkey.jam
// To program the PR owner root public key into physical eFuses
quartus_jli -c 1 -a PUBKEY_PROGRAM -e DO_UNI_ACT_DO_PR_PUBKEY_FLAG -e DO_UNI_ACT_DO_EFUSES_FLAG pr_rootkey.jam
// To program the AES encryption key CCERT into BBRAM
quartus_jli -c 1 -a CCERT_PROGRAM EncKeyBBRAM.jam
// To program the AES encryption key CCERT into physical eFuses
quartus_jli -c 1 -a CCERT_PROGRAM -e DO_UNI_ACT_DO_EFUSES_FLAG EncKeyEFuse.jam
Related Information: AN 425: Using the Command-Line Jam STAPL Solution for Device Programming
5. Advanced Features
5.1. Secure Debug Authorization
To enable Secure Debug Authorization, the device owner needs to generate an authentication key pair and use the Intel Quartus Prime Pro Programmer to generate a device information file for the device that runs the debug image:
quartus_pgm -c 1 -m jtag -o "ei;device_info.txt;AGFB014R24A" --dev_info
The device owner uses the quartus_sign tool or the reference implementation to append a conditional public key entry to a signature chain intended for debug operations, using the public key from the debug owner, the necessary authorizations, the device information text file, and any further applicable restrictions:
quartus_sign --family=agilex --operation=append_key --previous_pem=debug_chain_private.pem --previous_qky=debug_chain.qky --permission=0x6 --cancel=1 --dev_info=device_info.txt --restriction="1,2,17,18" --input_pem=debug_authorization_public_key.pem secure_debug_auth_chain.qky
The device owner sends the full signature chain back to the debug owner, who uses the signature chain and their private key to sign the debug image:
quartus_sign --family=agilex --operation=sign --qky=secure_debug_auth_chain.qky --pem=debug_authorization_private_key.pem unsigned_debug_design.rbf authorized_debug_design.rbf
You can use the quartus_pfg command to inspect the signature chain of each section of this signed secure debug bitstream as follows:
quartus_pfg --check_integrity authorized_debug_design.rbf
The output of this command prints the restriction values 1,2,17,18 of the conditional public key that was used to generate the signed bitstream.
The debug owner can then program the securely authorized debug design:
quartus_pgm -c 1 -m jtag -o "p;authorized_debug_design.rbf"
The device owner may revoke the secure debug authorization by cancelling the explicit key cancellation ID assigned in the secure debug authorization signature chain.
5.2. HPS Debug Certificates
Enabling only authorized access to the HPS debug access port (DAP) via the JTAG interface requires several steps:
1. Click the Intel Quartus Prime software Assignments menu and select Device > Device and Pin Options > Configuration.
2. In the Configuration tab, enable the HPS debug access port (DAP) by selecting either HPS Pins or SDM Pins from the drop-down menu, and make sure that the Allow HPS debug without certificates checkbox is not selected.
Figure 14. Specify Either HPS or SDM Pins for the HPS DAP
Alternatively, you can set the assignment below in the Quartus Prime Settings .qsf file:
set_global_assignment -name HPS_DAP_SPLIT_MODE "SDM PINS"
3. Compile and load the design with these settings.
4. Create a signature chain with the appropriate permissions to sign an HPS debug certificate:
quartus_sign --family=agilex --operation=append_key --previous_pem=root_private.pem --previous_qky=root.qky --permission=0x8 --cancel=1 --input_pem=hps_debug_cert_public_key.pem hps_debug_cert_sign_chain.qky
5. Request an unsigned HPS debug certificate from the device where the debug design is loaded:
quartus_pgm -c 1 -m jtag -o "e;unsigned_hps_debug.cert;AGFB014R24A"
6. Sign the unsigned HPS debug certificate using the quartus_sign tool or the reference implementation and the HPS debug signature chain:
quartus_sign --family=agilex --operation=sign --qky=hps_debug_cert_sign_chain.qky --pem=hps_debug_cert_private_key.pem unsigned_hps_debug.cert signed_hps_debug.cert
7. Send the signed HPS debug certificate back to the device to enable access to the HPS debug access port (DAP):
quartus_pgm -c 1 -m jtag -o "p;signed_hps_debug.cert"
The HPS debug certificate is valid only from the time it was generated until the next power cycle of the device or until a different type or version of SDM firmware is loaded. You must generate, sign, and program the signed HPS debug certificate, and perform all debug operations, before power cycling the device. You may invalidate the signed HPS debug certificate by power cycling the device.
5.3. Platform Attestation
You can generate a reference integrity manifest (.rim) file using the programming file generator tool:
quartus_pfg -c sign_encrypted_top.rbf top_rim.rim
Follow these steps to ensure platform attestation in your design:
1. Use the Intel Quartus Prime Pro Programmer to configure your device with the design you created a reference integrity manifest for.
2. Use a platform attestation verifier to enroll the device by issuing commands to the SDM via the SDM mailbox to create the device ID certificate and firmware certificate on reload.
3. Use the Intel Quartus Prime Pro Programmer to configure your device with the design.
4. Use the platform attestation verifier to issue commands to the SDM to get the attestation device ID, firmware, and alias certificates.
5. Use the attestation verifier to issue the SDM mailbox command to get the attestation evidence, and the verifier checks the returned evidence.
You may implement your own verifier service using the SDM mailbox commands, or use the Intel platform attestation verifier service. For more information about Intel platform attestation verifier service software, availability, and documentation, contact Intel Support.
Related Information: Intel Agilex 7 Device Family Pin Connection Guidelines
5.4. Physical Anti-Tamper
You enable the physical anti-tamper features using the following steps:
1. Selecting the desired response to a detected tamper event
2. Configuring the desired tamper detection methods and parameters
3. Including the Anti-Tamper IP in your design logic to help manage anti-tamper events
5.4.1. Anti-Tamper Responses
You enable physical anti-tamper by selecting a response from the Anti-tamper response: drop-down list on the Assignments > Device > Device and Pin Options > Security > Anti-Tamper tab. By default, the anti-tamper response is disabled. Five categories of anti-tamper response are available. When you select your desired response, the options to enable one or more detection methods become available.
Figure 15. Available Anti-Tamper Response Options
The corresponding assignment in the Quartus Prime settings .qsf file is the following:
set_global_assignment -name ANTI_TAMPER_RESPONSE "NOTIFICATION DEVICE WIPE DEVICE LOCK AND ZEROIZATION"
When you enable an anti-tamper response, you may choose two available SDM dedicated I/O pins to output the tamper event detection and response status using the Assignments > Device > Device and Pin Options > Configuration > Configuration Pin Options window.
Figure 16. Available SDM Dedicated I/O Pins for Tamper Event Detection
You may also make the following pin assignments in the settings file:
set_global_assignment -name USE_TAMPER_DETECT SDM_IO15
set_global_assignment -name ANTI_TAMPER_RESPONSE_FAILED SDM_IO16
5.4.2. Anti-Tamper Detection
You may individually enable the frequency, temperature, and voltage detection features of the SDM. FPGA detection depends on including the Anti-Tamper Lite Intel FPGA IP in your design.
Note:
SDM frequency and voltage tamper detection methods depend on internal references and measurement hardware that can vary across devices. Intel recommends that you characterize the behavior of tamper detection settings.
Frequency tamper detection operates on the configuration clock source. To enable frequency tamper detection, you must specify an option other than Internal Oscillator in the Configuration clock source drop-down on the Assignments > Device > Device and Pin Options > General tab. You must ensure that the Run configuration CPU from internal oscillator checkbox is enabled before you enable frequency tamper detection.
Figure 17. Setting the SDM to Internal Oscillator
To enable frequency tamper detection, select the Enable frequency tamper detection checkbox and select the desired Frequency tamper detection range from the drop-down menu.
Figure 18. Enabling Frequency Tamper Detection
Alternatively, you can enable Frequency Tamper Detection by making the following changes to the Quartus Prime Settings .qsf file:
set_global_assignment -name AUTO_RESTART_CONFIGURATION OFF
set_global_assignment -name DEVICE_INITIALIZATION_CLOCK OSC_CLK_1_100MHZ
set_global_assignment -name RUN_CONFIG_CPU_FROM_INT_OSC ON
set_global_assignment -name ENABLE_FREQUENCY_TAMPER_DETECTION ON
set_global_assignment -name FREQUENCY_TAMPER_DETECTION_RANGE 35
To enable temperature tamper detection, select the Enable temperature tamper detection checkbox and select the desired upper and lower temperature bounds in the corresponding fields. The upper and lower bounds are populated by default with the temperature range of the device selected in the design.
To enable voltage tamper detection, select either or both of the Enable VCCL voltage tamper detection or Enable VCCL_SDM voltage tamper detection checkboxes and select the desired Voltage tamper detection trigger percentage in the corresponding field.
Figure 19. Enabling Voltage Tamper Detection
Alternatively, you can enable Voltage Tamper Detection by specifying the following assignments in the .qsf file:
set_global_assignment -name ENABLE_TEMPERATURE_TAMPER_DETECTION ON
set_global_assignment -name TEMPERATURE_TAMPER_UPPER_BOUND 100
set_global_assignment -name ENABLE_VCCL_VOLTAGE_TAMPER_DETECTION ON
set_global_assignment -name ENABLE_VCCL_SDM_VOLTAGE_TAMPER_DETECTION ON
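The dependencies described in sections 5.4.1 and 5.4.2 can be checked directly against a project's .qsf file before compilation. This is an added example, not Intel code: the function names are hypothetical, the sample files are constructed, the assignment names are the ones shown in this section's listings, and it assumes that an unassigned DEVICE_INITIALIZATION_CLOCK means the internal oscillator and that external clock sources are named OSC_CLK_... as in the listing above.

```python
import shlex

# SDM detection methods, named as in the .qsf listings of this section.
SDM_DETECTORS = (
    "ENABLE_FREQUENCY_TAMPER_DETECTION",
    "ENABLE_TEMPERATURE_TAMPER_DETECTION",
    "ENABLE_VCCL_VOLTAGE_TAMPER_DETECTION",
    "ENABLE_VCCL_SDM_VOLTAGE_TAMPER_DETECTION",
)


def read_assignments(qsf_text):
    """Map NAME -> VALUE for each 'set_global_assignment -name NAME VALUE' line.

    When a name is assigned more than once, this example keeps the last value.
    """
    settings = {}
    for raw in qsf_text.splitlines():
        try:
            # shlex handles "quoted values" and strips # comments
            words = shlex.split(raw, comments=True)
        except ValueError:
            continue  # unbalanced quote: not a line this check can judge
        if len(words) >= 4 and words[:2] == ["set_global_assignment", "-name"]:
            settings[words[2].upper()] = words[3].upper()
    return settings


def check_anti_tamper(qsf_text):
    """Return a list of inconsistencies in the anti-tamper assignments."""
    s = read_assignments(qsf_text)
    findings = []
    enabled = [name for name in SDM_DETECTORS if s.get(name) == "ON"]

    # 5.4.1: the response is disabled by default, and the detection options
    # only become available once a response is selected.
    if enabled and "ANTI_TAMPER_RESPONSE" not in s:
        findings.append("detection enabled but ANTI_TAMPER_RESPONSE is not assigned")

    # 5.4.2: frequency detection needs a configuration clock source other than
    # the internal oscillator, with the configuration CPU run from the
    # internal oscillator.
    if s.get("ENABLE_FREQUENCY_TAMPER_DETECTION") == "ON":
        clock = s.get("DEVICE_INITIALIZATION_CLOCK", "")
        if not clock.startswith("OSC_CLK_"):  # assumption, see lead-in
            findings.append("frequency detection needs DEVICE_INITIALIZATION_CLOCK "
                            "set to a source other than the internal oscillator")
        if s.get("RUN_CONFIG_CPU_FROM_INT_OSC") != "ON":
            findings.append("frequency detection needs RUN_CONFIG_CPU_FROM_INT_OSC ON")

    # 5.4.1: detection and response status are output on two SDM I/O pins.
    detect_pin = s.get("USE_TAMPER_DETECT")
    failed_pin = s.get("ANTI_TAMPER_RESPONSE_FAILED")
    if detect_pin is not None and detect_pin == failed_pin:
        findings.append("USE_TAMPER_DETECT and ANTI_TAMPER_RESPONSE_FAILED share one pin")
    return findings


# Constructed sample (not from the page): detection switched on without the
# settings it depends on, and both status outputs on the same pin.
SAMPLE_QSF = """\
# anti-tamper settings under review
set_global_assignment -name ENABLE_FREQUENCY_TAMPER_DETECTION ON
set_global_assignment -name FREQUENCY_TAMPER_DETECTION_RANGE 35
set_global_assignment -name ENABLE_VCCL_VOLTAGE_TAMPER_DETECTION ON
set_global_assignment -name USE_TAMPER_DETECT SDM_IO15
set_global_assignment -name ANTI_TAMPER_RESPONSE_FAILED SDM_IO15
"""

# Constructed sample: the same settings with the dependencies satisfied.
FIXED_QSF = """\
set_global_assignment -name ANTI_TAMPER_RESPONSE "NOTIFICATION DEVICE WIPE DEVICE LOCK AND ZEROIZATION"
set_global_assignment -name DEVICE_INITIALIZATION_CLOCK OSC_CLK_1_100MHZ
set_global_assignment -name RUN_CONFIG_CPU_FROM_INT_OSC ON
set_global_assignment -name ENABLE_FREQUENCY_TAMPER_DETECTION ON
set_global_assignment -name FREQUENCY_TAMPER_DETECTION_RANGE 35
set_global_assignment -name ENABLE_VCCL_VOLTAGE_TAMPER_DETECTION ON
set_global_assignment -name USE_TAMPER_DETECT SDM_IO15
set_global_assignment -name ANTI_TAMPER_RESPONSE_FAILED SDM_IO16
"""

if __name__ == "__main__":
    for finding in check_anti_tamper(SAMPLE_QSF):
        print(finding)
```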
5.4.3. Anti-Tamper Lite Intel FPGA IP
The Anti-Tamper Lite Intel FPGA IP, available in the IP catalog in Intel Quartus Prime Pro Edition software, enables bidirectional communication between your design and the SDM for tamper events.
Figure 20. Anti-Tamper Lite Intel FPGA IP
The IP provides the following signals that you connect to your design as needed:
Table 5. Anti-Tamper Lite Intel FPGA IP I/O Signals
Signal Name | Direction | Description |
---|---|---|
gpo_sdm_at_event | Output | SDM signal to FPGA fabric logic that the SDM has detected a tamper event. The FPGA logic has approximately 5 ms to perform any cleaning and respond to the SDM via gpi_fpga_at_response_done and gpi_fpga_at_zeroization_done. The SDM proceeds with the tamper response actions when gpi_fpga_at_response_done is asserted or after no response is received in the allotted time. |
gpi_fpga_at_event | Input | FPGA interrupt to the SDM that your designed anti-tamper detection circuitry has detected a tamper event and the SDM tamper response should be triggered. |
gpi_fpga_at_response_done | Input | FPGA interrupt to the SDM that the FPGA logic has performed the desired cleaning. |
gpi_fpga_at_zeroization_done | Input | FPGA signal to the SDM that the FPGA logic has completed any desired zeroization of design data. This signal is sampled when gpi_fpga_at_response_done is asserted. |
5.4.3.1. Release Information
The IP version (X.Y.Z) number changes from one software version to another. A change in:
· X indicates a major revision of the IP. If you update your Intel Quartus Prime software, you must regenerate the IP.
· Y indicates the IP includes new features. Regenerate your IP to include these new features.
· Z indicates the IP includes minor changes. Regenerate your IP to include these changes.
Table 6. Anti-Tamper Lite Intel FPGA IP Release Information
Item | Description |
---|---|
IP Version | 20.1.0 |
Intel Quartus Prime Version | 21.2 |
Release Date | 2021.06.21 |
5.5. Using Design Security Features with Remote System Update
Remote System Update (RSU) is an Intel Agilex 7 FPGA feature that assists in updating configuration files in a robust way. RSU is compatible with design security features such as authentication, firmware co-signing, and bitstream encryption, because RSU does not depend on the design contents of configuration bitstreams.
Building RSU Images with .sof Files
If you store private keys on your local filesystem, you may generate RSU images with design security features using a simplified flow with .sof files as inputs. To generate RSU images with a .sof file, you may follow the instructions in the section Generating Remote System Update Image Files Using the Programming File Generator of the Intel Agilex 7 Configuration User Guide. For every .sof file specified on the Input Files tab, click the Properties… button and specify the appropriate settings and keys for the signing and encryption tools. The programming file generator tool signs and encrypts factory and application images while creating the RSU programming files.
Alternatively, if you store private keys in an HSM, you must use the quartus_sign tool and therefore use .rbf files. The rest of this section details the changes in the flow to generate RSU images with .rbf files as inputs. You must encrypt and sign .rbf format files before selecting them as input files for RSU images; however, the RSU boot info file must not be encrypted and must only be signed. The Programming File Generator does not support modifying properties of .rbf format files.
The following examples demonstrate the necessary modifications to the commands in the section Generating Remote System Update Image Files Using the Programming File Generator of the Intel Agilex 7 Configuration User Guide.
Generating the Initial RSU Image Using .rbf Files: Command Modification
From the Generating the Initial RSU Image Using .rbf Files section, modify the commands in Step 1 to enable the design security features as desired using instructions from earlier sections of this document.
For example, you would specify a signed firmware file if you were using firmware cosigning, then use the Quartus encryption tool to encrypt each .rbf file, and finally use the quartus_sign tool to sign each file.
In Step 2, if you have enabled firmware co-signing, you must use an additional option when creating the boot .rbf from the factory image file:
quartus_pfg -c factory.sof boot.rbf -o rsu_boot=ON -o fw_source=signed_agilex.zip
After you create the boot info .rbf file, use the quartus_sign tool to sign the .rbf file. You must not encrypt the boot info .rbf file.
Generating an Application Image: Command Modification
To generate an application image with design security features, you modify the command in Generating an Application Image to use a .rbf with design security features enabled, including co-signed firmware if required, instead of the original application .sof file:
quartus_pfg -c cosigned_fw_signed_encrypted_application.rbf secured_rsu_application.rpd -o mode=ASX4 -o bitswap=ON
Generating a Factory Update Image: Command Modification
After you create the boot info .rbf file, you use the quartus_sign tool to sign the .rbf file. You must not encrypt the boot info .rbf file.
To generate an RSU factory update image, you modify the command from Generating a Factory Update Image to use a .rbf file with design security features enabled and add the option to indicate the use of co-signed firmware:
quartus_pfg -c cosigned_fw_signed_encrypted_factory.rbf secured_rsu_factory_update.rpd -o mode=ASX4 -o bitswap=ON -o rsu_upgrade=ON -o fw_source=signed_agilex.zip
Related Information: Intel Agilex 7 Configuration User Guide
5.6. SDM Cryptographic Services
The SDM on Intel Agilex 7 devices provides cryptographic services that FPGA fabric logic or the HPS may request through the respective SDM mailbox interface. For more information about the mailbox commands and data formats for all SDM cryptographic services, refer to Appendix B in the Security Methodology for Intel FPGAs and Structured ASICs User Guide.
To access the SDM mailbox interface from FPGA fabric logic for SDM cryptographic services, you must instantiate the Mailbox Client Intel FPGA IP in your design.
Reference code to access the SDM mailbox interface from the HPS is included in the ATF and Linux code provided by Intel.
Related Information: Mailbox Client Intel FPGA IP User Guide
5.6.1. Vendor Authorized Boot
Intel provides a reference implementation for HPS software that uses the vendor authorized boot feature to authenticate HPS boot software from the first stage boot loader through to the Linux kernel.
Related Information: Intel Agilex 7 SoC Secure Boot Demo Design
5.6.2. Secure Data Object Service
You send commands through the SDM mailbox to perform SDOS object encryption and decryption. You can use the SDOS feature after provisioning the SDOS root key.
Related Information: Secure Data Object Service Root Key Provisioning
5.6.3. SDM Cryptographic Primitive Services
You send commands through the SDM mailbox to initiate SDM cryptographic primitive service operations. Some cryptographic primitive services require that more data be transferred to the SDM than the mailbox interface can accept. In these cases, the command format changes to provide pointers to data in memory. Additionally, you must change the instantiation of the Mailbox Client Intel FPGA IP to use SDM cryptographic primitive services from the FPGA fabric logic. You must also set the Enable Crypto Service parameter to 1 and connect the newly exposed AXI interface to a memory in your design.
Figure 21. Enabling SDM Cryptographic Services in the Mailbox Client Intel FPGA IP
5.7. Bitstream Security Settings (FM/S10)
FPGA Bitstream Security options are a collection of policies that restrict the specified feature or mode of operation within a defined period.
Bitstream Security options consist of flags that you set in the Intel Quartus Prime Pro Edition software. These flags are automatically copied into the configuration bitstreams.
You can permanently enforce security options on a device by using the corresponding security setting eFuse.
To use any security settings in the bitstream or device eFuses, you must enable the authentication feature.
5.7.1. Selecting and Enabling Security Options
To select and enable security options, do as follows: From the Assignments menu, select Device > Device and Pin Options > Security > More Options…
Then select the values from the drop-down lists for the security options that you want to enable, as shown in the following example:
Figure 23. Selecting Values for Security Options
The following are the corresponding changes in the Quartus Prime Settings .qsf file:
set_global_assignment -name SECU_OPTION_DISABLE_JTAG "ON CHECK"
set_global_assignment-Emenales EF efsus on Set_global_assign_ke_ke_ketso_Dalestouble _Key_efuduses on
set_global_assignment -name SECU_OPTION_DISABLE_ENCRYPTION_KEY_IN_EFUSES ON
set_global_assignment -name SECU_OPTION_DISABLE_ENCRYPTION_KEY_IN_BBRAM ON
set_global_assignment -name SECU_OPTION_DISABLE_PUF_WRAPPED_ENCRYPTION
6. Troubleshooting
This chapter describes common errors and warning messages that you may encounter while trying to use the device security features, and the measures to resolve them.
6.1. Using Quartus Commands in a Windows Environment Error
Error
quartus_pgm: command not found
Description
This error displays when you try to use Quartus commands in a NIOS II Shell in a Windows environment by using WSL.
Resolution
This command works in a Linux environment; for Windows hosts, use the following command:
quartus_pgm.exe -h
Similarly, apply the same syntax to other Quartus Prime commands such as quartus_pfg, quartus_sign, and quartus_encrypt, among other commands.
6.2. Generating a Private Key Warning
Warning:
The specified password is considered insecure. Intel recommends that at least 13 characters of password be used. You are recommended to change the password by using the OpenSSL executable.
openssl ec -in <keyfile> -out <keyfile> -aes256
Description
This warning is related to the password strength and displays when you try to generate a private key by issuing the following command:
quartus_sign --family=agilex --operation=make_private_pem --curve=secp384r1 root.pem
Resolution
Use the openssl executable to specify a longer and stronger password.
6.3. Adding a Signing Key to the Quartus Project Error
Error
…File contains root key information…
Description
After adding a signing key .qky file to the Quartus project, you need to re-assemble the .sof file. When you add this regenerated .sof file to the selected device by using the Quartus Programmer, the following error message indicates that the file contains root key information:
Failed to add <file-path-name> to Programmer. The file contains root key information (.qky). However, Programmer does not support bitstream signing feature. You can use Programming File Generator to convert the file to signed Raw Binary file (.rbf) for configuration.
Resolution
Use the Quartus Programming file generator to convert the file into a signed Raw Binary File .rbf for configuration.
Related Information: Signing Configuration Bitstream Using the quartus_sign Command
6.4. Generating Quartus Prime Programming File was Unsuccessful
Error
Error (20353): X of public key from QKY doesn't match with private key from PEM file.
Error (20352): Failed to sign the bitstream through python script agilex_sign.py.
Error: Quartus Prime Programming File Generator was unsuccessful.
Description
If you attempt to sign a configuration bitstream using an incorrect private key .pem file, or a .pem file that does not match the .qky added to the project, the common errors above are displayed.
Resolution
Ensure that you use the correct private key .pem to sign the bitstream.
6.5. Unknown Argument Errors
Error
Error (23028): Unknown argument "ûc". Refer to -help for legal arguments.
Error (213008): Programming option string "ûp" is illegal. Refer to -help for legal programming option formats.
Description
If you copy and paste command-line options from a .pdf file into the Windows NIOS II Shell, you may encounter unknown argument errors as shown above.
Resolution
In such cases, you can enter the commands manually instead of pasting from the clipboard.
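The "û" in the errors above is consistent with a PDF en dash (Windows-1252 byte 0x96) being displayed by a console that uses an OEM code page; that reading is an assumption, not something the guide states. The following added example (not Intel code; audit_command and the sample command line are constructed here) flags such characters in a pasted command line before it is run.

```python
import unicodedata

# Typographic characters PDF text commonly carries in place of ASCII punctuation.
TYPOGRAPHIC = {
    "\u2010": "-", "\u2011": "-", "\u2012": "-", "\u2013": "-",
    "\u2014": "-", "\u2212": "-",
    "\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',
    "\u00a0": " ",
}


def _console_forms(oem="cp437"):
    """Map what each typographic character becomes when its Windows-1252
    byte is rendered by a console using an OEM code page (assumed cp437)."""
    forms = {}
    for ch, ascii_ch in TYPOGRAPHIC.items():
        try:
            forms[ch.encode("cp1252").decode(oem)] = (ch, ascii_ch)
        except UnicodeError:
            continue  # character has no Windows-1252 byte
    return forms


MOJIBAKE = _console_forms()


def audit_command(cmd):
    """Return (index, char, reason, ascii_suggestion) for every character
    in a pasted command line that a shell tool will not read as ASCII."""
    findings = []
    for i, ch in enumerate(cmd):
        if ch in TYPOGRAPHIC:
            name = unicodedata.name(ch, "U+%04X" % ord(ch))
            findings.append((i, ch, name, TYPOGRAPHIC[ch]))
        elif ch in MOJIBAKE:
            src, ascii_ch = MOJIBAKE[ch]
            reason = "console rendering of " + unicodedata.name(src)
            findings.append((i, ch, reason, ascii_ch))
        elif ord(ch) > 126 or (ord(ch) < 32 and ch != "\t"):
            findings.append((i, ch, "non-ASCII or control character", None))
    return findings


if __name__ == "__main__":
    # Constructed sample: a quartus_pfg command with PDF-style dashes pasted in.
    pasted = "quartus_pfg \u2013c design.sof output_file.rbf \u2013o signing=ON"
    for idx, ch, reason, fix in audit_command(pasted):
        print("col %d: %r (%s) -> type %r by hand" % (idx + 1, ch, reason, fix))
```

A flagged dash may stand for one or two ASCII hyphens, so the script reports positions only and leaves the retyping to you, as the resolution above advises.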
6.6. Bitstream Encryption Option Disabled Error
Error
Cannot finalize encryption for the file design.sof because it was compiled with the bitstream encryption option disabled.
Description
If you attempt to encrypt the bitstream via the GUI or the command line after you have compiled the project with the bitstream encryption option disabled, Quartus rejects the command as shown above.
Resolution
Ensure that you compile the project with the bitstream encryption option enabled, via either the GUI or the command line. To enable this option in the GUI, you must check the checkbox for this option.
6.7. Specifying the Correct Path to the Key
Error
Error (19516): Detected Programming File Generator settings error: Cannot find 'key_file'. Make sure the file is located in the expected location or update the setting.sec
Error (19516): Detected Programming File Generator settings error: Cannot find 'key_file'. Make sure the file is located in the expected location or update the setting.
Description
If you are using keys that are stored on the file system, you need to ensure that you specify the correct path for the keys used for encryption and signing. If the Programming File Generator cannot detect the correct path, the error messages above are displayed.
Resolution
Refer to the Quartus Prime Settings .qsf file to locate the correct paths for the keys. Make sure that you use relative paths instead of absolute paths.
6.8. Using Unsupported Output File Type
Error
quartus_pfg -c design.sof output_file.ebf -o finalize_operation=ON -o qek_file=ae.qek -o signing=ON -o pem_file=sign_private.pem
Error (19511): Unsupported output file type (ebf). Use "-l" or "-list" option to display supported file type information.
Description
While using the Quartus Programming File Generator to generate an encrypted and signed bitstream, you may see the error above if an unsupported output file type is specified.
Resolution
Use the -l or the -list option to see the list of supported file types.
7. Intel Agilex 7 Device Security User Guide Archives
For the latest and previous versions of this user guide, refer to Intel Agilex 7 Device Security User Guide. If an IP or software version is not listed, the user guide for the previous IP or software version applies.
8. Revision History for the Intel Agilex 7 Device Security User Guide
Document Version
2023.05.23
2022.11.22
2022.04.04
2022.01.20
2021.11.09