1.2. Firmware Co-Signing
Intel® Stratix® 10 FPGA firmware co-signing is a feature that allows an Intel® Stratix® 10 device owner to require the FPGA to validate both, the Intel signature and an owner signature, prior to loading and executing firmware. A detailed description of the feature is available in the Co-Signing Device Firmware Overview section of the Intel® Stratix® 10 Device Security User Guide.
If you enabled firmware co-signing, you perform the following steps to co-sign firmware:
- Locate the firmware file Stratix_10.zip and sign it with a signature chain that begins with your root key and ends with a code signing key with the SIGN_CODE permission and an appropriate key cancellation ID.
- You need to specify the signed Stratix_10.zip in the Quartus Programming File Generator GUI, or in any Quartus Programming File Generator command line operation with the -o fw_source= option as you continue through the following sections.
- You may use a new code signing key and advance the key cancellation ID in order to utilize both, the Intel and your key cancellation ID-based anti-rollback mechanisms. If you choose to use a new key cancellation ID, you need to cancel the your key cancellation ID assigned to the key that was previously used to sign firmware in addition to canceling the appropriate Intel key cancellation ID, after you have completed the firmware updates. Instructions to cancel key cancellation IDs are in the Intel® Stratix® 10 FPGA Firmware Cancellation IDs section.