Programmable Devices
CPLDs, FPGAs, SoC FPGAs, Configuration, and Transceivers
Announcements
The Intel sign-in experience is changing in February to support enhanced security controls. If you sign in, click here for more information.
19679 Discussions

MAX10 RSU with encrypted .pof

rt52
Beginner
544 Views

I have a design that relies on RSU for remote updates.  I currently encrypt the .pof file for JTAG programming.  When generating that encrypted .pof file, I also choose to generate the .rpd files that go into CFM1.  When downloading the .rpd files with the encrypted .pof and .ekp programmed via JTAG,  the RSU is unsuccessful.  I see a revert to application image 0, which my design will only go to if there is a problem with application image 1.  The encrypted .pof file does not seem to like downloading a n.rpd file.  

Is there any way to get an .rpd file to download with an encrypted .pof 

0 Kudos
16 Replies
Farabi
Employee
523 Views

Hello,


if referring to : https://www.intel.com/content/www/us/en/docs/programmable/683762/21-4/generating-the-initial-rsu-ima...


"For security application when you need to generate a signed or encrypted .rbf file, you need to first generate .rbf file from a .sof file, and only then generate the initial RSU image from the .rbf file."


Is it possible to follow above instruction for security application?


regards,

Farabi




rt52
Beginner
512 Views

That document refers to a Stratix10, I am using a Max10.  I can try the equivalent on Max10.  

The process for generating the encrypted files is as follows:

1. Compile design, .sof is created

2. Take .sof into Convert Programming Files

3. Using .key file, generate encrypted .pof and encrypted .rpd and .ekp file from the base .sof

4. JTAG program the encrypted .pof with the .ekp 

 

What you're telling me to do is add a step in step 3 where I would generate a .rbf file from the .sof, then encrypt that .rbf to make an .rpd file that is encrypted that can be downloaded into flash?

rt52
Beginner
457 Views

This does not work.  Please advice.  Is there a way, on a MAX10, to perform a remote update with encryption enabled?

Fakhrul
Employee
437 Views

Hi rt52,


Could you please provide any error message or screenshot when the issue occurred?


Regards,

Fakhrul



rt52
Beginner
430 Views

There is no option for "Internal Configuration" when trying to convert programming files with .rbf.  The design uses MAX10 internal flash, not a QSPI.

rt52_0-1670603038894.png

 

Fakhrul
Employee
386 Views

Hi rt52,


Sorry for the late reply. Could you please take a look at the following steps on Generating files for Remote System Upgrade on page 8:


Generating files for Remote System Upgrade



Regards,

Fakhrul


rt52
Beginner
370 Views

Thank you for the document.  Currently I am able to successfully perform an RSU with an .rpd file without encryption.

As soon as I choose to use an encrypted .pof, the .rpd file generated in the same step (from checking the generate .rpd box)  does not work.  I do a readback of the boot source register in the dual boot IP and the device is booting from the fallback image.  This only happens when using the encrypted option.

Fakhrul
Employee
300 Views

Hi rt52,

 

I'm not sure you have taken a look the following steps on generating .ekp File and Encrypt Configuration File in the User Guide on page 41 as I'm assuming there could be some problems on the file generation.

 

https://www.intel.com/content/dam/support/cn/zh/programmable/support-resources/bulk-container/pdfs/l...

 

Regards,

Fakhrul

 

rt52
Beginner
282 Views

Hello,  this is the .cof file I am using to generate the encrypted .pof and .rpd.  I have a script that replaces the generic values with the inputs to the script that are the respective .sof, . ekp and .key file.  The generated .pof is labeled as "encrypted" and the CFM 1 .rpd file is used and the other 2 are removed because I do not use those.  This .cof is identical to how the unencrypted one works except for the .key/.ekp fields which are excluded.  The same process is used to give me the final .rpd and .pof but the unencrypted version works perfectly and the encrypted one does not. 

 

rt52_0-1671817604625.png

 

Fakhrul
Employee
201 Views

Hi rt52,


My apologies for the late reply. I am checking this internally for more clarification

Will get to you once there are any findings.


Regards,

Fakhrul


Fakhrul
Employee
160 Views

Hi rt52,


Sorry for the delay in response. From your flow, nothing sounds out of the ordinary to me.

  1. May I know if this is a singular case or are you seeing the same issue in other new devices?
  2. Can you consistently replicate this issue?
  3. Can you try to perform a full chip erase and see if the issue still persists?


Please let me know if this works for you. Thank you.


Regards,

Fakhrul


rt52
Beginner
148 Views

1. This issue follows other boards, although they are all the same board design.

2. Yes this issue will always happen.  Downloading the .rpd will work and boot into the application image every time without encryption but will not work when trying with encryption.

3. Full chip erase does not help the issue

Fakhrul
Employee
115 Views

Hi rt52,


Sorry for the delay in response. I couldn't replicate your issue on my end. What version of Quartus you're using and cand you try to use the latest version?


Regards,

Fakhrul


Fakhrul
Employee
98 Views

Hi rt52,


Just want to check whether you have tried the 3.8.3.2. Integrate the .ekp into .pof Programming (Page 55) when programming the FPGA with Initial Image using JTAG using the Programmer window?


Also, please check the Configuration Image Outcome Based on Encryption Settings (Page 56) from the same document as the Encryption Settings may affect the result for this process.


Regards,

Fakhrul



rt52
Beginner
57 Views

I am using Quartus 21.1 but I can try the latest version.

 

Yes, I have been using 3.8.3.2 o on the document you linked to do all the programming so far.  I tried 3.8.3.1 but my device would not boot.

I select the encrypted .pof image, right click and add the .ekp file generated in the same step, and also select an .ips file.  I am not sure if the .ips file affects this but the .pof programming will fail without using an .ips file.  This is done with an EtherBlaster. I can try a USB blaster but that should not make a difference.

 

If I am reading that table right, both images are encrypted with key x, and key x is loaded while programming.  Config_sel pin is set to 1 so the device should boot into image 1, which it does without encryption

Fakhrul
Employee
24 Views

Hi rt52,


We are consulting engineering on this request. I'm planning to get back to you once I receive the update.


Sorry for the inconvenience caused.


Regards,

Fakhrul


Reply