Encrypt or Sign Bitstreams from the Command Line

The Efinity software includes a Python script you can use to encrypt and/or sign bitstreams from the command line. You use the script $EFINITY_HOME/security/bin/AddSecurityTitanium.py.

AddSecurityTitanium.py [--help] [--sign] [--encrypt] [--iv IV] [--output OUTPUT] 
    [--verbose] [--timeout TIMEOUT] [--keypair KEYPAIR] [--passphrase PASSPHRASE] 
    [--public_key PUBLIC_KEY] [--signature_file SIGNATURE_FILE]
    bitstream keyfile

Table 1. AddSecurityTitanium.py Positional Arguments
Argument	Description
bitstream	Bitstream hex file name.
keyfile	Keyfile name.

Table 2. AddSecurityTitanium.py Options
Option (Long)	Option (Short)	Input	Description
--help	-h	None	Show help.
--sign	-s	None	RSA sign the bitstream. Required if target device has enabled RSA in non-volatile memory. With this option, you must also specify the RSA PEM key file containing the RSA private key.
--encrypt	-e	None	Encrypt the bitstream. Optional regardless if target device has had decryption key programmed in non-volatile memory.
--iv IV	-i IV	None	Manually specify 96-bit bit IV value, for obfuscation. If not specified, one will be auto-generated. Ignored if encryption not used.
--output	-o	Filename	Use the specified output security-enabled HEX file name instead of default name.
--verbose	N/A	None	Print out detailed information.
--timeout	N/A	Number	Timeout in seconds, defaults no timeout.
--keypair	-p	Key pair	RSA keypair PEM file (must match that used with GenKeyFileTitanium.py tool).
--passphrase	-x	Pass phrase	Passphrase associated with RSA private key, contained in RSA PEM key pair file. If the private key is passphrase-protected, then this option is required.
--public_key	N/A	Filename	RSA public key PEM file.

Sign and Encrypt a File

%EFINITY_HOME%\bin\python3
%EFINITY_HOME%\security\bin\AddSecurityTitanium.py --sign --encrypt
    --iv 0123456789ABCDEF01234567 --output my_secured_bitstream.hex --device_version 1 
    --keypair my_private_key.pem my_raw_unsecured_bitstream.hex my_keyfile.bin