Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Public
Download
Document Table of Contents

4.4. Programming Key Cancellation ID Fuses

Starting with Intel® Quartus® Prime Pro Edition software version 21.1, programming Intel and owner key cancellation ID fuses requires the use of a signed compact certificate. You may sign the key cancellation ID compact certificate with a signature chain that has FPGA section signing permissions. You create the compact certificate with the programming file generator command line tool. You sign the unsigned certificate using the quartus_sign tool or reference implementation.

The following examples create an Intel key cancellation certificate for Intel key ID 7. You may replace 7 with the applicable Intel key cancellation ID from 0-31.

Run the following command to create an unsigned Intel key cancellation ID compact certificate:
quartus_pfg --ccert -o ccert_type=CANCEL_INTEL_KEY -o cancel_key=7 \
unsigned_cancel_intel7.ccert 
Run one of the following commands to sign the unsigned Intel key cancellation ID compact certificate:
quartus_sign --family=stratix10 --operation=SIGN \
--qky=design0_sign_chain.qky \
--pem=design0_private.pem \
unsigned_cancel_intel7.ccert signed_cancel_intel7.ccert
quartus_sign --family=stratix10 --operation=sign --module=softHSM \
--module_args="--token_label=s10-token \
--user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--keyname=design0_sign \
--qky=design0_sign_chain.qky \
unsigned_cancel_intel7.ccert signed_cancel_intel7.ccert
Run the following command to create an unsigned owner key cancellation ID compact certificate:
quartus_pfg --ccert -o ccert_type=CANCEL_OWNER_KEY \
-o cancel_key=2 \
unsigned_cancel_owner2.ccert
Run one of the following commands to sign the unsigned owner key cancellation ID compact certificate:
quartus_sign --family=stratix10 --operation=SIGN \
--qky=design0_sign_chain.qky \
--pem=design0_private.pem \
unsigned_cancel_owner2.ccert signed_cancel_owner2.ccert
quartus_sign --family=stratix10 --operation=sign --module=softHSM \
--module_args="--token_label=s10-token \
--user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--keyname=design0_sign \
--qky=design0_sign_chain.qky \
unsigned_cancel_owner2.ccert signed_cancel_owner2.ccert
After you have created a signed key cancellation ID compact certificate, you use the Intel® Quartus® Prime Programmer to program the compact certificate to the device via JTAG.
//For physical (non-volatile) eFuses 
quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_intel7.ccert" --non_volatile_key 
quartus_pgm -c 1 -m jtag -o “pi;signed_cancel_owner2.ccert” --non_volatile_key 
//For virtual (volatile) eFuses 
quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_intel7.ccert"  
quartus_pgm -c 1 -m jtag -o “pi;signed_cancel_owner2.ccert”

You may additionally send the compact certificate to the SDM using the FPGA or HPS mailbox interface.