Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 7/20/2022
Public



2.1.2. Creating Authentication Key Pairs in SoftHSM

The SoftHSM examples in this chapter are self-consistent. Certain parameters depend on your SoftHSM installation and on how you initialize a token within SoftHSM.

The quartus_sign tool depends on the PKCS #11 API library from your HSM.

The examples in this section assume that the SoftHSM library is installed to one of the following locations:
  • /usr/local/lib/softhsm2.so on Linux
  • C:\SoftHSM2\lib\softhsm2.dll on 32-bit version of Windows
  • C:\SoftHSM2\lib\softhsm2-x64.dll on 64-bit version of Windows
Initialize a token within SoftHSM using the softhsm2-util tool:
softhsm2-util --init-token --label s10-token --pin s10-token-pin \
--so-pin s10-so-pin --free

The option parameters, particularly the token label and token PIN, are examples used throughout this chapter. Intel recommends that you follow instructions from your HSM vendor to create and manage tokens and keys.

You create authentication key pairs using the pkcs11-tool utility to interact with the token in SoftHSM. Instead of referring explicitly to the private and public key .pem files, as in the file-system examples, you refer to the key pair by its label and the tool selects the appropriate key automatically.

Run the following commands to create a key pair used as the root key in later examples as well as a key pair used as a design signing key in the signature chain:
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label s10-token --login --pin s10-token-pin --keypairgen \
--mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign \
--label root --id 0
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label s10-token --login --pin s10-token-pin --keypairgen \
--mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign \
--label design0_sign --id 1
Note: The ID option in this step must be unique to each key, but it is used only by the HSM. This ID option is unrelated to the key cancellation ID assigned in the signature chain.
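The commands above leave both halves of each key pair inside the token. Before a root public key is used further down the signature chain, it is worth exporting it and confirming that the HSM really produced a secp384r1 key rather than something else left over in the token. The following Python is an added example and not Intel's tooling; it assumes the public key was exported from the token as a DER SubjectPublicKeyInfo (the pkcs11-tool --read-object invocation in the docstring is an assumed one), and build_spki only produces constructed test data, not real keys.

```python
"""Check that a public key exported from the HSM token is a secp384r1 key.

Assumed export command (not from the user guide):
    pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
        --token-label s10-token --read-object --type pubkey \
        --label root -o root_pub.der
"""
import sys

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
OID_SECP384R1 = bytes.fromhex("2b81040022")          # 1.3.132.0.34
P384_POINT_LEN = 1 + 2 * 48                          # 0x04 || X || Y


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def check_p384_spki(der: bytes) -> bool:
    """True only for a SPKI holding an uncompressed secp384r1 public point."""
    try:
        tag, spki, _ = _tlv(der, 0)
        tag_a, alg, pos = _tlv(spki, 0)
        tag_b, bitstr, _ = _tlv(spki, pos)
        tag_o, oid, pos = _tlv(alg, 0)
        tag_c, curve, _ = _tlv(alg, pos)
    except IndexError:                   # truncated or otherwise malformed DER
        return False
    if (tag, tag_a, tag_b, tag_o, tag_c) != (0x30, 0x30, 0x03, 0x06, 0x06):
        return False
    if oid != OID_EC_PUBLIC_KEY or curve != OID_SECP384R1:
        return False
    point = bitstr[1:]                   # bitstr[0] is the unused-bits count
    return bitstr[0] == 0 and len(point) == P384_POINT_LEN and point[0] == 0x04


def build_spki(curve_oid: bytes, point: bytes) -> bytes:
    """Build a DER SPKI around a given point (constructed test data only)."""
    def tlv(tag, val):
        hdr = bytes([tag, len(val)]) if len(val) < 128 else bytes([tag, 0x81, len(val)])
        return hdr + val
    alg = tlv(0x30, tlv(0x06, OID_EC_PUBLIC_KEY) + tlv(0x06, curve_oid))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        sys.exit(0 if check_p384_spki(f.read()) else 1)
```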