Visible to Intel only — GUID: xkd1616589001214
Ixiasoft
Visible to Intel only — GUID: xkd1616589001214
Ixiasoft
4.8.1. AES Root Key Compact Certificate
You use the quartus_pfg command line tool to convert your AES root key .qek file into the compact certificate .ccert format. You specify the key storage location while creating the compact certificate. You may use the quartus_pfg tool to create an unsigned certificate for later signing. You must use a signature chain with the AES root key certificate signing permission, permission bit 6, enabled in order to successfully sign an AES root key compact certificate.
quartus_sign --family=agilex--operation=make_private_pem \
--curve=secp384r1 aesccert1_private.pem
quartus_sign --family=agilex --operation=make_public_pem \
aesccert1_private.pem aesccert1_public.pem>
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token_label agilex-token --login --pin agilex-token-pin \
--keypairgen –mechanism ECDSA-KEY-PAIR-GEN \
--key-type EC:secp384r1 --usage-sign --label aesccert1 --id 2
quartus_sign --family=agilex--operation=append_key \
--previous_pem=root_private.pem --previous_qky=root.qky \
--permission=0x40 --cancel=1 \
aesccert1_public.pem aesccert1_sign_chain.qky
quartus_sign --family=agilex--operation=append_key \
--module=softHSM –module_args="--token_label=agilex-token \
--user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--previous_pem=root --previous_qky=root.qky \
--permission=0x40 --cancel=1 aesccert1 aesccert1_sign_chain.qky
//Create eFuse AES root key unsigned certificate
quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY \
-o qek_file=aes.qek unsigned_efuse1.ccert
//Create BBRAM AES root key unsigned certificate
quartus_pfg --ccert -o ccert_type=BBRAM_WRAPPED_AES_KEY \
-o qek_file=aes.qek unsigned_bbram1.ccert
quartus_sign --family=agilex--operation=sign \
--pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky \
unsigned_<location>1.ccert signed_<location>1.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --pem=aesccert1 \
--qky=aesccert1_sign_chain.qky \
unsigned_<location>1.ccert signed_<location>1.ccert
//For physical (non-volatile) eFuse AES root key
quartus_pgm -c 1 -m jtag -o "pi;signed_efuse1.ccert" --non_volatile_key
//For virtual (volatile) eFuse AES root key
quartus_pgm -c 1 -m jtag -o “pi;signed_efuse1.ccert”
//For BBRAM AES root key
Quartus_pgm -c 1 -m jtag -o “pi;signed_bbram1.ccert”
The SDM provision firmware and main firmware support AES root key certificate programming. You may also use the SDM mailbox interface from the FPGA fabric or HPS to program an AES root key certificate.