Intel® Agilex™ Device Security User Guide

ID 683823
Date 11/09/2021

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

4.8.1. AES Root Key Compact Certificate

You use the quartus_pfg command line tool to convert your AES root key .qek file into the compact certificate .ccert format. You specify the key storage location while creating the compact certificate. You may use the quartus_pfg tool to create an unsigned certificate for later signing. You must use a signature chain with the AES root key certificate signing permission, permission bit 6, enabled in order to successfully sign an AES root key compact certificate.

Run one of the following command examples to create an additional key pair used to sign AES key compact certificate.
quartus_sign --family=agilex--operation=make_private_pem \
--curve=secp384r1 aesccert1_private.pem
quartus_sign --family=agilex --operation=make_public_pem \
aesccert1_private.pem aesccert1_public.pem>
pkcs11-tool --module=/usr/local/lib/softhsm/ \
--token_label agilex-token --login --pin agilex-token-pin \
--keypairgen –mechanism ECDSA-KEY-PAIR-GEN \
--key-type EC:secp384r1 --usage-sign --label aesccert1 --id 2
Run one of the following commands to create a signature chain with the correct permission bit set.
quartus_sign --family=agilex--operation=append_key \
--previous_pem=root_private.pem --previous_qky=root.qky \
--permission=0x40 --cancel=1 \
aesccert1_public.pem aesccert1_sign_chain.qky
quartus_sign --family=agilex--operation=append_key \
--module=softHSM –module_args="--token_label=agilex-token \
--user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/" \
--previous_pem=root --previous_qky=root.qky \
--permission=0x40 --cancel=1 aesccert1 aesccert1_sign_chain.qky
Run one of the following commands to create an unsigned AES compact certificate depending on the desired AES root key storage location.
//Create eFuse AES root key unsigned certificate 
quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY \ 
-o qek_file=aes.qek unsigned_efuse1.ccert 

//Create BBRAM AES root key unsigned certificate 
quartus_pfg --ccert -o ccert_type=BBRAM_WRAPPED_AES_KEY \
-o qek_file=aes.qek unsigned_bbram1.ccert
You use the quartus_sign command or reference implementation to sign the compact certificate.
quartus_sign --family=agilex--operation=sign \
--pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky \
unsigned_<location>1.ccert signed_<location>1.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/" --pem=aesccert1 \
--qky=aesccert1_sign_chain.qky \
unsigned_<location>1.ccert signed_<location>1.ccert
You use the Intel® Quartus® Prime Programmer to program the AES root key compact certificate to the Intel® Agilex® device via JTAG. The Quartus Programmer defaults to programming virtual eFuses when using the EFUSE_WRAPPED_AES_KEY compact certificate type. You add the --non_volatile_key option to specify programming physical fuses.
//For physical (non-volatile) eFuse AES root key 
quartus_pgm -c 1 -m jtag -o "pi;signed_efuse1.ccert" --non_volatile_key  

//For virtual (volatile) eFuse AES root key 
quartus_pgm -c 1 -m jtag -o “pi;signed_efuse1.ccert”   

//For BBRAM AES root key  
Quartus_pgm -c 1 -m jtag -o “pi;signed_bbram1.ccert” 

The SDM provision firmware and main firmware support AES root key certificate programming. You may also use the SDM mailbox interface from the FPGA fabric or HPS to program an AES root key certificate.

Did you find the information on this page useful?

Characters remaining:

Feedback Message