Intel® Agilex™ Device Security User Guide

Download PDF
ID 683823
Date 11/09/2021
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Intel® Agilex® Device Security Overview 2. Authentication and Authorization 3. AES Bitstream Encryption 4. Device Provisioning 5. Advanced Features 6. Intel® Agilex™ Device Security User Guide Archives 7. Revision History for the Intel® Agilex® Device Security User Guide
1. Intel® Agilex® Device Security Overview x
1.1. Commitment to Product Security 1.2. Planned Security Features
1.2. Planned Security Features x
1.2.1. Physical Anti-Tamper 1.2.2. Black Key Provisioning 1.2.3. Intrinsic ID® Physically Unclonable Function (PUF) 1.2.4. Partial Reconfiguration Bitstream Security Verification
2. Authentication and Authorization x
2.1. Creating a Signature Chain 2.2. Signing a Configuration Bitstream
2.1. Creating a Signature Chain x
2.1.1. Creating Authentication Key Pairs on the Local Filesystem 2.1.2. Creating Authentication Key Pairs in SoftHSM 2.1.3. Creating the Signature Chain Root Entry 2.1.4. Creating a Signature Chain Public Key Entry
2.2. Signing a Configuration Bitstream x
2.2.1. Quartus Key File Assignment 2.2.2. Co-Signing SDM Firmware 2.2.3. Configuring Bitstream Signing Using the quartus_sign Command 2.2.4. Partial Reconfiguration Multi-Authority Support 2.2.5. Verifying Configuration Bitstream Signature Chains
3. AES Bitstream Encryption x
3.1. Creating the AES Root Key 3.2. Quartus Encryption Settings 3.3. Encrypting a Configuration Bitstream
3.3. Encrypting a Configuration Bitstream x
3.3.1. Configuration Bitstream Encryption Using the Programming File Generator Graphical Interface 3.3.2. Configuration Bitstream Encryption Using the Programming File Generator Command Line Interface 3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface 3.3.4. Partial Reconfiguration Bitstream Encryption
4. Device Provisioning x
4.1. Using SDM Provision Firmware 4.2. Authentication Root Key Provisioning 4.3. Programming Key Cancellation ID Fuses 4.4. Canceling Root Keys 4.5. Programming Counter Fuses 4.6. Secure Data Object Service Root Key Provisioning 4.7. Security Setting Fuse Provisioning 4.8. AES Root Key Provisioning 4.9. Converting Owner Root Key, AES Root Key Certificates, and Fuse files to Jam STAPL File Formats
4.2. Authentication Root Key Provisioning x
4.2.1. Partial Reconfiguration Multi-Authority Root Key Programming
4.8. AES Root Key Provisioning x
4.8.1. AES Root Key Compact Certificate
5. Advanced Features x
5.1. Secure Debug Authorization 5.2. HPS Debug Certificates 5.3. Platform Attestation 5.4. Using Design Security Features with Remote System Update 5.5. SDM Cryptographic Services
5.5. SDM Cryptographic Services x
5.5.1. Vendor Authorized Boot 5.5.2. Secure Data Object Service 5.5.3. SDM Cryptographic Primitive Services
1. Intel® Agilex® Device Security Overview
2. Authentication and Authorization
3. AES Bitstream Encryption
4. Device Provisioning
5. Advanced Features
6. Intel® Agilex™ Device Security User Guide Archives
7. Revision History for the Intel® Agilex® Device Security User Guide

4.8.1. AES Root Key Compact Certificate

You use the quartus_pfg command line tool to convert your AES root key .qek file into the compact certificate .ccert format. You specify the key storage location while creating the compact certificate. You may use the quartus_pfg tool to create an unsigned certificate for later signing. You must use a signature chain with the AES root key certificate signing permission, permission bit 6, enabled in order to successfully sign an AES root key compact certificate.

Run one of the following command examples to create an additional key pair used to sign AES key compact certificate. 
quartus_sign --family=agilex--operation=make_private_pem \
--curve=secp384r1 aesccert1_private.pem
quartus_sign --family=agilex --operation=make_public_pem \
aesccert1_private.pem aesccert1_public.pem>

pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token_label agilex-token --login --pin agilex-token-pin \
--keypairgen –mechanism ECDSA-KEY-PAIR-GEN \
--key-type EC:secp384r1 --usage-sign --label aesccert1 --id 2
Run one of the following commands to create a signature chain with the correct permission bit set. 
quartus_sign --family=agilex--operation=append_key \
--previous_pem=root_private.pem --previous_qky=root.qky \
--permission=0x40 --cancel=1 \
aesccert1_public.pem aesccert1_sign_chain.qky
quartus_sign --family=agilex--operation=append_key \
--module=softHSM –module_args="--token_label=agilex-token \
--user_pin=agilex-token-pin --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--previous_pem=root --previous_qky=root.qky \
--permission=0x40 --cancel=1 aesccert1 aesccert1_sign_chain.qky
Run one of the following commands to create an unsigned AES compact certificate depending on the desired AES root key storage location. 
//Create eFuse AES root key unsigned certificate 
quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY \ 
-o qek_file=aes.qek unsigned_efuse1.ccert 

//Create BBRAM AES root key unsigned certificate 
quartus_pfg --ccert -o ccert_type=BBRAM_WRAPPED_AES_KEY \
-o qek_file=aes.qek unsigned_bbram1.ccert
You use the quartus_sign command or reference implementation to sign the compact certificate. 
quartus_sign --family=agilex--operation=sign \
--pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky \
unsigned_<location>1.ccert signed_<location>1.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" --pem=aesccert1 \
--qky=aesccert1_sign_chain.qky \
unsigned_<location>1.ccert signed_<location>1.ccert
You use the Intel® Quartus® Prime Programmer to program the AES root key compact certificate to the Intel® Agilex® device via JTAG. The Quartus Programmer defaults to programming virtual eFuses when using the EFUSE_WRAPPED_AES_KEY compact certificate type. You add the --non_volatile_key option to specify programming physical fuses. 
//For physical (non-volatile) eFuse AES root key 
quartus_pgm -c 1 -m jtag -o "pi;signed_efuse1.ccert" --non_volatile_key  

//For virtual (volatile) eFuse AES root key 
quartus_pgm -c 1 -m jtag -o “pi;signed_efuse1.ccert”   

//For BBRAM AES root key  
Quartus_pgm -c 1 -m jtag -o “pi;signed_bbram1.ccert”

The SDM provision firmware and main firmware support AES root key certificate programming. You may also use the SDM mailbox interface from the FPGA fabric or HPS to program an AES root key certificate.

Level Two Title