Intel® Agilex™ Device Security User Guide

ID 683823
Date 11/09/2021
Public

2.1.4. Creating a Signature Chain Public Key Entry

You use the append_key operation to create a new public key entry for a signature chain. You specify the prior signature chain, the private key for the last entry in the prior signature chain, the next level public key, the permissions and cancellation ID you assign to the next level public key, and the new signature chain file.

Depending on your use of keys on the filesystem or in an HSM, you use one of the following example commands to append the design0_sign public key to the root signature chain created in the prior section.
quartus_sign --family=agilex --operation=append_key \
--previous_pem=root0_private.pem --previous_qky=root0.qky \
--permission=6 --cancel=0 design0_sign_public.pem \
design0_sign_chain.qky

quartus_sign --family=agilex --operation=append_key --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--previous_pem=root0 --previous_qky=root0.qky \
--permission=6 --cancel=0 design0_sign design0_sign_chain.qky

You may repeat the append_key operation up to two more times for a maximum of three public key entries between the root entry and header block entry in any one signature chain.

The following example assumes you created another authentication public key with the same permissions and assigned cancellation ID 1 called design1_sign_public.pem, and are appending this key to the signature chain from the previous example.
quartus_sign --family=agilex --operation=append_key \
--previous_pem=design0_sign_private.pem \
--previous_qky=design0_sign_chain.qky \
--permission=6 \
--cancel=1 design1_sign_public.pem design1_sign_chain.qky

quartus_sign --family=agilex --operation=append_key --module=softHSM \
--module_args="--token_label=agilex-token --user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--previous_pem=design0_sign \
--previous_qky=design0_sign_chain.qky \
--permission=6 \
--cancel=1 design1_sign design1_sign_chain.qky

Intel® Agilex™ devices support an additional key cancellation counter to facilitate the use of a key that may change periodically throughout the life of a given device. You may select this key cancellation counter by changing the argument of the --cancel option to pts:pts_value.
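The following script is an added example, not part of this guide or of the quartus_sign tool. It generalizes the append_key procedure above into a chain builder that emits one command per key, threads each new .qky and private key into the next step, enforces the limit of three appended public key entries per chain, and accepts either an integer cancellation ID or the pts:pts_value form for --cancel. The file naming convention (<name>_public.pem, <name>_private.pem, <name> as the HSM key label, <name>_chain.qky for the output), the chain-wide --permission value and the HSM_TOKEN, HSM_PIN and HSM_LIB environment variables are assumptions of this example. It prints the commands rather than running them; pipe its output to sh on a machine where quartus_sign is installed to execute them.

```shell
#!/bin/sh
# Added example (not part of the Intel guide or the quartus_sign tool):
# generates the append_key command lines for a whole signature chain,
# applying two rules from the guide: at most three appended public key
# entries per chain, and --cancel takes an integer ID or pts:<value>.
# It prints the commands instead of running them.

MAX_APPENDED_ENTRIES=3   # guide: up to three entries between root and header block

# File naming convention (assumption, matching the guide's examples):
#   <name>_public.pem / <name>_private.pem on the filesystem,
#   <name> as the HSM key label, and <name>_chain.qky as the output chain.

# validate_cancel ID: accept a non-negative integer or pts:<integer>
validate_cancel() {
  case "$1" in
    pts:*) vc_n=${1#pts:} ;;
    *)     vc_n=$1 ;;
  esac
  case "$vc_n" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# append_key_cmd MODE PREV_PEM PREV_QKY PERMISSION CANCEL NEW_KEY OUT_QKY
# MODE is "fs" (private key on disk) or "hsm" (SoftHSM; HSM_TOKEN, HSM_PIN
# and HSM_LIB must be set). Prints one quartus_sign command line.
append_key_cmd() {
  ak_mode=$1; ak_prev_pem=$2; ak_prev_qky=$3; ak_perm=$4
  ak_cancel=$5; ak_new_key=$6; ak_out=$7
  validate_cancel "$ak_cancel" || { echo "invalid --cancel value: $ak_cancel" >&2; return 1; }
  ak_tail="--previous_pem=$ak_prev_pem --previous_qky=$ak_prev_qky --permission=$ak_perm --cancel=$ak_cancel $ak_new_key $ak_out"
  case "$ak_mode" in
    fs)
      printf 'quartus_sign --family=agilex --operation=append_key %s\n' "$ak_tail" ;;
    hsm)
      if [ -z "$HSM_TOKEN" ] || [ -z "$HSM_PIN" ] || [ -z "$HSM_LIB" ]; then
        echo "hsm mode needs HSM_TOKEN, HSM_PIN and HSM_LIB" >&2; return 1
      fi
      printf 'quartus_sign --family=agilex --operation=append_key --module=softHSM --module_args="--token_label=%s --user_pin=%s --hsm_lib=%s" %s\n' \
        "$HSM_TOKEN" "$HSM_PIN" "$HSM_LIB" "$ak_tail" ;;
    *) echo "unknown mode: $ak_mode" >&2; return 1 ;;
  esac
}

# build_chain MODE ROOT_PEM ROOT_QKY PERMISSION NAME:CANCEL...
# Emits one append_key command per key, feeding each new chain file and
# private key into the next step; refuses more than MAX_APPENDED_ENTRIES keys.
build_chain() {
  bc_mode=$1; bc_prev_pem=$2; bc_prev_qky=$3; bc_perm=$4; shift 4
  if [ "$#" -gt "$MAX_APPENDED_ENTRIES" ]; then
    echo "a chain holds at most $MAX_APPENDED_ENTRIES appended entries; got $#" >&2
    return 1
  fi
  for bc_spec in "$@"; do
    bc_name=${bc_spec%%:*}; bc_cancel=${bc_spec#*:}
    if [ "$bc_mode" = fs ]; then
      bc_new_key="${bc_name}_public.pem"; bc_next_pem="${bc_name}_private.pem"
    else
      bc_new_key=$bc_name; bc_next_pem=$bc_name
    fi
    bc_out="${bc_name}_chain.qky"
    append_key_cmd "$bc_mode" "$bc_prev_pem" "$bc_prev_qky" "$bc_perm" \
      "$bc_cancel" "$bc_new_key" "$bc_out" || return 1
    bc_prev_pem=$bc_next_pem; bc_prev_qky=$bc_out
  done
}

# Reproduces the guide's two filesystem commands (design0_sign, then design1_sign):
build_chain fs root0_private.pem root0.qky 6 design0_sign:0 design1_sign:1
```

Run as written it prints the two filesystem commands from the section above; a third key such as design2_sign:pts:3 is accepted, a fourth is rejected before any command is emitted, so a chain that would exceed the device's limit is caught at build time rather than at signing time.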