Intel® Agilex™ Device Security User Guide

ID 683823
Date 10/31/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

4.5. Canceling Root Keys

Intel® Agilex® devices let you cancel the root key hashes when another uncanceled root key hash is present. You cancel a root key hash by first configuring the device with a design whose signature chain is rooted in a different root key hash, then program a signed root key hash cancellation compact certificate. You must sign the root key hash cancellation compact certificate with a signature chain rooted in the root key to be canceled.
Run the following command to generate an unsigned root key hash cancellation compact certificate:
quartus_pfg --ccert -o --ccert_type=CANCEL_KEY_HASH \
unsigned_root_cancel.ccert
Run one of the following commands to sign the unsigned root key hash cancellation compact certificate:
quartus_sign --family=agilex --operation=SIGN \
--qky=design0_sign_chain.qky \
--pem=design0_private.pem \
--cancel=svnA:0 \
unsigned_root_cancel.ccert signed_root_cancel.ccert
quartus_sign --family=agilex --operation=sign --module=softHSM \
--module_args="--token_label=agilex-token \
--user_pin=agilex-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--keyname=design0_sign \
--qky=design0_sign_chain.qky \
--cancel=svnA:0 \
unsigned_root_cancel.ccert signed_root_cancel.ccert

You may program a root key hash cancellation compact certificate via JTAG, FPGA, or HPS mailboxes.