Intel® Agilex™ Device Security User Guide

ID 683823
Date 11/22/2022
Public


4.9.1. AES Root Key Compact Certificate

You use the quartus_pfg command line tool to convert your AES root key .qek file into the compact certificate .ccert format. You specify the key storage location while creating the compact certificate. You may use the quartus_pfg tool to create an unsigned certificate for later signing. You must use a signature chain with the AES root key certificate signing permission, permission bit 6, enabled in order to successfully sign an AES root key compact certificate.

  1. Create an additional key pair to sign the AES key compact certificate, using one of the following command examples:
    # Key pair stored in PEM files
    quartus_sign --family=agilex --operation=make_private_pem \
    --curve=secp384r1 aesccert1_private.pem
    quartus_sign --family=agilex --operation=make_public_pem \
    aesccert1_private.pem aesccert1_public.pem
    
    # Key pair generated in a PKCS#11 token (SoftHSM)
    pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label agilex-token \
    --login --pin agilex-token-pin \
    --keypairgen --mechanism ECDSA-KEY-PAIR-GEN \
    --key-type EC:secp384r1 --usage-sign --label aesccert1 --id 2
  2. Create a signature chain with the correct permission bit set using one of the following commands:
    # Root key and new key in PEM files
    quartus_sign --family=agilex --operation=append_key \
    --previous_pem=root0_private.pem \
    --previous_qky=root0.qky \
    --permission=0x40 \
    --cancel=1 \
    --input_pem=aesccert1_public.pem \
    aesccert1_sign_chain.qky
    
    # Root key and new key in a PKCS#11 token (SoftHSM)
    quartus_sign --family=agilex --operation=append_key --module=softHSM \
    --module_args="--token_label=agilex-token \
    --user_pin=agilex-token-pin \
    --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
    --previous_keyname=root0 \
    --previous_qky=root0.qky \
    --permission=0x40 --cancel=1 \
    --input_keyname=aesccert1 \
    aesccert1_sign_chain.qky
  3. Create an unsigned AES compact certificate for the desired AES root key storage location. The following AES root key storage options are available:
    • EFUSE_WRAPPED_AES_KEY
    • IID_PUF_WRAPPED_AES_KEY
    • UDS_IID_PUF_WRAPPED_AES_KEY
    • BBRAM_WRAPPED_AES_KEY
    • BBRAM_IID_PUF_WRAPPED_AES_KEY
    • BBRAM_UDS_IID_PUF_WRAPPED_AES_KEY
    # Create eFuse AES root key unsigned certificate
    quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY \
    -o qek_file=aes.qek unsigned_efuse1.ccert
  4. Sign the compact certificate with the quartus_sign command or reference implementation.
    # Signing key in a PEM file
    quartus_sign --family=agilex --operation=sign \
    --pem=aesccert1_private.pem \
    --qky=aesccert1_sign_chain.qky \
    unsigned_<location>1.ccert signed_<location>1.ccert
    
    # Signing key in a PKCS#11 token (SoftHSM)
    quartus_sign --family=agilex --operation=sign --module=softHSM \
    --module_args="--token_label=agilex-token \
    --user_pin=agilex-token-pin \
    --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
    --keyname=aesccert1 \
    --qky=aesccert1_sign_chain.qky \
    unsigned_<location>1.ccert signed_<location>1.ccert
  5. Use the Intel® Quartus® Prime Programmer to program the AES root key compact certificate to the Intel® Agilex® device via JTAG. The Intel® Quartus® Prime Programmer defaults to programming virtual eFuses when using the EFUSE_WRAPPED_AES_KEY compact certificate type. Add the --non_volatile_key option to specify programming physical fuses.
    # For physical (non-volatile) eFuse AES root key
    quartus_pgm -c 1 -m jtag -o "pi;signed_efuse1.ccert" --non_volatile_key
    
    # For virtual (volatile) eFuse AES root key
    quartus_pgm -c 1 -m jtag -o "pi;signed_efuse1.ccert"
    
    # For BBRAM AES root key
    quartus_pgm -c 1 -m jtag -o "pi;signed_bbram1.ccert"
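
The following sketch is an added example, not Intel's code: it prints, rather than runs, the commands for steps 3 to 5 (PEM-file signing variant) and refuses to proceed when the storage type is not one of the six listed, when the permission mask lacks bit 6, or when physical fuse programming has not been explicitly enabled. The function names, the `ALLOW_PHYSICAL` variable, and the restriction of `--non_volatile_key` to `EFUSE_WRAPPED_AES_KEY` (the only type for which this page describes it) are assumptions.

```sh
#!/bin/sh
# Added example, not Intel code. Prints (does not run) steps 3-5 above.
# Flags and file names are from this page; function names and
# ALLOW_PHYSICAL are assumptions of this sketch.

CCERT_TYPES="EFUSE_WRAPPED_AES_KEY IID_PUF_WRAPPED_AES_KEY
UDS_IID_PUF_WRAPPED_AES_KEY BBRAM_WRAPPED_AES_KEY
BBRAM_IID_PUF_WRAPPED_AES_KEY BBRAM_UDS_IID_PUF_WRAPPED_AES_KEY"

# True only if the mask has permission bit 6 set (0x40 in step 2).
has_aes_ccert_permission() {
  [ $(( ($1 >> 6) & 1 )) -eq 1 ]
}

# True only for the six storage options listed in step 3.
is_valid_ccert_type() {
  local t
  for t in $CCERT_TYPES; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# plan_ccert TYPE TAG PERMISSION [virtual|physical]
# TAG fills the <location> part of the file names (efuse, bbram, ...).
plan_ccert() {
  local ctype="$1" tag="$2" perm="$3" target="${4:-virtual}" nv=""
  is_valid_ccert_type "$ctype" || { echo "unknown ccert_type: $ctype" >&2; return 2; }
  has_aes_ccert_permission "$perm" || { echo "permission $perm lacks bit 6" >&2; return 3; }
  if [ "$target" = physical ]; then
    # Assumption: the page describes --non_volatile_key only for this type.
    [ "$ctype" = EFUSE_WRAPPED_AES_KEY ] || { echo "physical target needs EFUSE_WRAPPED_AES_KEY" >&2; return 4; }
    # Physical fuses are opt-in so a copied command cannot select them by accident.
    [ "${ALLOW_PHYSICAL:-0}" = 1 ] || { echo "set ALLOW_PHYSICAL=1 for physical fuses" >&2; return 5; }
    nv=" --non_volatile_key"
  fi
  printf '%s\n' \
    "quartus_pfg --ccert -o ccert_type=$ctype -o qek_file=aes.qek unsigned_${tag}1.ccert" \
    "quartus_sign --family=agilex --operation=sign --pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky unsigned_${tag}1.ccert signed_${tag}1.ccert" \
    "quartus_pgm -c 1 -m jtag -o \"pi;signed_${tag}1.ccert\"$nv"
}

# Constructed sample call: virtual eFuse target, chain permission 0x40.
plan_ccert EFUSE_WRAPPED_AES_KEY efuse 0x40
```

Review the printed commands before pasting them into a shell; the sketch checks only the values passed to it, not the contents of the `.qky` chain itself.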

The SDM provision firmware and main firmware support AES root key certificate programming. You may also use the SDM mailbox interface from the FPGA fabric or HPS to program an AES root key certificate.