Intel® Agilex™ Device Security User Guide

ID 683823
Date 11/22/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

4.6. Programming Counter Fuses

You update the Security Version Number (SVN) and Pseudo Time Stamp (PTS) counter fuses using signed compact certificates.
Note: The SDM keeps track of the minimum counter value seen during a given configuration and does not accept counter increment certificates when the counter value is smaller than the minimum value. You must update all objects assigned to a counter and reconfigure the device prior to programming a counter increment compact certificate.
Run one of the following commands that corresponds to the counter increment certificate you want to generate.
quartus_pfg --ccert -o ccert_type=PTS_COUNTER -o counter=<-1:495> unsigned_pts.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_A -o counter=<-1:63> unsigned_svnA.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_B -o counter=<-1:63> unsigned_svnB.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_C -o counter=<-1:63> unsigned_svnC.ccert
quartus_pfg --ccert -o ccert_type=SVN_COUNTER_D -o counter=<-1:63> unsigned_svnD.ccert

A counter value of –1 creates a counter increment authorization certificate. Programming a counter increment authorization compact certificate enables you to program further unsigned counter increment certificates to update the respective counter. You use the quartus_sign tool to sign the counter compact certificates in a similar fashion to key cancellation ID compact certificates.

You may program a root key hash cancellation compact certificate via JTAG, FPGA , or HPS mailboxes.