Intel Agilex® 7 Device Security User Guide

ID 683823
Date 7/07/2023
Public

4.9.3.1. Black Key Provisioning Options

The black key provisioning options file is a text file passed to the Programmer through the quartus_pgm command. The file contains the information required to trigger black key provisioning.

The following is an example of the bkp_options.txt file:

bkp_cfg_id = 1
bkp_ip = 192.167.1.1
bkp_port = 10034
bkp_tls_ca_cert = root.cert
bkp_tls_prog_cert = prog.cert
bkp_tls_prog_key = prog_key.pem
bkp_tls_prog_key_pass = 1234
bkp_proxy_address = https://192.167.5.5:5000
bkp_proxy_user = proxy_user
bkp_proxy_password = proxy_password
Table 4. Black Key Provisioning Options
This table displays the options required to trigger black key provisioning.
Option Name Type Description
bkp_ip Required Specifies the IP address of the server running the black key provisioning service.
bkp_port Required Specifies the black key provisioning service port required to connect to the server.
bkp_cfg_id Required Identifies the black key provisioning configuration flow ID.

The black key provisioning service creates the black key provisioning configuration flows, which include an AES root key, desired eFuse settings, and other black key provisioning authorization options. The number assigned during the black key provisioning service setup identifies the black key provisioning configuration flow.

Note: Multiple devices may refer to the same black key provisioning service configuration flow.
bkp_tls_ca_cert Required The root TLS certificate used to identify the black key provisioning services to the Intel® Quartus® Prime Programmer (Programmer). A trusted Certificate Authority for the black key provisioning service instance issues this certificate.

If you run the Programmer on a computer with Microsoft® Windows® operating system (Windows), you must install this certificate in the Windows certificate store.

bkp_tls_prog_cert Required A certificate created for the instance of the black key provisioning Programmer (BKP Programmer). This is the HTTPS client certificate used to identify this BKP Programmer instance to the black key provisioning service. You must install and authorize this certificate in the black key provisioning service prior to initiating a black key provisioning session.

If you run the Programmer on Windows, this option is not available. In this case, the bkp_tls_prog_key already includes this certificate.

bkp_tls_prog_key Required The private key corresponding to the BKP Programmer certificate. The key validates the identity of the BKP Programmer instance to the black key provisioning service.

If you run the Programmer on Windows, the .pfx file combines the bkp_tls_prog_cert certificate and the private key. The bkp_tls_prog_key option passes the .pfx file in the bkp_options.txt file.

bkp_tls_prog_key_pass Optional The password for the bkp_tls_prog_key private key. Not required in the black key provisioning configuration options (bkp_options.txt) text file.
bkp_proxy_address Optional Specifies the proxy server URL address.
bkp_proxy_user Optional Specifies the proxy server username.
bkp_proxy_password Optional Specifies the proxy authentication password.
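
The following pre-flight check for a bkp_options.txt file is an added example, not part of the Intel user guide or the Quartus tools. It checks the option names and Required/Optional types from Table 4, applies the Windows exception for bkp_tls_prog_cert, and flags passwords stored in the file. The function names, the finding strings, and the assumption that the file holds only "name = value" lines are hypothetical.

```python
import ipaddress

# Option names and Required/Optional types are taken from the table above.
REQUIRED = {"bkp_ip", "bkp_port", "bkp_cfg_id", "bkp_tls_ca_cert",
            "bkp_tls_prog_cert", "bkp_tls_prog_key"}
OPTIONAL = {"bkp_tls_prog_key_pass", "bkp_proxy_address",
            "bkp_proxy_user", "bkp_proxy_password"}
SECRETS = {"bkp_tls_prog_key_pass", "bkp_proxy_password"}

# Constructed sample: one misspelled option name and an inline key password.
SAMPLE = """bkp_cfg_id = 1
bkp_ip = 192.167.1.1
bkp_port = 10034
bkp_tls_ca_cert = root.cert
bkp_tls_prog_cert = prog.cert
bkp_tlx_prog_key = prog_key.pem
bkp_tls_prog_key_pass = 1234
"""

def parse_options(text):
    """Parse 'name = value' lines (assumed syntax) into a dict."""
    opts = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            name, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"line {n}: expected 'name = value'")
            opts[name.strip()] = value.strip()
    return opts

def lint_options(text, windows=False):
    """Return findings; on Windows the .pfx key file already holds the cert."""
    opts = parse_options(text)
    required = REQUIRED - ({"bkp_tls_prog_cert"} if windows else set())
    out = [f"unknown option: {k}" for k in sorted(set(opts) - REQUIRED - OPTIONAL)]
    out += [f"missing required option: {k}" for k in sorted(required - set(opts))]
    if "bkp_ip" in opts:
        try:
            ipaddress.ip_address(opts["bkp_ip"])
        except ValueError:
            out.append("bkp_ip is not a valid IP address")
    port = opts.get("bkp_port")
    if port is not None and not (port.isdecimal() and 0 < int(port) < 65536):
        out.append("bkp_port is not a valid port number")
    out += [f"plaintext secret in file: {k}" for k in sorted(SECRETS & set(opts))]
    return out

if __name__ == "__main__":
    print("\n".join(lint_options(SAMPLE)))
```

Run against the example file shown at the top of this section, the check reports only the two password options, which is a cue to restrict read access to the file.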