Intel Agilex® 7 Device Security User Guide

ID 683823
Date 7/07/2023
Public

2.1.2. Creating Authentication Key Pairs in SoftHSM

The SoftHSM examples in this chapter are self-consistent. Certain parameters depend on your SoftHSM installation and on how you initialize a token within SoftHSM.

The quartus_sign tool depends on the PKCS #11 API library from your HSM.

The examples in this section assume that the SoftHSM library is installed to one of the following locations:
  • /usr/local/lib/softhsm2.so on Linux
  • C:\SoftHSM2\lib\softhsm2.dll on 32-bit versions of Windows
  • C:\SoftHSM2\lib\softhsm2-x64.dll on 64-bit versions of Windows
Initialize a token within SoftHSM using the softhsm2-util tool:
softhsm2-util --init-token --label agilex-token --pin agilex-token-pin \
--so-pin agilex-so-pin --free

The option parameters, particularly the token label and token PIN, are examples used throughout this chapter. Intel recommends that you follow the instructions from your HSM vendor to create and manage tokens and keys.

You create authentication key pairs using the pkcs11-tool utility to interact with the token in SoftHSM. Instead of explicitly referring to the private and public key .pem files, as in the file system examples, you refer to the key pair by its label, and the tool selects the appropriate key automatically.

Run the following commands to create a key pair used as the root key in later examples as well as a key pair used as a design signing key in the signature chain:
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label agilex-token --login --pin agilex-token-pin --keypairgen \
--mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign \
--label root0 --id 0
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label agilex-token --login --pin agilex-token-pin --keypairgen \
--mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign \
--label design0_sign --id 1
Note: The ID option in this step must be unique to each key, but it is used only by the HSM. This ID option is unrelated to the key cancellation ID assigned in the signature chain.
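After generating the two key pairs, a practitioner typically confirms that the token holds what the signature chain expects. The following Python is an added example, not part of the Intel guide or the pkcs11-tool project: it parses the output of pkcs11-tool --list-objects and checks that each expected label has a private and a public half, that the private key carries sign usage, that the curve is secp384r1 (DER-encoded OID 1.3.132.0.34), and that no HSM ID is shared between key pairs, as the note above requires. The listing is constructed sample text in the layout pkcs11-tool prints, and the function names are this example's own.

```python
# Constructed sample of `pkcs11-tool --list-objects` output for agilex-token (not real captured output).
SAMPLE_LISTING = """\
Private Key Object; EC
  label:      root0
  ID:         00
  Usage:      sign
Public Key Object; EC  EC_POINT 384 bits
  EC_PARAMS:  06052b81040022
  label:      root0
  ID:         00
Private Key Object; EC
  label:      design0_sign
  ID:         01
  Usage:      sign
Public Key Object; EC  EC_POINT 384 bits
  EC_PARAMS:  06052b81040022
  label:      design0_sign
  ID:         01
"""
SECP384R1_PARAMS = "06052b81040022"  # DER-encoded OID 1.3.132.0.34 (secp384r1)

def parse_objects(listing: str) -> list[dict[str, str]]:  # one attribute dict per object
    objects = []
    for line in listing.splitlines():
        if not line.startswith(" ") and "Object;" in line:  # e.g. "Private Key Object; EC"
            objects.append({"class": line.split(";")[0]})
        elif line.startswith(" ") and ":" in line and objects:  # indented "attr: value" lines
            key, value = line.strip().split(":", 1)
            objects[-1][key] = value.strip()
    return objects

def check_signing_keys(listing: str, expected: dict[str, str]) -> list[str]:  # label -> HSM ID
    objs = parse_objects(listing)
    problems, by_label, id_labels = [], {}, {}
    for o in objs:
        by_label.setdefault(o.get("label", ""), []).append(o)
        id_labels.setdefault(o.get("ID", ""), set()).add(o.get("label", ""))
    for label, kid in expected.items():
        halves = by_label.get(label, [])
        if {o["class"] for o in halves} != {"Private Key Object", "Public Key Object"}:
            problems.append(f"{label}: incomplete key pair")
        for o in halves:
            if o.get("ID") != kid:
                problems.append(f"{label}: ID {o.get('ID')} != expected {kid}")
            if o["class"] == "Private Key Object" and "sign" not in o.get("Usage", ""):
                problems.append(f"{label}: private key lacks sign usage")
            if o["class"] == "Public Key Object" and o.get("EC_PARAMS") != SECP384R1_PARAMS:
                problems.append(f"{label}: public key curve is not secp384r1")
    problems += [f"ID {k} shared by {sorted(v)}" for k, v in id_labels.items() if len(v) > 1]  # IDs unique per pair
    return problems
```

Feed it the real listing from your token (pkcs11-tool --module ... --token-label agilex-token --login --list-objects) with expected set to {"root0": "00", "design0_sign": "01"}; an empty result means the token matches this section's key layout.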