Intel Agilex® 7 Device Security User Guide

ID 683823
Date 7/07/2023
Public

4.9.2.2. Wrapping the AES Root Key

You generate the IID PUF wrapped AES root key .wkey file by sending a signed certificate to the SDM.

You can use the Intel® Quartus® Prime Programmer to automatically generate, sign, and send the certificate to wrap your AES root key, or you may use the Intel® Quartus® Prime Programming File Generator to generate an unsigned certificate. You sign the unsigned certificate using your own tools or the Quartus signing tool. You then use the Programmer to send the signed certificate and wrap your AES root key. The signed certificate may be used to program all devices that can validate the signature chain.

Figure 8. Wrapping the AES Key Using the Intel® Quartus® Prime Programmer
  1. You may generate the IID PUF wrapped AES root key (.wkey) with the Programmer using the following arguments:
    • The .qky file containing a signature chain with AES root key certificate permission
    • The private .pem file for the last key in the signature chain
    • The .qek file holding the AES root key
    • The 16-byte initialization vector (iv), given as 32 hexadecimal digits.
    quartus_pgm -c 1 -m jtag --qky_file=aes0_sign_chain.qky \
    --pem_file=aes0_sign_private.pem --qek_file=aes.qek \
    --iv=1234567890ABCDEF1234567890ABCDEF -o "ei;aes.wkey;AGFB014R24A"
  2. Alternatively, you may generate an unsigned IID PUF wrapping AES root key certificate with the Programming File Generator using the following arguments:
    quartus_pfg --ccert -o ccert_type=IID_PUF_WRAPPED_AES_KEY \
    -o qek_file=aes.qek --iv=1234567890ABCDEF1234567890ABCDEF unsigned_aes.ccert
  3. You sign the unsigned certificate with your own signing tools or the quartus_sign tool using the following command:
    quartus_sign --family=agilex --operation=sign \
    --qky=aes0_sign_chain.qky --pem=aes0_sign_private.pem \
    unsigned_aes.ccert signed_aes.ccert
  4. You then use the Programmer to send the signed AES certificate and return the wrapped key (.wkey) file:
    quartus_pgm -c 1 -m jtag --ccert_file=signed_aes.ccert \
    -o "ei;aes.wkey;AGFB014R24A"
    Note: The i operation in the -o argument is not necessary if you previously loaded the provision firmware helper image, for example, to enroll the PUF.
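The following script, added here as an illustration and not part of Intel's tooling, drives steps 2 to 4 above (unsigned certificate, signing, sending with the Programmer) with the input checks a practitioner would want before touching a device: the three input files must exist and the IV must be exactly 16 bytes written as 32 hex digits. It also generates a fresh random IV so the example value from this guide is never reused in production. The function names, the DRY_RUN switch (which only prints the commands so the flow can be rehearsed without hardware) and the optional OPS argument are assumptions of this example; the Quartus command lines themselves are the ones shown in the steps above.

```shell
#!/bin/sh
# Added example (not Intel's code): wraps steps 2-4 of section 4.9.2.2.
# Assumes quartus_pfg, quartus_sign and quartus_pgm are on PATH; with
# DRY_RUN=1 the commands are only printed.

# check_iv HEX: succeed only if HEX is exactly 16 bytes as 32 hex digits.
check_iv() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# new_iv: print a fresh random 16-byte IV in upper-case hex, so the
# documentation's example IV never ends up in a production certificate.
new_iv() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# run CMD ARGS...: echo the command, then execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# wrap_aes_key QEK QKY PEM IV CABLE DEVICE WKEY [OPS]
#   QEK     .qek file holding the AES root key
#   QKY     signature chain with AES root key certificate permission
#   PEM     private key of the last key in that chain
#   IV      16-byte IV as 32 hex digits
#   CABLE   quartus_pgm -c cable index
#   DEVICE  part number, e.g. AGFB014R24A
#   WKEY    output .wkey file
#   OPS     programmer operations, default "ei"; drop the i when the
#           provision firmware helper image is already loaded (see the Note)
# Returns 2 for a missing input file, 3 for a malformed IV, otherwise the
# exit status of the first failing Quartus command.
wrap_aes_key() {
    qek=$1 qky=$2 pem=$3 iv=$4 cable=$5 device=$6 wkey=$7 ops=${8:-ei}
    for f in "$qek" "$qky" "$pem"; do
        [ -f "$f" ] || { echo "wrap_aes_key: missing input $f" >&2; return 2; }
    done
    check_iv "$iv" || { echo "wrap_aes_key: IV must be 32 hex digits" >&2; return 3; }

    # Step 2: unsigned IID PUF wrapping certificate from the .qek and IV.
    run quartus_pfg --ccert -o ccert_type=IID_PUF_WRAPPED_AES_KEY \
        -o qek_file="$qek" --iv="$iv" unsigned_aes.ccert || return

    # Step 3: sign it with the last key in the signature chain.
    run quartus_sign --family=agilex --operation=sign \
        --qky="$qky" --pem="$pem" unsigned_aes.ccert signed_aes.ccert || return

    # Step 4: send the signed certificate; the SDM returns the wrapped key.
    run quartus_pgm -c "$cable" -m jtag --ccert_file=signed_aes.ccert \
        -o "${ops};${wkey};${device}"
}

# Example call (rehearse with DRY_RUN=1 before running against a device):
#   wrap_aes_key aes.qek aes0_sign_chain.qky aes0_sign_private.pem \
#       "$(new_iv)" 1 AGFB014R24A aes.wkey
```

Keep the private .pem and the .qek on the signing host only; the unsigned and signed .ccert files are what move between the generation, signing and programming steps, which is what allows the signing to happen with your own tools or an HSM-backed key.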