Hello,
Yes, the FPGA is compatible for design encryption.
If you are using the quartus_pfg command line tool to convert your AES root key .qek file into the compact certificate .ccert format. You need to specify the key storage location while creating the compact certificate. You may use the quartus_pfg tool to create an unsigned certificate for later signing. You must use a signature chain with the AES root key certificate signing permission, permission bit 6, enabled in order to successfully sign an AES root key compact certificate.
1. Create an additional key pair used to sign AES key compact certificate using one of the following command examples:
quartus_sign --family=stratix10 --operation=make_private_pem \
--curve=secp384r1 aesccert1_private.pem
quartus_sign --family=stratix10 --operation=make_public_pem \
aesccert1_private.pem aesccert1_public.pem
pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label s10-token --login --pin s10-token-pin \
--keypairgen –mechanism ECDSA-KEY-PAIR-GEN \
--key-type EC:secp384r1 --usage-sign --label aesccert1 --id 2
2. Create a signature chain with the correct permission bit set using one of the following commands:
quartus_sign --family=stratix10 --operation=append_key \
--previous_pem=root_private.pem \
--previous_qky=root.qky \
--permission=0x40 --cancel=1 \
--input_pem=aesccert1_public.pem \
aesccert1_sign_chain.qky
quartus_sign --family=stratix10 --operation=append_key --module=softHSM \
-–module_args="--token_label=s10-token \
--user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--previous_keyname=root \
--previous_qky=root.qky \
--permission=0x40 --cancel=1 \
--input_keyname=aesccert1 \
aesccert1_sign_chain.qky
regards,
Farabi
New Contributor
