Forum Discussion

grspbr's avatar
grspbr
Icon for Occasional Contributor rankOccasional Contributor
1 year ago
Solved

quartus_sign fails to generate signed ccert

Following Intel Agilex® 7 Device Security User Guide for AES Root Key Provisioning, the quartus_sign command fails with Error (20354) but this is no help. Executing the following two commands fails on the second command - all the necessary input files have been generated successfully:

## Create an unsigned AES compact certificate for the desired AES root key storage location:

quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY -o password=passphrase.txt -o qek_file=aes_root.qek unsigned_efuse1.ccert

## Sign the compact certificate with the quartus_sign command or reference implementation:
quartus_sign --family=agilex7 --operation=sign --pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky unsigned_efuse1.ccert signed_efuse1.ccert
Hdl
  • grspbr's avatar
    grspbr
    1 year ago

    Hi @Farabi , I was able to get help from Intel via our FAE. Basically the answer was the permission settings (should have been 0x40) which are part of the "Security Methodology for Intel FPGAs and Structured ASICs User Guide". However, this document is restricted. But for others reading this post, the correct settings were actually part of the " Intel Agilex® 7 Device Security User Guide", Page 33.

    I will close this case. Thank you.

6 Replies

  • Farabi's avatar
    Farabi
    Icon for Regular Contributor rankRegular Contributor
    1 year ago

    Hello,


    Sorry for late reply. I am still checking with our internal team to get the details of this error.

    I will get back to you asap when I have the information.


    regards,

    Farabi


    • grspbr's avatar
      grspbr
      Icon for Occasional Contributor rankOccasional Contributor
      1 year ago

      I'm looking forward to your response. We are quite stalled on this. Thanks!

    • grspbr's avatar
      grspbr
      Icon for Occasional Contributor rankOccasional Contributor
      1 year ago

      Hello @Farabi , I have not heard from you and we still have this problem. We are going to be shipping our product in about a month and need a resolution. I look forward to hearing from you.

  • grspbr's avatar
    grspbr
    Icon for Occasional Contributor rankOccasional Contributor
    1 year ago

    By the way, there is a case number for this that has been opened by our FAE: 00885849

  • grspbr's avatar
    grspbr
    Icon for Occasional Contributor rankOccasional Contributor
    1 year ago

    Hi @Farabi , I was able to get help from Intel via our FAE. Basically the answer was the permission settings (should have been 0x40) which are part of the "Security Methodology for Intel FPGAs and Structured ASICs User Guide". However, this document is restricted. But for others reading this post, the correct settings were actually part of the " Intel Agilex® 7 Device Security User Guide", Page 33.

    I will close this case. Thank you.

  • Farabi's avatar
    Farabi
    Icon for Regular Contributor rankRegular Contributor
    1 year ago

    KDB(Knowledge Database) has been established to share the solution to more users. I am transferring this case to community back to open access for community support.