Knowledge Base Article

Why does quartus_sign fail to generate a signed ccert for Agilex™ 7 FPGA when running an AES root key provisioning command?

Description

When running the quartus_sign command for Agilex™ 7 AES Root Key Provisioning, Quartus® Prime Pro Software fails with Error (20354).

Running the following two commands fails:

## Create an unsigned AES compact certificate for the desired AES root key storage location:

quartus_pfg --ccert -o ccert_type=EFUSE_WRAPPED_AES_KEY -o password=passphrase.txt -o qek_file=aes_root.qek unsigned_efuse1.ccert

## Sign the compact certificate with the quartus_sign command or reference implementation:

quartus_sign --family=agilex7 --operation=sign --pem=aesccert1_private.pem --qky=aesccert1_sign_chain.qky unsigned_efuse1.ccert signed_efuse1.ccert

Resolution

Set --permission=0x40 in the quartus_sign append_key command that creates the signature chain (aesccert1_sign_chain.qky).

The full command is:

quartus_sign --family=agilex --operation=append_key \
  --previous_pem=root0_private.pem \
  --previous_qky=root0.qky \
  --permission=0x40 \
  --cancel=1 \
  --input_pem=aesccert1_public.pem \
  aesccert1_sign_chain.qky
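Added example, not part of the original article or of the Quartus tooling: a pre-flight check that scans a provisioning script and flags any compact certificate signed with a chain whose append_key step did not carry permission 0x40. The function names and the sample script (including the value 6) are constructed for illustration, and treating --permission as a bitmask is an assumption.

```python
import shlex

AES_CCERT_PERMISSION = 0x40  # value the article says the signing key needs

def quartus_sign_calls(script_text):
    """Join backslash-continued lines and yield the argv of each quartus_sign call."""
    joined = script_text.replace("\\\n", " ")
    for line in joined.splitlines():
        argv = shlex.split(line, comments=True)  # '#' comment lines become []
        if argv and argv[0] == "quartus_sign":
            yield argv

def split_options(argv):
    """Return ({--name: value}, [positional args]) for one command line."""
    opts = dict(a.split("=", 1) for a in argv[1:] if a.startswith("--") and "=" in a)
    positional = [a for a in argv[1:] if not a.startswith("--")]
    return opts, positional

def lint(script_text):
    """Report .ccert signing steps whose chain lacks the 0x40 permission."""
    chain_permission = {}  # chain .qky file -> permission given at append_key
    findings = []
    for argv in quartus_sign_calls(script_text):
        opts, pos = split_options(argv)
        op = opts.get("--operation")
        if op == "append_key" and pos:
            # Assumption: permission is a bitmask; int(..., 0) accepts 0x40 or 64.
            chain_permission[pos[-1]] = int(opts.get("--permission", "0"), 0)
        elif op == "sign" and pos and pos[0].endswith(".ccert"):
            qky = opts.get("--qky")
            if qky not in chain_permission:
                findings.append(f"{qky}: chain not created in this script, permission unknown")
            elif not chain_permission[qky] & AES_CCERT_PERMISSION:
                findings.append(f"{qky}: permission {chain_permission[qky]:#x} lacks 0x40, "
                                f"signing {pos[0]} is expected to fail")
    return findings

# Constructed sample input: the article's two quartus_sign steps, wrong permission.
BAD_SCRIPT = """\
quartus_sign --family=agilex --operation=append_key \\
  --previous_pem=root0_private.pem --previous_qky=root0.qky \\
  --permission=6 --cancel=1 --input_pem=aesccert1_public.pem \\
  aesccert1_sign_chain.qky
quartus_sign --family=agilex7 --operation=sign --pem=aesccert1_private.pem \\
  --qky=aesccert1_sign_chain.qky unsigned_efuse1.ccert signed_efuse1.ccert
"""
GOOD_SCRIPT = BAD_SCRIPT.replace("--permission=6", "--permission=0x40")

if __name__ == "__main__":
    print(lint(BAD_SCRIPT), lint(GOOD_SCRIPT))
```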

Additional Information

Please refer to Intel Agilex™ 7 FPGA Device Security User Guide page 33 for more details. 

Updated 6 days ago
Version 3.0