Visible to Intel only — GUID: yvf1616566358315
Ixiasoft
Visible to Intel only — GUID: yvf1616566358315
Ixiasoft
4.4. Programming Key Cancellation ID Fuses
Starting with Intel® Quartus® Prime Pro Edition software version 21.1, programming Intel and owner key cancellation ID fuses requires the use of a signed compact certificate. You may sign the key cancellation ID compact certificate with a signature chain that has FPGA section signing permissions. You create the compact certificate with the programming file generator command line tool. You sign the unsigned certificate using the quartus_sign tool or reference implementation.
The following examples create an Intel key cancellation certificate for Intel key ID 7. You may replace 7 with the applicable Intel key cancellation ID from 0-31.
quartus_pfg --ccert -o ccert_type=CANCEL_INTEL_KEY -o cancel_key=7 \ unsigned_cancel_intel7.ccert
quartus_sign --family=stratix10 --operation=SIGN \ --qky=design0_sign_chain.qky \ --pem=design0_private.pem \ unsigned_cancel_intel7.ccert signed_cancel_intel7.ccert
quartus_sign --family=stratix10 --operation=sign --module=softHSM \ --module_args="--token_label=s10-token \ --user_pin=s10-token-pin \ --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \ --keyname=design0_sign \ --qky=design0_sign_chain.qky \ unsigned_cancel_intel7.ccert signed_cancel_intel7.ccert
quartus_pfg --ccert -o ccert_type=CANCEL_OWNER_KEY \ -o cancel_key=2 \ unsigned_cancel_owner2.ccert
quartus_sign --family=stratix10 --operation=SIGN \ --qky=design0_sign_chain.qky \ --pem=design0_private.pem \ unsigned_cancel_owner2.ccert signed_cancel_owner2.ccert
quartus_sign --family=stratix10 --operation=sign --module=softHSM \ --module_args="--token_label=s10-token \ --user_pin=s10-token-pin \ --hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \ --keyname=design0_sign \ --qky=design0_sign_chain.qky \ unsigned_cancel_owner2.ccert signed_cancel_owner2.ccert
//For physical (non-volatile) eFuses quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_intel7.ccert" --non_volatile_key quartus_pgm -c 1 -m jtag -o “pi;signed_cancel_owner2.ccert” --non_volatile_key
//For virtual (volatile) eFuses quartus_pgm -c 1 -m jtag -o "pi;signed_cancel_intel7.ccert" quartus_pgm -c 1 -m jtag -o “pi;signed_cancel_owner2.ccert”
You may additionally send the compact certificate to the SDM using the FPGA or HPS mailbox interface.