The documents mention an "unsecured root key" that doesn't need to be stored in the device and is supposed to be present in the boot header.
But I can't find any procedure to achieve this.
Sorry for the delay. But I couldn't find the procedure to place the KAK in the boot header in that document. I also noticed that it's mentioned we need to get an NDA to get the complete document. By any chance, does that document have the procedure I need, or are you referring to the publicly available document?
In AN759. You need Python and the secure boot tools (https://github.com/altera-opensource/alt-secure-boot):
python -B -E secure_boot_tools/alt-secure-boot/bin/alt_authtool.py sign -t user \
    -k root_key.pem -i u-boot_w_dtb-single-mkimage.bin -o u-boot_w_dtb-signed.abin
The User is the Unsecure key.