Can the HPS perform decryption of the boot image instead of the FPGA...

AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Download PDF

ID 683060

Date 3/29/2021

Version 20.4

Public

Visible to Intel only — GUID: wcz1499787390986

Ixiasoft

View Details

Document Table of Contents

Document Table of Contents x

AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices x

Prerequisites References Secure Boot Stages Intel® Arria® 10 SoC Secure Boot Architecture Software Image Authentication Overview of the Secure Boot Flow Software Image Encryption Software Image Authentication and Encryption Intel® Arria® 10 SoC FPGA Authentication Signing Utility Secure Boot Examples Appendix A: Secure Boot Image Python Script: alt_authtool.py Appendix B: Frequently Asked Questions Document Revision History for the AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Secure Boot Stages x

Root of Trust First-Stage Boot Loader (ROM) Second-Stage Boot Loader Third and Fourth Stages

Software Image Authentication x

Digital Signing Root of Trust and Root Key Authentication of the Second-Stage Boot Loader Security Level Staging Signed Image Root Key Types Root Public Key Authentication Test Secure Boot Authentication Programming the Secure Signing Key Generating the Signing Key Pair with OpenSSL

Programming the Secure Signing Key x

Boot Image Signing Flow Boot Image Authentication

Overview of the Secure Boot Flow x

Creating a Secure Boot System

Software Image Encryption x

AES Encryption and Decryption Encrypting the Boot Image and Configuration File Boot Image Encryption Flow Programming the AES Encryption Key

Intel® Arria® 10 SoC FPGA Authentication Signing Utility x

Secure Boot Image Tool Boot Image Format Tool

Secure Boot Examples x

Prerequisites Creating a Signed First-Stage Boot Loader Image Creating an Encrypted First-Stage Boot Loader Image Creating a Signed and Encrypted First-Stage Boot Loader Image

Appendix B: Frequently Asked Questions x

What are the secure configurations for HPS JTAG debug and access? Can the HPS perform decryption of the boot image instead of the FPGA CSS? What happens if the first stage boot ROM is unsuccessful in authenticating the second-stage boot loader? Can you use the first-stage root key as the subsequent stage root key? When the second-stage image is authenticated, is the image header only copied to on-chip RAM for authentication? Can the AES encryption key be updated by the HPS using JTAG hosting? How does U-Boot (SSBL) authenticate next stage boot images? Which elliptical cryptography is used for boot image signing and authentication? How do I generate a signing key pair? Where can I store the signing keys for second-stage boot loader authentication? What type of cryptography is used for boot image encryption and decryption? What FPGA locations are available for AES key storage? How do I generate an AES key to encrypt a boot image? How is secure boot defined within the Intel® Arria® 10 SoC product family? What security choices are available for the second-stage boot image or user software? Where is the authentication of the boot image performed? Where is decryption of the boot image performed? How can I configure the Intel® Arria® 10 SoC device so that it always performs authentication or authentication and decryption? How can I program the key authentication key (KAK) into the Intel® Arria® 10 SoC device? How can I configure the second stage boot loader image for the correct authentication signing key type? How do I configure the second-stage boot loader image for encryption using the pre-generated AES key? Is the ECDSA private and public key pair that is used for signing the boot image also used for authentication of the FPGA image?

AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Prerequisites

References

Secure Boot Stages

Root of Trust

First-Stage Boot Loader (ROM)

Second-Stage Boot Loader

Third and Fourth Stages

Intel® Arria® 10 SoC Secure Boot Architecture

Software Image Authentication

Digital Signing

Root of Trust and Root Key

Authentication of the Second-Stage Boot Loader

Security Level Staging

Signed Image

Root Key Types

Root Public Key Authentication

Test Secure Boot Authentication

Programming the Secure Signing Key

Boot Image Signing Flow

Boot Image Authentication

Generating the Signing Key Pair with OpenSSL

Overview of the Secure Boot Flow

Creating a Secure Boot System

Software Image Encryption

AES Encryption and Decryption

Encrypting the Boot Image and Configuration File

Boot Image Encryption Flow

Programming the AES Encryption Key

Software Image Authentication and Encryption

Intel® Arria® 10 SoC FPGA Authentication Signing Utility

Secure Boot Image Tool

Boot Image Format Tool

Secure Boot Examples

Prerequisites

Creating a Signed First-Stage Boot Loader Image

Creating an Encrypted First-Stage Boot Loader Image

Creating a Signed and Encrypted First-Stage Boot Loader Image

Appendix A: Secure Boot Image Python Script: alt_authtool.py

Appendix B: Frequently Asked Questions

What are the secure configurations for HPS JTAG debug and access?

Can the HPS perform decryption of the boot image instead of the FPGA CSS?

What happens if the first stage boot ROM is unsuccessful in authenticating the second-stage boot loader?

Can you use the first-stage root key as the subsequent stage root key?

When the second-stage image is authenticated, is the image header only copied to on-chip RAM for authentication?

Can the AES encryption key be updated by the HPS using JTAG hosting?

How does U-Boot (SSBL) authenticate next stage boot images?

Which elliptical cryptography is used for boot image signing and authentication?

How do I generate a signing key pair?

Where can I store the signing keys for second-stage boot loader authentication?

What type of cryptography is used for boot image encryption and decryption?

What FPGA locations are available for AES key storage?

How do I generate an AES key to encrypt a boot image?

How is secure boot defined within the Intel® Arria® 10 SoC product family?

What security choices are available for the second-stage boot image or user software?

Where is the authentication of the boot image performed?

Where is decryption of the boot image performed?

How can I configure the Intel® Arria® 10 SoC device so that it always performs authentication or authentication and decryption?

How can I program the key authentication key (KAK) into the Intel® Arria® 10 SoC device?

How can I configure the second stage boot loader image for the correct authentication signing key type?

How do I configure the second-stage boot loader image for encryption using the pre-generated AES key?

Is the ECDSA private and public key pair that is used for signing the boot image also used for authentication of the FPGA image?

Document Revision History for the AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Visible to Intel only — GUID: wcz1499787390986

Ixiasoft

View Details

Can the HPS perform decryption of the boot image instead of the FPGA CSS?

The HPS portion of the SoC does not support AES operations. It can only perform public key-based authentication. The HPS can, however, push the boot image into the FPGA CSS and perform the same decryption used in the FPGA configuration flow.

When decryption is complete, the CSS returns the image to the HPS and the HPS uses that image as the boot image. The HPS and FPGA share the same AES root key which is stored in efuse. The CSS uses a simple key derivation function, AES (efuse or BBRAM key, #constant) for the HPS and FPGA configuration images.

Level Two Title

Select Your Language

Using Intel.com Search

Quick Links

Recent Searches

Advanced Search

Only search in

AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Can the HPS perform decryption of the boot image instead of the FPGA CSS?