AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Download PDF
ID 683060
Date 3/29/2021
Public
Document Table of Contents
Document Table of Contents x
AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices
AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices x
Prerequisites References Secure Boot Stages Intel® Arria® 10 SoC Secure Boot Architecture Software Image Authentication Overview of the Secure Boot Flow Software Image Encryption Software Image Authentication and Encryption Intel® Arria® 10 SoC FPGA Authentication Signing Utility Secure Boot Examples Appendix A: Secure Boot Image Python Script: alt_authtool.py Appendix B: Frequently Asked Questions Document Revision History for the AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices
Secure Boot Stages x
Root of Trust First-Stage Boot Loader (ROM) Second-Stage Boot Loader Third and Fourth Stages
Software Image Authentication x
Digital Signing Root of Trust and Root Key Authentication of the Second-Stage Boot Loader Security Level Staging Signed Image Root Key Types Root Public Key Authentication Test Secure Boot Authentication Programming the Secure Signing Key Generating the Signing Key Pair with OpenSSL
Programming the Secure Signing Key x
Boot Image Signing Flow Boot Image Authentication
Overview of the Secure Boot Flow x
Creating a Secure Boot System
Software Image Encryption x
AES Encryption and Decryption Encrypting the Boot Image and Configuration File Boot Image Encryption Flow Programming the AES Encryption Key
Intel® Arria® 10 SoC FPGA Authentication Signing Utility x
Secure Boot Image Tool Boot Image Format Tool
Secure Boot Examples x
Prerequisites Creating a Signed First-Stage Boot Loader Image Creating an Encrypted First-Stage Boot Loader Image Creating a Signed and Encrypted First-Stage Boot Loader Image
Appendix B: Frequently Asked Questions x
What are the secure configurations for HPS JTAG debug and access? Can the HPS perform decryption of the boot image instead of the FPGA CSS? What happens if the first stage boot ROM is unsuccessful in authenticating the second-stage boot loader? Can you use the first-stage root key as the subsequent stage root key? When the second-stage image is authenticated, is the image header only copied to on-chip RAM for authentication? Can the AES encryption key be updated by the HPS using JTAG hosting? How does U-Boot (SSBL) authenticate next stage boot images? Which elliptical cryptography is used for boot image signing and authentication? How do I generate a signing key pair? Where can I store the signing keys for second-stage boot loader authentication? What type of cryptography is used for boot image encryption and decryption? What FPGA locations are available for AES key storage? How do I generate an AES key to encrypt a boot image? How is secure boot defined within the Intel® Arria® 10 SoC product family? What security choices are available for the second-stage boot image or user software? Where is the authentication of the boot image performed? Where is decryption of the boot image performed? How can I configure the Intel® Arria® 10 SoC device so that it always performs authentication or authentication and decryption? How can I program the key authentication key (KAK) into the Intel® Arria® 10 SoC device? How can I configure the second stage boot loader image for the correct authentication signing key type? How do I configure the second-stage boot loader image for encryption using the pre-generated AES key? Is the ECDSA private and public key pair that is used for signing the boot image also used for authentication of the FPGA image?
AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Creating an Encrypted First-Stage Boot Loader Image

The following example demonstrates how to perform the following tasks:

  • Create a secure encryption key for boot loader image authentication.
  • Generate and build an encrypted boot loader image with the secure encryption key, using the Intel® Arria® 10 SoC FPGA Authentication Signing Utility.
  • Demonstrate secure boot using the encrypted boot loader image from SD card
  1. Follow steps Step 1 and Step 2 for Bootloader generation as explained in the Creating a Signed First-Stage Boot Loader Image section.
  2. Retrieve the Secure Boot tools by cloning the git tree. 
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/\
software/bootloader/
mkdir secure_boot_tools
cd secure_boot_tools
git clone https://github.com/altera-opensource/\
alt-secure-boot
  3. Generate Encryption Key—Create a new file named as key_file.key, give a name to the encrypt key say "key1" and give a random 32 bytes of hex number to the key1 the contain looks like this: key1 0a0b0c0d0e0f1122334455667788990a0b0c0d0e0f112233445566778899aabb 
    touch key_file.key
echo key1 0a0b0c0d0e0f1122334455667788990a0b0c0d0e0f\
112233445566778899aabb > key_file.key
  4. Create ubootmkimage: 
    create u-boot_w_dtb-single-mkimage.bin
mkimage -T socfpgaimage_v1 -d  u-boot-spl-dtb.bin u-boot_w_dtb-single-mkimage.bin
  5. Encrypt image 
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/bootloader/
ln -s u-boot-socfpga/spl/u-boot-spl-dtb.bin

./u-boot-socfpga/tools/mkimage -T socfpgaimage_v1 -d\  
u-boot-spl-dtb.bin u-boot_w_dtb-single-mkimage.bin

~/intelFPGA_pro/20.4/nios2eds/nios2_command_shell.sh

python -B -E secure_boot_tools/alt-secure-boot/bin/alt_authtool.py\ 
encrypt -k key_file.key:key1 -i u-boot_w_dtb-single-mkimage.bin\ 
-o u-boot_w_dtb-encrypted.abin
  6. Generate the four copies of the image in one file:
    Note: Refer to your toolchain directory where you get the cross compiler. 
    ../../../../Toolchain/gcc-arm-10.2-2020.11-x86_64\
-arm-none-linux-gnueabihf/bin/arm-none-linux-gnueabihf-objcopy\ 
-I binary -O binary --gap-fill 0x00 --pad-to 0x40000\ 
u-boot_w_dtb-encrypted.abin u-boot_w_dtb-encrypted-256KB.abin

cat u-boot_w_dtb-encrypted-256KB.abin u-boot_w_dtb-encrypted-256KB.abin\ 
u-boot_w_dtb-encrypted-256KB.abin u-boot_w_dtb-encrypted-256KB.abin\ 
> u-boot_w_dtb-encrypted-x4.abin
  7. Program the Encryption key file (key_file.key) into the BBRAM on the board. 
    quartus_pgm --key "key_file.key:key1"\ 
ghrd_10as066n2.sof key.ekp
quartus_pgm -c 1 -m jtag -o p;key.ekp,10AS066H2ES -o
  8. Copy the u-boot_w_dtb-signed-x4.abin to the board flash:
    • SD/MMC—Use the A2 (raw) partition

      For more information about where to place this image, refer to the Intel® Arria® 10 SoC - Boot from SD Card section on RocketBoards.

    • QSPI
    • NAND
  9. Boot the board.
Related Information
Level Two Title