AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

ID 683060
Date 3/29/2021
Public
Document Table of Contents

AES Encryption and Decryption

The Intel® Arria® 10 SoC device family supports secure boot with Advanced Encryption Standard (AES) encryption with a 256 bit key length. AES is a symmetric-key algorithm. AES decryption support is provided by the CSS in the FPGA portion of the device. AES decryption is enabled through user fuse settings and software programming.

For information about the CSS, refer to the SoC Security chapter in the Intel® Arria® 10 Hard Processor System Technical Reference Manual.

Figure 9. AES Encryption and Decryption

The FPGA portion of the secured device has a dedicated decryption block that uses the AES algorithm to decrypt the boot loader image with a 256 bit AES key that you define. Before receiving the encrypted data, you must write the 256 bit key that you define into the device.

The AES algorithm is a symmetrical block cipher that encrypts and decrypts data in blocks of 256 bits. The decryption block uses the AES algorithm to decrypt the boot loader image and configuration data before configuring the FPGA portion of the device. If encryption is not used, the AES decryptor is bypassed.

Figure 10. Encrypted Second-Stage Boot Loader and the AES Decryptor