Visible to Intel only — GUID: sqw1499777198790
Ixiasoft
Prerequisites
References
Secure Boot Stages
Intel® Arria® 10 SoC Secure Boot Architecture
Software Image Authentication
Overview of the Secure Boot Flow
Software Image Encryption
Software Image Authentication and Encryption
Intel® Arria® 10 SoC FPGA Authentication Signing Utility
Secure Boot Examples
Appendix A: Secure Boot Image Python Script: alt_authtool.py
Appendix B: Frequently Asked Questions
Document Revision History for the AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices
What are the secure configurations for HPS JTAG debug and access?
Can the HPS perform decryption of the boot image instead of the FPGA CSS?
What happens if the first stage boot ROM is unsuccessful in authenticating the second-stage boot loader?
Can you use the first-stage root key as the subsequent stage root key?
When the second-stage image is authenticated, is the image header only copied to on-chip RAM for authentication?
Can the AES encryption key be updated by the HPS using JTAG hosting?
How does U-Boot (SSBL) authenticate next stage boot images?
Which elliptical cryptography is used for boot image signing and authentication?
How do I generate a signing key pair?
Where can I store the signing keys for second-stage boot loader authentication?
What type of cryptography is used for boot image encryption and decryption?
What FPGA locations are available for AES key storage?
How do I generate an AES key to encrypt a boot image?
How is secure boot defined within the Intel® Arria® 10 SoC product family?
What security choices are available for the second-stage boot image or user software?
Where is the authentication of the boot image performed?
Where is decryption of the boot image performed?
How can I configure the Intel® Arria® 10 SoC device so that it always performs authentication or authentication and decryption?
How can I program the key authentication key (KAK) into the Intel® Arria® 10 SoC device?
How can I configure the second stage boot loader image for the correct authentication signing key type?
How do I configure the second-stage boot loader image for encryption using the pre-generated AES key?
Is the ECDSA private and public key pair that is used for signing the boot image also used for authentication of the FPGA image?
Visible to Intel only — GUID: sqw1499777198790
Ixiasoft
What are the secure configurations for HPS JTAG debug and access?
Two efuse bits, dbg_disable_access and dbg_lock_JTAG, control the secure JTAG debug configurations. You can read the programmed efuse values for your device through the HPS_fusesec register. A bit value of 1 in the HPS_fusesec register represents a "blown" fuse state and a 0 represents an "unblown" fuse state.
The table below describes the possible HPS configurations with JTAG. The dbg_access_f and dbg_lock_JTAG columns reflect the efuse value of these bits in the HPS_fusesec register. If both efuse are unblown then after the device exits reset, full JTAG access is possible. This configuration is the default configuration.
| JTAG Configuration | dbg_disable_access | dbg_lock_JTAG | Description |
|---|---|---|---|
| HPS JTAG include | 0 | 1 |
|
| HPS JTAG exclude | 1 | 1 | Permanently exclude the HPS from the JTAG chain. |
| Default | 0 | 0 | Enable JTAG with software debug programmability. |