Hard Processor System Technical Reference Manual: Agilex™ 5 SoCs

ID 814346
Date 7/19/2024
Public
Document Table of Contents

A.3.5. HPS Secure Boot

The SDM provides several cryptographic services that may be used by HPS software to implement a secure boot after the FSBL. Vendor Authorized Boot allows the HPS to request authentication and validation of HPS software according to the security state stored in the SDM. The HPS can use the Secure Data Object Storage to provide device-unique encryption of small data objects, such as encryption keys or passwords used for disk encryption. Finally, the HPS can utilize SDM cryptographic primitive services for other encryption, hashing, or elliptic curve digital signature operations.

The SDM applies bitstream security policies to the FSBL, then places the FSBL in HPS OCRAM and releases the HPS from reset. The bidirectional bridge between the SDM and the HPS allows the SDM to control the HPS reset. The HPS may use this bridge to transfer data used for cryptographic services provided by the SDM.