AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Download
ID 683060
Date 3/29/2021
Public
Document Table of Contents

Appendix A: Secure Boot Image Python Script: alt_authtool.py

Secure Boot Image Tool Usage for Boot Image Authentication (Signing)

python -E -B alt_authtool.py --help
usage: 
  python -E -B alt_authtool.py sign [-h] \
    --inputfile INPUTFILE --outputfile OUTPUTFILE \
    [--fuseout FUSEOUT] [--pubkeyout PUBKEYOUT] \
    [--rootkey-type {fuse,fpga,user}] \
    [--keypair KEYPAIR] \
    [--fpga-key-offset FPGA_KEY_OFFSET]

Sign a bootloader image to allow BootROM verification

optional arguments:
  -h, --help            show this help message and exit
  --inputfile INPUTFILE, -i INPUTFILE
                        Bootloader image to sign
  --outputfile OUTPUTFILE, -o OUTPUTFILE
                        Signed output image
  --fuseout FUSEOUT, -fo FUSEOUT
                        Hash of root public key, to be burned into device
                        fuses
  --pubkeyout PUBKEYOUT, -pko PUBKEYOUT
                        Root public key in raw data form. This data may then
                        be built into the FPGA image for usage with 
                        --rootkey-type=fpga
  --rootkey-type {fuse,fpga,user}, -t {fuse,fpga,user}
                        The trusted root key's type. (default: fuse) 'fuse':
                        embed root pubkey in image. BootROM verifies its hash
                        against device fuses. 'fpga': fetch trusted root
                        pubkey from location in FPGA memory. 'user': embed
                        root pubkey in image. BootROM does not verify.
  --keypair KEYPAIR, -k KEYPAIR
                        Signature keypairs specified in order from the 
                        trusted root key to final user key
  --fpga-key-offset FPGA_KEY_OFFSET
                        Offset from H2F bridge base address (0xC0000000) to
                        location of logic-embedded root public key. Used for
                        '--rootkey-type fpga' authentication.

Secure Boot Image Tool Usage for Boot Image Encryption

python -E -B alt_authtool.py encrypt --help
usage: 
  python -E -B alt_authtool.py encrypt [-h] \
    --inputfile INPUTFILE --outputfile OUTPUTFILE \
    --key KEY [--non-volatile]

Convert a pimage into an encrypted boot image

optional arguments:
  -h, --help            show this help message and exit
  --inputfile INPUTFILE, -i INPUTFILE
                        Bootloader image to encrypt
  --outputfile OUTPUTFILE, -o OUTPUTFILE
                        Encrypted output image
  --key KEY, -k KEY     File containing symmetric key to use for encryption
  --non-volatile        Decryption key stored in non-volatile fuses, instead
                        of battery-backed storage

Did you find the information on this page useful?

Characters remaining:

Feedback Message