Visible to Intel only — GUID: cru1452898162759
Ixiasoft
Prerequisites
References
Secure Boot Stages
Intel® Arria® 10 SoC Secure Boot Architecture
Software Image Authentication
Overview of the Secure Boot Flow
Software Image Encryption
Software Image Authentication and Encryption
Intel® Arria® 10 SoC FPGA Authentication Signing Utility
Secure Boot Examples
Appendix A: Secure Boot Image Python Script: alt_authtool.py
Appendix B: Frequently Asked Questions
Document Revision History for the AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices
What are the secure configurations for HPS JTAG debug and access?
Can the HPS perform decryption of the boot image instead of the FPGA CSS?
What happens if the first stage boot ROM is unsuccessful in authenticating the second-stage boot loader?
Can you use the first-stage root key as the subsequent stage root key?
When the second-stage image is authenticated, is the image header only copied to on-chip RAM for authentication?
Can the AES encryption key be updated by the HPS using JTAG hosting?
How does U-Boot (SSBL) authenticate next stage boot images?
Which elliptical cryptography is used for boot image signing and authentication?
How do I generate a signing key pair?
Where can I store the signing keys for second-stage boot loader authentication?
What type of cryptography is used for boot image encryption and decryption?
What FPGA locations are available for AES key storage?
How do I generate an AES key to encrypt a boot image?
How is secure boot defined within the Intel® Arria® 10 SoC product family?
What security choices are available for the second-stage boot image or user software?
Where is the authentication of the boot image performed?
Where is decryption of the boot image performed?
How can I configure the Intel® Arria® 10 SoC device so that it always performs authentication or authentication and decryption?
How can I program the key authentication key (KAK) into the Intel® Arria® 10 SoC device?
How can I configure the second stage boot loader image for the correct authentication signing key type?
How do I configure the second-stage boot loader image for encryption using the pre-generated AES key?
Is the ECDSA private and public key pair that is used for signing the boot image also used for authentication of the FPGA image?
Visible to Intel only — GUID: cru1452898162759
Ixiasoft
Creating a Signed First-Stage Boot Loader Image
The following example shows how to perform the following tasks:
- Create a secure signing key for boot loader image authentication, with the user signing key type.
- Generate and build a boot loader image with the secure signing key, using the Intel® Arria® 10 SoC FPGA Authentication Signing Utility.
- Demonstrate secure boot using the signed boot loader image from SD card.
Compile hardware design
- Create top folder:
mkdir a10_secure_boot_sign cd a10_secure_boot_sign export TOP_FOLDER=`pwd` - Bring a copy of the hardware design that is already compiled and remove the software folder:
cd $TOP_FOLDER rm -rf a10_soc_devkit_ghrd ghrd-socfpga-ACDS-20.4pro-20.1std\ ACDS-20.4pro-20.1std.zip wget https://github.com/altera-opensource/ghrd-socfpga/archive/\ ACDS-20.4pro-20.1std.zip unzip ACDS-20.4pro-20.1std.zip mv ghrd-socfpga-ACDS-20.4pro-20.1std/\ a10_soc_devkit_ghrd_pro a10_soc_devkit_ghrd rm -rf ghrd-socfpga-ACDS-20.4pro-20.1std ACDS-20.4pro-20.1std.zip cd a10_soc_devkit_ghrd make clean && make scrub_clean && rm -rf software ~/intelFPGA_pro/20.4/nios2eds/nios2_command_shell.sh \ make generate_from_tcl ~/intelFPGA_pro/20.4/nios2eds/nios2_command_shell.sh \ make rbf
Build U-Boot
- Retrieve the U-Boot source code by cloning the git tree and checking out the supported branch:
cd $TOP_FOLDER/a10_soc_devkit_ghrd/ mkdir -p software/bootloader cd software/bootloader/ git clone https://github.com/altera-opensource/u-boot-socfpga cd u-boot-socfpga git checkout -b test-bootloader -t origin/socfpga_v2020.10 - Convert hps.xml handoff file to include the file to be used by the device tree:
cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/\ bootloader/u-boot-socfpga ./arch/arm/mach-socfpga/qts-filter-a10.sh \ ../../../hps_isw_handoff/hps.xml \ arch/arm/dts/socfpga_arria10_socdk_sdmmc_handoff.h - Configure and build U-Boot.
Note: For the toolchain setup used to build U-Boot, refer to: Building Bootloader web page on RocketBoards.
cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/\ bootloader/u-boot-socfpga export CROSS_COMPILE=arm-none-linux-gnueabihf- make socfpga_arria10_defconfig make -j 24
Authenticate Image
Retrieve the Secure Boot tools by cloning the git tree:
cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/bootloader/
mkdir secure_boot_tools
cd secure_boot_tools
git clone https://github.com/altera-opensource/\
alt-secure-boot
Generate Key Pair
cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/\
bootloader/
openssl ecparam -genkey -name prime256v1 -out root_key.pem
The key file contents should be similar to the following:
openssl ec -in root_key.pem -noout -text
read EC key
Private-Key: (256 bit)
priv:
ef:a4:fa:45:d9:9d:f8:27:06:f3:d6:48:9b:e3:aa:
f5:f7:e6:0f:bb:ee:51:44:fe:7b:fb:3f:2a:02:64:
65:1b
pub:
04:e5:13:8f:7d:df:0b:83:8c:35:b5:5d:64:3f:f3:
b6:7a:2f:31:b9:5b:4f:5c:d3:55:18:2a:fa:c1:08:
e7:be:7e:aa:b0:c8:e7:ea:93:71:3a:62:20:69:3e:
59:50:60:6e:18:65:d9:a9:95:4c:1e:88:93:06:33:
b8:cc:05:26:aa
ASN1 OID: prime256v1
NIST CURVE: P-256
- Authenticate image:
cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/bootloader/ ln -s u-boot-socfpga/spl/u-boot-spl-dtb.bin ./u-boot-socfpga/tools/mkimage -T socfpgaimage_v1 -d\ u-boot-spl-dtb.bin u-boot_w_dtb-single-mkimage.bin python -B -E secure_boot_tools/alt-secure-boot/bin/\ alt_authtool.py sign -t user -k root_key.pem -i\ u-boot_w_dtb-single-mkimage.bin -o u-boot_w_dtb-signed.abinThe key file contents should be similar to the following:openssl ec -in root_key.pem -noout -text read EC key Private-Key: (256 bit) priv: ef:a4:fa:45:d9:9d:f8:27:06:f3:d6:48:9b:e3:aa: f5:f7:e6:0f:bb:ee:51:44:fe:7b:fb:3f:2a:02:64: 65:1b pub: 04:e5:13:8f:7d:df:0b:83:8c:35:b5:5d:64:3f:f3: b6:7a:2f:31:b9:5b:4f:5c:d3:55:18:2a:fa:c1:08: e7:be:7e:aa:b0:c8:e7:ea:93:71:3a:62:20:69:3e: 59:50:60:6e:18:65:d9:a9:95:4c:1e:88:93:06:33: b8:cc:05:26:aa ASN1 OID: prime256v1 NIST CURVE: P-256 - After running the Python script with the Intel® Arria® 10 SoC FPGA Authentication Signing Utility, expect a SHA256 digest similar to the one below:
SHA256 digest of root public key: 233c42a16266942910d801bf717006148fc869bf96027ef76e478731d59e3a6d - Generate the four copies of the image in one file:
Note: Refer to your toolchain directory where you get the cross compiler.
../../../../Toolchain/gcc-arm-10.2-2020.11-x86_64\ -arm-none-linux-gnueabihf/bin/arm-none-linux-gnueabihf-objcopy\ -I binary -O binary --gap-fill 0x00 --pad-to 0x40000\ u-boot_w_dtb-signed.abin u-boot_w_dtb-signed-256KB.abin cat u-boot_w_dtb-signed-256KB.abin u-boot_w_dtb-signed-256KB.abin\ u-boot_w_dtb-signed-256KB.abin u-boot_w_dtb-signed-256KB.abin >\ u-boot_w_dtb-signed-x4.abin - Since we are using user mode, program the authentication key file (root_key.pem) into the board (virtually), because it is part of the image.
- Copy the u-boot_w_dtb-signed-x4.abin to the board flash:
- SD/MMC—Use the A2 (raw) partition
For more information about where to place this image, refer to the Intel® Arria® 10 SoC - Boot from SD Card section on RocketBoards.
- QSPI
- NAND
- SD/MMC—Use the A2 (raw) partition
- Boot the board.
Did you find the information on this page useful?
Feedback Message
Characters remaining: