AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

ID 683060
Date 3/29/2021
Public
Document Table of Contents

Creating a Signed First-Stage Boot Loader Image

The following example shows how to perform the following tasks:

  • Create a secure signing key for boot loader image authentication, with the user signing key type.
  • Generate and build a boot loader image with the secure signing key, using the Intel® Arria® 10 SoC FPGA Authentication Signing Utility.
  • Demonstrate secure boot using the signed boot loader image from SD card.

Compile hardware design

  1. Create top folder:
    mkdir a10_secure_boot_sign
    cd a10_secure_boot_sign
    export TOP_FOLDER=`pwd`
    
  2. Bring a copy of the hardware design that is already compiled and remove the software folder:
    cd $TOP_FOLDER
    rm -rf a10_soc_devkit_ghrd ghrd-socfpga-ACDS-20.4pro-20.1std\ 
    ACDS-20.4pro-20.1std.zip
    wget https://github.com/altera-opensource/ghrd-socfpga/archive/\
    ACDS-20.4pro-20.1std.zip
    unzip ACDS-20.4pro-20.1std.zip
    mv ghrd-socfpga-ACDS-20.4pro-20.1std/\
    a10_soc_devkit_ghrd_pro a10_soc_devkit_ghrd
    rm -rf ghrd-socfpga-ACDS-20.4pro-20.1std ACDS-20.4pro-20.1std.zip
    cd a10_soc_devkit_ghrd
    make clean && make scrub_clean && rm -rf software
    ~/intelFPGA_pro/20.4/nios2eds/nios2_command_shell.sh \
    make generate_from_tcl
    ~/intelFPGA_pro/20.4/nios2eds/nios2_command_shell.sh \
    make rbf

Build U-Boot

  1. Retrieve the U-Boot source code by cloning the git tree and checking out the supported branch:
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/
    mkdir -p software/bootloader
    cd software/bootloader/
    git clone https://github.com/altera-opensource/u-boot-socfpga
    cd u-boot-socfpga
    git checkout -b test-bootloader -t origin/socfpga_v2020.10
    
  2. Convert hps.xml handoff file to include the file to be used by the device tree:
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/\
    bootloader/u-boot-socfpga
    ./arch/arm/mach-socfpga/qts-filter-a10.sh \
    ../../../hps_isw_handoff/hps.xml \
    arch/arm/dts/socfpga_arria10_socdk_sdmmc_handoff.h
    
  3. Configure and build U-Boot.
    Note: For the toolchain setup used to build U-Boot, refer to: Building Bootloader web page on RocketBoards.
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/\
    bootloader/u-boot-socfpga
    export CROSS_COMPILE=arm-none-linux-gnueabihf-
    make socfpga_arria10_defconfig
    make -j 24
    

Authenticate Image

Retrieve the Secure Boot tools by cloning the git tree:
cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/bootloader/
mkdir secure_boot_tools
cd secure_boot_tools
git clone https://github.com/altera-opensource/\
alt-secure-boot

Generate Key Pair

cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/\
bootloader/
openssl ecparam -genkey -name prime256v1 -out root_key.pem

The key file contents should be similar to the following:
openssl ec -in root_key.pem  -noout -text
read EC key
Private-Key: (256 bit)
priv:
    ef:a4:fa:45:d9:9d:f8:27:06:f3:d6:48:9b:e3:aa:
    f5:f7:e6:0f:bb:ee:51:44:fe:7b:fb:3f:2a:02:64:
    65:1b
pub:
    04:e5:13:8f:7d:df:0b:83:8c:35:b5:5d:64:3f:f3:
    b6:7a:2f:31:b9:5b:4f:5c:d3:55:18:2a:fa:c1:08:
    e7:be:7e:aa:b0:c8:e7:ea:93:71:3a:62:20:69:3e:
    59:50:60:6e:18:65:d9:a9:95:4c:1e:88:93:06:33:
    b8:cc:05:26:aa
ASN1 OID: prime256v1
NIST CURVE: P-256
  1. Authenticate image:
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/bootloader/
    ln -s u-boot-socfpga/spl/u-boot-spl-dtb.bin
    
    ./u-boot-socfpga/tools/mkimage -T socfpgaimage_v1 -d\  
    u-boot-spl-dtb.bin u-boot_w_dtb-single-mkimage.bin
    
    python -B -E secure_boot_tools/alt-secure-boot/bin/\
    alt_authtool.py sign -t user -k root_key.pem -i\
    u-boot_w_dtb-single-mkimage.bin -o u-boot_w_dtb-signed.abin 
    The key file contents should be similar to the following:
    openssl ec -in root_key.pem  -noout -text
    read EC key
    Private-Key: (256 bit)
    priv:
        ef:a4:fa:45:d9:9d:f8:27:06:f3:d6:48:9b:e3:aa:
        f5:f7:e6:0f:bb:ee:51:44:fe:7b:fb:3f:2a:02:64:
        65:1b
    pub:
        04:e5:13:8f:7d:df:0b:83:8c:35:b5:5d:64:3f:f3:
        b6:7a:2f:31:b9:5b:4f:5c:d3:55:18:2a:fa:c1:08:
        e7:be:7e:aa:b0:c8:e7:ea:93:71:3a:62:20:69:3e:
        59:50:60:6e:18:65:d9:a9:95:4c:1e:88:93:06:33:
        b8:cc:05:26:aa
    ASN1 OID: prime256v1
    NIST CURVE: P-256
    
  2. After running the Python script with the Intel® Arria® 10 SoC FPGA Authentication Signing Utility, expect a SHA256 digest similar to the one below:
    SHA256 digest of root public key: 
    233c42a16266942910d801bf717006148fc869bf96027ef76e478731d59e3a6d 
  3. Generate the four copies of the image in one file:
    Note: Refer to your toolchain directory where you get the cross compiler.
    ../../../../Toolchain/gcc-arm-10.2-2020.11-x86_64\
    -arm-none-linux-gnueabihf/bin/arm-none-linux-gnueabihf-objcopy\ 
    -I binary -O binary --gap-fill 0x00 --pad-to 0x40000\ 
    u-boot_w_dtb-signed.abin u-boot_w_dtb-signed-256KB.abin
    
    cat u-boot_w_dtb-signed-256KB.abin u-boot_w_dtb-signed-256KB.abin\ 
    u-boot_w_dtb-signed-256KB.abin u-boot_w_dtb-signed-256KB.abin >\ 
    u-boot_w_dtb-signed-x4.abin
    
  4. Since we are using user mode, program the authentication key file (root_key.pem) into the board (virtually), because it is part of the image.
  5. Copy the u-boot_w_dtb-signed-x4.abin to the board flash:
    • SD/MMC—Use the A2 (raw) partition

      For more information about where to place this image, refer to the Intel® Arria® 10 SoC - Boot from SD Card section on RocketBoards.

    • QSPI
    • NAND
  6. Boot the board.