AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Download
ID 683060
Date 3/29/2021
Public
Document Table of Contents

Creating an Encrypted First-Stage Boot Loader Image

The following example demonstrates how to perform the following tasks:

  • Create a secure encryption key for boot loader image authentication.
  • Generate and build an encrypted boot loader image with the secure encryption key, using the Intel® Arria® 10 SoC FPGA Authentication Signing Utility.
  • Demonstrate secure boot using the encrypted boot loader image from SD card
  1. Follow steps Step 1 and Step 2 for Bootloader generation as explained in the Creating a Signed First-Stage Boot Loader Image section.
  2. Retrieve the Secure Boot tools by cloning the git tree.
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/\
    software/bootloader/
    mkdir secure_boot_tools
    cd secure_boot_tools
    git clone https://github.com/altera-opensource/\
    alt-secure-boot
    
  3. Generate Encryption Key—Create a new file named as key_file.key, give a name to the encrypt key say "key1" and give a random 32 bytes of hex number to the key1 the contain looks like this: key1 0a0b0c0d0e0f1122334455667788990a0b0c0d0e0f112233445566778899aabb
    touch key_file.key
    echo key1 0a0b0c0d0e0f1122334455667788990a0b0c0d0e0f\
    112233445566778899aabb > key_file.key
    
  4. Create ubootmkimage:
    create u-boot_w_dtb-single-mkimage.bin
    mkimage -T socfpgaimage_v1 -d  u-boot-spl-dtb.bin u-boot_w_dtb-single-mkimage.bin
    
  5. Encrypt image
    cd $TOP_FOLDER/a10_soc_devkit_ghrd/software/bootloader/
    ln -s u-boot-socfpga/spl/u-boot-spl-dtb.bin
    
    ./u-boot-socfpga/tools/mkimage -T socfpgaimage_v1 -d\  
    u-boot-spl-dtb.bin u-boot_w_dtb-single-mkimage.bin
    
    ~/intelFPGA_pro/20.4/nios2eds/nios2_command_shell.sh
    
    python -B -E secure_boot_tools/alt-secure-boot/bin/alt_authtool.py\ 
    encrypt -k key_file.key:key1 -i u-boot_w_dtb-single-mkimage.bin\ 
    -o u-boot_w_dtb-encrypted.abin
    
  6. Generate the four copies of the image in one file:
    Note: Refer to your toolchain directory where you get the cross compiler.
    ../../../../Toolchain/gcc-arm-10.2-2020.11-x86_64\
    -arm-none-linux-gnueabihf/bin/arm-none-linux-gnueabihf-objcopy\ 
    -I binary -O binary --gap-fill 0x00 --pad-to 0x40000\ 
    u-boot_w_dtb-encrypted.abin u-boot_w_dtb-encrypted-256KB.abin
    
    cat u-boot_w_dtb-encrypted-256KB.abin u-boot_w_dtb-encrypted-256KB.abin\ 
    u-boot_w_dtb-encrypted-256KB.abin u-boot_w_dtb-encrypted-256KB.abin\ 
    > u-boot_w_dtb-encrypted-x4.abin
    
  7. Program the Encryption key file (key_file.key) into the BBRAM on the board.
    quartus_pgm --key "key_file.key:key1"\ 
    ghrd_10as066n2.sof key.ekp
    quartus_pgm -c 1 -m jtag -o p;key.ekp,10AS066H2ES -o
    
  8. Copy the u-boot_w_dtb-signed-x4.abin to the board flash:
    • SD/MMC—Use the A2 (raw) partition

      For more information about where to place this image, refer to the Intel® Arria® 10 SoC - Boot from SD Card section on RocketBoards.

    • QSPI
    • NAND
  9. Boot the board.

Did you find the information on this page useful?

Characters remaining:

Feedback Message