AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

ID 683060
Date 3/29/2021
Document Table of Contents

First-Stage Boot Loader (ROM)

After hardware system initialization is complete, the Intel® Arria® 10 SoC boot ROM firmware decrypts, authenticates, and executes the next boot stage. The boot ROM firmware is the root of trust: the trusted, inherently secure starting point for booting the Intel® Arria® 10 SoC.

To decrypt and authenticate the next boot stage, the boot ROM firmware performs these tasks:
  1. Determine which boot device contains the next boot stage image, the second-stage boot loader
  2. Discover the final code signing key (CSK) through a key chain service
  3. Use the CSK to authenticate the boot loader image
  4. If the boot loader image is encrypted, the boot ROM sends the image to the Configuration Subsystem (CSS) for decryption.
  5. If boot loader authentication and decryption is successful, load the boot loader into on-chip RAM and execute it

For details about secure system initialization, refer to "Secure Initialization Overview" in the SoC Security chapter of the Intel® Arria® 10 Hard Processor System Technical Reference Manual.