AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

ID 683060
Date 3/29/2021
Document Table of Contents

Root Key Types

The boot ROM requires the root public key programmed in eFuse and its associated public key to authenticate the second-stage boot loader if the key contained within eFuse, the FPGA or header file (test only) mandates an authenticated flow. Several root key types are available that you can store on the device or second-stage boot loader image.
Note: Using the image itself for storage of the root key is not considered a secure method. Intel recommends that you use this method for testing purposes only.
Table 1.  Root Key Types
Root Key Is it stored on the device? Description
Secure User Key Yes You generate secure key pair for boot ROM to attempt authentication. The SHA256 hash of the public key is stored in the User Access Fuses (UAF) of the device. This configuration provides a secure boot.
FPGA Key Yes The public key originates from your bitstream. The key is stored in FPGA on-chip RAM and accessed by the first stage boot ROM for image authentication. When you store the FPGA key in on-chip RAM, you must turn on the Enable boot from fpga signals option on the FPGA Interfaces tab of the Intel® Arria® 10 Hard Processor System Intel® Arria® 10 FPGA IP GUI.
Unsecured User Key No You generate a secure key pair but it is not stored on the device. This configuration is considered unsecure. You include the root key result in the image header and the boot ROM uses it for authentication.