AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

ID 683060
Date 3/29/2021
Public

What security choices are available for the second-stage boot image or user software?

Authentication is provided for the second-stage boot loader code, and both the HPS and the FPGA can use the AES algorithms in the CSS to decrypt boot images and POF files, respectively.

Three levels of boot are available to the device:

  • Authentication only: The second-stage boot loader code is not encrypted, but public key signatures are attached to the image, and the code executes only if all of the signatures verify. ECDSA256 (SHA-256) is used for authenticated boot.
  • Decryption only: The user boot code is encrypted and must be decrypted before execution. AES-based algorithms in the FPGA are used for decryption.
  • Authentication and Decryption: The user boot code is encrypted and signed.

If authentication and decryption are enabled, the data is first authenticated and then decrypted using the AES algorithms. Authentication is performed using the public key authorization key (KAK) held in the user fuses. The KAK can be 256 or 512 bits. You can lock the KAK public key authentication fuses in groups of 64 bits or less.
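The following Go program is an added illustration of the three boot levels and of the authenticate-then-decrypt ordering described above; it is not code from the application note or from Intel's boot ROM. It models the KAK as an ECDSA P-256 public key handed to the loader, signs the stored image bytes with ECDSA over SHA-256, and uses AES-256 in CTR mode with a random IV for the encrypted levels. The CTR mode, the single ASN.1-encoded signature and the key sizes are assumptions for the example (the note does not specify the AES mode or the signature encoding); a real image carries one or more signatures in the device's own format. The important property it shows is that a tampered image fails authentication and is never decrypted or executed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BootPolicy mirrors the three boot levels listed in the note.
type BootPolicy int

const (
	AuthOnly       BootPolicy = iota // signed, not encrypted
	DecryptOnly                      // encrypted, not signed
	AuthAndDecrypt                   // encrypted, then the ciphertext is signed
)

// SignedImage is a constructed container for the example: the stored payload
// (plaintext or ciphertext, depending on policy) plus an ECDSA signature over it.
type SignedImage struct {
	Payload   []byte
	Signature []byte // ASN.1 DER ECDSA P-256 signature over SHA-256(Payload); empty if unsigned
}

// encryptImage uses AES-256-CTR with a random IV prepended to the ciphertext.
// The mode is an assumption of this example, not something the note specifies.
func encryptImage(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

func decryptImage(key, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, ciphertext[:aes.BlockSize]).XORKeyStream(out, ciphertext[aes.BlockSize:])
	return out, nil
}

// BuildImage is the provisioning side: encrypt first if the policy requires it,
// then sign whatever bytes will actually be stored, so the loader can verify
// before it decrypts.
func BuildImage(policy BootPolicy, code []byte, signKey *ecdsa.PrivateKey, aesKey []byte) (SignedImage, error) {
	img := SignedImage{Payload: code}
	if policy == DecryptOnly || policy == AuthAndDecrypt {
		ct, err := encryptImage(aesKey, code)
		if err != nil {
			return SignedImage{}, err
		}
		img.Payload = ct
	}
	if policy == AuthOnly || policy == AuthAndDecrypt {
		digest := sha256.Sum256(img.Payload)
		sig, err := ecdsa.SignASN1(rand.Reader, signKey, digest[:])
		if err != nil {
			return SignedImage{}, err
		}
		img.Signature = sig
	}
	return img, nil
}

// LoadImage is the boot-ROM side: authenticate against the KAK public key first,
// and only then decrypt. An image that fails authentication is never decrypted.
func LoadImage(policy BootPolicy, img SignedImage, kak *ecdsa.PublicKey, aesKey []byte) ([]byte, error) {
	if policy == AuthOnly || policy == AuthAndDecrypt {
		digest := sha256.Sum256(img.Payload)
		if !ecdsa.VerifyASN1(kak, digest[:], img.Signature) {
			return nil, errors.New("authentication failed: image not executed")
		}
	}
	if policy == DecryptOnly || policy == AuthAndDecrypt {
		return decryptImage(aesKey, img.Payload)
	}
	return img.Payload, nil
}

func main() {
	// Constructed keys and payload; a real device holds the KAK public key in fuses.
	kak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aesKey := bytes.Repeat([]byte{0x42}, 32)
	code := []byte("constructed second-stage boot loader image")
	img, _ := BuildImage(AuthAndDecrypt, code, kak, aesKey)
	got, err := LoadImage(AuthAndDecrypt, img, &kak.PublicKey, aesKey)
	fmt.Printf("genuine image: err=%v match=%v\n", err, bytes.Equal(got, code))
	img.Payload[len(img.Payload)-1] ^= 0xFF // simulate a modified image in flash
	_, err = LoadImage(AuthAndDecrypt, img, &kak.PublicKey, aesKey)
	fmt.Printf("tampered image: err=%v\n", err)
}
```

Because the signature covers the ciphertext, the loader rejects a modified image before touching the AES key, which is the ordering the note describes for the combined mode.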