AN 759: Using Secure Boot in Intel® Arria® 10 SoC Devices

Download
ID 683060
Date 3/29/2021
Public
Document Table of Contents

Where can I store the signing keys for second-stage boot loader authentication?

You can store the signing keys for second-stage boot loader authentication by the Intel® Arria® 10 SoC device in:

Table 6.  Root Key Types
Root Key Key Type Description
Secure User Key Fuse

You generate secure key pair for boot ROM to attempt authentication. The SHA256 hash of the public key is stored in the User Access Fuses (UAF) of the device. This configuration provides a secure boot.

For information about secure fuses, refer to the Secure Fuses section in the SoC Security chapter of the Intel® Arria® 10 Hard Processor System Technical Reference Manual.

FPGA Key FPGA The public key originates from your bitstream. The key is stored in FPGA on-chip RAM and accessed by the first stage boot ROM for image authentication. When you store the FPGA key in on-chip RAM, you must turn on the Enable boot from fpga signals option on the FPGA Interfaces tab of the Intel® Arria® 10 Hard Processor System Intel® Arria® 10 FPGA IP GUI.
Unsecured User Key User You generate a secure key pair but it is not stored on the device. This configuration is unsecure and is for testing only. You include the root key result in the image header and the boot ROM uses it for authentication.

Did you find the information on this page useful?

Characters remaining:

Feedback Message