5.1.13. Security Design Considerations
The Intel® Arria® 10 SoC provides a framework for implementing secure systems through a layered hardware and software solution. When designing a secure system, you can implement several security levels depending on your system's security requirements.
GUIDELINE: Determine which parts of your design must be encrypted. Determine which parts of your design must be authenticated.
Secure Boot – Chain Of Trust and Image Authentication
Secure Boot ensures that a Chain of Trust is established for all boot stages. Each boot stage must authenticate subsequent stages prior to loading and executing by verifying the image's signed certificate.
The boot stages can span from the initial Second Stage Bootloader to the final application loaded by the OS.
For more information, refer to the Intel® Arria® 10 SoC Secure Boot User Guide.
Securing the Design IP - AES Encryption
To secure the FPGA design IP, use AES encryption. Encrypt the design IP before storing it on the intended boot device storage area. If the AES security keys are verified by the SoC, then the image is decrypted during configuration load time.
Secured Boot and IP - Authentication and Encryption
This level offers the most security because all runtime SW and Data IP is authenticated and successfully decrypted during system bring-up.
This security level uses defined logic to post a notification when an attempt to tamper with the device is detected.
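The following Go program is an added example, not Intel's code and not the Arria 10 image format. It models the two mechanisms this section describes, the Secure Boot chain of trust (each stage verifies the next stage's signature before handing over) and the encrypted design IP (decrypted only after authentication succeeds), so that a reader can see how a verification failure at any link halts the boot. The stage layout, the choice of Ed25519 over SHA-256 of the encrypted image, AES-256-GCM for the payload, the stage names "SSBL" and "APP", and a root public key standing in for the device's root of trust are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage is a constructed, simplified boot-stage image (not the Arria 10
// format). It carries the two things the text names: a signature checked by
// the previous stage, and an encrypted payload opened only after that check.
type Stage struct {
	Name      string
	Blob      []byte            // AES-GCM nonce || ciphertext of the stage payload
	Signature []byte            // Ed25519 signature over SHA-256(Blob)
	NextKey   ed25519.PublicKey // key this stage trusts to sign the next stage
}

var ErrAuth = errors.New("chain of trust: stage authentication failed")

// sealPayload encrypts a payload with AES-256-GCM and prepends the nonce.
func sealPayload(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// openPayload reverses sealPayload; GCM also rejects a modified ciphertext.
func openPayload(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("image blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// BuildStage encrypts a payload and signs the ciphertext with the key that the
// preceding stage trusts (encrypt-then-sign: a bad image is rejected before
// the decryption key is ever used on it).
func BuildStage(name string, signer ed25519.PrivateKey, aesKey, payload []byte, next ed25519.PublicKey) (Stage, error) {
	blob, err := sealPayload(aesKey, payload)
	if err != nil {
		return Stage{}, err
	}
	digest := sha256.Sum256(blob)
	return Stage{Name: name, Blob: blob, Signature: ed25519.Sign(signer, digest[:]), NextKey: next}, nil
}

// VerifyChain walks the stages in boot order. rootKey stands in for the
// immutable root of trust; each stage is authenticated with the key handed
// down by its predecessor and decrypted only after authentication passes.
// The first failure stops the walk and names the failing stage.
func VerifyChain(rootKey ed25519.PublicKey, aesKey []byte, stages []Stage) ([][]byte, error) {
	trusted := rootKey
	var payloads [][]byte
	for _, st := range stages {
		if len(trusted) != ed25519.PublicKeySize {
			return payloads, fmt.Errorf("%w: no trusted key to verify %s", ErrAuth, st.Name)
		}
		digest := sha256.Sum256(st.Blob)
		if !ed25519.Verify(trusted, digest[:], st.Signature) {
			return payloads, fmt.Errorf("%w: %s", ErrAuth, st.Name)
		}
		pt, err := openPayload(aesKey, st.Blob)
		if err != nil {
			return payloads, fmt.Errorf("stage %s: decrypt: %w", st.Name, err)
		}
		payloads = append(payloads, pt)
		trusted = st.NextKey // hand trust to the next link in the chain
	}
	return payloads, nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	ssblPub, ssblPriv, _ := ed25519.GenerateKey(nil)
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		panic(err)
	}
	ssbl, _ := BuildStage("SSBL", rootPriv, aesKey, []byte("second-stage bootloader"), ssblPub)
	app, _ := BuildStage("APP", ssblPriv, aesKey, []byte("application image"), nil)
	if _, err := VerifyChain(rootPub, aesKey, []Stage{ssbl, app}); err != nil {
		fmt.Println("boot halted:", err)
		return
	}
	fmt.Println("all stages authenticated and decrypted")
}
```

Signing the ciphertext rather than the plaintext means a tampered or wrongly signed image is refused before any decryption takes place, which is the behaviour the "authentication and encryption" level calls for; on a real device the AES key and the root public key would live in protected storage rather than in program memory as they do here.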