Intel® Arria® 10 Hard Processor System Technical Reference Manual

ID 683711
Date 8/28/2023
Public

A.4.9. Secure Boot

The boot ROM supports both non-secure and secure boot.

Secure boot allows the HPS to release from reset into a known state and then validate the authenticity and integrity of the second-stage boot loader code prior to executing it. Secure boot can ensure that only authorized code is executed on the system. In addition, the system has the option to configure the FPGA from the HPS, which provides a secure boot mechanism for the FPGA portion of the SoC. In this mode, the HPS boot code can authenticate the FPGA POF prior to loading it.

The boot ROM determines the security level from user fuse values that are stored in the Security Manager during initialization. The second-stage boot loader image may carry a security header indicating that authentication or decryption is required for the image. Based on the merged data from the Security Manager and the security header, the boot ROM can load the following image types:

  • Clear text: No authentication or decryption is required
  • Secure, Authenticated: Authentication, but no decryption, is required for the image
  • Secure, Encrypted: Decryption, but no authentication, is required. During the decryption process, the boot ROM looks for an encrypted image on the flash device and decrypts it into the on-chip RAM
  • Full Secure: Both authentication and decryption are required

The authentication process is independent of the decryption process. However, if authentication and decryption are both required, authentication is done before the decryption process.
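The following is an added Python model of the load decision described above; it is not Intel boot ROM code. It assumes that the fuse values set a floor the security header may raise but never relax (the manual does not state the merge rule), uses HMAC-SHA256 as a stand-in for the ROM's signature check and a SHA-256 counter keystream as a stand-in for its cipher, and all keys and images are constructed.

```python
import hashlib
import hmac
from enum import Enum

# Constructed keys; the real ROM uses fused keys and public-key signatures.
AUTH_KEY, ENC_KEY = b"constructed-auth-key", b"constructed-enc-key"

class ImageType(Enum):
    CLEAR = "clear text"
    AUTHENTICATED = "secure, authenticated"
    ENCRYPTED = "secure, encrypted"
    FULL_SECURE = "full secure"

def required_mode(fuse_auth, fuse_dec, hdr_auth, hdr_dec):
    """Merge fuse policy with the header. Assumption (not stated by the TRM):
    fuses set a floor the header may raise but never relax."""
    auth, dec = fuse_auth or hdr_auth, fuse_dec or hdr_dec
    if auth and dec:
        return ImageType.FULL_SECURE
    if auth:
        return ImageType.AUTHENTICATED
    return ImageType.ENCRYPTED if dec else ImageType.CLEAR

def _crypt(data):
    """Stand-in for the ROM's cipher: XOR with a SHA-256 counter keystream."""
    ks = b"".join(hashlib.sha256(ENC_KEY + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def build_image(payload, hdr_auth, hdr_dec):
    """What flash holds: optionally encrypted payload plus an optional tag."""
    stored = _crypt(payload) if hdr_dec else payload
    tag = hmac.new(AUTH_KEY, stored, hashlib.sha256).digest() if hdr_auth else b""
    return {"hdr_auth": hdr_auth, "hdr_dec": hdr_dec, "data": stored, "tag": tag}

def boot_rom_load(fuse_auth, fuse_dec, img):
    """Return (mode, plaintext), or None when the ROM must refuse to boot."""
    mode = required_mode(fuse_auth, fuse_dec, img["hdr_auth"], img["hdr_dec"])
    data = img["data"]
    # Authentication comes first and covers the image exactly as stored.
    if mode in (ImageType.AUTHENTICATED, ImageType.FULL_SECURE):
        expected = hmac.new(AUTH_KEY, data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, img["tag"]):
            return None
    if mode in (ImageType.ENCRYPTED, ImageType.FULL_SECURE):
        data = _crypt(data)  # decrypt into on-chip RAM only after auth passed
    return mode, data
```

Because the tag is checked over the stored (still encrypted) bytes, a tampered or unsigned image is rejected before any decryption happens, and an image whose header claims clear text cannot bypass a fused authentication requirement.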

For more information regarding Secure Boot, please refer to the SoC Security Chapter.