FPGA, SoC, And CPLD Boards And Kits
FPGA Evaluation and Development Kits
5925 Discussions

Intel Agilex Secure boot

rajasekarselva
Novice
‎02-15-2022 02:21 PM
563 Views

How to cancel the root keys in intel agilex series?

If root keys got compromised, how to cancel the rot keys ID from HPS linux userspace mailboxes or via FPGA mailbox client?

 

You may program a root key hash cancellation compact certificate via JTAG, FPGA, or
HPS mailboxes.
 
# Owner fuses =
"0x00000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000
0000000000000000000000"
# Owner root public key hash 0 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000"
# Owner root public key hash 1 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000"
# Owner root public key hash 2 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000
 
0 Kudos

Link Copied

7 Replies
rajasekarselva
Novice
‎02-21-2022 08:42 AM
540 Views
In response to aikeu

Thanks for your reply, Aik Eu.

 

Unfortunately, I can't able to open the link. Replied with 'Access Denied'  

<Error>
<Code>AccessDenied</Code>
<Message>Access denied</Message>
</Error>

Do I need any additional login authentication to view this document? 
In response to aikeu
0 Kudos
Copy link
rajasekarselva
Novice
‎02-21-2022 08:54 AM
539 Views
In response to rajasekarselva

As a reference, are you pointing the below document in the previous link?


Intel® Agilex™ Device Security User Guide

 

4.4. Canceling Root Keys

 

If you are pointing the above then there is no detailed explanation/brief on, How to do that from the FPGA mailbox IP or HPS mailbox IP client? Could you point that document, if possible?

 

 

Thanks

Raj

In response to rajasekarselva
0 Kudos
Copy link
aikeu
Employee
‎02-21-2022 08:09 PM
536 Views

Hi rajasekarselva,


Yes, I am pointing to that document.

I will get back to you on more info regarding cancellation of root keys from HPS Linux userspace or FPGA mailbox client.


Thanks.

Regards,

Aik Eu


0 Kudos
Copy link
aikeu
Employee
‎02-27-2022 07:05 PM
530 Views

Hi rajasekarselva,


I get the info from the software security team as below:


Firstly you would need to create the certificate to cancel the root key hash. This is detailed in section 4.5 “Canceling Root Keys” of the Agilex Device Security UG.

To create the certificate, you would send the Certificate Command (0x0B) through the mailbox (HPS/FPGA)  

This command is not currently documented, but will be soon in the Security Methodology UG.

The Security Methodology UG will be out in at least one month time.


Do let me know if you have further questions or concern from the info above.



Thanks.

Regards,

Aik Eu


0 Kudos
Copy link
aikeu
Employee
‎03-03-2022 07:05 PM
511 Views

Hi rajasekarselva,


Any follow up with the previous comment?


Thanks.

Regards,

Aik Eu


0 Kudos
Copy link
aikeu
Employee
‎03-07-2022 10:19 PM
496 Views

Hi rajasekarselva,


I will close this thread if no further question.


Thanks.

Regards,

Aik Eu


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.