
Intel Agilex Secure boot

rajasekarselva

How to cancel the root keys in the Intel Agilex series?

If root keys got compromised, how to cancel the root keys ID from HPS Linux userspace mailboxes or via FPGA mailbox client?

 

You may program a root key hash cancellation compact certificate via JTAG, FPGA, or HPS mailboxes.
 
# Owner fuses =
"0x00000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000
0000000000000000000000"
# Owner root public key hash 0 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000"
# Owner root public key hash 1 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000"
# Owner root public key hash 2 =
"0x00000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000
 
0 Kudos
rajasekarselva

Thanks for your reply, Aik Eu.

 

Unfortunately, I am not able to open the link. It replied with 'Access Denied':

<Error>
<Code>AccessDenied</Code>
<Message>Access denied</Message>
</Error>

Do I need any additional login authentication to view this document? 
0 Kudos
rajasekarselva

As a reference, are you pointing to the document below in the previous link?


Intel® Agilex™ Device Security User Guide

 

4.4. Canceling Root Keys

 

If you are pointing to the above, then there is no detailed explanation/brief on how to do that from the FPGA mailbox IP or HPS mailbox IP client. Could you point me to that document, if possible?

 

 

Thanks

Raj

0 Kudos
aikeu
Employee

Hi rajasekarselva,


Yes, I am pointing to that document.

I will get back to you on more info regarding cancellation of root keys from HPS Linux userspace or FPGA mailbox client.


Thanks.

Regards,

Aik Eu


0 Kudos
aikeu
Employee

Hi rajasekarselva,


I got the info below from the software security team:


Firstly you would need to create the certificate to cancel the root key hash. This is detailed in section 4.5 “Canceling Root Keys” of the Agilex Device Security UG.

To create the certificate, you would send the Certificate Command (0x0B) through the mailbox (HPS/FPGA).

This command is not currently documented, but will be soon in the Security Methodology UG.

The Security Methodology UG will be out in at least one month's time.


Do let me know if you have further questions or concerns about the info above.



Thanks.

Regards,

Aik Eu


0 Kudos
aikeu
Employee

Hi rajasekarselva,


Any follow-up on the previous comment?


Thanks.

Regards,

Aik Eu


0 Kudos
aikeu
Employee

Hi rajasekarselva,


I will close this thread if there are no further questions.


Thanks.

Regards,

Aik Eu


0 Kudos