The background on this is the KAK, sometimes referred to Root Public Key, or the SHA256 of the public key, is used by the ROM bootloader to authenticate the 2nd stage bootloader. This is done by checking the signed 2nd stage boot loader with a Root Public Key stored in the User Access Fuses.
This should not be confused with the AES key used to decrypt the FPGA programming file, since it is completely different. The FPGA programming file decryption key can be programmed using a .ekp file, and documented in the Intel Arria 10 Soc Secure Boot User Guide. The KAK is also mentioned there in the Intel Arria 10 Soc Secure Boot User Guide, in the Root Public Key Authentication section, but how it is programmed in the FPGA is not detailed at all. Exactly why any details on this are missing is a mystery, but the details are completely missing.
I know how to generate the root public/private key pair:
openssl ecparam -genkey -name prime256v1 -out root_key.pem
I know how to use the tools to sign the 2nd stage bootloader:
alt-secure-boot sign --inputfile bootloader --keypair root_key.pem --rootkey-type fuse --outputfile bootloader.signed
SHA256 digest of root public key: -------------------------------------------------------------------------------------
The missing information is how to put this SHA256 digest into the UAF so the ROM bootloader can authenticate the 2nd stage on every startup. This is very specific so the answer should be very easy for the right person who knows. Can you help?
You can refer the to the application note below for programming the fuses with keys.
Also as mentioned in the Intel Arria 10 Soc Secure Boot Guide use the Intel® FPGA Download Cable and the programmer tool installed with the Design Tool Suite.
Thanks and Regards
Thank you for the reply.
I already know how to program the AES key for securing the FPGA programming file. As I mentioned, it is done with a .ekp file just as your referenced app note indicates. My question was how to program the KAK / Root Public Key / SHA256 of the public key, which is used to authenticate the 2nd stage boot loader. Can you point out which section of this app note describes the KAK / Root Public Key / SHA256 of the public key, and specifically how it is programmed, such as by .ekp file or other?
The information on programming the KAK seems to only be available with a NDA. I now have that information from a document entitled "Arria 10 SoC Secure Fuse Programming User Guide", UG-20022
2016.11.07. I am providing the title, document number, and date here, not to usurp the NDA, but to assist others who might need this information and will now know the document to request.
Glad to know that the solution has been found, Thanks for sharing with the community.
Thanks and Regards