Solved: SDM based encryption?

LowLevelGuy · ‎07-09-2024

For the Stratix 10, I see there is an encryption feature where the SDM decrypts the bitstream. Is there any possibility of using the SDM to support an encrypted FSBL? I’m basically interested in encrypting the bootloader software, not just the FPGA bitstream.

Fakhrul · ‎08-08-2024

Hi LowLevelGuy,

Apologies for the delay. I was consulting with the internal team to get clarification on this matter.

When we enabling bitstream encryption on HPS FSBL (included the hex file in the PFG tool), FSBL will be encrypted as well.

Sorry for the confusion.

Thank you for your patience.

Regards,

Fakhrul

View solution in original post

Fakhrul · ‎07-18-2024

Hi LowLevelGuy,

Sorry for the delay, I may overlooked your post. The Secure Device Manager (SDM) on the Stratix 10 can decrypt the FPGA bitstream, but it does not support decrypting an encrypted First Stage Boot Loader (FSBL). The SDM's encryption features are designed specifically for the FPGA configuration bitstream and not for general-purpose software decryption. For more detailed information, please refer to the Stratix® 10 Configuration User Guide.

Regards,

Fakhrul

LowLevelGuy · ‎07-19-2024

Related to the FSBL part, just to make sure I understand your answer, does it mean that enabling "bitstream encryption" on -AS devices does not result in the FSBL being encrypted?

By FSBL, I'm refering to the ".hex" file content specified using "-o hps_path" with quartus_pfg -- the first code executed by the HPS.

Thanks

Fakhrul · ‎07-23-2024

Hi LowLevelGuy,

From my understanding, yes, enabling bitstream encryption on -AS devices does not automatically encrypt the FSBL. The bitstream encryption specifically targets the FPGA configuration bitstream and does not extend to other software or bootloader code like the FSBL. The Stratix 10's SDM encryption focuses on protecting the FPGA configuration bitstream, not the FSBL or other HPS-related code.

Regards,

Fakhrul

Fakhrul · ‎07-29-2024

As we haven't received a response to our previous notification, this thread will be transitioned to community support. We hope all your concerns have been addressed. If you have any new questions, please feel free to open a new thread to receive support from Intel experts. Otherwise, community users will continue to assist you here. Thank you.

LowLevelGuy · ‎07-31-2024

Sorry, I'm really having trouble accepting this answer and meant to reply earlier... Are you suggesting that the FSBL is not part of the bitstream? This seems highly counterintuitive given the way the Quartus tooling is used...

Fakhrul · ‎08-08-2024

Hi LowLevelGuy,

Apologies for the delay. I was consulting with the internal team to get clarification on this matter.

When we enabling bitstream encryption on HPS FSBL (included the hex file in the PFG tool), FSBL will be encrypted as well.

Sorry for the confusion.

Thank you for your patience.

Regards,

Fakhrul

Fakhrul · ‎08-18-2024

As we haven't received a response to our previous notification, this thread will be transitioned to community support. We hope all your concerns have been addressed. If you have any new questions, please feel free to open a new thread to receive support from Intel experts. Otherwise, community users will continue to assist you here. Thank you.

SDM based encryption?

SW Dev (UEFI Bootloader|First|Second Stage Bootloader|MPL|U-Boot SPL|Preloader)