
Arria10 HPS secure boot from FPGA

RVCA
Beginner
428 Views

Hi,

For bootstrapping in production and as a rescue mechanism for 'bricked' boards, we use an FPGA image, with a U-boot image embedded in ROM. The FPGA image is loaded over JTAG and forces the HPS to boot the embedded image. This is working fine as long as we don't enforce secure boot of the HPS. To enforce secure boot, we program the encryption key and KAK and set the following fuses:

kak_src_uaf=0x01
kak_len=0
kak_key=...
authen_en=0x01
aes_en=0x01
dbg_disable_access=0x01
dbg_lock_JTAG=0x01
dbg_lock_DAP=0x01
dbg_lock_CPU0=0x01
dbg_lock_CPU1=0x01
dbg_lock_CS=0x01
dbg_lock_FPGA=0x01

With these settings, we can boot the signed and encrypted U-boot image from flash, but not if it's embedded in the FPGA ROM. I have also tried this on a board without the authen_en and aes_en fuses set. On such a board only the unsigned, unencrypted U-boot image successfully boots from FPGA. Trying signed and encrypted, signed and not encrypted or encrypted but not signed images all fail to boot.

How can we make this work? Are there any special steps we must perform to prepare a signed and encrypted bootloader to boot from FPGA? Do we need to enable something in the FPGA image itself?

 

Kind regards,

Robbe

9 Replies
aikeu
Employee
409 Views

Hi RVCA,


Are you referring to this document for the secure booting related info?

https://www.intel.com/content/www/us/en/docs/programmable/683060/20-4/document-revision-history-for-...


Thanks.

Regards,

Aik Eu


RVCA
Beginner
404 Views

Hi aikeu,

 

That is indeed one of the documents describing the HPS secure boot process on Arria10. However, I have noticed that these documents usually discuss only authentication and/or decryption of the second-stage bootloader image from flash. How secure boot from FPGA works is never touched upon in the documentation I have encountered.

 

Kind regards,

Robbe

aikeu
Employee
349 Views

Hi RVCA,


  1. The boot ROM determines the boot flash partition and verifies the security header settings of the second-stage boot loader image. The second-stage boot loader requires a signed certificate to be authenticated.
  2. The Boot ROM determines the source of the root key by reading the security header.


From the above statement, the boot ROM may not support booting from FPGA ROM.

The link for the above information:

https://www.intel.com/content/www/us/en/docs/programmable/683060/20-4/an-759-using-secure-boot-in-so...


May I know if there are any error logs from the boot-up failure?


Thanks.

Regards,

Aik Eu


RVCA
Beginner
346 Views

Hi,

 

There are no boot logs; the device refuses to boot.

We know the Boot ROM supports booting from FPGA ROM when secure boot is not enforced (authen_en=0 and aes_en=0) and the bootloader in the FPGA ROM is not encrypted or signed. My question is:

Is there a way to boot from FPGA ROM when secure boot is enforced by the HPS secure fuses?

 

Kind regards,

Robbe

aikeu
Employee
317 Views

Hi RVCA,


From consulting the team so far, I didn't get to know any method to boot up from the ROM of the FPGA. I am afraid the Boot ROM may not support that. Is there any particular requirement or reason that you are going to boot from the ROM of the FPGA instead of another flash location?


Thanks.

Regards,

Aik Eu


RVCA
Beginner
265 Views

Hi aikeu,

We always boot from a ROM embedded in an FPGA image to bootstrap fresh boards on the production line. This is before we flash the keys and enforce secure boot.

We would like to have a way to re-start this process in case a problem occurs during production test. Flashing the secure fuses cannot be re-done, but it seems there is no way to rescue a board if it has issues booting from flash, once secure boot is enabled.

I am also in contact with Intel Premier Support now to get a final answer.

Kind regards,

Robbe

aikeu
Employee
272 Views

Hi RVCA,


Any follow-up from the previous comment?


Thanks.

Regards,

Aik Eu


aikeu
Employee
241 Views

Hi RVCA,


One thing to take note of is where your root key is stored, where the boot ROM is able to find it at the location as it was designed to do.

Referring to the Table 1. Root Key Types of this document:

https://www.intel.com/content/www/us/en/docs/programmable/683060/20-4/an-759-using-secure-boot-in-so...


Thanks.

Regards,

Aik Eu


aikeu
Employee
204 Views

Hi RVCA,


I will close this thread since there is a case opened in the IPS platform.


Thanks.

Regards,

Aik Eu

