Arria10 HPS secure boot from FPGA

Question

Hi,
For bootstrapping in production and as a rescue mechanism for 'bricked' boards, we use an FPGA image, with a U-boot image embedded in ROM. The FPGA image is loaded over JTAG and forces the HPS to boot the embedded image. This is working fine as long as we don't enforce secure boot of the HPS. To enforce secure boot, we program the encryption key and KAK and set the following fuses:
kak_src_uaf=0x01kak_len=0kak_key=...authen_en=0x01aes_en=0x01dbg_disable_access=0x01dbg_lock_JTAG=0x01dbg_lock_DAP=0x01dbg_lock_CPU0=0x01dbg_lock_CPU1=0x01dbg_lock_CS=0x01dbg_lock_FPGA=0x01
With these settings, we can boot the signed and encrypted U-boot image from flash, but not if it's embedded in the FPGA ROM. I have also tried this on a board without the authen_en and aes_en fuses set. On such a board only the unsigned, unencrypted U-boot image successfully boots from FPGA. Trying signed and encrypted, signed and not encrypted or encrypted but not signed images all fail to boot.
How can we make this work? Are there any special steps we must perform to prepare a signed and encrypted bootloader to boot from FPGA? Do we need to enable something in the FPGA image itself?

Kind regards,
Robbe

aikeu · Answer

Hi RVCA,Are you referring to this document for the secure booting related info?https://www.intel.com/content/www/us/en/docs/programmable/683060/20-4/document-revision-history-for-the-an.htmlThanks.Regards,Aik Eu

rvca · Answer

Hi aikeu,

That is indeed one of the documents describing the HPS secure boot process on Arria10. However, I have noticed that these documents usually discuss only authentication and/or decryption of the second-stage bootloader image from flash. How secure boot from FPGA works is never touched upon in the documentation I have encountered.

Kind regards,
Robbe

aikeu · Answer

Hi RVCA,The boot ROM determines the boot flash partition and verifies the security header settings of the second-stage boot loader image. The second-stage boot loader requires a signed certificate to be authenticated.The Boot ROM determines the source of the root key by reading the security header.From the above statement, the boot ROM may not support booting from FPGA ROM.The link from the above information:https://www.intel.com/content/www/us/en/docs/programmable/683060/20-4/an-759-using-secure-boot-in-soc-devices.htmlMay I know if there is any error logs from the boot up failure?Thanks.Regards,Aik Eu

rvca · Answer

Hi,

There are no boot logs, the device refuses to boot.
We know the Boot ROM supports booting from FPGA ROM when secure boot is not enforced (authen_en=0 and aes_en=0) and the bootloader in the FPGA ROM is not encrypted or signed. My question is:
Is there a way to boot from FPGA ROM when secure boot is enforced by the HPS secure fuses?

Kind regards,
Robbe

aikeu · Answer

Hi RVCA,From consulting the team so far I didnt get to know any of the method to boot up from the ROM of FPGA. I afraid the Boot ROM may not support that. Any particular requirement reason that you are going to boot from the ROM of FPGA instead of other flash location?Thanks.Regards,Aik Eu

Forum Discussion

Arria10 HPS secure boot from FPGA

9 Replies

Recent Discussions

Mandelbrot viewer on Cyclone V - Platform Designer layout

Slow Runtime Performance in FIL Implementation on DE2-115 Using Ethernet

Device stopped receiving config data: Internal error (0x0000, 0x00000000, 0x1800).

Stratix 10 GX SI Board - issue with the Board Test System (BTS)

Stratix 10 Development Kit HiLo connector