Forum Discussion

rdrr's avatar
rdrr
Icon for Occasional Contributor rankOccasional Contributor
2 months ago

Agilex 5 with HPS Cryptographic services and bootflow

Hi I have a question regarding boot flow on agilex 5 with HPS with security in mind. I am aware how this is typically implemented on other SoCs like NXP but as for the Agilex - I just started working...
Arm Processor
embedded peripheral
Hps Arch
Hps Boot
rdrr's avatar
rdrr
Icon for Occasional Contributor rankOccasional Contributor
2 months ago

Thanks, but still have some questions.

  1. Engineering sample, it's code is MK-A5E065BB32AES1, when you look at the doc I attached (here is the link https://cdrdv2-public.intel.com/820978/ug-820977-820978.pdf) in the Table 1 you see that for the following engineering sample MK-A5E065BB32AES1, the device part number is A5ED065BB32AE6SR0. Decoding the 4tf digit of the ordering number and looking at the part number decoder we have A5ED, with D implying Quad HPS and Cryptographic Services. Where can I find the information that Cryptographic Services are disabled on ES?
  2. As for the A5EC065BB32AE6S, looking at the 4th digit and part number decoder it seems that this variant does not feature Cryptographic Services am I right?
  3. As for the Terasic board (https://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=123&No=1384&PartNo=2#contents) with FPGA: A5EB013BB23BE4SCS and again looking at the 4th digit and product table code it seems that this product should have HPS as well as Cryptographic services, yes?

 

The thing I'm the most interested in is - whether or not will I be able to run full chain on trust on HPS on these particular product numbers. I guess that on the variant with no Cryptographic services I will be only able to authenticate fsbl only, but won't be able to authenticate further boot stages - BL31, BL33, Linux, yes?

I will be very grateful for some guidance. 

Ps. sorry for spamming your mailbox but I've sent I guess 20 replies and each of them got deleted I guess due to the fact I originally used Cryptographic without "graphic" thus the content was filtered.

rdrr's avatar
rdrr
Icon for Occasional Contributor rankOccasional Contributor
2 months ago

SueC_Altera​ kindly asking for some replay regarding my question.

  • FawazJ_Altera's avatar
    FawazJ_Altera
    Icon for Frequent Contributor rankFrequent Contributor
    2 months ago

    Hello,
    Kindly see my replies provided below for your reference:

    1. Engineering sample, it's code is MK-A5E065BB32AES1, when you look at the doc I attached (here is the link https://cdrdv2-public.intel.com/820978/ug-820977-820978.pdf) in the Table 1 you see that for the following engineering sample MK-A5E065BB32AES1, the device part number is A5ED065BB32AE6SR0. Decoding the 4tf digit of the ordering number and looking at the part number decoder we have A5ED, with D implying Quad HPS and Cryptographic Services. Where can I find the information that Cryptographic Services are disabled on ES?
      >> All the engineering sample devices are non-security enabled. The Agilex5 device security user guide used this R0 for demo only. This will be updated with a production OPN.
    2. As for the A5EC065BB32AE6S, looking at the 4th digit and part number decoder it seems that this variant does not feature Cryptographic Services am I right?
      >> Yes, you are right.
    3. As for the Terasic board (https://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=123&No=1384&PartNo=2#contents) with FPGA: A5EB013BB23BE4SCS and again looking at the 4th digit and product table code it seems that this product should have HPS as well as Cryptographic services, yes?
      >> Yes, you are right.

      For production devices, the available security features depend on the specific device variant. In general, bitstream authentication and encryption are supported. If CryptoServices are not available, it indicates that the corresponding cryptographic primitives are not supported on that particular device. For full security functionality, you should select a device variant that includes CryptoServices.
      Regarding HPS secure boot, all production devices support authentication of the complete HPS software stack. This includes the FSBL (as part of bitstream authentication), followed by the SSBL (U‑Boot), the Linux kernel image, and the Device Tree (DTB file).