Forum Discussion
Thanks.
So to sum up, the secure boot looks roughly as follows:
- SDM verifies FSBL
- FSBL loads BL31 and verifies its signature using VAB AUTHENTICATION (implemented in TF-A), which uses the mailbox to communicate with SDM
- FSBL loads BL33 and verifies its signature using VAB AUTHENTICATION (implemented in TF-A), which uses the mailbox to communicate with SDM
All the above is possible WITHOUT Cryptographic services, am I right?
Assuming all the above - there is one more thing. On other platforms like NXP Layerscape, the SoC features CAAM (Cryptographic Acceleration and Assurance Module). One of the functionalities of this is that it allows deploying and using so-called black keys and black blobs. In a nutshell - black keys and black blobs are keys and data encrypted with the SoC's hardware-fused root key, so they can be stored or transmitted only in encrypted form and can be decrypted exclusively inside the secure hardware module (e.g., CAAM).
We use such functionality on our NXP-based board to encrypt and decrypt the kernel image as well as the keys used to set up dm-crypt (enc/dec rootfs).
Is something like this available on Agilex 5? If so - on the variant with or without Cryptographic services?