Forum Discussion

rdrr
2 months ago

Agilex 5 with HPS Cryptographic services and bootflow

Hi, I have a question regarding the boot flow on Agilex 5 with HPS, with security in mind. I am aware of how this is typically implemented on other SoCs like NXP, but as for the Agilex, I just started working on this SoC.

From what I understand (based on the docs and the TF-A source code, in particular the VAB part) the flow is the following:

  • SDM verifies the FSBL signature and loads it
  • SDM releases HPS from reset
  • FSBL loads the next stages (BL31, BL33), each time communicating with the SDM through the mailbox, asking the SDM to verify the image signature

Then we can be sure that we only use legitimate binaries. Am I right?

I have found in the agilex 5 product table that some variants are equipped with Cryptographic services and some not.

Are these Cryptographic services needed to perform the above flow?

If the variant I have is not equipped with such IP is there any other way to securely boot all boot chain up to Linux?

22 Replies

  • Yes - we have Black Key Provisioning available. All of the security documentation is available on RDC if you have an NDA with Altera.

    Sue

    tehjingy_Altera

    Hi rdrr 


    The SDM handles the secure boot chain and authenticates the FSBL, BL31 and BL33.

    The Cryptographic Services are not needed for secure boot; they mainly support added features such as key management, SHA2/3 hashing functions and others.


    • rdrr

      Thanks. 

      So to sum up, the secure boot looks roughly as follows:

      • SDM verifies FSBL
      • FSBL loads BL31 and verifies its signature using VAB AUTHENTICATION (implemented in TF-A), which uses the mailbox to communicate with the SDM
      • FSBL loads BL33 and verifies its signature using VAB AUTHENTICATION (implemented in TF-A), which uses the mailbox to communicate with the SDM

      All the above is possible WITHOUT Cryptographic services, am I right?

      Assuming all the above, there is one more thing. On other platforms like NXP Layerscape, the SoC features CAAM (Cryptographic Acceleration and Assurance Module). One of its functionalities is that it allows deploying and using so-called black keys and black blobs. In a nutshell, black keys and black blobs are keys and data encrypted with the SoC's hardware-fused root key, so they can be stored or transmitted only in encrypted form and can be decrypted exclusively inside the secure hardware module (e.g., CAAM).

      We use such functionality on our NXP-based board to encrypt and decrypt the kernel image as well as the keys used to set up dm-crypt (enc/dec rootfs).

      Is something like this available on Agilex 5? If so, on the variant with or without Cryptographic Services?
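The chain-of-trust flow summarised above (SDM authenticates the FSBL before releasing the HPS, then FSBL/TF-A asks the SDM over the mailbox to authenticate BL31 and BL33 before running them) can be modelled to make the security property explicit: the HPS-side loader never holds the root key and halts at the first image that fails verification. The following is an added illustration written for this thread, not Altera's, TF-A's or the SDM's actual code; the `SecureDeviceManager`, `Mailbox` and `Image` names are invented for the model, and HMAC-SHA256 over a constructed key stands in for the certificate-based VAB signature check a real device performs against fused key material.

```python
"""Model of the verified boot chain discussed in the thread (added example).

The SDM is the only component that knows the root key. Every later stage is
handed to it (via the mailbox) for verification before the HPS executes it.
HMAC-SHA256 stands in for the real VAB certificate/signature check.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Image:
    name: str
    payload: bytes
    signature: bytes  # real VAB appends a certificate; here an HMAC tag (model)


class SecureDeviceManager:
    """Stand-in for the SDM; holds the (constructed) root key."""

    def __init__(self, root_key: bytes):
        self._root_key = root_key  # assumption: real devices use fused keys

    def sign(self, payload: bytes) -> bytes:
        # Build-time signing step; never runs on the HPS during boot.
        return hmac.new(self._root_key, payload, hashlib.sha256).digest()

    def verify(self, image: Image) -> bool:
        expected = hmac.new(self._root_key, image.payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, image.signature)


class Mailbox:
    """HPS-side view of the SDM: it can request a verification, nothing more."""

    def __init__(self, sdm: SecureDeviceManager):
        self._sdm = sdm

    def request_verify(self, image: Image) -> bool:
        return self._sdm.verify(image)


def build_signed_chain(sdm: SecureDeviceManager) -> List[Image]:
    """Constructed sample images FSBL -> BL31 -> BL33, all signed by `sdm`."""
    chain = []
    for name in ("FSBL", "BL31", "BL33"):
        payload = f"{name} image bytes (constructed)".encode()
        chain.append(Image(name, payload, sdm.sign(payload)))
    return chain


def tamper(images: List[Image], name: str) -> List[Image]:
    """Return a copy of the chain where `name` has a modified payload but the
    original signature, i.e. an image altered after signing."""
    return [
        Image(img.name, img.payload + b"\x00patched", img.signature)
        if img.name == name else img
        for img in images
    ]


def boot_chain(sdm: SecureDeviceManager, images: List[Image]) -> Tuple[List[str], Optional[str]]:
    """Run the modelled boot flow.

    Returns (stages that were authenticated and executed, in order,
             name of the first stage that failed verification or None).
    """
    booted: List[str] = []
    fsbl, later = images[0], images[1:]

    # Step 1: the SDM itself verifies the FSBL before releasing the HPS from reset.
    if not sdm.verify(fsbl):
        return booted, fsbl.name
    booted.append(fsbl.name)

    # Step 2: FSBL/TF-A loads each later stage and asks the SDM over the
    # mailbox to verify it; the HPS never sees the key.
    mailbox = Mailbox(sdm)
    for img in later:
        if not mailbox.request_verify(img):
            return booted, img.name  # halt: do not execute an unverified image
        booted.append(img.name)
    return booted, None


if __name__ == "__main__":
    sdm = SecureDeviceManager(b"constructed-root-key")
    good = build_signed_chain(sdm)
    print("intact chain:", boot_chain(sdm, good))
    print("BL33 tampered:", boot_chain(sdm, tamper(good, "BL33")))
    foreign = build_signed_chain(SecureDeviceManager(b"some-other-key"))
    print("signed with wrong key:", boot_chain(sdm, foreign))
```

The three scenarios in the `__main__` block are the ones worth checking on hardware too: an intact chain reaches BL33, an image modified after signing stops the boot exactly at that stage while the earlier stages still ran, and a chain signed with a key the SDM does not trust never gets past the FSBL.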

      • tehjingy_Altera

        Dear Customer, 


        Since no further clarification is needed on this thread, it will be transitioned to community support for further help on doubts in this thread. 

        Please login to the Altera Community Forum and post a feed/response within the next 15 days to allow me to continue to support you. After 15 days, this thread will be transitioned to community support. The community users will be able to help you on your follow-up questions. 

        Thank you for the questions and as always pleasure having you here. 


        Best Wishes 

        tehjingy

  • Hi rdrr,

    Your replies disappeared, I don't know why. I will alert the forum team. But I got the emails.

    I'm so sorry you are confused! The part number decoder shows this, in part:

    The dev kit is not shown here because it is an ES device. You can see this by the 0 in the 4th digit place and the ES at the end. Security features are not enabled on ES devices.

    For the other two devices you showed, you should look at the Agilex 5 C column for the first one and the Agilex 5 B column for the second device (using the 4th digit again) in the document I linked above.

    All security features except for the Cryptographic Services are available on both B and C devices. The table in part shows:

    Does that help?

    Sue

    • rdrr

      Thanks, but I still have some questions.

      1. Engineering sample: its code is MK-A5E065BB32AES1. When you look at the doc I attached (here is the link https://cdrdv2-public.intel.com/820978/ug-820977-820978.pdf), in Table 1 you see that for the engineering sample MK-A5E065BB32AES1 the device part number is A5ED065BB32AE6SR0. Decoding the 4th digit of the ordering number and looking at the part number decoder we have A5ED, with D implying Quad HPS and Cryptographic Services. Where can I find the information that Cryptographic Services are disabled on ES?
      2. As for the A5EC065BB32AE6S, looking at the 4th digit and the part number decoder it seems that this variant does not feature Cryptographic Services, am I right?
      3. As for the Terasic board (https://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=123&No=1384&PartNo=2#contents) with FPGA A5EB013BB23BE4SCS, again looking at the 4th digit and the product table code, it seems that this product should have HPS as well as Cryptographic Services, yes?

      The thing I'm most interested in is whether or not I will be able to run the full chain of trust on HPS on these particular product numbers. I guess that on the variant with no Cryptographic Services I will only be able to authenticate the FSBL, but won't be able to authenticate the further boot stages (BL31, BL33, Linux), yes?

      I will be very grateful for some guidance. 

      PS: sorry for spamming your mailbox, but I've sent I guess 20 replies and each of them got deleted, I guess due to the fact that I originally wrote "Cryptographic" without "graphic", so the content was filtered.


    • rdrr

      Thanks, I have a question regarding part numbers because I feel I'm kind of lost.

      I have the following devkit: MK-A5E065BB32AES1, which according to this document https://cdrdv2-public.intel.com/820978/ug-820977-820978.pdf uses the following part number: A5ED065BB32AE6SR0.
      Looking at the table in the Security Overview it seems that variant "D" should feature the Cryptographic Services.
      I also found the following table, which also states that it should feature Quad HPS and Cryptographic Services.

      Am I right? Does my devkit have the Cryptographic Services?

      Also how about:

      Do they have crypto services?

      I will be grateful for some information.

      PS: please do something about the post filtering, as it's ridiculous. I had to write this post several times because each time it was deleted due to a prohibited word, namely c_r_p_t_o without the "_".

      BR
