How do I program the KAK (Key Authorization Key) in User Access Fuses (UAF).

Question

The background on this is the KAK, sometimes referred to Root Public Key, or the SHA256 of the public key, is used by the ROM bootloader to authenticate the 2nd stage bootloader. This is done by checking the signed 2nd stage boot loader with a Root Public Key stored in the User Access Fuses.

This should not be confused with the AES key used to decrypt the FPGA programming file, since it is completely different. The FPGA programming file decryption key can be programmed using a .ekp file, and documented in the Intel Arria 10 Soc Secure Boot User Guide. The KAK is also mentioned there in the Intel Arria 10 Soc Secure Boot User Guide, in the Root Public Key Authentication section, but how it is programmed in the FPGA is not detailed at all. Exactly why any details on this are missing is a mystery, but the details are completely missing.

I know how to generate the root public/private key pair:

openssl ecparam -genkey -name prime256v1 -out root_key.pem

I know how to use the tools to sign the 2nd stage bootloader:

alt-secure-boot sign --inputfile bootloader --keypair root_key.pem --rootkey-type fuse --outputfile bootloader.signed

SHA256 digest of root public key: -------------------------------------------------------------------------------------

The missing information is how to put this SHA256 digest into the UAF so the ROM bootloader can authenticate the 2nd stage on every startup. This is very specific so the answer should be very easy for the right person who knows. Can you help?

kklei5 · Answer

The information on programming the KAK seems to only be available with a NDA. I now have that information from a document entitled "Arria 10 SoC Secure Fuse Programming User Guide", UG-20022

2016.11.07. I am providing the title, document number, and date here, not to usurp the NDA, but to assist others who might need this information and will now know the document to request.

anilerinch_a_intel · Answer

Hi ,You can refer the to the application note below for programming the fuses  with keys. https://www.intel.com/content/dam/www/programmable/us/en/pdfs/literature/an/an556.pdfAlso as mentioned in the Intel Arria 10 Soc Secure Boot Guide use  the Intel® FPGA Download Cable and the programmer tool installed with the Design Tool Suite.Thanks and RegardsAnil

kklei5 · Answer

Thank you for the reply.

I already know how to program the AES key for securing the FPGA programming file. As I mentioned, it is done with a .ekp file just as your referenced app note indicates. My question was how to program the KAK / Root Public Key / SHA256 of the public key, which is used to authenticate the 2nd stage boot loader. Can you point out which section of this app note describes the KAK / Root Public Key / SHA256 of the public key, and specifically how it is programmed, such as by .ekp file or other?

anilerinch_a_intel · Answer

Hi Glad to know that the solution has been found, Thanks for sharing with the community. Thanks and RegardsAnil

Forum Discussion

How do I program the KAK (Key Authorization Key) in User Access Fuses (UAF).

4 Replies

Recent Discussions

Unique ID registers in Cyclone V

Audio interface with Agilex 5 A5ED065BB32AI4S

Operating system kernel-level FPGA bridge communication

Routing PL DDR to PS

Validating ECC Functionality on Custom Agilex 5 SOM in Linux Kernel