Secure Boot from AES Encrypted Firmware on EPCS/EPCQ for the Nios II ecosystemA short Lab for Intel's Cyclone 10 LP FPGA evaluation board that can be readily adapted for use with any COTS development board

Introduction

Synaptic Labs enables developers to implement a Secure Boot Process from EPCS/Q flash for Nios II and ARM Cortex cores within the Intel Quartus Prime Development Environment. S/Labs offers two types of ECPS/Q secure boot solutions: (a) Boot from cryptographically encrypted firmware; and (b) Boot from cryptographically authenticated and encrypted firmware. This short lab will walk you through the process of booting from cryptographically encrypted firmware stored on EPCQ flash on Intels' Cyclone 10 LP FPGA Board. Additional in-depth documentation and tutorials for the secure boot process are available from S/Labs.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �1

An easy to implement solution for encrypting the code and data located in EPCS/Q flash memory.

Additional Resources: ~200 ALM + 1 M10K

S/Labs offers additional IP to increase clock speeds, reduce resource usage and greatly

improve software performance when executing code from off-chip flash

Contact S/Labs for more info: info@synaptic-labs.com

Configure an existing

design to boot from EPCS/Q

Add S/Labs'Security IP in Qsys

to automatically encrypt firmware

Program the EPCS/Q

with encryptedfirmware

Boot from the encrypted firmware

that is stored on EPCS/Q

Cyclone 10 LPFPGA Evaluation kit

Prerequisites

• A Windows/Linux PC with two USB ports.

• Intel Quartus Prime with NIOS II EDS installed.

• You must have basic experience with Quartus Prime and Qsys

• This guide was completed with v17.0 of the software but should work with later versions of the Intel Quartus Prime development environment.

• OpenSSL installed

• The Intel Cyclone 10 LP FPGA development board:

• This lab can be trivially adapted by the reader to work with any Intel FPGA development board with EPCS/Q support. To do this, please start the project with the vendor’s EPCS/ECPQ enabled Golden Hardware Reference Design (GHRD) project for your development board.

• Installed S/Labs IP:

• Please email Synaptic Labs on info@synaptic-labs.com to request a FREE time-limited, trial license of S/Labs' Secured Off-chip Flash IP. • Please include a copy of your Network Interface Card (NIC) ID in that email. In Quartus Prime, in

the menu bar, click on Tools, then License Setup. The value of the NIC ID can be then located in the bottom half of the License Setup panel of the Options window.

• If approved, you will receive a copy of the encrypted IP tethered to your NIC ID by email. You will also receive an installation guide.

• Please complete the steps described in that installation guide for this IP before proceeding to execute this short lab.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �2

Disclaimer

THIS SOFTWARE, SOURCE CODE AND ASSOCIATED MATERIALS INCLUDING BUT NOT LIMITED TO TUTORIALS, GUIDES AND COMMENTARY PROVIDED WITH THIS EXERCISE ARE ONLY DESIGNED FOR REFERENCE PURPOSES TO GIVE AN EXAMPLE TO LICENSEE FOR THEIR OWN NECESSARY DEVELOPMENT OF THEIR OWN SOFTWARE AND/OR APPLICATION. IT IS NOT DESIGNED FOR ANY SPECIAL PURPOSE, SERIAL PRODUCTION OR USE IN MEDICAL, MILITARY, AIR CRAFT, AVIATION, SPACE OF LIFE SUPPORT EQUIPMENT.

TO THE EXTENT PERMITTED BY LAW, THE EXERCISE SOFTWARE AND/OR SOURCE CODE AND/OR AND ASSOCIATED MATERIALS IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND AND ONLY FOR REFERENCE PURPOSES.

SYNAPTIC LABORATORIES LTD. MAKES NO WARRANTIES, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED SOFTWARE AND/OR SOURCE CODE AND/OR ASSOCIATED MATERIALS, CONFIDENTIAL INFORMATION AND DOCUMENTATION PROVIDED HEREUNDER. 

SYNAPTIC LABORATORIES LTD. SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY AGAINST INFRINGEMENT OF ANY INTELLECTUAL PROPERTY RIGHT OF ANY THIRD PARTY WITH REGARD TO THE SOFTWARE, DOCUMENTATION (SCHEMATICS ETC.), SOURCE CODE AND ASSOCIATED MATERIALS, CONFIDENTIAL INFORMATION AND DOCUMENTATION.

ANY USE, COMPILATION AND TESTING OF THE SOFTWARE AND/OR SOURCE CODE IS AT LICENSEE`S OWN RISK AND LICENSEE IS OBLIGED TO CONDUCT EXTENSIVE TESTS TO AVOID ANY ERRORS AND FAILURE IN THE COMPILED SOURCE CODE, DOCUMENTATION (SCHEMATICS ETC.) AND THE HEREFROM GENERATED SOFTWARE OF LICENSEE.

EXCEPT FOR WILFULL INTENT SYNAPTIC LABORATORIES LTD. SHALL IN NO EVENT BE ENTITLED TO OR LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND OR NATURE, INCLUDING, WITHOUT LIMITATION, BUSINESS INTERRUPTION COSTS, LOSS OF PROFIT OR REVENUE, LOSS OF DATA, PROMOTIONAL OR MANUFACTURING EXPENSES, OVERHEAD, COSTS OR EXPENSES ASSOCIATED WITH WARRANTY OR INTELLECTUAL PROPERTY INFRINGEMENT CLAIMS, INJURY TO REPUTATION OR LOSS OF CUSTOMERS.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �3

Table of Contents

Secure Boot from AES Encrypted Firmware on EPCS/EPCQ for the Nios II ecosystem 1Introduction 1Stage 1.a: Configure an existing design to boot from EPCS/Q 5Stage 2.a:Add S'Labs Inline Memory Encryptor for ECPS/Q 6Stage 2.b: Recompile the software in Eclipse 8Stage 2.c: Encrypt the Firmware 8Stage 2.d: Convert the Programming Files 9Stage 2.e: Program the EPCQ Flash device 11Stage 2.f: Program the Cyclone 10 LP FPGA device 12Stage 2.g: Running the Nios II terminal application 12

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �4

Stage 1.a: Configure an existing design to boot from EPCS/Q

For this lab, we will start with an EPCQ based Hardware Reference Design (HRD) project for the Intel Cyclone 10 LP development board. More information can be found on Intel design store website:

https://cloud.altera.com/devstore/platform/17.0.0/Standard/boot-from-epcq-serial-flash-example/

The original reference project can be downloaded from

http://media.synaptic-labs.com/pub/2017-Designs/SynapticLabs-HBMC-Tutorial-004/HyperRAM_EPCQ_Project_C10LP.zip

Please follow Tutorial 004A: Boot from EPCQ (Serial Flash) if you have not done so already.

http://media.synaptic-labs.com/pub/2017-Designs/SynapticLabs-HBMC-Tutorial-004/SynapticLabs-HBMC-Tutorial004A-NiosII-HyperRam_Boot_EPCQ.pdf

The above project employs Altera’s Serial Flash Controller IP. Be sure to read the readme.txt file. The above project is based on the second boot method described in Altera’s Application Note 736: Nios II Processor Booting From Altera Serial Flash (EPCQ)

https://www.altera.com/en_US/pdfs/literature/an/an736.pdf

You MUST ensure that your initial system can successfully execute code in place from Flash before adding the inline memory encryptor! If you are not using the above mentioned EPCQ enabled HRD project, please contact your development board vendor for the most suitable baseline Qsys project with regard to executing software from flash memory. The remaining sections in stage 1 describe how to successfully execute the HyperRAM_EPCQ_Project_C10LP.zip project.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �5

Stage 2.a:Add S'Labs Inline Memory Encryptor for ECPS/Q1. Ensure S/Labs Inline Memory Encryptor IP is installed in your system, or in this quartus project’s folder

before proceeding further.

2. Open up Qsys. Find S/Labs’ Secured Off-chip Flash IP in the Qsys IP Catalog panel under: Synaptic Labs → Crypto → Secured Memory → AES Secured Off-chip Flash IP (CA-SMEM-T001).Click the [ + Add… ] button to instantiate a copy of this IP into your qsys project.

3. Configure the IP as illustrated in red boxes below:

4. Set the number of s-boxes to 1 or 4.

5. Copy and paste the value of the Random number generated by OpenSSL into the KEY#0 field. For the demo IP edition, this field is fixed and cannot be changed.

6. In the Firmware security section, locate the hex file (epcq_controller2_0.hex) previously generated by NIOS II SBT for Eclipse. This is located in the Project_dir/software/HelloWorld/mem_int folder. This is the firmware application to be encrypted and stored in the EPCQ memory. NOTE: The file browser will generate an “Absolute Path” for the .hex file. Do NOT convert the absolute path to a path that is relative to the current project folder.

7. In the Avalan Target and Mater Port configuration,

• set the Burst Mode field to "Avalon pipeline read and write with a burst of 1"

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �6

8. Wire up sll_ca_ssrt_smem_t001 as illustrated in the diagram below. Take special note of the regions in red box. In particular,

• connect the iavs_0 avalon slave port of S/Labs Secure Flash IP to the Avalon master (m0) on the pipeline bride.

• connect the Avalon slave data port (avl_mem) of Intel's Serial Flash controller IP to the Avalon master (eavm_m0) on S/Labs Secure Flash IP.

9. Set the Avalon slave (iavs_0) Base address on S/Labs' Secure Offchip Flash IP to 0x0100_0000

10.Set the Avalon slave (avl_mem) Base address on Intel's Serial Flash controller IP to 0x0

11. Save your Qsys project.

12. In the Qsys window, click on the [ Generate HDL… ] button.

13. In the Quartus Prime window, run the Compile Design task.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �7

Stage 2.b: Recompile the software in Eclipse

Nios II software must always be recompiled after the regenerating a Qsys project: 1. Select the Eclipse Window.

2. In the menu bar of Eclipse, select Project → Clean… Ensure that [ ] Start a build immediately is not ticked.Click the [ OK ] button.

3. In the Project Explorer tab, right click on HelloWorld_bsp. Select Nios II → Generate BSP .

4. In the Project Explorer tab, right click on HelloWorld Select Make Targets → Build…

5. In the Make Targets window, select mem_init_generate. Click the [ Build ] button.

a. This will regenerate the unencrypted .hex files corresponding to the memories that need to be initialised.

6. The project is compiled, and the unencrypted .hex files should be generated successfully.

Stage 2.c: Encrypt the Firmware1. Select the Quartus Prime Window.

2. If required, wait for the project to complete compilation.

3. In the Menu bar of the Quartus Prime window, select Tool, then select TCL Scripts.

4. Find and select the _encrypt_firmware.tcl script in the submodules tree list view, under the Project folder.

5. Click on the “Run" button to execute that script.

6. A epcq_controller2_0_encrypted.hex file has now been generated in the software/HelloWorld/mem_init/ folder. In particular, the contents of

• epcq_controller2_0.hex has been parsed, encrypted, and then re-encoded as

• epcq_controller2_0_encrypted.hex

7. You will need to run the encrypt firmware TCL script each time you regenerate the unencrypted .hex file.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �8

Stage 2.d: Convert the Programming Files

The Intel Cyclone 10 LP FPGA board employs a 64 Mbit EPCQ device.

1. In the Quartus Prime software, go to the menu bar. Select File → Convert Programming Files to open the Convert Programming File tool.

2. Under Output programming file section, set the following items:

a. Programming file type: JTAG Indirect Configuration File (.jic)

b. Configuration device: EPCQ64

c. Mode: Active Serial x1

d. File name: helloworld_encrypted.jic

e. Keep the default settings for Create Memory Map File and Create config data RPD.

f. In the input files to convert group select Flash Loader. Click on [ Add device…].

g. In the “Select Devices” window, tick [x] Cyclone 10 LP. Then tick [x] 10CL025Y. Click on [ OK ].

h. In the input files to convert group select Add Hex Data. In the Add Hex Data window:

i. Click on Absolute Addressing.

ii. In the Hex file group, click on the […] button. Navigate to the software/HelloWorld/mem_init folder of your Qsys project. Select epcq_controller2_0_encrypted.hex file. This is the encrypted .hex file used to program the firmware into the off-chip flash memory. Click [ Open ].

iii. Click [ OK ].

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �9

i. In this tutorial we are not going to save the FPGA bitstream to the off-chip flash.

i. In the input files to convert, select SOF Data. Click on the [ Remove ] button.

j. Click on [Save Conversion Setup…] in the Conversion setup files group at the top of the Convert Programming File tab/window. Set the value of the filename filed to: helloworld_encrypted.cof . Click the [ Save ] button.

k. Click on the [ Generate ] button to generate the helloworld_encrypted.jic file.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �10

Stage 2.e: Program the EPCQ Flash device1. In the Quartus Prime software, double click on Program Device (Open Programmer) in the task panel.

2. Click on the [ Hardware Setup… ] button and select the device to program.

3. If any programming file has been automatically loaded, use the Delete button to remove it. Make sure there is no programming file present inside the dialog box.

4. Click on the [ Add File… ] button. Select helloworld_encrypted.jic and click the [ open ] button.

5. Tick the [ x ] Program/Configure field beside helloworld_encrypted.jic

6. Click the [ Start ] button.

7. Programming the flash device on the Cyclone 10 LP FPGA board may take a few seconds.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �11

Stage 2.f: Program the Cyclone 10 LP FPGA device1. In the Quartus Prime software, double click on Program Device (Open Programmer) in the task panel.

2. Click on the [ Add File… ] button. Navigate to the output_files folder in your Qsys project. Select the .sof file and click the [ open ] button.

3. Click on the [ Start ] button in the Programmer window.

4. Programming the FPGA device on the C10LP FPGA board may take a few seconds.

5. A window called “OpenCore Plus Status” should open.

6. If programming is successful, the Nios II core will boot from encrypted firmware.

Stage 2.g: Running the Nios II terminal application❖ In Linux: Open a Linux command shell / terminal

❖ In Windows: Run the Nios II Command Shell application from the Windows start menu.

❖ Run the nios2-terminal command from the terminal.

❖ Messages similar to the one below should be displayed in the command shell.

This completes the lab.

WWW.SYNAPTIC-LABS.COM 03 SEPTEMBER 2017 VER. 01-001 PAGE �12