This document provides comprehensive information on the Unified Extensible Firmware Interface (UEFI) boot loader for the Intel Stratix 10 SoC.
The Intel Stratix 10 SoC provides a secure boot flow:
The boot ROM
The secure device manager (SDM)
The Secure Monitor
The UEFI boot loader
The Intel Stratix 10 SoC secure boot flow ensures that the system boot loader is signed with a cryptographic key that is validated by the firmware.
The Secure Monitor stage also implements the model of secure partitioning. This model divides the software environment into two isolated partitions, called the secure world and the non-secure world. The two worlds can only communicate with each other through the Secure Monitor.
The binary image of the UEFI boot loader can be stored on Quad SPI flash or an SD/MMC card. On board power-up, the secure device manager (SDM) loads the Secure Monitor directly into Hard Processor System (HPS) on-chip RAM. The Secure Monitor then loads the UEFI boot loader into HPS DDR memory.
Initializing DDR SDRAM memory
Configuring low-level hardware, such as PLLs, I/Os, and pin muxes, needed by non-secure world software
The UEFI boot loader tasks include:
Providing Ethernet support
Supporting basic hardware diagnostic features
Fetching subsequent boot software such as the operating system package or
Note: For non-secure boot, the operating system package can include a kernel image, device tree blob and filesystem. For secure boot it can be a
Figure 1. UEFI Boot Flow Overview
2. System Requirements
To load and execute the Intel Stratix 10 SoC Unified Extensible Firmware Interface (UEFI) boot loader, your system must meet the
2.1. Minimum Hardware Requirements
workstation with the following configuration:
Serial terminal, such as Minicom for
microSD card slot, microSD card writer, or SD-capable writer with an SD to microSD converter
Table 1. Platform Capabilities
Able to compile the UEFI boot loader
Able to compile the Secure Monitor
2.2. Minimum Software Requirements
Intel® SoC FPGA Embedded Development Suite (SoC EDS)
3. Getting Started
3.1. Installing Software Components
3.1.1. Installing the Intel SoC EDS
You must install the Intel SoC EDS on your machine.
As security becomes increasingly important, a secure boot solution becomes a requirement in the embedded world. To ensure comprehensive security and a trusted platform, secure partitioning is required. The Intel Stratix 10 device achieves secure partitioning by implementing the TrustZone Trusted Firmware (ATF). The TrustZone model splits the computing environment into two isolated worlds, the secure world and the normal world, which are linked by a software monitor called the Secure Monitor. The two worlds have separate logical address spaces and peripherals. Communication between the two worlds is only possible by calling the privileged Secure Monitor call (SMC)
The full secure boot solution is:
Secure Device Manager
Secure Monitor mode is a privileged mode and is always secure regardless of the state of the NS bit. The Secure Monitor is the code that runs in Secure Monitor mode and handles switches to and from the secure world. The overall security of the software relies on the security of this code together with the secure boot code.
The following messages appear when the ATF build is successful:
The table below lists the Secure Monitor output files.
Table 2. Descriptions of Secure Monitor Files
File Path and Name
Generated binary file
Generated elf file
Generated binary file
Generated elf file
3.3. Building the UEFI Boot Loader
To build a UEFI boot loader, you obtain the UEFI source code and compile it with the supported toolchain.
The Unified Extensible Firmware Interface (UEFI) is a standardized firmware specification that simplifies and secures platform initialization and firmware bootstrap operations. UEFI is currently developed and supported by representatives from more than 250 industry-leading
and the Linaro Enterprise Group are also promoting the use of UEFI on
architecture, because the UEFI specification helps standardize the boot process for
UEFI technology is future-proofed through standardization of firmware design rather than proprietary firmware design. UEFI specifications promote business and technological efficiency, improve performance and security, facilitate interoperability between devices, platforms and systems, and comply with next-generation technologies. The UEFI specification is peer-reviewed and published, allowing developers to write firmware once per platform and reuse it with little modification. This reuse results in cost and time savings during boot loader
This framework uses the BSD license, permitting you to optionally commercialize your implementation with minimal legal issues.
You can compile the UEFI source code on either a Windows or a Linux system.
Building the UEFI requires additional Linux packages. The command to install the packages depends on your Linux distribution:
If you are using a Ubuntu distribution, type:
$ sudo apt-get install uuid-dev build-essential
If you are using a Fedora distribution, type:
$ sudo yum install uuid-devel libuuid-devel
Building UEFI also requires the Python package. If Python is not already available on your system, running the commands from the SoC EDS Embedded Command Shell provides the required Python dependency.
3.3.2. Obtaining the UEFI Source Code
The UEFI source code is located in GitHub. The following steps show you how to get the UEFI