FSBL Required? #210

Closed
jctullos opened this issue Sep 23, 2020 · 3 comments

@jctullos

I'm using the modified FU540 FSBL for some of the FPGA builds to boot Keystone. On one of my builds, it'll take some extra work to get it added in. Is the SM-specific code in the FSBL required for correct operation? I know the test keys are in the lds for riscv-pk, so it saves me some time if I don't have to implement the FSBL portion.

Thank you!

@dayeol
Contributor

dayeol commented Sep 29, 2020

FSBL is required only for getting a valid remote attestation report.
The Keystone framework itself doesn't include any hardware components such as secure booting (e.g., hardware hashes the boot image and then signs it), so we're basically emulating it via FSBL (or bootrom). The only thing FSBL does is to provide the security monitor key and then generate the report.

Attestation will not be valid until you have solid hardware that does all of these. We're "emulating" all of these processes anyways, so if you're not interested in the attestation-related features, then you can just skip the FSBL part.
You'll still be able to create/launch an enclave, but the attestation will never succeed (as the attestation key will be all 0s).

Note that we don't emulate bootrom in FireSim either, so attestation will not work in FireSim.
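
The sketch below is an added illustration, not part of this thread and not Keystone's code: it models the boot-time step described in the comment above and shows, from the verifier's side, why a build that skips it cannot pass attestation. The key derivation, field names, sizes, and the HMAC standing in for the device signature are assumptions chosen to keep it standard-library Python; a real verifier would hold only a device public key.

```python
import hashlib
import hmac

KEY_LEN = 32  # assumed key length for this sketch


def fsbl_provision(device_secret: bytes, sm_image: bytes) -> dict:
    """Emulated secure boot: measure the SM image, derive and endorse the SM key."""
    sm_hash = hashlib.sha3_512(sm_image).digest()
    sm_key = hashlib.sha3_512(device_secret + sm_hash).digest()[:KEY_LEN]
    # HMAC stands in for the device's signature over (measurement || key).
    endorsement = hmac.new(device_secret, sm_hash + sm_key, hashlib.sha256).digest()
    return {"sm_hash": sm_hash, "sm_key": sm_key, "endorsement": endorsement}


def boot_without_fsbl() -> dict:
    """FSBL step skipped: nothing fills in the key material, so it stays zero."""
    return {"sm_hash": bytes(64), "sm_key": bytes(KEY_LEN), "endorsement": bytes(32)}


def verify_boot_state(state: dict, device_secret: bytes, expected_sm_hash: bytes):
    """Verifier-side checks; returns (accepted, reason)."""
    if hmac.compare_digest(state["sm_key"], bytes(len(state["sm_key"]))):
        return False, "all-zero attestation key"
    if not hmac.compare_digest(state["sm_hash"], expected_sm_hash):
        return False, "unexpected SM measurement"
    expected = hmac.new(device_secret, state["sm_hash"] + state["sm_key"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(state["endorsement"], expected):
        return False, "bad endorsement"
    return True, "ok"


# Constructed sample values, not real keys or images.
DEVICE_SECRET = b"constructed-device-secret"
SM_IMAGE = b"constructed security monitor image"
KNOWN_GOOD_HASH = hashlib.sha3_512(SM_IMAGE).digest()

if __name__ == "__main__":
    for label, state in [
        ("with FSBL", fsbl_provision(DEVICE_SECRET, SM_IMAGE)),
        ("without FSBL", boot_without_fsbl()),
        ("modified SM", fsbl_provision(DEVICE_SECRET, SM_IMAGE + b"!")),
    ]:
        print(label, verify_boot_state(state, DEVICE_SECRET, KNOWN_GOOD_HASH))
```

Checking for the all-zero key first gives a verifier a clear diagnosis for builds that skipped key provisioning, instead of a generic signature failure.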

@dayeol
Contributor

dayeol commented Sep 29, 2020

Closing

@dayeol dayeol closed this as completed Sep 29, 2020
@jctullos
Author

jctullos commented Oct 4, 2020

@dayeol That's great, thank you for the info!
