Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Document Table of Contents

2.4. Authentication

To enable authentication:
  1. Use the PACSign tool to create a root entry hash bitstream.
  2. Use the fpgasupdate tool to program the bitstream onto the Intel® FPGA PAC.
    $ sudo fpgasupdate [--log-level=<level>] file [bdf]
Note: After the root entry hash bitstream is programmed, the Intel® FPGA PAC must be power cycled.

All key operations are done using PACSign. PACSign is a standalone tool that is not required to be run on a machine with the Intel FPGA PAC installed. Key creation, signing, and cancellation bitstream creation are not runtime operations and can be performed at any time. The signing process prepends the signature to the AFU image file. The TCM RoT does not need access to the HSM at any point to verify a signature.

The signing process requires a root key and a Code Signing Key (CSK). PACSign first signs the CSK with the root key, and then signs the image with the CSK. The signature process prepends two “blocks” of data to the image file.
Note: If you are using an Intel Acceleration Stack version 1.2.1 or greater, your AFUs must have prepended signature blocks, even if the corresponding root entry hash bitstream has not been programmed. PACSign allows you to prepend the required blocks with an empty signature chain.