Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Public
Document Table of Contents

3.1. Installing PACSign

PACSign is a standalone tool that interfaces with your HSM to manage root entry hash bitstream creation, image signing, and cancellation bitstream creation. PACSign is implemented in Python and requires Python 3. Using PACSign with the PKCS11 interface requires the python-pkcs11 package. PACSign does not need an Intel® FPGA PAC installed in the system to run. Systems where signed images are being deployed to an Intel® FPGA PAC do not need PACSign installed nor access to the HSM.
Note: You must install Python 3 to use PACSign.
Note: The Acceleration Stack includes the PACSign package. You can check if you already have this package by typing: rpm -qa| grep opae.
  1. Unpack the opae.pac_sign-1.0.3.tar.gz tarball, which contains the opae.pac_sign-1.0.3-1.x86_64.rpm package.
    sudo yum install opae.pac_sign-1.0.3-1.x86_64.rpm
  2. Ensure you have installed Python 3, the Python 3 development libraries, and the Python 3 version of the python-pkcs11 package on your system.
  3. Use your system package installer to install the .rpm package.
    PACSign installs to your /usr/local/bin directory and the necessary Python3.6 modules install to your /usr/local/lib directory.
    Note:

    PACSign depends on a Python3 interpreter version 3.6 or later. You must either install Python3 to, or create a symlink in, /usr/local/bin for PACSign to work. You must also ensure that the python modules PACSign depends on are visible to your python3 interpreter. You can do this by including the path /usr/local/lib/python3.6/site-packages/ in the PYTHONPATH environment variable.

    export PYTHONPATH=/usr/local/lib/python3.6/site-packages/