Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

Download PDF
ID 683453
Date 3/06/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Creating OpenCL* Bitstreams
3.7.1. Creating OpenCL* Bitstreams x
3.7.1.1. Sourcing the init_env.sh Script 3.7.1.2. Creating the OpenCL* Bitstream 3.7.1.3. Programming the Image File
3.7.1.2. Creating the OpenCL* Bitstream x
3.7.1.2.1. Example: Creating a Signed .aocx File Using OpenSSL Manager 3.7.1.2.2. Example: Creating an Unsigned .aocx File Using OpenSSL Manager 3.7.1.2.3. Example: Creating a Signed .aocx File Using PKCS11 Manager 3.7.1.2.4. Example: Creating an Unsigned .aocx File Using PKCS11 Manager
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History

3. Intel FPGA PAC Security Flow

The following steps describe the flow to enable Intel® FPGA PAC security. See the corresponding sections in this chapter for detailed instructions on each step.
  1. Install PACSign.
  2. If you are in development, you may optionally create an unsigned AFU image to test and validate the functionality of your AFU image prior to fully signing the image for deployment into a production environment. Please refer to the Creating Unsigned Images section for more information.
  3. Create your root key and CSK(s). You can use OpenSSL or an HSM for this action.
    Figure 2. Key Creation Using OpenSSL
    Figure 3. Key Creation Using HSM pkcs11_tool
  4. Create your root entry hash bitstream.
    Figure 4. Creating Root Entry Hash Bitstream with OpenSSL
    Figure 5. Creating Root Entry Hash Bitstream with HSM pkcs11_manager
  5. Program your root entry hash bitstream onto the Intel® FPGA PAC. You must power cycle the Intel® FPGA PAC after you have programmed the root entry hash bitstream.
  6. Sign your AFU.
    Figure 6. Signing your image with OpenSSL
    Figure 7. Signing your image with pkcs11_manager
  7. Program your AFU into the Intel® FPGA PAC. For directions on how to program your AFU, refer to the Using fpgasupdate chapter.
Related Information
Level Two Title