3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3. Intel FPGA PAC Security Flow
The following steps describe the flow to enable Intel® FPGA PAC security. See the corresponding sections in this chapter for detailed instructions on each step.
- Install PACSign.
- If you are in development, you may optionally create an unsigned AFU image to test and validate the functionality of your AFU image prior to fully signing the image for deployment into a production environment. Please refer to the Creating Unsigned Images section for more information.
- Create your root key and CSK(s). You can use OpenSSL or an HSM for this action.
Figure 2. Key Creation Using OpenSSLFigure 3. Key Creation Using HSM pkcs11_tool
- Create your root entry hash bitstream.
Figure 4. Creating Root Entry Hash Bitstream with OpenSSLFigure 5. Creating Root Entry Hash Bitstream with HSM pkcs11_manager
- Program your root entry hash bitstream onto the Intel® FPGA PAC. You must power cycle the Intel® FPGA PAC after you have programmed the root entry hash bitstream.
- Sign your AFU.
Figure 6. Signing your image with OpenSSLFigure 7. Signing your image with pkcs11_manager
- Program your AFU into the Intel® FPGA PAC. For directions on how to program your AFU, refer to the Using fpgasupdate chapter.
Did you find the information on this page useful?