Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

Download PDF
ID 683453
Date 3/06/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Creating OpenCL* Bitstreams
3.7.1. Creating OpenCL* Bitstreams x
3.7.1.1. Sourcing the init_env.sh Script 3.7.1.2. Creating the OpenCL* Bitstream 3.7.1.3. Programming the Image File
3.7.1.2. Creating the OpenCL* Bitstream x
3.7.1.2.1. Example: Creating a Signed .aocx File Using OpenSSL Manager 3.7.1.2.2. Example: Creating an Unsigned .aocx File Using OpenSSL Manager 3.7.1.2.3. Example: Creating a Signed .aocx File Using PKCS11 Manager 3.7.1.2.4. Example: Creating an Unsigned .aocx File Using PKCS11 Manager
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History

3.5.1. OpenSSL Key Creation

When using OpenSSL, create a private key and then create the corresponding public key. The PACSign OpenSSL manager requires specific tags in the key file names using a format: key_<image_type>_<key_type>_<key_visibility>_key.pem.
Table 4.  PACSign OpenSSL Manager Key File Name Requirements
Filename Tag Options Description
image_type
  • pr
  • sr
Identifies image type, partial reconfiguration or static region, for which the key is intended.
  • For Intel® PAC with Intel® Arria® 10 GX FPGA, use; key_pr_<key_type>_<key_section>_key.pem
key_type
  • root
  • csk<x>
Identifies key type. <x> specifies an ID that you use for cancellation.
  • Example: key_pr_csk12_private_key.pem
key_visibility
  • public
  • private
Identifies the key visibility.

The following example creates a root key and two code signing keys using OpenSSL.

  1. Create the root private key: 
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout \
-out key_pr_root_private_key.pem
    Output: 
    using curve name prime256v1 instead of secp256r1
  2. Create the root public key: 
    [PACSign_Demo]$ openssl ec -in key_pr_root_private_key.pem -pubout \
-out key_pr_root_public_key.pem
    Output: 
    read EC key
writing EC key
  3. Create private CSK1: 
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout \
-out key_pr_csk1_private_key.pem
    Output: 
    using curve name prime256v1 instead of secp256r1
  4. Create public CSK1: 
    [PACSign_Demo]$ openssl ec -in key_pr_csk1_private_key.pem -pubout \
-out key_pr_csk1_public_key.pem
    Output: 
    read EC key
writing EC key
  5. Create private CSK2: 
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout \
-out key_pr_csk2_private_key.pem
    Output: 
    using curve name prime256v1 instead of secp256r1
  6. Create public CSK2: 
    [PACSign_Demo]$ openssl ec -in key_pr_csk2_private_key.pem -pubout \
-out key_pr_csk2_public_key.pem
    Output: 
    read EC key
writing EC key
Level Two Title