Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

Download PDF
ID 683453
Date 3/06/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Creating OpenCL* Bitstreams
3.7.1. Creating OpenCL* Bitstreams x
3.7.1.1. Sourcing the init_env.sh Script 3.7.1.2. Creating the OpenCL* Bitstream 3.7.1.3. Programming the Image File
3.7.1.2. Creating the OpenCL* Bitstream x
3.7.1.2.1. Example: Creating a Signed .aocx File Using OpenSSL Manager 3.7.1.2.2. Example: Creating an Unsigned .aocx File Using OpenSSL Manager 3.7.1.2.3. Example: Creating a Signed .aocx File Using PKCS11 Manager 3.7.1.2.4. Example: Creating an Unsigned .aocx File Using PKCS11 Manager
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History

3.6. Root Entry Hash Bitstream Creation

In order to program the root entry hash to an Intel® FPGA PAC, you must use PACSign to create a root entry hash bitstream.

  1. In your PACSign command, specify the type RK_256 and select the appropriate HSM manager and configuration.
    • To create a root entry hash bitstream using OpenSSL and the key generated in the OpenSSL Key Creation topic, type:
      [PACSign_Demo]$ PACSign AFU -t RK_256 -H openssl_manager \
-r key_pr_root_public_key.pem -o root_public_program_ssl.gbs
    • To create a root entry hash bitstream using a SoftHSM and the root key generated in the HSM Key Creation topic, type:
      [PACSign_Demo]$ PACSign AFU -t RK_256 -H pkcs11_manager \
-C softhsm.json -r root_key -o root_public_program_hsm.gbs
      Note: PACSign requires an HSM configuration *.json file to request the correct key from the HSM. For more information about the structure and contents of the *.json file, refer to the PACSign PKCS11 Manager .json Reference topic.
  2. After creating the root entry hash bitstream, program the bitstream to an Intel® FPGA PAC using the fpgasupdate command as follows: 
    $ sudo fpgasupdate root_public_program_ssl.gbs 05:00.0
    This operation is permanent and irreversible. After an AFU root entry hash bitstream is programmed, the Intel® FPGA PAC validates an AFU signature prior to loading. For more details on key management, see the Key Management topic. For more information on how to use fpgasupdate, refer to the Intel Acceleration Stack Quick Start Guide for Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA.
Related Information
Level Two Title