Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Public
Document Table of Contents

3.6. Root Entry Hash Bitstream Creation

In order to program the root entry hash to an Intel® FPGA PAC, you must use PACSign to create a root entry hash bitstream.

  1. In your PACSign command, specify the type RK_256 and select the appropriate HSM manager and configuration.
    • To create a root entry hash bitstream using OpenSSL and the key generated in the OpenSSL Key Creation topic, type:
      [PACSign_Demo]$ PACSign AFU -t RK_256 -H openssl_manager \
      -r key_pr_root_public_key.pem -o root_public_program_ssl.gbs
    • To create a root entry hash bitstream using a SoftHSM and the root key generated in the HSM Key Creation topic, type:
      [PACSign_Demo]$ PACSign AFU -t RK_256 -H pkcs11_manager \
      -C softhsm.json -r root_key -o root_public_program_hsm.gbs
      Note: PACSign requires an HSM configuration *.json file to request the correct key from the HSM. For more information about the structure and contents of the *.json file, refer to the PACSign PKCS11 Manager .json Reference topic.
  2. After creating the root entry hash bitstream, program the bitstream to an Intel® FPGA PAC using the fpgasupdate command as follows:
    $ sudo fpgasupdate root_public_program_ssl.gbs 05:00.0
    This operation is permanent and irreversible. After an AFU root entry hash bitstream is programmed, the Intel® FPGA PAC validates an AFU signature prior to loading. For more details on key management, see the Key Management topic. For more information on how to use fpgasupdate, refer to the Intel Acceleration Stack Quick Start Guide for Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA.

Did you find the information on this page useful?

Characters remaining:

Feedback Message