Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Public

2.1. Secure Image Updates

The TCM RoT requires that all BMC firmware and FIM images are authenticated using ECDSA before loading and executing on the card. The TCM RoT may optionally require that AFU images are authenticated before loading and executing as well. The TCM RoT achieves this by storing the root entry hashes for the three image types in a write-once location in on-board flash memory, and subsequently verifying the signature of all images against these hashes. The board manufacturer provides the root entry hash for the BMC firmware. Intel® provides the root entry hash for FIM images. You create and program the root entry hash bitstream for AFU images. Until you program the AFU root entry hash bitstream, the Intel® FPGA PAC does not authenticate an AFU image prior to loading and executing the image.
Table 3. Keys and Authentication

| Root Key | Origin | Used to Authenticate |
| --- | --- | --- |
| BMC root key | Intel® FPGA PAC manufacturer | BMC Firmware Updates |
| Intel® FIM root key | Intel | Intel® FIM Updates |
| Partial reconfiguration (PR) AFU root key | Customer | AFUs |

When you are in the development or validation phase and have not programmed your root entry hash bitstream, you create AFU images that contain the appropriate headers but are not signed using keys. This process is called creating an unsigned image. An Intel® FPGA PAC that has not had the AFU root entry hash bitstream programmed runs any unsigned or signed AFU image. This capability allows you to test and validate the functionality of your AFU image prior to fully signing the image for deployment into a production environment. Please refer to the Creating Unsigned Images section for more information.

You program your AFU root entry hash bitstream to enable AFU image authentication. This process establishes you as the owner of the Intel® PAC with Intel® Arria® 10 GX FPGA. The Intel® PAC with Intel® Arria® 10 GX FPGA then requires you to create signatures based on this root entry for each AFU you intend to load on the Intel® FPGA PAC. Intel® strongly recommends that you program the root entry hash bitstream for Intel® FPGA PACs used in production environments. You must follow the flow below to enable user AFU image authentication on your Intel® FPGA PAC.

Figure 1. Secure User Image Flow

The chapters within this user guide cover the steps in this flow:

  1. Create your keys: Create your keys using a Hardware Security Module (HSM) or OpenSSL. You need at least two keys, one which you designate as a root key and another you designate as a code signing key (CSK). These keys are asymmetric keys, meaning they consist of an underlying pair of keys. The first is called a private key and the second is a public key that is derived from the private key. A private key is used to create signatures over objects that can be verified with the corresponding public key. The private key must be kept confidential, as anyone in possession of the private key can create a signature; conversely, if you maintain the confidentiality of the private key, then signatures can be trusted to originate only from you. The public key cannot create signatures or be used to derive the original private key. Therefore, it is neither required nor important to protect the confidentiality of the public key; the public key is considered public information.
  2. Create your root entry hash bitstream: Use the PACSign tool to create a bitstream that contains the root entry hash. You create a root entry hash bitstream from your root public key. This hash is a representation of your root public key and can only be created with an exact copy of the root public key. The root entry hash bitstream is then programmed to the Intel® FPGA PAC. The Intel FPGA PAC then uses this hash to verify the integrity of the root public key, which is included with all images transmitted to an Intel® FPGA PAC. After the integrity of the root public key is confirmed, it can be used in the signature verification process.
  3. Program your root entry hash bitstream into the Intel® FPGA PAC. You must use the fpgasupdate command to program the bitstream containing your root entry hash into the flash on the board. Until you program the root entry hash bitstream, the Intel FPGA PAC loads and executes any signed or unsigned image. Intel strongly recommends that you create and program a root entry hash bitstream for Intel® FPGA PACs deployed in production environments. Please refer to the Using fpgasupdate chapter for more information.
    Note: Only the owner who is deploying the Intel® FPGA PAC must program the root entry hash bitstream.
  4. Sign your AFU image. Using PACSign you can sign your image with the root public key and code signing key. Please refer to the Intel® FPGA PAC Security Flow chapter for more information.
  5. Program your AFU image onto the Intel® FPGA PAC. Use the fpgasupdate command to program your AFU into flash. The Intel® FPGA PAC verifies the AFU to ensure only an authorized bitstream is loaded. The root public key, code signing public key, signature of the code signing public key, and signature of the code or design are all attached to the image transmitted to the Intel® FPGA PAC. The card first verifies the integrity of the root public key, then verifies the signature of the code signing public key using the root public key, and finally proceeds to verify the signature of the code or design using the code signing public key. The code or design is only accepted if all three of these steps are completed successfully.
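The key chain built in steps 2 through 5 and the card's three-step check, as an added Go example that is not Intel's code or PACSign's. It assumes P-256 ECDSA keys, models the root entry hash as a SHA-256 of the root public key, and uses a constructed image layout that stands in for the material the page says travels with an AFU; like an unprogrammed Intel® FPGA PAC, Verify accepts anything when no root entry hash is present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SignedImage is a constructed stand-in for what the page says travels with an AFU (not PACSign's
// real format); signatures are ASN.1 ECDSA over the SHA-256 digest of the signed bytes.
type SignedImage struct {
	RootPub, CSKPub           *ecdsa.PublicKey
	CSKSig, DesignSig, Design []byte // root key's sig over the CSK, CSK's sig over the design, the design
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey makes a P-256 key pair; KeyBytes is the X||Y key encoding that is hashed and signed (both assumptions).
func NewKey() *ecdsa.PrivateKey          { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func KeyBytes(k *ecdsa.PublicKey) []byte { return append(k.X.Bytes(), k.Y.Bytes()...) }
func digest(b []byte) []byte             { d := sha256.Sum256(b); return d[:] }

// RootEntryHash models the write-once flash value: a hash of the root public key only.
func RootEntryHash(root *ecdsa.PublicKey) [32]byte { return sha256.Sum256(KeyBytes(root)) }

// SignImage builds the chain: the root key signs the CSK, the CSK signs the design.
func SignImage(root, csk *ecdsa.PrivateKey, design []byte) *SignedImage {
	cskSig := must(ecdsa.SignASN1(rand.Reader, root, digest(KeyBytes(&csk.PublicKey))))
	designSig := must(ecdsa.SignASN1(rand.Reader, csk, digest(design)))
	return &SignedImage{&root.PublicKey, &csk.PublicKey, cskSig, designSig, design}
}

// Verify is the card-side three-step check; programmed == nil models a card whose root entry
// hash was never programmed, which loads any signed or unsigned image unchecked.
func Verify(img *SignedImage, programmed *[32]byte) error {
	switch {
	case programmed == nil:
		return nil
	case img.RootPub == nil || RootEntryHash(img.RootPub) != *programmed:
		return errors.New("step 1: root public key does not match the programmed root entry hash")
	case img.CSKPub == nil || !ecdsa.VerifyASN1(img.RootPub, digest(KeyBytes(img.CSKPub)), img.CSKSig):
		return errors.New("step 2: CSK signature does not verify under the root key")
	case !ecdsa.VerifyASN1(img.CSKPub, digest(img.Design), img.DesignSig):
		return errors.New("step 3: design signature does not verify under the CSK")
	}
	return nil
}
```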
