Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Document Table of Contents

2. Intel® FPGA PAC Security Features

The Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA contains logic in the static region (SR) called the Trusted Control Module (TCM). The TCM acts as a Root of Trust (RoT) and enables the secure update features of the Intel® FPGA PAC. The TCM RoT includes features that may help prevent the following:

  • Loading or executing of unauthorized code or designs.
  • Disruptive operations attempted by unprivileged software, privileged software, or the host BMC.
  • Unintended execution of older code or designs with known bugs or vulnerabilities by enabling the TCM to revoke authorization.

The TCM RoT also enforces several other security policies relating to access through various interfaces, as well as protecting the on-board flash through write rate limitation.

The TCM RoT verifies:

  • Board Management Controller (BMC) firmware updates
  • FIM images.
  • AFU (partial reconfiguration region) images.
The TCM RoT is programmed with Intel root entry hashes for Intel FIM images during a one-time secure update (OTSU) to preproduction units or at manufacturing, but does not contain a root entry hash for AFUs. You must create your AFU root entry hash bitstream using the PACSign tool provided by Intel. The TCM RoT accepts and programs exactly one AFU root entry hash bitstream.
Note: This operation cannot be reversed, and after this operation, AFUs without correct signatures are refused by the Intel® PAC with Intel® Arria® 10 GX FPGA. A correct signature is one created by a Code Signing Key (CSK) that is both signed by the root key and not yet canceled.

In cases where you have a pre-security production Intel® FPGA PAC, you must perform a one-time secure update. Please refer to the One-Time Secure Update section in the Intel Acceleration Stack Quick Start Guide for Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA for more information.

Did you find the information on this page useful?

Characters remaining:

Feedback Message