3.7. Signing Images
After the root and code signing keys have been created, you may sign your AFU. Use the PR bitstream type with the UPDATE identifier to perform this operation, and specify the HSM configuration, root key, code signing key, and image input and output file names.
[PACSign_Demo]$ PACSign PR -t UPDATE -H openssl_manager \
    -r key_pr_root_public_key.pem -k key_pr_csk1_public_key.pem -i hello_afu.gbs \

[PACSign_Demo]$ PACSign PR -t UPDATE -H pkcs11_manager -C softhsm.json \
    -r root_key -k csk_1 -i hello_afu.gbs -o hello_afu_signed_hsm.gbs
You can program signed bitstreams on your Intel® FPGA PAC by using the fpgasupdate tool and performing a remote system update. An Intel® FPGA PAC only authenticates signed bitstreams after a root entry hash bitstream has been programmed. An Intel® FPGA PAC that has not been programmed with a root entry hash bitstream accepts a signed bitstream and ignores the contents of the signature chain.
If you sign your image with a canceled CSK and attempt to program the Intel® FPGA PAC, the BMC recognizes the bitstream as corrupted and reports an error. You must then power cycle the Intel® FPGA PAC to recover the card.