Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Public
Document Table of Contents

3.7. Signing Images

After the root and code signing keys have been created, you may sign your AFU. Use the PR bitstream type with the UPDATE identifier to perform this operation, and specify the HSM configuration, root key, code signing key, and image input and output file names.

The following example demonstrates image signing using OpenSSL and the root and code signing keys generated in OpenSSL Key Creation topic.
[PACSign_Demo]$ PACSign PR -t UPDATE -H openssl_manager \
-r key_pr_root_public_key.pem -k key_pr_csk1_public_key.pem -i hello_afu.gbs \
-o hello_afu_signed_ssl.gbs
The following example demonstrates image signing using SoftHSM PKCS11 and the root and code signing keys generated in HSM Key Creation topic. Refer to the PACSign PKCS11 Manager .json Reference topic for more information on the *.json file used.
[PACSign_Demo]$ PACSign PR -t UPDATE -H pkcs11_manager -C softhsm.json \
-r root_key -k csk_1 -i hello_afu.gbs -o hello_afu_signed_hsm.gbs

You can program signed bitstreams on your Intel® FPGA PAC by using the fpgasupdate tool and performing a remote system update. An Intel® FPGA PAC only authenticates signed bitstreams after a root entry hash bitstream has been programmed. An Intel® FPGA PAC that has not been programmed with a root entry hash bitstream accepts a signed bitstream and ignores the contents of the signature chain.

If you sign your image with a canceled CSK and attempt to program the Intel® FPGA PAC, the BMC recognizes the bitstream as corrupted, reports an error and you must power cycle the Intel® FPGA PAC to recover the card.

Did you find the information on this page useful?

Characters remaining:

Feedback Message