Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

ID 683519
Date 9/08/2020
Public
Document Table of Contents

2.4. Authentication

To enable authentication:
  1. Use the PACSign tool to create a root entry hash bitstream.
  2. Use the fpgasupdate tool to program the bitstream onto the Intel® FPGA PAC.
    $ sudo fpgasupdate [--log-level=<level>] file [bdf]
  3. Power cycle your card to load the new bitstream by running the following command:
    $ sudo rsu bmcimg 3e:00.0
    Note: In this example, the [bdf] is 3e:00.0. You must provide the BDF assigned to the PCIe* DevID 0b30 on your system.

All key operations are done using PACSign. PACSign is a standalone tool that is not required to be run on a machine with the Intel FPGA PAC installed. Key creation, signing, and cancellation bitstream creation are not runtime operations and can be performed at any time. The signing process prepends the signature to the FPGA SR User image file. The BMC RoT does not need access to the HSM at any point to verify a signature.

The signing process requires a root key and a Code Signing Key (CSK). PACSign first signs the CSK with the root key, and then signs the image with the CSK. The signature process prepends two “blocks” of data to the image file.
Note: If you are using an Intel Acceleration Stack version 1.1 production or greater, your FPGA SR user image must have prepended signature blocks, even if the corresponding root entry hash bitstream has not been programmed. PACSign allows you to prepend the required blocks with an empty signature chain.