Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants
ID: 683519
Date: 9/08/2020
Public
3.8. Creating a CSK ID Cancellation Bitstream
To cancel a CSK ID on an Intel® FPGA PAC, you must use PACSign to create a CSK ID cancellation bitstream. To do this, you must specify the type CANCEL, select the appropriate HSM manager and root key, and provide the CSK ID number to cancel. For OpenSSL, the CSK ID used during image signing is derived from the CSK filename. For PKCS11, the CSK ID used during image signing is extracted from the csk_id field in the configuration .json discussed in the next section.
- Create a cancellation bitstream.
Using OpenSSL:
PACSign SR -t CANCEL -H openssl_manager -r key_fim_root_public_key.pem -d 1 -o ssl_csk1_cancel.bin
Using PKCS11:
PACSign SR -t CANCEL -H pkcs11_manager -C softhsm.json -r root_key -d 1 -o hsm_csk1_cancel.bin
- Program the CSK ID cancellation on the Intel® FPGA PAC using the fpgasupdate tool.
fpgasupdate ssl_csk1_cancel.bin b2:00.0
CSK ID cancellation bitstreams are only valid on Intel® FPGA PACs that have been programmed with the corresponding root entry hash bitstream.
- After you program a CSK ID cancellation bitstream, you must power cycle the Intel® FPGA PAC.
[PACSign_Demo]$ sudo rsu bmcimg b2:00.0