Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

Download PDF
ID 683519
Date 9/08/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide A. bitstreaminfo Tool Examples
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page 3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information x
3.12.1. Using fpgainfo security Command 3.12.2. Reading sysfs Files for Identifying Information 3.12.3. Using bitstreaminfo Tool
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide
A. bitstreaminfo Tool Examples

3.1. Installing PACSign

PACSign is a standalone tool that interfaces with your HSM to manage root entry hash bitstream creation, image signing, and cancellation bitstream creation. PACSign is implemented in Python and requires Python 3. Using PACSign with the PKCS11 interface requires the python-pkcs11 package. PACSign does not need an Intel® FPGA PAC installed in the system to run. Systems where signed images are being deployed to an Intel® FPGA PAC do not need PACSign installed nor access to the HSM.
Note: You must install Python 3 to use PACSign.
Note: The Acceleration Stack includes the PACSign package. You can check if you already have this package by typing: rpm -qa| grep opae.
  1. Unpack the opae.pac_sign-1.0.1.tar.gz tarball, which contains the opae.pac_sign-1.0.4-2.x86_64.rpm package. 
    sudo yum install opae.pac_sign-1.0.4-2.x86_64.rpm
    You can use the RTE installer with this command to extract and just install PACSign: 
    ./n3000-1.3.8-rte-setup.sh -t pacsign -n
~/n3000_ias_1_1_pv_rte_installer
Running setup
Do you wish to install OPAE PACSign ?
  2. Ensure you have installed Python 3, the Python 3 development libraries, and the Python 3 version of the python-pkcs11 package on your system.
  3. Use your system package installer to install the .rpm package.
    PACSign installs to your /usr/local/bin directory and the necessary Python3.6 modules install to your /usr/local/lib directory.
    Note:

    PACSign depends on a Python3 interpreter version 3.6 or later. You must either install Python3 to, or create a symlink in, /usr/local/bin for PACSign to work. You must also ensure that the python modules PACSign depends on are visible to your python3 interpreter. You can do this by including the path /usr/local/lib/python3.6/site-packages/ in the PYTHONPATH environment variable. 

    export PYTHONPATH=/usr/local/lib/python3.6/site-packages/
Level Two Title