Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

ID 683519
Date 9/08/2020
Public

2.3. Key Management

The Intel® MAX® 10 BMC RoT uses ECDSA with a key length of 256 bits to authenticate:
  • Intel® MAX® 10 BMC Nios® firmware and Intel® MAX® 10 FPGA images
  • FPGA static region (SR) user image
The Intel® MAX® 10 BMC RoT supports separate key chains for each image, and each key chain must consist of a root key and a CSK.
The Intel® MAX® 10 BMC RoT does not support signing any image with a root key. You must use a key designated as a CSK to sign your image. When creating keys and root entry hashes and programming your image on the Intel® FPGA PAC, you are responsible for the following steps:
  • You must manage assigning CSK IDs to CSKs and consistently use the same ID for a given CSK. Neither an Intel® FPGA PAC nor the PACSign tool associates a particular key's value with its ID. It is possible to assign a given CSK multiple IDs, or multiple CSKs to a given ID. This may result in unintended consequences when attempting to cancel a CSK. Intel recommends an exclusive ID assignment for each CSK.
  • You are responsible for creating the appropriate key cancellation bitstreams. You must use the same ID number for key cancellation as the one you assigned to the CSK at key creation. Key cancellation bitstreams must be signed with the applicable root key. This helps avoid denial of service through an unintended cancellation of all key values.
  • You are responsible for generating and managing your FPGA static region image root key and CSKs. You generate the FPGA SR user image root entry hash bitstream using your root key.
  • You are also responsible for programming this root entry hash bitstream on the Intel® FPGA PAC. If your Intel® FPGA PAC does not have a programmed FPGA SR user image root entry hash bitstream stored, it executes any signed or unsigned image.
    Note: Intel strongly recommends programming an image root entry hash bitstream. You must protect the confidentiality of the root private key throughout the life of the Intel® FPGA PAC.
The Intel® MAX® 10 BMC RoT stores root entry hash bitstreams in the on-board flash for:
  1. BMC Nios® firmware and Intel® MAX® 10 FPGA images
  2. FPGA SR user image

The BMC is architected so that a root entry hash, once programmed, cannot be revoked, changed, or erased.

In the future, Intel-provided updates to the Intel® MAX® 10 BMC firmware or Intel® MAX® 10 images may necessitate an Intel key cancellation in order to help prevent an unintended rollback to a prior version. In this case, Intel signs the update with a CSK whose ID differs from that of all prior updates, and provides a separate key cancellation bitstream to cancel the appropriate Intel keys. You may test an update by applying it before programming the key cancellation bitstream. The prior BMC firmware or update images continue to be accepted as valid updates until the new key cancellation bitstream is applied.