Visible to Intel only — GUID: ccj1569345459321
Ixiasoft
3.1. Installing PACSign
3.2. PACSign Tool
3.3. Creating Unsigned Images
3.4. Using an HSM Manager
3.5. Creating Keys
3.6. Root Entry Hash Bitstream Creation
3.7. Signing Images
3.8. Creating a CSK ID Cancellation Bitstream
3.9. PACSign PKCS11 Manager *.json Reference
3.10. Creating a Custom HSM Manager
3.11. PACSign Man Page
3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information
Visible to Intel only — GUID: ccj1569345459321
Ixiasoft
3.7. Signing Images
After the root and code signing keys have been created, you may sign your FPGA SR user image. Use the appropriate SR bitstream type with the UPDATE identifier to perform this operation, and specify the HSM configuration, root key, code signing key, and image input and output file names.
The following example demonstrates image signing using OpenSSL and the root and code signing keys generated in OpenSSL Key Creation topic.
[PACSign_Demo]$ PACSign SR -t UPDATE -H openssl_manager -r key_fim_root_public_key.pem -k key_fim_csk1_public_key.pem -i hello_afu.bin -o hello_afu_signed_ssl.bin
Note: Even though public keys are specified in the above OpenSSL signing process, the bitstream is indeed signed with the private keys. The OpenSSL signing requires the private keys and they must be the same name with ‘public’ replaced with ‘private’. The reason public keys are specified is because private keys are usually maintained by an HSM and are not available to you.
The following example demonstrates image signing using SoftHSM PKCS11 and the root and code signing keys generated in HSM Key Creation topic. Using this method, you must create a softhsm.json file. Refer to the PACSign PKCS11 Manager .json Reference topic for more information on the *.json file.
[PACSign_Demo]$ PACSign SR -t UPDATE -H pkcs11_manager -C softhsm.json -r root_key -k csk_1 -i hello_afu.bin -o hello_afu_signed_hsm.bin
You can program signed bitstreams on your Intel® FPGA PAC by using the fpgasupdate tool and power cycle the card.
[PACSign_Demo]$ sudo fpgasupdate <signed bitstream> B:D.F [PACSign_Demo]$ sudo rsu bmcimg B:D.FAn Intel® FPGA PAC only authenticates signed bitstreams after a root entry hash bitstream has been programmed. An Intel® FPGA PAC that has not been programmed with a root entry hash bitstream accepts a signed bitstream and ignores the contents of the signature chain.
If your fpgasudate fails, refer to section Troubleshooting for guidance on interpretation of the error and for corrective action.