Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

ID 683519
Date 9/08/2020
Public

3.7. Signing Images

After the root and code signing keys have been created, you may sign your FPGA SR user image. Use the appropriate SR bitstream type with the UPDATE identifier to perform this operation, and specify the HSM configuration, root key, code signing key, and image input and output file names.

The following example demonstrates image signing using OpenSSL and the root and code signing keys generated in the OpenSSL Key Creation topic.

[PACSign_Demo]$ PACSign SR -t UPDATE -H openssl_manager -r key_fim_root_public_key.pem -k key_fim_csk1_public_key.pem -i hello_afu.bin -o hello_afu_signed_ssl.bin

Note: Although public keys are specified in the OpenSSL signing command above, the bitstream is signed with the private keys. OpenSSL signing requires the private key files, and each must have the same name as its public key file with ‘public’ replaced by ‘private’. Public keys are specified because private keys are usually maintained by an HSM and are not available to you.
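
The naming rule in the note above can be checked before signing. The following pre-flight check is an added example, not part of Intel's guide or of PACSign: it derives the private key file name the note describes, confirms that the file exists and is not readable by group or others, and confirms that it matches the public key passed to -r or -k. The function names are hypothetical, and applying the ‘public’ to ‘private’ substitution to the file name only (not the directory) is an assumption.

```sh
# Added example, not Intel's code: pre-flight check for the openssl_manager
# naming rule. Assumption: "public" -> "private" is applied to the file name
# only; the function names are hypothetical.

# Print the private-key path expected beside a public-key path.
# The ( ) body runs in a subshell, so exit sets the function's status.
derive_private_path() (
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    case $base in
        *public*) printf '%s/%s\n' "$dir" "$(printf '%s' "$base" | sed 's/public/private/')" ;;
        *) exit 2 ;;  # name does not follow the public/private convention
    esac
)

# Status 0 only if the private key exists, is not readable by group or
# others, and yields the same public key as the file passed to -r or -k.
check_key_pair() (
    pub=$1
    priv=$(derive_private_path "$pub") || { echo "no 'public' in name: $pub" >&2; exit 2; }
    [ -r "$priv" ] || { echo "missing private key: $priv" >&2; exit 3; }
    if [ -n "$(find -L "$priv" -perm -040 -o -perm -004)" ]; then
        echo "private key readable by group or others: $priv" >&2; exit 4
    fi
    from_priv=$(openssl pkey -in "$priv" -pubout 2>/dev/null) ||
        { echo "cannot parse: $priv" >&2; exit 5; }
    from_pub=$(openssl pkey -pubin -in "$pub" -pubout 2>/dev/null) ||
        { echo "cannot parse: $pub" >&2; exit 5; }
    [ "$from_priv" = "$from_pub" ] || { echo "key mismatch: $pub" >&2; exit 6; }
)

# Typical use before the OpenSSL signing command shown above:
#   check_key_pair key_fim_root_public_key.pem &&
#   check_key_pair key_fim_csk1_public_key.pem &&
#   PACSign SR -t UPDATE -H openssl_manager \
#       -r key_fim_root_public_key.pem -k key_fim_csk1_public_key.pem \
#       -i hello_afu.bin -o hello_afu_signed_ssl.bin
```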

The following example demonstrates image signing using SoftHSM PKCS11 and the root and code signing keys generated in the HSM Key Creation topic. This method requires you to create a softhsm.json file. Refer to the PACSign PKCS11 Manager .json Reference topic for more information on the *.json file.

[PACSign_Demo]$ PACSign SR -t UPDATE -H pkcs11_manager -C softhsm.json -r root_key -k csk_1 -i hello_afu.bin -o hello_afu_signed_hsm.bin

You can program signed bitstreams on your Intel® FPGA PAC by using the fpgasupdate tool and then power cycling the card.

[PACSign_Demo]$ sudo fpgasupdate <signed bitstream> B:D.F
[PACSign_Demo]$ sudo rsu bmcimg B:D.F

An Intel® FPGA PAC only authenticates signed bitstreams after a root entry hash bitstream has been programmed. An Intel® FPGA PAC that has not been programmed with a root entry hash bitstream accepts a signed bitstream and ignores the contents of the signature chain.

If fpgasupdate fails, refer to the Troubleshooting section for guidance on interpreting the error and on corrective action.