Security User Guide: Intel® FPGA Programmable Acceleration Card D5005
ID
683877
Date
8/25/2020
Public
3.1. Installing PACSign
3.2. PACSign Tool
3.3. Creating Unsigned Images
3.4. Using an HSM Manager
3.5. Creating Keys
3.6. Root Entry Hash Bitstream Creation
3.7. Signing Images
3.8. Creating a CSK ID Cancellation Bitstream
3.9. PACSign PKCS11 Manager *.json Reference
3.10. Creating a Custom HSM Manager
3.11. PACSign Man Page
3.3. Creating Unsigned Images
The BMC secure firmware does not accept an AFU without the prepended authentication blocks generated by PACSign, even if an AFU root entry hash bitstream has not been programmed. If you want to operate an Intel® FPGA PAC without a root entry hash bitstream programmed, such as in a development environment, you must still use PACSign to prepend the authentication blocks but you may do so with an empty signature chain. An image with prepended authentication blocks containing an empty signature chain is called an unsigned image. PACSign supports the creation of an unsigned image by using the UPDATE operation without specifying keys. Intel recommends using signed images in production deployments.
- Create unsigned bitstream.
Using OpenSSL:
[PACSign_Demo]$ PACSign PR -t UPDATE -H openssl_manager -i hello_afu.gbs -o hello_afu_unsigned_ssl.gbs
Using HSM:[PACSign_Demo]$ PACSign PR -t UPDATE -H pkcs11_manager -C softhsm.json -i hello_afu.gbs -o hello_afu_unsigned_hsm.gbs
The output prompts you to enter Y or N to continue generating an unsigned bitstream.No root key specified. Generate unsigned bitstream? Y = yes, N = no: Y No CSK specified. Generate unsigned bitstream? Y = yes, N = no: Y
- Program the unsigned bitstream.
[PACSign_Demo]$ sudo fpgasupdate unsigned_AFU_RSU.gbs b2:00.0