Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

Download PDF
ID 683877
Date 8/25/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Signing OpenCL* Images
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide

2.3. Key Management

The Intel® MAX® 10 BMC RoT uses ECDSA with a key length of 256 bits to authenticate:
  • Intel® MAX® 10 BMC Nios® firmware and Intel® MAX® 10 FPGA images
  • FIM images
  • AFU (partial reconfiguration) images
The Intel® MAX® 10 BMC RoT supports separate key chains for each image, and each key chain must consist of a root key and a CSK.
The Intel® MAX® 10 BMC RoT does not support a signature of any image with a root key. You must use a key designated as a CSK to sign your image. Steps you are responsible for when creating keys, root entry hashes and programming your image on the Intel® FPGA PAC are:
  • You must manage assigning CSK IDs to CSKs and consistently using the same ID for a given CSK. Neither an Intel® FPGA PAC nor the PACSign tool associate a particular key's value with its ID. It is possible to assign a given CSK multiple IDs, or multiple CSKs to a given ID. This may result in unintended consequences when attempting to cancel a CSK. Intel recommends exclusive ID assignments for each CSK.
  • You are responsible for creating the appropriate key cancellation bitstreams. You must use the same ID number for key cancellation as the one you assigned to the CSK at key creation. Key cancellation bitstreams must be signed with the applicable root key. This helps avoid denial of service through an unintended cancellation of all key values.
    Note: The Intel FPGA PAC D5005 has the capability to cancel up to 32 AFU CSK IDs. Only CSK IDs 0-31 are valid for an Intel FPGA PAC D5005 AFU CSK.

  • You are responsible for generating and managing your AFU image root key and CSKs. You generate the AFU image root entry hash bitstream using your root key.

  • You are also responsible for programming this root entry hash bitstream on the Intel® FPGA PAC. If your Intel® FPGA PAC does not have a programmed AFU root entry hash bitstream stored, it executes any signed or unsigned AFU.
    Note: Intel strongly recommends programming an AFU root entry hash bitstream. You must protect the confidentiality of the root private key throughout the life of the Intel FPGA PAC.
The Intel® MAX® 10 BMC RoT bitstreams in the on-board flash for:
  1. BMC Nios® firmware and Intel® MAX® 10 FPGA images
  2. FIM images
  3. AFU (partial reconfiguration region) images

The BMC is architected so that all root entry hashes cannot be revoked, changed, or erased once programmed.

If you have a board that has not been updated with the Intel® MAX® 10 RoT, you must use the one-time secure update to program the Intel root entry hash bitstreams for the BMC firmware, RTL and Intel FIM images on your existing Intel® FPGA PAC. New Intel® FPGA PACs come with these root entry hashes programmed at manufacturing time. For more information about using one-time secure update, refer to the Intel Acceleration Stack Quick Start Guide: Intel® FPGA Programmable Acceleration Card D5005

In the future, Intel-provided updates to the Intel® MAX® 10 BMC firmware, RTL, or FIM images may necessitate an Intel key cancellation in order to help prevent an unintended rollback to a prior version. In this case, Intel provides the update with a signed CSK that has a different ID than all prior updates. Intel provides a separate key cancellation bitstream to cancel the appropriate Intel keys. You may test an update by applying it before programming the key cancellation bitstream. The prior BMC firmware or FIM update images continue to be accepted as valid updates until the new key cancellation bitstream is applied.

Level Two Title