Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

ID 683877
Date 8/25/2020
Public

3.9. PACSign PKCS11 Manager *.json Reference

The PACSign PKCS11 Manager uses a *.json file that stores information on how to interact with your HSM.
It contains information specific to your HSM, as well as a description of the token and keys that you created for use with PACSign. The PKCS11 examples in this chapter use softhsm.json, which contains the following:
{
	"cryptoki_version": [2, 40],
	"library_version": [2, 5],
	"platform-name" : "DCP",
	"lib_path" : “/usr/local/lib/softhsm/libsofthsm2.so”,
	"curve": "secp256r1",
	"token": {
		"label": "pac-hsm",
		"user_password": "pac-afu-signer",
		"keys":
			[
				{
					"label": "root_key",
					"key_id": "0",
					"type": "PR",
					"permissions": "0xFFFFFFFF",
					"csk_id": "0xFFFFFFFF",
					"is_root": true
				},
				{
					"label": "csk_1",
					"key_id": "1",
					"type": "PR",
					"permissions": "0x4",
					"csk_id": "0x1",
					"is_root": false
				},
				{
					"label": "csk_2",
					"key_id": "2",
					"type": "PR",
					"permissions": "0x4",
					"csk_id": "0x2",
					"is_root": false
				}
			]
		}
}
The cryptoki_version and library_version information is determined by your HSM and can be reported by pkcs11-tool:
[PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so -I
Output:
Cryptoki version 2.40
Manufacturer SoftHSM
Library Implementation of PKCS11 (ver 2.5)
Using slot 0 with a present token (0x55eb4b4e)
  • platform-name: Always set to DCP.
  • lib_path: Your HSM software library installation determines this path.
  • curve: Always set to secp256r1 because this is the only elliptic curve currently supported by the BMC.
  • The token entry contains:
    • label: determined when you initialize the token in your HSM
    • user_password: determined when you initialize the token in your HSM
    • keys: lists the keys in the token available for use by PACSign
  • Within the key field are:
    • label: determined when you initialize the token in your HSM
    • key_id: determined when you initialize the token in your HSM
      Note: Each label and key_id must match what you used when you created the key.
    • type: Either PR or SR for partial reconfiguration or static region, respectively.
    • permissions: Set to 0x1 for static region signing; 0x2 for BMC signing; 0x4 for partial reconfiguration region signing.
    • csk_id: What PACSign uses when signing an AFU; does not need to match the key_id field. Valid values are 0xFFFFFFFF for root keys and 0x0-0x1F for Intel® FPGA PAC D5005 code signing keys.
    • is_root: Allows you to designate to PACSign the intended use of the key as a root key or code signing key.