Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

ID 683877
Date 8/25/2020
Public

3.6. Root Entry Hash Bitstream Creation

To program the root entry hash to an Intel® FPGA PAC, you must first use PACSign to create a root entry hash bitstream.

  1. In your PACSign command, specify the type RK_256 and select the appropriate HSM manager and configuration.
    • To create a root entry hash bitstream using OpenSSL and the key generated in the OpenSSL Key Creation topic, type:
      [PACSign_Demo]$ PACSign AFU -t RK_256 -H openssl_manager -r key_pr_root_public_key.pem -o root_public_program_ssl.gbs
    • To create a root entry hash bitstream using a SoftHSM and the root key generated in the HSM Key Creation topic, type:
      [PACSign_Demo]$ PACSign AFU -t RK_256 -H pkcs11_manager -C softhsm.json -r root_key -o root_public_program_hsm.gbs
      Note: PACSign requires an HSM configuration *.json file to request the correct key from the HSM. For more information about the structure and contents of the *.json file, refer to the PACSign PKCS11 Manager .json Reference topic.
  2. After creating the root entry hash bitstream, program the bitstream to an Intel® FPGA PAC using the fpgasupdate command. This operation is permanent and irreversible. After an AFU root entry hash bitstream is programmed, the Intel® FPGA PAC validates an AFU signature prior to loading. For more details on key management, see the Key Management topic. For more information on how to use fpgasupdate, refer to the Intel Acceleration Stack User Guide: Intel® FPGA PAC D5005.
  3. After you program the root entry hash bitstream, you must power cycle your Intel® FPGA PAC.
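Because step 2 cannot be undone, it helps to sanity-check the PEM file passed to -r in the OpenSSL flow before running PACSign. The following is an added example, not part of the original guide or of PACSign: the function name `check_root_public_key` is hypothetical, and it assumes that RK_256 expects an ECDSA P-256 public key, which this page does not state. The fingerprint it returns is a plain SHA-256 of the DER key for your records, not the root entry hash that PACSign computes.

```python
import base64, hashlib, re

def h(s):  # parse a space-grouped hex constant
    return int(s.replace(" ", ""), 16)

# NIST P-256 field prime, curve coefficient b, and base point G.
P = h("ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff ffffffff")
B = h("5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e 27d2604b")
GX = h("6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296")
GY = h("4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5")
# DER header of a SubjectPublicKeyInfo holding an uncompressed P-256 point:
# id-ecPublicKey and prime256v1 OIDs, BIT STRING header, 0x04 point marker.
SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")

def to_pem(der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body

def check_root_public_key(pem_text):
    """Return the SHA-256 fingerprint of the DER key; raise ValueError if unfit."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("file contains private key material")
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no PUBLIC KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if len(der) != 91 or not der.startswith(SPKI_PREFIX):
        raise ValueError("not an uncompressed P-256 public key")
    x = int.from_bytes(der[27:59], "big")
    y = int.from_bytes(der[59:], "big")
    # The point must satisfy y^2 = x^3 - 3x + b (mod p).
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P:
        raise ValueError("point is not on the P-256 curve")
    return hashlib.sha256(der).hexdigest()

# Constructed sample: the curve's base point G wrapped as a key (never a real root key).
SAMPLE_PEM = to_pem(SPKI_PREFIX + GX.to_bytes(32, "big") + GY.to_bytes(32, "big"))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA-256 of DER public key:", check_root_public_key(text))
```

Record the printed fingerprint alongside the card's serial number so that the key behind each programmed card can be identified later.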