Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

Download PDF
ID 683877
Date 8/25/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Signing OpenCL* Images
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide

2. Intel® FPGA PAC Security Features

The Intel® MAX® 10 board management controller (BMC) acts as a Root of Trust (RoT) and enables the secure update features of the Intel® FPGA PAC. The RoT includes features that may help prevent the following:

  • Loading or executing of unauthorized code or designs.
  • Disruptive operations attempted by unprivileged software, privileged software, or the host BMC.
  • Unintended execution of older code or designs with known bugs or vulnerabilities by enabling the BMC to revoke authorization.
The Intel® FPGA PAC BMC also enforces several other security policies relating to access through various interfaces, as well as protecting the on-board flash through write rate limitation.
Note: The terms BMC or BMC RoT refer to the Intel® FPGA PAC's Intel® MAX® 10 BMC (as opposed to another BMC, such as the host or motherboard BMC) unless otherwise noted.

In cases where you have a pre-security production Intel® FPGA PAC, you must perform a one-time secure update. For more information, refer to the Updating the FIM and BMC using the fpgaotsu section in the Intel Acceleration Stack User Guide: Intel® FPGA Programmable Acceleration Card D5005 .


Section Content
Secure Image Updates
Anti-Rollback Capability
Key Management
Authentication
Encryption

Level Two Title