Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

ID 683877
Date 8/25/2020
Public

4. Using fpgasupdate

Use the fpgasupdate command to securely update the following files in flash:
  • BMC Nios® firmware and Intel® MAX® 10 FPGA images
  • FIM images
  • AFU (partial reconfiguration) images
When you call fpgasupdate the BMC orchestrates the update.
  • The BMC restricts all access to the flash until the fpgasupdate tool sends a request to the BMC to begin the update process.
  • The BMC rejects an update request if another update is currently in progress. The BMC monitors flash write and update counts and delays an update 30 seconds if more than 1,000 updates have occurred, and 60 seconds if more than 2,000 updates have occurred.
  • The BMC grants access only to a staging area in the flash, and only for enough time for the host to write an update into the staging area.
  • The BMC then restricts all flash write access to ensure the update image cannot be changed during or after the authentication process.
  • During the fpgasupdate process, the Nios® in the BMC stops polling the sensors and updating the platform level data model (PLDM) registers but responds to PLDM requests. Thus, any PLDM reads or fpgad polling during fpgasupdate returns stale data from before the update began.
  • If authentication is successful, the BMC copies the image from the staging area into the appropriate section in flash.
To use the command type:
$ sudo fpgasupdate [--log-level=<level>] file [bdf]
where the following options are as follows:
Table 6.  fpgasupdate Options
Parameters Options Notes
level state, ioctl, debug, info, warning, error, critical. Default value is state. N/A
file The secure update file that you program in the Intel® FPGA PAC N/A
[bdf]
Note: You must provide the BDF assigned to the PCIe* DevID 0b30 on your system.
[ssss:]bb:dd:f, corresponding to PCIe segment, bus, device, function. The segment is optional; if omitted, a segment of 0000 is assumed. If there is only one Intel® FPGA PAC in the system, then bdf may be omitted. In this case, fpgasupdate determines the address automatically.