Visible to Intel only — GUID: xbj1578533626857
Ixiasoft
Visible to Intel only — GUID: xbj1578533626857
Ixiasoft
3.8. Creating a CSK ID Cancellation Bitstream
To cancel a CSK ID on an Intel® FPGA PAC, you must use PACSign to create a CSK ID cancellation bitstream. To do this, you must specify the type CANCEL, select the appropriate HSM manager and root key, and provide the key ID number to cancel. For OpenSSL, the key ID used during image signing is derived from the CSK filename. For PKCS11, the key ID used during image signing is extracted from the configuration .json.
- Create a cancellation bitstream.
Using OpenSSL:
[PACSign_Demo]$ PACSign AFU -t CANCEL -H openssl_manager \ -r key_pr_root_public_key.pem -d 1 -o ssl_csk1_cancel.gbs
Using PKCS11:[PACSign_Demo]$ PACSign AFU -t CANCEL -H pkcs11_manager -C softhsm.json \ -r root_key -d 1 -o hsm_csk1_cancel.gbs
- Program the CSK ID cancellation on the Intel® FPGA PAC using the fpgasupdate tool.
$ sudo fpgasupdate ssl_csk1_cancel.gbs b2:00.0
CSK ID cancellation bitstreams are only valid on Intel® FPGA PACs that have been programmed with the corresponding root entry hash bitstream. After you program a CSK ID cancellation bitstream, you must power cycle the Intel® FPGA PAC.