Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

Download PDF
ID 683453
Date 3/06/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Creating OpenCL* Bitstreams
3.7.1. Creating OpenCL* Bitstreams x
3.7.1.1. Sourcing the init_env.sh Script 3.7.1.2. Creating the OpenCL* Bitstream 3.7.1.3. Programming the Image File
3.7.1.2. Creating the OpenCL* Bitstream x
3.7.1.2.1. Example: Creating a Signed .aocx File Using OpenSSL Manager 3.7.1.2.2. Example: Creating an Unsigned .aocx File Using OpenSSL Manager 3.7.1.2.3. Example: Creating a Signed .aocx File Using PKCS11 Manager 3.7.1.2.4. Example: Creating an Unsigned .aocx File Using PKCS11 Manager
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History

1.4. Glossary

Table 2.  Glossary

Acronym/Term

 Expansion

Description

AFU

Accelerator Functional Unit

Hardware Accelerator implemented in FPGA logic which offloads a computational operation for an application from the CPU to improve performance.

ASE

AFU Simulation Environment

Co-simulation environment that allows you to use the same host application and AF in a simulation environment. ASE is part of the Intel Acceleration Stack for FPGAs.

BIP Bitstream Authentication IP Module loaded into the Intel® Arria® 10 GX FPGA PR region that contains the cryptographic blocks necessary to perform bitstream authentication operations.
CCI-P Core Cache Interface

CCI-P is the standard interface AFUs use to communicate with the host.

CSK Code Signing Key A key used to validate integrity and authenticity of a block of code. Authenticity of this key is established through signing with a root key.
ECDSA Elliptical Curve Digital Signature Algorithm An algorithm based on elliptic curve cryptography to create signatures that can be used to evaluate the authenticity of an object.

FIU

FPGA Interface Unit

FIU is a platform interface layer that acts as a bridge between platform interfaces like PCIe* and AFU-side interfaces such as CCI-P.

FIM

FPGA Interface Manager

The FPGA functional block containing the FPGA Interface Unit (FIU) and external interfaces for memory, networking, etc.

The FIM may also be referred to as BBS (Blue-Bits, Blue Bit Stream) in the Acceleration Stack installation directory tree and in source code comments.

The Accelerator Function (AF) interfaces with the FIM at run time.

The FIM is provided with the Intel® PAC with Intel® Arria® 10 GX FPGA.

HSM Hardware Security Module A secure hardware device to hold, protect, and allow access to cryptographic objects; performs cryptographic operations in a trusted environment.
NIST p Curve National Institute of Standards and Technology prime Curve P256 is used throughout this document. Without any other associations added, P256 means NIST P256 curves, where p is a 256-bit prime.

OPAE

Open Programmable Acceleration Engine

The OPAE is a software framework for managing and accessing AFs. 

PACSign PAC image signing tool A standalone tool to manage root entry hash bitstream creation, image signing, and cancellation bitstream creation
PKCS Public Key Cryptography Standard PKCS#11 is used throughout this document. PKCS#11 is a commonly used interface for commercial hardware security modules (HSMs).

PR

 Partial Reconfiguration

The ability to dynamically reconfigure a portion of an FPGA while the remaining FPGA design continues to function.

Root Key - A key designated as the primary, constant value for authentication. Typically only used to sign other keys, forming the root of all key chains.
RoT Root of Trust A source that can be trusted, such as the TCM in the Intel® FPGA PAC.
RSU Remote System Update Ability to update firmware and FPGA bitstreams over PCIe* .
SR Static Region Portion of the FPGA design that does not change. In the Intel® PAC with Intel® Arria® 10 GX FPGA, the static region is the FIM
TCM Trusted Control Module Functionality implemented in the SR of the Intel® PAC with Intel® Arria® 10 GX FPGA to manage the secure updates of BMC firmware, FIM updates, GBS updates, and key cancellation.
Level Two Title