Visible to Intel only — GUID: yzw1569355474588
Ixiasoft
3.1. Installing PACSign
3.2. PACSign Tool
3.3. Creating Unsigned Images
3.4. Using an HSM Manager
3.5. Creating Keys
3.6. Root Entry Hash Bitstream Creation
3.7. Signing Images
3.8. Creating a CSK ID Cancellation Bitstream
3.9. PACSign PKCS11 Manager *.json Reference
3.10. Creating a Custom HSM Manager
3.11. PACSign Man Page
Visible to Intel only — GUID: yzw1569355474588
Ixiasoft
3.9. PACSign PKCS11 Manager *.json Reference
The PACSign PKCS11 Manager uses a *.json file that stores information on how to interact with your HSM.
It contains information specific to your HSM, as well as a description of the token and keys that you created for use with PACSign. The PKCS11 examples in this chapter use softhsm.json, which contains the following:
{
"cryptoki_version": [2, 40],
"library_version": [2, 5],
"platform-name" : "DCP",
"lib_path" : “/usr/local/lib/softhsm/libsofthsm2.so”,
"curve": "secp256r1",
"token": {
"label": "pac-hsm",
"user_password": "pac-afu-signer",
"keys":
[
{
"label": "root_key",
"key_id": "0",
"type": "PR",
"permissions": "0xFFFFFFFF",
"csk_id": "0xFFFFFFFF",
"is_root": true
},
{
"label": "csk_1",
"key_id": "1",
"type": "PR",
"permissions": "0x4",
"csk_id": "0x1",
"is_root": false
},
{
"label": "csk_2",
"key_id": "2",
"type": "PR",
"permissions": "0x4",
"csk_id": "0x2",
"is_root": false
}
]
}
}
The cryptoki_version and library_version information is determined by your HSM and can be reported by pkcs11-tool:
Output:
[PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so -I
Cryptoki version 2.40
Manufacturer SoftHSM
Library Implementation of PKCS11 (ver 2.5)
Using slot 0 with a present token (0x55eb4b4e)
- platform-name: Always set to DCP.
- lib_path: Your HSM software library installation determines this path.
- curve: Always set to secp256r1 because this is the only elliptic curve currently supported by the BMC.
- The token entry contains:
- label: determined when you initialize the token in your HSM
- user_password: determined when you initialize the token in your HSM
- keys: lists the keys in the token available for use by PACSign
- Within the key field are:
- label: determined when you initialize the token in your HSM
- key_id: determined when you initialize the token in your HSM
Note: Each label and key_id must match what you used when you created the key.
- type: Either PR or SR for partial reconfiguration or static region, respectively.
- permissions: Set to 0x1 for static region signing; 0x2 for BMC signing; 0x4 for partial reconfiguration region signing.
- csk_id: What PACSign uses when signing an AFU; does not need to match the key_id field. Valid values are 0xFFFFFFFF for root keys and 0x0-0x7F for Intel® FPGA PAC D5005 code signing keys.
- is_root: Allows you to designate to PACSign the intended use of the key as a root key or code signing key.