Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA
                    
ID: 683453
Date: 3/06/2020
Public
                3.2. PACSign Tool
The PACSign utility is installed on your path.
- Run the tool by calling it directly with the command PACSign.
- Calling PACSign with the -h option shows a help message describing the tool usage.
- Typing PACSign <image_type> -h shows the options available for that image type.
[PACSign_Demo]$ PACSign -h
usage: PACSign [-h] {SR,FIM,BBS,BMC,BMC_FW,PR,AFU,GBS} ...
Sign PAC bitstreams
optional arguments:
  -h, --help            show this help message and exit
Commands:
  Image types
  {SR,FIM,BBS,BMC,BMC_FW,PR,AFU,GBS}
                        Allowable image types
    SR (FIM, BBS)       Static FPGA image
    BMC (BMC_FW)        BMC image
    PR (AFU, GBS)       Reconfigurable FPGA image
[PACSign_Demo]$ PACSign AFU -h
usage: PACSign PR [-h] -t {UPDATE,CANCEL,RK_256,RK_384} -H HSM_MANAGER
                  [-C HSM_CONFIG] [-r ROOT_KEY] [-k CODE_SIGNING_KEY]
                  [-d CSK_ID] [-i INPUT_FILE] [-o OUTPUT_FILE] [-y] [-v]
optional arguments:
  -h, --help            show this help message and exit
  -t {UPDATE,CANCEL,RK_256,RK_384}, --cert_type {UPDATE,CANCEL,RK_256,RK_384}
                        Type of certificate to generate
  -H HSM_MANAGER, --HSM_manager HSM_MANAGER
                        Module name for key / signing manager
  -C HSM_CONFIG, --HSM_config HSM_CONFIG
                        Config file name for key / signing manager (optional)
  -r ROOT_KEY, --root_key ROOT_KEY
                        Identifier for the root key. Provided as-is to the key
                        manager
  -k CODE_SIGNING_KEY, --code_signing_key CODE_SIGNING_KEY
                        Identifier for the CSK. Provided as-is to the key
                        manager
  -d CSK_ID, --csk_id CSK_ID
                        CSK number. Only required for cancellation certificate
  -i INPUT_FILE, --input_file INPUT_FILE
                        File name for the image to be acted upon
  -o OUTPUT_FILE, --output_file OUTPUT_FILE
                        File name in which the result is to be stored
  -y, --yes             Answer all questions with "yes"
  -v, --verbose         Increase verbosity. Can be specified multiple times
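
The help output above implies a few rules: each alias resolves to one of three image types, -t accepts four certificate types, -H is mandatory, and -d is needed for a cancellation certificate. The following shell function is an added example, not part of PACSign or of this guide; it checks those rules and prints the resulting command line without running it. The function name pacsign_cmd is hypothetical, and it assumes the SR and BMC subcommands accept the same options shown for PR.

```shell
# pacsign_cmd: hypothetical pre-flight helper (not part of PACSign).
# Validates its arguments against the help text and prints the PACSign
# command line for review or logging. It never invokes PACSign itself.
# Usage: pacsign_cmd IMAGE_TYPE CERT_TYPE HSM_MANAGER [PACSign options...]
pacsign_cmd() {
    if [ "$#" -lt 3 ]; then
        echo "usage: pacsign_cmd IMAGE_TYPE CERT_TYPE HSM_MANAGER [options]" >&2
        return 2
    fi
    image=$1 cert=$2 hsm=$3
    shift 3

    # Map each alias to the primary image type listed in the help output.
    case $image in
        SR|FIM|BBS) image=SR ;;
        BMC|BMC_FW) image=BMC ;;
        PR|AFU|GBS) image=PR ;;
        *) echo "unknown image type: $image" >&2; return 2 ;;
    esac

    # -t accepts exactly these four certificate types.
    case $cert in
        UPDATE|CANCEL|RK_256|RK_384) ;;
        *) echo "unknown certificate type: $cert" >&2; return 2 ;;
    esac

    # -H is not bracketed in the usage line, so it must be present.
    if [ -z "$hsm" ]; then
        echo "-H HSM_MANAGER is required" >&2
        return 2
    fi

    # -d is documented as required only for a cancellation certificate.
    has_csk_id=no
    for arg in "$@"; do
        case $arg in -d|--csk_id) has_csk_id=yes ;; esac
    done
    if [ "$cert" = CANCEL ] && [ "$has_csk_id" = no ]; then
        echo "CANCEL needs -d CSK_ID" >&2
        return 2
    fi

    # Printed for a human or a log, not for eval: arguments are not re-quoted.
    printf 'PACSign %s -t %s -H %s' "$image" "$cert" "$hsm"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}
```
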