2.4. Authentication
To enable authentication:
- Use the PACSign tool to create a root entry hash bitstream.
- Use the fpgasupdate tool to program the bitstream onto the Intel® FPGA PAC:
  $ sudo fpgasupdate [--log-level=<level>] file [bdf]
- Power cycle your card to load the new bitstream by running the following command:
  $ sudo rsu bmcimg 3e:00.0
  Note: In this example, the [bdf] is 3e:00.0. You must provide the BDF assigned to the PCIe* DevID 0b30 on your system.
All key operations are done using PACSign. PACSign is a standalone tool that is not required to be run on a machine with the Intel FPGA PAC installed. Key creation, signing, and cancellation bitstream creation are not runtime operations and can be performed at any time. The signing process prepends the signature to the FPGA SR User image file. The BMC RoT does not need access to the HSM at any point to verify a signature.
The signing process requires a root key and a Code Signing Key (CSK). PACSign first signs the CSK with the root key, and then signs the image with the CSK. The signature process prepends two “blocks” of data to the image file.
Note: If you are using Intel Acceleration Stack version 1.1 production or greater, your FPGA SR user image must have prepended signature blocks, even if the corresponding root entry hash bitstream has not been programmed. PACSign allows you to prepend the required blocks with an empty signature chain.
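The two-step chain described above (the root key signs the CSK, the CSK signs the image, and the verifier needs no access to private keys) can be reproduced with OpenSSL. This is an added illustration, not Intel's code and not PACSign's block format; the file names, the P-256 curve, the way the root hash is computed, and the function names make_chain, pub_hash and verify_chain are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration of a root -> CSK -> image signature chain using OpenSSL.
# Not PACSign's block format: file names, curve and hash layout are assumptions.

# make_chain DIR: signer side. Creates keys, a constructed image, two signatures.
make_chain() {
  dir=$1
  for k in root csk; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/${k}_priv.pem"
    openssl pkey -in "$dir/${k}_priv.pem" -pubout -out "$dir/${k}_pub.pem"
  done
  printf 'constructed sample image payload\n' > "$dir/image.bin"
  # Step 1: the root key signs the CSK public key.
  openssl dgst -sha256 -sign "$dir/root_priv.pem" -out "$dir/csk.sig" "$dir/csk_pub.pem"
  # Step 2: the CSK signs the image.
  openssl dgst -sha256 -sign "$dir/csk_priv.pem" -out "$dir/image.sig" "$dir/image.bin"
  # Provisioned once on the verifier: a SHA-256 hash of the root public key.
  pub_hash "$dir/root_pub.pem" > "$dir/root_hash.txt"
}

# pub_hash FILE: hex SHA-256 of the DER-encoded public key.
pub_hash() {
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_chain DIR: verifier side. Reads public material only, no private key.
verify_chain() {
  dir=$1
  [ "$(pub_hash "$dir/root_pub.pem")" = "$(cat "$dir/root_hash.txt")" ] \
    || { echo "root key mismatch"; return 1; }
  openssl dgst -sha256 -verify "$dir/root_pub.pem" -signature "$dir/csk.sig" \
    "$dir/csk_pub.pem" >/dev/null 2>&1 || { echo "CSK not signed by root"; return 1; }
  openssl dgst -sha256 -verify "$dir/csk_pub.pem" -signature "$dir/image.sig" \
    "$dir/image.bin" >/dev/null 2>&1 || { echo "image not signed by CSK"; return 1; }
  echo "chain ok"
}

# Demo on a scratch directory: the untouched chain verifies.
demo_dir=$(mktemp -d)
make_chain "$demo_dir" && verify_chain "$demo_dir"
rm -rf "$demo_dir"
```

verify_chain stops at the first broken link, so its message tells you whether the root key, the CSK endorsement, or the image signature failed.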