Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants
ID: 683519
Date: 9/08/2020
Public
3.3. Creating Unsigned Images
The BMC secure firmware does not accept an FPGA SR user image without the prepended authentication blocks generated by PACSign, even if an FPGA SR user image root entry hash bitstream has not been programmed. If you want to operate an Intel® FPGA PAC without a root entry hash bitstream programmed, such as in a development environment, you must still use PACSign to prepend the authentication blocks, but you may do so with an empty signature chain. An image with prepended authentication blocks containing an empty signature chain is called an unsigned image. PACSign supports the creation of an unsigned image by using the UPDATE operation without specifying keys. Intel recommends using signed images in production deployments.
- Create unsigned bitstream.
Using OpenSSL:
[PACSign_Demo]$ PACSign SR -t UPDATE -H openssl_manager -i pac-n3000-secure-update-raw.bin -o unsigned_N3000_RSU.bin
Using HSM:
[PACSign_Demo]$ PACSign SR -t UPDATE -H pkcs11_manager -C softhsm.json -i \
pac-n3000-secure-update-raw.bin -o pac-n3000-secure-update-raw.bin
The output prompts you to enter Y or N to continue generating an unsigned bitstream.
No root key specified. Generate unsigned bitstream? Y = yes, N = no: Y
No CSK specified. Generate unsigned bitstream? Y = yes, N = no: Y
- Program the unsigned bitstream.
[PACSign_Demo]$ sudo fpgasupdate pac-n3000-secure-update-raw.bin b2:00.0
- Perform remote system update to power cycle the Intel® FPGA PAC N3000 and load the updated image into the FPGA.
[PACSign_Demo]$ sudo rsu bmcimg b2:00.0
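Because Intel recommends signed images in production, a release pipeline can scan the captured PACSign session for the two prompts shown above and flag every output file that was built unsigned. This is an added example, not Intel's code or part of PACSign. The transcript, the output names `declined.bin` and `signed.bin`, the key file names passed to `-r` and `-k`, and the treatment of an N answer as "no image written" are assumptions.

```python
import re
import shlex

# Prompt wording as shown in this section; the final letter is the operator's answer.
PROMPT = re.compile(r"No (root key|CSK) specified\. Generate unsigned bitstream\? "
                    r"Y = yes, N = no:\s*([YyNn])")

# Constructed sample session: the first command is from this section, the
# second and third (declined.bin, signed.bin, root.pem, csk.pem) are made up.
SAMPLE = r"""
[PACSign_Demo]$ PACSign SR -t UPDATE -H openssl_manager -i pac-n3000-secure-update-raw.bin -o unsigned_N3000_RSU.bin
No root key specified. Generate unsigned bitstream? Y = yes, N = no: Y
No CSK specified. Generate unsigned bitstream? Y = yes, N = no: Y
[PACSign_Demo]$ PACSign SR -t UPDATE -H pkcs11_manager -C softhsm.json -i \
pac-n3000-secure-update-raw.bin -o declined.bin
No root key specified. Generate unsigned bitstream? Y = yes, N = no: N
[PACSign_Demo]$ PACSign SR -t UPDATE -H openssl_manager -r root.pem -k csk.pem -i pac-n3000-secure-update-raw.bin -o signed.bin
"""

def unsigned_outputs(transcript):
    """Return {output_file: [missing key types]} for images built unsigned."""
    # Join backslash line continuations so each command sits on one line.
    text = re.sub(r"\\[ \t]*\n[ \t]*", " ", transcript)
    answers = {}      # output file -> [(key type, answer), ...]
    current = None    # output file of the most recent PACSign command
    for line in text.splitlines():
        if "PACSign " in line and " -t " in line:
            args = shlex.split(line[line.index("PACSign "):])
            current = args[args.index("-o") + 1] if "-o" in args[:-1] else "<no -o>"
            answers[current] = []
            continue
        if current is not None:
            # Both prompts may land on one line in a captured log.
            answers[current] += PROMPT.findall(line)
    # Assumption: an N answer means PACSign stopped and wrote no image.
    return {out: [key for key, _ in seen]
            for out, seen in answers.items()
            if seen and all(ans.upper() == "Y" for _, ans in seen)}

if __name__ == "__main__":
    for out, missing in unsigned_outputs(SAMPLE).items():
        print(f"UNSIGNED {out}: built without {', '.join(missing)}")
```

A pipeline step can fail the build when the returned dictionary is non-empty for a production target.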