Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

Download PDF
ID 683519
Date 9/08/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide A. bitstreaminfo Tool Examples
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page 3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information x
3.12.1. Using fpgainfo security Command 3.12.2. Reading sysfs Files for Identifying Information 3.12.3. Using bitstreaminfo Tool
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide
A. bitstreaminfo Tool Examples

3. Intel FPGA PAC Security Flow

The following steps describe the flow to enable Intel® FPGA PAC security. See the corresponding sections in this chapter for detailed instructions on each step.
  1. Install PACSign.
  2. If you are in development, you may optionally create an unsigned FPGA SR user image to test and validate the functionality of your image prior to fully signing the image for deployment into a production environment. Please refer to the Creating Unsigned Images section for more information.
  3. Create your root key and CSK(s). You can use OpenSSL or an HSM for this action.
    Figure 2. Key Creation Using OpenSSL
    Figure 3. Key Creation Using HSM pkcs11_tool
  4. Create your root entry hash bitstream.
    Figure 4. Creating Root Entry Hash Bitstream with OpenSSL
    Figure 5. Creating Root Entry Hash Bitstream with HSM pkcs11_manager
  5. Program your root entry hash bitstream onto the Intel® FPGA PAC.
  6. Sign your FPGA SR user image.
    Figure 6. Signing your image with OpenSSL
    Figure 7. Signing your image with pkcs11_manager
  7. Program your FPGA SR user image into the Intel® FPGA PAC. For directions on how to program your FPGA SR user image, refer to the Using fpgasupdate chapter.

Section Content
Installing PACSign
PACSign Tool
Creating Unsigned Images
Using an HSM Manager
Creating Keys
Root Entry Hash Bitstream Creation
Signing Images
Creating a CSK ID Cancellation Bitstream
PACSign PKCS11 Manager *.json Reference
Creating a Custom HSM Manager
PACSign Man Page
Accessing Intel FPGA PAC N3000 Version and Authentication Information

Related Information
Level Two Title