Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

Download PDF
ID 683519
Date 9/08/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide A. bitstreaminfo Tool Examples
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page 3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information x
3.12.1. Using fpgainfo security Command 3.12.2. Reading sysfs Files for Identifying Information 3.12.3. Using bitstreaminfo Tool
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide
A. bitstreaminfo Tool Examples

3.5.1. OpenSSL Key Creation

When using OpenSSL, create a private key and then create the corresponding public key. The PACSign OpenSSL manager requires specific tags in the key file names using a format: key_<image_type>_<key_type>_<key_visibility>_key.pem.
Table 4.  PACSign OpenSSL Manager Key File Name Requirements
Filename Tag Options Description
image_type
  • pr
  • fim
Identifies image type, partial reconfiguration or static region, for which the key is intended.
  • For Intel® FPGA PAC N3000, use; key_fim_<key_type>_<key_section>_key.pem
key_type
  • root
  • csk<x>
Identifies key type. <x> specifies an ID that you use for cancellation.
  • Example: key_fim_csk12_private_key.pem
key_visibility
  • public
  • private
Identifies the key visibility.

The following example creates a root key and two code signing keys using OpenSSL.

  1. Create the root private key: 
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout -out key_fim_root_private_key.pem
    Output: 
    using curve name prime256v1 instead of secp256r1
  2. Create the root public key: 
    [PACSign_Demo]$ openssl ec -in key_fim_root_private_key.pem -pubout -out key_fim_root_public_key.pem
    Output: 
    read EC key
writing EC key
  3. Create private CSK1: 
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout -out key_fim_csk1_private_key.pem
    Output: 
    using curve name prime256v1 instead of secp256r1
  4. Create public CSK1: 
    [PACSign_Demo]$ openssl ec -in key_fim_csk1_private_key.pem -pubout -out key_fim_csk1_public_key.pem
    Output: 
    read EC key
writing EC key
  5. Create private CSK2: 
    [PACSign_Demo]$ openssl ecparam -name secp256r1 -genkey -noout -out key_fim_csk2_private_key.pem
    Output: 
    using curve name prime256v1 instead of secp256r1
  6. Create public CSK2: 
    [PACSign_Demo]$ openssl ec -in key_fim_csk2_private_key.pem -pubout -out key_fim_csk2_public_key.pem
    Output: 
    read EC key
writing EC key
Level Two Title