Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

Download PDF
ID 683519
Date 9/08/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide A. bitstreaminfo Tool Examples
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page 3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information x
3.12.1. Using fpgainfo security Command 3.12.2. Reading sysfs Files for Identifying Information 3.12.3. Using bitstreaminfo Tool
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide
A. bitstreaminfo Tool Examples

3.9. PACSign PKCS11 Manager *.json Reference

The PACSign PKCS11 Manager uses a *.json file that stores information on how to interact with your HSM.
It contains information specific to your HSM, as well as a description of the token and keys that you created for use with PACSign. The PKCS11 examples in this chapter use softhsm.json, which contains the following: 
{
	"cryptoki_version": [2, 40],
	"library_version": [2, 5],
	"platform-name" : "DCP",
	"lib_path" : “/usr/local/lib/softhsm/libsofthsm2.so”,
	"curve": "secp256r1",
	"token": {
		"label": "pac-hsm",
		"user_password": "pac-afu-signer",
		"keys":
			[
				{
					"label": "root_key",
					"key_id": "0",
					"type": "PR",
					"permissions": "0xFFFFFFFF",
					"csk_id": "0xFFFFFFFF",
					"is_root": true
				},
				{
					"label": "csk_1",
					"key_id": "1",
					"type": "PR",
					"permissions": "0x4",
					"csk_id": "0x1",
					"is_root": false
				},
				{
					"label": "csk_2",
					"key_id": "2",
					"type": "PR",
					"permissions": "0x4",
					"csk_id": "0x2",
					"is_root": false
				}
			]
		}
}
The cryptoki_version and library_version information is determined by your HSM and can be reported by pkcs11-tool: 
[PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so -I
Output: 
Cryptoki version 2.40
Manufacturer SoftHSM
Library Implementation of PKCS11 (ver 2.5)
Using slot 0 with a present token (0x55eb4b4e)
  • platform-name: Always set to DCP.
  • lib_path: Your HSM software library installation determines this path.
  • curve: Always set to secp256r1 because this is the only elliptic curve currently supported by the BMC.
  • The token entry contains:
    • label: determined when you initialize the token in your HSM
    • user_password: determined when you initialize the token in your HSM
    • keys: lists the keys in the token available for use by PACSign
  • Within the key field are:
    • label: determined when you initialize the token in your HSM
    • key_id: determined when you initialize the token in your HSM
      Note: Each label and key_id must match what you used when you created the key.
    • type: Either PR or SR for partial reconfiguration or static region, respectively.
    • permissions: Set to 0x1 for static region signing; 0x2 for BMC signing; 0x4 for partial reconfiguration region signing.
    • csk_id: What PACSign uses when signing a FPGA SR user image; does not need to match the key_id field. Valid values are 0xFFFFFFFF for root keys and 0x0-0x7F for Intel® FPGA PAC N3000 code signing keys.
    • is_root: Allows you to designate to PACSign the intended use of the key as a root key or code signing key.
Level Two Title