Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

Download PDF
ID 683519
Date 9/08/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide A. bitstreaminfo Tool Examples
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page 3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information x
3.12.1. Using fpgainfo security Command 3.12.2. Reading sysfs Files for Identifying Information 3.12.3. Using bitstreaminfo Tool
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide
A. bitstreaminfo Tool Examples

3.12.2. Reading sysfs Files for Identifying Information

The information provided by the fpgainfo security command is also available in sysfs entries. The sysfs entries are found in two locations:
  1. /sys/class/ifpga_sec_mgr/ifpga_sec<X>/security
  2. /sys/class/fpga/intel-fpga-dev.<X>/intel-fpga-fme.<X>/spi-altera.<X>.auto/spi_master/spiX/spi<X>.<X>/ifpga_sec_mgr/ifpga_sec<X>/security
Note: The <X> found in the following paths is a numeric value that is assigned by the kernel and is indeterminate.
The first pathname above uses a symlink to reference the same location as the second pathname. To correlate the two pathnames above, type: 
ls -l /sys/security/ifpga_sec_mgr/ifpga_sec<X>
A listing of this directory displays the files in the table below:
Table 7.   Sysfs File List
Sysfs File Output Description File Data Format
sr_root_hash SR root entry hash Root entry hash programmed by you. If you have not programmed the FPGA SR user image root entry hash, this output reports as “hash not programmed.” Long hexadecimal output prefixed with “0x” or “hash not programmed” if the bitstreams is unsigned.
bmc_root_hash BMC root entry hash Root entry hash programmed by Intel® . Long hexadecimal output prefixed with “0x".
pr_root_hash PR root entry hash Not applicable for Intel® FPGA PAC N3000 and reports “hash not programmed” in output. N/A
user_flash_update_counter User Flash update counter
Indicates how many times the staging area flash is updated. has been updated. This data can be useful in detecting threats.
Note: When the staging area flash counter reaches 1000, the Intel® MAX® 10 BMC does not allow writes for 30 seconds after device startup and between updates. When the BMC flash counter reaches 2000, the Intel® MAX® 10 BMC does not allow writes for 60 seconds after device startup and between updates.
Single, numeric value
sr_canceled_csks SR CSK IDs canceled Indicates the IDs of the FIM code signing keys that are cancelled. Comma-separated list of decimal numbers and ranges, such as: 0, 3-6, 8-10
bmc_canceled_csks BMC CSK IDs canceled Indicates the IDs of the BMC code signing keys that are cancelled. Comma-separated list of decimal numbers and ranges, such as: 0, 3-6, 8-10
pr_canceled_csks AFU CSK IDs canceled Not applicable for Intel® FPGA PAC N3000. Comma-separated list of decimal numbers and ranges, such as: 0, 3-6, 8-10
Level Two Title