Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

ID 683519
Date 9/08/2020
Public

3.6. Root Entry Hash Bitstream Creation

Before you can program a root entry hash bitstream to an Intel® FPGA PAC, you must create the bitstream with PACSign.

  1. In your PACSign command, specify the type RK_256 and select the appropriate HSM manager and configuration.
    • To create a root entry hash bitstream using OpenSSL and the key generated in the OpenSSL Key Creation topic, type:
      [PACSign_Demo]$ PACSign SR -t RK_256 -H openssl_manager -r key_fim_root_public_key.pem -o root_public_program_ssl.bin
    • To create a root entry hash bitstream using a SoftHSM and the root key generated in the HSM Key Creation topic, type:
      [PACSign_Demo]$ PACSign SR -t RK_256 -H pkcs11_manager -C softhsm.json -r root_key -o root_public_program_hsm.bin
      Note: PACSign requires an HSM configuration *.json file to request the correct key from the HSM. For more information about the structure and contents of the *.json file, refer to the PACSign PKCS11 Manager .json Reference topic.
  2. After creating the root entry hash bitstream, program the bitstream to an Intel® FPGA PAC using the fpgasupdate command.
    [PACSign_Demo]$ sudo fpgasupdate <root entry hash bitstream> b2:00.0
    

    This operation is permanent and irreversible. After an FPGA SR user image root entry hash bitstream is programmed, the Intel® FPGA PAC validates the signature of an FPGA SR user image before loading it. For more details on key management, see the Key Management topic. For more information on how to use fpgasupdate, refer to the Using fpgasupdate section.

  3. After you program the root entry hash bitstream, power cycle your Intel® FPGA PAC.
    [PACSign_Demo]$ sudo rsu bmcimg b2:00.0
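
Because step 2 cannot be undone, it is worth confirming that the file given to `PACSign -r` in step 1 is the intended root public key before anything is created or programmed. The following is an added example, not part of Intel's guide or of PACSign: the function names, exit codes and the out-of-band "expected fingerprint" are assumptions of this example, as is the mapping of RK_256 to a prime256v1 (P-256) key.

```sh
#!/bin/sh
# Added example: pre-flight check on the public key file passed to `PACSign -r`.
# Assumption: RK_256 expects an EC public key on prime256v1 (P-256).

# Print the SHA-256 (lowercase hex) of the key's DER SubjectPublicKeyInfo.
# This identifies the key file locally; it is not claimed to be the value
# PACSign places in the root entry hash bitstream.
pubkey_fingerprint() (
    pem=$1
    # Parse first, so a bad file fails here instead of hashing empty input.
    openssl pkey -pubin -in "$pem" -noout 2>/dev/null || exit 1
    openssl pkey -pubin -in "$pem" -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
)

# Exit status: 0 ok, 2 private key material or unparsable file,
#              3 wrong curve, 4 fingerprint mismatch.
# $2 = fingerprint recorded out-of-band when the root key was created.
preflight_root_key() (
    pem=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if grep -q 'PRIVATE KEY' "$pem"; then
        echo "refusing $pem: contains private key material" >&2; exit 2
    fi
    fp=$(pubkey_fingerprint "$pem") ||
        { echo "not a public key: $pem" >&2; exit 2; }
    openssl pkey -pubin -in "$pem" -noout -text 2>/dev/null |
        grep -q 'prime256v1' ||
        { echo "$pem is not a prime256v1 key" >&2; exit 3; }
    [ "$fp" = "$expected" ] ||
        { echo "fingerprint mismatch for $pem: got $fp" >&2; exit 4; }
    echo "ok: $pem sha256:$fp"
)
```

Record the output of `pubkey_fingerprint` when the root key is generated, then run `preflight_root_key key_fim_root_public_key.pem <recorded fingerprint>` and continue with the PACSign and fpgasupdate commands above only if it exits with status 0.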