3.12.3. Using bitstreaminfo Tool
The bitstreaminfo tool also displays authentication information for *.bin files. Information includes any JSON header strings and authentication header block information. For FPGA SR user image bitstreams, the bitstreaminfo command also displays a small portion of the payload for FPGA SR user image bitstreams. The bitstreaminfo tool requires sudo or root privileges on your host:
$ sudo bitstreaminfo <file>
An example:
$ sudo bistreaminfo firmware.bin
This command displays the Block 0 and Block 1 content prepended by the PACSign tool to the FPGA SR user image. Depending on if your bitstream is signed or unsigned Block 1 output varies:
- Unsigned bitstream: Block 1 output reports 0x0 for Root public key X,Y and Code signing key X,Y.
- Signed bitstream: Block 1 output reports a value for Root public key X,Y and Code Signing key X,Y.
The magic number output in Block 0 and 1 are static values populated by PACSign.
| Parameter | Description |
|---|---|
| Content length | Indicates the length of the FPGA SR user image. PACSign performs an internal check to see if the length is within the maximum length for Intel® FPGA PAC N3000. |
| Content type | SR or BMC |
| Cert type |
For an FPGA SR user image, Cert type can be:
For an Intel® -provided bitstream, Cert type can be:
|
| Protected content SHA-256 | SHA-256 is computed over the entire protected bitstream and it is compared against the SHA-256 calculated by PACSign and programmed into Block 0. You can check if bitstreaminfo reports a Match as shown below. |
| Protected content SHA-384 | SHA-384 is computed over the entire protected bitstream and it is compared against the SHA-256 calculated by PACSign and programmed into Block 0. You can check if bitstreaminfo reports a Match as shown below.
Note: Current Intel® FPGA PAC N3000 versions do not support 384 bit root key but the tool computes the SHA-384 on the protected content.
|
| Parameter | Description |
|---|---|
| Root Entry Permissions | Constant value: 0xffffffff |
| Root Entry Key ID | Constant value: 0xffffffff |
| Root public key x,y | Value populated if bitstream was signed using root key and CSK. |
| Expected root entry hash | Hash of all the root fields in Block 1 are computed. You can visually compare this against the FPGA SR user image root entry hash that is programmed into the card. fpgainfo security displays the FPGA SR user image root entry hash. If fpgainfo security reports "FIM/SR root entry hash not programmed", then the bitstreaminfo tool skips the compatibility check. |
| CSK key ID | The CSK ID can range from 0 - 127. fpgainfo security displays a list of CSK IDs canceled. If bitstream uses a CSK ID that matches the cancelled CSK ID, fpgasupdate prohibits programming the bitstream. |
| Code signing key x,y | Value reported if Bitstream was signed using root key and CSK. |
| Signature R, S | Signature over hash of CSK Public Key using private root key. Your HSM populates this signature. |
| Expected CSK hash | This field varies when the CSK ID changes. It is a hash of the CSK fields. |
| Signature R, S | Signature over hash of Block 0 using CSK private key. |
The signature along with CSK fields help verify the bitstream.
The sample below show bitstreaminfo output using the signed 2 x 2 x 25G factory bitstream:
$ sudo bitstreaminfo $N3000_PLATFORM_ROOT/bin/sr_vista_rot_2x2x25G-v1.3.16.bin File $N3000_PLATFORM_ROOT/bin/sr_vista_rot_2x2x25G-v1.3.16.binBlock 0: Block 0 magic = 0xb6eafd19 Content length = 0x02a86000 Content type = SR Cert type = UPDATE Protected content SHA-256: 0xc10a77f9162945ab45dd943ca136e13f1b6d5278be722ad7519fbafacdedc73f Calculated protected content SHA-256: 0xc10a77f9162945ab45dd943ca136e13f1b6d5278be722ad7519fbafacdedc73f Match Protected content SHA-384: 0x226a5f616c7b69f806da8b03316307c19e364449b46787d24e57bedadd9c9c3aa0510fa958b0d04fa5fec8b5465eb90c Calculated protected content SHA-384: 0x226a5f616c7b69f806da8b03316307c19e364449b46787d24e57bedadd9c9c3aa0510fa958b0d04fa5fec8b5465eb90c Match Block 1: Block 1 magic = 0xf27f28d7 Root Entry magic = 0xa757a046 Root Entry curve magic = 0xc7b88c74 Root Entry permissions = 0xffffffff Root Entry key ID = 0xffffffff Root public key X = 0x0000000000000000000000000000000000000000000000000000000000000000 Root public key Y = 0x0000000000000000000000000000000000000000000000000000000000000000 Expected root entry hash = 0xf8ff7e0a52a378483c85301df49c7d55ffd26f794121bdb8b102d7e1c3132bb9 CSK magic = 0x14711c2f CSK curve magic = 0xc7b88c74 CSK permissions = 0xffffffff CSK key ID = 0x00000000 Code signing key X = 0x0000000000000000000000000000000000000000000000000000000000000000 Code signing key Y = 0x0000000000000000000000000000000000000000000000000000000000000000 CSK signature magic = 0xde64437d Signature R = 0x0000000000000000000000000000000000000000000000000000000000000000 Signature S = 0x0000000000000000000000000000000000000000000000000000000000000000 Expected CSK hash = 0xbe8a02e7932d98aff66584598978d84412e3c641927efac2cb786a1754cfcd4e Block 0 Entry magic = 0x15364367 Block 0 Entry signature magic = 0xde64437d Signature R = 0x0000000000000000000000000000000000000000000000000000000000000000 Signature S = 0x0000000000000000000000000000000000000000000000000000000000000000 Payload: 80 20 01 00 3a 65 80 00 20 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ... ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffFor more examples of bitstreaminfo command, see Appendix A.