Security User Guide: Intel® FPGA Programmable Acceleration Card N3000 Variants

Download PDF
ID 683519
Date 9/08/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide A. bitstreaminfo Tool Examples
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page 3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
3.12. Accessing Intel® FPGA PAC N3000 Version and Authentication Information x
3.12.1. Using fpgainfo security Command 3.12.2. Reading sysfs Files for Identifying Information 3.12.3. Using bitstreaminfo Tool
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide
A. bitstreaminfo Tool Examples

3.12.1. Using fpgainfo security Command

The fpgainfo security command provides the following key identifying information for your Intel® FPGA PAC and bitstreams:
Output Description
FIM/SR root entry hash Root entry hash programmed by you. If you have not programmed the FPGA SR user image root entry hash, this output reports as “hash not programmed.”
BMC root entry hash Root entry hash programmed by Intel® .
PR root entry hash Not applicable for Intel® FPGA PAC N3000 and reports “hash not programmed” in output.
BMC flash update counter Indicates how many times the BMC flash has been updated. This data can be useful in detecting threats.
Note: When the BMC flash counter reaches 1000, the Intel® MAX® 10 BMC does not allow writes for 30 seconds after device startup and between updates. When the BMC flash counter reaches 2000, the Intel® MAX® 10 BMC does not allow writes for 60 seconds after device startup and between updates.
FIM/SR CSK IDs cancelled Indicates the IDs of the FIM code signing keys that are cancelled.
BMC CSK IDs cancelled Indicates the IDs of the BMC code signing keys that are cancelled.
AFU CSK IDs cancelled Not applicable for Intel® FPGA PAC N3000 and reports “None”

Because partial reconfiguration is not supported for the Intel® FPGA PAC N3000, you can ignore the output for “PR root entry hash” and “AFU CSK IDs cancelled”.

Using this command requires sudo or root privileges on your host. 
$ sudo fpgainfo security 

Board Management Controller, MAX10 NIOS FW version D.2.1.24
Board Management Controller, MAX10 Build version D.2.0.7
//****** SECURITY ******//
Object Id                     : 0xEC00001
PCIe s:b:d.f                  : 0000:8a:00.0
Device Id                     : 0x0b30
Numa Node                     : 1
Ports Num                     : 01
Bitstream Id                  : 0x2300011001030F
Bitstream Version             : 0.2.3
Pr Interface Id               : f3c99413-5081-4aad-bced-07eb84a6d0bb
FIM/SR root entry hash        : hash not programmed
BMC root entry hash           : 0xec0f42d3af138e3eca7141107f7fed5f7c13846fadbba884e51ad26bf36a3d21
PR root entry hash            : hash not programmed
SMB parameters update counter2 : 0
User flash update counter     : 1
FIM/SR CSK IDs canceled       : None
BMC CSK IDs canceled          : None
AFU CSK IDs canceled          : None
2 The SMB parameters update counter is not used and does not increment.
Level Two Title