Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

Download PDF
ID 683877
Date 8/25/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Signing OpenCL* Images
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide

1.4. Glossary

Table 2.  Glossary

Acronym/Term

 Expansion

Description

AFU

Accelerator Functional Unit

Hardware Accelerator implemented in FPGA logic which offloads a computational operation for an application from the CPU to improve performance.

CCI-P Core Cache Interface

CCI-P is the standard interface AFUs use to communicate with the host.

CSK Code Signing Key A key used to validate integrity and authenticity of a block of code. Authenticity of this key is established through signing with a root key.
ECDSA Elliptical Curve Digital Signature Algorithm An algorithm based on elliptic curve cryptography to create signatures that can be used to evaluate the authenticity of an object.

FIU

FPGA Interface Unit

FIU is a platform interface layer that acts as a bridge between platform interfaces like PCIe* and AFU-side interfaces such as CCI-P.

FIM

FPGA Interface Manager

The FPGA functional block containing the FPGA Interface Unit (FIU) and external interfaces for memory, networking, etc.

The FIM may also be referred to as BBS (Blue-Bits, Blue Bit Stream) in the Acceleration Stack installation directory tree and in source code comments.

The Accelerator Function (AF) interfaces with the FIM at run time.

HSM Hardware Security Module A secure hardware device to hold, protect, and allow access to cryptographic objects; performs cryptographic operations in a trusted environment.
NIST p Curve National Institute of Standards and Technology prime Curve P256 is used throughout this document. Without any other associations added, P256 means NIST P256 curves, where p is a 256-bit prime.

OPAE

Open Programmable Acceleration Engine

The OPAE is a software framework for managing and accessing AFs. 

PACSign PAC image signing tool A standalone tool to manage root entry hash bitstream creation, image signing, and cancellation bitstream creation
PKCS Public Key Cryptography Standard PKCS#11 is used throughout this document. PKCS#11 is a commonly used interface for commercial hardware security modules (HSMs).

PR

 Partial Reconfiguration

The ability to dynamically reconfigure a portion of an FPGA while the remaining FPGA design continues to function.

Root Key - A key designated as the primary, constant value for authentication. Typically only used to sign other keys, forming the root of all key chains.
RoT Root of Trust A source that can be trusted, such as the TCM in the Intel® FPGA PAC.
RSU Remote System Update Ability to update firmware and FPGA bitstreams over PCIe* .
SR Static Region Portion of the FPGA design that does not change.
Level Two Title