Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

Download PDF
ID 683877
Date 8/25/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Signing OpenCL* Images
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide

3.5.2. HSM Key Creation

If you are using an HSM, you need one token to create and store the root and code signing keys. The following example initializes a token using SoftHSM, with separate security officer and user PINs. 

[PACSign_Demo]$ softhsm2-util --init-token --label pac-hsm --so-pin hsm-owner \
--pin pac-afu-signer --free
Output: 
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 1441483598

After you create a token, you can create keys in that token. The following example initializes a root and two code signing keys in the token created above, similarly using pkcs11-tool to interact with SoftHSM. The HSM, not PACSign, uses the key ID provided in this example. PACSign uses CSK IDs from a configuration *.json file in PKCS11 mode. You must manage consistency across ID values in the HSM and those used by PACSign. See the PACSign PKCS11 Manager *.json Reference topic for more information on the *.json file format.

  1. Initialize the root key: 
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
--mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
--usage-sign --label root_key --id 0
    Output: 
    Key pair generated:
Private Key Object; EC
label: root_key
ID: 00
Usage: decrypt, sign, unwrap
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64
EC_PARAMS: 06082a8648ce3d030107
label: root_key
ID: 00
Usage: encrypt, verify, wrap
  2. Initialize the CSK1: 
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
--mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
--usage-sign --label csk_1 --id 1
    Output: 
    Key pair generated:
Private Key Object; EC
label: csk_1
ID: 01
Usage: decrypt, sign, unwrap
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924
EC_PARAMS: 06082a8648ce3d030107
label: csk_1
ID: 01
Usage: encrypt, verify, wrap
  3. Initialize CSK2: 
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
--mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
--usage-sign --label csk_2 --id 2
    Output: 
    Key pair generated:
Private Key Object; EC
label: csk_2
ID: 02
Usage: decrypt, sign, unwrap
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc
EC_PARAMS: 06082a8648ce3d030107
label: csk_2
ID: 02
Usage: encrypt, verify, wrap
  4. After keys are created in your token, it may be useful to inspect the token to verify the expected keys, labels, and IDs are present. 
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
--token-label pac-hsm --login --pin pac-afu-signer -O
    Output: 
    Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc
EC_PARAMS: 06082a8648ce3d030107
label: csk_2
ID: 02
Usage: encrypt, verify, wrap
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64
EC_PARAMS: 06082a8648ce3d030107
label: root_key
ID: 00
Usage: encrypt, verify, wrap
Private Key Object; EC
label: root_key
ID: 00
Usage: decrypt, sign, unwrap
Private Key Object; EC
label: csk_2
ID: 02
Usage: decrypt, sign, unwrap
Private Key Object; EC
label: csk_1
ID: 01
Usage: decrypt, sign, unwrap
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924
EC_PARAMS: 06082a8648ce3d030107
label: csk_1
ID: 01
Usage: encrypt, verify, wrap
Related Information
Level Two Title