Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

Download PDF
ID 683877
Date 8/25/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History for Security User Guide
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Signing OpenCL* Images
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History for Security User Guide

3. Intel FPGA PAC Security Flow

The following steps describe the flow to enable Intel® FPGA PAC security. See the corresponding sections in this chapter for detailed instructions on each step.
  1. Install PACSign.
  2. If you are in development, you may optionally create an unsigned AFU image to test and validate the functionality of your AFU image prior to fully signing the image for deployment into a production environment. Please refer to the Creating Unsigned Images section for more information.
  3. Create your root key and CSK(s). You can use OpenSSL or an HSM for this action.
    Figure 2. Key Creation Using OpenSSL
    Figure 3. Key Creation Using HSM pkcs11_tool
  4. Create your root entry hash bitstream.
    Figure 4. Creating Root Entry Hash Bitstream with OpenSSL
    Figure 5. Creating Root Entry Hash Bitstream with HSM pkcs11_manager
  5. Program your root entry hash bitstream onto the Intel® FPGA PAC. You must power cycle the Intel® FPGA PAC by power cycling the server after you have programmed the root entry hash bitstream.
  6. Sign your AFU.
    Figure 6. Signing your image with OpenSSL
    Figure 7. Signing your image with pkcs11_manager
  7. Program your AFU into the Intel® FPGA PAC. For directions on how to program your AFU, refer to the Using fpgasupdate chapter.

Section Content
Installing PACSign
PACSign Tool
Creating Unsigned Images
Using an HSM Manager
Creating Keys
Root Entry Hash Bitstream Creation
Signing Images
Creating a CSK ID Cancellation Bitstream
PACSign PKCS11 Manager *.json Reference
Creating a Custom HSM Manager
PACSign Man Page

Related Information
Level Two Title