Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

ID 683877
Date 8/25/2020
Public

2.3. Key Management

The Intel® MAX® 10 BMC RoT uses ECDSA with a key length of 256 bits to authenticate:
  • Intel® MAX® 10 BMC Nios® firmware and Intel® MAX® 10 FPGA images
  • FIM images
  • AFU (partial reconfiguration) images
The Intel® MAX® 10 BMC RoT supports separate key chains for each image, and each key chain must consist of a root key and a CSK.
The Intel® MAX® 10 BMC RoT does not support signing any image directly with a root key. You must use a key designated as a CSK to sign your image. When creating keys and root entry hashes and programming your image on the Intel® FPGA PAC, you are responsible for the following steps:
  • You must manage assigning CSK IDs to CSKs and consistently use the same ID for a given CSK. Neither an Intel® FPGA PAC nor the PACSign tool associates a particular key's value with its ID. It is possible to assign a given CSK multiple IDs, or multiple CSKs to a given ID. This may result in unintended consequences when attempting to cancel a CSK. Intel recommends an exclusive ID assignment for each CSK.
  • You are responsible for creating the appropriate key cancellation bitstreams. You must use the same ID number for key cancellation as the one you assigned to the CSK at key creation. Key cancellation bitstreams must be signed with the applicable root key. This helps avoid denial of service through an unintended cancellation of all key values.
    Note: The Intel FPGA PAC D5005 has the capability to cancel up to 32 AFU CSK IDs. Only CSK IDs 0-31 are valid for an Intel FPGA PAC D5005 AFU CSK.
  • You are responsible for generating and managing your AFU image root key and CSKs. You generate the AFU image root entry hash bitstream using your root key.
  • You are also responsible for programming this root entry hash bitstream on the Intel® FPGA PAC. If your Intel® FPGA PAC does not have a programmed AFU root entry hash bitstream stored, it executes any signed or unsigned AFU.
    Note: Intel strongly recommends programming an AFU root entry hash bitstream. You must protect the confidentiality of the root private key throughout the life of the Intel FPGA PAC.
The Intel® MAX® 10 BMC RoT stores root entry hash bitstreams in the on-board flash for:
  1. BMC Nios® firmware and Intel® MAX® 10 FPGA images
  2. FIM images
  3. AFU (partial reconfiguration region) images

The BMC is architected so that no root entry hash can be revoked, changed, or erased once programmed.

If you have a board that has not been updated with the Intel® MAX® 10 RoT, you must use the one-time secure update to program the Intel root entry hash bitstreams for the BMC firmware, RTL and Intel FIM images on your existing Intel® FPGA PAC. New Intel® FPGA PACs come with these root entry hashes programmed at manufacturing time. For more information about using one-time secure update, refer to the Intel Acceleration Stack Quick Start Guide: Intel® FPGA Programmable Acceleration Card D5005.

In the future, Intel-provided updates to the Intel® MAX® 10 BMC firmware, RTL, or FIM images may necessitate an Intel key cancellation in order to help prevent an unintended rollback to a prior version. In this case, Intel provides the update signed with a CSK whose ID differs from that of all prior updates, together with a separate key cancellation bitstream that cancels the appropriate Intel keys. You may test an update by applying it before programming the key cancellation bitstream. The prior BMC firmware or FIM update images continue to be accepted as valid updates until the new key cancellation bitstream is applied.
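The following Go program is an added, simplified model of the key chain and key cancellation flow described in the AFU key management steps above and in the Intel update scenario in this paragraph; it is not PACSign code and does not reproduce PACSign's bitstream layout. It assumes a root entry hash that is the SHA-256 of the DER-encoded root public key, a CSK entry that binds a CSK ID (0-31) to a CSK public key under a root-key signature, images signed only by a CSK, and a key cancellation record that the device applies only when it carries a valid root-key signature. All message formats, names and the bitmask representation of cancelled IDs are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative model only: formats below are invented and are not PACSign's.
const maxCSKID = 32 // guide: only CSK IDs 0-31 are valid for a D5005 AFU CSK

// CSK is a code signing key plus the ID you assign to it. RootSig is the
// root-key signature over (ID, public key) that places the CSK in the chain.
type CSK struct {
	ID      uint32
	Pub     *ecdsa.PublicKey
	RootSig []byte
	priv    *ecdsa.PrivateKey // stays on the signing host, never in a bitstream
}

// SignedImage carries the image, the root public key (checked against the
// programmed root entry hash), the CSK entry, and the CSK signature.
type SignedImage struct {
	Data    []byte
	RootPub *ecdsa.PublicKey
	CSK     *CSK
	Sig     []byte // nil models an unsigned image
}

// Cancellation models a key cancellation bitstream: an ID signed by the root key.
type Cancellation struct {
	ID      uint32
	RootPub *ecdsa.PublicKey
	Sig     []byte
}

// Device models the RoT state for one image type.
type Device struct {
	RootEntryHash []byte // nil models "no root entry hash programmed"
	CancelledMask uint32 // bit i set means CSK ID i is cancelled
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECDSA, 256-bit
	if err != nil {
		panic(err)
	}
	return k
}

// pubHash is the assumed root entry hash: SHA-256 over the DER public key.
func pubHash(pub *ecdsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return sum[:]
}

func u32(v uint32) []byte { var b [4]byte; binary.BigEndian.PutUint32(b[:], v); return b[:] }

// cskDigest binds the assigned ID to the CSK public key (assumed format).
func cskDigest(id uint32, pub *ecdsa.PublicKey) []byte {
	sum := sha256.Sum256(append(append([]byte("csk:"), u32(id)...), pubHash(pub)...))
	return sum[:]
}

func cancelDigest(id uint32) []byte {
	sum := sha256.Sum256(append([]byte("cancel:"), u32(id)...))
	return sum[:]
}

// NewCSK creates a CSK and endorses (ID, pub) with the root key; the root key
// signs CSK entries and cancellations, never images.
func NewCSK(root *ecdsa.PrivateKey, id uint32) (*CSK, error) {
	if id >= maxCSKID {
		return nil, errors.New("CSK ID must be in 0-31")
	}
	k := mustKey()
	sig, err := ecdsa.SignASN1(rand.Reader, root, cskDigest(id, &k.PublicKey))
	if err != nil {
		return nil, err
	}
	return &CSK{ID: id, Pub: &k.PublicKey, RootSig: sig, priv: k}, nil
}

// SignImage signs the image digest with the CSK only.
func SignImage(rootPub *ecdsa.PublicKey, csk *CSK, data []byte) (*SignedImage, error) {
	sum := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, csk.priv, sum[:])
	if err != nil {
		return nil, err
	}
	return &SignedImage{Data: data, RootPub: rootPub, CSK: csk, Sig: sig}, nil
}

// NewCancellation builds a cancellation record signed with the root key.
func NewCancellation(root *ecdsa.PrivateKey, id uint32) (*Cancellation, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, root, cancelDigest(id))
	if err != nil {
		return nil, err
	}
	return &Cancellation{ID: id, RootPub: &root.PublicKey, Sig: sig}, nil
}

func (d *Device) checkRoot(pub *ecdsa.PublicKey) error {
	if !bytes.Equal(pubHash(pub), d.RootEntryHash) {
		return errors.New("root public key does not match programmed root entry hash")
	}
	return nil
}

// ApplyCancellation accepts a cancellation only if it is signed by the root key
// whose hash is programmed; the cancellation is permanent in CancelledMask.
func (d *Device) ApplyCancellation(c *Cancellation) error {
	if d.RootEntryHash == nil {
		return errors.New("no root entry hash programmed")
	}
	if err := d.checkRoot(c.RootPub); err != nil {
		return err
	}
	if c.ID >= maxCSKID || !ecdsa.VerifyASN1(c.RootPub, cancelDigest(c.ID), c.Sig) {
		return errors.New("cancellation rejected: invalid ID or not signed by root key")
	}
	d.CancelledMask |= 1 << c.ID
	return nil
}

// Accept returns nil if the device would load the image.
func (d *Device) Accept(img *SignedImage) error {
	if d.RootEntryHash == nil { // guide: no AFU root entry hash -> any AFU executes
		return nil
	}
	if img.Sig == nil || img.CSK == nil || img.RootPub == nil {
		return errors.New("unsigned image rejected")
	}
	if err := d.checkRoot(img.RootPub); err != nil {
		return err
	}
	if img.CSK.ID >= maxCSKID || d.CancelledMask&(1<<img.CSK.ID) != 0 {
		return fmt.Errorf("CSK ID %d is invalid or cancelled", img.CSK.ID)
	}
	if !ecdsa.VerifyASN1(img.RootPub, cskDigest(img.CSK.ID, img.CSK.Pub), img.CSK.RootSig) {
		return errors.New("CSK entry not endorsed by root key")
	}
	sum := sha256.Sum256(img.Data)
	if !ecdsa.VerifyASN1(img.CSK.Pub, sum[:], img.Sig) {
		return errors.New("image signature invalid")
	}
	return nil
}

func main() {
	root := mustKey()
	dev := &Device{RootEntryHash: pubHash(&root.PublicKey)} // programmed at provisioning
	csk, _ := NewCSK(root, 3)
	img, _ := SignImage(&root.PublicKey, csk, []byte("constructed AFU image bytes"))
	fmt.Println("accept before cancellation:", dev.Accept(img))
	c, _ := NewCancellation(root, 3)
	fmt.Println("apply cancellation:", dev.ApplyCancellation(c))
	fmt.Println("accept after cancellation:", dev.Accept(img))
}
```

The model makes the guide's rules mechanical: an image is accepted only through a CSK entry endorsed by the programmed root, a cancellation takes effect only when root-signed, and once bit 3 is set the old image is refused, which is the ordering the Intel update scenario relies on (test the new update first, then apply the cancellation).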