Visible to Intel only — GUID: aoz1572371874766
Ixiasoft
3.7.1. Signing OpenCL* Images
Signing OpenCL* bitstreams requires some additional steps because the AFU to be signed is inside the *.aocx file derived from an OpenCL* compile. The procedure below does the following:
- Extract the AFU from the *.aocx file
- Sign the AFU (*.gbs).
- Pack the signed AFU back into the *.aocx file.
After you have generated the keys and have compiled the *.aocx file for your OpenCL* kernel, follow the steps below to create a signed *.aocx.
- Source the init_env.sh script to initialize the environment for Intel Acceleration Stack and OpenCL*.
source <DEV install path>/init_env.sh
- Copy the *.aocx file to a new location and rename it for the signing procedure. In this example, the file is renamed <signed_file_name>.aocx. Working on a renamed copy keeps an unsigned copy of the *.aocx file available if you need to start the signing process over again. Review the contents of the *.aocx file in the compile directory:
aocl binedit <signed_file_name>.aocx list
- Extract the *.bin file from the *.aocx that contains the AFU and list the contents of it:
aocl binedit <signed_file_name>.aocx get .acl.fpga.bin <temp_filename>.fpga.bin
aocl binedit <temp_filename>.fpga.bin list
- Extract the gzip-compressed *.gbs file from the *.bin and uncompress it to get the *.gbs file:
aocl binedit <temp_filename>.fpga.bin get .acl.gbs.gz <file_name>.gbs.gz
gunzip <file_name>.gbs.gz
- Sign the *.gbs using the PACSign tool:
Using OpenSSL:
PACSign PR -t UPDATE -H openssl_manager -r <path_to_key>/<root_public_key_name>.pem -k <path_to_key>/<csk_public_key_name>.pem -i <path_to_gbs_file>/<file_name>.gbs -o <signed_file_name>.gbs
Using pkcs11_manager:
PACSign PR -t UPDATE -H pkcs11_manager -C softhsm.json -r root_key -k csk_1 -i <file_name>.gbs -o <signed_file_name>.gbs
- Compress the signed *.gbs file:
gzip <signed_file_name>.gbs -r
- Add the signed *.gbs gzip compressed file to fpga.bin:
aocl binedit <temp_filename>.fpga.bin set .acl.gbs.gz <signed_file_name>.gbs.gz
- Add the fpga.bin file back into the *.aocx file. The *.aocx file produced by this step is signed.
aocl binedit <signed_file_name>.aocx set .acl.fpga.bin <temp_filename>.fpga.bin
- Program this *.aocx with the following command:
aocl program <device_name> <signed_file_name>.aocx
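Before programming, it is worth confirming that the repacked *.aocx really carries the signed AFU and not the unsigned one left over from a skipped or mistyped `set` step. The script below is an added example, not part of the Intel documentation: it reverses the extraction steps above and compares the result byte for byte with the signed *.gbs. The function name `verify_signed_aocx` is hypothetical, and the script assumes `aocl` is on the PATH after sourcing init_env.sh.

```shell
#!/usr/bin/env bash
# Added example, not Intel's code. Confirms that a repacked *.aocx carries the
# signed AFU by reversing the extraction steps and comparing bytes.
# Assumption: aocl is on PATH (init_env.sh sourced). Function name is hypothetical.

verify_signed_aocx() {
    local aocx="$1" signed_gbs="$2" tmp rc=0
    if [ ! -r "$aocx" ] || [ ! -r "$signed_gbs" ]; then
        echo "usage: verify_signed_aocx <file>.aocx <signed>.gbs" >&2
        return 2
    fi
    tmp="$(mktemp -d)" || return 2

    # Same path as the signing procedure: aocx -> fpga.bin -> gbs.gz -> gbs
    if ! aocl binedit "$aocx" get .acl.fpga.bin "$tmp/check.fpga.bin" ||
       ! aocl binedit "$tmp/check.fpga.bin" get .acl.gbs.gz "$tmp/check.gbs.gz" ||
       ! gunzip -c "$tmp/check.gbs.gz" > "$tmp/check.gbs"; then
        echo "FAIL: could not extract the AFU from $aocx" >&2
        rc=2
    elif cmp -s "$tmp/check.gbs" "$signed_gbs"; then
        echo "OK: $aocx contains the signed AFU"
    else
        # Typical cause: a 'set' step was skipped or pointed at the unsigned file
        echo "FAIL: AFU inside $aocx differs from $signed_gbs" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Run only when called with two arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    verify_signed_aocx "$1" "$2"
fi
```

This check only shows that the package contains the bytes PACSign produced; it does not validate the signature itself. Run it against a copy of the signed *.gbs taken before the gzip step, because gzip replaces the original file.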