Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

ID 683877
Date 8/25/2020
Public

3.7.1. Signing OpenCL* Images

Signing OpenCL* bitstreams requires some additional steps because the AFU to be signed is inside the *.aocx file derived from an OpenCL* compile. The steps below accomplish the following:
  1. Extract the AFU from the *.aocx file
  2. Sign the AFU (*.gbs).
  3. Pack the signed AFU back into the *.aocx file.

After you have generated the keys and have a compiled *.aocx file for your OpenCL* kernel, follow the steps below to create a signed *.aocx.

  1. Source the init_env.sh script to initialize the environment for Intel Acceleration Stack and OpenCL*.
    source <DEV install path>/init_env.sh
    
  2. Copy the *.aocx file to a new location and rename it before following the signing procedure. In this example, the file is renamed <signed_file_name>.aocx. Working on a renamed copy at a new location keeps an unsigned copy of the *.aocx file in case you need to start the signing process over again. Review the contents of the *.aocx file in the compile directory:
    aocl binedit <signed_file_name>.aocx list
  3. Extract the *.bin file from the *.aocx that contains the AFU and list the contents of it:
    aocl binedit <signed_file_name>.aocx get .acl.fpga.bin <temp_filename>.fpga.bin
    
    aocl binedit <temp_filename>.fpga.bin list
  4. Extract the *.gzip compressed *.gbs file from the *.bin and uncompress it to get the *.gbs file.
    aocl binedit <temp_filename>.fpga.bin get .acl.gbs.gz <file_name>.gbs.gz
    gunzip <file_name>.gbs.gz
    
  5. Sign the *.gbs using the PACSign tool:
    Using OpenSSL:
    PACSign PR -t UPDATE -H openssl_manager -r <path_to_key>/<root_public_key_name>.pem -k <path_to_key>/<csk_public_key_name>.pem -i <path_to_gbs_file>/<file_name>.gbs -o <signed_file_name>.gbs
    Using pkcs11_manager:
    PACSign PR -t UPDATE -H pkcs11_manager -C softhsm.json -r root_key -k csk_1 -i <file_name>.gbs -o <signed_file_name>.gbs
  6. Compress the signed *.gbs file:
    gzip <signed_file_name>.gbs -r
  7. Add the signed *.gbs gzip compressed file to fpga.bin:
    aocl binedit <temp_filename>.fpga.bin set .acl.gbs.gz <signed_file_name>.gbs.gz
  8. Add the fpga.bin file back into the *.aocx file. The *.aocx formed after this step is a signed file.
    aocl binedit <signed_file_name>.aocx set .acl.fpga.bin <temp_filename>.fpga.bin
  9. Program this *.aocx with the following command:
    aocl program <device_name> <signed_file_name>.aocx
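
An added check, not part of Intel's guide: before programming the card in step 9, pull the .acl.gbs.gz section back out of the finished *.aocx with the same aocl binedit get commands used in steps 3 and 4, and confirm it carries the PACSign output rather than the original AFU. The function names and the file names in the comments are assumptions made for this example; the check covers the packing steps only, not the validity of the signature.

```bash
#!/usr/bin/env bash
# Added example: pre-programming check that the repacked .aocx holds the signed AFU.
# Inputs come from the guide's own extraction commands, e.g. (file names hypothetical):
#   aocl binedit <signed_file_name>.aocx get .acl.fpga.bin check.fpga.bin
#   aocl binedit check.fpga.bin get .acl.gbs.gz repacked.gbs.gz
# and the same two commands against the unsigned copy kept in step 2.
set -u

# SHA-256 of the decompressed payload. Hash the payload, not the .gz file:
# gzip headers embed a file name and timestamp, so equal payloads can
# still produce different archive bytes.
payload_sha256() {
    gzip -t "$1" 2>/dev/null || return 1   # reject truncated or non-gzip input
    gzip -dc "$1" | sha256sum | cut -d' ' -f1
}

# check_repack <signed.gbs.gz> <repacked.gbs.gz> <unsigned.gbs.gz>
# 0 = repacked section is the PACSign output
# 1 = repacked section is stale or unexpected, 2 = an input is unreadable
check_repack() {
    local signed repacked unsigned
    signed=$(payload_sha256 "$1")   || { echo "unreadable: $1" >&2; return 2; }
    repacked=$(payload_sha256 "$2") || { echo "unreadable: $2" >&2; return 2; }
    unsigned=$(payload_sha256 "$3") || { echo "unreadable: $3" >&2; return 2; }

    if [ "$repacked" = "$unsigned" ]; then
        echo "FAIL: .aocx still carries the unsigned AFU" >&2
        return 1
    fi
    if [ "$repacked" != "$signed" ]; then
        echo "FAIL: repacked AFU differs from the PACSign output" >&2
        return 1
    fi
    echo "OK: repacked AFU matches PACSign output ($repacked)"
}
```

A return code of 1 usually means one of the two aocl binedit set steps was skipped or pointed at the wrong file.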