Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

Download PDF
ID 683453
Date 3/06/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Creating OpenCL* Bitstreams
3.7.1. Creating OpenCL* Bitstreams x
3.7.1.1. Sourcing the init_env.sh Script 3.7.1.2. Creating the OpenCL* Bitstream 3.7.1.3. Programming the Image File
3.7.1.2. Creating the OpenCL* Bitstream x
3.7.1.2.1. Example: Creating a Signed .aocx File Using OpenSSL Manager 3.7.1.2.2. Example: Creating an Unsigned .aocx File Using OpenSSL Manager 3.7.1.2.3. Example: Creating a Signed .aocx File Using PKCS11 Manager 3.7.1.2.4. Example: Creating an Unsigned .aocx File Using PKCS11 Manager
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History

3.7.1.2.2. Example: Creating an Unsigned .aocx File Using OpenSSL Manager

Command syntax:

$AOCL_BOARD_PACKAGE_ROOT/linux64/libexec/sign_aocx.sh -H openssl_manager \
-i <path_to_input_file/input_filename.aocx> -r NULL -k NULL \
-o <path_to_output_file/output_filename.aocx>

Because no root key or code signing key is provided, the script asks if you would like to create unsigned bitstream, as shown below. Type Y to accept an unsigned bitstream. 

No root key specified.  Generate unsigned bitstream? Y = yes, N = no: Y
No CSK specified.  Generate unsigned bitstream? Y = yes, N = no: Y

Example output:

$ $AOCL_BOARD_PACKAGE_ROOT/linux64/libexec/sign_aocx.sh -H openssl_manager \
-i vector_add.aocx -r NULL -k NULL -o unsigned_vector_add.aocx

The script assumes the PACsign and Intel Acceleration Stack environment is setup. If not run the command : <stack_installation_path>/init_env.sh
hsm_manager=openssl_manager
aocx filename/path=vector_add.aocx
root_public_key=NULL
csk_public_key=NULL
output filename/path=unsigned_vector_add.aocx
null=1
openssl hsm_manager_options=openssl_manager 
input path =.
input filename =vector_add.aocx
output path =.
output filename =unsigned_vector_add.aocx
Extracted the filename as unsigned_vector_add 
1. Extracted the bin from the aocx 
2. Extracted the gzip compressed GBS file from the .bin
3. Uncompressed .gz it to get the GBS file
Initiating PACSign tool to sign the GBS. This process will take a couple of minutes...
Creating unsigned aocx file by signing a NULL key 
No root key specified.  Generate unsigned bitstream? Y = yes, N = no: Y
No CSK specified.  Generate unsigned bitstream? Y = yes, N = no: Y
2020-01-13 17:57:17,052 - PACSign.log - WARNING - Bitstream is already signed - removing signature blocks
4. Signed the GBS 
5. Compressed the gbs file 
6. Added the signed gzip file to fpga.bin 
7. Added the fpga.bin file back into aocx file
The signed file unsigned_vector_add.aocx has been generated. Use the command aocl program <device_name> <filename>.aocx to program it on the FPGA card
Level Two Title