Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Public

3.7.1.2.4. Example: Creating an Unsigned .aocx File Using PKCS11 Manager

Command syntax:

$AOCL_BOARD_PACKAGE_ROOT/linux64/libexec/sign_aocx.sh -H pkcs11_manager \
-i <path_to_input_file/input_filename.aocx> -r NULL -k NULL \
-o <path_to_output_file/output_filename.aocx>

PKCS11 Manager reads the key information from a .json file. If you followed the instructions in HSM Key Creation, your file is named softhsm.json.

Provide the .json file path and name when the script prompts you as follows:

For using pkcs11_manager please give the .json filename with the path:

Because no root key or code signing key (CSK) is provided, the script asks whether you would like to create an unsigned bitstream, as shown below. Type Y to accept an unsigned bitstream.

No root key specified.  Generate unsigned bitstream? Y = yes, N = no: Y
No CSK specified.  Generate unsigned bitstream? Y = yes, N = no: Y

Example output:

$  $AOCL_BOARD_PACKAGE_ROOT/linux64/libexec/sign_aocx.sh -H pkcs11_manager \
-i vector_add.aocx -r NULL -k NULL -o pkcs_vector.aocx
The script assumes the PACsign and Intel Acceleration Stack environment is setup. If not run the command : <stack_installation_path>/init_env.sh
hsm_manager=pkcs11_manager
aocx filename/path=vector_add.aocx
root_public_key=NULL
csk_public_key=NULL
output filename/path=pkcs_vector.aocx
null=1
    
For using pkcs11_manager please give the .json filename with the path:

<filepath>/softhsm.json

pkcs hsm_manager_options=pkcs11_manager -C softhsm.json
input path =.
input filename =vector_add.aocx
output path =.
output filename =pkcs_vector.aocx
Extracted the filename as pkcs_vector
1. Extracted the bin from the aocx
2. Extracted the gzip compressed GBS file from the .bin
gzip: temp_pkcs_vector.gbs already exists; do you wish to overwrite (y or n)? y
3. Uncompressed .gz it to get the GBS file
Initiating PACSign tool to sign the GBS. This process will take a couple of minutes...
Creating unsigned aocx file by signing a NULL key

No root key specified.  Generate unsigned bitstream? Y = yes, N = no: y
No CSK specified.  Generate unsigned bitstream? Y = yes, N = no: y

2020-01-07 15:59:16,726 - PACSign.log - WARNING - Bitstream is already signed - removing signature blocks
4. Signed the GBS
gzip: signed_pkcs_vector.gbs.gz already exists; do you wish to overwrite (y or n)? y
5. Compressed the gbs file
6. Added the signed gzip file to fpga.bin
7. Added the fpga.bin file back into aocx file
The signed file pkcs_vector.aocx has been generated. Use the command aocl program <device_name> <filename>.aocx to program it on the FPGA card
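
An added example, not part of the Intel guide or of sign_aocx.sh: a Python check that reads a captured sign_aocx.sh transcript and reports when the run produced an unsigned bitstream or removed an existing signature, so that unsigned .aocx files can be kept out of a release pipeline. The function names are hypothetical, and the sample log is constructed from lines of the example output above.

```python
import re

# Constructed sample: lines taken from the example output on this page.
SAMPLE_LOG = """\
hsm_manager=pkcs11_manager
aocx filename/path=vector_add.aocx
root_public_key=NULL
csk_public_key=NULL
output filename/path=pkcs_vector.aocx
Creating unsigned aocx file by signing a NULL key
2020-01-07 15:59:16,726 - PACSign.log - WARNING - Bitstream is already signed - removing signature blocks
4. Signed the GBS
The signed file pkcs_vector.aocx has been generated. Use the command aocl program <device_name> <filename>.aocx to program it on the FPGA card
"""

# Header fields the script echoes before it starts work.
FIELD = re.compile(r"^(root_public_key|csk_public_key|output filename/path)=(.*)$")
UNSIGNED = "Creating unsigned aocx file"
STRIPPED = "Bitstream is already signed - removing signature blocks"


def audit_sign_log(text):
    """Return (fields, findings) for one sign_aocx.sh transcript."""
    fields, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
        if UNSIGNED in line:
            findings.append("output is unsigned")
        if STRIPPED in line:
            findings.append("existing signature removed from input")
    for key in ("root_public_key", "csk_public_key"):
        value = fields.get(key)
        if value is None:
            findings.append(f"{key} not reported")
        elif value.upper() == "NULL":
            findings.append(f"{key} is NULL")
    return fields, findings


def release_ready(text):
    """True only when both keys were supplied and nothing was stripped."""
    # The closing "The signed file ... has been generated" line is ignored:
    # the script prints it for unsigned output too, as the sample shows.
    return not audit_sign_log(text)[1]
```

Run against the sample, audit_sign_log reports four findings and release_ready returns False, even though the transcript ends with "The signed file pkcs_vector.aocx has been generated".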