For production, FPGAs use HSM mode; Standard mode can also be used.
Standard Mode
Standard mode generates a bitstream with the authentication signature embedded. In this mode, the secret keys are expected to be available to the user for generating the authenticated bitstream. Run Bootgen as follows:
bootgen -arch fpga -image all.bif -o rsa_ref.bit -w on -log error
The following steps describe how to generate an authenticated bitstream in HSM mode, where the secret keys are maintained by the secure team and are not available to the user. The following figure shows the HSM mode flow:
Stage 0: Authenticate with dummy key
This is a one-time task for a given bitstream. For stage 0, Bootgen generates the stage0.bif file.
bootgen -arch fpga -image stage0.bif -w -o dummy.bit -log error
The content of stage0.bif is as follows. Refer to the next stages for format.
the_ROM_image:
{
[sskfile] dummykey.pem
[authentication=rsa] plain.bit
}
Stage 1: Generate hashes
bootgen -arch fpga -image stage1.bif -generate_hashes -log error
Stage1.bif is as follows:
the_ROM_image:
{
[authentication=rsa] dummy.bit
}
Stage 2: Sign the hash (HSM)
Here, OpenSSL is used for demonstration.
openssl rsautl -sign -inkey rsaPrivKeyInfo.pem -in dummy.sha384 > dummy.sha384.sig
Stage 3: Update the RSA certificate with the actual signature
bootgen -arch fpga -image stage3.bif -w -o rsa_rel.bit -log error
The Stage3.bif is as follows:
the_ROM_image:
{
[spkfile] rsaPubKeyInfo.pem
[authentication=rsa, presign=dummy.sha384.sig] dummy.bit
}
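A check for the hand-off between stage 2 and stage 3, as an added example that is not part of the Bootgen documentation: before the signature returned by the secure team is placed in stage3.bif, recover its payload with the public key and compare it with the hash that was sent for signing. The function names, the locally generated key pair and the sample digest are assumptions made for illustration; the comparison works on whatever bytes the hash file contains.

```shell
#!/bin/sh
# Added example. File names follow the page; the key pair and the hash are
# constructed stand-ins generated locally, so the script runs offline.

# Stage 2: sign the hash file with raw PKCS#1 v1.5 padding. pkeyutl performs
# the same operation as `rsautl -sign`, which OpenSSL 3.0 deprecates.
sign_hash() {        # sign_hash <private.pem> <hash-file> <sig-out>
    openssl pkeyutl -sign -inkey "$1" -in "$2" -out "$3"
}

# Gate before stage 3: recover the signed payload with the public key and
# compare it byte for byte with the hash file. Returns 0 only on a match.
verify_presign() {   # verify_presign <public.pem> <hash-file> <sig-file>
    rec=$(mktemp) || return 2
    if openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$3" \
            -out "$rec" 2>/dev/null && cmp -s "$rec" "$2"; then
        rm -f "$rec"; return 0
    fi
    rm -f "$rec"; return 1
}

demo() {
    d=$(mktemp -d) || return 2
    # Constructed key pair standing in for the secure team's key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/rsaPrivKeyInfo.pem" 2>/dev/null
    openssl pkey -in "$d/rsaPrivKeyInfo.pem" -pubout -out "$d/rsaPubKeyInfo.pem"
    # Constructed 48-byte SHA-384 digests standing in for stage 1 output.
    printf 'constructed stand-in for dummy.bit' |
        openssl dgst -sha384 -binary > "$d/dummy.sha384"
    printf 'some other bitstream' |
        openssl dgst -sha384 -binary > "$d/other.sha384"

    sign_hash "$d/rsaPrivKeyInfo.pem" "$d/dummy.sha384" "$d/dummy.sha384.sig"
    verify_presign "$d/rsaPubKeyInfo.pem" "$d/dummy.sha384" \
        "$d/dummy.sha384.sig" && echo "presign matches hash and public key"
    # A signature checked against a different hash must be rejected.
    verify_presign "$d/rsaPubKeyInfo.pem" "$d/other.sha384" \
        "$d/dummy.sha384.sig" || echo "rejected: signature is for another hash"
    rm -rf "$d"
}
demo
```

A non-zero result from verify_presign means the signature file was produced with a different key or over a different hash, so it should not be used as the presign input in stage 3.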