For production, FPGAs use HSM mode; Standard mode can also be used.
Standard Mode
Standard mode generates a bitstream which has the authentication signature embedded. In this mode, the secret keys are supposed to be available to the user for generating the authenticated bitstream. Run Bootgen as follows:
bootgen -arch fpga -image all.bif -o rsa_ref.bit -w on -log error
The following steps describe how to generate an authenticated bitstream in HSM mode, where the secret keys are maintained by a secure team and are not available to the user. The following figure shows the HSM mode flow:
Figure 1. HSM Mode Flow
Stage 0: Authenticate with dummy key
This is a one-time task for a given bitstream. For stage 0, Bootgen generates the stage0.bif file.
the_ROM_image:
{
[sskfile] dummykey.pem
[authentication=rsa] plain.bit
}
Note: The authenticated bitstream has a header, an actual bitstream, a signature and a footer. This dummy.bit is created to get a bitstream in the format of an authenticated bitstream, with a dummy signature. Now, when the dummy bit file is given to Bootgen, it calculates the signature and inserts it at the offset to give an authenticated bitstream.
Stage 1: Generate hashes
bootgen -arch fpga -image stage1.bif -generate_hashes -log error
Stage1.bif is as follows:
the_ROM_image:
{
[authentication=rsa] dummy.bit
}
Stage 2: Sign the hash with the HSM (here OpenSSL is used for demonstration)
openssl rsautl -sign -inkey rsaPrivKeyInfo.pem -in dummy.sha384 > dummy.sha384.sig
Stage 3: Update the RSA certificate with Actual Signature
bootgen -arch fpga -image stage3.bif -w -o rsa_rel.bit -log error
The Stage3.bif is as follows:
the_ROM_image:
{
[spkfile] rsaPubKeyInfo.pem
[authentication=rsa, presign=dummy.sha384.sig]dummy.bit
}
Note: The public key digest, which must be burnt into eFUSEs, can be found in the generated rsaPubKeyInfo.pem.nky file in Stage3 of HSM mode.
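A check worth running on the file returned from the signing step before Stage 3, shown here as an added example that is not part of the Bootgen documentation: confirm that the signature, opened with the public key named in the Stage 3 BIF, recovers exactly the bytes of the Stage 1 hash file. It assumes a raw PKCS#1 v1.5 RSA signature as produced by the rsautl command in Stage 2 and a PEM public key that OpenSSL can read; the function names, the throwaway key pair and the random 48-byte hash stand-in are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Bootgen or vendor code): gate Stage 3 on a signature check.

# verify_presign PUBKEY HASHFILE SIGFILE
# Returns 0 only when SIGFILE, opened with PUBKEY, yields exactly the bytes of
# HASHFILE. -verifyrecover removes the PKCS#1 v1.5 padding that a raw RSA
# signing step such as `openssl rsautl -sign` applies.
verify_presign() {
    vp_rec=$(mktemp) || return 2
    if openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$3" \
           -out "$vp_rec" 2>/dev/null && cmp -s "$vp_rec" "$2"; then
        vp_rc=0
    else
        vp_rc=1
    fi
    rm -f "$vp_rec"
    return "$vp_rc"
}

# make_constructed_inputs DIR
# Fills DIR with a throwaway key pair, a 48-byte random stand-in for the
# Stage 1 hash file, and a signature over it (pkeyutl -sign without a digest
# option is the successor of rsautl -sign). All of it is constructed sample
# data; in the real flow the private key never leaves the HSM.
make_constructed_inputs() {
    openssl genrsa -out "$1/rsaPrivKeyInfo.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/rsaPrivKeyInfo.pem" -pubout \
        -out "$1/rsaPubKeyInfo.pem" 2>/dev/null &&
    openssl rand -out "$1/dummy.sha384" 48 &&
    openssl pkeyutl -sign -inkey "$1/rsaPrivKeyInfo.pem" \
        -in "$1/dummy.sha384" -out "$1/dummy.sha384.sig"
}

demo_dir=$(mktemp -d)
make_constructed_inputs "$demo_dir"
if verify_presign "$demo_dir/rsaPubKeyInfo.pem" "$demo_dir/dummy.sha384" \
       "$demo_dir/dummy.sha384.sig"; then
    echo "signature matches hash and public key: safe to run Stage 3"
else
    echo "signature check FAILED: do not pass this file as presign" >&2
fi
rm -rf "$demo_dir"
```

A failure here means the signature was made over a different hash file or with a key other than the one whose digest is destined for the eFUSEs, which is cheaper to find at this point than after the bitstream is built.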