Data Sheet

Ethernet Controller I210 — Interconnects
Integrity validation of Flash updates is provided by means of a digital signature. The digital signature is
a SHA256 hash computed over the protected content (256 bits long), which is then encrypted with
2048-bit RSA using an Intel private key. This digital signature is stored in what is called the
manifest in the Flash module image. Also stored in the manifest are the corresponding RSA Modulus (the
public key) and RSA Exponent parameters, which are used for decrypting the digital signature.

To verify the authenticity of the digital signature, firmware must first verify that the RSA Modulus and
RSA Exponent fields in the newly loaded firmware image are identical to those in the old firmware image. If the
RSA Modulus and Exponent fields are the same, firmware decrypts the digital signature using the 2048-bit
RSA Modulus and Exponent fields stored in the manifest of the old firmware image to extract the
expected SHA256 hash of the content (stored hash). Firmware then performs an independent SHA256
hash over the protected content (computed hash). If the stored hash matches the computed hash, the
digital signature is accepted, and the Flash update is applied.

Flash updates are validated prior to invalidating the old Flash configuration, such that the old Flash
configuration is still usable if the update fails to validate. After the new Flash is successfully verified, the
firmware switches to the new image.
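
The verification sequence described above, as an added Python example that is not Intel's firmware code and not taken from the data sheet. The PKCS #1 v1.5 signature encoding, the manifest dictionary layout, and the deliberately weak demo keys built from Mersenne primes are assumptions made so the example runs offline.

```python
import hashlib
import hmac

# DER prefix of a SHA-256 DigestInfo (PKCS #1 v1.5); the encoding is assumed.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(content: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(content), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(content).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_update(old_manifest: dict, new_image: dict) -> bool:
    """Accept new_image only if it is signed by the key the old image holds."""
    new_manifest = new_image["manifest"]
    # "New = Old?": the key fields in the new manifest must match the old ones.
    if (new_manifest["modulus"], new_manifest["exponent"]) != (
            old_manifest["modulus"], old_manifest["exponent"]):
        return False
    # RSA public operation with the OLD image's modulus and exponent.
    n, e = old_manifest["modulus"], old_manifest["exponent"]
    k = (n.bit_length() + 7) // 8
    sig = new_manifest["signature"]
    if not 0 <= sig < n:
        return False
    stored = pow(sig, e, n).to_bytes(k, "big")
    # Compare the recovered encoding (stored hash) with one rebuilt from the
    # independently computed hash, in constant time.
    return hmac.compare_digest(stored, encode(new_image["content"], k))

def sign(content: bytes, n: int, e: int, d: int) -> dict:
    """Build a manifest; stands in for the vendor-side signing step."""
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(encode(content, k), "big"), d, n)
    return {"modulus": n, "exponent": e, "signature": sig}

def toy_key(p: int, q: int, e: int = 65537):
    """Constructed demo key from known primes; far too weak for real use."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

# Constructed sample data (hypothetical layout, not the I210 Flash format).
VENDOR = toy_key(2**521 - 1, 2**607 - 1)
OTHER = toy_key(2**521 - 1, 2**1279 - 1)
OLD_MANIFEST = sign(b"old flash module", *VENDOR)
GOOD = {"content": b"new flash module", "manifest": sign(b"new flash module", *VENDOR)}
TAMPERED = {"content": b"new flash module!", "manifest": GOOD["manifest"]}
# Self-consistent image: signed with a different key and carrying that key.
REKEYED = {"content": b"new flash module", "manifest": sign(b"new flash module", *OTHER)}
```

The `REKEYED` image verifies against its own manifest, which is why the comparison with the old image's Modulus and Exponent has to come first: a manifest that carries its own public key proves nothing unless that key is tied to one already trusted.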
Figure 3-8. Sign and Verify Procedures for Authenticated Flash Modules
[Diagram not reproduced. Sign panel labels: Protected Module Contents, SHA256 Hash, Digest, RSA encryption with the private key, Digital Signature, Module's Manifest (CSS Header, 2048-bit RSA Modulus, RSA Exponent). Verify panel labels: Protected Module Contents, SHA256 Hash, Digest, CSS Header, 2048-bit RSA Modulus, RSA Exponent, RSA decryption with the public key, "New = Old ?", "= ?".]

3.3.10.1 Digital Signature Algorithm Details
As previously mentioned, the digital signature generation is a hash computation followed by an RSA
encryption. This is performed within Intel as part of the Flash update image generation process; it is
performed neither by Intel software in the field nor by the I210.
The algorithms used are described in the following locations:
PKCS #1 v2.1: RSA Cryptography Standard, RSA Laboratories, June 14, 2002 - www.rsa.com
SHA family definition - http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
SHA usage with digital signatures - http://csrc.nist.gov/publications/nistpubs/800-107/NIST-SP-800-107.pdf
SHA validation vectors - http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf