Build: Add RSA-3072 support

PSA TBSA-M recommends using an RSA signature for firmware
authentication with a key size of at least 3072 bits.

Change-Id: I0689123d61b55167b3efab90fe520e94d9586055
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/docs/user_guides/tfm_secure_boot.rst b/docs/user_guides/tfm_secure_boot.rst
index 9097538..066d916 100644
--- a/docs/user_guides/tfm_secure_boot.rst
+++ b/docs/user_guides/tfm_secure_boot.rst
@@ -20,14 +20,14 @@
 
 Bootloader is started when CPU is released from reset. It runs in secure mode.
 It authenticates the firmware image by hash (SHA-256) and digital signature
-(RSA-2048) validation. Public key, that the checks happens against, is built
+(RSA-3072) validation. Public key, that the checks happens against, is built
 into the bootloader image. Metadata of the image is delivered together with the
 image itself in a header and trailer section. In case of successful
 authentication, bootloader passes execution to the secure image. Execution never
 returns to bootloader until next reset.
 
 A default RSA key pair is stored in the repository, public key is in ``keys.c``
-and private key is in ``root-rsa-2048.pem``.
+and private key is in ``root-rsa-3072.pem``.
 
 .. Warning::
     DO NOT use them in production code, they are exclusively for testing!
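Review bot: the key-file sentence at the end of this hunk now names only ``root-rsa-3072.pem``, but the same patch keeps RSA-2048 as a supported option with its own example key. The text should say which public key ``keys.c`` carries for each signature type, or that it carries both. While the sentence above it is being touched, "that the checks happens against" could be corrected to "that the checks happen against".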
@@ -37,7 +37,7 @@
 
 The bootloader handles the secure and non-secure images as a single blob which
 is contiguous in the device memory. At compile time these images are
-concatenated and signed with RSA-2048 digital signature. Preparation of payload
+concatenated and signed with RSA-3072 digital signature. Preparation of payload
 is done by Python scripts: ``bl2/ext/mcuboot/scripts/``. At the end of a
 successful build signed TF-M payload can be found in:
 ``<build_dir>/install/outputs/fvp/tfm_sign.bin``
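Review bot: "signed with RSA-3072 digital signature" reads as a fixed property of the build, while the option added later in this patch also allows RSA-2048. Suggest wording such as "signed with an RSA digital signature (RSA-3072 by default, see ``MCUBOOT_SIGNATURE_TYPE``)" so the overview and the configuration section cannot drift apart.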
@@ -196,6 +196,15 @@
     ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the top-level
     configuration file, or include this macro definition in the command line
 
+********************
+Signature algorithms
+********************
+MbedTLS library is used to sign the images. The list of supported signing
+algorithms:
+    - RSA-2048
+    - RSA-3072 (default)
+Example keys stored in ``root-rsa-2048.pem`` and ``root-rsa-3072.pem``.
+
 ************************
 Build time configuration
 ************************
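Review bot: the new "Signature algorithms" section says the MbedTLS library is used to sign the images, which conflicts with the earlier paragraph stating that payload preparation is done by the Python scripts in ``bl2/ext/mcuboot/scripts/``. Please state which component signs at build time and which one verifies in the bootloader. On formatting, the section needs a blank line after the title underline and around the bullet list, the list should not be indented under the paragraph, and the last sentence is missing a verb ("Example keys are stored in ...").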
@@ -219,6 +228,9 @@
     - **"RAM_LOADING":** Activate RAM loading firmware upgrade operation, where
       latest image is copied to RAM and runs from there instead of being
       executed in-place.
+- MCUBOOT_SIGNATURE_TYPE (default: RSA-3072):
+    - **RSA-3072** Image is signed with RSA-3072 algorithm
+    - **RSA-2048** Image is signed with RSA-2048 algorithm
 
 Image versioning
 ================
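Review bot: the ``MCUBOOT_SIGNATURE_TYPE`` entry does not follow the format of the neighbouring option values, which are written with quotes and a colon inside the bold, as in ``**"RAM_LOADING":**``; the new ``**RSA-3072**`` and ``**RSA-2048**`` values have neither. It would also help to say here that the selected type has to match the private key used for signing and the public key built into the bootloader, and that RSA-2048 is below the 3072-bit minimum the commit message cites.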