Summary of Crypto Keys Used by FoundriesFactory

This page provides a brief summary cryptographic keys used by FoundriesFactory®. For detailed information on each key, please check the relevant page under Security.

Secure Connection to Cloud Services

These certificates are required to access the FoundriesFactory CI servers.

Table 3 Device Gateway Certificates Summary
Keys Type Owner
Root of Trust key (factory_ca.key) NIST P-256 Owned and managed by the customer (offline key)
TLS key NIST P-256 Owned and managed by Foundries.io (used for mTLS handshake)
Online CA private key (online-ca.key) NIST P-256 If enabled (required by lmp-device-register for performing the device CSR), owned and managed by Foundries.io
Local CA private key (local-ca.key) NIST P-256 If enabled, owned and managed by the customer (used for performing the device CSR)

Secure Boot (Hardware Root of Trust)

Table 4 Secure Boot Certificates Summary
Keys Type Owner
Hardware Root of Trust Key Depends on the SoC Owned and managed by the customer (offline key)

The Hardware Root of Trust depends on the SoC used. Please refer to Secure Boot (Hardware Root of Trust) pages and to the vendor reference manual for more information.

Secure Online Keys for Boot Stack

The exact list of keys used for the boot stack depends on the hardware used. Some platforms will not make use of all keys. A list of available keys for an LmP build can be found below:

Table 5 LmP Build Certificates Summary
Keys Type Owner LmP Variable
SPL Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI UBOOT_SPL_SIGN_KEYNAME
U-Boot Proper Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI UBOOT_SIGN_KEYNAME
OP-TEE Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI OPTEE_TA_SIGN_KEY
Kernel Modules Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI MODSIGN_PRIVKEY
UEFI Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI ${UEFI_SIGN_KEYDIR}/DB.key
TF-A Verification Key ECDSA (prime256v1) Owned by the customer, available as an online key for FoundriesFactory CI TF_A_SIGN_KEY_PATH

The detailed description for the LmP Build certificates, including diagrams for the boot flow, is in Crypto Keys Used by FoundriesFactory at Build Time.

Secure Over the Air Updates

Table 6 Secure OTA Certificates Summary
Keys Type Owner
Offline TUF Root Key Ed25519 (default) or RSA 4096 (*) Owned and managed by the customer (offline key)
Online TUF Snapshot Key Ed25519 (default) or RSA 4096 (*) Owned and managed by FoundriesFactory CI
Online TUF Timestamp Key Ed25519 (default) or RSA 4096 (*) Owned and managed by FoundriesFactory CI
Online TUF Targets Signing Key Ed25519 (default) or RSA 4096 (*) Owned and managed by FoundriesFactory CI
Offline TUF Targets Signing Key Ed25519 (default) or RSA 4096 (*) Owned and managed by the customer (offline key)
OTA Client (aktualizr-lite/fioconfig) mTLS Key NIST P-256 Owned by the device (unique per device), created during registration (CSR)

Note

(*) Can be selected at Factory creation or changed later.

Factories created before v89 use RSA 4096 by default but can switch to use Ed25519.