Summary of Crypto Keys Used by FoundriesFactory

This page provides a brief summary of cryptographic keys used by your Factory.

Secure Connection to Cloud Services

The following certificates are required to access the FoundriesFactory® CI servers. For detailed information, check Secure Connection to Cloud Services.

Table 3 Device Gateway Certificates Summary
Keys Type Owner
Root of Trust key (factory_ca.key) NIST P-256 Owned and managed by the customer (offline key)
TLS key NIST P-256 Owned and managed by Foundries.io (used for mTLS handshake)
Online CA private key (online-ca.key) NIST P-256 If enabled (required by lmp-device-register for performing the device CSR), owned and managed by Foundries.io
Local CA private key (local-ca.key) NIST P-256 If enabled, owned, and managed by the customer (used for performing the device CSR)

Secure Boot (Hardware Root of Trust)

The Hardware Root of Trust depends on the SoC used. Please refer to the Secure Boot (Hardware Root of Trust) pages and to your vendor’s reference manual for more information.

Table 4 Secure Boot Certificates Summary
Keys Type Owner
Hardware Root of Trust Key Depends on the SoC Owned and managed by the customer (offline key)

Secure Online Keys for Boot Stack

A detailed description of LmP build certificates, including diagrams for the boot flow, is in Crypto Keys Used by FoundriesFactory at Build Time.

The exact list of keys used for the boot stack depends on the hardware. Some platforms will not make use of all keys. A list of available keys for an LmP build can be found below:

Table 5 LmP Build Certificates Summary
Keys Type Owner LmP Variable
SPL Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI UBOOT_SPL_SIGN_KEYNAME
U-Boot Proper Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI UBOOT_SIGN_KEYNAME
OP-TEE Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI OPTEE_TA_SIGN_KEY
Kernel Modules Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI MODSIGN_PRIVKEY
UEFI Verification Key RSA 2048 Owned by the customer, available as an online key for FoundriesFactory CI ${UEFI_SIGN_KEYDIR}/DB.key
TF-A Verification Key ECDSA (prime256v1) Owned by the customer, available as an online key for FoundriesFactory CI TF_A_SIGN_KEY_PATH

Secure Over the Air Updates

Keys used to deliver secure software updates to Factory devices. Additional information can be found in Secure Over the Air Updates.

Table 6 Secure OTA Certificates Summary
Keys Type Owner
Offline TUF Root Signing Keys Ed25519 (default) or RSA 4096 (*) Owned and managed by the customer (offline keys)
Online TUF Snapshot Signing Key Ed25519 (default) or RSA 4096 (*) Owned and managed by FoundriesFactory CI
Online TUF Timestamp Signing Key Ed25519 (default) or RSA 4096 (*) Owned and managed by FoundriesFactory CI
Online TUF Targets Signing Key Ed25519 (default) or RSA 4096 (*) Owned and managed by FoundriesFactory CI
Offline TUF Targets Signing Keys Ed25519 (default) or RSA 4096 (*) Owned and managed by the customer (offline keys)
OTA Client (aktualizr-lite/fioconfig) mTLS Key NIST P-256 Owned by the device (unique per device), created during registration (CSR)

Note

(*) Can be selected at Factory creation or changed later.

Factories created before v89 use RSA 4096 by default and can switch to use Ed25519.