Summary of Crypto Keys Used by FoundriesFactory
This page provides a brief summary of cryptographic keys used by your Factory.
Secure Connection to Cloud Services
The following certificates are required to access the FoundriesFactory® CI servers. For detailed information, check Secure Connection to Cloud Services.
| Keys | Type | Owner |
|---|---|---|
Root of Trust key (factory_ca.key) |
NIST P-256 | Owned and managed by the customer (offline key) |
| TLS key | NIST P-256 | Owned and managed by Foundries.io (used for mTLS handshake) |
Online CA private key (online-ca.key) |
NIST P-256 | If enabled (required by lmp-device-register for performing the device CSR), owned and managed by Foundries.io |
Local CA private key (local-ca.key) |
NIST P-256 | If enabled, owned, and managed by the customer (used for performing the device CSR) |
Secure Boot (Hardware Root of Trust)
The Hardware Root of Trust depends on the SoC used. Please refer to the Secure Boot (Hardware Root of Trust) pages and to your vendor’s reference manual for more information.
| Keys | Type | Owner |
|---|---|---|
| Hardware Root of Trust Key | Depends on the SoC | Owned and managed by the customer (offline key) |
Secure Online Keys for Boot Stack
A detailed description of LmP build certificates, including diagrams for the boot flow, is in Crypto Keys Used by FoundriesFactory at Build Time.
The exact list of keys used for the boot stack depends on the hardware. Some platforms will not make use of all keys. A list of available keys for an LmP build can be found below:
| Keys | Type | Owner | LmP Variable |
|---|---|---|---|
| SPL Verification Key | RSA 2048 | Owned by the customer, available as an online key for FoundriesFactory CI | UBOOT_SPL_SIGN_KEYNAME |
| U-Boot Proper Verification Key | RSA 2048 | Owned by the customer, available as an online key for FoundriesFactory CI | UBOOT_SIGN_KEYNAME |
| OP-TEE Verification Key | RSA 2048 | Owned by the customer, available as an online key for FoundriesFactory CI | OPTEE_TA_SIGN_KEY |
| Kernel Modules Verification Key | RSA 2048 | Owned by the customer, available as an online key for FoundriesFactory CI | MODSIGN_PRIVKEY |
| UEFI Verification Key | RSA 2048 | Owned by the customer, available as an online key for FoundriesFactory CI | ${UEFI_SIGN_KEYDIR}/DB.key |
| TF-A Verification Key | ECDSA (prime256v1) | Owned by the customer, available as an online key for FoundriesFactory CI | TF_A_SIGN_KEY_PATH |
Secure Over the Air Updates
Keys used to deliver secure software updates to Factory devices. Additional information can be found in Secure Over the Air Updates.
| Keys | Type | Owner |
|---|---|---|
| Offline TUF Root Signing Keys | Ed25519 (default) or RSA 4096 (*) | Owned and managed by the customer (offline keys) |
| Online TUF Snapshot Signing Key | Ed25519 (default) or RSA 4096 (*) | Owned and managed by FoundriesFactory CI |
| Online TUF Timestamp Signing Key | Ed25519 (default) or RSA 4096 (*) | Owned and managed by FoundriesFactory CI |
| Online TUF Targets Signing Key | Ed25519 (default) or RSA 4096 (*) | Owned and managed by FoundriesFactory CI |
| Offline TUF Targets Signing Keys | Ed25519 (default) or RSA 4096 (*) | Owned and managed by the customer (offline keys) |
OTA Client (aktualizr-lite/fioconfig) mTLS Key |
NIST P-256 | Owned by the device (unique per device), created during registration (CSR) |
Note
(*) Can be selected at Factory creation or changed later.
Factories created before v89 use RSA 4096 by default and can switch to use Ed25519.