Summary of Crypto Keys Used by FoundriesFactory

This page provides a brief summary of cryptographic keys used by your Factory.

Secure Connection to Cloud Services

The following certificates are required to access the FoundriesFactory™ Platform CI servers. For detailed information, check Secure Connection to Cloud Services.

Table 6 Device Gateway Certificates Summary
Keys	Type	Owner
Root of Trust key (`factory_ca.key`)	NIST P-256	Owned and managed by the customer (offline key)
TLS key	NIST P-256	Owned and managed by Foundries.io (used for mTLS handshake)
Online CA private key (`online-ca.key`)	NIST P-256	If enabled (required by `lmp-device-register` for performing the device CSR), owned and managed by Foundries.io
Local CA private key (`local-ca.key`)	NIST P-256	If enabled, owned, and managed by the customer (used for performing the device CSR)

Secure Boot (Hardware Root of Trust)

The Hardware Root of Trust depends on the SoC used. Please refer to the Secure Boot (Hardware Root of Trust) pages and to your vendor’s reference manual for more information.

Table 7 Secure Boot Certificates Summary
Keys	Type	Owner
Hardware Root of Trust Key	Depends on the SoC	Owned and managed by the customer (offline key)

Secure Online Keys for Boot Stack

A detailed description of LmP build certificates, including diagrams for the boot flow, is in Crypto Keys Used by FoundriesFactory at Build Time.

The exact list of keys used for the boot stack depends on the hardware. Some platforms will not make use of all keys. A list of available keys for an LmP build can be found below:

Table 8 LmP Build Certificates Summary
Keys	Type	Owner	LmP Variable
SPL Verification Key	RSA 2048	Owned by the customer, available as an online key for FoundriesFactory CI	`UBOOT_SPL_SIGN_KEYNAME`
U-Boot Proper Verification Key	RSA 2048	Owned by the customer, available as an online key for FoundriesFactory CI	`UBOOT_SIGN_KEYNAME`
OP-TEE Verification Key	RSA 2048	Owned by the customer, available as an online key for FoundriesFactory CI	`OPTEE_TA_SIGN_KEY`
Kernel Modules Verification Key	RSA 2048	Owned by the customer, available as an online key for FoundriesFactory CI	`MODSIGN_PRIVKEY`
UEFI Verification Key	RSA 2048	Owned by the customer, available as an online key for FoundriesFactory CI	`${UEFI_SIGN_KEYDIR}/DB.key`
TF-A Verification Key	ECDSA (prime256v1)	Owned by the customer, available as an online key for FoundriesFactory CI	`TF_A_SIGN_KEY_PATH`

Secure Over the Air Updates

Keys used to deliver secure software updates to Factory devices. Additional information can be found in Secure Over the Air Updates.

Table 9 Secure OTA Certificates Summary
Keys	Type	Owner
Offline TUF Root Signing Keys	Ed25519 (default) or RSA 4096 *()**	Owned and managed by the customer (offline keys)
Online TUF Snapshot Signing Key	Ed25519 (default) or RSA 4096 *()**	Owned and managed by FoundriesFactory CI
Online TUF Timestamp Signing Key	Ed25519 (default) or RSA 4096 *()**	Owned and managed by FoundriesFactory CI
Online TUF Targets Signing Key	Ed25519 (default) or RSA 4096 *()**	Owned and managed by FoundriesFactory CI
Offline TUF Targets Signing Keys	Ed25519 (default) or RSA 4096 *()**	Owned and managed by the customer (offline keys)
OTA Client (`aktualizr-lite`/`fioconfig`) mTLS Key	NIST P-256	Owned by the device (unique per device), created during registration (CSR)

Note

(*) Can be selected at Factory creation or changed later.

Factories created before v89 use RSA 4096 by default and can switch to use Ed25519.