-----------------------------------
To create a new public key, size 2048 bits:
-$ openssl genrsa -F4 -out keys/dev.key 2048
+$ openssl genpkey -algorithm RSA -out keys/dev.key \
+ -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
To create a certificate for this:
- rsa,num-bits: Number of key bits (e.g. 2048)
- rsa,modulus: Modulus (N) as a big-endian multi-word integer
+- rsa,exponent: Public exponent (E) as a 64 bit unsigned integer
- rsa,r-squared: (2^num-bits)^2 as a big-endian multi-word integer
- rsa,n0-inverse: -1 / modulus[0] mod 2^32
CONFIG_FIT_SIGNATURE - enable signing and verfication in FITs
CONFIG_RSA - enable RSA algorithm for signing
+WARNING: When relying on signed FIT images with required signature check
+the legacy image format is default disabled by not defining
+CONFIG_IMAGE_FORMAT_LEGACY
Testing
-------
Sign images
Test Verified Boot Run: signed config: OK
check signed config on the host
+Signature check OK
OK
Test Verified Boot Run: signed config: OK
Test Verified Boot Run: signed config with bad hash: OK
Sign images
Test Verified Boot Run: signed config: OK
check signed config on the host
+Signature check OK
OK
Test Verified Boot Run: signed config: OK
Test Verified Boot Run: signed config with bad hash: OK
Test passed
+
Future Work
-----------
- Roll-back protection using a TPM is done using the tpm command. This can