author | Soby Mathew <soby.mathew@arm.com> | 2019-09-13 12:00:59 +0000 |
---|---|---|
committer | TrustedFirmware Code Review <review@review.trustedfirmware.org> | 2019-09-13 12:00:59 +0000 |
commit | c428fbaeab3191a5b7fda38fc2aa8da3d716ab97 (patch) | |
tree | d45974a3798396c1e0c56ccc9287ed0c3b625cab /docs | |
parent | 76eac18647f3bb81e029309ea61f8c4c5336ca27 (diff) | |
parent | 6a415a508ea6acec321e4609d3f8e5c03ba67664 (diff) |
Merge changes from topic "jc/rsa-pkcs" into integration

* changes:
  Remove RSA PKCS#1 v1.5 support from cert_tool
  Add documentation for new KEY_SIZE option
  Add cert_create tool support for RSA key sizes
  Support larger RSA key sizes when using MBEDTLS

Diffstat (limited to 'docs')
-rw-r--r-- | docs/design/auth-framework.rst | 18 | ||||
-rw-r--r-- | docs/getting_started/user-guide.rst | 18 |
2 files changed, 25 insertions, 11 deletions
diff --git a/docs/design/auth-framework.rst b/docs/design/auth-framework.rst index da958b7c..7de8ee1e 100644 --- a/docs/design/auth-framework.rst +++ b/docs/design/auth-framework.rst @@ -704,7 +704,7 @@ Each image descriptor must specify: In the ``tbbr_cot.c`` file, a set of buffers are allocated to store the parameters extracted from the certificates. In the case of the TBBR CoT, these parameters -are hashes and public keys. In DER format, an RSA-2048 public key requires 294 +are hashes and public keys. In DER format, an RSA-4096 public key requires 550 bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication process, some of the buffers may be reused at different stages during the boot. @@ -946,12 +946,16 @@ three functions: int verify_hash(void *data_ptr, unsigned int data_len, void *digest_info_ptr, unsigned int digest_info_len); -The mbedTLS library algorithm support is configured by the -``TF_MBEDTLS_KEY_ALG`` variable which can take in 3 values: `rsa`, `ecdsa` or -`rsa+ecdsa`. This variable allows the Makefile to include the corresponding -sources in the build for the various algorithms. Setting the variable to -`rsa+ecdsa` enables support for both rsa and ecdsa algorithms in the mbedTLS -library. +The mbedTLS library algorithm support is configured by both the +``TF_MBEDTLS_KEY_ALG`` and ``TF_MBEDTLS_KEY_SIZE`` variables. + +- ``TF_MBEDTLS_KEY_ALG`` can take in 3 values: `rsa`, `ecdsa` or `rsa+ecdsa`. + This variable allows the Makefile to include the corresponding sources in + the build for the various algorithms. Setting the variable to `rsa+ecdsa` + enables support for both rsa and ecdsa algorithms in the mbedTLS library. + +- ``TF_MBEDTLS_KEY_SIZE`` sets the supported RSA key size for TFA. Valid values + include 1024, 2048, 3072 and 4096. .. note:: If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can 
diff --git a/docs/getting_started/user-guide.rst b/docs/getting_started/user-guide.rst index 3828d0b4..015de9a6 100644 --- a/docs/getting_started/user-guide.rst +++ b/docs/getting_started/user-guide.rst @@ -594,10 +594,20 @@ Common build options - ``KEY_ALG``: This build flag enables the user to select the algorithm to be used for generating the PKCS keys and subsequent signing of the certificate. - It accepts 3 values: ``rsa``, ``rsa_1_5`` and ``ecdsa``. The option - ``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR - compliant and is retained only for compatibility. The default value of this - flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme. + It accepts 2 values: ``rsa`` and ``ecdsa``. The default value of this flag + is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme. + +- ``KEY_SIZE``: This build flag enables the user to select the key size for + the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE`` + depend on the chosen algorithm. + + +-----------+------------------------------------+ + | KEY_ALG | Possible key sizes | + +===========+====================================+ + | rsa | 1024, 2048 (default), 3072, 4096 | + +-----------+------------------------------------+ + | ecdsa | unavailable | + +-----------+------------------------------------+ - ``HASH_ALG``: This build flag enables the user to select the secure hash algorithm. It accepts 3 values: ``sha256``, ``sha384`` and ``sha512``. |
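
Review bot: In docs/design/auth-framework.rst (hunk at -704), the reworded sentence "an RSA-4096 public key requires 550 bytes" no longer says what the buffers need for the other key sizes this same change documents (1024, 2048, 3072), so a reader cannot tell whether the ``tbbr_cot.c`` buffers are always sized for the largest key or follow ``TF_MBEDTLS_KEY_SIZE``. Suggest stating that explicitly, for example by keeping the 294-byte RSA-2048 figure beside the 550-byte RSA-4096 one and naming the option that selects between them.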
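
Review bot: In docs/design/auth-framework.rst (hunk at -946), the new ``TF_MBEDTLS_KEY_SIZE`` bullet says "Valid values include 1024, 2048, 3072 and 4096", which leaves open whether the list is exhaustive, and it gives no default, whereas the user-guide table in the same change marks 2048 as the default for ``KEY_SIZE``. Suggest "Valid values are ...", stating the default, saying whether the value is an exact or a maximum supported size, and describing how this variable relates to the ``KEY_SIZE`` build flag.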
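
Review bot: In docs/getting_started/user-guide.rst, the ``ecdsa`` row of the new ``KEY_SIZE`` table reads "unavailable", which does not say whether passing ``KEY_SIZE`` together with ``KEY_ALG=ecdsa`` is ignored or rejected by the build; please spell out the behaviour. The same hunk drops ``rsa_1_5`` from ``KEY_ALG`` with no note for users whose builds still pass it, and lists 1024 as a valid RSA size with no guidance, so a sentence on what now happens for ``KEY_ALG=rsa_1_5`` and a recommendation to use 2048 or larger would help.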