This section contains a summary of all the keys used in TrustFence.
Signature keys
When not provided, Digi Embedded Yocto generates the following keys at the specified TRUSTFENCE_SIGN_KEYS_PATH location (by default, a subfolder in the project called trustfence/):
- A PKI tree to sign the boot artifacts (under subfolder keys/)
- A couple of key pairs (public/private) to sign FIT images (under subfolder fit/)
  - One key pair to sign the FIT image nodes
  - One key pair to sign the FIT configuration nodes
The folder contains the following:
- fit/fitcfg.crt: public key for FIT configuration nodes
- fit/fitcfg.key: private key for FIT configuration nodes
- fit/fitimg.crt: public key for FIT image nodes
- fit/fitimg.key: private key for FIT image nodes
- keys/key_pass.txt: the eight randomly generated passwords in plain text
- keys/privateKey00..07.pem: the eight private keys
- keys/publicKey00..07.pem: the eight public keys
- keys/publicKeyHash00..07.bin: hashes of the eight ECC public keys
- keys/publicKeysHashHashes.bin: hash of the table of hashes of the eight ECC public keys
If the key is compromised, you can revoke it and replace it with another one. See Revoke a key.
You must securely back up the entire PKI tree. Digi might require this PKI tree in order to accept RMAs of secured devices. Alternatively, you will be required to perform the signing of custom images and provide them to Digi.
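Because the tree holds private keys and a plain-text password file, and must be backed up in full, it is worth checking a key folder (or a restored backup) for completeness and file permissions. The script below is an added example, not part of Digi's documentation or tooling; the function name `audit_trustfence_keys` is hypothetical, and it assumes that `00..07` in the listing above means eight files numbered 00 to 07.

```shell
#!/bin/sh
# Added example: audit a TrustFence key folder against the layout listed above.
# Assumption: "00..07" in the listing means eight files numbered 00 to 07,
# for example keys/privateKey00.pem through keys/privateKey07.pem.

# Prints one line per finding; returns 0 when the tree is complete and private.
audit_trustfence_keys() {
    dir=$1
    findings=0

    # Expected files, and the subset holding secrets (private keys, passwords).
    expected="fit/fitcfg.crt fit/fitcfg.key fit/fitimg.crt fit/fitimg.key"
    expected="$expected keys/key_pass.txt keys/publicKeysHashHashes.bin"
    secret="fit/fitcfg.key fit/fitimg.key keys/key_pass.txt"
    for i in 00 01 02 03 04 05 06 07; do
        expected="$expected keys/privateKey$i.pem keys/publicKey$i.pem"
        expected="$expected keys/publicKeyHash$i.bin"
        secret="$secret keys/privateKey$i.pem"
    done

    # Completeness: a backup missing any of these is not the entire PKI tree.
    for f in $expected; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"
            findings=$((findings + 1))
        fi
    done

    # Confidentiality: secrets must grant nothing to group or others, so the
    # group and other fields of the mode string must all be "-".
    for f in $secret; do
        [ -f "$dir/$f" ] || continue
        mode=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "EXPOSED $f"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: pass the TRUSTFENCE_SIGN_KEYS_PATH folder as the argument.
if [ "$#" -gt 0 ]; then
    audit_trustfence_keys "$1"
fi
```

A non-zero exit status means at least one file is missing or a secret file is readable beyond its owner.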