README
1About
2=====
3
4Firmware binary signing is for audio DSP is mandatory on Intel products from
5Skylake onwards. i.e. no code signing on Baytrail, Cherrytrail, Braswell,
6Haswell and Broadwell but mandatory on Skylake, Kabylake, Apollolake,
7Cannonlake Icelake and Tigerlake.
8
9rimage can now sign firmware binaries for Apollolake,
10Cannonlake and Icelake targets.
11This is done automatically as part of the "make bin" part of the build.
12
13
14Key Pairs
15=========
16
17The key included here is the Intel OTC (Opensource Technology Center) community
18development key. It can be freely used by anyone and is intended for reference
19board makers and firmware developers.
20
21** This key is NOT intended for locking down firmware on end user production
22devices since the "private" key has been published here. A new key pair must
23be genrated for securing firmware ! **
24
25RSA Private and Public keys are generated as follows :-
26
27For cavs 1.5-2.0 platforms, 2k key is needed with following:
28openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
29
30For cavs 2.5+ (TigerLake), 3k key is needed with following:
31openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:3072
32
33openssl rsa -pubout -in private_key.pem -out public_key.pem
34
35The public key needs to be programmed into the OEM Key manifest (cavsManifest0)
36within the BIOS in order to verify code signed with the private key.
37Intel supplies tools to board makers to stitch the public key into the BIOS.
38
39The private key is used by rimage to sign the SOF binary. It should be kept
40secret and secure for production signing.
41