1 file changed: +19 -1 lines changed
@@ -134,7 +134,25 @@ Beside `KEY_VERIFY_ALL`, pre-defined mask values can also be used here:
134134
135135### Importing public keys
136136
137- Work in progress.
137+ The "-i" option is used to import existing public keys into the keyvault. The usage is identical to the '-g' option, except that
138+ the file provided must exist and contain a valid public key of the given algorithm and key size.
139+
140+ ### Generating and importing keys of different types
141+
142+ By default, wolfBoot hardcodes the type of key used for all the signature verification operations into the keystore format.
143+
144+ Alternatively, wolfBoot can be compiled with the option ` WOLFBOOT_UNIVERSAL_KEYSTORE=1 ` , which disables the check at compile
145+ time and allows adding keys of different types to the keystore. For example, if we want to create two keypairs with different ECC curves,
146+ and additionally store a pre-existing RSA2048 public key file ` rsa-pub.der ` , we could run the following:
147+
148+ ` keygen --ecc256 -g a.key --ecc384 -g b.key --rsa2048 -i rsa-pub.der `
149+
150+ The command above generates a keystore with three public keys that are accessible by the bootloader at runtime.
151+
152+ Please note that by default wolfBoot does not include any public key algorithm implementations besides the one
153+ selected via the option ` SIGN= ` , so usually this feature is reserved to specific use cases where other policies or components
154+ in the chain-of-trust require to store different key types for different purposes.
155+
138156
139157## Using KeyStore with external Key Vaults
140158
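Review bot: the new "Importing public keys" paragraph (lines 137-138 of the new file) leaves the failure behaviour and accepted input format undocumented: it should state what the tool does when the file is missing or does not contain a key matching the selected algorithm and size (error out, or silently store it?), and whether only DER is accepted, since the later example relies on a `rsa-pub.der` file. In the "Generating and importing keys of different types" section, "disables the check at compile time" should name the check being disabled (the single hardcoded key type in the keystore format) and say what the bootloader enforces at runtime instead, because with a mixed keystore the acceptable algorithm per key becomes a policy decision the reader needs spelled out. The closing paragraph says wolfBoot only builds the algorithm selected via `SIGN=`, so it should also tell the reader that any other algorithm present in the keystore has to be enabled in the build before such keys can be used for verification, otherwise the example command produces a keystore with entries the bootloader cannot use. Minor: the inline code spans are written with padding spaces (` WOLFBOOT_UNIVERSAL_KEYSTORE=1 `, ` SIGN= `, ` rsa-pub.der `) which render with visible spaces, the "-i"/'-g' quoting is inconsistent with the backticked `KEY_VERIFY_ALL` above, and "require to store" should read "require storing".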