Add documentation for new KEY_SIZE option

This patch adds documentation for the new KEY_SIZE build option that is
exposed by cert_create, and instructions on how to use it.

Change-Id: I09b9b052bfdeeaca837e0f0026e2b01144f2472c
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

diff --git a/docs/design/auth-framework.rst b/docs/design/auth-framework.rst
index da958b7c2a94b636bd8d00c9627995c4cf3500d7..7de8ee1e23e85e254195d5dd662c81a04464ae49 100644 (file)
--- a/docs/design/auth-framework.rst
+++ b/docs/design/auth-framework.rst
@@ -704,7 +704,7 @@ Each image descriptor must specify:
 
 In the ``tbbr_cot.c`` file, a set of buffers are allocated to store the parameters
 extracted from the certificates. In the case of the TBBR CoT, these parameters
-are hashes and public keys. In DER format, an RSA-2048 public key requires 294
+are hashes and public keys. In DER format, an RSA-4096 public key requires 550
 bytes, and a hash requires 51 bytes. Depending on the CoT and the authentication
 process, some of the buffers may be reused at different stages during the boot.
 
@@ -946,12 +946,16 @@ three functions:
     int verify_hash(void *data_ptr, unsigned int data_len,
                     void *digest_info_ptr, unsigned int digest_info_len);
 
-The mbedTLS library algorithm support is configured by the
-``TF_MBEDTLS_KEY_ALG`` variable which can take in 3 values: `rsa`, `ecdsa` or
-`rsa+ecdsa`. This variable allows the Makefile to include the corresponding
-sources in the build for the various algorithms. Setting the variable to
-`rsa+ecdsa` enables support for both rsa and ecdsa algorithms in the mbedTLS
-library.
+The mbedTLS library algorithm support is configured by both the
+``TF_MBEDTLS_KEY_ALG`` and ``TF_MBEDTLS_KEY_SIZE`` variables.
+
+-  ``TF_MBEDTLS_KEY_ALG`` can take in 3 values: `rsa`, `ecdsa` or `rsa+ecdsa`.
+   This variable allows the Makefile to include the corresponding sources in
+   the build for the various algorithms. Setting the variable to `rsa+ecdsa`
+   enables support for both rsa and ecdsa algorithms in the mbedTLS library.
+
+-  ``TF_MBEDTLS_KEY_SIZE`` sets the supported RSA key size for TFA. Valid values
+   include 1024, 2048, 3072 and 4096.
 
 .. note::
    If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can

diff --git a/docs/getting_started/user-guide.rst b/docs/getting_started/user-guide.rst
index 48cbdb9f444c65016afd131a27d6b5999c5d53a2..89157386e96417d0f973f5036f8e1bdd005c890c 100644 (file)
--- a/docs/getting_started/user-guide.rst
+++ b/docs/getting_started/user-guide.rst
@@ -593,6 +593,18 @@ Common build options
    compliant and is retained only for compatibility. The default value of this
    flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
 
+-  ``KEY_SIZE``: This build flag enables the user to select the key size for
+   the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
+   depend on the chosen algorithm.
+
+   +-----------+------------------------------------+
+   |  KEY_ALG  |        Possible key sizes          |
+   +===========+====================================+
+   |    rsa    |  1024, 2048 (default), 3072, 4096  |
+   +-----------+------------------------------------+
+   |   ecdsa   |            unavailable             |
+   +-----------+------------------------------------+
+
 -  ``HASH_ALG``: This build flag enables the user to select the secure hash
    algorithm. It accepts 3 values: ``sha256``, ``sha384`` and ``sha512``.
    The default value of this flag is ``sha256``.