gdamjan / secure-boot

UEFI SecureBoot for ArchLinux

Use RSA 4096 #12

Closed a1lu closed 3 years ago

a1lu commented 3 years ago

Hi, thanks for this project, it helped a lot setting up secure boot. I compared your key building routine with the one in the Arch wiki:

openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt

They use RSA with 4096 bit whereas you use 2048 bit. Any reason for this? AFAIK 2048 bit should be fine until 2030, though it's never too early to step up. Best Regards

gdamjan commented 3 years ago

I might have tried that, but I can't be sure that secure boot worked with 4096bit keys/certs. What's your experience?

OTOH, I guess the arch wiki is more correct than my memory :)

a1lu commented 3 years ago

Works on my machine (ASROCK X300M-STX). Keysize is increased from ~800B to ~1300B, as expected.

Microsoft says the keys should be 2048 or better (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance) but kind of recommends 2048.

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance#21-metrics-used

Does it support RSA 2048 or higher? - The UEFI specification 2.3.1 Errata C recommends the keys to be RSA-2048 or better.

maximbaz commented 3 years ago

I can also confirm that 4096bit keys work well on my Dell XPS 13 laptop, thanks for bringing this up @a1lu!

gdamjan commented 3 years ago

I'm gonna schedule this for a 2.0 release, and probably make it optional

a1lu commented 3 years ago

This is fixed. I close it.
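A check for the key size discussed in this thread, as an added example that is not part of the original issue or of the project's scripts: it creates throwaway 2048-bit and 4096-bit certificates with the `openssl req` options quoted above, then reads the RSA modulus size and the DER size back from each certificate. The function names and the `PK2048`/`PK4096` file names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example. The keys are throwaway test keys in a temp dir (constructed names).
set -eu

# Self-signed cert with an RSA key of BITS bits; same options as the thread's command.
make_cert() {  # make_cert BITS NAME DIR
    openssl req -newkey "rsa:$1" -nodes -keyout "$3/$2.key" -new -x509 \
        -sha256 -days 3650 -subj "/CN=my Platform Key/" \
        -out "$3/$2.crt" 2>/dev/null
}

# RSA modulus size in bits, read from the certificate itself.
cert_bits() {  # cert_bits CERT
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Size in bytes of the certificate's DER encoding.
der_size() {  # der_size CERT
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# Exit status 0 only if the certificate's RSA key has at least MIN bits.
check_min_bits() {  # check_min_bits CERT MIN
    bits=$(cert_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
for n in 2048 4096; do
    make_cert "$n" "PK$n" "$WORK"
    printf 'PK%s.crt: %s-bit RSA, %s bytes DER\n' "$n" \
        "$(cert_bits "$WORK/PK$n.crt")" "$(der_size "$WORK/PK$n.crt")"
done
```

`check_min_bits PK.crt 4096` can be pointed at an existing certificate to confirm which key size was actually used before it is enrolled.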