Upgrade signing key generation (#379)

* adds the upgrade signing key generation and the partition offset

* use openssl in build.rs instead

docs/install.md

@@ -124,16 +124,18 @@ All the generated certificates and private keys are stored in the directory
 
 This is the expected content after running our `setup.sh` script:
 
-File              | Purpose
------------------ | --------------------------------------------------------
-`aaguid.txt`      | Text file containaing the AAGUID value
-`opensk_ca.csr`   | Certificate sign request for the Root CA
-`opensk_ca.key`   | ECC secp256r1 private key used for the Root CA
-`opensk_ca.pem`   | PEM encoded certificate of the Root CA
-`opensk_ca.srl`   | File generated by OpenSSL
-`opensk_cert.csr` | Certificate sign request for the attestation certificate
-`opensk_cert.pem` | PEM encoded certificate used for the authenticator
-`opensk.key`      | ECC secp256r1 private key used for the autenticator
+File                     | Purpose
+------------------------ | --------------------------------------------------------
+`aaguid.txt`             | Text file containaing the AAGUID value
+`opensk_ca.csr`          | Certificate sign request for the Root CA
+`opensk_ca.key`          | ECC secp256r1 private key used for the Root CA
+`opensk_ca.pem`          | PEM encoded certificate of the Root CA
+`opensk_ca.srl`          | File generated by OpenSSL
+`opensk_cert.csr`        | Certificate sign request for the attestation certificate
+`opensk_cert.pem`        | PEM encoded certificate used for the authenticator
+`opensk.key`             | ECC secp256r1 private key used for the autenticator
+`opensk_upgrade.key`     | Private key for signing upgrades through CTAP
+`opensk_upgrade_pub.pem` | Public key added to the firmware for verifying upgrades
 
 If you want to use your own attestation certificate and private key, simply
 replace `opensk_cert.pem` and `opensk.key` files.