diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 19cde87397..d0886b7071 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -312,3 +312,4 @@ CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
+CONFIG_SHA384=y
diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h
index 01b480d0f3..b9634e38d9 100644
--- a/include/u-boot/rsa.h
+++ b/include/u-boot/rsa.h
@@ -111,6 +111,7 @@ int padding_pss_verify(struct image_sign_info *info,
 #define RSA_DEFAULT_PADDING_NAME		"pkcs-1.5"
 
 #define RSA2048_BYTES	(2048 / 8)
+#define RSA3072_BYTES	(3072 / 8)
 #define RSA4096_BYTES	(4096 / 8)
 
 /* This is the minimum/maximum key size we support, in bits */
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 32c7507024..112664059c 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -595,6 +595,12 @@ U_BOOT_CRYPTO_ALGO(rsa2048) = {
 	.verify = rsa_verify,
 };
 
+U_BOOT_CRYPTO_ALGO(rsa3072) = {
+	.name = "rsa3072",
+	.key_len = RSA3072_BYTES,
+	.verify = rsa_verify,
+};
+
 U_BOOT_CRYPTO_ALGO(rsa4096) = {
 	.name = "rsa4096",
 	.key_len = RSA4096_BYTES,
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 095e00cce3..b080d482af 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -45,6 +45,8 @@ TESTDATA = [
     ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
     ['sha256-pss-required', 'sha256', '-pss', None, True, False],
     ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
+    ['sha384-basic', 'sha384', '', None, False, False],
+    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False],
 ]
 
 @pytest.mark.boardspec('sandbox')
@@ -180,10 +182,16 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
             name: Name of of the key (e.g. 'dev')
         """
         public_exponent = 65537
+
+        if sha_algo == "sha384":
+            rsa_keygen_bits = 3072
+        else:
+            rsa_keygen_bits = 2048
+
         util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %s%s.key '
-                     '-pkeyopt rsa_keygen_bits:2048 '
+                     '-pkeyopt rsa_keygen_bits:%d '
                      '-pkeyopt rsa_keygen_pubexp:%d' %
-                     (tmpdir, name, public_exponent))
+                     (tmpdir, name, rsa_keygen_bits, public_exponent))
 
         # Create a certificate containing the public key
         util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384.its
new file mode 100644
index 0000000000..2869401991
--- /dev/null
+++ b/test/py/tests/vboot/sign-configs-sha384.its
@@ -0,0 +1,45 @@
+/dts-v1/;
+
+/ {
+	description = "Chrome OS kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+
+	images {
+		kernel {
+			data = /incbin/("test-kernel.bin");
+			type = "kernel_noload";
+			arch = "sandbox";
+			os = "linux";
+			compression = "none";
+			load = <0x4>;
+			entry = <0x8>;
+			kernel-version = <1>;
+			hash-1 {
+				algo = "sha384";
+			};
+		};
+		fdt-1 {
+			description = "snow";
+			data = /incbin/("sandbox-kernel.dtb");
+			type = "flat_dt";
+			arch = "sandbox";
+			compression = "none";
+			fdt-version = <1>;
+			hash-1 {
+				algo = "sha384";
+			};
+		};
+	};
+	configurations {
+		default = "conf-1";
+		conf-1 {
+			kernel = "kernel";
+			fdt = "fdt-1";
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+				sign-images = "fdt", "kernel";
+			};
+		};
+	};
+};
diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384.its
new file mode 100644
index 0000000000..be1a9a653c
--- /dev/null
+++ b/test/py/tests/vboot/sign-images-sha384.its
@@ -0,0 +1,42 @@
+/dts-v1/;
+
+/ {
+	description = "Chrome OS kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+
+	images {
+		kernel {
+			data = /incbin/("test-kernel.bin");
+			type = "kernel_noload";
+			arch = "sandbox";
+			os = "linux";
+			compression = "none";
+			load = <0x4>;
+			entry = <0x8>;
+			kernel-version = <1>;
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+			};
+		};
+		fdt-1 {
+			description = "snow";
+			data = /incbin/("sandbox-kernel.dtb");
+			type = "flat_dt";
+			arch = "sandbox";
+			compression = "none";
+			fdt-version = <1>;
+			signature {
+				algo = "sha384,rsa3072";
+				key-name-hint = "dev";
+			};
+		};
+	};
+	configurations {
+		default = "conf-1";
+		conf-1 {
+			kernel = "kernel";
+			fdt = "fdt-1";
+		};
+	};
+};
diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
index 8ed6998dab..d0133aec4c 100644
--- a/tools/image-sig-host.c
+++ b/tools/image-sig-host.c
@@ -55,6 +55,13 @@ struct crypto_algo crypto_algos[] = {
 		.add_verify_data = rsa_add_verify_data,
 		.verify = rsa_verify,
 	},
+	{
+		.name = "rsa3072",
+		.key_len = RSA3072_BYTES,
+		.sign = rsa_sign,
+		.add_verify_data = rsa_add_verify_data,
+		.verify = rsa_verify,
+	},
 	{
 		.name = "rsa4096",
 		.key_len = RSA4096_BYTES,