The Zynq UltraScale+ MPSoC hardware root of trust is based on the RSA-4096 asymmetric authentication algorithm in conjunction with SHA-3/384. There are two key pairs used in the Zynq UltraScale+ MPSoC, and consequently two public key types: the primary public key (PPK) and the secondary public key (SPK). Table: Public Keys lists the characteristics of each public key type.
There are two PPKs; the full public key is stored in external memory (e.g., flash) and a SHA-3/384 hash of the public key is stored in eFUSEs on the device. The CSU, during the boot process, validates the integrity of the public key stored in external memory using the hash stored in eFUSEs. The PPKs can be revoked. The main purpose of the PPK is to authenticate the SPK.
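The PPK check described above, as an added example (not Xilinx code and not part of the original page): the key read from external memory is treated as untrusted until its SHA-3/384 digest matches the eFUSE value and the selected PPK is not revoked. The `EfuseSlot` model, the `validate_ppk` helper, the key byte layout and the sample keys are assumptions constructed for illustration; the exact bytes the CSU hashes are not given here.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class EfuseSlot:
    """Hypothetical model of one PPK slot in eFUSE (not the device's register layout)."""
    ppk_hash: bytes   # 48-byte SHA-3/384 digest programmed at provisioning
    revoked: bool     # revocation state of this PPK


def ppk_digest(ppk_bytes: bytes) -> bytes:
    # Assumption: the digest is taken over the raw key bytes as stored in flash.
    return hashlib.sha3_384(ppk_bytes).digest()


def validate_ppk(ppk_bytes: bytes, ppk_select: int, efuses: list) -> tuple:
    """Decide whether a public key read from untrusted flash may be used.

    Returns (trusted, reason). Only the eFUSE contents are trusted inputs.
    """
    if not 0 <= ppk_select < len(efuses):
        return False, "invalid PPK select"
    slot = efuses[ppk_select]
    if slot.revoked:
        # A revoked PPK is rejected even if the flash copy hashes correctly.
        return False, "PPK revoked"
    # Constant-time comparison of the computed digest with the fused digest.
    if not hmac.compare_digest(ppk_digest(ppk_bytes), slot.ppk_hash):
        return False, "PPK hash mismatch"
    return True, "PPK trusted"


# Constructed sample data: 512-byte "modulus" plus 4-byte exponent, not real keys.
PPK0 = bytes(range(256)) * 2 + (65537).to_bytes(4, "big")
PPK1 = bytes(reversed(range(256))) * 2 + (65537).to_bytes(4, "big")
# Flash copy of PPK0 with a single bit flipped, as an attacker-modified image would have.
TAMPERED_PPK0 = bytes([PPK0[0] ^ 0x01]) + PPK0[1:]

# Two PPK slots, matching the two PPKs on the device; slot 1 has been revoked.
EFUSES = [
    EfuseSlot(ppk_hash=ppk_digest(PPK0), revoked=False),
    EfuseSlot(ppk_hash=ppk_digest(PPK1), revoked=True),
]

if __name__ == "__main__":
    for name, key, sel in [("genuine PPK0", PPK0, 0),
                           ("tampered PPK0", TAMPERED_PPK0, 0),
                           ("revoked PPK1", PPK1, 1)]:
        print(name, "->", validate_ppk(key, sel, EFUSES))
```

Only after this check succeeds would the PPK be used to verify the SPK signature; that RSA-4096 step is not modelled here.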
There are 32 SPKs available for the bootloader (FSBL) and up to 256 SPKs available for all other partitions depending on which SPK revocation method is used (standard or enhanced). The SPK is delivered via the authenticated boot image, and is consequently protected against modification. The SPKs can also be revoked and are used to authenticate everything else.
There are a number of considerations when utilizing the hardware root of trust capabilities. These are discussed in detail in Device Provisioning, Boot Operation, and Key Revocation.