Follow the steps in this section to generate the secondary RSA private/public key pair required for key revocation, which requires the programming of eFUSE. For more information, see Programming BBRAM and eFUSEs (XAPP1319). You can skip this section if you do not intend to use key revocation.
Repeat the steps from Creating RSA Private/Public Key Pairs and Generating SHA3 of Public Key in an RSA Private/Public Key Pair to generate the second RSA private/public key pair and the SHA3 of the second PPK.
1. Perform the steps from the prior section, replacing `psk0.pem`, `ssk0.pem`, and `ppk0_digest.txt` with `psk1.pem`, `ssk1.pem`, and `ppk1_digest.txt` respectively. Save this file as `key_generation_1.bif`. That BIF file will look like the following:

   ```
   the_ROM_image:
   {
       [pskfile]psk1.pem
       [sskfile]ssk1.pem
       [auth_params]spk_id = 1; ppk_select = 1
       [fsbl_config]a53_x64
       [bootloader]fsbl_a53.elf
       [destination_cpu = pmu]pmufw.elf
       [destination_device = pl]edt_zcu102_wrapper.bit
       [destination_cpu = a53-0, exception_level = el-3, trustzone]bl31.elf
       [destination_cpu = r5-0]tmr_psled_r5.elf
       [destination_cpu = a53-0, exception_level = el-2]u-boot.elf
       [load = 0x1000000, destination_cpu = a53-0]image.ub
   }
   ```

2. Run the `bootgen` command to create the RSA private/public key pairs.

   ```
   bootgen -p zu9eg -arch zynqmp -generate_keys auth pem -image key_generation_1.bif
   ```

3. Add `authentication = rsa` attributes to the `key_generation_1.bif` file. The BIF file will look like the following:

   ```
   the_ROM_image:
   {
       [pskfile]psk1.pem
       [sskfile]ssk1.pem
       [auth_params]spk_id = 1; ppk_select = 1
       [fsbl_config]a53_x64
       [bootloader, authentication = rsa]fsbl_a53.elf
       [destination_cpu = pmu, authentication = rsa]pmufw.elf
       [destination_device = pl, authentication = rsa]edt_zcu102_wrapper.bit
       [destination_cpu = a53-0, exception_level = el-3, trustzone, authentication = rsa]bl31.elf
       [destination_cpu = r5-0, authentication = rsa]tmr_psled_r5.elf
       [destination_cpu = a53-0, exception_level = el-2, authentication = rsa]u-boot.elf
       [load = 0x1000000, destination_cpu = a53-0, authentication = rsa]image.ub
   }
   ```

4. Run the `bootgen` command to generate the hash of the primary RSA public key.

   ```
   bootgen -p zu9eg -arch zynqmp -efuseppkbits ppk1_digest.txt -image key_generation_1.bif
   ```

5. Verify that the files `ppk1.pem`, `spk1.pem`, and `ppk1_digest.txt` are all generated at the location specified (`c:\edt\secure_boot\keys`).
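Because eFUSE programming cannot be undone, it is worth checking the secondary-key BIF and the PPK digest before they are used. The following is an added example, not part of the original tutorial or of bootgen: the function names are hypothetical, it assumes every bracketed entry other than the four settings seen on this page is a partition, and it assumes the digest file holds the 384-bit SHA3 hash as 96 hex characters.

```python
import re

# Entries on this page that are settings rather than partitions. Assumption:
# every other "[attrs]file" entry is a partition that must be signed.
SETTINGS = {"pskfile", "sskfile", "auth_params", "fsbl_config"}
ENTRY = re.compile(r"\[([^\]]*)\]\s*([^\[\}]*)")

def _pairs(text, sep):
    # Split "a = 1<sep> b" into {"a": "1", "b": ""}.
    items = (p.partition("=") for p in text.split(sep) if p.strip())
    return {k.strip(): v.strip() for k, _, v in items}

def check_bif(bif_text, ppk_select="1"):
    """Return problems that leave a partition unsigned or on the wrong PPK."""
    problems, settings = [], {}
    for attrs, value in ENTRY.findall(bif_text):
        attrs, value = attrs.strip(), value.strip()
        if attrs in SETTINGS:
            settings[attrs] = value
        elif _pairs(attrs, ",").get("authentication") != "rsa":
            problems.append(f"{value}: no authentication = rsa")
    for key in ("pskfile", "sskfile"):
        if not settings.get(key):
            problems.append(f"[{key}] is missing")
    selected = _pairs(settings.get("auth_params", ""), ";").get("ppk_select")
    if selected != ppk_select:
        problems.append(f"ppk_select is {selected}, expected {ppk_select}")
    return problems

def check_digest(digest_text, primary_digest_text=""):
    """Return problems with a PPK digest file before eFUSE programming."""
    digest, problems = digest_text.strip().lower(), []
    if not re.fullmatch(r"[0-9a-f]{96}", digest):  # assumed: 384 bits as hex
        problems.append("digest is not 96 hex characters")
    elif digest == primary_digest_text.strip().lower():
        problems.append("digest equals the primary PPK digest")
    return problems

# Constructed sample: a shortened version of the page's BIF with the
# authentication attribute left off pmufw.elf.
SAMPLE_BIF = """the_ROM_image:
{
    [pskfile]psk1.pem
    [sskfile]ssk1.pem
    [auth_params]spk_id = 1; ppk_select = 1
    [bootloader, authentication = rsa]fsbl_a53.elf
    [destination_cpu = pmu]pmufw.elf
    [load = 0x1000000, destination_cpu = a53-0, authentication = rsa]image.ub
}"""
```

Pass the contents of `key_generation_1.bif` to `check_bif` and the contents of `ppk1_digest.txt` (with `ppk0_digest.txt` as the second argument) to `check_digest`; an empty list from each means no problem was found.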