In eFUSEs, you have three or five PPK choices to store the hash value of the primary public key and up to two of those values can be revoked. If another revocation occurs, the device is no longer bootable. If a PPK is compromised, you can revoke the public key by setting the corresponding PPK revocation bit in eFUSEs. See the Versal Adaptive SoC Security Manual (UG1508) for more information.
To revoke an SPK, you program the corresponding eFUSE bit in the revocation ID. There are 256-bits [0-255] in total, so you can revoke up to 255 SPKs. Another revocation will result in a device that will no longer be bootable. The 0-bit of the revocation ID represents SPK 0, the 32nd bit of the revocation ID represents SPK 32, etc.