Enhanced RSA Key Revocation Support
RSA authentication provides the ability to revoke the secondary keys of one partition without revoking the secondary keys of all partitions.
Note: The primary key should be the same across all partitions.
This is achieved by using the USER_FUSE0 to USER_FUSE7 eFUSEs together with the BIF parameter spk_select.
Note: You can revoke up to 256 keys, if not all of them are required.
The following BIF file sample shows enhanced user fuse revocation. The image header and the FSBL use different SSKs for authentication (ssk1.pem and ssk2.pem respectively) with the following BIF input.
the_ROM_image:
{
    [auth_params] ppk_select = 0
    [pskfile] psk.pem
    [sskfile] ssk1.pem
    [
        bootloader,
        authentication = rsa,
        spk_select = spk-efuse,
        spk_id = 0x8,
        sskfile = ssk2.pem
    ] zynqmp_fsbl.elf
    [
        destination_cpu = a53-0,
        authentication = rsa,
        spk_select = user-efuse,
        spk_id = 0x100,
        sskfile = ssk3.pem
    ] application.elf
    [
        destination_cpu = a53-0,
        authentication = rsa,
        spk_select = user-efuse,
        spk_id = 0x8,
        sskfile = ssk4.pem
    ] application2.elf
}
- spk_select = spk-efuse indicates that the spk_id eFUSE will be used for that partition.
- spk_select = user-efuse indicates that the user eFUSEs will be used for that partition.
Partitions loaded by the CSU ROM always use spk-efuse.
Note: The secondary keys for the FSBL and application2 can be revoked separately, since one is checked against the SPK_ID eFUSE and the other is checked against a user eFUSE.
Note: The spk_id eFUSE specifies which key is valid. Hence, the ROM checks the entire spk_id eFUSE field against the SPK ID to make sure it is a bit-for-bit match. The user eFUSEs specify which key IDs are NOT valid (have been revoked). Therefore, the firmware (non-ROM) checks whether the user eFUSE that represents the SPK ID has been programmed.
Note: In the above example, the FSBL and application2 use the same spk_id. But these two keys can be revoked separately, since one is checked against the SPK_ID eFUSE and the other is checked against a user eFUSE.
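The two checks described in the notes above, modelled in Python as an added example (this is not Bootgen or FSBL code). The eFUSE contents and the partition table are constructed to mirror the BIF sample; it assumes, as the page does not state, that under user-efuse the spk_id is a 1-based index into the 256 bits of USER_FUSE0..USER_FUSE7.

```python
# Added example modelling the SPK_ID (ROM) and user eFUSE (firmware) revocation checks.
# Assumption not stated on the page: under user-efuse, spk_id is a 1-based index into
# the 256 bits of USER_FUSE0..USER_FUSE7 (bit 0 of USER_FUSE0 represents ID 1).

USER_FUSE_COUNT = 8          # USER_FUSE0..USER_FUSE7, 32 bits each = 256 revocable IDs
MAX_USER_ID = USER_FUSE_COUNT * 32

class Fuses:
    """One-time-programmable eFUSE model: bits can be set but never cleared."""
    def __init__(self, spk_id_efuse: int):
        self.spk_id = spk_id_efuse & 0xFFFFFFFF   # SPK_ID eFUSE, compared bit for bit
        self.user = [0] * USER_FUSE_COUNT          # USER_FUSE0..7, all unprogrammed

    def revoke_user_id(self, spk_id: int) -> None:
        if not 1 <= spk_id <= MAX_USER_ID:
            raise ValueError(f"spk_id {spk_id:#x} is outside 1..{MAX_USER_ID}")
        word, bit = divmod(spk_id - 1, 32)
        self.user[word] |= 1 << bit                # program the bit (irreversible)

def rom_spk_id_ok(spk_id: int, fuses: Fuses) -> bool:
    """spk-efuse: the whole SPK_ID eFUSE field must equal the partition's spk_id."""
    return spk_id == fuses.spk_id

def user_efuse_ok(spk_id: int, fuses: Fuses) -> bool:
    """user-efuse: the key is valid unless its bit in USER_FUSE0..7 is programmed."""
    if not 1 <= spk_id <= MAX_USER_ID:
        return False                               # out-of-range IDs are rejected
    word, bit = divmod(spk_id - 1, 32)
    return (fuses.user[word] >> bit) & 1 == 0

def partition_key_ok(partition: dict, fuses: Fuses) -> bool:
    """Dispatch on the BIF spk_select attribute of one partition."""
    checks = {"spk-efuse": rom_spk_id_ok, "user-efuse": user_efuse_ok}
    return checks[partition["spk_select"]](partition["spk_id"], fuses)

# Partition attributes taken from the BIF sample on this page (constructed table).
BIF_PARTITIONS = {
    "zynqmp_fsbl.elf": {"spk_select": "spk-efuse", "spk_id": 0x8},
    "application.elf": {"spk_select": "user-efuse", "spk_id": 0x100},
    "application2.elf": {"spk_select": "user-efuse", "spk_id": 0x8},
}

def revocation_scenario() -> dict:
    """SPK_ID eFUSE holds 0x8; revoking user ID 8 hits application2 but not the FSBL."""
    fuses = Fuses(spk_id_efuse=0x8)
    before = {n: partition_key_ok(p, fuses) for n, p in BIF_PARTITIONS.items()}
    fuses.revoke_user_id(0x8)                      # program ID 8 in the user eFUSEs only
    after = {n: partition_key_ok(p, fuses) for n, p in BIF_PARTITIONS.items()}
    return {"before": before, "after": after}
```

Calling revocation_scenario() shows application2.elf failing its check after the user eFUSE bit is programmed while zynqmp_fsbl.elf, which shares spk_id 0x8 but is checked against the SPK_ID eFUSE, still passes.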