The OP key has an added benefit in that it can be used to protect the device key in a development environment where some team members are responsible for managing the device key and other team members are not.
For example, Team A (Secure Team) and Team B (Not Secure Team) work collaboratively to build an encrypted image without sharing the secret red key. Team A manages the secret red key. Team B builds encrypted images for development and test but does not have access to the secret red key. Team A encrypts the boot loader with the device key (using the OP key option) and delivers the encrypted bootloader to Team B. Team B encrypts all the other partitions using the OP key. Team B takes the encrypted partitions they created and the encrypted boot loader from Team A and uses bootgen to combine everything into a single boot.bin. For more details, see “Using OP Key to Protect the Device Key in a Development Environment” in Chapter 8 of the Zynq UltraScale+ MPSoC Software Developer’s Guide UG1137 [Ref 3].