Forcing RSA Authentication

Key Revocation Lab (XAPP1344)
Document ID
XAPP1344
Release Date
2022-03-14
Revision
v1.1 English
After successfully programming both PPK eFUSES, the device is ready for secure-only boot and the RSA_EN eFUSE needs to be programmed.
  1. Power cycle the board or ensure you are in the main menu.
  2. Open the main menu.
  3. Press s to select s = Print eFUSE Status.
  4. Compare the PPK0 and PPK1 hash values displayed on the serial terminal along with the two hashes provided in Program the PPK0 and PPK1 Digest eFUSEs. The values should match.
    Note: The eFUSE information associated with this lab is displayed in the figure below. The PPK hash fuses are programmed. The User fuses are all zero indicating that nothing has been revoked using the enhanced revocation. The SPK revocation ID is zero indicating that no SPK's have been revoked using the standard revocation. PPK0 and 1 are showing that they are valid so neither have been revoked at this stage of the lab.
    Figure 1. PPK0 and PPK1 Verification X26198-Page-1 Sheet.1 Sheet.2 X26198-020122 X26198-020122
  5. Power cycle the board.
  6. Select f = RSA always authentication.
  7. Enter y to confirm.
  8. Verify the PPK hash values.
  9. Enter y to program the RSA_EN eFUSE.
    Note: The eFUSE should be programmed successfully, as shown in the following figure.
Figure 2. RSA Enable eFUSE Write X26199-Page-1 Sheet.1 Sheet.2 X26199-020122 X26199-020122