Generating a PKC Key Pair Using OpenSSL
Use these procedures to generate a PKC key pair using OpenSSL.
To install OpenSSL
- If you are generating only the RSA pair, install the OpenSSL package with the command:
  sudo apt-get install openssl
To generate an EdDSA or RSA 3K key pair for NVIDIA DRIVE AGX Orin
- Download and extract the OpenSSL release with EdDSA/ED25519 key support, OpenSSL Version 11.1 Pre-8, available at:
  https://openssl.org
- Build OpenSSL as follows:
  - In a terminal window, navigate to the directory where you extracted OpenSSL and execute these commands:
    ./config
    make
  - Once the OpenSSL build is completed, copy libcrypto.so* and libssl.so* to your local/lib/ directory.
- To generate the keys, execute OpenSSL from the application folder in the directory where you extracted OpenSSL. For more information, consult the OpenSSL README file in the extracted source directory.
  - Generate EdDSA private key with the command:
    openssl genpkey -algorithm Ed25519 -out keyfile.pem
  - Generate RSA 3K key pair with the command:
    openssl genrsa -out rsa_priv.pem 3072
You are now ready to generate the signed binaries and PKC hash.
To generate a PKC hash
- Run these commands on the host to generate a public key and a PKC hash.
  - For NVIDIA DRIVE AGX Orin RSA 3072-bit keys:
    $ cd drive-foundation
    $ ./tools/flashtools/flash/tegrakeyhash --pkc <private_key_filename> --chip 0x23
    Where <private_key_filename> depends on the tool used to generate the key.
    - For PolarSSL, use rsa_priv.txt.
    - For OpenSSL, use rsa_priv.pem.
  - For NVIDIA DRIVE AGX Orin EdDSA:
    $ cd drive-foundation
    $ ./tools/flashtools/flash/tegrasign_v3 --key <private_key_filename> --pubkeyhash <public_key_filename>
    $ ./tools/flashtools/flash/tegrakeyhash --ed25519 <public_key_filename> --chip 0x23
    Where:
    - <public_key_filename> is the name you want to give the public key file.
    - <private_key_filename> depends on the tool used to generate the key. For OpenSSL, use keyfile.pem.
Example Output
The following is an example of the output of the tegrakeyhash command when a PolarSSL key is supplied:
# PKC key in PolarSSL format
# sha512 hash:
# bytes:
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
#
# tegra-fuse format: 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#
# fuse bypass format:
# FAB_ENTRY(PUBLIC_KEY0, PUBLIC_KEY0, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY1, PUBLIC_KEY1, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY2, PUBLIC_KEY2, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY3, PUBLIC_KEY3, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY4, PUBLIC_KEY4, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY5, PUBLIC_KEY5, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY6, PUBLIC_KEY6, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY7, PUBLIC_KEY7, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY8, PUBLIC_KEY8, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY9, PUBLIC_KEY9, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY10, PUBLIC_KEY10, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY11, PUBLIC_KEY11, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY12, PUBLIC_KEY12, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY13, PUBLIC_KEY13, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY14, PUBLIC_KEY14, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY15, PUBLIC_KEY15, 0x01234567),
- The tegra-fuse format can be used in the FSKP Fuse Burning Tool.
<fuse name="PublicKeyHash" size="64" value="0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"/>
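A consistency check to run before fuse burning, as an added example that is not part of the original documentation or of the NVIDIA tools: it parses tegrakeyhash output in the format shown above and confirms that the fuse XML carries the same single 64-byte hex value. The function names and the sample strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

HASH_LEN = 64  # SHA-512 digest length in bytes; matches size="64" in the fuse XML


def parse_tegrakeyhash(output):
    """Return (hash_bytes, fuse_hex) from tegrakeyhash text output."""
    m = re.search(r"tegra-fuse format:\s*0x([0-9a-fA-F]+)\s*$", output, re.M)
    if m is None:
        raise ValueError("no 'tegra-fuse format' line in tegrakeyhash output")
    # The byte listing precedes the tegra-fuse line; FAB_ENTRY words follow it.
    listed = re.findall(r"0x([0-9a-fA-F]{2}),", output[:m.start()])
    return bytes(int(b, 16) for b in listed), m.group(1).lower()


def check_fuse_xml(xml_text, tegrakeyhash_output):
    """Return a list of problems; an empty list means the XML matches the tool output."""
    hash_bytes, fuse_hex = parse_tegrakeyhash(tegrakeyhash_output)
    problems = []
    if len(hash_bytes) != HASH_LEN:
        problems.append(f"tool listed {len(hash_bytes)} hash bytes, expected {HASH_LEN}")
    fuse = ET.fromstring(xml_text)
    if fuse.get("name") != "PublicKeyHash":
        problems.append(f"unexpected fuse name {fuse.get('name')!r}")
    size = int(fuse.get("size", "0"))
    if size != HASH_LEN:
        problems.append(f"size is {size}, expected {HASH_LEN}")
    # A value wrapped over several lines arrives with whitespace in it; drop it.
    value = "".join(fuse.get("value", "").split())
    if not re.fullmatch(r"0x[0-9a-fA-F]+", value):
        problems.append("value is not a single 0x-prefixed hex string")
    elif len(value) - 2 != 2 * HASH_LEN:
        problems.append(f"value holds {(len(value) - 2) // 2} bytes, expected {HASH_LEN}")
    elif value[2:].lower() != fuse_hex:
        problems.append("value differs from the tegra-fuse hash printed by tegrakeyhash")
    return problems


# Constructed sample input, following the example output on this page.
SAMPLE_OUTPUT = (
    "# sha512 hash:\n# bytes:\n"
    + "# 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,\n" * 8
    + "#\n# tegra-fuse format: 0x" + "0123456789abcdef" * 8 + "\n"
)
GOOD_XML = '<fuse name="PublicKeyHash" size="64" value="0x' + "0123456789abcdef" * 8 + '"/>'
# Constructed faulty value: a second "0x" pasted into the middle of the hex string.
BAD_XML = GOOD_XML.replace("cdef0123", "cdef0x0123", 1)
print(check_fuse_xml(BAD_XML, SAMPLE_OUTPUT))
```

An empty list from check_fuse_xml means the XML value, its size attribute and the tool output agree; any entry in the list is a reason to stop before the fuse is burned.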