Generating a PKC Key Pair using OpenSSL

Follow these steps to generate a PKC key pair using OpenSSL.

To install OpenSSL

  1. To generate the RSA pair only, install the OpenSSL package with the following command:
    sudo apt-get install openssl

To generate an EdDSA or RSA 3K key pair for NVIDIA DRIVE AGX Orin

  1. Build OpenSSL as follows:
    • In a terminal window, navigate to the directory where you extracted OpenSSL and execute these commands:
      ./config
      make
    • When the OpenSSL build is completed, copy libcrypto.so* and libssl.so* to your local /lib/ directory.
    • To generate the keys, execute OpenSSL from the application folder in the directory where you extracted OpenSSL.

      For more information, consult the OpenSSL README file in the extracted source directory.

  2. Generate an EdDSA private key with the command:
    openssl genpkey -algorithm Ed25519 -out keyfile.pem
  3. Generate an RSA 3K key pair with the command:
    openssl genrsa -out rsa_priv.pem 3072

You can now generate the signed binaries and PKC hash.

To generate a PKC hash

  1. Run the following commands on the host to generate a public key and a PKC hash.
    • For NVIDIA DRIVE AGX Orin RSA 3072-bit keys:
      $ cd drive-foundation
      $ ./tools/flashtools/flash/tegrakeyhash --pkc <private_key_filename> --chip 0x23

      Where <private_key_filename> depends on the tool used to generate the key.

      • For PolarSSL, use rsa_priv.txt.
      • For OpenSSL, use rsa_priv.pem.
    • For NVIDIA DRIVE AGX Orin EdDSA:
      $ cd drive-foundation
      $ ./tools/flashtools/flash/tegrasign_v3.py --key <private_key_filename> --pubkeyhash <public_key_filename> <hash_filename>
      
      • Where:

        <public_key_filename> is the name you want to give the public key file.

        <hash_filename> is the name that you want to give the public key hash file.

        <private_key_filename> depends on the tool used to generate the key. For OpenSSL, use keyfile.pem.

      • Without the EdDSA private key as the input:
      Note: This use case is for OEMs who want to keep the private key secure, and who only want to use the existing public key to generate the hash. The public key must be in OpenSSL DER format.
      • The following example command creates the expected DER format:
        openssl pkey -in keyfile.pem -pubout -outform DER > pubkey.der
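
The public-key-only workflow above depends on the exported file being a DER public key and not the private key or a PEM file. The following added example (not part of the original page or NVIDIA tooling) checks that structurally using the RFC 8410 DER headers; the function names and verdict strings are hypothetical, and the sample files use constructed filler bytes, not real keys.

```shell
#!/bin/sh
# Added example (not NVIDIA code): structural check of a key file before it is
# handed over as the "public key in DER format". Function names are hypothetical.

# RFC 8410 DER headers, as lowercase hex.
SPKI_PREFIX=302a300506032b6570032100          # Ed25519 SubjectPublicKeyInfo, 12 bytes
PKCS8_PREFIX=302e020100300506032b657004220420 # unencrypted Ed25519 PKCS#8, 16 bytes
PEM_PREFIX=2d2d2d2d2d424547494e               # ASCII "-----BEGIN"

# Print a verdict; return 0 only for a 44-byte Ed25519 public key in DER.
classify_ed25519_der() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    hex=$(od -An -v -tx1 "$1" | tr -d ' \t\n')
    case $hex in
        "$PEM_PREFIX"*)   echo pem-not-der; return 1 ;;
        "$PKCS8_PREFIX"*) if [ "${#hex}" -eq 96 ]; then echo private-key; return 1; fi ;;
        "$SPKI_PREFIX"*)  if [ "${#hex}" -eq 88 ]; then echo ed25519-public-der; return 0; fi ;;
    esac
    echo unrecognized; return 1
}

# Emit $1 copies of byte 0x11 (constructed filler, not real key material).
filler() { i=0; while [ "$i" -lt "$1" ]; do printf '\021'; i=$((i + 1)); done; }

# Write constructed sample files into directory $1.
write_constructed_samples() {
    { printf '\060\052\060\005\006\003\053\145\160\003\041\000'; filler 32; } > "$1/pub.der"
    { printf '\060\056\002\001\000\060\005\006\003\053\145\160\004\042\004\040'; filler 32; } > "$1/priv.der"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' > "$1/pub.pem"
    # Truncated public key: correct header, one key byte missing.
    { printf '\060\052\060\005\006\003\053\145\160\003\041\000'; filler 31; } > "$1/short.der"
}
```

After sourcing the file, `classify_ed25519_der pubkey.der` should print `ed25519-public-der` for a file produced by the `openssl pkey` command above. The check is structural only and does not validate the key itself.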

Example Output

The following is example output of the tegrasign_v3.py command. The tegra-fuse format can be used in the FSKP Fuse Burning Tool.

<fuse name="PublicKeyHash" size="64" 
value="0x0123456789abcdef0123456789abcdef0123456789abcdef
0123456789abcdef0x0123456789abcdef0123456789abcdef0123456789abcdef
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
0123456789abcdef0x0123456789abcdef0123456789abcdef0123456789abcdef
0123456789abcdef"/>