Generating a PKC Key Pair Using OpenSSL
Use these procedures to generate a PKC key pair using OpenSSL.
To install OpenSSL
- If you are generating only the RSA pair, install the OpenSSL package with the command:
  sudo apt-get install openssl
To generate an EdDSA or RSA 3K key pair for NVIDIA DRIVE AGX Orin
- Download and extract OpenSSL with EdDSA/Ed25519 key support (OpenSSL Version 11.1 Pre-8), available at:
  https://openssl.org
- Build OpenSSL as follows:
  - In a terminal window, navigate to the directory where you extracted OpenSSL and execute these commands:
    ./config
    make
  - Once the OpenSSL build is completed, copy libcrypto.so* and libssl.so* to your local/lib/ directory.
- To generate the keys, execute OpenSSL from the application folder in the directory where you extracted OpenSSL.
  For more information, consult the OpenSSL README file in the extracted source directory.
  - Generate an EdDSA private key with the command:
    openssl genpkey -algorithm Ed25519 -out keyfile.pem
  - Generate an RSA 3K key pair with the command:
    openssl genrsa -out rsa_priv.pem 3072
You are now ready to generate the signed binaries and PKC hash.
To generate a PKC hash
- Run these commands on the host to generate a public key and a PKC hash.
  - For NVIDIA DRIVE AGX Orin RSA 3072-bit keys:
    $ cd drive-foundation
    $ ./tools/flashtools/flash/tegrakeyhash --pkc <private_key_filename> --chip 0x23
    Where <private_key_filename> depends on the tool used to generate the key.
    - For PolarSSL, use rsa_priv.txt.
    - For OpenSSL, use rsa_priv.pem.
  - For NVIDIA DRIVE AGX Orin EdDSA:
    $ cd drive-foundation
    $ ./tools/flashtools/flash/tegrasign_v3.py --key <private_key_filename> --pubkeyhash <public_key_filename> <hash_filename>
    Where:
    - <public_key_filename> is the name you want to give the public key file.
    - <hash_filename> is the name you want to give the public key hash file.
    - <private_key_filename> depends on the tool used to generate the key. For OpenSSL, use keyfile.pem.
  - To generate the hash without the EdDSA private key as the input:
    Note: This usage is for OEMs who wish to keep the private key secure and only want to use the existing public key to generate the hash. The public key is expected to be in OpenSSL DER format.
    - This is the example command to create the expected DER format:
      openssl pkey -in keyfile.pem -pubout -outform DER > pubkey.der
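The public-key-only flow exists so that the private key never leaves the OEM's key host, so it is worth confirming that pubkey.der really is a DER-encoded Ed25519 public key before copying it anywhere. The check below is an added example, not part of the original page or of NVIDIA's tools; the function names, the script name and the sample bytes are assumptions made for illustration.

```python
import sys

# DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410); 32 key bytes follow.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
# DER header of an unencrypted Ed25519 PKCS#8 private key (RFC 8410).
ED25519_PKCS8_PREFIX = bytes.fromhex("302e020100300506032b657004220420")

# Constructed sample input (not a real key): header plus bytes 0x00..0x1f.
SAMPLE_PUBLIC_DER = ED25519_SPKI_PREFIX + bytes(range(32))


def classify_key_blob(data: bytes) -> str:
    """Classify a key file's contents by its encoding and key type."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if len(data) == 44 and data.startswith(ED25519_SPKI_PREFIX):
        return "public-der"
    if len(data) == 48 and data.startswith(ED25519_PKCS8_PREFIX):
        return "private-der"
    return "unknown"


def check_public_der(data: bytes) -> bytes:
    """Return the raw 32-byte public key, or raise ValueError with the reason."""
    kind = classify_key_blob(data)
    if kind == "private-der":
        raise ValueError("file holds the PRIVATE key; it must not leave the key host")
    if kind == "pem":
        raise ValueError("file is PEM; re-export the public key with -outform DER")
    if kind != "public-der":
        raise ValueError("not a 44-byte Ed25519 SubjectPublicKeyInfo")
    return data[len(ED25519_SPKI_PREFIX):]


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_pubkey_der.py pubkey.der
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PUBLIC_DER
    try:
        print("OK, raw public key:", check_public_der(blob).hex())
    except ValueError as err:
        sys.exit(f"refusing to use this file: {err}")
```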
Example Output
Example of the output of the tegrasign_v3.py command:
#
# tegra-fuse format (big-endian): 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# If --verbose flag is used, then the following will be shown as well:
# fuse bypass format:
# FAB_ENTRY(PUBLIC_KEY0, PUBLIC_KEY0, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY1, PUBLIC_KEY1, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY2, PUBLIC_KEY2, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY3, PUBLIC_KEY3, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY4, PUBLIC_KEY4, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY5, PUBLIC_KEY5, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY6, PUBLIC_KEY6, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY7, PUBLIC_KEY7, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY8, PUBLIC_KEY8, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY9, PUBLIC_KEY9, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY10, PUBLIC_KEY10, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY11, PUBLIC_KEY11, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY12, PUBLIC_KEY12, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY13, PUBLIC_KEY13, 0x01234567),
# FAB_ENTRY(PUBLIC_KEY14, PUBLIC_KEY14, 0x89abcdef),
# FAB_ENTRY(PUBLIC_KEY15, PUBLIC_KEY15, 0x01234567),
- The tegra-fuse format can be used in the FSKP Fuse Burning Tool.
<fuse name="PublicKeyHash" size="64" value="0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"/>