Although securing the device involves programming the hash of four public keys into the eFuses, only one key (number 0 by default) is used in the secure boot process. If the key gets compromised, it can be revoked and a different key used.
To use a different key for the signature of bootloader images, configure the signature process with the environment variable CONFIG_KEY_INDEX
.
You can also define this variables in a file .config
located inside trustfence-tools-ccimx8mmdvk-trusty
(see 5. Sign the bootloader images):
CONFIG_KEY_INDEX="N"
N
(range 0 - 3) is the key number to use.
Revoking a key is an irreversible process. |
To revoke a key, use the trustfence revoke
U-Boot command.
This burns the appropriate bit in the SRK Revoke fuse word.
For example, to revoke the key with index 0:
=> trustfence revoke 0
The last key (index 3) cannot be revoked.
On closed devices, the SRK Revoke fuse word is write-protected, and thus keys cannot be revoked by default.
In order to be able to revoke keys in closed devices, you must define the CONFIG_UNLOCK_SRK_REVOKE
environment variable during the signature process:
CONFIG_UNLOCK_SRK_REVOKE="1"
This variable configures U-Boot not to protect the SRK Revoke fuse word, which makes it possible to revoke keys.
You can check the revocation status of the keys by using the trustfence status
command.