Although securing the device involves programming the hash of four public keys into the eFuses, only one key (number 0 by default) is used in the secure boot process. If the key gets compromised, it can be revoked and a different key used.

To use a different key for the signature of bootloader images, configure the signature process with the environment variable CONFIG_KEY_INDEX. You can also define this variables in a file .config located inside trustfence-tools-ccimx8xsbcpro-trusty (see 5. Sign the bootloader images):

.config
CONFIG_KEY_INDEX="N"

N (range 0 - 3) is the key number to use.

Revoking a key is an irreversible process.

To revoke a key:

  1. Define a revoke mask at build time.

    Set the key or keys you want to revoke in the SRK_REVOKE_MASK environment variable. The mask consists of 1 bit per key, where key N revocation is mapped as (1 << N).

    For example, to revoke the key with index 1:

    .config
    SRK_REVOKE_MASK="0x2"   #(0010b)

    The last key (index 3) cannot be revoked.

  2. Program the new bootloader file into the internal eMMC.

    For the device to boot correctly, the key selected for secure boot must not be among those in the revoke mask. Program the new bootloader image and reset the device. Up to this point, the process is still reversible.

  3. Permanently revoke the keys in the revoke mask.

    To permanently revoke the keys, use the trustfence revoke U-Boot command. This burns the appropriate bits in the SRK Revoke fuse word based on the keys selected at build time in SRK_REVOKE_MASK.

    If the device is booting from the internal eMMC, the command can read out the revoke mask and show the keys to be revoked before asking for confirmation. If booting from USB-recovery or other external media, the command asks for confirmation directly.

    You can identify the revoke mask that is going to be burnt by looking on the header of the bootloader image:

    $ hexdump -n 1 -s 0x405 <{bootloader file>
    0000405 0002
    0000406

    Continuing with the example above:

    => trustfence revoke
    Following keys will be permanently revoked:
       Key 1
    Warning: Programming fuses is an irreversible operation!
             This may brick your system.
             Use this command only if you are sure of what you are doing!
    
    Really perform this fuse programming? <y/N>
    y
    Revoking keys...[OK]
       Key 1 revoked
After a key has been permanently revoked, always include it in SRK_REVOKE_MASK when building new images. Otherwise, the device will refuse to boot.

You can check the revocation status of the keys by using the trustfence status command.