Although securing the device involves programming the hash of four public keys into the eFuses, only one key (number 0 by default) is used in the secure boot process. If the key gets compromised, it can be revoked and a different key used.
To use a different key for the signature of firmware images, set your conf/local.conf project configuration file as follows:
TRUSTFENCE_KEY_INDEX = "N"
N (range 0 - 3) is the key number to use.
Revoking a key is an irreversible process. |
To revoke a key, use the trustfence revoke U-Boot command. This burns the appropriate bit in the SRK Revoke fuse word. For example, to revoke the key with index 0:
=> trustfence revoke 0
The last key (index 3) cannot be revoked.
On closed devices, the SRK Revoke fuse word is write-protected, and thus keys cannot be revoked by default. In order to be able to revoke keys in closed devices, you must define the following Digi Embedded Yocto macro:
TRUSTFENCE_UNLOCK_KEY_REVOCATION = "1"
The macro configures U-Boot not to protect the SRK Revoke fuse word, making key revocation possible.
You can check the revocation status of the keys by using the trustfence status command.