Although securing the device involves programming the hash of four public keys into the eFuses, only one key (number 0 by default) is used in the secure boot process. If the key gets compromised, it can be revoked and a different key used.
To use a different key for the signature of firmware images, set your conf/local.conf
project configuration file as follows:
TRUSTFENCE_KEY_INDEX = "N"
N (range 0 - 3) is the key number to use.
Revoking a key is an irreversible process. |
To revoke a key:
-
Define a revoke mask at build time.
Set the key or keys you want to revoke in the
TRUSTFENCE_SRK_REVOKE_MASK
Yocto macro. The mask consists of 1 bit per key, where key N revocation is mapped as (1 << N).For example, to revoke the key with index 1:
TRUSTFENCE_SRK_REVOKE_MASK = "0x2" #(0010b)
The last key (index 3) cannot be revoked.
-
Program the new imx-boot file into the internal eMMC.
For the device to boot correctly, the key selected for secure boot must not be among those in the revoke mask. Program the new imx-boot file and reset the device. Up to this point, the process is still reversible.
-
Permanently revoke the keys in the revoke mask.
To permanently revoke the keys, use the
trustfence revoke
U-Boot command. This burns the appropriate bits in the SRK Revoke fuse word based on the keys selected at build time inTRUSTFENCE_SRK_REVOKE_MASK
.If the device is booting from the internal eMMC, the command can read out the revoke mask and show the keys to be revoked before asking for confirmation. If booting from USB-recovery or other external media, the command asks for confirmation directly.
If unsure about the revoke mask that’s going to be burnt, check it out on the header of the imx-boot image:
$ hexdump -n 1 -s 0x405 <imx-boot file> 0000405 0002 0000406
Continuing with the above example:
=> trustfence revoke Following keys will be permanently revoked: Key 1 Warning: Programming fuses is an irreversible operation! This may brick your system. Use this command only if you are sure of what you are doing! Really perform this fuse programming? <y/N> y Revoking keys...[OK] Key 1 revoked
After a key has been permanently revoked, always include it in TRUSTFENCE_SRK_REVOKE_MASK when building new images.
Otherwise, the device will refuse to boot.
|
You can check the revocation status of the keys by using the trustfence status
command.