The final step in configuring secure boot for a device is burning the secure eFuse configuration.

The secure eFuse configuration can only be written once and is irreversible.

To secure the device:

1. Program the SRK eFuse

The SRK fuses hold the hash of the SRK public keys. In open devices, they are never used. In closed devices, they are used to validate the public key contained in signed firmware images.

Before closing the device, you must store the hash of the public keys in the SRK OTP bits on the device. This allows the ROM loader to validate the public key included in signed firmware images. The signing script generates a file named SRK_efuses.bin, which can be used to program the SRK efuses from the U-Boot shell in a safe way following this procedure:

  1. Verify there are no HAB events (as explained at 6. Program the signed bootloader).

  2. From the U-Boot prompt, load the SRK_efuses.bin file to memory using TFTP:

    => tftp ${loadaddr} SRK_efuses.bin
    Using FEC device
    TFTP from server; our IP address is
    Filename 'SRK_efuses.bin'.
    Load address: 0x12000000
    Loading: #
             15.6 KiB/s
    Bytes transferred = 32 (20 hex)
    Information in the console log may vary.
  3. Program the device using the trustfence prog_srk command:

    => trustfence prog_srk ${loadaddr} ${filesize}
    Warning: Programming fuses is an irreversible operation!
             This may brick your system.
             Use this command only if you are sure of what you are doing!
    Really perform this fuse programming? <y/N>

    The filesize environment variable is automatically calculated from the previous tftp command to be equal to the size (in bytes) of the SRK_efuses.bin file.

To simplify key management, Digi recommends you program all devices with the same set of four keys.

When a signed U-Boot is used in an open device, the ROM loader attempts to validate it and generates events if the bootloader image is not properly signed. You can use this behavior to verify the images before you close a device.

See Revoke a bootloader sign key for steps to take if any of these keys are compromised.

2. Close the device

This step is irreversible and could brick your device.

Before closing the device:

  • Verify you have programmed a signed, not encrypted, bootloader image.

  • Run hab_status and:

    • Verify there are no HAB events

    • Verify the SRK eFuses are programmed. The SRK OTP bits are not verified on open devices. For a closed device to boot, all the SRK OTP bits must be burned. An open device booting with no HAB events stops booting after being closed if the SRK OTP bits are invalid, not burned, or only partially burned.

To close a device, issue Digi’s U-Boot trustfence close command as follows and then reset the target:

=> trustfence close
=> reset

After that, the device only boots properly signed images.

After you have closed the device, consider the following ways to further secure your device:

  • U-Boot drops to a console after an unsuccessful firmware authentication for debugging purposes. Since a user could use this console for booting the system, Digi recommends you disable this console in production firmware. See Secure console modes.