Although securing the device involves programming the hash of four public keys into the eFuses, only one key (number 0 by default) is used in the secure boot process. If the key gets compromised, it can be revoked and a different key used.

To use a different key for the signature of firmware images, set your conf/local.conf project configuration file as follows:

TRUSTFENCE_KEY_INDEX = "N"

N (range 0 - 3) is the key number to use.

Revoking a key is an irreversible process.

To revoke a key, use the trustfence revoke U-Boot command. This burns the appropriate bit in the SRK Revoke fuse word. For example, to revoke the key with index 0:

=> trustfence revoke 0

The last key (index 3) cannot be revoked.

On closed devices, the SRK Revoke fuse word is write-protected, and thus keys cannot be revoked by default. In order to be able to revoke keys in closed devices, you must define the following Digi Embedded Yocto macro:

TRUSTFENCE_UNLOCK_KEY_REVOCATION = "1"

The macro configures U-Boot not to protect the SRK Revoke fuse word, making key revocation possible.

You can check the revocation status of the keys by using the trustfence status command.