Although securing the device involves programming the hash of four public keys into the eFuses, only one key (number 0 by default) is used in the secure boot process. If the key gets compromised, it can be revoked and a different key used.

To use a different key for the signature of firmware images, set your conf/local.conf project configuration file as follows:

TRUSTFENCE_KEY_INDEX = "N"

N (range 0 - 3) is the key number to use.

Revoking a key is an irreversible process.

To revoke a key:

  1. Define a revoke mask at build time.

    Set the key or keys you want to revoke in the TRUSTFENCE_SRK_REVOKE_MASK Yocto macro. The mask consists of 1 bit per key, where key N revocation is mapped as (1 << N).

    For example, to revoke the key with index 1:

    TRUSTFENCE_SRK_REVOKE_MASK = "0x2"   #(0010b)

    The last key (index 3) cannot be revoked.

  2. Program the new imx-boot file into the internal eMMC.

    For the device to boot correctly, the key selected for secure boot must not be among those in the revoke mask. Program the new imx-boot file and reset the device. Up to this point, the process is still reversible.

  3. Permanently revoke the keys in the revoke mask.

    To permanently revoke the keys, use the trustfence revoke U-Boot command. This burns the appropriate bits in the SRK Revoke fuse word based on the keys selected at build time in TRUSTFENCE_SRK_REVOKE_MASK.

    If the device is booting from the internal eMMC, the command can read out the revoke mask and show the keys to be revoked before asking for confirmation. If booting from USB-recovery or other external media, the command asks for confirmation directly.

    If unsure about the revoke mask that’s going to be burnt, check it out on the header of the imx-boot image:

    $ hexdump -n 1 -s 0x405 <imx-boot file>
    0000405 0002
    0000406

    Continuing with the above example:

    => trustfence revoke
    Following keys will be permanently revoked:
       Key 1
    Warning: Programming fuses is an irreversible operation!
             This may brick your system.
             Use this command only if you are sure of what you are doing!
    
    Really perform this fuse programming? <y/N>
    y
    Revoking keys...[OK]
       Key 1 revoked
After a key has been permanently revoked, always include it in TRUSTFENCE_SRK_REVOKE_MASK when building new images. Otherwise, the device will refuse to boot.

You can check the revocation status of the keys by using the trustfence status command.