Revoke a key

Although securing the device involves programming the hash of four public keys into the eFuses, only one key (number 0 by default) is used in the secure boot process. If the key gets compromised, it can be revoked and a different key used.

To use a different key for the signature of firmware images, set your localconf.mk project configuration file as follows: 

TRUSTFENCE_KEY_INDEX := "N"

N (range 0 - 3) is the key number to use.

To revoke a key,  use the trustfence revoke command. That will burn the appropriate bit in the SRK Revoke fuse word. For example, to revoke the key with index 0:

trustfence revoke 0

The last key (index 3) cannot be revoked.

CAUTION! Revoking a key is an irreversible process.

On closed devices, the SRK Revoke fuse word is write-protected, and thus keys cannot be revoked by default. In order to be able to revoke keys in closed devices, you must define the following macro:

TRUSTFENCE_UNLOCK_KEY_REVOCATION := "1"

The macro configures U-Boot not to protect the SRK Revoke fuse word, making key revocation possible.

You can check the revocation status of the keys by using the trustfence status command.