SRK list in ISBC CSF header

dmitri_lechtchinski
Contributor III

Hello,


If I use a list of public keys (by enabling "Srk table flag" in CSF header), and generate the appropriate SRKH value for programming in fuse, does this mean that every ISBC CSF header from now on must include the same list of all public keys and in the same order?
Is there an example for running uni_sign tool with such configuration? The document "QorIQ SDK v2.0-1703 Documentation" only includes examples for a single key.


Thank you,
Dmitri

 

yipingwang
NXP TechSupport

Yes, that means all your T2080 with the same SRKH value must use the same list of all public keys. However, you can choose to use any one of the maximum four keys. I.e., since the SRKH is based on your keys, once the SRKH is burned, you cannot add more keys to the list as it will alter the SRKH value and make the checking fail.

In any of the input_files in the CST folder (e.g. cst/input_files/uni_sign/t1_t2_t4/input_uboot_nor_secure), you can:

#####
# USAGE (for 4080/5020/5040/3041/2041/1010/913x): PRI_KEY = <key1.pri>
# USAGE (for 1040/C290/9164/4240): PRI_KEY = <key1.pri>, <key2.pri>, <key3.pri>, <key4.pri>

# PRI_KEY (Default private key :srk.pri) - [Optional]
PRI_KEY=srk1.pri, srk2.pri, srk3.pri, srk4.pri
# PUB_KEY (Default public key :srk.pub) - [Optional]
PUB_KEY=srk1.pub, srk2.pub, srk3.pub, srk4.pub
# Please provide KEY_SELECT(between 1 to 4) (Required for 1040/C290/9164/4240 only) - [Optional]
KEY_SELECT=3
#####

In this case, it will use srk3.pri and srk3.pub to sign the image. If later you revoke key #3, then the secure boot will fail with the image you sign by srk3.pri/pub. You still can use key 1, 2, or 4 to sign image and run on your T2080.
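An added example, not part of the original thread or of NXP's CST: a pre-signing check for an input file like the one in the answer above. It verifies that the key lists match, that KEY_SELECT indexes a listed key, and that the ordered public key list is unchanged from a pinned copy. The fingerprint is a simplified stand-in and not the SRKH that CST computes; the function names, sample key bytes and pinned value are assumptions.

```python
import hashlib

MAX_KEYS = 4  # the answer above: "maximum four keys"

def parse_input(text):
    """Parse KEY=VALUE lines of a uni_sign-style input file; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return fields

def list_fingerprint(pub_keys):
    """Ordered, length-prefixed SHA-256; a stand-in, NOT the SRKH that CST computes."""
    h = hashlib.sha256()
    for blob in pub_keys:
        h.update(len(blob).to_bytes(4, "big") + blob)
    return h.hexdigest()

def lint(text, key_blobs, pinned_fingerprint):
    """Return a list of problems; an empty list means the file is consistent."""
    f = parse_input(text)
    pri, pub = f.get("PRI_KEY", []), f.get("PUB_KEY", [])
    problems = []
    if len(pri) != len(pub):
        problems.append("PRI_KEY and PUB_KEY list lengths differ")
    if not 1 <= len(pub) <= MAX_KEYS:
        problems.append("key list must hold 1 to 4 keys")
    sel = (f.get("KEY_SELECT") or [""])[0]
    if not sel.isdecimal() or not 1 <= int(sel) <= len(pub):
        problems.append("KEY_SELECT does not index a listed key")
    missing = [name for name in pub if name not in key_blobs]
    if missing:
        problems.append("missing public key material: " + ", ".join(missing))
    elif list_fingerprint([key_blobs[n] for n in pub]) != pinned_fingerprint:
        problems.append("public key list differs from the pinned list (content or order)")
    return problems

# Constructed sample data: placeholder bytes stand in for real public key files.
KEYS = {f"srk{i}.pub": f"constructed-public-key-{i}".encode() for i in range(1, 5)}
SAMPLE = """PRI_KEY=srk1.pri, srk2.pri, srk3.pri, srk4.pri
PUB_KEY=srk1.pub, srk2.pub, srk3.pub, srk4.pub
KEY_SELECT=3
"""
PINNED = list_fingerprint([KEYS[f"srk{i}.pub"] for i in range(1, 5)])
print(lint(SAMPLE, KEYS, PINNED))
```

Pin the fingerprint when the fuse value is generated and run the check in the signing pipeline, so a reordered or edited key list is caught before an image is signed.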
