How to fuse prog revoke SRK from uboot or user space

starlabsstas · ‎01-18-2023

Hi,

I successfully set up secure boot with the imx8mm similar to this post: https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/Steps-to-enable-secure-boot-in-i-MX8M-Na...

Secure boot works. Now I want to revoke a single SRK key permanently within the SoC. From the imx7 I know that I need to write a bitmask to some memory mapped area. This info was retrieved from the security documentation back then.

Now for the imx8mm I do not have access to the security documentation yet.

Can someone tell me how to revoke an SRK for the imx8mm within u-boot or linux user space?

I have an NDA if this helps in speeding this up.

jbhaijy · ‎03-04-2024

Hi @starlabsstas,

I am using i.MX8MM.SRK1 signed is able to flash & authenticate the SRK signed image on i.MX8MM without any HAB events. But uuu doesn't allow to flash images signed with SRK2. What could be the problem here?

I have some questions, I request if you could share experience here.

Are you able to revoke the SRK key from uboot?
What command you used to revoked the SRK key?
Which key you revoked?
Which SRK key signed image you were used while SRK key revocation?
Can we used SRK1 signed image while revoking SRK1 from uboot?
What CSF changes we need to have to revoke the SRK key?
Do we need SRK revocation changes in SPL, FIT & Kernel CSF files?

Thanks for your support.

Regards,

jbhaijy

Harvey021 · ‎01-29-2023

Hi @starlabsstas

The way of revoking SRK for i.MX8MM is similar to imx7. Like fuse prog 9 3 bits[0:3].

More details can be found at B SRK revocation on HABv4 of i.MX Secure Boot on HABv4 Supported Devices (nxp.com)

Best regards

Harvey