Hi,
I have revoked an SRK key, and after some research I am left with a few questions. The HAB Code Signing Tool User's Guide, Rev. 3.1.0, 09/2018, pages 47/48, states:
"HAB or AHAB authenticates the SRK using the SRK hash (SRK_HASH) fuses. HAB4 or AHAB allows revocation of individual keys within the SRK table using the SRK revocation (SRK_REVOKE) fuses."
However, the table below states that in HAB4 the "Revocations" argument is "not present" for the [Install SRK] block. Without this setting it seems that we are required to update the boot loader twice, once to enable SRK revocation and to revoke the key, and once to disable SRK revocation.
Q1.1) Is this attribute available in the HABv4 ROM (version 4.3)?
Q1.2) Can I disable the lock in csf_spl.bin and re-enable the lock in csf_fit.bin to prohibit SRK revocations in the insecure world (i.e. U-Boot and Linux) or am I always prone to a second U-Boot update?
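For readers following the question, this is an added illustration (not from the original post or NXP's documentation) of how a HAB4 CSF for an SPL stage expresses "leave SRK revocation unlocked": the [Unlock] command targeting the OCOTP engine. The file paths, key indices and the Blocks line are placeholders; the SRK table, CSF key and image key file names assume a key set generated by the CST scripts.

```ini
# Added example CSF (HAB4) for signing an SPL image.
# Without an [Unlock] command HAB locks the OCOTP SRK_REVOKE fuses
# before handing control to the boot loader, so a CSF that omits this
# block (for example the one used for the FIT stage) leaves revocation
# locked for the rest of the boot.
[Header]
    Version = 4.3
    Hash Algorithm = sha256
    Engine = CAAM
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    # Placeholder path: SRK table produced by the CST key scripts.
    File = "../crts/SRK_1_2_3_4_table.bin"
    # Index of the SRK used for this image (0-based).
    Source index = 0

[Install CSFK]
    # Placeholder path: CSF signing certificate.
    File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

# Keep the SRK revocation fuses writable after ROM boot so the SPL
# stage can program SRK_REVOKE. Omit this block to keep the lock set.
[Unlock]
    Engine = OCOTP
    Features = SRK REVOKE

[Install Key]
    Verification index = 0
    Target index = 2
    # Placeholder path: image signing certificate.
    File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
    Verification index = 2
    # Placeholder: load address, offset, length and file of the SPL image.
    Blocks = 0x877ff400 0x0 0x5ec00 "SPL-dtb.bin"
```

The lock state set by the ROM applies to the whole boot; a later CSF can only choose whether or not to unlock, which is the crux of Q1.2 above.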