imx8x manually revoke key

jonaspersson
Contributor II

Hello,

Is it possible to revoke a key "manually" on the imx8x SoCs?

This was possible on the imx6 parts by issuing a special unlock command in the CSF to allow writes to that fuse bank. For the imx8x the documentation seems to indicate that the _only_ way to revoke keys is by setting the revoke parameter in the CSF in combination with the "commit" command.

Is it possible to access the revocation fuses without changing the CSF?

Jonas

AldoG
NXP TechSupport

Hello,

 

Unfortunately no. It is possible to revoke an SRK only after successful authentication of the header that contains the SRK revocation command and the receipt of the COMMIT command with the corresponding argument.

This is specified in AN12312, "Secure Boot on i.MX 8 and i.MX 8X Families using AHAB", section 4.5, "SRK revocation".

You'll find the app note here:

https://www.nxp.com/docs/en/application-note/AN12312.pdf

 

Hope this helps,

Best regards,

Aldo.

Gandalf-kern
Contributor IV

Running into the same question: "only after successful authentication of the header that contains the SRK revocation command and the receipt of the COMMIT command with the corresponding argument. It can be performed with the Code Signing Tool and the SCU API."

This short section isn't very clear. After a boot time successful authentication of the header that contains the SRK revocation command, can the COMMIT command be performed when the CST text file sets the Revocation = 0x1 flag and the SCU API based on the flag will do a commit during boot instead of through the SCU port if the flag is set?

Another reading of AN12312 might be to suggest that the 'and' means these are alternate ways of issuing the commit. Either way, they could have written this a bit more precisely. Something this significant shouldn't be this ambiguous for developers.
