imx8x manually revoke key

jonaspersson · ‎04-19-2020

Hello,

Is it possible to revoke a key "manually" on the imx8x soc:s?

This was possible on the imx6 -parts by issuing a special unlock command in the CSF to allow writes to that fuse bank. For the imx8x the documentation seems to indicate that the _only_ way to revoke key's are by setting the revoke parameter in the csf in combination with the "commit" command.

Is it possible to access the revocation fuses without changing the csf?

Jonas

AldoG · ‎04-23-2020

Hello,

Unfortunately no, It is possible to revoke an SRK only after successful authentication of the header that contains the SRK revocation command and the receipt of the COMMIT command with the corresponding argument.

As specified in the AN12312, Secure Boot on i.MX 8 and i.MX 8X Families using AHAB section 4.5 SRK revocation.

You'll find the app note here:

https://www.nxp.com/docs/en/application-note/AN12312.pdf

Hope this helps,

Best regards,

Aldo.

Gandalf-kern · ‎04-19-2021

Running into the same question: "only after successful authentication of the header that contains the SRK revocation command and the receipt of the COMMIT command with the corresponding argument. It can be performed with the Code Signing Tool and the SCU API."

This short section isn't very clear. After a boot time successful authentication of the header that contains the SRK revocation command, can the COMMIT command be performed when the CST text file sets the Revocation = 0x1 flag and the SCU API based on the flag will do a commit during boot instead of through the SCU port if the flag is set?

Another reading of AN12312 might be to suggest that the 'and' means these are alternate ways of issuing the commit. Either way, they could have written this a bit more precisely. Something this significant shouldn't be this ambiguous for developers.

mgarcia2313 · ‎03-11-2025

What do you mean when you say COMMIT command?

imx8x manually revoke key

imx8x manually revoke key

i.MX 8 Family | i.MX 8QuadMax (8QM) | 8QuadPlus