Revoke a Fused PKC Key

The NVIDIA IGX Orin SoC supports three PKC public keys for secure boot. For more information, see Enable Secure Boot for Pre-UEFI Phases.

IGX provides a revocation mechanism in case a key is compromised after the product is shipped. Keys remain active until they are revoked, and the SoC accepts images signed with any of the non-revoked keys. The last key (FUSE_PK_H2) is not revocable, so the system can always boot with images signed with the private key of the last key.

To revoke the first key (FUSE_PUBLIC_KEY), do the following.

  1. In the <Linux_for_Tegra> directory, open the bootloader/generic/BCT/tegra234-br-bct-p3701-0002-p3740-0002.dts file with an editor.

  2. Add revoke_pk_h0 = <1> to the brbct section.

     /dts-v1/;

     / {
         brbct {
             . . .
             revoke_pk_h0 = <1>;
             bf_bl_allbits {
                 . . .
             };
         };
     };

  3. Reflash the QSPI image with the second PKC private key (rsa3k-1.pem) as the signing key. Provide sbk.key if the optional encryption was applied in the previous flashing. For details, see 4. Sign and Flash QSPI Boot Firmware Images.

     sudo ./flash.sh -u rsa3k-1.pem [-v sbk.key] p3740-0002-p3701-0008-qspi external
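
A pre-flash check for the steps above, as an added example that is not part of the NVIDIA documentation or tooling: it confirms that revoke_pk_h0 = <1>; is an active property directly inside the brbct node, and that the signing key file is not the key being revoked. The function names and the third argument (the revoked key's file) are assumptions, and the sample DTS is constructed.

```shell
#!/bin/sh
# Added example, not NVIDIA tooling. Function names are hypothetical.

# check_revoke_pk_h0 DTS: succeed only if "revoke_pk_h0 = <1>;" is an active
# (uncommented) property directly inside the brbct node, not in a child node.
check_revoke_pk_h0() {
    awk '
        { gsub(/\/\*.*\*\//, ""); sub(/\/\/.*/, "") }   # strip one-line comments
        depth == 1 && /^[ \t]*brbct[ \t]*[{]/ { in_brbct = 1 }
        in_brbct && depth == 2 &&
            /^[ \t]*revoke_pk_h0[ \t]*=[ \t]*<[ \t]*1[ \t]*>[ \t]*;/ { found = 1 }
        {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track node nesting
            if (depth < 2) in_brbct = 0                    # left the brbct node
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# preflight DTS SIGNING_KEY REVOKED_KEY: gate to run before flash.sh.
preflight() {
    check_revoke_pk_h0 "$1" || { echo "revoke_pk_h0 = <1> not set in brbct: $1" >&2; return 1; }
    [ -r "$2" ] || { echo "signing key not readable: $2" >&2; return 1; }
    if cmp -s "$2" "$3"; then
        echo "signing key is the key being revoked: $2" >&2; return 1
    fi
    echo "ok: sign with $2"
}

# Demo on a constructed BR-BCT fragment (not a real board file).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
/dts-v1/;
/ {
    brbct {
        revoke_pk_h0 = <1>;
        bf_bl_allbits {
        };
    };
};
EOF
    check_revoke_pk_h0 "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo && echo "constructed sample: revoke_pk_h0 is set in brbct"
```

Multi-line block comments in the DTS are not handled by this check.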