Revoke a Fused PKC Key
The NVIDIA IGX Orin SoC supports three PKC public keys for secure boot. For more information, see Enable Secure Boot for Pre-UEFI Phases.
IGX provides a revocation mechanism in case a key is compromised after the product is shipped. Keys remain active until they are revoked, and the SoC accepts images signed with any of the non-revoked keys. The last key (FUSE_PK_H2) is not revocable, so the system can always boot with images signed with the private key of the last key.
To revoke the first key (FUSE_PUBLIC_KEY), do the following.
Open the <Linux_for_Tegra>/bootloader/generic/BCT/tegra234-br-bct-p3701-0002-p3740-0002.dts file with an editor.
Add revoke_pk_h0 = <1>; to the brbct section.
/dts-v1/;

/ {
    brbct {
        . . .
        /* Revoke the first PKC key (FUSE_PUBLIC_KEY). */
        revoke_pk_h0 = <1>;
        bf_bl_allbits {
            . . .
        };
    };
};
Reflash the QSPI image with the second PKC private key (rsa3k-1.pem) as the signing key. Provide sbk.key if the optional encryption was applied in the previous flashing. For details, see 4. Sign and Flash QSPI Boot Firmware Images.
sudo ./flash.sh -u rsa3k-1.pem [-v sbk.key] p3740-0002-p3701-0008-qspi external
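A pre-flash check for the edit above, added here as an example and not part of NVIDIA's tooling: the hypothetical shell function check_revoke_pk_h0 confirms that revoke_pk_h0 = <1>; sits directly in the brbct node rather than in a child node or a comment. It assumes one statement per line in the .dts file and runs on a constructed sample.

```shell
#!/bin/sh
# Added example, not NVIDIA code. Assumes one statement per line in the .dts.
# check_revoke_pk_h0 FILE -> 0 if "revoke_pk_h0 = <1>;" is a direct child of
# the brbct node, 1 if missing/misplaced/other value, 2 if FILE is unreadable.
check_revoke_pk_h0() {
    [ -r "$1" ] || return 2
    awk '
    {
        line = $0
        sub(/\/\/.*/, "", line)                  # drop // comments
        gsub(/\/\*[^*]*\*\//, "", line)          # drop one-line /* */ comments
        if (!in_brbct && line ~ /(^|[ \t])brbct[ \t]*[{]/) {
            in_brbct = 1; brbct_depth = depth + 1
        }
        # Count the property only at brbct level, not inside child nodes.
        if (in_brbct && depth == brbct_depth &&
            line ~ /(^|[ \t])revoke_pk_h0[ \t]*=[ \t]*<[ \t]*(1|0x1)[ \t]*>[ \t]*;/)
            found = 1
        # Track node nesting so we know when brbct has been closed.
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (in_brbct && depth < brbct_depth) in_brbct = 0
    }
    END { exit(found ? 0 : 1) }' "$1"
}

# Constructed sample input mirroring the fragment above (elided lines omitted).
demo_dts=$(mktemp)
cat > "$demo_dts" <<'EOF'
/dts-v1/;

/ {
    brbct {
        revoke_pk_h0 = <1>;
        bf_bl_allbits {
        };
    };
};
EOF
if check_revoke_pk_h0 "$demo_dts"; then
    echo "revoke_pk_h0 is set in brbct"
else
    echo "revoke_pk_h0 is NOT set in brbct; do not flash yet" >&2
fi
rm -f "$demo_dts"
```

Point the function at the edited BR-BCT .dts file before running flash.sh; a non-zero return means the reflashed image would leave the first key active.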