Revoke a Fused PKC Key

The NVIDIA IGX SoC supports three PKC public keys for secure boot. For more information, see Enable Secure Boot for Pre-UEFI Phases.

IGX provides a revocation mechanism in case a key is compromised after the product is shipped. The keys are always active until they are revoked, and the SoC accepts images signed with any of the non-revoked keys. The last key (FUSE_PK_H2) is not revocable, so the system can always boot images signed with the private key of the last key.

To revoke the first key (FUSE_PUBLIC_KEY), do the following.

  1. Open the <LINUX_FOR_TEGRA>/bootloader/generic/BCT/tegra234-br-bct-p3701-0002-p3740-0002.dts file in an editor.

  2. Add revoke_pk_h0 = <1> to the brbct section.

     /dts-v1/;

     / {
        brbct {
        . . .
        revoke_pk_h0 = <1>;
        bf_bl_allbits {
          . . .
           };
        };
     };
    
  3. Run the command below to reflash the QSPI image with the second PKC private key (rsa3k-1.pem) as the signing key. Once the first key is revoked, images must be signed with one of the non-revoked keys. If the optional encryption was applied in the previous flashing, also pass the provided sbk.key with -v. For details, see 4. Sign and Flash QSPI Boot Firmware Images.

    sudo ./flash.sh -u rsa3k-1.pem [-v sbk.key] p3740-0002-p3701-0008-qspi external
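
The edit in step 2 can be scripted and checked before running step 3. The following is an added example, not part of the NVIDIA documentation or tooling: the function names `has_revoke_pk_h0` and `set_revoke_pk_h0` are hypothetical, and the script assumes one statement per line and `//` comments only.

```shell
#!/bin/sh
# Added example (not NVIDIA code): set and verify revoke_pk_h0 in a BR-BCT .dts.
# Assumptions: one statement per line; only // comments are recognized.

# has_revoke_pk_h0 FILE
# Succeeds only if an uncommented "revoke_pk_h0 = <1>;" is a direct child of
# the brbct node, so a property placed in a sub-node does not count.
has_revoke_pk_h0() {
    awk '
        { line = $0; sub(/\/\/.*/, "", line) }
        !in_node && line ~ /(^|[ \t])brbct[ \t]*[{]/ { in_node = 1; depth = 0 }
        in_node {
            if (depth == 1 && line ~ /^[ \t]*revoke_pk_h0[ \t]*=[ \t]*<[ \t]*1[ \t]*>[ \t]*;/)
                found = 1
            depth += gsub(/[{]/, "{", line)
            depth -= gsub(/[}]/, "}", line)
            if (depth <= 0) in_node = 0
        }
        END { exit !found }
    ' "$1"
}

# set_revoke_pk_h0 FILE
# Idempotent edit for step 2. Returns 0 when the property is (now) set,
# 2 when the file already mentions revoke_pk_h0 elsewhere or with another
# value (file left untouched for manual review), 1 on any other failure.
set_revoke_pk_h0() {
    has_revoke_pk_h0 "$1" && return 0
    grep -q 'revoke_pk_h0' "$1" && return 2
    tmp=$(mktemp) || return 1
    awk '
        { print }
        !done && /(^|[ \t])brbct[ \t]*[{]/ {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) "    revoke_pk_h0 = <1>;"
            done = 1
        }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    has_revoke_pk_h0 "$1"
}
```

Calling `set_revoke_pk_h0` on the BCT file from step 1 and stopping on a non-zero status keeps step 3 from running against a file where the property is missing or sits in the wrong node.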