[PATCH] i.MX: hab: always lock SRK hash after fusing
Marco Felsch
m.felsch at pengutronix.de
Fri Mar 6 02:50:17 PST 2026
On 26-03-06, Ulrich Ölmann wrote:
> The flag IMX_SRK_HASH_WRITE_LOCK has been present since the introduction of
> barebox' hab command in [1], but only got its first user recently. Keeping SRK
> hash locking optional is dangerous though: after programming the SRK hash,
> leaving it writable allows later manipulations which can render a device
> unbootable.
>
> Make SRK hash programming always burn the corresponding lock fuses on all
> supported i.MX variants (IIM/OCOTP), and remove IMX_SRK_HASH_WRITE_LOCK.
>
> [1] 9dc622d5622c ("i.MX: hab: Add HAB fusebox related convenience functions / command")
>
> Signed-off-by: Ulrich Ölmann <u.oelmann at pengutronix.de>
Reviewed-by: Marco Felsch <m.felsch at pengutronix.de>
More information about the barebox
mailing list