[PATCH] i.MX: hab: always lock SRK hash after fusing
Sascha Hauer
s.hauer at pengutronix.de
Mon Mar 9 01:07:45 PDT 2026
On Mon, Mar 09, 2026 at 08:50:38AM +0100, Sascha Hauer wrote:
>
> On Fri, 06 Mar 2026 11:38:12 +0100, Ulrich Ölmann wrote:
> > The flag IMX_SRK_HASH_WRITE_LOCK has been present since the introduction of
> > barebox' hab command in [1], but only got its first user recently. Keeping SRK
> > hash locking optional is dangerous though: after programming the SRK hash,
> > leaving it writable allows later manipulations which can render a device
> > unbootable.
> >
> > Make SRK hash programming always burn the corresponding lock fuses on all
> > supported i.MX variants (IIM/OCOTP), and remove IMX_SRK_HASH_WRITE_LOCK.
> >
> > [...]
>
> Applied, thanks!
>
> [1/1] i.MX: hab: always lock SRK hash after fusing
> https://git.pengutronix.de/cgit/barebox/commit/?id=1f4d4a2b75b7 (link may not be stable)
Also added a note to the migration guide.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
More information about the barebox
mailing list