diff --git a/scripts/fit.sh b/scripts/fit.sh
index 3f34ac5ac1..3b5da371f9 100755
--- a/scripts/fit.sh
+++ b/scripts/fit.sh
@@ -92,7 +92,7 @@ function check_its()
 function validate_arg()
 {
 case $1 in
- --no-check|--spl-new)
+ --no-check|--spl-new|--burn-key-hash)
 shift=1
 ;;
 --ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-uboot|--boot_img|--version-uboot|--version-boot)
@@ -162,6 +162,10 @@ function fit_process_args()
 arg_check_decimal $2
 shift 2
 ;;
+ --burn-key-hash)
+ ARG_BURN_KEY_HASH="y"
+ shift 1
+ ;;
 *)
 help
 exit 1
@@ -224,6 +228,11 @@ function fit_gen_uboot_itb()
 sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" ${ITS_UBOOT}
 fi
 
+ # burn-key-hash
+ if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
+ sed -i "s/burn-key-hash = <0>;/burn-key-hash = <1>;/g" ${ITS_UBOOT}
+ fi
+
 # u-boot.dtb must contains rsa key
 if ! fdtget -l ${UBOOT_DTB} /signature >/dev/null 2>&1 ; then
 ${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_S_UBOOT} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
@@ -243,6 +252,14 @@ function fit_gen_uboot_itb()
 fi
 fi
 
+ # burn-key-hash read back check
+ if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
+ if [ "`fdtget -ti ${ITB_UBOOT} /configurations/conf burn-key-hash`" != "1" ]; then
+ echo "ERROR: Failed to set burn-key-hash for ${ITB_UBOOT}";
+ exit 1
+ fi
+ fi
+
 # host check signature
 if [ "${ARG_NO_CHECK}" != "y" ]; then
 if [ "${ARG_SPL_NEW}" == "y" ]; then
@@ -434,6 +451,11 @@ function fit_msg_uboot()
 MSG_VER=", version=${VERSION}"
 fi
 
+ if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
+ echo "uboot.img: burn-key-hash=1"
+ echo
+ fi
+
 if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
 echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready"
 else
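Review bot: The new `--burn-key-hash)` arm in fit_process_args() carries no comment, and none of the visible hunks touches help(), so the option appears to ship undocumented. If the property does what its name suggests (asking the boot chain to program the signing-key hash into one-time-programmable storage), a copy-pasted invocation has consequences that cannot be undone on the target, so it deserves a usage line and a warning. I would add above the assignment `# Request key-hash burning in the signed uboot image; presumably irreversible on the device, so confirm KEY_DIR holds the intended key` and a matching entry in help(). fit_process_args() starts and ends outside this hunk.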
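Review bot: The `sed` added in fit_gen_uboot_itb() changes the ITS only if it contains the exact text `burn-key-hash = <0>;`; with different spacing or a missing property it exits 0 having done nothing, and mkimage then signs an image without the flag. The read-back added further down the function does catch this, but only after the signing step has run and, in the branch shown, after `-K ${UBOOT_DTB}` has already written to u-boot.dtb. Failing right after the substitution is cheaper and gives a clearer message: `grep -q "burn-key-hash = <1>;" ${ITS_UBOOT} || { echo "ERROR: no burn-key-hash property in ${ITS_UBOOT}" >&2; exit 1; }`. The function body continues outside the hunk.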
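Review bot: The read-back check in fit_gen_uboot_itb() runs only when `--burn-key-hash` was given, so the opposite mistake goes unnoticed: an ITS that already carries `burn-key-hash = <1>;` (an edited template or a stale file; whether ${ITS_UBOOT} is regenerated on every run is not visible here) produces an image with the flag set although nobody asked for it. That is the more damaging direction, so I would compare the value read back with the request in both cases, adding `elif [ "$(fdtget -ti ${ITB_UBOOT} /configurations/conf burn-key-hash 2>/dev/null)" == "1" ]; then echo "ERROR: burn-key-hash set in ${ITB_UBOOT} without --burn-key-hash" >&2; exit 1` to the outer `if`. The existing error message should also go to stderr (`>&2`), and the stray `;` after it can be dropped. The function starts and ends outside this hunk.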