diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c
index c7e3910b1..9a8f2e5bf 100644
--- a/boot/bootutil/src/ed25519_psa.c
+++ b/boot/bootutil/src/ed25519_psa.c
@@ -45,7 +45,8 @@ static psa_key_id_t key_ids[] =  {
 
 #if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
 #include <bootutil/key_revocation.h>
-static psa_key_id_t *validated_with = NULL;
+#define VALIDATED_WITH_UNINITIALIZED INT32_MAX
+static int32_t validated_with = VALIDATED_WITH_UNINITIALIZED;
 #endif
 
 BUILD_ASSERT(CONFIG_BOOT_SIGNATURE_KMU_SLOTS <= ARRAY_SIZE(key_ids),
@@ -142,7 +143,9 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
                                     EDDSA_SIGNAGURE_LENGTH);
         if (status == PSA_SUCCESS) {
 #if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
-            validated_with = key_ids + i;
+            if(i < validated_with) {
+                validated_with = i;
+            }
 #endif
             return 1;
         }
@@ -159,7 +162,7 @@ int exec_revoke(void)
     int ret = BOOT_KEY_REVOKE_OK;
     psa_status_t status = psa_crypto_init();
 
-    if (!validated_with) {
+    if (validated_with == VALIDATED_WITH_UNINITIALIZED) {
         ret = BOOT_KEY_REVOKE_INVALID;
         goto out;
     }
@@ -170,7 +173,7 @@ int exec_revoke(void)
             goto out;
     }
     for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; i++) {
-        if ((key_ids + i) == validated_with) {
+        if ( i == validated_with) {
             break;
         }
         BOOT_LOG_DBG("Invalidating key ID %d", i);
@@ -179,7 +182,7 @@ int exec_revoke(void)
         if (status == PSA_SUCCESS) {
             BOOT_LOG_DBG("Success on key ID %d", i);
         } else {
-            BOOT_LOG_ERR("Key invalidation failed with: %d", status);
+            BOOT_LOG_DBG("Key invalidation failed with: %d", status);
         }
     }
 out:
diff --git a/boot/zephyr/firmware_loader_bm.c b/boot/zephyr/firmware_loader_bm.c
index 14d5c96bd..e8f43a9d1 100644
--- a/boot/zephyr/firmware_loader_bm.c
+++ b/boot/zephyr/firmware_loader_bm.c
@@ -15,6 +15,7 @@
 #include "bootutil/bootutil_public.h"
 #include "bootutil/fault_injection_hardening.h"
 #include <bm_installs.h>
+#include "bootutil/key_revocation.h"
 
 #include "io/io.h"
 #include "mcuboot_config/mcuboot_config.h"
@@ -249,6 +250,15 @@ boot_go(struct boot_rsp *rsp)
     }
 #endif
 
+#if defined(CONFIG_BOOT_KEYS_REVOCATION)
+    if (softdevice_image_valid == true && firmware_loader_image_valid == true) {
+        allow_revoke();
+        if (revoke() != BOOT_KEY_REVOKE_OK) {
+            return -1;
+        }
+    }
+#endif /*CONFIG_BOOT_KEYS_REVOCATION*/
+
     if (app_installer_image_valid == true && app_installer_is_installer_image == true) {
         /* Installer image is present, this gets priority */
         BOOT_LOG_DBG("Booting installer");