Advanced users • Signed (secure) boot questions

Hi,
I have a Raspberry Pi 4B and I managed to enable signed (secure) boot using rpiboot mode and from the device itself. Works perfectly.
From on-device, secure boot can be enabled using these commands (for bookworm and later, the firmware path is /usr/lib/firmware/raspberrypi/bootloader-2711/stable/pieeprom-*):

Code:

rpi-eeprom-digest -k /run/private.pem -i /etc/signed_boot/boot.conf -o /run/bootconf.sig
rpi-eeprom-config --config /etc/signed_boot/boot.conf --digest /run/bootconf.sig --pubkey /etc/signed_boot/public.pub --out /run/pieeprom-signed.bin $(ls -t /usr/lib/firmware/raspberrypi/bootloader/stable/pieeprom-* | tail -n1)
rpi-eeprom-update -d -f /run/pieeprom-signed.bin
boot.conf is pretty standard:

Code:

[all]
BOOT_UART=1
WAKE_ON_GPIO=0
POWER_OFF_ON_HALT=1
HDMI_DELAY=0
BOOT_ORDER=0xf25641
ENABLE_SELF_UPDATE=1
SIGNED_BOOT=1
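As an added example (not code from the original post), the same sign-and-flash sequence wrapped in preflight checks: it stops unless boot.conf contains SIGNED_BOOT=1 and the public key file actually corresponds to the private key used for signing (a mismatch would produce an EEPROM that rejects its own signed config), and it selects the newest image by its date-stamped filename instead of by mtime. Paths and tool flags are the ones from the post; that public.pub is a PEM public key is an assumption.

```shell
#!/bin/sh
# Added example, not the original poster's script. Preflight checks around
# rpi-eeprom-digest / rpi-eeprom-config / rpi-eeprom-update as used in the post.
set -eu

KEY=${KEY:-/run/private.pem}
CONF=${CONF:-/etc/signed_boot/boot.conf}
PUB=${PUB:-/etc/signed_boot/public.pub}
IMGDIR=${IMGDIR:-/usr/lib/firmware/raspberrypi/bootloader/stable}

# Newest pieeprom image by its date-stamped name (pieeprom-YYYY-MM-DD.bin).
# Sorting by name is deterministic; "ls -t | tail -n1" picks the OLDEST mtime.
latest_image() {
    ls "$1"/pieeprom-*.bin 2>/dev/null | sort | tail -n 1
}

# True when the EEPROM config enables signed boot.
conf_has_signed_boot() {
    grep -qx 'SIGNED_BOOT=1' "$1"
}

# True when the PEM public key file is the one derived from the private key
# (assumption: public.pub is PEM, as produced by "openssl rsa -pubout").
pubkey_matches() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(cat "$2")" ]
}

sign_and_flash() {
    conf_has_signed_boot "$CONF" || { echo "SIGNED_BOOT=1 missing in $CONF" >&2; return 1; }
    pubkey_matches "$KEY" "$PUB" || { echo "$PUB does not match $KEY" >&2; return 1; }
    img=$(latest_image "$IMGDIR")
    [ -n "$img" ] || { echo "no pieeprom image in $IMGDIR" >&2; return 1; }
    rpi-eeprom-digest -k "$KEY" -i "$CONF" -o /run/bootconf.sig
    rpi-eeprom-config --config "$CONF" --digest /run/bootconf.sig --pubkey "$PUB" \
        --out /run/pieeprom-signed.bin "$img"
    rpi-eeprom-update -d -f /run/pieeprom-signed.bin
}

# Only flash when explicitly asked, so the functions can be sourced and tested.
if [ "${RUN_NOW:-0}" = 1 ]; then
    sign_and_flash
fi
```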
The questions I got during the setup and cannot find answers for:
1. When enabling signed boot I put the pub key into the pieeprom so I can safely add program_pubkey=1 to config.txt. And then reboot the device. The question is: can I add revoke_devkey=1 to config.txt before the first reboot, after which signed boot will be enabled and my pubkey will be written to OTP? Like a one-step task: write pub key to OTP, enable signed boot, disable devkey.
2. Is there any way to update the pieeprom from on-device after enabling signed boot? I see that the docs say that after program_pubkey=1 the only way to update the pieeprom is rpiboot or self-update. And I need clarification of *self-update* because I probably don't understand what it means. I want to be able to keep updating the signed pieeprom on a remote device when I will not be able to physically access it.
3. After enabling signed boot, can I disable it? AFAIK I can disable it unless program_pubkey=1 is set, since the documentation says "Once secure boot is enabled via OTP", and program_pubkey=1 is the way to set it via OTP. Correct me if I'm wrong.

Thank you and appreciate your help,
Serhii M.

Statistics: Posted by serhiimi — Thu Jun 27, 2024 10:30 am
