General discussion • Locking Secure-boot on Pi4B

Hello,

I have a Raspberry Pi 4B.
I'm trying to "lock" secure-boot in OTP, but I fail to understand how to do this.
I tried different ways, but none of them seem to work. I can perfectly enable signed boot, everything seems to work.
But not the "locking"...

I tried following https://github.com/raspberrypi/usbboot/ ... /README.md
In step 1, I manage to erase my EEPROM, using a blank SD-CARD with recovery.bin on it and a config.txt with "erase_eeprom=1"
This works. My Raspberry Pi shows a black screen. No boot messages. Nothing.

Then I want to update the bootloader using "self-update".

My boot.conf:

Code:

[all]
# If 1 then enable UART debug output on GPIO 14 and 15. Configure the receiving debug terminal at 115200bps, 8 bits, no parity bits, 1
BOOT_UART=0
# If 1 then sudo halt will run in a lower power mode until either GPIO3 or GLOBAL_EN are shorted to ground.
WAKE_ON_GPIO=0
POWER_OFF_ON_HALT=1
HDMI_DELAY=0

# Boot Order Codes, from https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#BOOT_ORDER
# Only allow SD Card boot, repeat on fail
BOOT_ORDER=0xf1

# Enable self-update mode
ENABLE_SELF_UPDATE=1

# Select signed-boot mode in the EEPROM. This can be used during development
# to test the signed boot image. Once secure boot is enabled via OTP this setting
# has no effect i.e. it is always 1.
SIGNED_BOOT=1

I copy: pieeprom.bin, pieeprom.sig and recovery.bin to an empty 2GB FAT32 SD-CARD.
Here is how i generate my pieeprom files:

Code:

# Sign boot.conf with the private key; the signature goes into the EEPROM image.
echo "> Signing the bootloader configuration..."
rpi-eeprom-digest -k "${PRIVATE_KEY}" -i "${BOOT_CONF}" -o "${BOOT_CONF_SIG}"

# Embed the signed boot.conf and the key into the factory EEPROM image.
echo "> Create signed bootloader..."
rpi-eeprom-config -p "${PRIVATE_KEY}" -c "${BOOT_CONF}" -d "${BOOT_CONF_SIG}" -o "${PIEEPROM_UPD}" "${PIEEPROM_FACT}"

# Digest of the finished image; recovery.bin checks this against the image on the card.
echo "> Create bootloader signature..."
rpi-eeprom-digest -i "${PIEEPROM_UPD}" -o "${PIEEPROM_SIG}"

echo "> Exporting recovery.bin..."
cp -v "${PIEEPROM_DIR}/recovery.bin" "${OUTPUT_FOLDER}"

I also put config.txt on the SD-CARD to embed the public key in OTP and revoke devkeys:

Code:

uart_2ndstage=0

# Mark the EEPROM as write protected when the EEPROM /WIP pin is pulled low.
# See https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#eeprom_write_protect
eeprom_write_protect=1

# Uncomment to enable secure-boot. This
# locks the device to the public key in the EEPROM by storing the
# sha256 hash of the public key in OTP.
#
# This option also prevents the ROM from loading recovery.bin from SD/EMMC
# which means that the bootloader can only be updated via RPIBOOT or self-update.
#
# Uncomment program_pubkey=1 to enable this
# WARNING: THIS OPTION MODIFIES THE BCM2711 CHIP AND IS IRREVERSIBLE.
program_pubkey=1

# Uncomment to revoke the ROM development key via OTP preventing older
# bootloader or recovery.bin releases from running on this Pi
# WARNING: THIS OPTION MODIFIES THE BCM2711 CHIP AND IS IRREVERSIBLE.
#
# DO NOT SET THIS OPTION UNTIL THE BOOTLOADER IS SIGNED WITH THE SECURE
# BOOT KEY. IT WILL PREVENT THE PI FROM BOOTING.
revoke_devkey=1

# Pi 4B and Pi400 do not have a dedicated RPIBOOT jumper so a different GPIO
# must be used to enable RPIBOOT if pulled low. The options are 2,4,5,6,7,8.
#
# This option has no effect on CM4.
# WARNING: THIS OPTION MODIFIES THE BCM2711 CHIP AND IS IRREVERSIBLE.
#program_rpiboot_gpio=8

# Permanently disable VideoCore JTAG access.
# Warning: This option limits the ability to do failure analysis on
# boards returned to resellers or Raspberry Pi Trading Ltd.
#program_jtag_lock=1

But this always gives me a red screen. When I reboot after this, the bootloader seems to be installed, but nothing is locked in OTP. It simply ignores the config.txt parameters "revoke_devkey=1" and "program_pubkey=1".

It loads my signed boot.img, but nothing is locked in OTP:
I can simply restore the factory pieeprom.bin from the rpi-imager.
"vcgencmd otp_dump" also shows me nothing is burned into OTP.


I know the manual on https://github.com/raspberrypi/usbboot/ ... t-recovery uses "rpiboot" (and even a "CM400"), but I'm not using that. I want to use simple SD-CARDs and use the "self-update" concept. I understand "self update" as putting the pieeprom.upd, pieeprom.bin and recovery.bin on the SD-CARD. It does work to enable signed boot. But not to lock it in OTP...

I probably cannot use rpiboot anyway (?), because I have no access to the USB-C connector. It's embedded in a casing.
We use Raspberry Pis as a part of our product (ventilation/automation). Screwing them open during production is not an option.


Can someone please explain how I can set "revoke_devkey=1" and "program_pubkey=1" into my bootloader?
I would be very grateful, everything seems to work, but not this last step... It seems so trivial but no luck so far.

Statistics: Posted by waterlemonmelon — Thu Mar 14, 2024 3:05 pm
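A pre-flight check for the files the post copies to the SD card, added here as an example and not part of the original post or of the rpi-eeprom tools: it parses a pieeprom.sig and confirms the digest really belongs to the pieeprom.bin sitting next to it, so a stale or mismatched signature is caught before the card goes into a sealed unit. The .sig layout is assumed to be a sha256 hex line, a "ts:" line and, only when -k was used, an "rsa2048:" line; the image and signature below are constructed, not real bootloader data.

```python
import hashlib
import time

# Constructed sample, not a real bootloader image: a fake EEPROM blob and the
# pieeprom.sig that rpi-eeprom-digest would write for it. Assumed .sig layout:
# first line is the sha256 hex digest, then "ts: <epoch>", and, only when the
# digest was made with -k, an "rsa2048: <hex>" line.
SAMPLE_IMAGE = b"\x00" * 1024 + b"pieeprom-sample-image" + b"\xff" * 1024
SAMPLE_SIG = hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "\nts: 1710428700\n"


def parse_sig(sig_text):
    """Parse a pieeprom.sig style file into a dict (sha256, ts, rsa2048)."""
    lines = [ln.strip() for ln in sig_text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty .sig file")
    digest = lines[0].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("first line is not a sha256 hex digest")
    fields = {"sha256": digest, "ts": None, "rsa2048": None}
    for ln in lines[1:]:
        key, _, value = ln.partition(":")
        if key.strip() in ("ts", "rsa2048"):
            fields[key.strip()] = value.strip()
    if fields["ts"] is None or not fields["ts"].isdigit():
        raise ValueError("missing or malformed ts: line")
    return fields


def verify_image(image_bytes, sig_text, max_age_s=None, now=None):
    """True if the image's sha256 matches the .sig digest.

    With max_age_s set, a signature timestamp in the future or older than
    max_age_s is rejected too, as a sanity check on the build pipeline.
    """
    fields = parse_sig(sig_text)
    if hashlib.sha256(image_bytes).hexdigest() != fields["sha256"]:
        return False
    if max_age_s is not None:
        now = int(time.time()) if now is None else now
        ts = int(fields["ts"])
        if ts > now or now - ts > max_age_s:
            return False
    return True


if __name__ == "__main__":
    print("untampered:", verify_image(SAMPLE_IMAGE, SAMPLE_SIG))
    print("tampered:  ", verify_image(SAMPLE_IMAGE[:-1] + b"\x00", SAMPLE_SIG))
```

To run it on real files, read pieeprom.bin as bytes and pieeprom.sig as text and pass both to verify_image before writing the card.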
