raspberrypi / pico-examples

Output OTP decryption key JSON file for `encrypted` example always uses example key (`00010203...`) #528

Closed 0xTJ closed 1 month ago

0xTJ commented 3 months ago

In the example at bootloaders/encrypted, the README.md file gives instructions on how to generate a new AES key with the command:

```
dd if=/dev/urandom of=privateaes.bin bs=1 count=32
```

However, the otp.json file in the CMake build binary directory, which contains the data to be programmed into the decryption key OTP rows, is simply a copy of the otp.json in the example directory. This can be confusing to the user since, if (the CMake binary directory copy of) otp.json is used to program OTP, the example key will be permanently burned into OTP, when they might expect the new key to be used instead.

This is particularly confusing as the signing key is correctly filled out (by picotool) to hello_serial_enc.otp.json. I believe that there should either be a note indicating that the key in otp.json will not be updated with a newly-generated key, or some script/instructions for generating a decryption key OTP file (from privateaes.bin) should be added.

will-v-pi commented 1 month ago

Merged into develop
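
A pre-flight check for the situation described in this issue, as an added example (not code from pico-examples or picotool): it confirms that the OTP JSON file about to be programmed actually contains the bytes of privateaes.bin. It assumes the key is stored in the JSON as a contiguous list of byte values (numbers or hex strings) in the same byte order as the file; the script name `check_otp_key.py` is hypothetical.

```python
import json
import sys
from pathlib import Path

# Assumption: the OTP JSON stores the key as a list of byte values
# (ints or strings such as "0x1f"), in the same order as the key file.
def _as_byte(item):
    """Return item as an int in 0..255, or None if it is not a byte value."""
    if isinstance(item, str):
        try:
            item = int(item, 0)
        except ValueError:
            return None
    ok = isinstance(item, int) and not isinstance(item, bool) and 0 <= item <= 0xFF
    return item if ok else None

def byte_arrays(node):
    """Yield every JSON list made up entirely of byte values, as bytes."""
    if isinstance(node, dict):
        for child in node.values():
            yield from byte_arrays(child)
    elif isinstance(node, list):
        values = [_as_byte(i) for i in node]
        if values and None not in values:
            yield bytes(values)
        else:
            for child in node:
                yield from byte_arrays(child)

def otp_json_contains_key(otp_text, key):
    """True if the key bytes appear contiguously in some byte array."""
    return any(key in arr for arr in byte_arrays(json.loads(otp_text)))

def main(argv):
    key = Path(argv[1]).read_bytes()            # e.g. privateaes.bin
    if len(key) != 32:
        sys.exit(f"{argv[1]}: expected 32 bytes, got {len(key)}")
    found = otp_json_contains_key(Path(argv[2]).read_text(), key)
    print("OK: key found in" if found else "MISMATCH: key not found in", argv[2])
    return 0 if found else 1                    # non-zero: do not program OTP

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_otp_key.py KEY.bin OTP.json")
    sys.exit(main(sys.argv))
```

A non-zero exit status means the JSON file does not carry the key that was generated, so it should not be written to OTP as it stands.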