Closed Vijay-P1999 closed 2 years ago
signed boot will only require boot.img and boot.sig. The img file contains the files needed. It looks like you haven't enabled signed boot SIGNED_BOOT=1? See https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md
Thanks, I didn't enable it because it was mentioned optional in the document.
Optional. Customize the EEPROM config.
I tried booting cm4 after enabling SIGNED_BOOT=1
in boot.conf
. I get this.
And also which steps should i follow for secure-boot in cm4 - usbboot or secure-boot-recovery ?
You need to use secure-boot-recovery to flash the an EEPROM with secure-boot locked to your private key.
N.B. I'm assuming that you have already decided how your OS image will work i.e. initramfs etc
Thanks @timg236 I have no idea about how OS image will internally work. I'm just following this repo for secure-boot in CM4.
You need to use secure-boot-recovery to flash the an EEPROM with secure-boot locked to your private key.
So i guess this is next step after booting with signed boot.img
. But do you have any idea why i'm getting this error(Refer Image)?
For an OS image I'd recommend starting with the secure-boot-example which is self contained busybox image using an initframfs for the boot partition. To be secure the Kernel + m odules need to be loaded from a file-system that is verified by the signature and the easiest way to do that is have all of that in an initframfs that is loaded from boot.img https://github.com/raspberrypi/usbboot/tree/master/secure-boot-example
I suspect that the EEPROM config file doesn't have SIGNED_BOOT=1 so it will be looking for start.elf instead OR it does contain that and the SD-card is missing boot.img or boot.sig
For debugging secure-boot it's worth having a USB serial adapter because there's a lot more debug information available if you specify BOOT_UART=1 in config.txt
I suspect that the EEPROM config file doesn't have SIGNED_BOOT=1 so it will be looking for start.elf instead OR it does contain that and the SD-card is missing boot.img or boot.sig
I enabled SIGNED_BOOT=1 and i have boot.img
& boot.sig
in /boot
of RPI. But still the same error persists. This is what confusing me.
@timg236 When i was trying various options of secure-boot in CM4,Suddenly now I'm having problem with running sudo ./rpiboot
At this point, it get stuck
user1@my-pc:$ sudo ./rpiboot
RPIBOOT: build-date Apr 19 2022 version 20220315~121405 445356e1
Waiting for BCM2835/6/7/2711...
Loading embedded: bootcode4.bin
Sending bootcode.bin
Successful read 4 bytes
Waiting for BCM2835/6/7/2711...
Loading embedded: bootcode4.bin
Second stage boot server
But when i run lsusb
the PI gets detected.
user1@my-pc:$ lsusb
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 002: ID 3938:1031 MOSART Semi. 2.4G Wireless Mouse
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 1462:7c91 Micro Star International MYSTIC LIGHT
Bus 001 Device 012: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 026: ID 0a5c:2711 Broadcom Corp. BCM2711 Boot
I couldn't re-flash any OS into the CM4 also. Is the board bricked? Any suggestions?
Running rpiboot with no arguments will put the device into mass-storage mode that's the normal behaviour.
You can then copy boot.img / boot.sig to the sd-card (CM4 lite) or EMMC
Closing since this does not appear to be a bug https://forums.raspberrypi.com/viewtopic.php?p=1997280#p1997280
Hey, Tried secure-boot for RPI Compute module 4. Followed all the steps mentioned in this Repo. But ended up with an error.
Is the documentation provided in this repo are accurate and up-to-date?
Question 1: Which
/boot
content should i copy intosecure-boot-files
for generating img?/Firmware/boot
or/boot
partition in Raspberry pi OS?Question 2: What should be the final content of
/boot
? Should it contain only these files?boot.img
,boot.sig
Already tried:
Tried flashing both 32 & 64 bit OS to the CM4 and generated
boot.img
from respectiveboot
partition. Signed the img with private.pem and copied it to CM4. But still, the same error. Couldn't find any relevant issues/fix related to this.Environment:
Ubuntu 20.04.3 LTS Waveshare CM4-IO-Base-A with Raspberry Pi compute module 4