Closed ertsth closed 1 month ago
Have you used GPIO 6 for the nRPIBOOT GPIO? If this is the case I think you might need to add "program_rpiboot_gpio=6" to config.txt as well.
Yes, I'm using GPIO6 to boot in RPIBOOT mode, it was programmed previously. But I thought that the config option program_rpiboot_gpio=6 enables gpio6 in OTP memory and therefore has no effect after it was programmed, at least that's what the documentation says. Do I need to have this line in config.txt every time I want to change something in the signed bootloader?
I think you need it when enabling secure boot. It's playing safe to make sure OTP is set correctly for the GPIO you have chosen because a side effect of enabling secure-boot is that SD boot by the BOOTROM is disabled, i.e. you can only update the eeprom with rpiboot via the nRPIBOOT gpio. Hope that makes sense.
Thanks for the quick answer! I can confirm that everything works as expected after I've added program_rpiboot_gpio=6 to my config.txt file. However, I'd like to clarify something since I haven't found anything about it in the documentation. So, the 'correct' workflow for locking secure boot is:
Does N need to be the same? For example, what if I've programmed GPIO6 but changed the config to program_rpiboot_gpio=4 when locking secure boot? Is this option only required to be present, or does it have to match the currently OTP-programmed nRPIBOOT GPIO?
And the most important, it should be documented somewhere, right? Because that's a very simple but not very obvious detail.
Yes, the documentation could be improved. I've not tried it but I suspect steps 2 and 3 could be combined. But doing these steps separately might be safer as it's reducing the possibility of bricking a device during testing.
Does N need to be the same?
Yes it absolutely must be the same. Once OTP has been programmed it will generate an error if there's an attempt to change the GPIO again. It will however succeed in programming an OTP field to the same value.
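A pre-flight check that captures the two points made in this thread: program_pubkey=1 must be present, and program_rpiboot_gpio=N must be present and equal to the GPIO already burned into OTP, since OTP cannot be changed and a mismatch makes recovery fail. This is an added example, not part of the usbboot project; it assumes the key=value config.txt layout of secure-boot-recovery and that you pass the previously programmed GPIO number yourself.

```shell
#!/bin/sh
# Check secure-boot-recovery/config.txt before running rpiboot to lock
# secure boot. Added example, not usbboot's own tooling.

# Print the value of key $2 from config file $1 (last occurrence wins,
# '#' comments and trailing comments are ignored); empty if absent.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when config $1 is safe to use with OTP nRPIBOOT GPIO $2.
# 1: program_pubkey=1 missing   2: program_rpiboot_gpio missing
# 3: program_rpiboot_gpio does not match the GPIO already in OTP
check_lock_config() {
    cfg="$1"; otp_gpio="$2"
    [ "$(cfg_get "$cfg" program_pubkey)" = "1" ] || return 1
    gpio="$(cfg_get "$cfg" program_rpiboot_gpio)"
    [ -n "$gpio" ] || return 2
    [ "$gpio" = "$otp_gpio" ] || return 3
    return 0
}

# Usage: sh check-lock.sh secure-boot-recovery/config.txt 6
if [ "$#" -eq 2 ]; then
    check_lock_config "$1" "$2" && rc=0 || rc=$?
    case "$rc" in
        0) echo "OK: config matches OTP nRPIBOOT GPIO $2" ;;
        1) echo "program_pubkey=1 is missing" ;;
        2) echo "program_rpiboot_gpio is missing; it is required when locking" ;;
        3) echo "program_rpiboot_gpio differs from OTP GPIO $2; OTP cannot be changed" ;;
    esac
    exit "$rc"
fi
```

Run it before `sudo ../rpiboot -d .` and only proceed on exit status 0.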
Describe the bug
I want to lock secure mode on my Raspberry Pi 4B completely, to have a bootloader that ignores any recovery.bin that is not signed with my RSA private key. I followed the instructions in this repo (https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md#locking-secure-boot-mode) and the general secure boot instructions (https://pip.raspberrypi.com/categories/685-whitepapers-app-notes/documents/RP-003466-WP/Boot-Security-Howto.pdf). When I'm trying to lock the bootloader with program_pubkey=1, recovery fails (red screen and error in logs). Similar issue: #143
Steps to reproduce the behaviour
Changed secure-boot-recovery/config.txt to the following, then ran:
cd secure-boot-recovery
../tools/update-pieeprom.sh -k ../private.pem
sudo ../rpiboot -d .
Device(s)
Other
Compute Module IO board.
No response
RPIBOOT logs
Kernel logs
no kernel
Device UART logs