search

raspberrypi / usbboot

Raspberry Pi USB booting code, moved from tools repository
Apache License 2.0
926 stars 239 forks source link

Writing eeprom with secure boot on RPi5 make the device unbootable #259

Open dandrej opened 8 hours ago

dandrej commented 8 hours ago

Describe the bug

The recovery procedure is applied to the Raspberry Pi 5 8GB. It is described in secure-boot-recovery5/readme.md and ends with success (green HDMI display, green LED flashes rapidly). After the power is off and on again the board LED flashes 1 long 2 short. The hardware doesn't boot images but is still in nRPIBOOT mode. Applying the same eeprom image again produces the same results (eeprom flashing with success indication). Applying the recovery5 without the secure boot makes the device bootable again. This behavior repeats on three different RPi5 boards.

Steps to reproduce the behaviour

git clone --recurse-submodules --shallow-submodules --depth=1 https://github.com/raspberrypi/usbboot cd usbboot make cd secure-boot-recovery5 _# fix the wrong symlink recovery.original.bin -> ../recovery5/recovery.bin rm recovery.original.bin ln -s ../firmware/2712/recovery.bin recovery.original.bin ../tools/update-pieeprom.sh -f -k ../secure-boot-example/example-private.pem ../rpiboot -d .

Device(s)

Other

Compute Module IO board.

No response

RPIBOOT logs

No response

Kernel logs

No response

Device UART logs

No response

timg236 commented 8 hours ago

Not sure what you are asking for here. The original bootcode5.bin must NOT be signed with the customer key but enabling secure boot it MUST be signed with the customer key. The bootrom will not boot a non-secure system with a signed image and will also not boot a secure-system with an unsigned image.

pelwell commented 8 hours ago

It might be helpful for you to explain:

  1. what you are trying to achieve,
  2. how what you have described fits into that, and
  3. what you would have expected to happen?
dandrej commented 7 hours ago

  1. what you are trying to achieve I try to switch on the secure boot. So the bootloader may check the boot.img sign.

  2. how what you have described fits into that I have RPi4 and RPi5 system. When I apply instructions in secure-boot-recovery/readme.md to RPi4 I have the system that (after power off/on) tries to boot from SD card, SSD, etc. And it can boot from the SD card with boot.img signed properly. When I apply instructions in secure-boot-recovery5/readme.md to RPi5 I have the system that (after power off/on) still in nRPIBOOT mode. It doesn't try to boot from anything.

  3. what you would have expected to happen? I would expected be able to boot the properly signed image on RPi5 after activation procedure described in secure-boot-recovery5/readme.md like as secure-boot-recovery/readme.md works in the case of RPi4.

timg236 commented 7 hours ago

If you are able to revert the change and use recovery5 then it suggests that secure-boot was never enabled.

Please can you post the full sequence of rpiboot commands and corresponding UART logs from Pi5 for each stage.

dandrej commented 6 hours ago

The full sequence of rpiboot command is in Steps to reproduce the behavior. There is no UART log of this process. The log is empty. I connect the same USB TTL converter on the same RPi5 pins as on RPi4. And RPi4 produces the debug log and RPi5 produces no log. The uart_2ndstage=1 exists in the both config.txt. BOOT_UART=1 exists in the both boot.conf.

pelwell commented 6 hours ago

Pi 5 debug output is on the 3-pin connector labelled UART (between the two HDMI connectors).

timg236 commented 5 hours ago

I forgot to add, when designing a secure-boot system we recommend using the higher level sb-provisioner tool because it supports provisioning of LUKS encrypted file-systems. It's built on top of these low level tools and is open-source shell script if a bespoke solution is required.

https://github.com/raspberrypi/rpi-sb-provisioner