Advanced users • program_pubkey automation (secure boot CM4)

Hello,

In regard to secure boot on CM4 we have the following situation:
We have a signed image (built with pi-gen) and a signed bootloader (EEPROM). Secure boot without the OTP hash verification works as expected.
-> We now want to write the SHA256 hash of the public key into the OTP, to make sure only bootloaders signed with our public key are allowed to proceed.
-> We know this can be set using the 'program_pubkey=1' flag inside the config.txt when using rpiboot (CM4 connected through USB). This also works as expected.
However, in regard to automating our process, we use cmprovision (Ethernet instead of USB) to flash the EEPROM and install our images. Is there a way to write the hash into the OTP using cmprovision, or by writing the OTP with a script at first boot, ... or something similar?
It seems that only customer OTP records can be manually overwritten. We have also tried a few more things, like adding 'program_pubkey=1' to the config.txt of the image that gets installed.

Thanks in advance.

Statistics: Posted by nachte — Thu Dec 05, 2024 2:57 pm — Replies 1 — Views 33
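The post above describes pinning a SHA-256 hash of the signing public key in OTP so that a bootloader whose embedded key does not match that hash is rejected before its signature is even checked. The following is an added example, not code from the post, from Raspberry Pi's usbboot/rpi-eeprom tooling, or from cmprovision: it models that two-step check (key hash against the pinned OTP value, then signature against the embedded key) in plain Python. The key encoding, container layout, signature scheme and tiny RSA primes are all constructed for the demo and are not the Raspberry Pi pubkey.bin or OTP layout; the key sizes are deliberately toy-sized so the block runs with the standard library only.

```python
import hashlib
import struct

E = 65537  # public exponent (standard choice)


def make_toy_key(p, q):
    """Build a toy RSA keypair from two small primes.
    Constructed demo values only: real signing keys are 2048-bit or larger."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent via modular inverse
    return {"n": n, "e": E, "d": d}


def encode_pubkey(key):
    """Constructed public-key encoding: 8-byte modulus || 4-byte exponent, big-endian.
    (Assumption for the demo; NOT the Raspberry Pi pubkey.bin format.)"""
    return struct.pack(">QI", key["n"], key["e"])


def decode_pubkey(blob):
    n, e = struct.unpack(">QI", blob[:12])
    return {"n": n, "e": e}


def pubkey_hash(key):
    """SHA-256 of the encoded public key: the value that would be pinned in OTP."""
    return hashlib.sha256(encode_pubkey(key)).digest()


def sign(key, payload):
    """Toy RSA signature over the SHA-256 of the payload (textbook, no padding; demo only)."""
    m = int.from_bytes(hashlib.sha256(payload).digest(), "big") % key["n"]
    return pow(m, key["d"], key["n"]).to_bytes(8, "big")


def verify(key, payload, sig):
    m = int.from_bytes(hashlib.sha256(payload).digest(), "big") % key["n"]
    return pow(int.from_bytes(sig, "big"), key["e"], key["n"]) == m


def build_bootloader(key, payload):
    """Constructed container: pubkey(12 bytes) || signature(8 bytes) || payload."""
    return encode_pubkey(key) + sign(key, payload) + payload


def check_bootloader(image, otp_hash):
    """Boot-time style gate: the embedded key must hash to the pinned OTP value first;
    only then is its signature over the payload verified. Returns (ok, reason)."""
    if len(image) < 20:
        return (False, "truncated image")
    pub_blob, sig, payload = image[:12], image[12:20], image[20:]
    if hashlib.sha256(pub_blob).digest() != otp_hash:
        # A validly signed image under a different key is rejected here,
        # which is exactly what pinning the hash in OTP buys you.
        return (False, "public key hash does not match OTP")
    if not verify(decode_pubkey(pub_blob), payload, sig):
        return (False, "signature invalid")
    return (True, "ok")


# Constructed keys: small primes just above 10^6 (demo only).
VENDOR_KEY = make_toy_key(1000003, 1000033)
OTHER_KEY = make_toy_key(1000037, 1000039)
OTP_HASH = pubkey_hash(VENDOR_KEY)  # the value "burned" into OTP for the demo


def demo():
    """Three images: genuine, signed by a non-pinned key, and tampered payload."""
    payload = b"constructed bootloader payload"
    good = build_bootloader(VENDOR_KEY, payload)
    wrong_key = build_bootloader(OTHER_KEY, payload)  # valid signature, wrong key
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])    # flip one payload bit
    return [check_bootloader(img, OTP_HASH) for img in (good, wrong_key, tampered)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The ordering matters: the key-hash comparison is done before any signature arithmetic, so an image carrying an attacker-chosen key never reaches the signature step. A provisioning pipeline can run the same `check_bootloader` logic on the host against the hash it intends to burn, as a pre-flight check that the EEPROM image being pushed really was signed with the key that is about to be pinned.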