I'm trying to implement Secure Boot for Raspberry Pi 5 and struggling to connect the dots in RPi's manuals to get a working image.
The tutorial (https://github.com/raspberrypi/usbboot#secure-boot) suggests using RPi Buildroot config (https://github.com/raspberrypi/buildroo ... igned-boot) to obtain OS boot.img I can sign and flash onto SD card.
I'm new to Buildroot and such systems altogether, so I'm unfamiliar with the way to customize the config and what affects what.
I have copied raspberrypi-defconfig from clean Buildroot as raspberrypi-signed-boot and cherry-picked commits on top of it, accepting conflicts in favour of signed boot commits.
Then, I've changed all bcm2711 to bcm2712 for Device Tree files, and changed the config and cmdline files to config_5b.txt and cmdline_5.txt.
make raspberrypi-signed-boot_defconfig works and the following make fails at post-image.sh, where it cannot find the zImage file:
Code:
```
>>> Executing post-image script board/raspberrypi-signed-boot/post-image.sh
INFO: cmd: "mkdir -p "/home/user/foss-projects/buildroot/output/build/genimage.tmp"" (stderr):
INFO: cmd: "rm -rf "/home/user/foss-projects/buildroot/output/build/genimage.tmp"/*" (stderr):
INFO: cmd: "mkdir -p "/home/user/foss-projects/buildroot/output/build/genimage.tmp"" (stderr):
INFO: cmd: "cp -a "/tmp/tmp.6OLTC8CHhM" "/home/user/foss-projects/buildroot/output/build/genimage.tmp/root"" (stderr):
ERROR: file(zImage): stat(/home/user/foss-projects/buildroot/output/images/zImage) failed: No such file or directory
ERROR: vfat(boot.img): could not setup zImage
make[1]: *** [Makefile:832: target-post-image] Error 1
make: *** [Makefile:86: _all] Error 2
```
Buildroot generates kernel8.img instead:
Code:
```
$ ls -1F output/images/
bcm2712d0-rpi-5-b.dtb*
bcm2712-rpi-5-b.dtb*
kernel8.img
rootfs.cpio
rootfs.cpio.zst
rpi-firmware/
```
I tried cp output/images/kernel8.img output/images/zImage and Buildroot was happy to accept it and the build finishes successfully. Though I feel like this is not how it's supposed to be done and I should make Buildroot generate zImage (which is missing as a choice in `make menuconfig`) or make the board config use kernel8.img instead.
Code:
```
$ ls -1F output/images
autoboot.txt
bcm2712d0-rpi-5-b.dtb*
bcm2712-rpi-5-b.dtb*
boot.img
boot.sig
boot.vfat
config.txt
kernel8.img
rootfs.cpio
rootfs.cpio.zst
rpi-firmware/
sdcard.img
zImage
```
I flashed sdcard.img, did ./rpiboot -d secure-boot-recovery5 but the RPi did not boot. I feel like this is not how it's supposed to be done and like I'm missing something. Maybe specifying somewhere which kernel image to use - either somewhere in board configs I couldn't find or in Buildroot menuconfig to generate the image I'd like to use.
1. Can I use kernel8.img, zImage and Image interchangeably? How do I generate zImage or use kernel8.img?
2. cmdline_5.txt looks like "rootwait console=tty0 console=serial0,115200 root=/dev/ram0". Does root=/dev/ram0 mean there will be loaded initramfs for kernel to use as root?
3. Should I see UART output on GPIO UART pins or separate connector new to RPi5?
4. Is `make raspberrypi-signed-boot_defconfig` needed every time I change anything in config/ and board/ files?
5. How can I modify initramfs, if I would like to have encrypted rootfs? I suppose for this I need to include scripts to mount luksOpen'ed partition to use as /
Statistics: Posted by llmsrhl — Wed Jul 24, 2024 7:44 am — Replies 0 — Views 46
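Relating to question 1 above, an added example (not part of the original post and not code from Buildroot or Raspberry Pi) that identifies a kernel image by its header instead of its file name, since copying kernel8.img to zImage changes only the name. It relies on the documented header magics: `ARM\x64` at offset 56 for an arm64 `Image`, and 0x016F2818 at offset 36 for a 32-bit ARM `zImage`. The sample headers are constructed for the example and the function names are hypothetical.

```python
import struct
import sys

ARM64_MAGIC = b"ARM\x64"          # arm64 Image header, bytes 56..59
ARM32_ZIMAGE_MAGIC = 0x016F2818   # 32-bit ARM zImage, little-endian u32 at offset 36
GZIP_MAGIC = b"\x1f\x8b"          # e.g. a gzip-compressed arm64 Image.gz


def identify_kernel_image(data: bytes) -> str:
    """Classify a kernel image by its header bytes, ignoring the file name."""
    if data[:2] == GZIP_MAGIC:
        return "gzip-compressed (decompress, then inspect again)"
    if len(data) >= 64 and data[56:60] == ARM64_MAGIC:
        # image_size is the little-endian u64 at offset 16 of the arm64 header.
        image_size, = struct.unpack_from("<Q", data, 16)
        return f"arm64 Image (image_size={image_size})"
    if len(data) >= 40 and struct.unpack_from("<I", data, 36)[0] == ARM32_ZIMAGE_MAGIC:
        return "32-bit ARM zImage"
    return "unknown"


def constructed_samples() -> dict:
    """Synthetic headers built for this example; these are not real kernels."""
    arm64 = bytearray(64)
    struct.pack_into("<Q", arm64, 16, 0x01A00000)    # constructed image_size
    arm64[56:60] = ARM64_MAGIC
    arm32 = bytearray(48)
    struct.pack_into("<I", arm32, 36, ARM32_ZIMAGE_MAGIC)
    return {
        "kernel8.img": bytes(arm64),
        "zImage (copy of kernel8.img)": bytes(arm64),  # same bytes, new name
        "zImage (32-bit ARM build)": bytes(arm32),
        "Image.gz": GZIP_MAGIC + bytes(8),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 kimg.py output/images/kernel8.img output/images/zImage
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, "->", identify_kernel_image(fh.read(64)))
    else:
        for name, blob in constructed_samples().items():
            print(name, "->", identify_kernel_image(blob))
```
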