Hello again. I had a secure boot setup working for days, finally decided to enable the program_pubkey=1 option to write the key to the OTP.
Just for the record this is how I generated my files:
So I have a signed eeprom config (boot.conf.sig), I create a new eeprom image using it and also sign it (pieeprom.upd + pieeprom.sig). I create and sign boot.img and boot.sig, everything is using the same key. I also have config.txt in the first partition with program_pubkey=1 set
With such a prepared sdcard the eeprom and otp was written but now the board seems stuck. On power on i get 3 orange flashes (1 long, 2 short). Here's the log I saw in the UART
It gets stuck here so I counter signed recovery.bin to flash eeprom againSo my recovery.bin ran and didn't do anything since the eeprom image didnt' change. At this point no more logs are printed on the uart. Even if I place a signed recovery.bin again nothing is printed on UART, though I see the led turn green for a moment, so I assume it is executed, then goes back to getting stuck.
It seems like it fails to read boot.img or something but why ? It is signed correctly, it passes validation by rpi-eeprom-digest tool. Besides, in the past I would see the logs that this file is bad or theres some problem with SD card, I still have all the default boot order values, it should try to boot from USB next but nothing happens. Just 3 orange flashes which are not documented in the led status table. Please help.
Just for the record this is how I generated my files:
Code:
BOOT_SRC="boot-img-dir"SRC_DIR="usbboot/secure-boot-recovery5"DST_DIR="boot-partition-dir"PRV_KEY="secret-keys/rpi5-secure-boot/private.pem"PUB_KEY="secret-keys/rpi5-secure-boot/public.pem"TOOLS="usbboot/tools"mkdir -p ${BOOT_SRC}mkdir -p ${DST_DIR}echo "Generate boot.img"sudo ${TOOLS}/make-boot-image -d ${BOOT_SRC} -o ${DST_DIR}/boot.imgecho "Sign bootloader config"${TOOLS}/rpi-eeprom-digest -k ${PRV_KEY} -i ${SRC_DIR}/boot.conf -o ${DST_DIR}/boot.conf.sigecho "Generate ${DST_DIR}/pieeprom.upd"${TOOLS}/rpi-eeprom-config -c ${SRC_DIR}/boot.conf -d ${DST_DIR}/boot.conf.sig -p ${PUB_KEY} -o ${DST_DIR}/pieeprom.upd ${SRC_DIR}/pieeprom.original.binecho "Sign eeprom image to ${DST_DIR}/pieeprom.sig"${TOOLS}/rpi-eeprom-digest -i ${DST_DIR}/pieeprom.upd -o ${DST_DIR}/pieeprom.sigecho "Sign boot.img to ${DST_DIR}/boot.sig"${TOOLS}/rpi-eeprom-digest -i ${DST_DIR}/boot.img -o ${DST_DIR}/boot.sig -k ${PRV_KEY}With such a prepared sdcard the eeprom and otp was written but now the board seems stuck. On power on i get 3 orange flashes (1 long, 2 short). Here's the log I saw in the UART
Code:
SIG pieeprom.sig <hash> 1724505847Reading EEPROM: 2097152 bytes 0xc11600002483msWriting EEPROM...........................................................................................................................................................................+...................................................................................................................................................................................................................................................................................................................................................+575msVerify BOOT EEPROMReading EEPROM: 2097152 bytes 0xc11600002483msBOOT-EEPROM: UPDATEDRSA verifyrsa-verify pass (0x0)Public key hash <hash>OTP updated for key <hash>rename recovery.bin to RECOVERY.000Code:
SIG pieeprom.sig <hash> 1724505847Reading EEPROM: 2097152 bytes 0xc11600002483msBootloader EEPROM is up to dateRSA verifyrsa-verify pass (0x0)Public key hash <hash>OTP updated for key <hash>rename recovery.bin to RECOVERY.000'RECOVERY.000' already existsrename recovery.bin to RECOVERY.001It seems like it fails to read boot.img or something but why ? It is signed correctly, it passes validation by rpi-eeprom-digest tool. Besides, in the past I would see the logs that this file is bad or theres some problem with SD card, I still have all the default boot order values, it should try to boot from USB next but nothing happens. Just 3 orange flashes which are not documented in the led status table. Please help.
Statistics: Posted by pseregiet — Sat Aug 24, 2024 2:03 pm — Replies 0 — Views 60