docs: rpi-secure-boot: update with USB booting re-provisioning process
Also, remove the mention that write protecting further OTP changes is
globally possible, as only the customer OTP registers have this feature
and these are not used by the secure boot implementation.

Change-type: patch
Signed-off-by: Alex Gonzalez <alexg@balena.io>
alexgg committed Jul 8, 2024
1 parent ed78948 commit 9a9357a
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions docs/rpi-secure-boot.md
Expand Up @@ -49,22 +49,20 @@ The partitions are mounted under `/mnt/boot` and `/mnt/rpi` respectively.

## Device locking

RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed `boot.img` file with the following `config.txt` settings:
RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed EEPROM image file with the following `config.txt` settings:

* **revoke_devkey=1**: Prevents EEPROM downgrades to versions that don't support secure boot
* **program_pubkey=1**: Programs the digest of the EEPROM's public key to OTP
* **program_jtag_lock=1**: Disables the GPU JTAG interface
* **eeprom_write_protect=1**: Sets the EEPROM to write protect

Finally, further OTP changes can be locked down to prevent mangling of OTP data.

## EEPROM updates on locked devices

Once a device is secure boot enabled and is locked down, `rpiboot` driven EEPROM updates will no longer work. Only EEPROM self-updates are possible.

## Re-programming of locked devices

Once a device is secure boot enabled and is locked down, `rpiboot` needs to use a dedicated signed `boot.img` to expose the encrypted internal storage and allow re-programming.
Once a device is secure boot enabled and is locked down, re-programming can be done by USB booting a signed flasher images. The use of `rpiboot` to expose internal storage is not supported.

## Debugging
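
Review bot: In the "Re-programming of locked devices" section the added sentence reads "a signed flasher images", which mixes singular and plural; make it "a signed flasher image" or "signed flasher images". The commit subject promises the USB booting re-provisioning process, but the section only states that it can be done, so consider adding the steps or a link to them (how the flasher image is signed and how a locked device is started from USB). In "Device locking" the file is now described as a signed EEPROM image while the bullets are still introduced as `config.txt` settings; say where that `config.txt` lives so readers know which file carries them. The removed OTP lock-down sentence could be replaced by one line stating that only the customer OTP registers can be write protected and that secure boot does not use them, as the commit message explains, rather than dropping the topic without a trace in the document.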
