As a customer rpi-sign-bootcode does nothing on Raspberry Pi 4 / 2711 the bootROM only accepts a single RSA signature for the VPU firmware which must match one of the 4 public keys owned by Raspberry Pi which are baked into the chip.
i.e. There's some source code there used by the internal build system but it's basically useless except for reference to anyone outside of Raspberry Pi.
Secure-boot on BCM2711 allows the end user to specify the RSA key which signs the EEPROM config and boot.img files but not the bootcode.bin firmware.
On BCM2712 the customer key key is used to sign boot.img but the bootROM also requires this key to sign the VPU firmware 'bootcode.bin' in addition to Raspberry Pi.
update-pieeprom.sh mostly hides this extra step but I'd recommend using the secure-boot provisioner to drive this at a higher level e.g. updating already provisioned images and extracting diagnostics from rpiboot.
See 'chain of trust' diagrams in the secure-boot repo.
i.e. There's some source code there used by the internal build system but it's basically useless except for reference to anyone outside of Raspberry Pi.
Secure-boot on BCM2711 allows the end user to specify the RSA key which signs the EEPROM config and boot.img files but not the bootcode.bin firmware.
On BCM2712 the customer key key is used to sign boot.img but the bootROM also requires this key to sign the VPU firmware 'bootcode.bin' in addition to Raspberry Pi.
update-pieeprom.sh mostly hides this extra step but I'd recommend using the secure-boot provisioner to drive this at a higher level e.g. updating already provisioned images and extracting diagnostics from rpiboot.
See 'chain of trust' diagrams in the secure-boot repo.
Statistics: Posted by timg236 — Wed Aug 14, 2024 8:40 pm