Greetings,
I've been trying to learn how to enable secure boot and firmware signing on an RP2350.
But I haven't been successful.
Maybe, some of the steps are incorrect
For information purposes,
development platform is Windows 10,
Picotool version is: picotool v2.2.0-a4 (Windows, GNU-15.1.0, Release)
For key generation OpenSSL ( https://slproweb.com/products/Win32OpenSSL.html ) is being used
=>The followed steps are:
Previous steps: Obtain a simple LED blinking compiled example in .uf2 format
(Using arduino support for RP2350, in the background it uses Pico SDK,
destination CPU is ARM-Cortex M33)
The RP2350 board works ok using the simple LED unsigned blinking example,
both GPIO24 and GPIO25 have a LED connected.
1) Private key generation. Using this command at command prompt:
openssl ecparam -name secp256k1 -genkey -noout -out private_key.pem
2) Seal the .uf2 firmware
picotool seal --verbose --sign --major 1 --minor 0 blinking_firmware.uf2 blinking_firmware_signed.uf2 private_key.pem otp_config.json
Contents of generated otp_config.json :
{
"boot_flags1": {
"key_valid": 1
},
"bootkey0": [
5,
... ( in total 32 comma separated values )
134
],
"crit1": {
"secure_boot_enable": 1
}
}
3) Copy or set the OTP config to the RP2350
picotool otp load otp_config.json
4) Enable secure boot in the RP2350
picotool otp set OTP_DATA_CRIT1.SECURE_BOOT_ENABLE 1
5) Disable SWD interface (maybe not needed until production stage)
picotool otp set OTP_DATA_CRIT1.DEBUG_DISABLE 1
6) Flash the signed binary
picotool load -v -x blinking_firmware_signed.uf2
----------------------------------------------------------------------------------------------
As result, the RP2350 now doesn´t execute non signed firmwares (as expected),
but also does not execute the signed blinking example ??
The signed firmware is intended to be executed from external flash, as usual.
Any idea what is happening?
Thanks in advance,
Best,
I've been trying to learn how to enable secure boot and firmware signing on an RP2350.
But I haven't been successful.
Maybe, some of the steps are incorrect
For information purposes,
development platform is Windows 10,
Picotool version is: picotool v2.2.0-a4 (Windows, GNU-15.1.0, Release)
For key generation OpenSSL ( https://slproweb.com/products/Win32OpenSSL.html ) is being used
=>The followed steps are:
Previous steps: Obtain a simple LED blinking compiled example in .uf2 format
(Using arduino support for RP2350, in the background it uses Pico SDK,
destination CPU is ARM-Cortex M33)
The RP2350 board works ok using the simple LED unsigned blinking example,
both GPIO24 and GPIO25 have a LED connected.
1) Private key generation. Using this command at command prompt:
openssl ecparam -name secp256k1 -genkey -noout -out private_key.pem
2) Seal the .uf2 firmware
picotool seal --verbose --sign --major 1 --minor 0 blinking_firmware.uf2 blinking_firmware_signed.uf2 private_key.pem otp_config.json
Contents of generated otp_config.json :
{
"boot_flags1": {
"key_valid": 1
},
"bootkey0": [
5,
... ( in total 32 comma separated values )
134
],
"crit1": {
"secure_boot_enable": 1
}
}
3) Copy or set the OTP config to the RP2350
picotool otp load otp_config.json
4) Enable secure boot in the RP2350
picotool otp set OTP_DATA_CRIT1.SECURE_BOOT_ENABLE 1
5) Disable SWD interface (maybe not needed until production stage)
picotool otp set OTP_DATA_CRIT1.DEBUG_DISABLE 1
6) Flash the signed binary
picotool load -v -x blinking_firmware_signed.uf2
----------------------------------------------------------------------------------------------
As result, the RP2350 now doesn´t execute non signed firmwares (as expected),
but also does not execute the signed blinking example ??
The signed firmware is intended to be executed from external flash, as usual.
Any idea what is happening?
Thanks in advance,
Best,
Statistics: Posted by masteries — Tue Feb 10, 2026 9:00 am