This directory contains the beta bootcode4.bin (recovery.bin) and pieeprom-2021-05-19.bin bootloader release. Older bootloader and recovery.bin releases do not support secure boot.
Steps for enabling secure boot:
Raspberry Pi 4B and Pi400 do not have a dedicated RPIBOOT jumper so a different GPIO must be used to enable RPIBOOT if pulled low. The available GPIOs are 2,4,5,6,7,8 since these are high by default.
In order to avoid this OTP configuration being accidently set on Pi 4B / Pi 400 this option can only be set via RPIBOOT. To force RPIBOOT on a Pi 4B / Pi 400 erase the SPI EEPROM.
Copy recovery.bin to a blank FAT32 formatted SD card with the following config.txt file.
Then insert the SD card and boot the Pi and wait at least 10 seconds for the green
LED to flash rapidly.
erase_eeprom=1
Then use rpiboot config.txt specify the GPIO to use for nRPIBOOT. For example:
program_rpiboot_gpio=8
The OTP setting for nRPIBOOT will then be set in the next steps when the EEPROM / secure-boot configuration is programmed.
Alternatively, specify the path when invoking the helper scripts.
export KEY_FILE="${HOME}/private.pem"Custom with the desired bootloader settings. See: Bootloader configuration
Setting SIGNED_BOOT=1 enables signed-boot mode so that the bootloader will only
boot.img files signed with the specified RSA key. Since this is an EEPROM config
option secure-boot can be tested and reverted via RPIBOOT at this stage.
cd secure-boot-recovery
../tools/update-pieeprom.sh -k "${KEY_FILE}"pieeprom.bin can then be flashed to the bootloader EEPROM via rpiboot.
- Power off CM4
- Set nRPIBOOT jumper and remove EEPROM WP protection
cd secure-boot-recovery
../rpiboot -d .- Power ON CM4
After verifying that the signed OS image boots successfully the system can be locked into secure-boot mode. This writes the hash of the customer public key to "one time programmable" (OTP) bits. From then onwards:
- The bootloader will only load OS images signed with the customer private key.
- The EEPROM configuration file must be signed with the customer private key.
- It is not possible to install an old version of the bootloader that does support secure boot.
- It is NOT possible to use a different private key to signed the OS images
WARNING: THESE OPTIONS PERMANENTLY THE BCM2711 CHIP AND ARE IRREVERSIBLE.
To enable this edit the config.txt file in this directory and set
program_pubkey=1
program_pubkey- If 1, write the hash of the customer's public key to OTP.revoke_devkey- If 1, revoke the ROM bootloader development key which requires secure-boot mode and prevents downgrades to bootloader versions that don't support secure boot.
** DO NOT SET THIS revoke_devkey UNTIL THE BOOTLOADER IS SIGNED WITH THE SECURE
BOOT KEY. IT WILL PREVENT THE PI FROM BOOTING.**
VideoCore JTAG may be permentantly disabled by setting program_jtag_lock in
config.txt. This option has no effect unless revoke_revkey=1 is set and
the EEPROM and customer OTP key were programmed successfully.
See config.txt