General discussion • Re: Raspberry PI 5 Secure Boot

Start with a working image.

To enable signed boot, you need to move everything in your boot partition into a boot.img file and create a boot.sig with the private key which is the private key for the public key you will include in the EEPROM config.

Code:

truncate -s 70m boot.img # 70MB since FAT won't resize
mkfs.fat boot.img
lsblk
sudo losetup -Pf boot.img
# New loop device will show up in lsblk
lsblk
# Assuming loop0
sudo mkdir -p /mnt/loop0 # make sure the mount point exists
sudo mount /dev/loop0 /mnt/loop0
sudo cp -r /path/to/bootfs/* /mnt/loop0/
sudo umount /mnt/loop0
cd /path/to/bootfs/
sudo cp "$OLDPWD/boot.img" . # boot.img was created in the previous working directory
# Private key in /path/to/private.pem
# /path/to/rpi-eeprom-digest is https://github.com/raspberrypi/rpi-eeprom/blob/master/rpi-eeprom-digest
sudo /path/to/rpi-eeprom-digest -i boot.img -o boot.sig -k /path/to/private.pem
# This will create boot.sig

This is all that is needed if you are going to enable signed boot. But you should test it first.
Without signed boot fully enabled you can create a config.txt in the boot partition at the same level as boot.img and boot.sig with the following value:

Code:

boot_ramdisk=1

boot_ramdisk=1 says to load boot.img as a ramdisk, and use that for all further files.

OR instead of creating that extra config.txt in the root of the boot partition you can edit the EEPROM config to have

Code:

SIGNED_BOOT=1

So it will behave as if signed boot has been written to write-once memory and load boot.img.

When you have tested you can write the hash of the public key to the write-once memory and signed boot will be enabled.

Statistics: Posted by BerryPiUser — Thu May 02, 2024 6:56 pm
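
The "test it first" step from the post above, as an added example that is not part of the original post or of the rpi-eeprom project: a POSIX shell check that boot.sig really matches boot.img and the key pair before anything is written to write-once memory. It assumes boot.sig has the layout rpi-eeprom-digest writes (hex SHA-256 on line 1, a `ts:` line, an `rsa2048:` hex signature line) and that the third argument is the public half of the signing key; `hex2bin` and `verify_boot_sig` are names chosen here.

```shell
#!/bin/sh
# Added example. ASSUMED boot.sig layout (as written by rpi-eeprom-digest):
#   line 1: hex SHA-256 of the image
#   "ts: <unix time>"
#   "rsa2048: <hex RSA signature over the image, SHA-256>"

# Decode a hex string to raw bytes on stdout (POSIX awk + printf, no xxd).
hex2bin() {
    printf "$(printf '%s\n' "$1" | awk '{
        h = "0123456789abcdef"; s = tolower($0)
        for (i = 1; i < length(s); i += 2)
            printf "\\%03o", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1
    }')"
}

# verify_boot_sig IMAGE SIG PUBKEY
# Returns 0 = digest and signature both match, 1 = digest mismatch,
#         2 = no rsa2048 line in SIG, 3 = signature does not verify.
verify_boot_sig() {
    img=$1; sig=$2; pub=$3

    # Line 1 of the .sig must equal the SHA-256 of the image as it is now.
    want=$(head -n 1 "$sig" | tr -d ' \r\n')
    have=$(sha256sum < "$img" | cut -d ' ' -f 1)
    [ "$want" = "$have" ] || return 1

    # A .sig made without -k has no signature and cannot be used for signed boot.
    sig_hex=$(sed -n 's/^rsa2048: *//p' "$sig" | tr -d ' \r\n')
    [ -n "$sig_hex" ] || return 2

    # Check the RSA signature over the image with the public key.
    tmp=$(mktemp) || return 3
    hex2bin "$sig_hex" > "$tmp"
    if openssl dgst -sha256 -verify "$pub" -signature "$tmp" "$img" >/dev/null 2>&1
    then rc=0; else rc=3; fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: sh verify.sh boot.img boot.sig public.pem
if [ "$#" -eq 3 ]; then
    if verify_boot_sig "$1" "$2" "$3"; then echo "boot.sig OK"
    else echo "boot.sig check FAILED" >&2; exit 1; fi
fi
```
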


