Advanced users • rpi-sign-bootcode in secure boot for Raspberry Pi 4

Hi,

I'm at the stage where I want to lock down my Pi 4 to only allow secure boot and to burn in my key details. I understand that that process can be done with the update-pieeprom.sh script.

What concerns me, and why I'm holding off until I hear back on this, is that inside the update-pieeprom.sh script it makes a call to rpi-sign-bootcode from the sign_firmware_blob function in the following snippet:

Code:

sign_firmware_blob() {
   [ -f "${PEM_FILE}" ] || die "sign-firmware: key-file ${PEM_FILE} not found"
   rpi-sign-bootcode \
      -c 2712 \
      -i "${1}" \
      -o "${2}" \
      -n 16 \
      -v 0 \
      -k "${PEM_FILE}"
}
However, this call is passing 2712 unconditionally which surely would be wrong for the Raspberry Pi 4?

Looking inside rpi-sign-bootcode, I see that if you had set 2711 then the effect is that it uses SHA1 instead of SHA256.

Considering that I've been doing all of my testing with code that uses SHA256, my guess is that you unconditionally pass in 2712 now because even for a Pi 4 you now use firmware that uses SHA256 instead of SHA1. Is that correct?

Kim Hendrikse

Statistics: Posted by hcfman — Sun Aug 11, 2024 1:26 pm
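The post's concern is that the chip id passed to the signing tool selects the hash the boot image is checked against, so a hard-coded `-c 2712` silently decides which digest a Pi 4 will have to verify. The example below is an added model of that selection, written for this page and not code from rpi-sign-bootcode or the Raspberry Pi firmware repository: the 2711 -> SHA-1 / 2712 -> SHA-256 mapping is taken from the post's own reading of the tool, and the "signed image" layout (`TOYSIG` marker, chip id, digest, blob) is a constructed format used only to show that an image digested for one chip id fails the check for the other.

```python
"""Model of chip-dependent digest selection when signing a firmware blob.

Added example, not rpi-sign-bootcode itself. The hash mapping is the
post's reading of the tool (2711 -> SHA-1, 2712 -> SHA-256) and the image
layout is a constructed toy format, not any real Raspberry Pi format.
"""
import hashlib
import hmac
import sys
from pathlib import Path

# Assumed mapping taken from the post; the real tool may differ.
CHIP_DIGEST = {2711: "sha1", 2712: "sha256"}
MAGIC = b"TOYSIG"  # constructed marker for the toy layout below


def digest_for_chip(chip: int, blob: bytes) -> tuple:
    """Return (algorithm name, digest bytes) for the given chip id."""
    try:
        algo = CHIP_DIGEST[chip]
    except KeyError:
        raise ValueError(f"unsupported chip id {chip}") from None
    return algo, hashlib.new(algo, blob).digest()


def build_signed_image(chip: int, blob: bytes) -> bytes:
    """Toy layout: MAGIC | 2-byte chip id | 1-byte digest length | digest | blob.

    Unlike the shell function in the post, the chip id is an explicit
    parameter rather than a constant, so the caller decides per target.
    """
    _, d = digest_for_chip(chip, blob)
    return MAGIC + chip.to_bytes(2, "big") + bytes([len(d)]) + d + blob


def verify_signed_image(expected_chip: int, image: bytes) -> bool:
    """Check that the image was digested for expected_chip with its hash.

    Returns False when the marker is wrong, the recorded chip id differs,
    or the stored digest does not match the one recomputed with the
    algorithm that expected_chip selects (e.g. SHA-1 vs SHA-256 mismatch).
    """
    if not image.startswith(MAGIC) or len(image) < len(MAGIC) + 3:
        return False
    pos = len(MAGIC)
    chip = int.from_bytes(image[pos:pos + 2], "big")
    if chip != expected_chip:
        return False
    n = image[pos + 2]
    stored, blob = image[pos + 3:pos + 3 + n], image[pos + 3 + n:]
    _, d = digest_for_chip(expected_chip, blob)
    # Length check first: a SHA-1 digest (20 bytes) can never match SHA-256 (32).
    return len(stored) == len(d) and hmac.compare_digest(stored, d)


def main(argv):
    """Usage: model_sign.py <chip> <input-blob> <output-image>"""
    if len(argv) != 4:
        sys.exit(main.__doc__)
    chip, src, dst = int(argv[1]), Path(argv[2]), Path(argv[3])
    if not src.is_file():
        sys.exit(f"sign-firmware: input {src} not found")
    image = build_signed_image(chip, src.read_bytes())
    dst.write_bytes(image)
    print(f"wrote {dst} ({CHIP_DIGEST[chip]} digest for chip {chip})")


if __name__ == "__main__":
    main(sys.argv)
```

Run with a constructed blob, e.g. `python3 model_sign.py 2712 blob.bin blob.signed`, then call `verify_signed_image(2711, ...)` on the result to see the cross-chip failure. The point carried over from the post: whichever chip id the script passes is the one the verifier must agree with, so the value belongs in a per-target parameter (or a check against the board actually being provisioned) rather than a constant buried in the signing helper.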