Thanks for your reply!
I figured out that the only way to enable "revoke_devkey" and "program_pubkey" is via rpiboot.
(And pulling a certain GPIO down to "activate" rpiboot) https://www.raspberrypi.com/documentati ... iboot_gpio
"These changes are irreversible and can only be programmed via RPIBOOT when flashing the bootloader EEPROM image"
source: https://www.raspberrypi.com/documentati ... config-txt
I figured out that the only way to enable "revoke_devkey" and "program_pubkey" is via rpiboot.
(And pulling a certain GPIO down to "activate" rpiboot) https://www.raspberrypi.com/documentati ... iboot_gpio
It clearly statesThe following config.txt properties are used to program the secure-boot OTP settings. These changes are irreversible and can only be programmed via RPIBOOT when flashing the bootloader EEPROM image. This ensures that secure-boot cannot be set remotely or by accidentally inserting a stale SD card image.
For more information about enabling secure-boot please see the Secure Boot readme and the Secure Boot tutorial in the USBBOOT repo.
program_pubkey
If this property is set to 1 then recovery.bin will write the hash of the public key in the EEPROM image to OTP. Once set, the bootloader will reject EEPROM images signed with different RSA keys or unsigned images.
Default: 0
revoke_devkey
If this property is set to 1 then recovery.bin will write a value to OTP that prevents the ROM from loading old versions of the second stage bootloader which do not support secure-boot. This prevents secure-boot from being turned off by reverting to an older release of the bootloader.
Default: 0
"These changes are irreversible and can only be programmed via RPIBOOT when flashing the bootloader EEPROM image"
source: https://www.raspberrypi.com/documentati ... config-txt
Statistics: Posted by waterlemonmelon — Fri Mar 15, 2024 7:37 am