dodain
Posts: 7
Joined: Fri Oct 01, 2021 7:12 am

Write a small custom code in the EEPROM

Thu Oct 14, 2021 6:45 am

I want to add a small piece of code in the EEPROM of Raspi Compute Module 4, that basically verifies the hash of the start.elf file so I can ensure the boot order is protected or verified. The goal is not to modify the Pi's bootloader or do anything with it but add a small custom code to the EEPROM to verify the hash of the boot order and later write protect it.

Any kind of help would be appreciated on how to write my own code in the EEPROM. I don't wanna mess with the bootloader of Pi, it would be as it is, but another small piece of code (hash verification) will also go in the EEPROM. If an NDA is required to share such info, please let me know. We can sign an NDA.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 29574
Joined: Sat Jul 30, 2011 7:41 pm

Re: Write a small custom code in the EEPROM

Thu Oct 14, 2021 10:49 am

We already provide secure boot on the CM4. The process is under NDA though, please email applications@raspberrypi.com for further details.

There are no facilities for using the EEPROM on the CM4 for this sort of thing outside the official process.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

cleverca22
Posts: 4623
Joined: Sat Aug 18, 2012 2:33 pm

Re: Write a small custom code in the EEPROM

Thu Oct 14, 2021 9:50 pm

jamesh wrote:
Thu Oct 14, 2021 10:49 am
The process is under NDA though

then why are the full directions in plain view on github?

https://github.com/raspberrypi/usbboot/ ... t-recovery

is there something extra you're not allowed to say still, or is it just a matter of things moving faster than you expected?
The OTP aspects are still under test/review and if major changes are required (e.g. to address a security issue) then those boards won't be upgradable. Some of the OTP settings are disabled in that recovery.bin. There are other slightly orthogonal aspects related to discussions with partners etc. but eventually, it should be open to everyone.

Setting SIGNED_BOOT=1 in the EEPROM config and then write-protecting the EEPROM gives you a reasonable level of security so long as you can control physical access to the device, i.e. everything up to and including init-ramfs is verified by your RSA key. Although clearly, you still have to think about OS security, which has a much larger attack surface and is outside the scope of this, i.e. it's just step 1.
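The trust chain the reply above describes (hash of the boot image covered by an RSA signature, public key as the anchor in the write-protected EEPROM), as an added host-side model using openssl; this is example code, not from the thread or from the raspberrypi/usbboot project, and the two-line signature-file layout is an assumption for the example rather than the real boot.sig format.

```shell
#!/bin/sh
# Added example, not code from the thread or from raspberrypi/usbboot.
# Models CM4 signed boot on a host: the public key is the trust anchor (on a
# real board, the one in the write-protected EEPROM), the boot image is hashed
# with SHA-256 and the hash is covered by an RSA signature. The real check runs
# inside the EEPROM bootloader; this only shows why a tampered image is rejected.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 2048-bit RSA key pair: the private key stays on the signing host, only the
# public key would be embedded alongside SIGNED_BOOT=1 in the EEPROM config.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/private.pem" 2>/dev/null
    openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# Sign: record the image hash and a PKCS#1 v1.5 RSA signature over it.
# The two-line layout is an assumption for this example, not the exact
# boot.sig format produced by the Raspberry Pi tooling.
sign_image() { # $1 = image path, $2 = signature file to write
    img_sha="$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)"
    sig_b64="$(openssl dgst -sha256 -sign "$WORK/private.pem" "$1" | openssl base64 -A)"
    printf '%s\nrsa2048: %s\n' "$img_sha" "$sig_b64" > "$2"
}

# Verify as a bootloader would: recompute the hash, compare it with the
# recorded one, then check the signature against the trusted public key.
verify_image() { # $1 = image path, $2 = signature file; returns 0 on success
    want="$(sed -n '1p' "$2")"
    have="$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)"
    [ "$want" = "$have" ] || return 1
    sed -n 's/^rsa2048: //p' "$2" | tr -d '\n' | openssl base64 -d -A > "$WORK/sig.bin"
    openssl dgst -sha256 -verify "$WORK/public.pem" \
        -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1
}

# Demo on a constructed placeholder image (not a real start.elf or initramfs).
demo() {
    gen_keys
    printf 'constructed boot image: start.elf + initramfs\n' > "$WORK/boot.img"
    sign_image "$WORK/boot.img" "$WORK/boot.sig"
    verify_image "$WORK/boot.img" "$WORK/boot.sig" || return 1   # genuine image: accepted
    printf 'X' >> "$WORK/boot.img"                               # tamper with one byte
    if verify_image "$WORK/boot.img" "$WORK/boot.sig"; then return 1; fi
    return 0
}
```

Run `demo` to exercise both paths; it returns 0 only if the genuine image verifies and the tampered copy is rejected.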
