Hello,
I would like to use "secure boot" following the documentation :
https://pip.raspberrypi.com/categories/ ... -Howto.pdf
Everything seems to work but after the last reboot the screen goes black.
Here are the boot logs. Do you know what I'm missing?
Thanks
RPi: BOOTLOADER release VERSION:4fd8f1f3 DATE: 2023/05/11 TIME: 07:26:03
BOOTMODE: 0x06 partition 0 build-ts BUILD_TIMESTAMP=1683786363 serial 32501020 boardrev b03115 stc 458123
PM_RSTS: 0x00001000
part 00000000 reset_info 00000000
uSD voltage 3.3V
Initialising SDRAM 'Samsung' 16Gb x1 total-size: 16 Gbit 3200
DDR 3200 0 0 16 152
XHCI-STOP
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
USBSTS 11
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
xHC ports 5 slots 32 intrs 4
Boot mode: SD (01) order f2564
HDMI1 edid block 0 offset 0
HDMI1 edid block 1 offset 128
HDMI1: best-mode 1 (limit 1) 1280x720 60 Hz CEA modes fe007f80010000000000000000000000 extensions 1
USB2[1] 400202e1 connected
USB2 root HUB port 1 init
DEV [01:00] 2.16 000000:01 class 9 VID 2109 PID 3431
HUB init [01:00] 2.16 000000:01
HUB [01:00] 2.16 000000:01 init port 3 speed 1
DEV [02:01] 2.00 000003:01 class 0 VID 413c PID 2514
HID [02:01] 2.00 000003:01 register HID
SD HOST: 200000000 CTL0: 0x00800000 BUS: 400000 Hz actual: 390625 HZ div: 512 (256) status: 0x1fff0000 delay: 276
SD HOST: 200000000 CTL0: 0x00800f00 BUS: 400000 Hz actual: 390625 HZ div: 512 (256) status: 0x1fff0000 delay: 276
OCR c0ff8000 [111]
CID: 00035344534433324785fd4ea8a20166
CSD: 400e00325b590000eddf7f800a400000
SD: bus-width: 4 spec: 2 SCR: 0x02358083 0x01006432
SD HOST: 200000000 CTL0: 0x00800f04 BUS: 50000000 Hz actual: 50000000 HZ div: 4 (2) status: 0x1fff0000 delay: 2
MBR: 0x00002000, 524288 type: 0x0c
MBR: 0x00082000,61825024 type: 0x83
MBR: 0x00000000, 0 type: 0x00
MBR: 0x00000000, 0 type: 0x00
Trying partition: 0
type: 32 lba: 8192 oem: 'mkfs.fat' volume: ' bootfs '
rsc 32 fat-sectors 1020 c-count 130554 c-size 4
root dir cluster 2 sectors 0 entries 0
FAT32 clusters 130554
Trying partition: 0
type: 32 lba: 8192 oem: 'mkfs.fat' volume: ' bootfs '
rsc 32 fat-sectors 1020 c-count 130554 c-size 4
root dir cluster 2 sectors 0 entries 0
FAT32 clusters 130554
secure-boot
Loading boot.img ...
SIG boot.sig 722dacdf9ea14900cd4c8f132017b7f953be8fa9ccc240d90bd6b945c7398b42 16 85438793
Verifying
RSA verify
rsa-verify pass (0x0)
MBR: 0x00000000, 0 type: 0x00
MBR: 0x00000000, 0 type: 0x00
MBR: 0x00000000, 0 type: 0x00
MBR: 0x00000000, 0 type: 0x00
Trying partition: 0
type: 12 lba: 0 oem: 'mkfs.fat' volume: ' V ^ '
rsc 4 fat-sectors 12 c-count 3576 c-size 4
root dir cluster 1 sectors 16 entries 256
FAT12 clusters 3576
Read config.txt bytes 2109 hnd 0x8c
Read start4.elf bytes 2251392 hnd 0x2d6
Read fixup4.dat bytes 5399 hnd 0x8e
0x00b03115 0x00000000 0x00001fff
MEM GPU: 76 ARM: 948 TOTAL: 1024
Firmware: 82f3750a65fadae9a38077e3c2e217ad158c8d54 Mar 17 2023 10:50:39
Starting start4.elf @ 0xfec00200 partition 0
XHCI-STOP
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
USBSTS 18
Re: secure boot
Could it be that the default video settings in your display/monitor and the OS are mutually incompatible?
{Edit: obsoleted by current information from a Raspberry Pi engineer.}
Last edited by B.Goode on Tue May 30, 2023 12:11 pm, edited 1 time in total.
Beware of the Leopard
Re: secure boot
Here's what I did :
- I install raspberry pi os lite(64 bit) with pi imager on my sd card.
- apt update + upgrade and configure eeprom to latest
- I follow the documentation. I use the original /boot to build boot.img and I left the file cmdline.txt unchanged
- I copy pieeprom.bin .sig and recovery.bin to /boot
- reboot : green screen
- insert sd card on my computer to remove pieeprom.bin .sig and recovery.bin from /boot (because they remain)
- reinsert sd card on my raspberry pi
- rpi quickly displays some information then displays a black (dark gray) screen
- use serial output to retrieve debug information
Thanks
Re: secure boot
The secure-boot example (minimal buildroot) is documented here
https://github.com/raspberrypi/usbboot/ ... ot-example
Those PDF instructions should probably be retired because it's just an early example for the chain of trust. RPi OS doesn't support secure-boot so you'd need to create your own buildroot/yocto style OS image.
Re: secure boot
Thanks,
I follow this tuto https://rr-developer.github.io/LUKS-on-Raspberry-Pi/ to create an initramfs.
Then I sign my /boot and enable secure boot.
but it doesn't work : same blank dark screen.
I try to find information in usbboot/secure-boot-example/boot.img (config.txt, cmdline.txt) and README.md, without success
Can anyone help me ?
I set uart_2ndstage=1 and I have the following logs :
MESS:00:00:06.741075:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:06.744555:0: brfs: File read: 2161 bytes
MESS:00:00:06.769815:0: HDMI0:EDID error reading EDID block 0 attempt 0
MESS:00:00:06.774320:0: HDMI0:EDID giving up on reading EDID block 0
MESS:00:00:06.838462:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:07.610129:0: gpioman: gpioman_get_pin_num: pin DISPLAY_DSI_PORT not defined
MESS:00:00:07.617440:0: *** Restart logging
MESS:00:00:07.618844:0: brfs: File read: 2161 bytes
MESS:00:00:07.628666:0: hdmi: HDMI0:EDID error reading EDID block 0 attempt 0
MESS:00:00:07.633689:0: hdmi: HDMI0:EDID giving up on reading EDID block 0
MESS:00:00:07.644312:0: hdmi: HDMI0:EDID error reading EDID block 0 attempt 0
MESS:00:00:07.649341:0: hdmi: HDMI0:EDID giving up on reading EDID block 0
MESS:00:00:07.654940:0: hdmi: HDMI:hdmi_get_state is deprecated, use hdmi_get_display_state instead
MESS:00:00:07.722002:0: HDMI0: hdmi_pixel_encoding: 300000000
MESS:00:00:07.724639:0: HDMI1: hdmi_pixel_encoding: 300000000
MESS:00:00:07.834259:0: brfs: File read: /mfs/sd/initramfs.gz
MESS:00:00:07.836902:0: Loaded 'initramfs.gz' to 0x0 size 0x9e08ce
MESS:00:00:07.853164:0: initramfs loaded to 0x2e61f000 (size 0x9e08ce)
MESS:00:00:07.856627:0: kernel=
MESS:00:00:07.859496:0: brfs: File read: 10356942 bytes
MESS:00:00:07.869558:0: dtb_file 'bcm2711-rpi-4-b.dtb'
MESS:00:00:07.872491:0: brfs: File read: /mfs/sd/bcm2711-rpi-4-b.dtb
MESS:00:00:07.877706:0: Loaded 'bcm2711-rpi-4-b.dtb' to 0x100 size 0xcd71
MESS:00:00:07.917429:0: brfs: File read: 52593 bytes
MESS:00:00:07.922736:0: brfs: File read: /mfs/sd/overlays/overlay_map.dtb
MESS:00:00:08.118764:0: brfs: File read: 2347 bytes
MESS:00:00:08.120890:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:08.126710:0: dtparam: audio=on
MESS:00:00:08.141088:0: brfs: File read: 2161 bytes
MESS:00:00:08.148165:0: brfs: File read: /mfs/sd/overlays/vc4-kms-v3d-pi4.dtbo
MESS:00:00:08.306415:0: Loaded overlay 'vc4-kms-v3d'
MESS:00:00:08.705697:0: brfs: File read: 3913 bytes
MESS:00:00:08.707780:0: brfs: File read: /mfs/sd/cmdline.txt
MESS:00:00:08.712936:0: Read command line from file 'cmdline.txt':
MESS:00:00:08.718789:0: 'console=serial0,115200 console=tty1 root=/dev/mapper/sdcard rootfstype=ext4 fsck.repair=yes rootwait cryptdevice=/dev/mmcblk0p2:sdcard'
MESS:00:00:09.048450:0: brfs: File read: 135 bytes
MESS:00:00:09.050516:0: No compatible kernel found
MESS:00:00:09.054685:0: Device tree loaded to 0x2e611a00 (size 0xd503)
Re: secure boot
pipierre wrote: ↑Wed May 31, 2023 8:38 am
> Thanks,
> I follow this tuto https://rr-developer.github.io/LUKS-on-Raspberry-Pi/ to create an initramfs.
> Then I sign my /boot and enable secure boot.
> but it doesn't work : same blank dark screen.
> I try to find information in usbboot/secure-boot-example/boot.img (config.txt, cmdline.txt) and README.md, without success
> Can anyone help me ?
You seem to be mixing up secure-boot and disk encryption. You have been told that secure-boot doesn't work on a standard rpi, yet you still seem to be blindly following old, out of date instructions. Before expecting the disk encryption to work with secure-boot, you first need to get secure-boot to work, try searching the internet. From what I have read, you risk bricking your rpi if you get it wrong.
Re: secure boot
I try to add kernel=kernel8.img (config.txt in signed boot.img and kernel8.img file exists)
new logs are :
MESS:00:00:06.712820:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:06.716302:0: brfs: File read: 2180 bytes
MESS:00:00:06.741557:0: HDMI0:EDID error reading EDID block 0 attempt 0
MESS:00:00:06.746061:0: HDMI0:EDID giving up on reading EDID block 0
MESS:00:00:06.810205:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:07.615921:0: gpioman: gpioman_get_pin_num: pin DISPLAY_DSI_PORT not defined
MESS:00:00:07.623232:0: *** Restart logging
MESS:00:00:07.624635:0: brfs: File read: 2180 bytes
MESS:00:00:07.634458:0: hdmi: HDMI0:EDID error reading EDID block 0 attempt 0
MESS:00:00:07.639481:0: hdmi: HDMI0:EDID giving up on reading EDID block 0
MESS:00:00:07.650103:0: hdmi: HDMI0:EDID error reading EDID block 0 attempt 0
MESS:00:00:07.655133:0: hdmi: HDMI0:EDID giving up on reading EDID block 0
MESS:00:00:07.660731:0: hdmi: HDMI:hdmi_get_state is deprecated, use hdmi_get_display_state instead
MESS:00:00:07.727801:0: HDMI0: hdmi_pixel_encoding: 300000000
MESS:00:00:07.730437:0: HDMI1: hdmi_pixel_encoding: 300000000
MESS:00:00:07.840073:0: brfs: File read: /mfs/sd/initramfs.gz
MESS:00:00:07.842716:0: Loaded 'initramfs.gz' to 0x0 size 0x9e08ce
MESS:00:00:07.858970:0: initramfs loaded to 0x2e61f000 (size 0x9e08ce)
MESS:00:00:07.862434:0: kernel=kernel8.img
MESS:00:00:07.866257:0: brfs: File read: 10356942 bytes
MESS:00:00:07.871502:0: kernel file kernel8.img does not exist
MESS:00:00:07.881873:0: dtb_file 'bcm2711-rpi-4-b.dtb'
MESS:00:00:07.884781:0: brfs: File read: /mfs/sd/bcm2711-rpi-4-b.dtb
MESS:00:00:07.890025:0: Loaded 'bcm2711-rpi-4-b.dtb' to 0x100 size 0xcd71
MESS:00:00:07.929533:0: brfs: File read: 52593 bytes
MESS:00:00:07.934797:0: brfs: File read: /mfs/sd/overlays/overlay_map.dtb
MESS:00:00:08.130995:0: brfs: File read: 2347 bytes
MESS:00:00:08.133126:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:08.138943:0: dtparam: audio=on
MESS:00:00:08.153225:0: brfs: File read: 2180 bytes
MESS:00:00:08.160307:0: brfs: File read: /mfs/sd/overlays/vc4-kms-v3d-pi4.dtbo
MESS:00:00:08.318193:0: Loaded overlay 'vc4-kms-v3d'
MESS:00:00:08.717462:0: brfs: File read: 3913 bytes
MESS:00:00:08.719548:0: brfs: File read: /mfs/sd/cmdline.txt
MESS:00:00:08.724705:0: Read command line from file 'cmdline.txt':
MESS:00:00:08.730558:0: 'console=serial0,115200 console=tty1 root=/dev/mapper/sdcard rootfstype=ext4 fsck.repair=yes rootwait cryptdevice=/dev/mmcblk0p2:sdcard'
MESS:00:00:09.060652:0: brfs: File read: 135 bytes
MESS:00:00:09.062713:0: No compatible kernel found
MESS:00:00:09.066881:0: Device tree loaded to 0x2e611a00 (size 0xd503)
if secure boot is disabled (with default eeprom) my boot works with kernel8.img and encryption
If secure boot is enabled, (updated eeprom) boot.sig is ok but my rpi 4b won't start
I read on https://github.com/raspberrypi/usbboot/ ... -trust.pdf that it should work.
Re: secure boot
I renamed file kernel8.img to zImage (and set kernel=zImage in config.txt) and now it works 
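A triage sketch for the serial logs posted in this thread, added here as an example and not code from any poster or from Raspberry Pi. It reads the bootloader and uart_2ndstage=1 output and names the first stage that did not complete, which separates a signature failure from the kernel-lookup failure seen above. The function names and stage labels are assumptions of this example, and the sample log is constructed from lines posted above.

```python
import re

# Constructed sample: lines copied from the serial logs posted in this thread
# (bootloader stage, then start4.elf output with uart_2ndstage=1), trimmed.
SAMPLE_LOG = """\
secure-boot
Loading boot.img ...
Verifying
RSA verify
rsa-verify pass (0x0)
Read config.txt bytes 2109 hnd 0x8c
Starting start4.elf @ 0xfec00200 partition 0
MESS:00:00:07.840073:0: brfs: File read: /mfs/sd/initramfs.gz
MESS:00:00:07.862434:0: kernel=kernel8.img
MESS:00:00:07.871502:0: kernel file kernel8.img does not exist
MESS:00:00:09.062713:0: No compatible kernel found
"""

MESS_PREFIX = re.compile(r"^MESS:\d+:\d+:\d+\.\d+:\d+:\s*")
RSA_RESULT = re.compile(r"^rsa-verify (\S+)")
KERNEL_SET = re.compile(r"^kernel=(.*)$")
KERNEL_MISSING = re.compile(r"^kernel file (\S+) does not exist")


def parse(log_text):
    """Collect the boot milestones that appear in the log."""
    seen = {"secure_boot": False, "rsa": None, "firmware": False,
            "kernel": None, "missing": None, "no_kernel": False}
    for raw in log_text.splitlines():
        # Firmware lines carry a MESS:<time>:<n>: prefix; bootloader lines do not.
        line = MESS_PREFIX.sub("", raw.strip())
        if line == "secure-boot":
            seen["secure_boot"] = True
        elif (m := RSA_RESULT.match(line)):
            seen["rsa"] = m.group(1)
        elif line.startswith("Starting start4.elf"):
            seen["firmware"] = True
        elif (m := KERNEL_SET.match(line)):
            seen["kernel"] = m.group(1)      # empty string when kernel= is unset
        elif (m := KERNEL_MISSING.match(line)):
            seen["missing"] = m.group(1)
        elif line == "No compatible kernel found":
            seen["no_kernel"] = True
    return seen


def failing_stage(log_text):
    """Name the first stage that did not complete, or 'none-seen'."""
    s = parse(log_text)
    if s["secure_boot"] and s["rsa"] != "pass":
        return "signature"      # boot.img was not accepted by the bootloader
    if not s["firmware"]:
        return "firmware-load"  # start4.elf never started
    if s["missing"] or s["no_kernel"]:
        return "kernel-load"    # image trusted, but no usable kernel inside it
    return "none-seen"


if __name__ == "__main__":
    print(failing_stage(SAMPLE_LOG), parse(SAMPLE_LOG))
```

On the logs in this thread the result is kernel-load: the signature check passed, so the problem lies in the contents of boot.img and not in the signing or EEPROM steps.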

Re: secure boot
Hi,
I'm in the same situation as you were. Need to enable secure boot with encrypted filesystem on a RPI 4 B.
Could you please describe what steps you did/instructions you followed. And what issues you encountered on your way?
I've read:
The howto pdf
https://github.com/raspberrypi/usbboot/ ... ot-example
https://rr-developer.github.io/LUKS-on-Raspberry-Pi/
But the secure boot instructions always refer to CM4 and I'm a little bit stuck at the nRPIBOOT part. Which is present and needed on the CM4, but do I need this GPIO on the PI4B and how do you set the gpio pin?
Don't want to continue at this step and make my PI4B unusable because I missed something there.
Re: secure boot
For Pi4B / Pi400 you need to pick a GPIO that will cause the ROM to go into USB device boot mode. This must be one of the ones that are pulled high by default by the SOC and must NOT conflict with a HAT if you have one.
https://github.com/raspberrypi/usbboot/ ... 4b--pi-400
secure-boot is somewhat niche on Pi4/Pi400 but does work.
I would recommend
- Erase the EEPROM (erase_eeprom=1) and verify that RPIBOOT works on your Pi4 first.
- Program the nRPIBOOT OTP and check it still works as expected
- Only then think about the other OTP steps
- Finally revoke the devkey once you are ready to ship the device.
Re: secure boot
Ahhh there is the part with the GPIO. I remembered reading about this, but couldn't find it any more.
Got the GPIO working to send the PI into rpiboot mode.
Re: secure boot
Hi why_me, were you able to get things working?
I am exactly in the same situation looking for a way to enable secure boot + encryption on the RPI 4B so would be grateful for any hints and advice here.
My biggest struggle right now is how to get the boot.img. I don't need much there, I am looking for a standard raspbian lite 64b with gstreamer, ssh and some extra overlays to enable i2c, some hat overlay, hdmi to csi bridge overlay, maybe some specific HDMI timings, but that all would go into the config.txt of the boot.img I suppose. I am following the https://github.com/raspberrypi/buildroo ... /README.md but the process is very time consuming it seems even on my powerful gaming laptop, to be honest I haven't finished building the img/kernel yet.
The best for me would be taking the existing boot partition I have on the sdcard and make the boot.img somehow out of it.
Yeah, and I haven't even got to the encryption part yet.
Thanks
Re: secure boot
manicka1006 wrote: ↑Wed Oct 11, 2023 7:22 am
> Hi why_me, were you able to get things working?
> I am exactly in the same situation looking for a way to enable secure boot + encryption on the RPI 4B so would be grateful for any hints and advice here.
> My biggest struggle right now is how to get the boot.img. I don't need much there, I am looking for a standard raspbian lite 64b...
Got a little bit further and managed to get raspberry pi os lite 64bit booting with secure boot. But there is probably a better way to do this.
I tried different things to generate a boot.img file, but for whatever reason nothing worked.
What I ended up with, was mounting the boot.img of the example folder, removing everything inside the bin except the config.txt and copying all the files from a freshly installed raspberry pi os sd card into the img file. Renaming kernel8.img to zImage and merging the two config.txt files together.
And then I copied the new boot.bin plus the generated signature to the fresh sdcard.
Probably not the way to do this, but it at least worked for me.
The only thing missing is the encryption. Need to figure out how to get this working with secure boot.