Add note on writing OTP to enc bootloader #553
Conversation
|
Would it be sensible for this README to refer people to chapter 10 of https://datasheets.raspberrypi.com/rp2350/rp2350-datasheet.pdf for more information about secure boot ? |
|
Maybe chapter 5.10.1 instead, as that has more details on how to actually sign binaries? Or could point to both chapters |
I'll leave that decision entirely up to you, as you understand all of this much better than I do! |
bootloaders/encrypted/README.md
Outdated
| @@ -4,12 +4,19 @@ Replace private.pem and privateaes.bin with your own keys - your signing key mus | |||
| openssl ecparam -name secp256k1 -genkey -out private.pem | |||
| ``` | |||
|
|
|||
| The AES key is just be a 32 byte binary file - you can create one with | |||
| The AES key is just a 32 byte binary file - you can create one with | |||
bootloaders/encrypted/README.md
Outdated
|
|
||
| ```bash | ||
| dd if=/dev/urandom of=privateaes.bin bs=1 count=32 | ||
| ``` | ||
|
|
||
| You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the OTP page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that OTP page. |
There was a problem hiding this comment.
is it clear what "the source folder" and "the build folder" are?
There was a problem hiding this comment.
I wonder if it's worth adding a note telling the user that it's important that they don't lose the private.pem and privateaes.bin files?
Add a note on how to write the AES key to OTP to the encrypted bootloader readme - prompted by #552