Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add note on writing OTP to enc bootloader #553

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Add note on writing OTP to enc bootloader #553

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c0a7bba
Add note on writing OTP to enc bootloader
will-v-pi Sep 25, 2024
1328e02
"the page" -> "the OTP page"
will-v-pi Sep 25, 2024
86936fc
Add note about datasheet
will-v-pi Sep 25, 2024
10361d7
Update README.md
kilograham Nov 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion bootloaders/encrypted/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,19 @@ Replace private.pem and privateaes.bin with your own keys - your signing key mus
openssl ecparam -name secp256k1 -genkey -out private.pem
```

The AES key is just be a 32 byte binary file - you can create one with
The AES key is just a 32 byte binary file - you can create one with
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

: at the end


```bash
dd if=/dev/urandom of=privateaes.bin bs=1 count=32
```

You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the OTP page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that OTP page.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it clear what "the source folder" and "the build folder" are?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if it's worth adding a note telling the user that it's important that they don't lose the private.pem and privateaes.bin files?

```bash
picotool otp load otp.json
```

will-v-pi marked this conversation as resolved.
Show resolved Hide resolved
> For more information on security see chapter 10 of the [RP2350 datasheet](https://datasheets.raspberrypi.com/rp2350/rp2350-datasheet.pdf), and for information on how to sign other binaries to run on a secure chip see chapter 5.10

Then either drag & drop the UF2 files to the device in order (enc_bootloader first, then hello_serial_enc) waiting for a reboot in-between, or run
```bash
picotool load enc_bootloader.uf2
Expand Down
Loading