How to secure boot raspberry pi4 with u-boot yocto image
0 votes | 0 answers | 84 views
**The goal is to sign the mender yocto image and run it on a secure-boot-enabled Raspberry Pi**.
I have a Raspberry Pi 4 and the yocto image from mender (open source OTA platform).
To give it a quick try, here is the link to the generated image: **Image and Modified Files**. Flash it to an SD card using **Raspberry Pi Imager**, sign with the private key, and (**Step-2**) flash the secure-boot-recovery pieeprom via rpiboot, then boot.
I referred to **Secure Boot Example Readme** and enabled secure boot on the Raspberry Pi 4.
**Step-1 Generate private key for generating signed images**
Source the python virtual environment, install pycryptodomex and generate the private key, then export the variable KEY_FILE.
```bash
source path/to/python/virtual_env/activate
pip install pycryptodomex
openssl genrsa 2048 > private.pem
export KEY_FILE=$(pwd)/private.pem
```
**Step-2 Secure-boot-recovery for flashing signed pieeprom to raspberrypi-4**
Once the private key is generated, I cloned the secure boot git repository and compiled it to get the rpiboot binary.
```bash
git clone https://github.com/raspberrypi/usbboot secure-boot
cd secure-boot
git submodule update --init
make
```
To enable rpiboot mode, I set program_rpiboot_gpio=5 in secure-boot/secure-boot-recovery/config.txt and connected that pin to GND, then connected the Raspberry Pi 4 to the host over USB Type-C.
Then, in the secure-boot directory, sign the pieeprom image with the private key generated in Step-1 and flash it to the EEPROM.
```bash
cd secure-boot-recovery
../tools/update-pieeprom.sh -k "${KEY_FILE}"
cd ..
./rpiboot -d secure-boot-recovery
```
Now secure boot is enabled on the Raspberry Pi 4; it will only run signed images, and referring to the document **Raspberry Pi 4 Boot Security**, the Raspberry Pi 4 expects a signed boot.img.
**Step-3 Process to create a signed mender yocto image**
In this process the mender yocto image is modified. The mender yocto build creates an SD-card-flashable imagename.sdimg, which contains the boot partition, the root A/B partitions and the data partition; to flash boot files to the boot partition it creates imagename.bootimg, which is then packaged into imagename.sdimg. To make it work with secure boot enabled on the Raspberry Pi 4, I modified two yocto recipe files, **mender-bootimg.bbclass** and **mender-part-images.bbclass**, from **classes**. Here are the modified files: **Image and Modified Files**. The modification renames **imagename.bootimg** to **boot.img** and also adds the image signing code, referring to the **sign.sh** script in secure-boot/secure-boot-example and the **rpi-eeprom-digest.sh** script in secure-boot/tools/rpi-eeprom.
Dependencies: a python virtual env and kas need to be installed.
```bash
source /path/to/python/venv/activate
pip install kas
mkdir mender-raspberrypi4 && cd mender-raspberrypi4
git clone https://github.com/theyoctojester/meta-mender-community -b scarthgap
cd meta-mender-community
mkdir my-raspberrypi4 && cd my-raspberrypi4
```
After modifying the files, build the image.
**Build Command**
```bash
kas build ../kas/demos/raspberrypi4-64-wifi.yml
```
After the build is complete, flash imagename.sdimg to the SD card using Raspberry Pi Imager. Below are the boot logs captured over serial, where I got the error complaining that boot.img is not found on the SD card. Please let me know if I'm missing anything.
**Error Logs:**
```text
2.62 RPi: BOOTLOADER release VERSION:69471177 DATE: 2025/05/08 TIME: 16:21:35
2.62 BOOTMODE: 0x06 partition 0 build-ts BUILD_TIMESTAMP=1746717695 serial 7c2
2.36 Unsupported boot order 6
2.61 Boot mode: SD (01) order f254
2.82 SD HOST: 200000000 CTL0: 0x00800000 BUS: 400000 Hz actual: 390625 HZ div6
2.83 SD HOST: 200000000 CTL0: 0x00800f00 BUS: 400000 Hz actual: 390625 HZ div6
2.98 OCR c0ff8000
CID: 000353444a554c494580d5b740550127
CSD: 400e00325b59000076b27f800a404000
2.98 SD: bus-width: 4 spec: 2 SCR: 0x02358043 0x00000000
2.99 SD HOST: 200000000 CTL0: 0x00800f04 BUS: 50000000 Hz actual: 50000000 HZ2
3.00 MBR: 0x0000c000, 206848 type: 0x0c
3.01 MBR: 0x00040000, 770048 type: 0x83
3.01 MBR: 0x000fc000, 770048 type: 0x83
3.01 MBR: 0x001b8000, 262144 type: 0x83
3.21 Trying partition: 0
3.49 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4)
3.05 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512
3.06 FAT16 clusters 51603
3.06 [sdcard] autoboot.txt not found
3.06 Select partition rsts 0 C(boot_partition) 0 EEPROM config 0 result 1
3.71 Trying partition: 1
3.76 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4)
3.08 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512
3.08 FAT16 clusters 51603
3.89 secure-boot
3.91 Loading boot.img ...
3.09 boot.sig
3.09 hash: b70a74e651e9bde92dd921ac6b26c9704077bcec431518c384aafd0c39f98fc7
3.10 ts: 1750829740
3.10 rsa2048: 7937a7eeacf12d1433011cc1fcbd57901e0d0796fafce03d811a44e54f255f8c
3.15 [sdcard] boot.img not found
3.53 Error 6 loading boot.img
3.55 Boot mode: USB-MSD (04) order f25
3.17 PCI0 init
3.17 PCI0 reset
3.34 PCIe scan 00001106:00003483
3.46 XHCI-STOP
3.46 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
3.47 USBSTS 11
3.47 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
3.48 xHC0 ports 5 slots 32 intrs 4
3.18 USB2[3] 400202e1 connected
3.33 USB2 root HUB port 1 init
3.53 DEV [01:00] 2.16 000000:01 class 9 VID 2109 PID 3431
3.53 HUB init [01:00] 2.16 000000:01
```

Asked by URegal
(1 rep)
Jun 26, 2025, 05:46 AM
Last activity: Jun 28, 2025, 03:42 AM
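The log above shows the bootloader finding and parsing boot.sig (hash, ts, rsa2048) but then failing with "boot.img not found", i.e. the signature file reached the FAT partition without the image it covers. The following pre-flight check, added here as an example and not part of the question or of the rpi-eeprom tooling, runs on the host against a mounted boot partition (or the staging directory the yocto classes fill) before flashing: it parses boot.sig, confirms boot.img sits beside it, and recomputes the sha256 to make sure the signature was taken over the image actually being shipped. The boot.sig layout (sha256 hex on the first line, then `ts:` and `rsa2048:` lines) is assumed from rpi-eeprom-digest.sh's output; the sample image and signature at the bottom are constructed.

```python
import hashlib
import re
from pathlib import Path

# boot.sig layout as written by rpi-eeprom-digest.sh (assumed here; the bootloader echoes
# the same three fields in the question's log): line 1 is the sha256 hex of boot.img,
# then "ts: <unix timestamp>", then "rsa2048: <512 hex chars of RSA-2048 signature>".
_FIELD_RE = {
    "hash": re.compile(r"^([0-9a-f]{64})$"),
    "ts": re.compile(r"^ts:\s*(\d+)$"),
    "rsa2048": re.compile(r"^rsa2048:\s*([0-9a-f]{512})$"),
}

def parse_boot_sig(text):
    """Parse boot.sig text into {'hash', 'ts', 'rsa2048'}; raise ValueError if malformed."""
    fields = {}
    for line in filter(None, (s.strip() for s in text.splitlines())):
        key = next((k for k, rx in _FIELD_RE.items() if rx.match(line)), None)
        if key is None:
            raise ValueError(f"unexpected line in boot.sig: {line!r}")
        fields[key] = _FIELD_RE[key].match(line).group(1)
    missing = [k for k in _FIELD_RE if k not in fields]
    if missing:
        raise ValueError("boot.sig missing field(s): " + ", ".join(missing))
    return fields

def check_boot_files(files):
    """files: {name: bytes} as found in the FAT boot partition. Returns a list of problems."""
    if "boot.sig" not in files:
        return ["boot.sig not found: the image is unsigned and secure boot will refuse it"]
    try:
        sig = parse_boot_sig(files["boot.sig"].decode("ascii", "replace"))
    except ValueError as exc:
        return [str(exc)]
    if "boot.img" not in files:
        return ["boot.img not found next to boot.sig (the 'Error 6 loading boot.img' case)"]
    digest = hashlib.sha256(files["boot.img"]).hexdigest()
    if digest != sig["hash"]:
        return [f"sha256 mismatch: boot.sig has {sig['hash'][:12]}.., boot.img is {digest[:12]}.."]
    return []

def check_boot_partition(boot_dir):
    """Run the same check over a mounted boot partition (or the directory staged for it)."""
    files = {p.name: p.read_bytes() for p in Path(boot_dir).iterdir() if p.is_file()}
    return check_boot_files(files)

# Constructed sample (not from the question): a fake boot.img and a boot.sig that matches it.
SAMPLE_IMG = b"constructed boot.img payload"
SAMPLE_SIG = (hashlib.sha256(SAMPLE_IMG).hexdigest() + "\nts: 1750829740\nrsa2048: " + "ab" * 256 + "\n").encode()
```

An empty list from `check_boot_partition("/mnt/boot")` means the files the bootloader looks for are present and consistent; it does not verify the RSA signature itself, which is the job of the public key burned into the EEPROM.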