Channel: Raspberry Pi Forums

General discussion • Re: Raspberry PI 5 Secure Boot

Currently, secure-boot is typically used with lightweight buildroot images for embedded applications. Typically a read-only rootfs that runs an application e.g. docker from an encrypted rootfs.

Enabling secure-boot instructs the firmware to load files from a signed boot.img ramdisk instead of the boot partition. This must contain at least config.txt, kernel, device-tree plus optionally initramfs and overlays.

A simple example based on the mass-storage-gadget buildroot is available here.
https://github.com/raspberrypi/buildroo ... README.md
The sign.sh script for the mass-storage-gadget64 can be used to sign boot.img
https://github.com/raspberrypi/usbboot/ ... d-bcm2712
Right now, this is the only example for Pi5. It's a good starting point for exploring secure-boot.

However, I would re-iterate (for other users) that the first step for secure-boot is to get the OS running from a boot.img ramdisk before locking the Pi into secure-boot mode by programming the OTP.

Thank you for your reply. I have tried mass-storage-gadget64 to sign the boot.img file
using:
KEY_FILE=$HOME/private.pem
./sign.sh ${KEY_FILE}
But I encountered the error:
KEY_FILE=$HOME/private.pem
./sign.sh ${KEY_FILE}
Signing OS image /Users/pojitha.k/Desktop/Vault IoT/untitled folder/usbboot/mass-storage-gadget64/bootfiles.original.bin
Signing 2712/bootcode5.bin
Signing firmware in 2712/bootcode5.bin
./sign.sh: line 21: rpi-sign-bootcode: command not found
Failed to sign bootcode5.bin

Statistics: Posted by pojitha99 — Fri May 03, 2024 9:40 am
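
The post above stops on a tool that is not on PATH, and the quoted advice lists what boot.img must contain. As an added example (not code from the usbboot project or from either poster), here is a preflight check that could run before the signing script; the function names, the staging directory and the `kernel*.img` / `*.dtb` patterns are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks before running a boot.img signing script.
# Function names and the two glob defaults are assumptions, not project code.
# Usage: preflight "$KEY_FILE" ./staging rpi-sign-bootcode && ./sign.sh "$KEY_FILE"

KERNEL_GLOB=${KERNEL_GLOB:-'kernel*.img'}   # assumed kernel file naming
DTB_GLOB=${DTB_GLOB:-'*.dtb'}               # assumed device-tree naming

# Succeed only if every named tool resolves on PATH; report each missing one.
check_tools() {
    t_rc=0
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "not on PATH: $tool" >&2; t_rc=1; }
    done
    return "$t_rc"
}

# Succeed if the signing key is readable and not readable by group or others.
check_key() {
    [ -r "$1" ] || { echo "key not readable: $1" >&2; return 1; }
    loose=$(find "$1" -prune \( -perm -040 -o -perm -004 \))
    [ -z "$loose" ] || { echo "key readable by group/other: $1" >&2; return 1; }
}

# True if directory $1 holds a regular file matching glob $2 (spaces in $1 are safe).
has_match() {
    for f in "$1"/$2; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Check for the minimum boot.img contents: config.txt, a kernel, a device tree.
check_bootfiles() {
    b_rc=0
    [ -f "$1/config.txt" ] || { echo "missing config.txt in $1" >&2; b_rc=1; }
    has_match "$1" "$KERNEL_GLOB" || { echo "no kernel ($KERNEL_GLOB) in $1" >&2; b_rc=1; }
    has_match "$1" "$DTB_GLOB" || { echo "no device tree ($DTB_GLOB) in $1" >&2; b_rc=1; }
    return "$b_rc"
}

# Run every check so all problems are reported in one pass.
preflight() {
    key=$1; dir=$2; shift 2
    p_rc=0
    check_key "$key" || p_rc=1
    check_bootfiles "$dir" || p_rc=1
    check_tools "$@" || p_rc=1
    return "$p_rc"
}
```

Quoting `"$KEY_FILE"` and the directory argument matters here because the working path in the post contains spaces.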


