raspberrypi/rpi-eeprom
1
0
Fork 0
mirror of https://github.com/raspberrypi/rpi-eeprom.git synced 2026-01-21 06:13:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

tools: rpi-eeprom-digest: Improve docs for secure-boot

Browse Source 
Make it clearer that rpi-eeprom-digest is used create optionally
signed hashes for binary files.

For secure-boot the update-pieeprom.sh wrapper must be used
because only the boot configuration is signed by the customer
key rather than the entire SPI flash image.
This commit is contained in:
Tim Gover
2024-03-27 10:48:02 +00:00
committed by Tim Gover
parent 07bf72a919
commit 14f05613b4
1 changed files with 21 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
rpi-eeprom-digest
View File

@@ -41,11 +41,20 @@ usage() {
cat <<EOF cat <<EOF
rpi-eeprom-digest [-k RSA_KEY] -i IMAGE -o OUTPUT rpi-eeprom-digest [-k RSA_KEY] -i IMAGE -o OUTPUT
Creates a .sig file containing the sha256 digest of the IMAGE and an optional Tool to generate .sig files containing the SHA256 digest and optional
RSA signature of that hash. RSA signature. Typically this tool is used by rpi-eeprom-update to
generate a hash to guard against file-system corruption for EEPROM updates
OR for signing OS images (boot.img) for secure-boot.
This tool CANNOT be used directly to sign an bootloader EEPROM image
for secure-boot because the signed data is bootloader configuration file
rather than the entire flash image.
To create signed bootloader images please see
https://github.com/raspberrypi/usbboot/tree/master/secure-boot-recovery/README.md
Options: Options:
-i The source image. -i The source image e.g. boot.img
-o The name of the digest/signature file. -o The name of the digest/signature file.
-k Optional RSA private key. -k Optional RSA private key.
@@ -58,16 +67,20 @@ The bootloader only verifies RSA signatures in signed boot mode
Examples: Examples:
# Generate RSA signature for the EEPROM config file.
rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
# Generate the normal sha256 hash to guard against file-system corruption # Generate the normal sha256 hash to guard against file-system corruption
rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
rpi-eeprom-digest -i vl805.bin -o vl805.sig rpi-eeprom-digest -i vl805.bin -o vl805.sig
# Generate a signed OS ramdisk image for secure-boot
rpi-eeprom-digest -k private.pem -i boot.img -o boot.sig
# Generate RSA signature for the EEPROM config file
# As used by update-pieeprom.sh in usbboot/secure-boot-recovery
rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
# To verify the signature of an existing .sig file using the public key. # To verify the signature of an existing .sig file using the public key.
# N.B The key file must be the PUBLIC key in PEM format. # N.B The key file must be the PUBLIC key in PEM format.
rpi-eeprom-digest -k public.pem -i pieeprom.bin -v pieeprom.sig rpi-eeprom-digest -k public.pem -i boot.bin -v boot.sig
EOF EOF
exit 0 exit 0