Rasmus Villemoes 3a16bd016f rpi-eeprom-digest: support specifying keys via PKCS#11 URI
In production setups, it is quite normal that the private key does not
exist as a file in the file system, but is kept inside some HSM,
remote signing service or similar, and only accessed via some pkcs#11
interface; moreover, by design, the private key _cannot_ be extracted
from the HSM or signing service.

In such a case, the user will have set OPENSSL_CONF to some
configuration file setting up the appropriate engine, and the "key" is
simply the pkcs#11 URI, e.g. "pkcs11:model=foo;object=bar".

In order to support this use case, automatically infer the appropriate
options to pass to openssl-dgst if "${KEY}" begins with
"pkcs11:". Doing this at the top level avoids duplicating the logic in
both writeSig and verifySig. While here, this also adds a sanity check
that -v can only be used while also providing a (public) key to check
against.

This drops the -keyform argument in the non-pkcs#11 case, as openssl
automatically infers the type, and this then in fact allows one to use
a private key in e.g. DER format.

Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
2025-03-06 16:04:38 +00:00
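
One way to implement the key-option inference and the `-v` sanity check that the commit message above describes, as an added example that is not the rpi-eeprom-digest source. The function names, the engine id `pkcs11` and the `-sha256` digest are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not the project's code. All function names are hypothetical.

# Print the openssl-dgst key-loading options for a key argument.
# Assumption: the file named by OPENSSL_CONF registers the PKCS#11
# engine under the id "pkcs11".
key_load_opts() {
    case "$1" in
        pkcs11:*) printf '%s\n' "-engine pkcs11 -keyform engine" ;;
        *)        printf '\n' ;;  # key file: openssl infers PEM or DER itself
    esac
}

# Sanity check: verifying a signature needs a (public) key.
# $1 = signature file passed to -v (may be empty), $2 = key (may be empty)
check_verify_args() {
    if [ -n "$1" ] && [ -z "$2" ]; then
        echo "-v requires a (public) key to check against" >&2
        return 1
    fi
    return 0
}

# Build the signing command line without running it, so the inferred
# options can be inspected without an HSM or engine being present.
# $1 = key (file path or pkcs11: URI), $2 = image, $3 = output signature
sign_cmd() {
    opts=$(key_load_opts "$1")
    # -sha256 is this example's choice of digest (assumption).
    printf 'openssl dgst -sha256 %s-sign "%s" -out "%s" "%s"\n' \
        "${opts:+$opts }" "$1" "$3" "$2"
}
```

Because the decision is made once from the key string, the same options can be reused for both signing and verifying, and a private key held in an HSM is only ever referenced by its URI.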

rpi-eeprom

This repository contains the scripts and pre-compiled binaries used to create the rpi-eeprom package, which is used to update the Raspberry Pi 4 and Raspberry Pi 5 bootloader EEPROM images.

Support

Please check the Raspberry Pi general discussion forum if you have a support question.

Reset to factory defaults

To reset the bootloader back to factory defaults, use Raspberry Pi Imager to write an EEPROM update image to a spare SD card. Select Misc utility images under the Operating System tab.

Bootloader documentation
