mirror of
https://github.com/raspberrypi/rpi-eeprom.git
synced 2026-01-20 21:13:36 +08:00
* 2711: (recovery) Automatically set revoke_devkey if program_pubkey=1

  Previously, on BCM2711 products it was possible to program the key hash without revoking the development key. This can be useful for testing but should never be used in production because it is possible to install an older version of the bootloader which doesn't support secure-boot.

  Since the secure-boot tools are stable and have improved usability (RPi secure-boot provisioner), this test feature is not necessary and is just a security risk, so the behaviour is changed to always revoke the development key if program_pubkey=1.

  This change is not relevant on BCM2712 because secure-boot requires that the second stage bootloader is counter-signed with the customer's private key.
512 KiB
512 KiB