secure boot working

2026-03-04 17:43:11 +01:00
parent 48444c029c
commit 9d05be4d32
4 changed files with 69 additions and 7 deletions


@@ -17,7 +17,10 @@ make -C rpi-buildroot-fork O=$(pwd)/output BR2_EXTERNAL=$(pwd)/beacon-buildroot
## SSH / find IP ## SSH / find IP
```bash ```bash
# Non-secure-boot CM4 (MAC e4:5f:01:e9:13:96):
CM4=$(ip neigh show dev enp0s31f6 | awk '/e4:5f:01:e9:13:96/{print $1}') CM4=$(ip neigh show dev enp0s31f6 | awk '/e4:5f:01:e9:13:96/{print $1}')
# Secure-boot CM4 (MAC 2c:cf:67:fd:93:1a):
CM4=$(ip neigh show dev enp0s31f6 | awk '/2c:cf:67:fd:93:1a/{print $1}')
sshpass -p beacon ssh user@$CM4 # login: user / beacon sshpass -p beacon ssh user@$CM4 # login: user / beacon
``` ```
@@ -27,9 +30,11 @@ sshpass -p beacon ssh user@$CM4 # login: user / beacon
sshpass -p beacon ssh user@$CM4 'sudo tee /upload/rootfs.raucb >/dev/null' \ sshpass -p beacon ssh user@$CM4 'sudo tee /upload/rootfs.raucb >/dev/null' \
< output/images/rootfs.raucb < output/images/rootfs.raucb
# install + reboot: # install + reboot:
sshpass -p beacon ssh user@$CM4 'rauc install /upload/rootfs.raucb && sudo reboot' sshpass -p beacon ssh -tt user@$CM4 'rauc install /upload/rootfs.raucb && sudo reboot'
# after reboot — find new IP, then: # after reboot — find new IP, then mark-good (REQUIRED on every new boot to confirm slot):
sshpass -p beacon ssh user@$CM4 'rauc status mark-good && rauc status' sshpass -p beacon ssh -tt user@$CM4 'rauc status mark-good && rauc status'
# NOTE: rauc commands need -tt (PTY) on Dropbear SSH or output is silently dropped
# NOTE: mark-good MUST be called after each OTA reboot — without it RAUC falls back to previous slot
``` ```
## UART ## UART
@@ -41,7 +46,26 @@ socat -u /dev/ttyUSB1,b115200,rawer,crnl OPEN:/tmp/uart.log,creat,trunc & # hea
## Rescue ## Rescue
Short GPIO4 (pin 7) → GND (pin 9) during power-on → boots `/dev/mmcblk0p2`. Short GPIO4 (pin 7) → GND (pin 9) during power-on → boots `/dev/mmcblk0p2`.
## Secure Boot (Milestone 2) ## Secure Boot — Unlock as MSD
```bash
# Sign the MSD boot image with private.pem (once, or after rpi-eeprom submodule init):
cd usbboot/secure-boot-msd
../tools/rpi-eeprom-digest -i boot.img -o boot.sig -k ../../private.pem
# Expose eMMC as USB mass storage (user must bridge EMMC_DISABLE jumper first):
sudo ./usbboot/rpiboot -d usbboot/secure-boot-msd
# Flash:
sudo bmaptool copy output/images/sdcard.img.xz /dev/sda
```
## UART / Power Cycle
> **The user handles power cycling and UART logging manually.**
> Ask user to: remove EMMC_DISABLE jumper → power-cycle → connect picocom.
```bash
picocom -b 115200 /dev/ttyUSB1 # user runs this to see boot log
```
Expected secure boot log lines: `secure-boot`, `rsa-verify pass (0x0)`, then U-Boot.
## Secure Boot — Provision (burn OTP)
```bash ```bash
update-pieeprom.sh -k private.pem && rpiboot -d secure-boot-recovery update-pieeprom.sh -k private.pem && rpiboot -d secure-boot-recovery
``` ```


@@ -1,4 +1,4 @@
image boot.vfat { image boot.img {
vfat { vfat {
files = { files = {
"bcm2711-rpi-cm4.dtb", "bcm2711-rpi-cm4.dtb",
@@ -12,6 +12,6 @@ image boot.vfat {
} }
} }
size = 256M size = 64M
} }


@@ -0,0 +1,12 @@
image boot.vfat {
vfat {
files = {
"config.txt",
"boot.img",
"boot.sig",
"boot.scr"
}
}
size = 256M
}
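Review bot: The `"boot.scr"` entry in the files list places a U-Boot script on the outer partition, which is outside boot.img and therefore not covered by boot.sig; if the U-Boot inside boot.img ends up sourcing this copy rather than one bundled inside the signed image, that is an unsigned input on the secure-boot path. The same applies to the outer `config.txt`, which the post-image script writes unsigned, so it is worth documenting in this file which of these the firmware and U-Boot actually read and which are only present for the non-secure-boot path. A one-line comment above the list would do, e.g. `# Only boot.img is verified via boot.sig; confirm U-Boot does not read boot.scr/config.txt from this outer partition`. I cannot tell from the hunk where boot.scr is consumed, so this is a question to confirm rather than a certain defect.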


@@ -7,6 +7,9 @@ BOARD_NAME="$(basename ${BOARD_DIR})"
GENIMAGE_CFG="${BOARD_DIR}/genimage.cfg" GENIMAGE_CFG="${BOARD_DIR}/genimage.cfg"
GENIMAGE_TMP="${BUILD_DIR}/genimage.tmp" GENIMAGE_TMP="${BUILD_DIR}/genimage.tmp"
GENBOOTFS_CFG="${BOARD_DIR}/genbootfs.cfg" GENBOOTFS_CFG="${BOARD_DIR}/genbootfs.cfg"
GENOUTERFS_CFG="${BOARD_DIR}/genouterfs.cfg"
PRIVATE_KEY="${BR2_EXTERNAL_BEACON_PATH}/../private.pem"
EEPROM_DIGEST="${BR2_EXTERNAL_BEACON_PATH}/../usbboot/tools/rpi-eeprom-digest"
RAUC_COMPATIBLE="${2:-beacon-cm4}" RAUC_COMPATIBLE="${2:-beacon-cm4}"
# Pass VERSION as an environment variable (eg: export from a top-level Makefile) # Pass VERSION as an environment variable (eg: export from a top-level Makefile)
@@ -23,7 +26,7 @@ ROOTPATH_TMP="$(mktemp -d)"
rm -rf "${GENIMAGE_TMP}" rm -rf "${GENIMAGE_TMP}"
# Generate the boot filesystem image # Generate the inner boot filesystem image (boot.img)
genimage \ genimage \
--rootpath "${ROOTPATH_TMP}" \ --rootpath "${ROOTPATH_TMP}" \
@@ -32,6 +35,29 @@ genimage \
--outputpath "${BINARIES_DIR}" \ --outputpath "${BINARIES_DIR}" \
--config "${GENBOOTFS_CFG}" --config "${GENBOOTFS_CFG}"
# Sign boot.img for secure boot (SIGNED_BOOT=1 EEPROM)
if [ -f "${PRIVATE_KEY}" ] && [ -f "${EEPROM_DIGEST}" ]; then
echo "==> Signing boot.img with ${PRIVATE_KEY}"
"${EEPROM_DIGEST}" -i "${BINARIES_DIR}/boot.img" -o "${BINARIES_DIR}/boot.sig" -k "${PRIVATE_KEY}"
else
echo "WARNING: private.pem or rpi-eeprom-digest not found — boot.img unsigned (will not boot on secure-boot locked CM4)"
sha256sum "${BINARIES_DIR}/boot.img" | awk '{print $1}' > "${BINARIES_DIR}/boot.sig"
fi
# Create outer boot.vfat: config.txt (boot_ramdisk=1) + boot.img + boot.sig
cat > "${BINARIES_DIR}/config.txt" << 'OUTER_CONFIG'
boot_ramdisk=1
uart_2ndstage=1
OUTER_CONFIG
rm -rf "${GENIMAGE_TMP}"
genimage \
--rootpath "${ROOTPATH_TMP}" \
--tmppath "${GENIMAGE_TMP}" \
--inputpath "${BINARIES_DIR}" \
--outputpath "${BINARIES_DIR}" \
--config "${GENOUTERFS_CFG}"
# Generate a RAUC update bundle for the full system (bootfs + rootfs) # Generate a RAUC update bundle for the full system (bootfs + rootfs)
[ -e ${BINARIES_DIR}/update.raucb ] && rm -rf ${BINARIES_DIR}/update.raucb [ -e ${BINARIES_DIR}/update.raucb ] && rm -rf ${BINARIES_DIR}/update.raucb
[ -e ${BINARIES_DIR}/temp-update ] && rm -rf ${BINARIES_DIR}/temp-update [ -e ${BINARIES_DIR}/temp-update ] && rm -rf ${BINARIES_DIR}/temp-update
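Review bot: The signing call in the `if` branch (`"${EEPROM_DIGEST}" -i ... -k "${PRIVATE_KEY}"`) has no explicit status check, so if the digest tool fails (bad key, unreadable input) the build can continue with a missing or stale boot.sig from a previous run and only fail later on the device; the script header with any `set -e` is outside this hunk, so I cannot confirm it would abort. I would make the failure explicit, e.g. `"${EEPROM_DIGEST}" -i "${BINARIES_DIR}/boot.img" -o "${BINARIES_DIR}/boot.sig" -k "${PRIVATE_KEY}" \` followed by `  || { echo "ERROR: signing boot.img failed" >&2; exit 1; }`, and send the unsigned-build WARNING in the else branch to stderr as well so it is not lost in build output. Separately, `PRIVATE_KEY` is fixed to a path next to the checkout; allowing an override such as `PRIVATE_KEY="${PRIVATE_KEY:-${BR2_EXTERNAL_BEACON_PATH}/../private.pem}"` lets CI supply the key from a secret store without placing it beside the source tree. The enclosing script continues past the end of this hunk.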