diff --git a/.gitignore b/.gitignore
index 90fb74e..bdb1f96 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ src/.env
 .vscode/settings.json
 src/provision.log
 *.img
+usbboot/
diff --git a/README.md b/README.md
index c6eb326..b820e03 100644
--- a/README.md
+++ b/README.md
@@ -52,3 +52,8 @@ For production, the devices need to be provisoned uniquely
 - start the application (script if custom device, server and frontend if ui version)
 - set mac add of secondary eth port in /etc/systemd/network/10-eth1-mac.link
 - activate overlayfs (?) -probably not because we need persistent storage for stream states
+
+## Secure-boot CM4: unlock secure USB mass-storage
+bash gen-secure-msd-sig.sh
+bash rpi-boot-secure.sh
+
diff --git a/gen-secure-msd-sig.sh b/gen-secure-msd-sig.sh
new file mode 100644
index 0000000..721687d
--- /dev/null
+++ b/gen-secure-msd-sig.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+USBBOOT_DIR="${SCRIPT_DIR}/usbboot"
+TOOLS_SCRIPT="${USBBOOT_DIR}/tools/rpi-eeprom-digest"
+MSD_DIR="${USBBOOT_DIR}/secure-boot-msd"
+KEY_FILE="${SCRIPT_DIR}/private.pem"
+
+if [[ ! -d "${USBBOOT_DIR}" ]]; then
+ echo "Error: usbboot/ directory not found at ${USBBOOT_DIR}." >&2
+ exit 1
+fi
+
+if [[ ! -f "${TOOLS_SCRIPT}" ]]; then
+ echo "rpi-eeprom-digest not found at ${TOOLS_SCRIPT}, initialising usbboot submodules..." >&2
+ (
+ cd "${USBBOOT_DIR}" &&
+ git submodule update --init
+ )
+
+ if [[ ! -f "${TOOLS_SCRIPT}" ]]; then
+ echo "Error: rpi-eeprom-digest still not found at ${TOOLS_SCRIPT} after submodule init." >&2
+ exit 1
+ fi
+fi
+
+if [[ ! -d "${MSD_DIR}" ]]; then
+ echo "Error: secure-boot-msd directory not found at ${MSD_DIR}." >&2
+ exit 1
+fi
+
+if [[ ! -f "${MSD_DIR}/boot.img" ]]; then
+ echo "Error: boot.img not found at ${MSD_DIR}/boot.img." >&2
+ exit 1
+fi
+
+if [[ ! -f "${KEY_FILE}" ]]; then
+ echo "Error: private key not found at ${KEY_FILE}." >&2
+ exit 1
+fi
+
+echo "Signing ${MSD_DIR}/boot.img with key ${KEY_FILE}..."
+
+# Call the helper script via bash to avoid executable/symlink issues
+bash "${TOOLS_SCRIPT}" -i "${MSD_DIR}/boot.img" -o "${MSD_DIR}/boot.sig" -k "${KEY_FILE}"
+
+echo "Created ${MSD_DIR}/boot.sig"
diff --git a/rpi-boot-secure.sh b/rpi-boot-secure.sh
new file mode 100644
index 0000000..9f5a382
--- /dev/null
+++ b/rpi-boot-secure.sh
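Review bot: The signing key defaults to `KEY_FILE="${SCRIPT_DIR}/private.pem"`, i.e. the repository root next to the scripts, and the visible part of the .gitignore hunk in this same commit adds `usbboot/` but no `*.pem` entry, so the secure-boot private key placed where the script expects it is an untracked file one `git add .` away from being committed. Since this key signs whatever the CM4 will accept as a boot image, I would let callers keep it outside the tree and only fall back to the in-repo path: `KEY_FILE="${RPI_SIGNING_KEY:-${SCRIPT_DIR}/private.pem}"` in the script, plus a `*.pem` line in .gitignore. A second point at the `bash "${TOOLS_SCRIPT}"` line: as far as the diff shows, `usbboot/` is now ignored rather than vendored or submoduled, so nothing in this repo pins which revision of `rpi-eeprom-digest` (fetched on demand by the `git submodule update --init` above) is handed the private key; document the expected usbboot tag, or check the checkout's revision before signing, so the key is not fed to an arbitrary script.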
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+USBBOOT_DIR="${SCRIPT_DIR}/usbboot"
+MSD_DIR="${USBBOOT_DIR}/secure-boot-msd"
+
+if [[ ! -d "${USBBOOT_DIR}" ]]; then
+ echo "Error: usbboot/ directory not found next to this script (${USBBOOT_DIR})." >&2
+ echo " Please clone https://github.com/raspberrypi/usbboot into the project root." >&2
+ exit 1
+fi
+
+if [[ ! -x "${USBBOOT_DIR}/rpiboot" ]]; then
+ echo "Error: rpiboot binary not found at ${USBBOOT_DIR}/rpiboot." >&2
+ echo " Build it via: cd usbboot && make" >&2
+ exit 1
+fi
+
+if [[ ! -f "${MSD_DIR}/boot.img" ]]; then
+ echo "Error: ${MSD_DIR}/boot.img not found." >&2
+ echo " Use the usbboot secure-boot docs to generate a suitable boot.img." >&2
+ exit 1
+fi
+
+if [[ ! -f "${MSD_DIR}/boot.sig" ]]; then
+ echo "Error: ${MSD_DIR}/boot.sig not found." >&2
+ echo " Sign boot.img with your private key using rpi-eeprom-digest to create boot.sig." >&2
+ exit 1
+fi
+
+cat <