**The goal is to sign the Mender Yocto image and run it on a secure-boot-enabled Raspberry Pi.**

I have a Raspberry Pi 4 and the Yocto image from Mender (open-source OTA platform).

Referring to the **[Secure Boot Example Readme][1]**, I enabled secure boot on the Raspberry Pi 4.

**Step-1 Generate Key**

Source the Python virtual environment, install pycryptodomex and generate the private key, then export the variable KEY_FILE.

    source path/to/python/virtual_env/activate
    pip install pycryptodomex
    openssl genrsa 2048 > private.pem
    export KEY_FILE=$(pwd)/private.pem

**Step-2 Secure-boot-recovery**

Once the private key is generated, I cloned the secure boot git repository and compiled it to get the rpiboot binary.

    git clone https://github.com/raspberrypi/usbboot secure-boot
    cd secure-boot
    git submodule update --init
    make

To enable rpiboot mode, I set program_rpiboot_gpio=5 in secure-boot/secure-boot-recovery/config.txt and connected it to the GND pin, then connected the Raspberry Pi 4 to the host with USB Type-C.

 [![updated config.txt][2]][2] 

Then, in the secure boot directory, sign the pieeprom image with the private key generated in Step-1 and flash it to the EEPROM.

    cd secure-boot-recovery
    ../tools/update-pieeprom.sh -k "${KEY_FILE}"
    cd ..
    ./rpiboot -d secure-boot-recovery

Now secure boot is enabled on the Raspberry Pi 4; it will only run signed images and, referring to the document [Raspberry Pi 4 Boot Security][3], the Raspberry Pi 4 expects a signed boot.img.

**Step-3 Process to create a signed Mender Yocto image**

In this process the Mender Yocto image is modified. The Mender Yocto build creates an SD-card-flashable imagename.sdimg which contains the boot partition, the RootFS A/B partitions and the data partition; to flash the boot files to the boot partition it creates imagename.bootimg, which is then packaged into imagename.sdimg. To make it work with secure boot enabled on the Raspberry Pi 4, I modified two files: I changed imagename.bootimg to boot.img and added the image signing code, referring to the sign.sh script in secure-boot/secure-boot-example and the rpi-eeprom-digest.sh script in secure-boot/tools/rpi-eeprom.

Dependencies: a Python virtual env and kas need to be installed.

    source /path/to/python/venv/activate
    pip install kas
    mkdir mender-raspberrypi4 && cd mender-raspberrypi4
    git clone https://github.com/theyoctojester/meta-mender-community -b scarthgap
    cd meta-mender-community
    mkdir my-raspberrypi4 && cd my-raspberrypi4

I modified some files to make it work.

So the files mender-bootimg.bbclass and mender-part-images.bbclass from [classes][4] were modified to create the vfat image boot.img and sign it; the added code references the sign.sh script in [secure-boot-example][5] and outputs boot.sig, which is then copied to the boot partition. The modified files are in Image and Modified Files.

**Build Command**

    kas build ../kas/demos/raspberrypi4-64-wifi.yml

To give it a quick try, here is the link: [Image and Modified Files][6]. Flash the generated image to the SD card, sign it with the private key, flash the secure-boot-recovery pieeprom via rpiboot and boot.

Please let me know if there is anything I'm missing.

**Error Logs:**

    2.62 RPi: BOOTLOADER release VERSION:69471177 DATE: 2025/05/08 TIME: 16:21:35
    2.62 BOOTMODE: 0x06 partition 0 build-ts BUILD_TIMESTAMP=1746717695 serial 7c2
    2.36 Unsupported boot order 6
    2.61 Boot mode: SD (01) order f254
    2.82 SD HOST: 200000000 CTL0: 0x00800000 BUS: 400000 Hz actual: 390625 HZ div6
    2.83 SD HOST: 200000000 CTL0: 0x00800f00 BUS: 400000 Hz actual: 390625 HZ div6
    2.98 OCR c0ff8000 [171]
    CID: 000353444a554c494580d5b740550127
    CSD: 400e00325b59000076b27f800a404000
    2.98 SD: bus-width: 4 spec: 2 SCR: 0x02358043 0x00000000
    2.99 SD HOST: 200000000 CTL0: 0x00800f04 BUS: 50000000 Hz actual: 50000000 HZ2
    3.00 MBR: 0x0000c000, 206848 type: 0x0c
    3.01 MBR: 0x00040000, 770048 type: 0x83
    3.01 MBR: 0x000fc000, 770048 type: 0x83
    3.01 MBR: 0x001b8000, 262144 type: 0x83
    3.21 Trying partition: 0
    3.49 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4)
    3.05 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512
    3.06 FAT16 clusters 51603
    3.06 [sdcard] autoboot.txt not found
    3.06 Select partition rsts 0 C(boot_partition) 0 EEPROM config 0 result 1
    3.71 Trying partition: 1
    3.76 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4)
    3.08 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512
    3.08 FAT16 clusters 51603
    3.89 secure-boot
    3.91 Loading boot.img ...
    3.09 boot.sig
    3.09 hash: b70a74e651e9bde92dd921ac6b26c9704077bcec431518c384aafd0c39f98fc7
    3.10 ts: 1750829740
    3.10 rsa2048: 7937a7eeacf12d1433011cc1fcbd57901e0d0796fafce03d811a44e54f255f8c
    3.15 [sdcard] boot.img not found
    3.53 Error 6 loading boot.img
    3.55 Boot mode: USB-MSD (04) order f25
    3.17 PCI0 init
    3.17 PCI0 reset
    3.34 PCIe scan 00001106:00003483
    3.46 XHCI-STOP
    3.46 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
    3.47 USBSTS 11
    3.47 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
    3.48 xHC0 ports 5 slots 32 intrs 4
    3.18 USB2[3] 400202e1 connected
    3.33 USB2 root HUB port 1 init
    3.53 DEV [01:00] 2.16 000000:01 class 9 VID 2109 PID 3431
    3.53 HUB init [01:00] 2.16 000000:01


 [1]: https://github.com/raspberrypi/usbboot/blob/master/secure-boot-example/README.md
 [2]: https://i.sstatic.net/oTMjEouA.png
 [3]: https://pip.raspberrypi.com/categories/685-whitepapers-app-notes/documents/RP-004651-WP/Raspberry-Pi-4-Boot-Security.pdf
 [4]: https://github.com/mendersoftware/meta-mender/tree/master/meta-mender-core/classes
 [5]: https://github.com/raspberrypi/usbboot/tree/master/secure-boot-example
 [6]: https://www.dropbox.com/scl/fi/xmjn90nvy92o89fbbgiab/RPI_Forum.zip?rlkey=g8ki0m9sz104nubtaav20dgy0&st=gb5awb1d&dl=0
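A host-side check of a boot.img/boot.sig pair before it goes onto the SD card, added here as an example; it is not part of the original post or of the usbboot tools. It assumes boot.sig carries the fields the bootloader log above prints (hash, ts, rsa2048), with rsa2048 being the hex of a PKCS#1 v1.5 SHA-256 signature over the whole image as produced by `openssl dgst -sha256 -sign`, and it shells out to the openssl CLI; the key, the fake boot.img and the file names are constructed for the demo.

```python
import hashlib
import os
import subprocess
import tempfile
import time

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_boot_sig(boot_img, priv_key, boot_sig):
    # Assumed boot.sig layout: sha256 of the image, a unix timestamp and the hex of a
    # PKCS#1 v1.5 SHA-256 RSA signature (openssl dgst -sign) over the whole image.
    sig = subprocess.run(["openssl", "dgst", "-sha256", "-sign", priv_key, boot_img],
                         check=True, capture_output=True).stdout
    with open(boot_sig, "w") as f:
        f.write(f"hash: {sha256_file(boot_img)}\nts: {int(time.time())}\nrsa2048: {sig.hex()}\n")

def verify_boot_sig(boot_img, pub_key, boot_sig):
    # Returns (ok, reason); ok only when both the hash and the RSA signature check out.
    with open(boot_sig) as f:
        fields = dict(line.strip().partition(": ")[::2] for line in f if ": " in line)
    if fields.get("hash") != sha256_file(boot_img):
        return False, "hash in boot.sig does not match boot.img"
    if "rsa2048" not in fields:
        return False, "boot.sig carries no rsa2048 signature"
    sig_bin = boot_sig + ".bin"
    with open(sig_bin, "wb") as f:
        f.write(bytes.fromhex(fields["rsa2048"]))  # openssl needs the raw signature
    res = subprocess.run(["openssl", "dgst", "-sha256", "-verify", pub_key,
                          "-signature", sig_bin, boot_img], capture_output=True)
    return (True, "ok") if res.returncode == 0 else (False, "RSA signature does not verify")

def demo():
    # Constructed sample: make a key like `openssl genrsa 2048`, sign a fake boot.img,
    # check it, then check a tampered copy (one extra byte appended).
    with tempfile.TemporaryDirectory() as d:
        priv, pub = os.path.join(d, "private.pem"), os.path.join(d, "public.pem")
        subprocess.run(["openssl", "genrsa", "-out", priv, "2048"], check=True, capture_output=True)
        subprocess.run(["openssl", "rsa", "-in", priv, "-pubout", "-out", pub], check=True, capture_output=True)
        img, sig = os.path.join(d, "boot.img"), os.path.join(d, "boot.sig")
        with open(img, "wb") as f:
            f.write(b"constructed boot.img payload\n" * 64)
        write_boot_sig(img, priv, sig)
        good = verify_boot_sig(img, pub, sig)
        with open(img, "ab") as f:
            f.write(b"\x00")
        return good, verify_boot_sig(img, pub, sig)
```

Running `verify_boot_sig` against the real boot.img and boot.sig on the boot partition (with the public half of private.pem) tells you on the host whether the pair the bootloader will see is internally consistent.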