u-boot on raspberry pi with secure boot

Jonas Kvinge jonaski at opensuse.org
Mon Aug 19 15:11:19 CEST 2024


Hi,

I have a custom installation of openSUSE Tumbleweed which uses u-boot
and Grub.
To use secure boot on the RPI, one creates a boot.img containing the
kernel and other files which is signed, and the eeprom is locked to
only allow booting with this signature.
(https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md).
Since I'm using u-boot, I'm creating a boot.img containing u-boot.bin
instead of the linux kernel and ramdisk.
But then nothing is locking down which kernel can boot, since that's
controlled by UEFI and Grub. u-boot starts Grub from the UEFI
partition, and Grub starts the kernel from a separate /boot partition.
And I see no way to change this.
I use a 3 partition setup where the partitions are 1. FAT UEFI
partition, 2. Linux ext4 /boot partition, 3. Encrypted LUKS ext4 root
partition.
I've been looking into
https://trac.gateworks.com/wiki/secure_boot#SecuringtheKernelFDTramdiskviaFITimages
But is that possible to do with my current setup? Can I include grub
and the kernel/initrd in the boot.img and make u-boot use that instead
of from the UEFI partition?

Jonas


