u-boot on raspberry pi with secure boot

Simon Glass sjg at chromium.org
Wed Aug 21 04:10:33 CEST 2024


Hi Jonas,

On Mon, 19 Aug 2024 at 07:11, Jonas Kvinge <jonaski at opensuse.org> wrote:
>
> Hi,
>
> I have a custom installation of openSUSE Tumbleweed which uses u-boot
> and Grub.
> To use secure boot on the RPI, one creates a boot.img containing the
> kernel and other files which is signed, and the eeprom is locked to
> only allow booting with this signature.
> (https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md
> ).
> Since I'm using u-boot, I'm creating a boot.img containing u-boot.bin
> instead of the linux kernel and ramdisk.
> But then nothing is locking down which kernel can boot, since that's
> controller by UEFI and Grub. u-boot starts Grub from the UEFI
> partition, and Grub starts the kernel from a separate /boot partition.
> And I see no way to change this
> I use a 3 partition setup where the partitions are 1. FAT UEFI
> partition, 2. Linux ext4 /boot partition, 3. Encrypted LUKS ext4 root
> partition.
> I've been looking into
> https://trac.gateworks.com/wiki/secure_boot#SecuringtheKernelFDTramdiskviaFITimages
> But is that possible to do with my current setup? Can I include grub
> and the kernel/initrd in the boot.img and make u-boot use that instead
> of from the UEFI partition?

It's 'U-Boot', BTW.

I don't fully understand your situation, but you should be able to use
FIT as there is an EFI test for it - see
test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py

Note that RPI typically uses a private bootloader, so I'm not sure how
secure it can actually be.

Regards,
Simon


More information about the U-Boot mailing list