u-boot on raspberry pi with secure boot

Jonas Kvinge jonaski at opensuse.org
Wed Aug 28 16:44:33 CEST 2024


Hi,
I have produced a signed linux UKI image.

But I need to build u-boot to only allow booting with the signed
certificate.

So I need a ubootefi.var for (EFI_VAR_SEED_FILE) according
tohttps://github.com/u-boot/u-boot/blob/ee2af844ba1b27b2e959c4e649e4b769fbeb4074/lib/efi_loader/Kconfig#L146

How do I produce this file?

https://lists.denx.de/pipermail/u-boot/2020-December/433925.html

If I type saveenv on the u-boot console, I get "uboot.env", is this the
file that's needed?

I've tried to sign the file using the efivar.py script, but I find very
little information on this topic, I've found this from the
mailinglist:(https://lists.denx.de/pipermail/u-boot/2020-December/433925.html).

Here's what I've tried:

./tools/efivar.py set --infile uboot.env -n db -d secureboot-db.esl -t
file
err: invalid magic number: 0x756162006d72613d



I've produced the certificates according to the instructions on
https://github.com/u-boot/u-boot/blob/master/doc/develop/uefi/uefi.rst

Jonas



More information about the U-Boot mailing list