From c0a7bba3dc49810f5c8d3b4e57a6f95ee4847222 Mon Sep 17 00:00:00 2001 From: will-v-pi <108662275+will-v-pi@users.noreply.github.com> Date: Wed, 25 Sep 2024 11:07:46 +0100 Subject: [PATCH 1/4] Add note on writing OTP to enc bootloader --- bootloaders/encrypted/README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md index f079d9469..b91340bd4 100644 --- a/bootloaders/encrypted/README.md +++ b/bootloaders/encrypted/README.md @@ -4,12 +4,17 @@ Replace private.pem and privateaes.bin with your own keys - your signing key mus openssl ecparam -name secp256k1 -genkey -out private.pem ``` -The AES key is just be a 32 byte binary file - you can create one with +The AES key is just a 32 byte binary file - you can create one with ```bash dd if=/dev/urandom of=privateaes.bin bs=1 count=32 ``` +You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that page. +```bash +picotool otp load otp.json +``` + Then either drag & drop the UF2 files to the device in order (enc_bootloader first, then hello_serial_enc) waiting for a reboot in-between, or run ```bash picotool load enc_bootloader.uf2 From 1328e02865cf10fdbfaff551a91655562c1fcbc9 Mon Sep 17 00:00:00 2001 From: will-v-pi <108662275+will-v-pi@users.noreply.github.com> Date: Wed, 25 Sep 2024 12:13:07 +0100 Subject: [PATCH 2/4] "the page" -> "the OTP page" --- bootloaders/encrypted/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md index b91340bd4..0dd0bf8e2 100644 --- a/bootloaders/encrypted/README.md 
+++ b/bootloaders/encrypted/README.md @@ -10,7 +10,7 @@ The AES key is just a 32 byte binary file - you can create one with dd if=/dev/urandom of=privateaes.bin bs=1 count=32 ``` -You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that page. +You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the OTP page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that OTP page. ```bash picotool otp load otp.json ``` From 86936fcf5fe98986f15d42df2e142ba5d34b8920 Mon Sep 17 00:00:00 2001 From: will-v-pi <108662275+will-v-pi@users.noreply.github.com> Date: Wed, 25 Sep 2024 13:27:20 +0100 Subject: [PATCH 3/4] Add note about datasheet --- bootloaders/encrypted/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md index 0dd0bf8e2..8551d7777 100644 --- a/bootloaders/encrypted/README.md +++ b/bootloaders/encrypted/README.md 
@@ -15,6 +15,8 @@ You will need to program your OTP using the generated `otp.json` file in the bui picotool otp load otp.json ``` +> For more information on security see chapter 10 of the [RP2350 datasheet](https://datasheets.raspberrypi.com/rp2350/rp2350-datasheet.pdf), and for information on how to sign other binaries to run on a secure chip see chapter 5.10 + Then either drag & drop the UF2 files to the device in order (enc_bootloader first, then hello_serial_enc) waiting for a reboot in-between, or run ```bash picotool load enc_bootloader.uf2 From 10361d70102fa039ae2e6ab71c7bb6b5723a4f29 Mon Sep 17 00:00:00 2001 From: Graham Sanderson Date: Fri, 22 Nov 2024 13:45:20 -0600 Subject: [PATCH 4/4] Update README.md --- bootloaders/encrypted/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md index 8551d7777..580e35a20 100644 --- a/bootloaders/encrypted/README.md +++ b/bootloaders/encrypted/README.md 
@@ -4,13 +4,15 @@ Replace private.pem and privateaes.bin with your own keys - your signing key mus openssl ecparam -name secp256k1 -genkey -out private.pem ``` -The AES key is just a 32 byte binary file - you can create one with +The AES key is just a 32 byte binary file - you can create one with: ```bash dd if=/dev/urandom of=privateaes.bin bs=1 count=32 ``` -You will need to program your OTP using the generated `otp.json` file in the build folder. Note that this will enable secure boot on your device, so only signed binaries can run, and will also lock down the OTP page the AES key is stored in. If you wish to test without enabling secure boot then you can load the `otp.json` file in the source folder, which will just program the AES key and lock down that OTP page. +You will need to program your OTP using the generated `otp.json` file generated by the build in your build folder +NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP page the AES key is stored in. +If you wish to test without enabling secure boot, you can load the `otp.json` file in the source folder ([otp.json](otp.json)) instead which will just program the AES key and lock down that OTP page. ```bash picotool otp load otp.json ```
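Review bot: in the first hunk (`bootloaders/encrypted/README.md @@ -4,12 +4,17 @@`, the added paragraph plus the `picotool otp load otp.json` fence) the command does not say which of the two `otp.json` files it loads, even though the paragraph directly above distinguishes the build-folder file (enables secure boot and locks the key page) from the source-folder file (programs the AES key only). Suggest making the path explicit, for example `picotool otp load build/otp.json` for the secure-boot variant (path assumed here to match the "build folder" the text names), or stating that the command must be run from the folder whose `otp.json` is intended. It is also worth saying plainly that OTP is one-time programmable: once the build-folder `otp.json` is loaded, secure boot and the locked OTP page cannot be reverted, so the user should confirm that `private.pem` and `privateaes.bin` are the keys they intend to keep before running it.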
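Review bot: in the third hunk (`@@ -15,6 +15,8 @@`, the added `>` blockquote) the sentence has no terminating period, and "chapter 5.10" names a section rather than a chapter; suggest "section 5.10". Because section numbers move between datasheet revisions and the link points at the unversioned current PDF, consider also quoting the chapter and section titles so the reference stays usable when the document is updated.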
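Review bot: in the fourth hunk (`@@ -4,13 +4,15 @@`) the first added line, `You will need to program your OTP using the generated `otp.json` file generated by the build in your build folder`, repeats "generated" and has no terminating period; suggest `You will need to program your OTP using the `otp.json` file generated by the build, in your build folder.` The three added lines are also separated only by single newlines, so Markdown will render them as one paragraph and the `NOTE:` will appear mid-sentence rather than as a call-out; put a blank line before `NOTE:` (or use the `>` blockquote style the README already uses for the datasheet note) so the secure-boot warning stands on its own. The `([otp.json](otp.json))` link resolves relative to the README's own directory, which matches "the source folder", so that part is fine.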