Commit 5858206073c4410bd6c06982f3a622417596606e
1 parent
0eb1b633
secure-boot: Specify the minimum version for secure-boot mode.
Showing
1 changed file
with
5 additions
and
3 deletions
secure-boot-recovery/README.md
| ... | ... | @@ -51,7 +51,7 @@ cd secure-boot-recovery |
| 51 | 51 | ../tools/update-pieeprom.sh -k "${KEY_FILE}" |
| 52 | 52 | ``` |
| 53 | 53 | |
| 54 | -`pieeprom.bin` can then be flashed to the bootloader EEPROM via rpiboot. | |
| 54 | +`pieeprom.bin` can then be flashed to the bootloader EEPROM via `rpiboot`. | |
| 55 | 55 | |
| 56 | 56 | ## Program the EEPROM image using rpiboot |
| 57 | 57 | * Power off CM4 |
| ... | ... | @@ -72,9 +72,11 @@ onwards: |
| 72 | 72 | * The EEPROM configuration file must be signed with the customer private key. |
| 73 | 73 | * It is not possible to install an old version of the bootloader that does |
| 74 | 74 | support secure boot. |
| 75 | -* **It is NOT possible to use a different private key to signed the OS images** | |
| 75 | +* This option requires EEPROM version 2022-01-06 or newer. | |
| 76 | +* BETA bootloader releases are not signed with the ROM secure boot key and will | |
| 77 | + not boot on a system where `revoke_devkey` has been set. | |
| 76 | 78 | |
| 77 | -**WARNING: THESE OPTIONS PERMANENTLY THE BCM2711 CHIP AND ARE IRREVERSIBLE.** | |
| 79 | +**WARNING: Modifications to OTP are irreversible. Once `revoke_devkey` has been set it is not possible to unlock secure-boot mode or use a different private key.** | |
| 78 | 80 | |
| 79 | 81 | To enable this edit the `config.txt` file in this directory and set |
| 80 | 82 | `program_pubkey=1` | ... | ... |