Commit 5858206073c4410bd6c06982f3a622417596606e

Authored by Tim Gover
1 parent 0eb1b633

secure-boot: Specify the minimum version for secure-boot mode.

secure-boot-recovery/README.md
@@ -51,7 +51,7 @@ cd secure-boot-recovery @@ -51,7 +51,7 @@ cd secure-boot-recovery
51 ../tools/update-pieeprom.sh -k "${KEY_FILE}" 51 ../tools/update-pieeprom.sh -k "${KEY_FILE}"
52 ``` 52 ```
53 53
54 -`pieeprom.bin` can then be flashed to the bootloader EEPROM via rpiboot. 54 +`pieeprom.bin` can then be flashed to the bootloader EEPROM via `rpiboot`.
55 55
56 ## Program the EEPROM image using rpiboot 56 ## Program the EEPROM image using rpiboot
57 * Power off CM4 57 * Power off CM4
@@ -72,9 +72,11 @@ onwards: @@ -72,9 +72,11 @@ onwards:
72 * The EEPROM configuration file must be signed with the customer private key. 72 * The EEPROM configuration file must be signed with the customer private key.
73 * It is not possible to install an old version of the bootloader that does 73 * It is not possible to install an old version of the bootloader that does
74 support secure boot. 74 support secure boot.
75 -* **It is NOT possible to use a different private key to signed the OS images** 75 +* This option requires EEPROM version 2022-01-06 or newer.
  76 +* BETA bootloader releases are not signed with the ROM secure boot key and will
  77 + not boot on a system where `revoke_devkey` has been set.
76 78
77 -**WARNING: THESE OPTIONS PERMANENTLY THE BCM2711 CHIP AND ARE IRREVERSIBLE.** 79 +**WARNING: Modifications to OTP are irreversible. Once `revoke_devkey` has been set it is not possible to unlock secure-boot mode or use a different private key.**
78 80
79 To enable this edit the `config.txt` file in this directory and set 81 To enable this edit the `config.txt` file in this directory and set
80 `program_pubkey=1` 82 `program_pubkey=1`
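Review bot: The unchanged context on lines 73-74, "an old version of the bootloader that does support secure boot", reads as if a "not" is missing ("that does not support secure boot"); since this hunk already edits the adjacent bullets, this is a good opportunity to fix that wording. Also, the new bullet on lines 76-77 and the rewritten warning on line 79 both refer to `revoke_devkey`, but the visible text only tells the reader to set `program_pubkey=1` in `config.txt`; a short pointer to where `revoke_devkey` is set would help readers understand which of the two options makes the change irreversible.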