diff --git a/Readme.md b/Readme.md index 2aaa541..6c7dfe5 100644 --- a/Readme.md +++ b/Readme.md @@ -63,8 +63,10 @@ On Compute Module 4 EMMC-DISABLE / nRPIBOOT (GPIO 40) must be fitted to switch t Otherwise, the SPI EEPROM bootloader image will be loaded instead. -## Secure Boot - BETA -Secure Boot is currently a BETA release feature and the functionality to permanently enable secure-boot via OTP is not enabled in this release. +## Secure Boot +Secure Boot requires the latest stable bootloader image. +WARNING: If the `revoke_devkey` option is used to revoke the ROM development key then it will +not be possible to downgrade to a bootloader older than 2022-01-06 OR disable secure-boot mode. ### Host setup Secure boot require a 2048 bit RSA asymmetric keypair and the Python `pycrytodomex` module to sign the EEPROM config and boot image. diff --git a/secure-boot-msd/bootcode4.bin b/secure-boot-msd/bootcode4.bin index 565179b..acb78a4 100644 --- a/secure-boot-msd/bootcode4.bin +++ b/secure-boot-msd/bootcode4.bin diff --git a/secure-boot-recovery/README.md b/secure-boot-recovery/README.md index 2f57335..126dafa 100644 --- a/secure-boot-recovery/README.md +++ b/secure-boot-recovery/README.md @@ -81,8 +81,8 @@ To enable this edit the `config.txt` file in this directory and set * `program_pubkey` - If 1, write the hash of the customer's public key to OTP. * `revoke_devkey` - If 1, revoke the ROM bootloader development key which - requires secure-boot mode and prevents downgrades to bootloader versions that - don't support secure boot. + requires secure-boot mode and prevents downgrades to bootloader versions that + don't support secure boot. ** DO NOT SET THIS `revoke_devkey` UNTIL THE BOOTLOADER IS SIGNED WITH THE SECURE BOOT KEY. IT WILL PREVENT THE PI FROM BOOTING.** diff --git a/secure-boot-recovery/bootcode4.bin b/secure-boot-recovery/bootcode4.bin index e2be08b..f3a75cb 100644 --- a/secure-boot-recovery/bootcode4.bin +++ b/secure-boot-recovery/bootcode4.bin 
diff --git a/secure-boot-recovery/pieeprom.original.bin b/secure-boot-recovery/pieeprom.original.bin index 6a00581..8ea80de 100644 --- a/secure-boot-recovery/pieeprom.original.bin +++ b/secure-boot-recovery/pieeprom.original.bin
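Review bot: In the Readme.md hunk under `## Secure Boot`, the new warning leaves the operator to infer two things it should state outright. "Secure Boot requires the latest stable bootloader image" names no version, while the next sentence gives 2022-01-06 as the downgrade floor; if that date is also the minimum release for secure boot, say so in the first sentence. The warning also drops the word "permanently" that the removed text used, so it no longer says whether `revoke_devkey` can be undone; state explicitly that it cannot, if that is the case. The `WARNING:` line is plain text directly under the heading, whereas secure-boot-recovery/README.md uses bold capitals for the same option, so consider matching that emphasis and adding a blank line after the heading. The unchanged context line below it still reads "Secure boot require" and "`pycrytodomex`", which is worth fixing while this section is being edited.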
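Review bot: In the secure-boot-recovery/README.md hunk, the `revoke_devkey` bullet changes only the indentation of its continuation lines, so its description is now out of step with the warning this same patch adds to the top-level Readme.md. The bullet says the option "prevents downgrades to bootloader versions that don't support secure boot", while Readme.md says it blocks downgrades to a bootloader older than 2022-01-06 and makes it impossible to disable secure-boot mode. Since this is the file where the option is actually set in `config.txt`, it should carry the same date and the same statement about not being able to leave secure-boot mode. Separately, the context line "** DO NOT SET THIS `revoke_devkey` ..." has a space after the opening `**`, which Markdown does not treat as the start of bold text, so the warning will render with literal asterisks; remove the space.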