Secure boot on raspberry pi
Hi,

Has anyone set up secure boot on Raspberry Pi (CM4)? According to https://github.com/raspberrypi/usbboot#secure-boot, a boot.img file needs to be created which contains the kernel, ramdisk, overlays, start.elf, fixup.dat, etc. files, which is signed, and you then program the EEPROM to only boot from that signature. There is buildroot here (https://github.com/raspberrypi/buildroot/blob/raspberrypi-signed-boot/README...) which does build the boot.img file, but this will probably not work for openSUSE since it uses the kernel and ramdisk, etc. from Raspberry Pi OS. Is there any guide for openSUSE on how to build a boot.img file for use with secure boot on the RPi?

Jonas
On Wed, 2024-08-07 at 13:42 +0200, Jonas Kvinge wrote:
Hi
Has anyone set up secure boot on Raspberry pi (CM4)?
According to https://github.com/raspberrypi/usbboot#secure-boot, a boot.img file needs to be created which contains the kernel, ramdisk, overlays, start.elf, fixup.dat, etc. files, which is signed, and you then program the EEPROM to only boot from that signature. There is buildroot here (https://github.com/raspberrypi/buildroot/blob/raspberrypi-signed-boot/README.md) which does build the boot.img file, but this will probably not work for openSUSE since it uses the kernel and ramdisk, etc. from Raspberry Pi OS. Is there any guide for openSUSE on how to build a boot.img file for use with secure boot on the RPi?
Jonas
Hi,

I managed to set up secure boot following the instructions on https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/READ... and https://pip.raspberrypi.com/categories/685-whitepapers-app-notes/documents/R...

The Raspberry Pi secure boot requires a signed boot ramdisk (boot.img), https://www.raspberrypi.com/documentation/computers/config_txt.html#boot_ram..., which is supposed to contain the kernel and initrd, but instead of having the Linux kernel/initrd on it, I've placed u-boot.bin, which works. But I assume, unlike Debian, someone could just replace the kernel on the /boot partition, since the kernel is not included in the boot image. So is there a way to lock which kernel and initrd boots?

My setup has 3 partitions:
1. (FAT) UEFI boot
2. ext4 Linux /boot (unencrypted)
3. encrypted Linux LUKS ext4 root (/)

boot.img contains config.txt, extraconfig.txt, ubootconfig.txt, u-boot.bin, start.elf, start4.elf, fixup.dat, fixup4.dat, .dtb files and overlays.

Jonas
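Since the EEPROM only ever checks what is inside boot.img, the one thing a practitioner can verify offline is that the boot.img about to be provisioned really matches its boot.sig. The following is an added example, not code from the thread or from the Raspberry Pi tooling; it assumes the boot.sig layout that rpi-eeprom-digest writes (a hex sha256 line, a `ts:` line and an optional `rsa2048:` line holding a PKCS#1 v1.5 SHA-256 signature over the whole image) and takes the public key as the integers (n, e), which in practice you would load from the signing key's PEM file.

```python
import hashlib
import re

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def parse_boot_sig(text):
    """Parse boot.sig as written by rpi-eeprom-digest (assumed layout: a hex
    sha256 line, a 'ts: <unix time>' line, and optionally 'rsa2048: <hex>')."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not re.fullmatch(r"[0-9a-fA-F]{64}", lines[0]):
        raise ValueError("first line of boot.sig must be the hex sha256 of boot.img")
    fields = {"sha256": lines[0].lower()}
    for ln in lines[1:]:
        key, _, value = ln.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def pkcs1v15_sha256_verify(n, e, signature, digest):
    """RSASSA-PKCS1-v1_5 verification (RFC 8017, 8.2.2) for a SHA-256 digest,
    with the public key given as integers (n, e); standard library only."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + digest
    if len(signature) != k or k < len(t) + 11:  # padding string must be >= 8 bytes
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return em == expected


def verify_boot_image(image, sig_text, n=None, e=65537):
    """Return (ok, reason). Always checks the digest line against the image;
    checks the rsa2048 line only when a public key (n, e) is supplied."""
    fields = parse_boot_sig(sig_text)
    digest = hashlib.sha256(image).digest()
    if digest.hex() != fields["sha256"]:
        return False, "sha256 mismatch: image does not match boot.sig"
    if n is None:
        return True, "digest ok (no public key given, signature not checked)"
    if "rsa2048" not in fields:
        return False, "boot.sig has no rsa2048 line, but a public key was supplied"
    if not pkcs1v15_sha256_verify(n, e, bytes.fromhex(fields["rsa2048"]), digest):
        return False, "rsa2048 signature does not verify"
    return True, "digest and signature ok"
```

Note that a passing check says nothing about the kernel and initrd on the separate /boot partition, which is exactly the gap raised above: only files packed into boot.img are covered by this signature.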