Provision devices that have OTP-burned keys for secure boot
Hi,
I'm looking into reprovisioning devices that have their OTP keys burned to use secure boot.
Would this work with this version of the provisioner? I haven't had the time to look into the new one unfortunately, and I don't see it happening anytime soon due to time constraints.
Would signing scriptexecute.img and kernel.img and replacing them in /var/lib/cmprovision/scriptexecute plus their respective .sig files be enough, or would the provisioner not send those .sig files over?
cheers!!
Would expect that to work. CM should pull the files it wants during boot using TFTP. So if you put them there it should fetch them.
I tried signing them, but during boot I see that it loads /var/lib/cmprovision/scriptexecute/bdd8f64b/boot.img, and then gives an error that /var/lib/cmprovision/scriptexecute/boot.sig can't be found (without the hex part in the path). Any idea on what to do here?
I see that the bdd8f64b directory is not present there on the provisioner, and I don't immediately find a boot.img in the cmprovision directory. If there is one I could sign it and place the .sig file there to test.
You don't need the bdd8f64b directory. That is only if you want different files for different serial numbers. It will fall back to the main folder if it cannot find a folder for the serial number.
I think you need to make the boot.img yourself by putting all the individual files inside a FAT-formatted file system image.
Along the lines of:
dd if=/dev/zero of=boot.img bs=1M count=32   # empty 32 MB image file
mkfs.vfat boot.img                           # format the file as FAT
mkdir /tmp/mnt-point
sudo mount -o loop boot.img /tmp/mnt-point
sudo cp -a /var/lib/cmprovision/scriptexecute/* /tmp/mnt-point   # mount point is root-owned, so cp needs sudo too
sudo umount /tmp/mnt-point
(untested)
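As an added check (example code, not from this thread or from cmprovision), the script below walks a scriptexecute directory and reports, for each .img, whether its .sig is missing (the error the CM printed above), was generated from an older build of the image, or carries no RSA signature line. It assumes the .sig layout that rpi-eeprom-digest writes (digest line, ts line, rsa2048 line); make_sample_dir builds a constructed sample directory to run it against.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# Assumed .sig layout (my reading of rpi-eeprom-digest, not stated in this thread):
#   line 1: hex SHA-256 of the image file
#   line 2: "ts: <unix time>"
#   line 3: "rsa2048: <hex RSA signature>"  (only present when signed with a key)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_image(img: Path) -> str:
    """Classify one .img in the provisioner's scriptexecute directory."""
    sig = img.with_suffix(".sig")
    if not sig.is_file():
        return "missing-sig"       # what the CM reports at boot when boot.sig is absent
    lines = sig.read_text().splitlines()
    if not lines or lines[0].strip().lower() != sha256_file(img):
        return "digest-mismatch"   # .sig was produced from a different image build
    if not any(line.startswith("rsa2048:") for line in lines[1:]):
        return "unsigned"          # digest only; secure boot needs the RSA line
    return "ok"


def check_dir(directory) -> dict:
    """Map every *.img under directory to its status."""
    d = Path(directory)
    return {p.name: check_image(p) for p in sorted(d.glob("*.img"))}


def make_sample_dir() -> Path:
    """Constructed sample tree: one good, one stale-signed, one unsigned image."""
    d = Path(tempfile.mkdtemp(prefix="cmprov-"))
    def put(name, data, sig_of=None, signed=True):
        (d / name).write_bytes(data)
        if sig_of is not None:
            lines = [hashlib.sha256(sig_of).hexdigest(), f"ts: {int(time.time())}"]
            if signed:
                lines.append("rsa2048: " + "00" * 256)  # placeholder, not a real signature
            (d / name).with_suffix(".sig").write_text("\n".join(lines) + "\n")
    put("boot.img", b"fat image v2", sig_of=b"fat image v2")
    put("kernel.img", b"kernel v2", sig_of=b"kernel v1")        # rebuilt, .sig is stale
    put("scriptexecute.img", b"script", sig_of=b"script", signed=False)
    return d
```

Run check_dir("/var/lib/cmprovision/scriptexecute") on the provisioner before rebooting a secure-boot CM against it; anything other than "ok" will fail at boot.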