Commit ad9842a

Update readmes
This includes the changes from #553
1 parent 05557f5 commit ad9842a

2 files changed

+37
-1
lines changed

bootloaders/encrypted/README.md

+11-1
@@ -1,4 +1,4 @@
1-
Replace private.pem and privateaes.bin with your own keys - your signing key must be for the _secp256k1_ curve, in PEM format. You can create a .PEM file with:
1+
For security you **must** replace private.pem and privateaes.bin with your own keys, and ivsalt.bin with your own per-device salt. Your signing key must be for the _secp256k1_ curve, in PEM format. You can create a .PEM file with:
22

33
```bash
44
openssl ecparam -name secp256k1 -genkey -out private.pem
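
Review bot: The new line 1 says you **must** replace private.pem, privateaes.bin and ivsalt.bin "for security" but gives no reason, and it asks for a per-device salt without saying whether the AES key is also expected to differ per device. If the files in the example directory are checked-in samples, say so in this sentence (keys that anyone can download protect nothing), and state the intended scope of each file, per device or per product, so readers do not reuse one privateaes.bin across a fleet by default.
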
@@ -15,6 +15,16 @@ or in Powershell 7
1515
[byte[]] $(Get-SecureRandom -Maximum 256 -Count 128) | Set-Content privateaes.bin -AsByteStream
1616
```
1717

18+
The IV salt is just a 16 byte binary file - you can create it the same way, replacing `128` with `16` and `privateaes.bin` with `ivsalt.bin` in the commands above.
19+
20+
You will need to program your OTP using the `otp.json` file generated by the build in your build folder
21+
NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP pages the AES key and IV salt are stored in.
22+
```bash
23+
picotool otp load otp.json
24+
```
25+
26+
> For more information on security see chapter 10 of the [RP2350 datasheet](https://datasheets.raspberrypi.com/rp2350/rp2350-datasheet.pdf), and for information on how to sign other binaries to run on a secure chip see chapter 5.10
27+
1828
Then either drag & drop the UF2 files to the device in order (enc_bootloader first, then hello_serial_enc) waiting for a reboot in-between, or run
1929
```bash
2030
picotool load enc_bootloader.uf2
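
Review bot: The NOTE on added line 21 comes after the instruction on line 20 and does not say whether the step can be undone or that private.pem has to be kept afterwards. Since the note states that only correctly signed binaries can run once `picotool otp load otp.json` has been applied, suggest moving the warning above the instruction, stating explicitly whether the OTP write is permanent, and telling the reader to back up private.pem before running the command. Line 26 also refers to "chapter 5.10"; "section 5.10" would match the numbering it uses for chapter 10.
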

encrypted/hello_encrypted/README.md

+26
@@ -0,0 +1,26 @@
1+
For security you **must** replace private.pem and privateaes.bin with your own keys, and ivsalt.bin with your own per-device salt. Your signing key must be for the _secp256k1_ curve, in PEM format. You can create a .PEM file with:
2+
3+
```bash
4+
openssl ecparam -name secp256k1 -genkey -out private.pem
5+
```
6+
7+
The AES key is stored as a 4-way share in a 128 byte binary file - you can create one with
8+
9+
```bash
10+
dd if=/dev/urandom of=privateaes.bin bs=1 count=128
11+
```
12+
13+
or in Powershell 7
14+
```powershell
15+
[byte[]] $(Get-SecureRandom -Maximum 256 -Count 128) | Set-Content privateaes.bin -AsByteStream
16+
```
17+
18+
The IV salt is just a 16 byte binary file - you can create it the same way, replacing `128` with `16` and `privateaes.bin` with `ivsalt.bin` in the commands above.
19+
20+
You will need to program your OTP using the `otp.json` file generated by the build in your build folder
21+
NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP pages the AES key and IV salt are stored in.
22+
```bash
23+
picotool otp load otp.json
24+
```
25+
26+
> For more information on security see chapter 10 of the [RP2350 datasheet](https://datasheets.raspberrypi.com/rp2350/rp2350-datasheet.pdf), and for information on how to sign other binaries to run on a secure chip see chapter 5.10
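
Review bot: Lines 4 and 10 create private.pem and privateaes.bin with whatever permissions the current umask gives, and nothing in the file says to keep them out of version control. Suggest a sentence after line 18 telling the reader to restrict private.pem, privateaes.bin and ivsalt.bin to the owner and not to commit them. Lines 18 to 26 also repeat word for word the text added to bootloaders/encrypted/README.md in this commit, so consider keeping one copy and linking to it from the other so the two cannot drift apart.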
