Secure Boot on Rock 5B

I’m trying to enable Secure Boot on Rock 5B by burning the RSA public key to the OTP fuses.
Following the Rockchip_Developer_Guide_Secure_Boot_Application_Note_EN.pdf guide, I was able to sign and upload the signed firmware to the devices. As per the doc, the first time a signed firmware boots it should burn the fuses automatically, but apparently that doesn’t happen, as I’m still able to boot with unsigned firmware.

Have tried the same approach on other RK3566/RK3568 boards with no luck.

At the same time on RK3399, I was able to burn keys with EFuseTool and everything works.

I couldn’t get it to Secure Boot either. I could be wrong, but from what I gather it’s the lack of a mini loader on my end, and I can’t find any code in the build repository that indicates that the trust files get packed into the idbloader for any rk35xx build.

From chapter “6.6 Programming OTP”:

If OTP program success, serial port print “otp write key success!!!”. If OTP program fail, serial port print “otp write error: !!!”.

I found out only the following loaders have the required logic:

$ grep -r "otp write key" rkbin/bin/rk35/
grep: rkbin/bin/rk35/rk3588_ramboot_v1.06.bin: binary file matches
grep: rkbin/bin/rk35/rk3568_miniloader_spinand_v1.15.bin: binary file matches
grep: rkbin/bin/rk35/rk356x_spl_nand_v1.14.bin: binary file matches

So for RK3588 the only suitable loader for enabling secure boot is rk3588_ramboot_v1.06.bin.

I created idbloader.img and signed it using the following commands:

$ ./uboot/tools/mkimage -n rk3588 -T rksd -d rk3588_ddr_lp4_2112MHz_lp5_2736MHz_v1.08.bin:rk3588_ramboot_v1.06.bin idbloader.img

$ rk_sign_tool ssr --key privateKey.pem --pubkey publicKey.pem --idb idbloader.img

but that doesn’t enable secure boot either (SecureMode = 0):

DDR Version V1.08 20220617
LPDDR4X, 2112MHz
channel[0] BW=16 Col=10 Bk=8 CS0 Row=17 CS=1 Die BW=16 Size=2048MB
channel[1] BW=16 Col=10 Bk=8 CS0 Row=17 CS=1 Die BW=16 Size=2048MB
channel[2] BW=16 Col=10 Bk=8 CS0 Row=17 CS=1 Die BW=16 Size=2048MB
channel[3] BW=16 Col=10 Bk=8 CS0 Row=17 CS=1 Die BW=16 Size=2048MB
Manufacturer ID:0xff 
CH0 RX Vref:27.7%, TX Vref:22.8%,0.0%
CH1 RX Vref:28.7%, TX Vref:23.8%,0.0%
CH2 RX Vref:28.7%, TX Vref:21.8%,0.0%
CH3 RX Vref:27.7%, TX Vref:22.8%,0.0%
change to F1: 528MHz
change to F2: 1068MHz
change to F3: 1560MHz
change to F0: 2112MHz
out
Boot1 Release Time: Feb 24 2022 10:23:56, version: 1.05 USB BOOT
ChipType = 0x32, 481
SecureMode = 0
atags_set_bootdev: ret:(0)
UsbBoot ...1079
powerOn 1340
Usb no Connecte. 6001342
Usb no Connecte. 12001344
Usb no Connecte. 18001349
Usb no Connecte. 24001357
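
A check for the two indicators this thread relies on (the `SecureMode` line and the OTP write messages quoted from chapter 6.6), run over a captured serial console log. This is an added example, not code from the thread or from Rockchip; the function name, the verdict labels and the reading of a non-zero `SecureMode` as "enabled" are assumptions.

```python
import re

# Constructed sample, abridged from the serial log quoted in the thread.
SAMPLE_LOG = (
    "DDR Version V1.08 20220617\r\n"
    "Boot1 Release Time: Feb 24 2022 10:23:56, version: 1.05 USB BOOT\r\n"
    "ChipType = 0x32, 481\r\n"
    "SecureMode = 0\r\n"
    "atags_set_bootdev: ret:(0)\r\n"
    "UsbBoot ...1079\r\n"
)

SECURE_MODE_RE = re.compile(r"^[ \t]*SecureMode[ \t]*=[ \t]*(\d+)[ \t]*$", re.M)
BOOT1_RE = re.compile(r"^Boot1 Release Time: .*?version: (\S+)", re.M)
OTP_OK = "otp write key success!!!"   # quoted from chapter 6.6
OTP_ERR = "otp write error"           # prefix of the failure message


def analyze_boot_log(text):
    """Summarise secure-boot state from one captured serial console log."""
    # Serial captures usually carry CRLF or bare CR line endings.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    modes = [int(v) for v in SECURE_MODE_RE.findall(text)]
    boot1 = BOOT1_RE.findall(text)
    otp_errors = [ln.strip() for ln in text.splitlines() if OTP_ERR in ln]
    otp_written = OTP_OK in text

    if otp_errors:
        verdict = "otp-write-failed"
    elif otp_written:
        # Key hash was programmed during this boot; re-check SecureMode
        # on the next power cycle.
        verdict = "otp-written"
    elif not modes:
        verdict = "unknown"            # loader never printed SecureMode
    elif modes[-1] == 0:
        verdict = "not-enabled"        # the state shown in the thread
    else:
        verdict = "enabled"            # assumption: non-zero means enforced
    return {
        "verdict": verdict,
        "secure_mode": modes[-1] if modes else None,
        "loader_version": boot1[-1] if boot1 else None,
        "otp_errors": otp_errors,
    }


if __name__ == "__main__":
    print(analyze_boot_log(SAMPLE_LOG))
```

A log that contains several boots is judged on its last `SecureMode` line, so capture from power-on when comparing before and after a provisioning attempt.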

@kirgene @ibebarrett Hi! Were you able to get the Secure Boot thing done? I was looking for some documentation and could not get anything more up-to-date than https://github.com/yunzhaoyu2050/rockchip_rv1126_rv1109_docs/blob/main/Kernel/NVM/Rockchip_Developer_Guide_Secure_Boot_Application_Note_EN.pdf

I messaged you on Discord as I saw you posted about this there…

I was able to fuse my RK3588S (not a RockPI 5B!) to secure boot enabled and now I can only run/flash code that is signed.

After trying to get the ram loader (ramboot_v1.06) to work, I gave up and reverse engineered how to do it manually, and this resulted in success.

For the record, here’s how I think fusing secure boot should work:

  1. Boot with the ram loader
  2. Sign an image with “sign_flag=0x20” in settings.ini before signing. This is what triggers the first step of secure boot provisioning
  3. Use rkdevelop to send the image in 2 to ram loader over USB. This will tell ramloader to program the public key information hash and the secure boot enable flag into the OTP/fuses.

My problem is that I could not figure out the right incantation that satisfied 3). I believe it should be rkdevelop ul bla.bin, but whatever bla.bin I sent, it was always rejected.


Hi There, thank you for posting your results, good to know!

And did you try flashing it with dd? Something like this?
sudo dd if=./out/u-boot/idbloader.img of=/dev/mtdblock0 bs=512 seek=64
sudo dd if=./out/u-boot/u-boot.itb of=/dev/mtdblock0 bs=512 seek=16384

I don’t have flashing problems. The problem is that only “ramboot” currently programs the OTP to enable secure boot. The proper incantation would be to send ramboot and then send a signed image, but ramboot is refusing any image sent to it.

For my board (Orange PI 5B), I wrote my own bootloader to program the OTP and now only signed files work (which is what I wanted).


If anyone is interested in enabling Secure Boot on their RK3588 device, I’ve released instructions and tools on my GitHub. I don’t recommend doing it if you’re not capable of understanding C code and compiling it. I’ve made it as simple as possible, but it’s still a bit convoluted. Since enabling SB has a risk of bricking (hasn’t happened to me but…), I’ve also made it “difficult” in a few places to make sure you read the instructions correctly. If you don’t, you cannot enable SB.


Currently I would advise against enabling Secure Boot because the bootloaders are not expecting it. The SPL from RockChip was not built with SB in mind and will spit out an error that CONFIG_SPL_FIT_SIGNATURE is not enabled and stop the boot process. After patching this check in SPL, u-boot complains about various avb things due to SB, all annoying to patch out.

Until Radxa / RockChip release bootloaders source or binaries supporting Secure Boot, it’s not worth the effort if you want to use existing released images.