Provision devices that have a otp burned keys for secure boot

[knachte]

Hi,

I'm looking into reprovisioning devices that have their otp keys burned to use secure boot.

Would this work with this version of the provisioner? I haven't had the time to look into the new one unfortunately, and i don't see it happening anywhere soon due to time constraints.

Would signing scriptexecute.img and kernel.img and replacing them in /var/lib/cmprovision/scriptexecute plus their respecitve.sig files be enough, or would the provisoner not send those .sig files over?

cheers!!

[maxnet]

Would expect that to work.
CM should pull the files it wants during boot using TFTP. So if you put them there it should fetch them.

[knachte]

i tried signing them, but during boot i see that he loads /var/lib/cmprovision/scriptexecute/bdd8f64b/boot.img, and then gives an error that /var lib/cmprovison/scriptexecute/boot.sig can't be found (without the hex part in the path). Any idea on what to do here?

I see that the bdd8f64b directory is not present there on the provisioner, and i don't immediately find a boot.img in the cmprovision directory. If there is i could sign that one and place the .sig file there to test.

[maxnet]

You don't need the bdd8f64b directory. That is only if you want different files for different serial numbers.
It will fallback to the main folder if it cannot find a folder for the serial number.

Think you need to make the boot.img yourself by putting all individual files inside a FAT formatted file system image.

Along the lines of:

dd if=/dev/zero of=boot.img bs=1M count=32
mkdir /tmp/mnt-point
mkfs.vfat boot.img
sudo mount -o loop boot.img /tmp/mnt-point
cp -a /var/lib/cmprovision/scriptexecute/* /tmp/mnt-point
sudo umount /tmp/mnt-point

(untested)