We don't recommend chain loading an extra bootloader stage because, as you have noted, that stage will have to implement (or enable existing u-boot options) code signing for any files loaded by that stage.
The original scope of secure-boot was to provide verified kernel+initramfs loading for buildroot/yocto systems (non-APT).
For package-based systems which can be generated using pi-gen, I'd recommend looking at the RPi secure-boot provisioner.
https://github.com/raspberrypi/rpi-sb-provisioner
Statistics: Posted by timg236 — Mon Aug 12, 2024 2:42 pm