
rpi-otp-private-key fails for Pi 3B+ and Pi Zero 1.3 despite them having support for OTP

Open sunetfreitag opened this issue 1 year ago • 6 comments

Describe the bug

The OTP helper rpi-otp-private-key is written as though it should also support most legacy hardware, as stated in the documentation "Using the One-Time Programmable Memory on Raspberry Pi Single-Board Computers" (2023-02-10: githash: c65fe9c-clean). Running the script on at least the Zero 1.3 and 3B+ results in "Chip not supported". If you remove the BOARD_INFO check and set MAX_ROW_COUNT=8, it works.

BOARD_INFO from my boards:

  • Pi Zero 1.3: 00900093
  • Pi 3B+ 1.4: 00a020d4

Steps to reproduce the behaviour

  1. Copy rpi-otp-private-key to your local file system
  2. Execute rpi-otp-private-key

Device(s)

Other

Bootloader configuration.

(empty)

System

$ cat /etc/rpi-issue
Raspberry Pi reference 2024-03-15
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, f19ee211ddafcae300827f953d143de92a5c6624, stage2

$ vcgencmd bootloader_version
unknown

$ vcgencmd version
Feb 29 2024 12:26:47
Copyright (c) 2012 Broadcom
version f4e2138c2adc8f3a92a3a65939e458f11d7298ba (clean) (release) (start)

$ uname -a
Linux udmd 6.6.20+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.20-1+rpt1 (2024-03-07) aarch64 GNU/Linux

Bootloader logs

No response

USB boot

No response

NVMe boot

No response

Network (TFTP boot)

No response

sunetfreitag avatar Sep 15 '24 18:09 sunetfreitag

These are different chips with different otp reservations that also don’t support secure boot so this is not possible

timg236 avatar Sep 15 '24 18:09 timg236

@timg236 I ran into this unexpected behavior today too. The docs suggest that reading/programming a device-specific private key is possible on all Raspberry Pi computers. From your perspective, should the docs be updated to indicate it is only supported on >= Pi 4? I'm happy to submit a docs PR but want to make sure we're all on the same page.

ysi-camerona avatar Oct 28 '24 17:10 ysi-camerona

Right now it requires >= Pi4 or newer so we can add a note. It's possible that those rows could be made available on older models to store a device-private key. There's no secure-boot on those models so the security benefit is less obvious but there may be applications where that is ok e.g. if physical access to the device is not possible.

timg236 avatar Oct 29 '24 10:10 timg236

ping @nathan-contino

lurch avatar Oct 29 '24 11:10 lurch

Thanks Tim, I'll aim to have a documentation PR submitted with that change on Friday.

ysi-camerona avatar Oct 30 '24 13:10 ysi-camerona

PR has been submitted: https://github.com/raspberrypi/documentation/pull/3900

ysi-camerona avatar Nov 01 '24 19:11 ysi-camerona

Marked as enhancement. This OTP storage can be used with some caveats i.e. no verified chain of trust because the bootrom doesn't support RSA verification.

timg236 avatar Jun 23 '25 10:06 timg236

rpi-otp-private-key has been updated to enable this on BCM2710 and earlier even though these older devices cannot support secure-boot with asymmetric signing.

https://github.com/raspberrypi/rpi-eeprom/blob/master/tools/rpi-otp-private-key

The update also points users to rpifwcrypto for generating ECDSA P-256 keys rather than raw values. https://github.com/raspberrypi/utils/tree/master/rpifwcrypto

timg236 avatar Oct 21 '25 06:10 timg236
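The BOARD_INFO values quoted in the issue and the "BCM2710 and earlier" distinction in the final comment both come down to the processor field of the Raspberry Pi revision code. The script below is an added example, not code from the rpi-eeprom tool: it decodes that field from a new-style revision code (bits 12-15, with bit 23 marking the new-style format; the Pi 3 family's BCM2710 package reports the BCM2837 processor value) and classifies what an OTP private key can provide on that SoC, per the thread: a verified chain of trust only on BCM2711 or later, plain key storage on older chips. The function names and the classification labels are this example's own.

```shell
#!/bin/sh
# Added example (not the rpi-eeprom tool's own code): decode a Raspberry Pi
# new-style revision code, as reported by BOARD_INFO in the issue above,
# into the processor field and say what an OTP private key buys on that SoC.
# Assumption: the caller passes the hex revision code as the first argument.

# Processor field of a new-style revision code: bits 12-15.
rpi_processor() {
    code=$(( 0x$1 ))
    # Bit 23 distinguishes new-style codes from the old numeric ones.
    if [ $(( (code >> 23) & 1 )) -ne 1 ]; then
        echo "old-style"
        return 1
    fi
    case $(( (code >> 12) & 0xF )) in
        0) echo BCM2835 ;;
        1) echo BCM2836 ;;
        2) echo BCM2837 ;;
        3) echo BCM2711 ;;
        4) echo BCM2712 ;;
        *) echo unknown; return 1 ;;
    esac
}

# Per the thread: BCM2711 and later have a secure-boot capable bootrom, so a
# key in OTP anchors a verified chain of trust; earlier SoCs can hold the key
# (eight OTP rows) but the bootrom cannot verify signatures with it.
otp_key_role() {
    case "$(rpi_processor "$1")" in
        BCM2711|BCM2712) echo "secure-boot" ;;
        BCM2835|BCM2836|BCM2837) echo "key-storage-only" ;;
        *) echo "unsupported" ;;
    esac
}

# Constructed sample run over the two codes quoted in the issue.
for rev in 00900093 00a020d4; do
    printf '%s -> %s (%s)\n' "$rev" "$(rpi_processor "$rev")" "$(otp_key_role "$rev")"
done
```

Run with the same `vcgencmd otp_dump` row 30 value the tool reads as BOARD_INFO to see which case a given board falls into.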