LinuxCommandLibrary

rpi-otp-private-key

Read or program the Raspberry Pi's device-specific OTP private key

TLDR

Read the device-specific OTP private key (printed as 64 hexadecimal characters; needs root)

$ sudo rpi-otp-private-key

SYNOPSIS

rpi-otp-private-key
rpi-otp-private-key -c
rpi-otp-private-key [-y] -w <key>

PARAMETERS

(no option)
    Reads the 32-byte device-specific private key from OTP through the VideoCore firmware mailbox and prints it as 64 hexadecimal characters. A key that has never been programmed reads back as all zeros.

-c
    Checks whether a key has been programmed: exits with status 0 if the OTP key is non-zero and 1 if it is still all zeros. Run this before writing, and in any script that must refuse to derive secrets from an unprogrammed key.

-w <key>
    Writes the given key (32 bytes, supplied as 64 hexadecimal characters, for example the output of `openssl rand -hex 32`) into OTP. OTP bits can only be set, never cleared, so this is a one-time, irreversible operation. The script prompts for confirmation before writing.

-y
    Skips the confirmation prompt for -w. Meant for unattended provisioning scripts; do not use it when running the tool by hand.

DESCRIPTION

rpi-otp-private-key is a small shell script shipped with the rpi-eeprom tools for Raspberry Pi 4, Compute Module 4 (CM4) and later models. It reads, checks or programs a 32-byte device-specific private key held in the SoC's One-Time Programmable (OTP) memory, stored as eight 32-bit OTP rows and accessed through the VideoCore firmware mailbox (the vcmailbox utility), which is why it must run as root.

This key is not the secure-boot signing key. Secure boot on these devices verifies the bootloader and boot image against an RSA public key whose hash is burned into OTP separately; the OTP private key is a per-device secret that such a verified boot chain can then use, for example as the root secret from which a LUKS disk-encryption key or a device identity is derived. Any code that can talk to the firmware mailbox can read it, so its confidentiality rests entirely on secure boot preventing unsigned code from running on the device. Because OTP can be written only once, the key cannot be rotated: a device whose key has leaked must be treated as permanently compromised for everything derived from that key.
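The following is an added example (not code from rpi-eeprom or the Raspberry Pi project) showing how a provisioning or boot-time script would consume the key: it reads it with rpi-otp-private-key, rejects malformed or unprogrammed (all-zero) values, and derives separate per-purpose secrets with HMAC-SHA256 instead of handing the raw OTP value to LUKS or a TLS client directly. It assumes the tool prints the key as 64 hexadecimal characters on stdout, that it must be run with sudo, and that openssl is installed; SAMPLE_KEY and the purpose labels are constructed values so the script can be exercised off-device.

```shell
#!/bin/sh
# Added example, not part of rpi-eeprom: consume the OTP private key safely.
# Assumes `rpi-otp-private-key` prints the key as 64 hex characters and that
# openssl is available for HMAC-SHA256.

OTP_ZERO=$(printf '%064d' 0)   # 64 zeros: what an unprogrammed key reads as

# Fetch the key from hardware (needs root for /dev/vcio). Kept separate so the
# rest of the script can be exercised with a constructed key.
read_otp_key() {
    sudo rpi-otp-private-key | tr -d ' \n' | tr 'A-F' 'a-f'
}

# Returns 0 for a plausible key, 1 for malformed input, 2 for an unprogrammed
# (all-zero) key. Callers must treat 2 as "do not use": an all-zero root secret
# would make every derived key guessable.
validate_otp_key() {
    key=$1
    case "$key" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#key}" -eq 64 ] || return 1
    [ "$key" != "$OTP_ZERO" ] || return 2
    return 0
}

# HMAC-SHA256(otp_key, purpose_label): a distinct 32-byte secret per consumer
# (LUKS volume, device identity, ...). Compromise of one derived key reveals
# neither the root key nor the other derived keys, and the label binds each
# key to its use. Fails closed if the root key does not validate.
derive_purpose_key() {
    key=$1
    purpose=$2
    validate_otp_key "$key" || return $?
    printf '%s' "$purpose" \
        | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$key" \
        | awk '{print $NF}'
}

# Constructed sample key for offline use; a real run would use $(read_otp_key).
SAMPLE_KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

main() {
    key=${1:-$SAMPLE_KEY}
    if ! validate_otp_key "$key"; then
        echo "OTP key unusable (malformed or not programmed)" >&2
        return 1
    fi
    # Versioned labels let a consumer roll its key forward later even though
    # the OTP root key itself can never change. Labels are assumed names.
    echo "luks key:  $(derive_purpose_key "$key" 'rootfs-luks-v1')"
    echo "device id: $(derive_purpose_key "$key" 'device-identity-v1')"
}

# On a Raspberry Pi, replace the line below with:  main "$(read_otp_key)"
main
```

Never echo the raw key into logs, shell history or a ramdisk that outlives the boot; read it once, derive what you need, and drop the variable.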

CAVEATS

Writing the key with -w is permanent. OTP bits can only be set from 0 to 1, never cleared, so a key cannot be changed afterwards, and writing over rows that already hold non-zero bits produces the OR of the old and new values, which matches neither key. Always run rpi-otp-private-key -c first, write only to a device whose key reads as all zeros, and read the key back afterwards to compare it with what you wrote. There is no recovery path if the write is interrupted or the wrong value is programmed.

The script talks to the firmware through /dev/vcio and therefore must run as root (sudo). It only applies to Raspberry Pi 4, Compute Module 4 and later models whose firmware exposes this OTP region.

The key is a device secret, not a signing authority: leaking it does not let an attacker sign bootloaders, but it does expose everything derived from it (encrypted volumes, device credentials) on that device, and since OTP cannot be rewritten the only remedy is to re-provision on different hardware. Do not let the raw value end up in logs or shell history, and derive per-purpose keys from it rather than using it directly.

rpi-otp-private-key does not generate the RSA secure-boot signing key, sign bootloader or boot images, or program the public key hash. Those steps are performed on the build host with openssl, with rpi-eeprom-digest (signing) and with the usbboot secure-boot recovery image (programming the public key hash), not with this tool.

SECURE BOOT CHAIN

Secure boot ensures that only software signed by the device owner runs before the operating system. On Raspberry Pi 4 / CM4 and later, the bootloader EEPROM image and the boot image are signed on the build host with an RSA private key, and the SHA-256 hash of the matching public key is burned into OTP (through the usbboot secure-boot recovery process, not with rpi-otp-private-key). At boot, the firmware uses the OTP hash to authenticate the public key and then verifies each image's signature before executing it, so an unsigned or tampered bootloader or boot image is rejected. The key handled by rpi-otp-private-key sits downstream of this chain: secure boot is what guarantees that the only code able to read the OTP private key is code you signed.

ONE-TIME PROGRAMMABLE (OTP) MEMORY

OTP memory is non-volatile memory whose bits can each be programmed once, from 0 to 1, and never cleared. Once a value such as the private key or the public-key hash has been written it cannot be erased or modified, which makes it suitable for anchoring secure boot and for holding a per-device secret. Note what OTP does and does not give you: it guarantees that a stored value cannot be changed, but it does not by itself keep the value secret. The public-key hash is meant to be public; the private key is readable by any code on the device with mailbox access, so its secrecy is only as good as the boot chain that controls which code runs.
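As an added illustration (not part of rpi-eeprom, and not the firmware's real programming path, which goes through the mailbox), this shell model treats the key as eight 32-bit rows in a file and applies the one rule of eFuse-style OTP: a write can only set bits, so each row becomes old OR new. It shows that a first write into a blank region reads back correctly, while a second write of a different key fails read-back verification and leaves a value that is neither key, which is exactly why the caveat above insists on checking for an all-zero region first. The row layout (32 bytes as 8 x 32-bit rows) and the OR semantics are assumptions about OTP in general, and KEY_A / KEY_B are constructed values.

```shell
#!/bin/sh
# Added example, not part of rpi-eeprom: a file-backed model of an 8-row OTP
# region to show why a key write is irreversible and why a second write
# corrupts rather than replaces. Assumes OR-only programming semantics.

OTP=${OTP_FILE:-/tmp/otp-model.$$}   # the "OTP": eight lines of 8 hex digits

# Blank region: every bit still 0, i.e. eight rows of 00000000.
otp_init() {
    : > "$OTP"
    i=0
    while [ "$i" -lt 8 ]; do
        echo 00000000 >> "$OTP"
        i=$((i + 1))
    done
}

# Read the region back as one 64-hex-character string, as the tool prints it.
otp_read() {
    tr -d '\n' < "$OTP"
}

# Program a 64-hex-character key: each row becomes (old | new), because an
# OTP bit that is already 1 cannot be returned to 0. Returns 1 if the read-back
# differs from what was requested, i.e. the region was not blank.
otp_program() {
    key=$1
    new_rows=$(printf '%s\n' "$key" | fold -w 8)
    tmp="$OTP.tmp"
    : > "$tmp"
    i=1
    for row in $new_rows; do
        old=$(sed -n "${i}p" "$OTP")
        printf '%08x\n' $(( 0x$old | 0x$row )) >> "$tmp"
        i=$((i + 1))
    done
    mv "$tmp" "$OTP"
    [ "$(otp_read)" = "$key" ]
}

# Constructed keys; every bit position is 1 in at least one of them.
KEY_A=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
KEY_B=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

demo() {
    otp_init
    if otp_program "$KEY_A"; then
        echo "first write verified:   $(otp_read)"
    fi
    if otp_program "$KEY_B"; then
        echo "unexpected: second write verified"
    else
        echo "second write corrupted: $(otp_read)   (neither key)"
    fi
    rm -f "$OTP"
}

demo
```

The same read-back comparison is the check to run on real hardware after `rpi-otp-private-key -w`: read the key, compare it byte for byte with the value you programmed, and treat any mismatch as a device that must not be provisioned further.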

HISTORY

rpi-otp-private-key lives in the tools directory of the rpi-eeprom project, alongside the rpi-eeprom-update and rpi-eeprom-config utilities. It was added with the secure boot support for Raspberry Pi 4 and Compute Module 4 to give a verified operating system a per-device secret that unsigned code cannot read, and it requires a bootloader and firmware release recent enough to support secure boot.

SEE ALSO

rpi-eeprom-update, rpi-eeprom-config, rpi-eeprom-digest, vcmailbox, openssl