How to secure boot raspberry pi4 and u-boot yocto image

I have a Raspberry Pi 4 and the Yocto image from Mender (open source OTA platform). Here is the process I followed to secure boot the Raspberry Pi 4, but I am stuck with the following issue. Enabled secure boot on the Raspberry Pi 4; reference: https://github.com/raspberrypi/usbboot/blob/master/secure-boot-example/README.md

Generate Key

  • source path/to/python/venv
  • pip install pycryptodomex
  • openssl genrsa 2048 > private.pem
  • export KEY_FILE=$(pwd)/private.pem

Secure-boot-recovery

Enable rpiboot mode and flash the bootloader EEPROM with the updated setting that enables code signing.

  • cd secure-boot-recovery
  • ../tools/update-pieeprom.sh -k "${KEY_FILE}"
  • cd ..
  • ./rpiboot -d secure-boot-recovery

Now, once secure boot is enabled, as per the document Raspberry Pi 4 Boot Security, the Raspberry Pi 4 expects a boot.img.

Process to create a signed yocto image

Dependencies: a Python virtual env and kas need to be installed.

I modified some files to make it work.

The files mender-bootimg.bbclass and mender-part-images.bbclass from classes were modified to create a vfat image boot.img and to sign boot.img; the added code, referencing the sign.sh script in secure-boot-example, outputs boot.sig, which is then copied to the boot partition. The modified files are in Image and Modified Files.

Build Command

  • kas build ../kas/demos/raspberrypi4-64-wifi.yml

To give it a quick try, here is the link: Image and Modified Files. Flash the generated image to an SD card, sign it with the private key, flash the secure-boot-recovery pieeprom via rpiboot, and boot.

Please let me know if I'm missing anything.

Error Logs:

  • 2.62 RPi: BOOTLOADER release VERSION:69471177 DATE: 2025/05/08 TIME: 16:21:35
  • 2.62 BOOTMODE: 0x06 partition 0 build-ts BUILD_TIMESTAMP=1746717695 serial 7c2
  • 2.36 Unsupported boot order 6
  • 2.61 Boot mode: SD (01) order f254
  • 2.82 SD HOST: 200000000 CTL0: 0x00800000 BUS: 400000 Hz actual: 390625 HZ div6
  • 2.83 SD HOST: 200000000 CTL0: 0x00800f00 BUS: 400000 Hz actual: 390625 HZ div6
  • 2.98 OCR c0ff8000 [171]
  • CID: 000353444a554c494580d5b740550127
  • CSD: 400e00325b59000076b27f800a404000
  • 2.98 SD: bus-width: 4 spec: 2 SCR: 0x02358043 0x00000000
  • 2.99 SD HOST: 200000000 CTL0: 0x00800f04 BUS: 50000000 Hz actual: 50000000 HZ2
  • 3.00 MBR: 0x0000c000, 206848 type: 0x0c
  • 3.01 MBR: 0x00040000, 770048 type: 0x83
  • 3.01 MBR: 0x000fc000, 770048 type: 0x83
  • 3.01 MBR: 0x001b8000, 262144 type: 0x83
  • 3.21 Trying partition: 0
  • 3.49 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4)
  • 3.05 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512
  • 3.06 FAT16 clusters 51603
  • 3.06 [sdcard] autoboot.txt not found
  • 3.06 Select partition rsts 0 C(boot_partition) 0 EEPROM config 0 result 1
  • 3.71 Trying partition: 1
  • 3.76 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4)
  • 3.08 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512
  • 3.08 FAT16 clusters 51603
  • 3.89 secure-boot
  • 3.91 Loading boot.img ...
  • 3.09 boot.sig
  • 3.09 hash: b70a74e651e9bde92dd921ac6b26c9704077bcec431518c384aafd0c39f98fc7
  • 3.10 ts: 1750829740
  • 3.10 rsa2048: 7937a7eeacf12d1433011cc1fcbd57901e0d0796fafce03d811a44e54f255f8c
  • 3.15 [sdcard] boot.img not found
  • 3.53 Error 6 loading boot.img
  • 3.55 Boot mode: USB-MSD (04) order f25
  • 3.17 PCI0 init
  • 3.17 PCI0 reset
  • 3.34 PCIe scan 00001106:00003483
  • 3.46 XHCI-STOP
  • 3.46 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
  • 3.47 USBSTS 11
  • 3.47 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
  • 3.48 xHC0 ports 5 slots 32 intrs 4
  • 3.18 USB21 400202e1 connected
  • 3.33 USB2 root HUB port 1 init
  • 3.53 DEV [01:00] 2.16 000000:01 class 9 VID 2109 PID 3431
  • 3.53 HUB init [01:00] 2.16 000000:01
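Added example (my own code, not from the post, Mender or the Raspberry Pi tools): a pre-flash check of the FAT boot partition that does in software what the bootloader log above does at boot. It confirms that boot.img is present, that the hash line in boot.sig matches the image, and that the rsa2048 line verifies under the public key. Two assumptions are not confirmed by the post: that boot.sig has the layout rpi-eeprom-digest writes (a hex SHA-256 line, a ts: line and an rsa2048: line, which is what the log prints), and that the rsa2048 value is a PKCS#1 v1.5 SHA-256 signature over the whole boot.img. The partition contents are constructed stand-ins, and toy_keypair is a demo key only; against a real SD card you would read the files from the boot partition and take the modulus and exponent from private.pem (for example with pycryptodomex, which the key-generation step above installs).

```python
"""Added example: pre-flash check of a Raspberry Pi 4 secure-boot partition.
Assumed (not confirmed by the post): boot.sig is a hex SHA-256 line, then
"ts: <unix time>", then "rsa2048: <hex>", where rsa2048 is a PKCS#1 v1.5
SHA-256 signature over all of boot.img. RSA uses plain Python integers so this
runs offline; the toy key is demo-only and far too small for a real board."""
import hashlib
import secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DER prefix

def emsa_pkcs1_v15(digest: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest for a k-byte modulus."""
    t = SHA256_DIGESTINFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-256")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sign(n: int, d: int, digest: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(digest, k), d, n).to_bytes(k, "big")

def rsa_verify(n: int, e: int, sig: bytes, digest: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    # wrong length or s >= n cannot be a signature under this key
    return len(sig) == k and s < n and pow(s, e, n) == emsa_pkcs1_v15(digest, k)

def make_boot_sig(image: bytes, n: int, d: int, ts: int) -> str:
    """Produce boot.sig text in the assumed rpi-eeprom-digest layout."""
    digest = hashlib.sha256(image).digest()
    return f"{digest.hex()}\nts: {ts}\nrsa2048: {rsa_sign(n, d, digest).hex()}\n"

def parse_boot_sig(text: str) -> dict:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty boot.sig")
    fields = {"hash": lines[0]}
    for ln in lines[1:]:                      # "key: value" lines after the hash
        key, _, value = ln.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def check_boot_partition(files: dict, n: int, e: int) -> str:
    """files maps file name -> bytes on the FAT boot partition.
    Returns 'ok' or the first condition the bootloader would reject."""
    if "boot.img" not in files:
        return "boot.img missing"             # the condition the log above reports
    if "boot.sig" not in files:
        return "boot.sig missing"
    try:
        sig = parse_boot_sig(files["boot.sig"].decode())
        rsa = bytes.fromhex(sig.get("rsa2048", ""))
    except (ValueError, UnicodeDecodeError):
        return "boot.sig unparsable"
    digest = hashlib.sha256(files["boot.img"]).digest()
    if sig["hash"] != digest.hex():
        return "hash mismatch"                # image changed after signing
    if not rsa:
        return "unsigned"                     # secure boot needs the rsa2048 line
    return "ok" if rsa_verify(n, e, rsa, digest) else "bad signature"  # wrong key / corrupt sig

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used only for the demo key."""
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full-length, odd
        if _is_probable_prime(c):
            return c

def toy_keypair(bits: int = 512):
    """Demo-only RSA key; the real flow uses the 2048-bit private.pem from openssl."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

if __name__ == "__main__":
    n, e, d = toy_keypair()
    img = b"constructed stand-in for boot.img, not a real boot image\n" * 64
    sig = make_boot_sig(img, n, d, 1750829740).encode()
    print(check_boot_partition({"boot.img": img, "boot.sig": sig}, n, e))   # ok
    print(check_boot_partition({"boot.sig": sig}, n, e))                    # boot.img missing
```

The log above reads boot.sig (hash, ts, rsa2048 all parse) and then reports boot.img not found; a partition in that state returns "boot.img missing" from this check, so it is worth running against the SD card before flashing the secure-boot-recovery EEPROM, since with code signing enabled there is no fallback to an unsigned boot.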