Just to point out: Unless OP also wants secure boot, the public key only has to be written to the EEPROM. I don't think the [pubkey] section exists like that. At least I don't find any immediate documentation for that feature. The way a public key is embedded in the EEPROM is in a 'pubkey.bin' section. rpi-eeprom-config can include that with the '--pubkey' option.Equally, have you definitely written your key hash into OTP?
Statistics: Posted by dividuum — Fri Nov 28, 2025 9:19 am