encrypted
For security you must replace private.pem and privateaes.bin with your own keys, and ivsalt.bin with your own per-device salt. Make sure you don't lose your keys and salts, or you may not be able to update the code on your device.

This bootloader uses MbedTLS for decryption, so it is not secure against side-channel attacks and therefore offers only limited protection against physical attackers.

Your signing key must be for the secp256k1 curve, in PEM format. You can create a .PEM file with:

openssl ecparam -name secp256k1 -genkey -out private.pem

The AES key is stored in a 32-byte binary file; you can create one with

dd if=/dev/urandom of=privateaes.bin bs=1 count=32

or in PowerShell 7

[byte[]] $(Get-SecureRandom -Maximum 256 -Count 32) | Set-Content privateaes.bin -AsByteStream

The IV salt is just a 16-byte binary file; you can create it the same way, replacing 32 with 16 and privateaes.bin with ivsalt.bin in the commands above.
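As an added example (not code from pico-examples), a POSIX shell helper that runs the three generation commands above only when the files do not already exist, so keys a device already trusts are never overwritten, and then checks the curve and the 32-byte/16-byte sizes before anything is burned to OTP. The function names and the all-zero check are assumptions of this example.

```shell
#!/bin/sh
# Assumed helper (not part of pico-examples): create the secrets the
# enc_bootloader expects and sanity-check them before `picotool otp load`.
set -eu

# Byte length of a file, portable across GNU and BSD wc.
file_size() { wc -c < "$1" | tr -d ' '; }

# Returns 0 when $1 exists, is exactly $2 bytes long and is not all-zero
# (a truncated dd or an empty read would otherwise go unnoticed).
check_secret() {
  f=$1; want=$2
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  got=$(file_size "$f")
  [ "$got" -eq "$want" ] || { echo "$f: $got bytes, expected $want" >&2; return 1; }
  if [ "$(tr -d '\000' < "$f" | wc -c | tr -d ' ')" -eq 0 ]; then
    echo "$f: all zero bytes" >&2; return 1
  fi
}

# Returns 0 when the PEM key is on the secp256k1 curve the bootloader requires.
check_curve() {
  openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'secp256k1'
}

# Generate only what is missing, then validate all three files.
gen_secrets() {
  dir=${1:-.}
  [ -f "$dir/private.pem" ] || openssl ecparam -name secp256k1 -genkey -out "$dir/private.pem"
  [ -f "$dir/privateaes.bin" ] || dd if=/dev/urandom of="$dir/privateaes.bin" bs=1 count=32 2>/dev/null
  [ -f "$dir/ivsalt.bin" ] || dd if=/dev/urandom of="$dir/ivsalt.bin" bs=1 count=16 2>/dev/null
  check_curve "$dir/private.pem"
  check_secret "$dir/privateaes.bin" 32
  check_secret "$dir/ivsalt.bin" 16
}
```

Run `gen_secrets path/to/keys` from the example's build directory; a non-zero exit means one of the files is unsuitable and should be regenerated before programming OTP.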

You will need to program your OTP using the otp.json file generated by the build in your build folder. NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP pages the AES key and IV salt are stored in.

picotool otp load otp.json

For more information on security see chapter 10 of the RP2350 datasheet, and for information on how to sign other binaries to run on a secure chip see section 5.10.

Then either drag & drop the UF2 files to the device in order (enc_bootloader first, then hello_serial_enc) waiting for a reboot in-between, or run

picotool load enc_bootloader.uf2
picotool reboot -u
picotool load -x hello_serial_enc.uf2