Today I finally burnt in my secure-boot key too into my first RPI. Aaaaand, the hash returned by the chip is... interesting. Supposedly it's SHA256 of the RSA pubkey. Ok? But at what encoding? Because it definitely did not match anything even remotely standardised like DER.