[Done] Enable secure boot and full disk encryption for x86 device types

No description provided.

1000x YES

I raise you! This would literally allow us to deploy about 100 x more stuff on balena where it makes sense.

Joseph Kogut: It’s good to see such positive feedback for this feature. :slight_smile:

I’ve been working on augmenting our QEMU worker we use to run automated test suites for balenaOS to be capable of running our flasher image, as well as enabling secure boot in a virtualized environment using OVMF firmware. This will allow us to validate secure boot enabled images in our automated test suite, including ensuring that secure boot and full-disk encryption are properly enabled, host OS upgrades and fallback capability work, and all other currently tested OS functionality remains operational.

Alex Gonzalez: To complement the above, the feature has made good progress and we are finishing up the automation testing and fixing issues that arise from those tests.
We are also finalizing the secure infrastructure that is needed to sign the release artifacts.
It’s one of the priorities of the OS team at the moment so you can expect to see progress soon enough.

Has there been any progress toward releasing this feature in the previous 2 months? Any status update is appreciated.

Alex Gonzalez: Thanks for the message - the secure boot and full disk encryption feature for x86_64 is currently being tested. We did a last-minute change to use db hashes instead of db certificates to avoid issues with certificate expiration, and also to support key updates on hostOS updates invalidating artifacts signed with previous signing material.
In summary, the signing infrastructure is ready, the final db hashing change is being tested, and the automated tests are just about to be ready. We are finalizing the feature documentation too.
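To illustrate the db-hash versus db-certificate distinction mentioned in the post above, here is an added example (not balena's code) that builds and parses UEFI `EFI_SIGNATURE_LIST` payloads as found in the Secure Boot `db` variable and checks whether an artifact is allowed by an enrolled SHA-256 entry. The release blobs and the `build_signature_list`, `parse_db`, `count_by_type` and `image_allowed_by_hash` helpers are constructed for this example; real firmware hashes a PE image per Authenticode rules rather than the raw file.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification that identify the entry type of a db EFI_SIGNATURE_LIST.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Serialize one EFI_SIGNATURE_LIST; every entry in a list must have the same size."""
    sig_size = 16 + len(entries[0])  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


def parse_db(blob):
    """Yield (entry type, SignatureData) for every entry in a db/dbx variable payload."""
    off = 0
    while off < len(blob):
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < SIGLIST_HDR.size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + SIGLIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            yield uuid.UUID(bytes_le=raw_type), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def count_by_type(blob):
    """Summarize how many hash entries versus certificate entries a db holds."""
    counts = {}
    for sig_type, _ in parse_db(blob):
        counts[sig_type] = counts.get(sig_type, 0) + 1
    return counts


def image_allowed_by_hash(db_blob, image):
    """True when the image's SHA-256 is enrolled as an EFI_CERT_SHA256 entry (raw-file hash, a simplification)."""
    digest = hashlib.sha256(image).digest()
    return any(t == EFI_CERT_SHA256_GUID and data == digest for t, data in parse_db(db_blob))


# Constructed sample: two release artifacts; the first db version enrolls only the hash of release A.
RELEASE_A = b"balenaOS-release-A (constructed stand-in for a signed EFI binary)"
RELEASE_B = b"balenaOS-release-B (constructed stand-in for a signed EFI binary)"
DB_V1 = build_signature_list(EFI_CERT_SHA256_GUID, [hashlib.sha256(RELEASE_A).digest()])
# Enrolling release B appends a new list; the existing hash entry stays valid and has no expiry date.
DB_V2 = DB_V1 + build_signature_list(EFI_CERT_SHA256_GUID, [hashlib.sha256(RELEASE_B).digest()])
```

Because trust is per-artifact hash rather than per-signing-certificate, rotating the signing key does not invalidate already-enrolled releases, which is the property the post describes.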

That sounds great!
Can you already say something about the deployment?
Does it have to be a new installation, or will it be possible to migrate a device to an encrypted disk?

Alex Gonzalez: Initially it has to be a new installation as the secure boot and full disk encryption are used together and partitions need to be encrypted. In the near future we are working on a migrator tool that will allow for remote installations/migrations and will offer the migration path to secure boot and disk encryption (see Provide tool to onboard (migrate) devices already deployed in the field · Balena Feature Requests)

Joseph Kogut: Quick update, two of our three automated OS test suites have passed with secure boot and full-disk encryption enabled. Those two suites test OS-specific functionality, such as secure boot specific tests (including verifying that partitions are encrypted, and signature/hash checks work as expected), filesystem checks, configuration, engine, and networking, as well as integration tests with the cloud platform. The third suite tests host OS updates (HUP), and hasn’t seen an automated run yet as we don’t have a signed production image deployed to update from.

We’re working on deploying signed images by default, which will also enable testing HUP.

Alex Gonzalez: Some good news, the 2.114.21 release for the Generic x86_64 (GPT) device type in production was our first signed release. We are very close to the official feature announcement, and although we don’t yet recommend using secure boot and full disk encryption on your production fleets you can definitely use it in the lab and test your applications on it. The team is working on validating the key management processes, and finishing off documentation, and once those are out of the way the feature will be ready to go.

Alex Gonzalez: This feature is now available in production, please take a look at the feature release announcement in https://blog.balena.io/balenaOS-secure-boot-and-disk-encryption-for-x86-64/.

Alex Gonzalez set the status to Completed

This feature is now available in production and the release announcement is at https://blog.balena.io/balenaOS-secure-boot-and-disk-encryption-for-x86-64/.

That’s fantastic news, thanks for bringing this feature in so quickly!
At the moment, we are using UP-Boards in our fleet.
As far as I can tell, they are very close to generic x86 hardware and activating the new secure-boot/encryption feature should be easy (isn’t it? What’s the difference anyway?).
So is it also on the near road map, can we expect it in the next months or so?

Alex Gonzalez: Thanks for your message. We are working on bringing secure boot and disk encryption support to our other x86 based device types. In particular the up-board repository uses the vendor’s BSP layer instead of the generic support provided by Poky which is used for the Generic x86_64 device types. The vendor BSP provides extra support for the hardware which is not available in the generic images.