Enable secure boot and disk encryption for CM4

The RaspberryPi CM4 module has hardware features that provide secure boot and disk encryption.

Enable these features in balenaOS.

Alex Gonzalez: This is an active project - changes are being implemented in meta-balena[1] to abstract away the secure boot and disk encryption interfaces, and secure boot and disk encryption support is being worked on in a balena-raspberrypi branch [2].

[1] CM4 secure boot by alexgg · Pull Request #3357 · balena-os/meta-balena · GitHub
[2] [WIP] CM4 secure boot support by alexgg · Pull Request #1095 · balena-os/balena-raspberrypi · GitHub


Alex Gonzalez: An optimistic rough estimation for availability based on the current status is 1 more development cycle (6 weeks) to review/merge the above and one more cycle to finish automation testing.

Hello @Alex Gonzalez,

I see that the above mentioned pull requests are closed.

  1. Are these features ready to be used in production?
     • If yes, which balenaOS version?
     • If not, when is it estimated?
  2. Will an update to the relevant balenaOS version automatically include secure boot and disk encryption?
  3. What are the relevant commands/settings we can check in order to see if a device has secure boot and disk encryption enabled?

Thank you


Alex Gonzalez: Hi Marius,

Most of the core work is indeed done. You can find some details about the implementation in balena-raspberrypi/docs/rpi-secure-boot.md at master · balena-os/balena-raspberrypi · GitHub.

The feature is not yet production ready though. We are working on automation testing and also finishing the feature validation including security reviews and the provisioning process.

We are also working on how to surface the feature to customers. A secure boot enabled build does not fit in the current partition tables for the raspberrypicm4-ioboard device type, so we have been using a different device type to develop with, raspberrypicm4-ioboard-sb. This new device type is still private.

Answering your question, a secure boot enabled device will be locked, as described in balena-raspberrypi/docs/rpi-secure-boot.md at master · balena-os/balena-raspberrypi · GitHub, so you could check that the public key digest has been written to OTP. Also, the encrypted disks will be LUKS encrypted.
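The two signals named in the reply above, the key digest in OTP and LUKS on the data partitions, can be checked from a shell on the device. The script below is an added example, not code from the forum thread or from balena's repositories. It assumes that `vcgencmd otp_dump` prints one `<row>:<hex>` line per OTP row and that the public key digest occupies rows 36 to 43 (an assumption about the OTP layout, not something the thread states), and that `lsblk -ln -o NAME,TYPE,FSTYPE` reports opened LUKS mappings with TYPE `crypt` and their backing partitions with FSTYPE `crypto_LUKS`. The checkers take command output as text so they can be exercised against the constructed samples embedded here; `check_device` runs them against the live commands.

```shell
#!/bin/sh
# Added example: verify the two properties described in the thread,
# (1) secure boot lock: public key digest programmed into OTP,
# (2) disk encryption: LUKS containers / crypt mappings present.
# Assumptions (labelled): OTP key digest rows are 36-43; vcgencmd otp_dump
# prints "<row>:<hex>"; lsblk -ln -o NAME,TYPE,FSTYPE gives one device per line.

# Return 0 if every listed OTP row is present and non-zero (programmed).
# $1 = otp_dump text, remaining args = row numbers to check.
otp_rows_programmed() {
  dump=$1; shift
  for row in "$@"; do
    val=$(printf '%s\n' "$dump" | awk -F: -v r="$row" '$1 == r { print $2 }')
    [ -n "$val" ] || return 1            # row missing from the dump
    case "$val" in
      *[!0]*) ;;                         # at least one non-zero hex digit
      *) return 1 ;;                     # all zeros: row is blank
    esac
  done
  return 0
}

# Print names of devices lsblk reports as LUKS containers or crypt mappings.
# $1 = output of: lsblk -ln -o NAME,TYPE,FSTYPE
luks_devices() {
  printf '%s\n' "$1" | awk '$2 == "crypt" || $3 == "crypto_LUKS" { print $1 }'
}

# Live check on a device (only runs when invoked with --live).
check_device() {
  if otp_rows_programmed "$(vcgencmd otp_dump)" 36 37 38 39 40 41 42 43; then
    echo "secure boot: key digest rows 36-43 are programmed in OTP"
  else
    echo "secure boot: OTP key digest rows are blank (device not locked)"
  fi
  luks=$(luks_devices "$(lsblk -ln -o NAME,TYPE,FSTYPE)")
  if [ -n "$luks" ]; then
    echo "disk encryption: LUKS devices: $(printf '%s' "$luks" | tr '\n' ' ')"
  else
    echo "disk encryption: no LUKS devices found"
  fi
}

# Constructed sample outputs (not captured from real hardware).
OTP_UNLOCKED='36:00000000
37:00000000
38:00000000
39:00000000
40:00000000
41:00000000
42:00000000
43:00000000'
OTP_LOCKED='36:1a2b3c4d
37:5e6f7081
38:92a3b4c5
39:d6e7f809
40:1b2c3d4e
41:5f607182
42:93a4b5c6
43:d7e8f90a'
LSBLK_PLAIN='mmcblk0 disk
mmcblk0p1 part vfat
mmcblk0p2 part ext4'
LSBLK_LUKS='mmcblk0 disk
mmcblk0p1 part vfat
mmcblk0p2 part crypto_LUKS
rootA crypt ext4'

[ "${1:-}" = "--live" ] && check_device
```

Run it with `--live` on the device to query the real commands; without arguments it only defines the functions and sample data, so it can be sourced and tested off-device.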

Hi Alex, do you have an update on when this will be production ready?

Thanks,

Hello Alex -
While it seems to show partial support, is this a production supported release?
Thanks

hey @TMH, it’s not production ready unfortunately. Work on the feature was paused until some product concerns are ironed out.


Hello Alex -
When will those product concerns be ironed out? We’ve been awaiting this for years :)

hey @TMH, the concerns are mostly:

  • Signed images cannot modify config.txt - this would severely limit the applicability of the images, and can either be solved by providing signing endpoints, which is a security problem, or by enabling balenaCloud’s ingestion of customer-signed images
  • Increase in root filesystem sizes - secure boot images exceed the default rootfs size, so signed images cannot be deployed to existing device types. For this we need a mechanism to perform safe partition resizing, or something like the ability to deploy OS variants.

The initial decision was to push forward with unmodifiable config.txt and different secure boot enabled device types. However, it was later decided that we’d rather not release anything than provide a bad product experience.