Enable secure boot and disk encryption for CM4

The Raspberry Pi CM4 module has hardware features that provide secure boot and disk encryption.

Enable these features in balenaOS.

Alex Gonzalez: This is an active project - changes are being implemented in meta-balena [1] to abstract away the secure boot and disk encryption interfaces, and secure boot and disk encryption support is being worked on in a balena-raspberrypi branch [2].

[1] CM4 secure boot by alexgg · Pull Request #3357 · balena-os/meta-balena · GitHub
[2] [WIP] CM4 secure boot support by alexgg · Pull Request #1095 · balena-os/balena-raspberrypi · GitHub

Alex Gonzalez: An optimistic rough estimation for availability based on the current status is 1 more development cycle (6 weeks) to review/merge the above and one more cycle to finish automation testing.

Hello @Alex Gonzalez,

I see that the above-mentioned pull requests are closed.

  1. Are these features ready to be used in production?
     • If yes, which balenaOS version?
     • If not, when is it estimated?
  2. Will an update to the relevant balenaOS version automatically include the secure boot and disk encryption?

  3. What are the relevant commands/settings we can check in order to see if a device has the secure boot and disk encryption enabled?

Thank you

Alex Gonzalez: Hi Marius,

Most of the core work is indeed done. You can find some details about the implementation in balena-raspberrypi/docs/rpi-secure-boot.md at master · balena-os/balena-raspberrypi · GitHub.

The feature is not yet production ready though. We are working on automation testing and also finishing the feature validation including security reviews and the provisioning process.

We are also working on how to surface the feature to customers. A secure boot enabled build does not fit in the current partition tables for the raspberrypicm4-ioboard device type, so we have been using a different device type to develop with raspberrypicm4-ioboard-sb. This new device type is still private.

Answering your question, a secure boot enabled device will be locked, as described in balena-raspberrypi/docs/rpi-secure-boot.md at master · balena-os/balena-raspberrypi · GitHub, so you could check that the public key digest has been written to OTP. Also, the encrypted disks will be LUKS encrypted.
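An added example, not part of the thread and not balena's tooling: a shell sketch of the two checks mentioned in the reply above (OTP programmed, partitions LUKS encrypted). It assumes `lsblk` and `vcgencmd` are available where you run it; the OTP row range is not given in this thread, so it is passed in through the hypothetical variables `OTP_FIRST` and `OTP_LAST`, to be taken from rpi-secure-boot.md.

```shell
#!/bin/sh
# Added example (not balena code). Function and variable names are hypothetical.

# Reads `lsblk -rno NAME,FSTYPE` style lines on stdin and prints the
# names of block devices whose signature is a LUKS header.
luks_partitions() {
    awk '$2 == "crypto_LUKS" { print $1 }'
}

# Reads `vcgencmd otp_dump` style lines ("row:hexvalue") on stdin.
# Exit status: 0 = at least one row in [FIRST, LAST] is non-zero,
#              1 = every row in the range is zero (nothing written),
#              2 = the dump does not contain the whole range.
# A non-zero range only shows that something was written; it does not
# prove the stored digest matches your own public key.
otp_rows_programmed() {
    awk -F: -v first="$1" -v last="$2" '
        $1 + 0 >= first && $1 + 0 <= last {
            seen++
            if ($2 !~ /^0+$/) nonzero++
        }
        END {
            if (seen != last - first + 1) exit 2
            exit (nonzero > 0 ? 0 : 1)
        }'
}

# Run on the device as: OTP_FIRST=<row> OTP_LAST=<row> sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    : "${OTP_FIRST:?set to the first OTP row of the key digest}"
    : "${OTP_LAST:?set to the last OTP row of the key digest}"

    echo "LUKS-encrypted block devices:"
    lsblk -rno NAME,FSTYPE | luks_partitions | sed 's/^/  /'

    if vcgencmd otp_dump | otp_rows_programmed "$OTP_FIRST" "$OTP_LAST"; then
        echo "OTP rows $OTP_FIRST-$OTP_LAST: programmed"
    else
        echo "OTP rows $OTP_FIRST-$OTP_LAST: blank or not readable"
    fi
fi
```

To confirm the digest is the expected one rather than merely present, compare the dumped rows against the digest of your signing key as described in the linked document.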

Hi Alex, do you have an update on when this will be production ready?

Thanks,