Originally published at: Giving you more control over firmware in balenaOS
We’re reducing the amount of firmware that will be included in balenaOS to make it even more lightweight, secure and customizable.
Will adding your own firmware work with secure boot enabled? Kernel modules have to be signed, right?
Reading the blog post it seems like one of the major goals is to reduce the size of balenaOS.
Will the partitions stay as they are in size, or is it planned to e.g. reduce the size of the A/B rootfs partitions?
In case the size will change - is there anything to consider before upgrading to the new major balenaOS version?
Hi @Michael23,
Good question. The intent is to reduce the size of balenaOS so it fits within the existing partition size, particularly for older device types that have a smaller partition size. The partitions will stay the same size - we have no plans to reduce partition size.
Hi @rosswesleyporter ,
Thanks for the explanation. In addition, I am interested in the topic pointed out by @wooyay.
Assuming I have an arm64-based device like Compulab’s IOT Gate i.MX8Plus board with secure boot enabled (GitHub - balena-os/meta-balena-hab: Support for i.MX HAB secure boot and disk encryption · GitHub), all kernel modules have to be signed to fulfill the chain of trust.
Is there an additional mechanism in place that ensures that the artifacts are signed, so that secure boot can be used?
```yaml
version: '2.4'
services:
  firmware:
    image: bh.cr/balena_os/linux-firmware-aarch64
    labels:
      io.balena.features.extra-firmware: '1'
```
Thanks
Hi @Michael23, you may want to chat with your account manager (Joe). But in the meantime, here are a few notes:

- User loading of firmware is not supported on devices with secure boot enabled because the kernel cmdline is locked in secure boot.
- In the future we may provide a mechanism that makes secure boot compatible with user loading of firmware. But in the interest of transparency, note that we are not actively working on that.
- In some cases it can make sense to use our Custom Device Support service. But that’s a longer case-by-case discussion to have with your account manager.
- If you are asking about using out-of-tree (external) kernel modules with secure boot on Compulab’s IOT Gate i.MX8Plus, that too is a longer story to discuss with your account manager.
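Both @wooyay's question (kernel modules have to be signed) and @Michael23's follow-up (is there a mechanism that ensures the artifacts are signed) come down to a check a practitioner can run themselves before putting an image on a secure-boot device: does each `.ko` actually carry the signature trailer that the kernel's `scripts/sign-file` appends? The script below is an added example written for this thread; it is not balenaOS code and not part of any of the posts. It parses the documented trailer layout (`struct module_signature` followed by the magic `~Module signature appended~\n`). It only detects presence and basic consistency of the trailer; whether the kernel accepts a module depends on the embedded PKCS#7 blob verifying against a key in the kernel's trusted keyring, and whether unsigned modules are refused at all depends on `CONFIG_MODULE_SIG_FORCE` or `module.sig_enforce=1` on the locked command line. The sample bytes, the `FAKE_*` names and the `unsigned_modules` helper are constructed for the example.

```python
"""Detect whether Linux kernel modules (.ko) carry an appended signature.

Added example, not balenaOS code. A module signed with the kernel's
scripts/sign-file ends with a 12-byte 'struct module_signature' followed by
the 28-byte magic "~Module signature appended~\n". Presence of the trailer
is necessary but not sufficient: the kernel still has to verify the PKCS#7
blob against its trusted keyring.
"""
import struct
import sys
from pathlib import Path
from typing import Optional

MAGIC = b"~Module signature appended~\n"
# struct module_signature (include/linux/module_signature.h):
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len,
#   u8 __pad[3], __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type written by sign-file; algo/hash/lengths are 0 for PKCS#7


def parse_module_signature(data: bytes) -> Optional[dict]:
    """Return the trailer fields of a signed module, None if unsigned,
    or raise ValueError if a trailer is present but inconsistent."""
    if not data.endswith(MAGIC):
        return None
    body = data[: -len(MAGIC)]
    if len(body) < SIG_HDR.size:
        raise ValueError("file too short for module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(
        body[-SIG_HDR.size :]
    )
    # The kernel rejects PKCS#7 trailers with non-zero legacy fields (EBADMSG).
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must have zero algo/hash/signer/key-id fields")
    payload_len = len(body) - SIG_HDR.size - sig_len
    if payload_len < 0:
        raise ValueError("sig_len larger than the file")
    sig = body[payload_len : payload_len + sig_len]
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "signature": sig,
        "payload_len": payload_len,
    }


def signature_status(data: bytes) -> str:
    """Classify a module image as 'signed', 'unsigned' or 'malformed'."""
    try:
        return "signed" if parse_module_signature(data) else "unsigned"
    except ValueError:
        return "malformed"


def unsigned_modules(root: Path) -> list:
    """Hypothetical helper: every .ko under root that is not cleanly signed."""
    return [p for p in root.rglob("*.ko") if signature_status(p.read_bytes()) != "signed"]


# Constructed sample data: an ELF-looking stub standing in for a real .ko,
# and a few DER-looking bytes standing in for the PKCS#7 blob sign-file appends.
FAKE_PAYLOAD = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
FAKE_SIG = bytes.fromhex("3082000406092a86")


def append_fake_signature(payload: bytes, sig: bytes = FAKE_SIG) -> bytes:
    """Lay out the trailer exactly as sign-file does: payload, sig, header, magic."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return payload + sig + hdr + MAGIC


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_ko_sig.py /path/to/lib/modules/.../*.ko
        for path in sys.argv[1:]:
            print(f"{path}: {signature_status(Path(path).read_bytes())}")
    else:
        print("sample signed:  ", signature_status(append_fake_signature(FAKE_PAYLOAD)))
        print("sample unsigned:", signature_status(FAKE_PAYLOAD))
```

Run it against the modules in an extracted image (or pipe `find /lib/modules -name '*.ko'` into it) to get a per-file signed/unsigned/malformed verdict. Anything reported as unsigned or malformed is exactly what a secure-boot kernel with signature enforcement will refuse at `insmod` time, which is the practical reason user-loaded firmware and out-of-tree modules are not supported on locked devices in the replies above.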