Remote OS update for a fleet of devices with secure boot

Hi, I found that it is possible to enable secure boot with balenaOS. Now I’m wondering how this works together with remote updates through balenaCloud. My intention is to provision a fleet of Raspberry Pi CM4 devices with secure boot and disk encryption enabled.

My understanding is that every device that uses secure boot has its own key that is used to verify whether a new image, signed with that same key, can be flashed. So it seems to me that when you deploy an OS update to a fleet of devices, you would need to generate signed images for every individual device, so the image matches the stored key.

Am I understanding this correctly? And if so, can balenaCloud manage the signing process in some way?

Maybe I’m just misunderstanding the provisioning process of secure boot devices. Please let me know!

Thank you in advance

Hello @bartvanderhoeven12, thanks for your message and welcome to the balena community!

First of all, we are currently working on secure boot for balenaOS on CM4; however, it’s not ready yet.

We will take care of the signing and the OS updates will work as they do today; you will not need to worry about signing the OS image.

Does this solve your questions?

Thank you for the reply, that is exactly what I needed to know!

@mpous Do you have an update on when you expect this to be ready for production?