Hi, I found that it is possible to enable secure boot with balenaOS. Now I’m wondering how this works together with remote updates through balenaCloud. My intention is to provision a fleet of Raspberry Pi CM4 devices with secure boot and disk encryption enabled.
My understanding is that every device that uses secure boot has its own key that is used to verify whether a new image, signed with that same key, can be flashed. So it seems to me that when you deploy an OS update to a fleet of devices, you would need to generate signed images for every individual device, so the image matches the stored key.
Am I understanding this correctly? And if so, can balenaCloud manage the signing process in some way?
Maybe I’m just misunderstanding the provisioning process of secure boot devices. Please let me know!
Thank you in advance.