Secure boot support for raspberrypi4-ioboard-sb #1117
Merged
alexgg force-pushed the alexgg/sb-cm4ioboard branch 3 times, most recently from 87166ab to e9f21d5 on April 15, 2024 15:23

alexgg force-pushed the alexgg/sb-cm4ioboard branch 5 times, most recently from 2f279fe to a4de8e0 on April 22, 2024 10:16

alexgg force-pushed the alexgg/sb-cm4ioboard branch 3 times, most recently from a8a612a to 75258f5 on May 3, 2024 10:05

alexgg force-pushed the alexgg/sb-cm4ioboard branch 2 times, most recently from 20f30b4 to 17fbe48 on May 9, 2024 12:33

alexgg changed the title from "[WIP] Secure boot support for raspberrypi4-ioboard-sb" to "Secure boot support for raspberrypi4-ioboard-sb" on May 12, 2024

alexgg force-pushed the alexgg/sb-cm4ioboard branch 4 times, most recently from ca5bdea to 86823d3 on May 14, 2024 11:49

alexgg force-pushed the alexgg/sb-cm4ioboard branch 3 times, most recently from 8c92728 to 67e2c73 on May 16, 2024 11:53
Changelog-entry: add secure boot enabled Raspberrypicm4 ioboard support
Signed-off-by: Alex Gonzalez <[email protected]>

Changelogs-entry: add class for RPI image signing
Signed-off-by: Alex Gonzalez <[email protected]>

This will be used in provisioning and copied to the SPI EEPROM.
Changelog-entry: Deploy RPI public key
Signed-off-by: Alex Gonzalez <[email protected]>

Adds an os-helper-otp file that contains the shared interface to the OTP.
Changelog-entry: add public interface to OTP
Signed-off-by: Alex Gonzalez <[email protected]>

This helper file is used to customize HUP and share variables with the flasher script.
Changelog-entry: add os-helpers-sb
Signed-off-by: Alex Gonzalez <[email protected]>

A secured device cannot have the EEPROM updated using this mechanism. A self-update is needed.
Change-type: patch
Signed-off-by: Alex Gonzalez <[email protected]>

Making balena-image-flasher buildable for secure boot use cases. Also, place EEPROM binaries in the boot partition so they can be used in the provisioning process.
Changelog-entry: Support flasher image for secure boot use cases.
Signed-off-by: Alex Gonzalez <[email protected]>

Include the files with the secureboot and disk encryption interface.
Changelog-entry: provide secure boot and disk encryption abstraction
Signed-off-by: Alex Gonzalez <[email protected]>

Allow updating the SPI EEPROM from the flasher images, as this is required to enable secure boot as part of provisioning.
Change-type: patch
Signed-off-by: Alex Gonzalez <[email protected]>

Changelog-entry: specialize cryptsetup module for RPI
Signed-off-by: Alex Gonzalez <[email protected]>

Add a mount service for the unencrypted boot partition.
Changelog-entry: add mount service for the unencrypted boot partition
Signed-off-by: Alex Gonzalez <[email protected]>

Duplicate 1-bootfiles into 2-rpifiles so that the bootfiles are installed in two passes, one for the non-encrypted boot partition and a second one for the encrypted boot partition. The 1-bootfiles will differentiate based on the script name whether to target the encrypted or non-encrypted partitions for file installation.
Changelog-entry: customize hostOS update script for secure boot
Signed-off-by: Alex Gonzalez <[email protected]>

Inherit the use of OS_KERNEL_CMDLINE and OS_KERNEL_SECUREBOOT_CMDLINE from balenaOS distro settings. Also, use early console settings for osdev images.
Changelog-entry: use distribution's kernel command line variables
Signed-off-by: Alex Gonzalez <[email protected]>

Increase the default size to support building signed images.
Change-type: patch
Signed-off-by: Alex Gonzalez <[email protected]>

When performing a hostOS update we perform atomic writes of individual files, that is, first we copy a new file, and then we rename. The rename operation is atomic on some filesystems like ext4, but on vfat it was not atomic until Linux kernel v6.0. Hence, balenaOS uses a `fatrw` library that keeps a checksummed copy of the file until the rename completes and can be verified. Unfortunately, for hostOS updates `fatrw` will fall back to a non-atomic rename if there is not enough space to keep a checksummed copy of the file. This will stop being a problem once a >6.0 kernel is used. Now, a secure boot enabled CM4/RPI4 requires a single boot.img that contains all the essential boot firmware. This contains the balena bootloader and its initramfs, which needs packages to mount encrypted file systems. Basically, the size of the balena bootloader increases to around 50M, and the size of boot.img to around 60M, so we need at least double that in order to perform atomic updates of this file.
Changelog-entry: increase the boot partition size for CM4 to support secure boot
Signed-off-by: Alex Gonzalez <[email protected]>
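The copy, rename and verify flow that the commit message above describes, as an added Python model that is not the `fatrw` library's own code: the `.new`/`.bak`/`.sha256` sidecar names and the inputs used by `demo()` are constructed for this example. It shows why the partition must hold the file twice, and what the recovery path does when a rename was torn.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Model of the copy-then-rename update the commit message describes: new content
# is staged beside the target with a checksummed copy, the rename is done, and the
# copy is dropped only once the result verifies. Added illustration, not fatrw's
# own code; the sidecar file names (.new/.bak/.sha256) are constructed here.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())

def update_file(dest: str, data: bytes) -> bool:
    """Replace dest with data; True if the checksummed copy verified and was retired."""
    write(dest + ".new", data)                   # staged new content
    write(dest + ".bak", data)                   # the copy: partition must hold the file twice
    write(dest + ".sha256", sha256(data).encode())
    os.replace(dest + ".new", dest)              # atomic on ext4, not on vfat before Linux 6.0
    return verify_and_cleanup(dest)

def verify_and_cleanup(dest: str) -> bool:
    """Recovery path: True if dest already matched; False if it was restored from the copy."""
    if not os.path.exists(dest + ".sha256"):
        return True                              # no update in flight
    expected = Path(dest + ".sha256").read_text().strip()
    ok = os.path.exists(dest) and sha256(Path(dest).read_bytes()) == expected
    if ok:
        os.remove(dest + ".bak")                 # verified: the copy is no longer needed
    else:
        os.replace(dest + ".bak", dest)          # torn rename: restore from the copy
    os.remove(dest + ".sha256")
    return ok

def demo() -> dict:
    # A clean update, then a simulated torn rename, in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "boot.img")
        clean = update_file(dest, b"new boot.img")
        after_clean = (Path(dest).read_bytes(), sorted(os.listdir(d)))
        write(dest, b"garbage")                  # dest left wrong by a torn rename
        write(dest + ".bak", b"good image")
        write(dest + ".sha256", sha256(b"good image").encode())
        repaired = verify_and_cleanup(dest)
        after_repair = (Path(dest).read_bytes(), sorted(os.listdir(d)))
    return {"clean": clean, "after_clean": after_clean,
            "repaired": repaired, "after_repair": after_repair}
```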
With the definition of SIGN_API the initramfs image has increased. This still fits in the existing partition layout, so there are really no other implications.
Changelog-entry: adjust initramfs size for RPI4
Signed-off-by: Alex Gonzalez <[email protected]>

Changelog-entry: add usbboot native recipe
Signed-off-by: Alex Gonzalez <[email protected]>

This deploys the signed artifacts needed for a locked device reprovisioning.
Changelog-entry: add usbboot native dependency
Signed-off-by: Alex Gonzalez <[email protected]>

Changelog-entry: add secure boot and disk encryption documentation
Signed-off-by: Alex Gonzalez <[email protected]>
alexgg force-pushed the alexgg/sb-cm4ioboard branch from 67e2c73 to 82ea457 on May 17, 2024 13:45
lgtm |
Manual merge without the |
This was referenced May 20, 2024