UC20: enabling Secure Boot + FDE on Raspberry Pi 4

find . -print0 | cpio --null --create --quiet --format=newc --owner=0:0 | lz4 -9 -l > …/kernel-snap/initrd.img

For this I always get "permission denied" when accessing initrd.img, even if I use sudo.

Try with sudo sh -c '<full command>'. Anyway, if you need root permissions, it is probably because you used sudo while running unsquashfs/unmkinitramfs, which you don't need, I think.

Hi @fguerzoni, I am also working on this and I managed to ADD tpm_tis_spi to the initrd and compile the kernel snap with FDE hooks.

During the initial boot, it displayed the following and the process hangs:

  secboot_tpm.go:77: checking if secure boot is enabled…
  secboot_tpm.go:79: secure boot not enabled: not a supported EFI system
  taskrunner.go:271: [change 2 "Setup system for run mode" task] failed: cannot encrypt device storage as mandated by model grade secured: not a supported EFI system

Did you manage to solve this issue?

Recently, some changes introduced to the latest RPi4 bootloader add beta support for secure boot and for permanently writing a hash of the customer signing keys to the EEPROM; that could provide attestation, but not yet FDE.

PI4 BOOTLOADER:
   CURRENT: Tue 26 Apr 10:24:28 UTC 2022 (1650968668)
   RELEASE: default (/lib/firmware/raspberrypi/bootloader/default)

For FDE, adding a third-party TPM 2.0 like the LetsTrust TPM, similar to @fguerzoni's configuration, is required. Chain-loading piboot+secureboot and u-boot+TPM2 could provide FDE.

This still would not address the EFI issue, though.

UC & Canonical involvement will certainly be required for provisioning a facility to sign the bootloader, EEPROM configurations & the hash of the production key, if one does not want to manage keys for their own UC images. (I'm just starting with UC so :warning: :baby_chick:)


I own an OPTIGA™ TPM SLx 9670 TPM 2.0 and I would like to set up secure boot + full-disk encryption on a Raspberry Pi 4B.

My use case: the Raspberry Pi would be given to an end user as a video player device. Videos are downloaded to the device and can be played when offline. So, I would like to protect the videos (IP) on the SD card.

I am actively seeking help/guidance on this.
