I have been trying to promote Zymkey 4i as a secure boot option with full disk encryption for our Raspberry Pi 4B product but I have been presented options of choosing recently introduced secure boot option as an alternative and I am finding it hard to make a case. GitHub - raspberrypi/usbboot: Raspberry Pi USB booting code, moved from tools repository
It looks like node locking the device to a signed image permanently is an acceptable solution to them.
The users will have full access to the device and I feel secure boot to an extent can be compromised by booting in recovery mode and reading additional private keys they store in EEPROM for encrypting root partition. Subsequently cloning the SD Card and opening root partition by using private key obtained from step above can compromise the device.
I do not have lot of expertise in this area but if you have a comparison on why Zymkey is a better solution for securing the device, it will help me make a presentable argument on using Zymkey as a better alternative.
Looking forward to hear from you.
Thanks for your question on Zymbit, Rajesh! You’re correct, Pi secure boot alone will not protect the filesystem contents. Zymkey protects the filesystem encryption key and accessing the EEPROM will not yield anything. Without Zymkey, Pi does not have any place to store secrets because Pi secure boot is only signing the code, but there is no encryption.
Also, a popular option for even more security is via the Zymbit SCM - Secure Compute Module. It has a secured boot process that protects both the filesystem and the boot artifacts, and also prevents the Pi from being mounted in mass storage mode. The SCM is a Raspberry Pi and Zymbit security combined physically in a CM4 form factor that can be used with your motherboard, a 3rd party motherboard or a Zymbit supplied board (SCM Dev Kit 2) or boxed product (SCN). It is a great way to simplify your setup / supply chain while increasing system robustness and physical security. (Of course there is the physical security / tamper detect functionality, which all Zymbit products support, up to and including immediate destruction of keys.) Thank you again Rajesh, and please contact us if you have more questions!