I have a product board (Raspberry Pi Compute Module 4 + my own board with peripherals) and I must secure the contents. I used Zymkey4, followed the guide on how to encrypt rootfs, and it works like a charm. But one problem is still unresolved: BootFS is still unencrypted.
As I understand it, an actor can change boot options to get a direct shell after boot, eavesdrop on decrypted data, tamper with data, or something like that.
So we must be sure that the boot partition is not changed before decrypting the encrypted rootfs. For SCM there is a Supervised Boot feature that creates checksums for the files mentioned in a manifest and decrypts rootfs only if the stored checksum matches the checksum of the files. But this option is not supported for Zymkey4.
As far as I understand, a secure boot sequence must be implemented to boot only if the boot partition is not changed. Is there any guide on how to implement rootfs encryption and secure boot to protect the boot partition from changes and not boot (and not decrypt) bootfs if the boot partition is altered?
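The Supervised Boot logic described above (hash the boot-partition files listed in a manifest and unlock the rootfs only when every hash matches), as an added example that is not Zymbit's code: a POSIX shell check intended to run from the initramfs before the LUKS unlock step. It assumes the manifest text is fetched from tamper-resistant storage such as the HSM (here a constructed sample built in the test); `verify_boot_manifest` and `boot_gate` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not Zymbit's Supervised Boot implementation.
# Verifies files on the unencrypted boot partition against a manifest of
# expected SHA-256 hashes ("<sha256>  <relative path>" per line, the
# format sha256sum emits). The manifest is assumed to come from storage
# the attacker cannot rewrite (e.g. sealed in the HSM), not from bootfs.

# Returns 0 only if every file listed in the manifest exists under
# $boot_dir and its current hash equals the recorded one.
verify_boot_manifest() {
    manifest="$1"
    boot_dir="$2"
    status=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        expected=${line%% *}      # hash is the first field
        rel=${line#* }            # rest of the line is the path
        rel=${rel# }              # drop sha256sum's second separator space
        file="$boot_dir/$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING: $rel" >&2
            status=1
            continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED: $rel" >&2
            status=1
        fi
    done <<EOF
$manifest
EOF
    return $status
}

# Gate the unlock step on the check: prints "unlock" when bootfs is intact
# and "halt" otherwise. The real unlock would then request the LUKS key
# from the HSM; this example stops at the decision.
boot_gate() {
    if verify_boot_manifest "$1" "$2" 2>/dev/null; then
        echo unlock
    else
        echo halt
    fi
}
```

The check only means something if the manifest and the script running it cannot be edited by whoever edits bootfs, so the manifest belongs in the HSM and the initramfs itself must be covered by the manifest or by a hardware-verified boot chain. Without that anchor, the check lives on the same unencrypted partition it is meant to protect.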
Hi. Yes, I’ve implemented rootfs encryption with Zymkey4, and it works fine. I mentioned it in my initial post. The problem is the unencrypted bootfs, which could potentially be altered by some of my curious clients to change the encryption sequence so that the data can be reached, which is unacceptable. So I wonder if there’s some guide or tutorial on how to implement Secure Boot with Zymkey4.
Correct me if I’m wrong, but if your rootfs is encrypted with a Zymbit HSM, then altering rootfs won’t get you around the encryption, because you would still need the key, from the HSM, to access the encrypted partition.