Why you Need Secure Boot On a Raspberry Pi and How to Get Started
Secure boot on a Raspberry Pi is a critical feature that ensures only trusted, signed software can run on your device. By enabling it, you protect the system from unauthorized modification, malware, and tampering of the boot chain, which makes it an essential step for anyone using a Raspberry Pi in sensitive or security-focused applications. Whether you are running a personal project or deploying a professional solution, secure boot improves both the security and the reliability of your Raspberry Pi by allowing only trusted software to boot.
This guide walks you through setting up secure boot on a Raspberry Pi, based on official documentation.
Prerequisites
Before getting started with secure boot on a Raspberry Pi, ensure you have the following:
1. A separate device (e.g., another Raspberry Pi, laptop, or PC) running Linux for file collation and encryption.
2. The Raspberry Pi OS (Bullseye version or later) on the target device.
3. Essential tools installed:
sudo apt install pkg-config build-essential
4. Python cryptographic support:
python3 -m pip install pycryptodomex
5. Clone the usbboot repository:
git clone https://github.com/raspberrypi/usbboot/
6. Build the usbboot application:
cd usbboot
sudo apt install libusb-1.0-0-dev
make
7. Create a recovery SD card using the Raspberry Pi Imager:
The Raspberry Pi Imager can be run either on the Raspberry Pi itself or on a second machine, such as a Windows laptop, a macOS device, or another Linux machine; it is available for all of these platforms. The two options are described below.
Option 1: Running Raspberry Pi Imager on the Raspberry Pi
- If your Raspberry Pi is already set up and running Raspberry Pi OS, you can install and run the Imager directly on the Pi.
- Installation command for Raspberry Pi OS:
sudo apt update
sudo apt install rpi-imager
- Launch it with:
rpi-imager
Note: Most Raspberry Pis have a microSD card slot on the board. That is NOT what we are talking about here; we mean a separate SD card reader.
You can attach a card reader to a Raspberry Pi 5 via USB. The Raspberry Pi 5, like its predecessors, supports external USB devices, including card readers. Here is how to use one:
Steps to Attach and Use a USB Card Reader with a Raspberry Pi 5
- Connect the Card Reader:
  - Plug the USB card reader into one of the USB ports on the Raspberry Pi 5.
  - Insert the SD card into the card reader.
- Check Device Recognition:
  - Open a terminal on the Raspberry Pi and run the following command to check whether the card reader is detected:
lsblk
  - This lists all storage devices connected to the Raspberry Pi. Look for a device that matches the size of your SD card (e.g., /dev/sda).
- Install Raspberry Pi Imager (if not already installed):
  - If you haven’t installed the Raspberry Pi Imager yet, do so with the following commands:
sudo apt update
sudo apt install rpi-imager
- Launch Raspberry Pi Imager:
  - Open the Raspberry Pi Imager application:
rpi-imager
  - Follow the on-screen instructions to select the appropriate image (e.g., the recovery SD card image) and write it to the SD card.
- Safely Eject the SD Card:
  - After the process completes, unmount the SD card to ensure data integrity:
sudo umount /dev/sda1
  - Replace /dev/sda1 with the correct device name for your SD card.
- Remove the Card Reader:
  - Once the SD card is safely ejected, unplug the USB card reader from the Raspberry Pi.
Notes:
- Ensure that your card reader is compatible with the file system format used on your SD card.
- Ensure the SD card will work with the Raspberry Pi.
- The Raspberry Pi 5 has USB 3.0 ports, which can speed up data transfers if your card reader supports USB 3.0.
This setup is ideal if you’re working directly on the Raspberry Pi and need to create or modify SD card images without using a separate machine.
Option 2: Running Raspberry Pi Imager on a Second Machine
- If you’re using a laptop or desktop running Windows, macOS, or Linux, download the Raspberry Pi Imager from the official website.
- Steps:
- Download and install the Imager for your operating system.
- Launch the application.
- Create the recovery SD card by following the instructions.
Recommendation
For most users, running Raspberry Pi Imager on a second machine (like a Windows laptop) is more convenient because:
- The Raspberry Pi might not yet be fully set up or configured during this process.
- It’s easier to create the recovery SD card before making any risky changes to the Raspberry Pi’s configuration.
Once you’ve installed it, do the following:
- Open Raspberry Pi Imager
- Select Misc Utility Images → Bootloader → SD Card Boot.
- Write the image to an SD card.
- Keep this card ready in case you need to recover your device.
Steps to Create Secure Boot On A Raspberry Pi
Step 1: Create an RSA Key Pair
To sign the EEPROM and boot image, generate a 2048-bit RSA key:
openssl genrsa 2048 > private.pem
openssl rsa -in private.pem -out public.pem -pubout -outform PEM
Warning: Keep these keys secure. Losing or compromising them can make your device unrecoverable or vulnerable.
Step 2: Create a Signed Boot Image
Follow the example provided in the usbboot repository to create a signed boot image. Once generated, copy it to the boot partition of your Raspberry Pi.
Step 3: Update the EEPROM
Use the secure-boot-recovery folder in the usbboot repository:
- Configure the bootloader by setting SIGNED_BOOT=1 in the boot.conf file.
- Apply the configuration:
cd secure-boot-recovery
../tools/update-pieeprom.sh -k ../private.pem
- Transfer the signed bootloader:
../rpiboot -d .
Step 4: Enable Secure Boot Mode
Once you verify that the signed bootloader works:
- Edit usbboot/secure-boot-recovery/config.txt and add:
program_pubkey=1
revoke_devkey=1
- Run the update:
../rpiboot -d .
This locks the device to accept only boot images signed with your private key. Ensure your key is backed up securely, as this process is irreversible.
Step 5: Sign the USB Boot Image for Mass Storage Mode
If you need to use the USB Mass Storage mode:
- Sign the boot image:
cd secure-boot-msd
../tools/rpi-eeprom-digest -i boot.img -o boot.sig -k ../private.pem
- Use rpiboot to run:
../rpiboot -d .
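As an added example (not code from this page or from the usbboot project), here is a small pre-flight check written against the settings named in Steps 3 and 4: it parses boot.conf and config.txt as key=value files, only reports the device as ready for the irreversible Step 4 when SIGNED_BOOT=1 is in place and both lock settings are present together, and reminds you to back up private.pem. The key names are the ones used in the steps above; the comment and [section] handling is an assumption about the file format, and the sample files are constructed.

```python
def parse_config(text: str) -> dict:
    """Parse key=value lines as found in boot.conf and config.txt.
    Assumption: '#' starts a comment, [section] headers and blank lines are
    ignored, and a later duplicate key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def secure_boot_findings(boot_conf: str, config_txt: str) -> list:
    """Check the Step 3 / Step 4 settings before running rpiboot.
    Returns (severity, message) pairs; an empty list means nothing to report."""
    bc, ct = parse_config(boot_conf), parse_config(config_txt)
    findings = []
    signed = bc.get("SIGNED_BOOT") == "1"
    if not signed:
        findings.append(("error", "boot.conf: SIGNED_BOOT=1 is not set (Step 3)"))
    pub, rev = ct.get("program_pubkey") == "1", ct.get("revoke_devkey") == "1"
    if pub != rev:
        findings.append(("error", "config.txt: Step 4 sets both program_pubkey=1 and revoke_devkey=1"))
    if pub and not signed:
        findings.append(("error", "config.txt: do not program the public key until the signed bootloader works"))
    if rev:
        findings.append(("irreversible", "config.txt: revoke_devkey=1 cannot be undone; back up private.pem first"))
    return findings

def ready_to_lock(boot_conf: str, config_txt: str) -> bool:
    """True only when the sole finding is the expected 'irreversible' notice."""
    findings = secure_boot_findings(boot_conf, config_txt)
    return bool(findings) and all(sev == "irreversible" for sev, _ in findings)

# Constructed sample files for demonstration (not taken from the usbboot repository).
BOOT_CONF_OK = "[all]\nBOOT_UART=0\nSIGNED_BOOT=1  # Step 3\n"
BOOT_CONF_MISSING = "[all]\nBOOT_UART=0\n"
CONFIG_TXT_STEP4 = "program_pubkey=1\nrevoke_devkey=1\n"
CONFIG_TXT_HALF = "program_pubkey=1\n"

if __name__ == "__main__":
    for name, bc, ct in [("step4", BOOT_CONF_OK, CONFIG_TXT_STEP4),
                         ("no SIGNED_BOOT", BOOT_CONF_MISSING, CONFIG_TXT_STEP4),
                         ("half", BOOT_CONF_OK, CONFIG_TXT_HALF)]:
        print(name, ready_to_lock(bc, ct), secure_boot_findings(bc, ct))
```

Run it against the real boot.conf and config.txt in usbboot/secure-boot-recovery before the Step 4 rpiboot command; anything other than the single irreversible notice means stop and fix the configuration first.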
Troubleshooting and Recovery
If the system fails to boot:
- Use the Raspberry Pi Imager to create a recovery SD card.
- Insert the SD card and reboot to restore factory default settings.
Final Notes
Secure boot on a Raspberry Pi ensures that only trusted software can run on your device. However, it is critical to secure your RSA keys and follow each step carefully, since the final step cannot be undone. For detailed instructions, check the official documentation.

I am a retired software engineer with experience in a multitude of areas including managing AWS and VMWare development environments. I bought a relative a mini-PC a year ago and have become passionate about the technology and its potential to change how we deploy software.