Secure boot in OpenWrt

Hi,
I want to implement secure boot in openwrt. if any one worked on secure boot in openwrt please help me on this . And also is there any way to prevent access to the partitions from Uboot source in openwrt.

@rafiq Have you made any progress?

I read abit into it though havent tried experimenting yet. I think a good starting point might be a NanoPi R1. It became supported recently
https://github.com/jayanta525/openwrt/commit/a39697fe845c58c929afc0af8f2f1732b6d02765
It has the problem of the second slot only being 100mbps, however, a similar device, the NanoPi R1S-H3 has its second Ethernet port as USB2Ethernet with ~320Mbps. However, with only half the Ram at 512mb of the R1
https://www.friendlyarm.com/index.php?route=product/product&product_id=274

The reason for the board being that H3 has the possibility for hash checks and writable fuses. Armbian might have got it running


Ofcourse this is only a hash, so you need to go up the chain for a ECDSA sign.

Misc:

  • https://linux-sunxi.org/BROM
  • Instead of the Nano R1 you might also take a look at the ZeroPi(same manufacturer) + USB 2 Ethernet for LAN Port 2
    ZeroPi with FriendlyWrt and USB Ralink 5370 Especially if you play with the Fuses. The 10 Dollar is pretty much unbeatable. Not yet supported in OpenWRT though. But you should be able to test the first stages.

Please report back or drop me a PM if you are making progress. Good Luck!

Hi @rafiq I was thinking along the same lines regarding the possibility of a secure boot and FDE on ARM. As @DopW mentioned for x86, it's quite possible to get the ingredients but I do not want to use x86 for my home router. Looking around google wifi mesh hardware 2016 - I found out that is supported by the snapshots and it has Infineon SLB9615XQ TPM ( v1.2 specs ), it is an interesting start.
With ARM vendors secure boot does not always require discrete TPM as some vendors have their own implementation. But then we get to the bootloader support, signing keys ( are we able to upload our own keys/hashes? ) and thereafter is the rest. I'm not aware of an embedded platform that has a fully open-source bootloader and TPM/TBSA arm-secure-boot doc

There is an interesting development on RPi4 bootloader secure boot+ LetsTrust-TPM module. N.B. TPM is not required if you do not need full disk encryption. I have not tested if SB works as I'm waiting for RPi4 stock availability as only have one that is hosting some home automation.

Cheers,