By the end of this guide you will have your Raspberry Pi 4 integrated with Thistle Verified Boot. This integration relies on an Infineon OPTIGA™ Trust M as the root of trust.

Hardware Integration

Connect your Infineon OPTIGA™ Trust M to the Raspberry Pi 4 using the I²C pins:

  1. Connect RST to GPIO 17 (Pin 11)
  2. Connect SDA to GPIO 2 (Pin 3)
  3. Connect SCL to GPIO 3 (Pin 5)
  4. Connect VCC to 3.3V (Pin 1)
  5. Connect GND to Ground (Pin 9)

Software Image

We recommend using our provided image as it integrates the user-land tooling for the Infineon OPTIGA Trust M, though it is not necessary for final integration.

# fetch and decompress image
$ curl -O https://storage.googleapis.com/thistle-assets/verified-boot-demo/base-raspberrypi4-64-thistle.wic.zst
$ zstd -d base-raspberrypi4-64-thistle.wic.zst
$ sha256sum base-raspberrypi4-64-thistle.wic
2330fb778e4431dde153197e020766bd1efbb11f449dc82681c123ab888064f1  base-raspberrypi4-64-thistle.wic

# write on card. Make sure to use the correct device name for your sd card.
$ sudo dd status=progress if=base-raspberrypi4-64-thistle.wic of=/dev/mmcblk0

Raspberry Pi i2c_gpio Module & Customisation

Before booting up the image, we need to make sure the i2c_gpio module is loaded.

# mount boot partition and reach the boot directory
$ cd /mnt/boot

# amend config as follow
$ cat config.txt
[.. at the end of the file ..]

# Enable I2C
#dtparam=i2c1=on
#dtparam=i2c_arm=on
dtoverlay=i2c-gpio,i2c_gpio_sda=2,i2c_gpio_scl=3

# Enable UART
enable_uart=1

# Enable VC4 Graphics
dtoverlay=vc4-kms-v3d

It is now time to install the customised version of U-Boot on the SD card. Alongside this U-boot binary, a custom script and environment file are required, but we are not going to use these just yet.

Trust M Public Key

Refer to the Overview guide to learn how to write the Trust M public key. Note that on the provided image, an additional step is required to connect to the Trust M - we need to symlink the i2c device.

The username for this image is a and the password is also a.
# change default i2c device
raspberrypi4-64-thistle:~$ sudo ln -s /dev/i2c-22 /dev/i2c-1

Verified Boot Integration

Now that we have the environment in place, we are ready to sign the kernel image, and test a boot sequence. You now need to sign the kernel image using the image signing tool provided on your Thistle Project, and the kernel image located on the boot partition of the SD card (kernel8.img)

This file needs to be stored on the boot partition of the Raspberry Pi 4, under the name kernel-sig.

# mount boot partition and reach the boot directory
$ cd /mnt/boot

# fetch TVB enabled u-boot binary and updated uboot environment
$ curl -O https://storage.googleapis.com/thistle-assets/verified-boot-demo/boot.scr
$ curl -O https://storage.googleapis.com/thistle-assets/verified-boot-demo/uboot.env

# copy the signature
$ mv ~/Downloads/kernel-sig .

It is now time to enable verified boot by setting the verified environment variable in U-Boot.

Assets Installation

# copy enable verified boot script & environment
$ cd /mnt/boot
$ sudo cp boot.scr boot.scr.orig
$ sudo cp boot.scr.verified boot.scr
$ sudo cp uboot.env uboot.env.orig
$ sudo cp uboot.env.verified uboot.env

# the script expects a kernel at /boot/kernel
$ sudo mv Image kernel
$ sync
$ sudo halt

First Boot

You can now reboot your device. Connect a serial adapter to see the boot sequence.