Raspberry Pi CM5 IoT In C - Setting Up the CM5
Written by Harry Fairhead
Monday, 14 April 2025
Page 4 of 4
Booting From NVMe

As an example of how to modify where the CM5 boots from, let’s use the NVMe drive installed as a data drive earlier. The first problem we have to solve is getting the OS onto the new boot device. The best way of doing this is to use the Raspberry Pi Imager. You can do this by connecting the NVMe drive to a host machine via an adapter or you can run the Imager on the CM5 itself. You can install the Imager using:

    sudo apt install rpi-imager

After you have installed the Imager you can use it to install the OS of your choice onto the NVMe drive.

Note: if you have set up the NVMe drive to be a data storage device and added it to fstab then you need to remove it before proceeding, as the Imager will repartition the drive.

After the Imager has finished you can use:

    sudo blkid

to see the details of all of the block devices. You can see that the NVMe drive has now been divided into two partitions, where p1 is the boot partition and p2 is the working partition.

To boot from the new device you have to configure the bootloader. Use:

    sudo -E rpi-eeprom-config --edit

and change the line with BOOT_ORDER on it to read:

    BOOT_ORDER=0xf16

which sets it to boot first from NVMe and, if that doesn’t work, to try to boot from eMMC and keep trying in that order. With this change you should discover that the system reboots using the NVMe drive and it takes longer.

If you want to use the eMMC drive as a data store then you will need to mount it and this is done in the same way as for mounting the NVMe drive.

Security

Security is more difficult to enforce for an IoT device than for a server. The difference is that you cannot rule out the situation that the attacker has physical possession of the device. You can keep a server physically secure by locking it in a server room, but in general IoT devices are out in the real world. One simple way of ensuring security is to lock the boot EEPROM so that it cannot be written to.
This is just a matter of setting an input line high, which you can do on the CM5IO board with a jumper on J2 and more securely with a hard connection on a custom board. Of course, it doesn’t take much skill to remove the connection.

A more secure system is to use secure boot. If you select this option the operating system installed has to be signed with a private key. The bootloader has a copy of the public key which it uses to validate that the OS has been signed by you. The public key is written into One Time Programmable (OTP) memory, which means it cannot be changed and the device is forever locked to only running code signed by the private key. Exactly how all of this is achieved is fairly involved and beyond the scope of this book but if you want to know more see:

https://github.com/raspberrypi/usbboot/blob/master/

and

https://github.com/raspberrypi/rpi-sb-provisioner

Summary
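Returning to the BOOT_ORDER value set in the Booting From NVMe section, the following is an added example, not code from the book or from Raspberry Pi, that decodes the setting so you can check what a device will actually try to boot from. The bootloader reads the hex digits from the least significant end, so 0xf16 means NVMe, then eMMC, then restart; the mode names follow the Raspberry Pi bootloader documentation, while the function name decode_boot_order and the sample configuration text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Boot-mode digits per the Raspberry Pi bootloader docs (0x1 is eMMC on a CM5). */
static const char *const MODE[16] = {
    [0x0] = "SD-CARD-DETECT", [0x1] = "SD/eMMC", [0x2] = "NETWORK",
    [0x3] = "RPIBOOT", [0x4] = "USB-MSD", [0x5] = "BCM-USB-MSD",
    [0x6] = "NVME", [0x7] = "HTTP", [0xe] = "STOP", [0xf] = "RESTART",
};

/* Find a line starting with BOOT_ORDER= in the config text and write the
   sequence to out, e.g. "NVME -> SD/eMMC -> RESTART". Digits are read from
   the least significant end. Returns the number of modes, or -1 on error. */
int decode_boot_order(const char *conf, char *out, size_t outlen) {
    static const char key[] = "BOOT_ORDER=";
    const size_t klen = sizeof key - 1;
    const char *p = conf;
    while ((p = strstr(p, key)) != NULL && p != conf && p[-1] != '\n')
        p += klen;                       /* skip matches not at line start */
    if (p == NULL || outlen == 0) return -1;
    char *end;
    unsigned long v = strtoul(p + klen, &end, 16);
    if (end == p + klen) return -1;      /* no hex digits after the key */
    int count = 0;
    unsigned n;
    out[0] = '\0';
    do {
        n = (unsigned)(v & 0xf);
        size_t used = strlen(out);
        int w = snprintf(out + used, outlen - used, "%s%s",
                         count ? " -> " : "", MODE[n] ? MODE[n] : "RESERVED");
        if (w < 0 || (size_t)w >= outlen - used) return -1;  /* buffer too small */
        count++;
        v >>= 4;
    } while (v != 0 && n != 0xf && n != 0xe);  /* RESTART or STOP ends the list */
    return count;
}

int main(void) {
    /* Constructed sample of bootloader config text, not captured from a device. */
    const char *conf = "[all]\nBOOT_UART=1\n# BOOT_ORDER=0xf41\nBOOT_ORDER=0xf16\n";
    char seq[128];
    if (decode_boot_order(conf, seq, sizeof seq) > 0)
        printf("%s\n", seq);
    return 0;
}
```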
Last Updated ( Monday, 14 April 2025 )