Booting From NVMe

As an example of how to modify where the CM5 boots from, let’s use the NVMe drive installed as a data drive earlier. The first problem we have to solve is getting the OS onto the new boot device. The best way of doing this is to use the Raspberry Pi Imager. You can do this by connecting the NVMe drive to a host machine via an adapter or you can run the Imager on the CM5 itself. You can install the Imager using:

sudo apt install rpi-imager

After you have installed the Imager you can use it to install the OS of your choice onto the NVMe drive. Note: if you have setup the NVMe drive to be a data storage device and added it to fstab then you need to remove it before proceeding as the Imager will repartition the drive.

After the Imager has finished you can use:

sudo blkid 

to see the details of all of the block devices.

You can see that now the NVMe drive has been divided into two partitions, where p1 is the boot partition and p2 is the working partition.

To boot from the new device you have to configure the bootloader. Use:

sudo -E rpi-eeprom-config --edit

and change the line with BOOT_ORDER on it to read:

BOOT_ORDER=0xf16

which sets it to boot first from NVMe and if that doesn’t work try to boot from eMMC and keep trying in that order.

With this change you should discover that the system reboots using the NVMe drive and it takes longer. If you want to use the eMMC drive as a data store then you will need to mount it and this is done in the same way as for mounting the NVMe drive.

Security

Security is more difficult to enforce for an IoT device than for a server. The difference is that you cannot rule out the situation that the attacker has physical possession of the device. You can keep a server physically secure by locking it in a server room, but in general IoT devices are out in the real world.

One simple way of ensuring security is to lock the boot EPROM so that it cannot be written to. This is just a matter of setting an input line high, which you can do on the CM5IO board with a jumper on J2 and more securely with a hard connection on a custom board. Of course, it doesn’t take much skill to remove the connection.

A more secure system is to use secure boot. If you select this option the operating system installed has to be signed with a private key. The bootloader has a copy of the public key which it uses to validate that the OS has been signed by you. The public key is written into One Time Programmable (OTP) memory, which means it cannot be changed and the device is forever locked to only running code signed by the private key.

Exactly how all of this is achieved is fairly involved and beyond the scope of this book but if you want to know more see:

https://github.com/raspberrypi/usbboot/blob/master/
secure-boot-example/README.md

and

https://github.com/raspberrypi/rpi-sb-provisioner

Summary

• The CM5 generally has to be used with the CM5IO board to get started on developing software.

• There are a range of jumpers and connectors on the CM5IO board that allow you to configure some aspects of the CM5.

• Installing an operating system on a CM5 that has eMMC Flash is different from how it works with other models of the Pi.

• You can also install NVMe using the M2M slot on the CM5IO card and this can be used for data storage or for booting the system.

• The boot loader in the CM5 is stored in a separate EPROM and there are commands to examine and configure it.

• You can stop the boot loader being updated using a jumper on the CM5IO.

• Creating a secure IoT system is difficult because you have to assume that the attacker has access to the physical hardware.

Raspberry Pi Compute Module 5
IoT In C
Using Linux Drivers and Gpio5

By Harry Fairhead

Buy from Amazon.

Contents

1. The CM5 For The IoT
2. Setting Up the CM5 ***NEW!!
3. C and Visual Studio Code
4. Drivers: A First Program
5. The GPIO Character Drive
6. GPIO Using I/O Control
7. GPIO Events
8. GPIO Hardware With Gpio5 
9. Some Electronics
10. The Device Tree
11. Pulse Width Modulation
12. SPI Devices
13. I2C Driver and Gpio5
14. Sensor Drivers – Linux IIO & hwmon
15. 1-Wire Bus
16. The PIO
17. Going Further With Drivers
18. Almost Real-Time Linux
19. Appendix I Gpio5

 <ASIN:1871962951>

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info