Raspberry CM5 & SecureBoot

[julienvannier]

I am currently evaluating Kairos on a Raspberry CM5 (connected to a 'Raspberry Pi Compute Module 5 IO board').
I managed to start the CM5 with a few adjustments to the COS_GRUB partition.

U-Boot seems to have a problem with the UART (maybe related to agherzan/meta-raspberrypi#1459 (comment)).
It gets stuck on a black screen with the U-Boot logo.
Adding the following lines in U-Boot config to deactivate the UART allowed Kairos to start:

[pi5]
enable_uart=0

Then another problem appeared: USB and Ethernet were not detected.
This was solved by replacing the following dtb files with those from an Ubuntu Server installation on RPi5:
- bcm2712-rpi-cm5-cm5io.dtb
- bcm2712-rpi-5-b.dtb

Finally, with these modifications, I was able to run Kairos (based on Ubuntu 24.04) without any issues on my CM5.

However, I am a bit bothered by the installation mechanism on Raspberry Pi.
The lack of an 'install' step forces me to manually modify the '01_reset.yaml' script (generated by AuroraBoot in COS_OEM partition) to add my personalization stuff.
It works, but it's not very practical.

Now I'm looking to secure the boot process of my CM5.
Ideally, I would like to use the SecureBoot mechanism proposed by https://github.com/raspberrypi/usbboot/blob/master/docs/secure-boot-chain-of-trust-2712.pdf.
It requires a bootfs partition containing a signed boot image, and then decrypt the rootfs main partition.
The tool https://github.com/raspberrypi/rpi-sb-provisioner works, but I don't see how to combine this mechanism with Kairos.
Is it worth persisting in trying to make it work or is it hopeless?
And if there is a chance it can be done, I wouldn't mind some guidance.

Thanks

[jimmykarily]

Regarding the support for rpi5, it is discussed here: #2010