2026-05-29, Promenade 1
This talk presents meta-raspberrypi-secure, an open-source Yocto layer that turns a Raspberry Pi 4/5 into a production-grade security-hardened platform.
We walk through a defense-in-depth architecture built entirely with OpenEmbedded tooling, covering secure boot with signed boot images, LUKS2 full-disk encryption with hardware-bound key derivation, IMA/EVM file integrity enforcement, dm-verity, kernel module signing, A/B atomic updates and kernel hardening options, all with a single kas build command.
We will cover:
- Secure boot: signing boot images with RSA-2048 and provisioning the RPi EEPROM
- Full-disk encryption: LUKS2 with hardware-bound key derivation (OTP HMAC + storage CID), including in-place first-boot encryption
- System integrity using dm-verity and IMA/EVM
- OS hardening: kernel lockdown, firewall, USBGuard, audit rules, hardened mounts, and SSH certificate authority support
- Dev vs. prod security profiles: managing security posture from a single layer configuration
The talk includes a live demo on a Raspberry Pi 5 and closes with guidance on adapting the layer for your own Raspberry Pi-based products.
Target audience: Yocto/OE developers and BSP engineers interested in practical embedded Linux security.
Embedded System Engineer with 20 years of experience across various industries, I'm helping customers design and develop secure and reliable embedded systems. Committed to delivering innovative and robust solutions that meet the highest standards of safety, security and performance.
Website: https://embetrix.com
LinkedIn: https://www.linkedin.com/in/ayoub-zaki-embetrix