A technical deep dive into the secure boot of ARCA Trusted OS for Raspberry Pi 4B

ARCA Trusted OS is an Operating System (OS) that can run on Raspberry Pi 4B. This hardened OS includes a secure boot that authenticates the system and verifies its integrity at each boot. CYSEC engineers produced a video explaining how this secure boot works and which attacks it protects the system against.

ARCA Trusted OS for Raspberry Pi 4B is a hardened Linux-based micro-distribution for running containerized applications. One of the security features integrated into ARCA Trusted OS is a complete secure boot chain that authenticates the system and checks its integrity at each boot.

Secure boot is a security standard that ensures a device boots only software that is trusted. When the device starts, it checks the signature of each piece of software that makes up the successive boot stages: firmware, bootloader, Linux kernel and so on. If all signatures are valid, the device boots and hands control to the Linux operating system. Otherwise, ARCA Trusted OS crashes. This is how CYSEC ensures that the device will not boot malicious software in place of the original.

In addition to secure boot, ARCA Trusted OS for Raspberry Pi 4B also includes by-default full disk encryption protecting the user data, an encryption key kept in hardware-based secure storage, and an A/B scheme. These four security mechanisms are linked so that the user data cannot be compromised by altering the OS. If the OS is nonetheless altered, the system has mechanisms to try to recover autonomously.
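To make the chain-of-trust idea above concrete, here is a small Python model added for this article (it is not code from ARCA Trusted OS or CYSEC). Each stage image carries the digest of the stage it hands control to, the firmware is signed against a root key standing in for the hardware root of trust, and a tampered stage halts that slot; HMAC-SHA256 stands in for the real public-key signature, and falling back from slot A to slot B is an assumption about how an A/B scheme might support the recovery mentioned above.

```python
import hashlib
import hmac

# Boot stages in the order they hand control to one another.
STAGES = ("firmware", "bootloader", "kernel")

# Constructed sample key standing in for the hardware root of trust (not a real key).
ROOT_KEY = b"constructed-root-of-trust-key"
# Constructed sample payloads for each stage.
PAYLOADS = {"firmware": b"firmware v1", "bootloader": b"bootloader v1", "kernel": b"kernel v1"}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_slot(root_key: bytes, payloads: dict) -> dict:
    """Build one boot slot: image = payload || sha256(next image), built last stage first,
    so every stage embeds the expected digest of the one it will hand control to.
    Only the first stage (firmware) is signed with the root key; HMAC is the stand-in."""
    images, next_digest = {}, b""
    for stage in reversed(STAGES):
        images[stage] = payloads[stage] + next_digest
        next_digest = sha256(images[stage])
    sig = hmac.new(root_key, images["firmware"], hashlib.sha256).digest()
    return {"images": images, "firmware_sig": sig}


def verify_chain(root_key: bytes, slot: dict):
    """Walk the chain like a boot ROM would. Return None if every stage verifies,
    otherwise the name of the first stage that fails (the chain stops there)."""
    images = slot["images"]
    expected = hmac.new(root_key, images["firmware"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["firmware_sig"]):
        return "firmware"
    for current, following in zip(STAGES, STAGES[1:]):
        carried = images[current][-32:]          # digest embedded by the previous stage
        if not hmac.compare_digest(carried, sha256(images[following])):
            return following
    return None


def boot(root_key: bytes, slots: dict):
    """Try slots in order (A, then B). Return ('booted', slot) or ('halt', failures)."""
    failures = {}
    for name, slot in slots.items():
        bad_stage = verify_chain(root_key, slot)
        if bad_stage is None:
            return ("booted", name)
        failures[name] = bad_stage
    return ("halt", failures)


def demo():
    """Slot A has a modified kernel, slot B is intact: boot should fall back to B."""
    slots = {"A": build_slot(ROOT_KEY, PAYLOADS), "B": build_slot(ROOT_KEY, PAYLOADS)}
    slots["A"]["images"]["kernel"] = b"kernel v1 (modified)"
    return boot(ROOT_KEY, slots)
```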

If you want a technical explanation of the secure boot mechanism of ARCA Trusted OS, you can watch this video, made by engineers for engineers.