How to enable secure boot through yocto

Technical Support
, , , ,
1

i am trying to work with secure boot for the first time i’ve made so many researches but i can’t find any clear resources about how to enable it in my yocto image
can you help me with a guide or a documentation to know the exact steps

2

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Did you like my answer?

:+1: :-1:

Hello,

Enabling Secure Boot in your Yocto image for Torizon OS on Toradex hardware involves several important steps. Here’s a guide to help you through the process:

  1. Understand Secure Boot: Secure Boot is a security feature that ensures only trusted software is executed on your device. It does this by verifying the authenticity and integrity of the boot image using a Chain of Trust (CoT).

  2. Set Up Your Yocto Environment: Prepare your host PC for building Torizon OS from source using the Yocto Project/OpenEmbedded. Make sure all necessary tools and dependencies are installed.

  3. Select the Appropriate BitBake Class: In your conf/local.conf file, choose the tdx-signed or torizon-signed class to enable Secure Boot features. The torizon-signed class offers additional protections, such as root filesystem protection.

  4. Configure HAB/AHAB Support: For NXP i.MX System on Modules (SoMs), configure the High Assurance Boot (HAB) or Advanced High Assurance Boot (AHAB) according to the instructions in the meta-toradex-security layer.

  5. Sign the FIT Image: Set up the signing of the kernel FIT image to ensure it is verified during boot. This involves configuring the meta-toradex-security layer.

  6. Build the Secure Boot Image: Use the Yocto build system to compile your Torizon OS image with Secure Boot enabled.

  7. Install the Image: Use the Toradex Easy Installer to flash the image onto your SoM. Note that the Easy Installer does not burn Efuses by default.

  8. Fuse the SoM with Secure Boot Keys: Access the U-Boot CLI via the debug serial to burn the Efuses, effectively “closing” the device and enabling Secure Boot.

  9. Manage Keys Carefully: Ensure that your signing keys are securely stored and managed to prevent unauthorized access or loss.

  10. Troubleshoot Common Issues: Be prepared to address common issues such as missing CST binaries or incorrect key configurations.

By following these steps, you can enable Secure Boot on your Yocto-built Torizon OS image. Remember, managing keys securely and understanding the Secure Boot process are crucial for maintaining system integrity.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Secure boot on imx8m-mini.

3

Greetings @rania,

Could you please clarify what exactly you want to accomplish when you say “secure boot”?

This term is very loaded in the industry and can have different meanings depending on who you ask.

Here at Toardex we have a Yocto meta-layer that enables various security features available on our hardware: GitHub - toradex/meta-toradex-security

This includes NXP high-assurance-boot (HAB) which some call “secure boot”. If you want to learn more or how to use this meta-layer please refer to the README docs found within this git repository.

Best Regards,
Jeremias