How to include custom initramfs into Secure Boot FIT image on i.MX8MP

Hello Toradex Team,
I am working on Secure Boot enablement using FIT images on a Toradex i.MX8MP module and am currently facing issues while integrating a custom initramfs into the FIT image or Yocto final image.
Module: Toradex i.MX8MP
Build system: Yocto
I want to include initramfs as part of the signed FIT image, so that: Kernel, Device Tree and Initramfs are all bundled and authenticated together during secure boot.

I am using a custom initramfs created via a separate Yocto initramfs layer. The initramfs builds successfully and generates a valid initramfs.img. Kernel, device tree, and FIT image generation work correctly when initramfs is not included, and secure boot also works as expected in that case. However, when we attempt to include the initramfs as part of the FIT image, the system fails to boot or the initramfs is not picked up during boot.

I have already tried including the initramfs via Yocto kernel configuration, adding the initramfs as a ramdisk entry in the FIT image, and testing various FIT image configurations combining kernel, device tree, and ramdisk. Despite these attempts, I am still unable to generate a working secure boot FIT image with initramfs included.

Questions:

  1. What is the recommended and supported procedure on Toradex platforms to include a custom initramfs as part of a secure boot FIT image?
  2. Are there any Toradex-specific Yocto variables, classes, or examples that should be used for this?
  3. Are there any known limitations or special requirements for using initramfs with FIT + Secure Boot on i.MX8MP?
  4. Is there a reference FIT image configuration (Yocto setup) that includes kernel + dtb + initramfs for secure boot?

Any guidance, documentation links, or example configurations would be greatly appreciated.

Thanks in advance for your support.

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Secure Boot with FIT Images and Initramfs on Toradex i.MX8MP

I can help you with integrating a custom initramfs into a secure boot FIT image on your Toradex i.MX8MP module. Based on the Toradex documentation, here’s the recommended approach:

Recommended Procedure for Secure Boot with FIT Images

For Toradex platforms, secure boot with FIT images is implemented through specific BitBake classes(1). The process involves:

  1. Setup Yocto Project for Secure Boot

    Add the appropriate class to your conf/local.conf file(1):

    INHERIT += "tdx-signed"
    

    Or for extended coverage including root filesystem protection(1):

    INHERIT += "torizon-signed"
    
  2. Configure FIT Image Signing

    You need to configure the kernel FIT image signing as described in the meta-toradex-security documentation(1). This ensures your kernel, device tree, and initramfs are all signed together.

Key Configuration Requirements

The secure boot implementation on Toradex platforms includes(1):

  • FIT image signature checking: A FIT image with the kernel and its artifacts (device trees, ramdisk, etc.) is signed at build time and its signature is verified at runtime by the bootloader
  • Setup for NXP i.MX SoMs: Your i.MX8MP requires specific setup procedures for NXP platforms

Build Process

Once configured, build your Torizon OS image as explained in the build documentation(1). The system will automatically handle the FIT image generation with your initramfs included and properly signed.

Installation and Deployment

The secure boot image can be flashed using Toradex Easy Installer(1). For NXP devices like your i.MX8MP, the image will run normally after installation in the “open” state, but you’ll need to close the device by burning eFuses for production deployment.

Important Considerations

  • Key Management: It’s critical to manage signing keys carefully, as losing private keys will prevent future updates to closed devices(1)
  • Device State: NXP devices support both open and closed states, with different security implications(1)

For detailed implementation specifics, I recommend reviewing the complete secure boot integration guide and the meta-toradex-security documentation referenced in the Toradex documentation.

Best regards, Toradex AI Assistant.



Greetings @nidhishende,

First of all, are you using meta-toradex-security? Or is this your own custom configuration in Yocto?

Next, generally speaking, the creation of the FIT image in Yocto is not Toradex-specific logic. This is handled by a bbclass provided by standard openembedded-core.

If you look through this bbclass you can see that it decides what initramfs to include in the FIT image via the INITRAMFS_IMAGE variable in Yocto. This variable should be set to the recipe name that is producing your initramfs. For example, if the recipe that produces your initramfs image is my-initramfs.bb, then you should set INITRAMFS_IMAGE = "my-initramfs" somewhere in your build configuration.

Everything else will be handled as defined in the standard bbclass.

Best Regards,
Jeremias
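
A build-side check for the goal stated in this thread (kernel, device tree and initramfs authenticated together), added here as an example and not part of any post above or of Toradex or OpenEmbedded code: it reads a FIT source (.its) and reports configurations that reference no ramdisk or whose signature node's sign-images list omits it. The sample .its text and the function names are constructed for illustration; the property names (ramdisk, signature-*, sign-images) follow U-Boot's FIT signature format.

```python
import re
NODE = re.compile(r"([\w@.,+-]+)\s*\{")

def _block(text, start):
    """Return (body, end) for the brace block whose '{' sits at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i], i + 1
    raise ValueError("unbalanced braces in .its")

def _children(body):
    """Yield (name, body) for each direct child node of a block."""
    pos = 0
    while (m := NODE.search(body, pos)):
        inner, pos = _block(body, m.end() - 1)
        yield m.group(1), inner

def check_fit_configs(its):
    """Map each FIT configuration name to a list of ramdisk/signing problems."""
    m = re.search(r"\bconfigurations\s*\{", its)
    if not m:
        raise ValueError("no configurations node")
    report = {}
    for name, body in _children(_block(its, m.end() - 1)[0]):
        has_rd = bool(re.search(r'(?<![\w-])ramdisk\s*=\s*"', body))
        issues = [] if has_rd else ["no ramdisk referenced"]
        sigs = [b for n, b in _children(body) if n.startswith("signature")]
        if not sigs:
            issues.append("no signature node")
        for sig in sigs:
            listed = re.search(r"sign-images\s*=\s*([^;]+);", sig)
            if not listed:
                issues.append("sign-images missing, coverage depends on mkimage defaults")
            elif has_rd and "ramdisk" not in re.findall(r'"([^"]+)"', listed.group(1)):
                issues.append("ramdisk not in sign-images")
        report[name] = issues
    return report

# Constructed sample .its for this example (not from the thread); names are illustrative.
SAMPLE_ITS = '''/dts-v1/; / { configurations {
    conf-ok { kernel = "kernel-1"; fdt = "fdt-1"; ramdisk = "ramdisk-1";
        signature-1 { sign-images = "kernel", "fdt", "ramdisk"; }; };
    conf-unsigned-rd { kernel = "kernel-1"; fdt = "fdt-1"; ramdisk = "ramdisk-1";
        signature-1 { sign-images = "kernel", "fdt"; }; };
    conf-no-rd { kernel = "kernel-1"; fdt = "fdt-1";
        signature-1 { sign-images = "kernel", "fdt"; }; };
}; };'''
```

Run `check_fit_configs()` on the text of the .its file your build produces; an empty list for the default configuration means the ramdisk is both referenced and listed for signing.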