Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
Hello,
Securing the Torizon OS root filesystem (rootfs) with dm-verity involves several steps and configurations, especially when combined with U-Boot hardening and the use of a signed boot process. Your approach to integrating dm-verity for the Apalis iMX8 module by setting DM_VERITY_IMAGE = "torizon-core-docker" in your Yocto build environment is a step in the right direction for securing the entire rootfs. This setting specifies the image that dm-verity should protect, aiming to ensure its integrity at runtime.
However, the issue you're encountering with boot.scr not being executed due to U-Boot hardening is significant. U-Boot hardening often involves measures that restrict the execution of scripts and commands that are not explicitly allowed or signed, which can interfere with the normal boot process if boot.scr is involved. This script is crucial for setting up the environment and parameters for booting Linux, including dm-verity configurations.
To address the boot script execution issue, you might need to adjust your U-Boot hardening configuration to allow the execution of boot.scr. This could involve adding exceptions or signatures for the script, depending on your hardening strategy. It's essential to ensure that any changes maintain the security posture you're aiming for with hardening.
Regarding controlling CLI access with the device tree, it’s a viable solution for certain scenarios, but it might not directly address the issues you’re facing with dm-verity and U-Boot hardening. Device tree modifications can help control hardware access and features at the kernel level but are less related to the execution policies of U-Boot.
For the DM_VERITY_IMAGE setting, using "torizon-core-docker" is generally correct for applying dm-verity to the entire rootfs in a TorizonCore build. This setting indicates that the dm-verity protection should apply to the image containing the Docker runtime and containers, which is a significant part of the Torizon OS. To ensure this setting is effectively securing the rootfs, you should verify that the build process completes without errors and that the dm-verity verification is active at runtime. This typically involves checking the boot logs for dm-verity messages indicating that integrity checks are being performed.
If you continue to face issues, it may be necessary to review the specific configurations and steps you’ve taken in both the U-Boot hardening and the dm-verity setup. Ensuring compatibility between these security features requires careful configuration and sometimes custom adjustments to
Please, also check if these links can help you solve your problem:
Secure Boot on Torizon OS | Toradex Developer Center.
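The answer above says to confirm at runtime that dm-verity is actually active, but does not show how. The script below is an added example (not part of the Toradex answer, and not Torizon or Toradex code) of the check a practitioner would run: it parses `dmsetup table` output for targets of type `verity`, confirms that the mounted root device is one of those targets, and counts dm-verity corruption reports in the kernel log. The table line format (start, length, `verity`, version, data device, hash device, block sizes, block counts, hash start, algorithm, root digest, salt) is the one documented for the kernel's dm-verity target. All device names, the root digest, the salt and the log lines are constructed sample values for the example; on a real device feed the functions the output of `dmsetup table`, `findmnt -no SOURCE /` and `dmesg`.

```shell
#!/bin/sh
# Added example: runtime check that the rootfs is served by a dm-verity target.
# Not from the Toradex post; the sample inputs below are constructed.

# Hypothetical root digest/salt (hex strings only, not from any real image).
SAMPLE_DIGEST='9c56cc51b374c3ba189210d5b6d4bf57790d351c96c47c02190ecf1e430635ab'
SAMPLE_SALT='0123456789abcdef0123456789abcdef'

# Constructed `dmsetup table` output: one verity target and one unrelated crypt target.
# Fields after the name: start len verity version data_dev hash_dev data_bs hash_bs
#                        num_data_blocks hash_start_block algorithm root_digest salt
SAMPLE_TABLE="rootfs-verity: 0 2097152 verity 1 /dev/mmcblk0p2 /dev/mmcblk0p3 4096 4096 262144 1 sha256 $SAMPLE_DIGEST $SAMPLE_SALT
swap-crypt: 0 1048576 crypt aes-xts-plain64 :64:logon:cryptsetup:swap 0 /dev/mmcblk0p4 0"

# Constructed root device as `findmnt -no SOURCE /` would report it.
SAMPLE_ROOTDEV='/dev/mapper/rootfs-verity'

# Constructed kernel log excerpt with one dm-verity corruption report.
SAMPLE_DMESG='[    2.10] device-mapper: verity: sha256 using implementation "sha256-generic"
[    5.42] device-mapper: verity: 179:2: data block 4096 is corrupted
[    5.43] EXT4-fs (dm-0): mounted filesystem with ordered data mode.'

# Print "name algorithm root_digest" for every dm target of type verity.
# $1: text in `dmsetup table` format.
verity_targets() {
    printf '%s\n' "$1" | awk '$4 == "verity" {
        name = $1; sub(/:$/, "", name)
        print name, $12, $13
    }'
}

# Succeed only if $2 (the root block device) is /dev/mapper/<name> and
# <name> is a verity target listed in $1 (dmsetup table text).
root_is_verity() {
    case "$2" in
        /dev/mapper/*) name=${2#/dev/mapper/} ;;
        *) return 1 ;;
    esac
    verity_targets "$1" | awk -v n="$name" '$1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# Count dm-verity "is corrupted" reports in kernel log text $1.
# A non-zero count on a freshly flashed image means the hash tree and data do not match.
verity_corruptions() {
    printf '%s\n' "$1" | grep -c 'device-mapper: verity: .*is corrupted' || true
}

# Demo run on the constructed samples.
echo "dm-verity targets (name algorithm root_digest):"
verity_targets "$SAMPLE_TABLE"
if root_is_verity "$SAMPLE_TABLE" "$SAMPLE_ROOTDEV"; then
    echo "root $SAMPLE_ROOTDEV is a dm-verity device"
else
    echo "root $SAMPLE_ROOTDEV is NOT a dm-verity device"
fi
echo "corruption reports in kernel log: $(verity_corruptions "$SAMPLE_DMESG")"
```

On a real board replace the three samples with `"$(dmsetup table)"`, `"$(findmnt -no SOURCE /)"` and `"$(dmesg)"`; if the root device is a plain partition rather than a `/dev/mapper` name, dm-verity is not protecting the rootfs regardless of what the build configuration says.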