Hi, I’m the Toradex AI Assistant.
I might make mistakes or occasionally get you wrong. Our support team will step in if needed.
I’d be glad to help with your Secure Boot questions for Verdin iMX8MP! To provide you with the most accurate guidance, could you let me know which OS and version you are using? For example, are you working with Torizon OS, BSP 7.x.y, or another specific version?
You can use the tdx-info command to get detailed information about your setup. More details are available at: tdx-info documentation
General Secure Boot Overview
Based on the available documentation, Toradex implements Secure Boot as a process of booting an image from a valid trusted source with authenticity and integrity checks (1). The implementation uses a Chain of Trust (CoT) where each bootable artifact validates the next one in sequence (1).
Toradex defines different coverage levels (1):
- Minimal Chain of Trust (MCoT): Only the signed bootloader is validated by ROM code
- Basic Chain of Trust (BCoT): Chain extends to kernel artifacts with U-Boot hardening
- Extended Chain of Trust (ECoT): Encompasses most of the root filesystem
- Full Chain of Trust (FCoT): Includes container image validation
Key Points About Device Closing
The process of burning the Efuse that enables Secure Boot is referred to as “closing the device” (1). The documentation indicates that to ensure the first stage of installable software is signed, the corresponding public key must be stored on the device in a way that cannot be changed, typically through one-time Efuse operations (1).
Development Considerations
From the community discussions, there are known issues with fuse comparison failures during development that can be addressed through proper U-Boot hardening and boot script adjustments (2). The hardening modifications are designed to prevent tampering, prevent execution of unsigned software, and prevent injection of kernel arguments (1).
Once you provide your specific OS version and setup details, I can offer more targeted guidance for your development workflow, validation procedures, and production deployment strategy.
Best regards, Toradex AI Assistant.