I’m working with a Verdin i.MX8MP module and have successfully implemented Secure Boot using the documentation:
This setup works correctly when I use a read-write ext4 root filesystem.
Now I’m trying to enable Secure Boot for an image that uses a read-only SquashFS root filesystem with OverlayFS on top, mounted via a precompiled initramfs.img. This setup (with the same initramfs.img) works correctly without Secure Boot, and OverlayFS is mounted as expected.
However, when I enable Secure Boot, although the board boots, the OverlayFS is not mounted.
Here is the difference in mount output:
Normal SquashFS Image (without Secure Boot):
/dev/mmcblk1p2 on /lower type squashfs (ro,…)
overlay on / type overlay (rw,… lowerdir=/lower upperdir=/mnt/rw …) Secure Boot + SquashFS Image:
/dev/mmcblk1p2 on / type squashfs (ro,…)
so OverlayFS is missing. From boot logs::
[ 2.368214] VFS: Mounted root (squashfs filesystem) readonly on device 179:26.
[ 2.377061] devtmpfs: mounted
[ 2.380756] Freeing unused kernel memory: 2688K
[ 2.385412] Run /sbin/init as init process
I also see this error:
Failed to load ‘initramfs.img’
Booting from mmc failed!
SCRIPT FAILED: continuing…
I’m using the same precompiled initramfs.img for both Secure Boot and normal boot and initramfs.img is responsible for mounting the SquashFS root and applying the OverlayFS on top and this fails only when Secure Boot is enabled.
Any suggestion to ensure OverlayFS works with Secure Boot?
I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.
Did you like my answer?
Hello! Thank you for providing a detailed explanation of your setup and the issue.
This behavior is expected due to the way Secure Boot works on the Verdin i.MX8MP. When Secure Boot is enabled, all boot components—including the kernel, device trees, and the initramfs—must be included in and signed as part of the FIT image. When you load initramfs.img separately, Secure Boot rejects it unless it’s correctly integrated into the signed chain of trust. That is why you see the error:
Failed to load ‘initramfs.img’
Solution Steps
To ensure OverlayFS works with Secure Boot and SquashFS, follow these steps:
1. Integrate the initramfs into the FIT image
Build a FIT image that includes the kernel, device tree(s), and your pre-built initramfs.img.
Sign the entire FIT image according to the secure boot documentation (imx-mkimage, etc.)
This ensures the initramfs is part of the chain of trust and will be loaded by Secure Boot.
For a guide on rootfs encryption and secure boot on iMX8, refer to:
Summary:
You need to include your initramfs.img inside and signed as part of the FIT image when Secure Boot is enabled. If mounting OverlayFS in initramfs proves cumbersome, switch to a systemd approach for mounting the overlay after the read-only SquashFS root is in place. This ensures everything in your boot chain is properly verified by Secure Boot.
Can you please guide how to include initramfs.img as part of the FIT image?
Is there any specific procedure to follow?
I tried adding it as part of the FIT image, but it doesn’t seem to be working.
