Hi, I’m the Toradex AI Assistant.
I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.
Hello! Thank you for providing a detailed explanation of your setup and the issue.
This behavior is expected due to the way Secure Boot works on the Verdin i.MX8MP. When Secure Boot is enabled, all boot components—including the kernel, device trees, and the initramfs—must be included in and signed as part of the FIT image. When you load initramfs.img separately, Secure Boot rejects it unless it’s correctly integrated into the signed chain of trust. That is why you see the error:
Failed to load ‘initramfs.img’
Solution Steps
To ensure OverlayFS works with Secure Boot and SquashFS, follow these steps:
1. Integrate the initramfs into the FIT image
- Build a FIT image that includes the kernel, device tree(s), and your pre-built initramfs.img.
- Sign the entire FIT image according to the secure boot documentation (imx-mkimage, etc.)
- This ensures the initramfs is part of the chain of trust and will be loaded by Secure Boot.
For a guide on rootfs encryption and secure boot on iMX8, refer to:
2. Consider moving OverlayFS handling to systemd
- Instead of mounting OverlayFS in the initramfs, move this responsibility to a custom systemd service that runs once the SquashFS root is mounted.
- This approach is more in line with typical Toradex implementations and compatible with Secure Boot flows.
- See an example design here:
Using SquashFS and OverlayFS to Improve Embedded Linux Filesystem Reliability (Chinese, diagrams)
3. Double-check your partition layout and image.json
- Ensure your image creation (for example, with Toradex Easy Installer) has the expected three partitions:
  - Boot (FAT32)
  - RootFS (SquashFS)
  - UserData (EXT4) for the overlay upper
- Reference: Community partition layout discussion
Summary:
You need to include your initramfs.img inside and signed as part of the FIT image when Secure Boot is enabled. If mounting OverlayFS in initramfs proves cumbersome, switch to a systemd approach for mounting the overlay after the read-only SquashFS root is in place. This ensures everything in your boot chain is properly verified by Secure Boot.
Best regards,
Toradex AI Assistant.
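
What step 1 of the answer above amounts to in a generic U-Boot FIT source (.its) file, as an added example that is not part of the original post and not Toradex's own configuration: the initramfs becomes a ramdisk image node, and the signed configuration lists it next to the kernel and device tree. The file names other than initramfs.img, the load/entry addresses, the node names and the key name are placeholders.

```dts
/dts-v1/;

/ {
    description = "Kernel, device tree and initramfs in one signed configuration";
    #address-cells = <1>;

    images {
        kernel-1 {
            data = /incbin/("Image");            /* placeholder file name */
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x48200000>;                 /* placeholder address */
            entry = <0x48200000>;                /* placeholder address */
            hash-1 { algo = "sha256"; };
        };
        fdt-1 {
            data = /incbin/("board.dtb");        /* placeholder file name */
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
        ramdisk-1 {
            /* the pre-built initramfs, no longer loaded as a separate file */
            data = /incbin/("initramfs.img");
            type = "ramdisk";
            arch = "arm64";
            os = "linux";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };

    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            ramdisk = "ramdisk-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";           /* placeholder key name */
                sign-images = "kernel", "fdt", "ramdisk";
            };
        };
    };
};
```

Because the signature node covers the configuration and names all three images in sign-images, swapping or dropping the ramdisk invalidates the signature. A source like this is compiled and signed with U-Boot's mkimage, for example `mkimage -f <file.its> -k <key-dir> -K <u-boot.dtb> -r <output>`.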