rootfs sign using meta-integrity for colibri imx7d

We are using the Colibri iMX7D SoM. We have compiled the Yocto 7.3 version. We want to implement signed applications to run on our SoM; for that we have included the meta-security/meta-integrity layers in bblayers.conf, generated keys using that layer and included those keys in local.conf. We have compiled the image, verified that the keys are in the /etc/keys/ folder, and also set the required config parameters. When I enable the strict IMA policy, we get errors like:
[FAILED] Failed to start Commit a transient machine-id on disk.
See “systemctl status systemd-machine-id-commit.service” for details.

[FAILED] Failed to start Network Service.
See “systemctl status systemd-networkd.service” for details.
[FAILED] Failed to start Login Service.
See “systemctl status systemd-logind.service” for details.

So we are unable to sign the rootfs. Please suggest where we went wrong.

Hi, I’m the Toradex AI Assistant.

I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.



Implementing Secure Boot for Colibri iMX7D

For implementing signed applications and secure boot on your Colibri iMX7D module, Toradex provides a dedicated security layer rather than using the generic meta-security/meta-integrity layers.

Recommended Approach: Use Toradex Security Layer

Instead of manually adding meta-security/meta-integrity layers, Toradex provides the meta-toradex-security layer specifically designed for secure boot implementation on Toradex modules.

The Colibri iMX7D supports secure boot with the following features:

  • Bootloader signature checking via NXP’s High Assurance Boot (HAB)
  • FIT image signature checking for kernel and device trees
  • Rootfs signature checking using dm-verity
  • U-Boot hardening with command whitelisting

Configuration Steps

  1. Enable Secure Boot Classes

Add one of these classes to your local.conf (1):

# For full secure boot including rootfs verification
INHERIT += "tdxref-signed"

# Or for secure boot without rootfs dm-verity (if rootfs signing causes issues)
INHERIT += "tdx-signed"

  2. Configure Your Image for dm-verity

If using tdxref-signed, specify your image recipe:

DM_VERITY_IMAGE = "your-image-name"

  3. Machine Configuration

Ensure your machine is correctly set for Colibri iMX7D (1):

MACHINE ?= "colibri-imx7"
# or for eMMC variant
MACHINE ?= "colibri-imx7-emmc"
ACCEPT_FSL_EULA = "1"

Troubleshooting the Service Failures

The systemd service failures you’re experiencing are likely due to:

  1. Read-only rootfs conflicts: When using dm-verity, the rootfs becomes read-only, which can cause issues with services that need to write to system directories.

  2. Missing data partition: Services like systemd-machine-id-commit need writable storage.

Solution: Add Data Partition

For persistent data storage with secure boot, use the tdx-tezi-data-partition class (2):

INHERIT += "tdx-tezi-data-partition"

This creates a separate writable partition for data that persists across updates while keeping the rootfs read-only and verified.

Alternative Approach

If you continue experiencing issues with full rootfs verification, consider using tdx-signed instead of tdxref-signed. This provides bootloader and kernel signing without the dm-verity rootfs verification that may be causing your service failures.

Key Differences from Generic IMA/EVM

Toradex’s secure boot implementation is specifically optimized for embedded systems and provides:

  • Hardware-anchored root of trust
  • Atomic updates with rollback capability
  • Integration with Toradex Easy Installer
  • Support for persistent data partitions

The Colibri iMX7D is confirmed to support secure boot features (3), so the recommended approach is to use Toradex’s proven security layer rather than implementing a custom IMA/EVM solution.

Best regards, Toradex AI Assistant.
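The answer recommends dm-verity for rootfs verification. The following is an added example, not code from the post or from meta-toradex-security, showing what that protects: a Merkle hash tree over the image's blocks whose root hash is the only value that has to be trusted (it is what the signed kernel command line or FIT image carries), and the per-block check the kernel performs on every read. It is a simplified reconstruction of the dm-verity format version 1 layout (salt prepended to each block before hashing, digests packed into zero-padded hash blocks); byte-exact agreement with veritysetup's on-disk format is not claimed, and the sample image and salt are constructed for the demo.

```python
"""Simplified dm-verity style hash tree: build it over an image, then verify one block
on read. Added example; layout modelled on dm-verity format version 1 (assumption:
not byte-exact with veritysetup)."""
import hashlib

BLOCK_SIZE = 4096  # dm-verity default data and hash block size


def hash_block(data, salt, algo="sha256"):
    """Format version 1 hashes salt || block contents (version 0 used block || salt)."""
    h = hashlib.new(algo)
    h.update(salt)
    h.update(data)
    return h.digest()


def split_blocks(data, block_size=BLOCK_SIZE):
    """Zero-pad to a whole number of blocks and split, like a padded filesystem image."""
    pad = (-len(data)) % block_size
    data = data + b"\x00" * pad
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def build_hash_tree(image, salt, block_size=BLOCK_SIZE, algo="sha256"):
    """Return (root_hash, levels).

    levels[0] holds the hash blocks covering the data blocks; levels[-1] is the single
    top-level hash block whose digest is the root hash. A hash block is block_size bytes
    of concatenated digests, zero-padded, which is how dm-verity stores them on the
    hash device. With a single data block there are no hash blocks and the root hash
    is that block's digest.
    """
    digest_size = hashlib.new(algo).digest_size
    per_block = block_size // digest_size
    digests = [hash_block(b, salt, algo) for b in split_blocks(image, block_size)]
    if not digests:
        raise ValueError("empty image")
    levels = []
    while len(digests) > 1:
        hash_blocks = []
        for i in range(0, len(digests), per_block):
            hb = b"".join(digests[i:i + per_block])
            hash_blocks.append(hb + b"\x00" * (block_size - len(hb)))
        levels.append(hash_blocks)
        digests = [hash_block(hb, salt, algo) for hb in hash_blocks]
    return digests[0], levels


def verify_block(block_index, block_data, root_hash, levels, salt,
                 block_size=BLOCK_SIZE, algo="sha256"):
    """Check one data block the way the kernel does on each read: hash it, confirm it
    is the expected entry of its hash block, then confirm each hash block against the
    entry in the level above, finishing at the trusted root hash. Any modified data
    block or hash block along the path makes this return False (an I/O error on the
    device in the kernel)."""
    digest_size = hashlib.new(algo).digest_size
    per_block = block_size // digest_size
    expected = hash_block(block_data, salt, algo)
    index = block_index
    for hash_blocks in levels:
        if index // per_block >= len(hash_blocks):
            return False
        hb = hash_blocks[index // per_block]
        off = (index % per_block) * digest_size
        if hb[off:off + digest_size] != expected:
            return False
        expected = hash_block(hb, salt, algo)
        index //= per_block
    return expected == root_hash


if __name__ == "__main__":
    import os
    salt = bytes(32)                         # constructed; veritysetup picks a random salt
    image = os.urandom(BLOCK_SIZE * 5 + 123)  # constructed stand-in for a rootfs image
    root, levels = build_hash_tree(image, salt)
    blocks = split_blocks(image)
    print("root hash:", root.hex())
    print("all blocks verify:", all(verify_block(i, blocks[i], root, levels, salt)
                                    for i in range(len(blocks))))
    tampered = bytearray(blocks[2])
    tampered[100] ^= 0x01                    # one flipped bit in one block
    print("tampered block verifies:", verify_block(2, bytes(tampered), root, levels, salt))
```

The point for the original problem: with dm-verity nothing in the rootfs is individually signed, so there is no per-file appraisal for systemd services to trip over; the whole block device is either the image whose root hash was signed, or it fails on read. The flip side, which is why the answer pairs it with a data partition, is that a verified rootfs cannot be written at all: anything needing persistent writes has to live on a separate, unverified partition.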