Hi,
I did some testing with secure boot building and don’t really understand the differences between ECoT and BCoT.
I do understand the additional addition of composefs which protects the /etc/ directory but with the presence of systemd tmpfiles I don’t really see the added value other than making it a bit harder to run something on the Torizon OS…
Can somebody explain in simple terms what the added value is for the RootFS protection?
Kind regards,
Richard
Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Hello!
The key differences between the Extended Chain of Trust (ECoT) and the Basic Chain of Trust (BCoT) in TorizonCore are as follows:
Basic Chain of Trust (BCoT):
- Validates the signed bootloader through ROM code.
- Validates signed kernel artifacts.
- Includes U-Boot hardening to prevent tampering and the execution of unsigned software.
Extended Chain of Trust (ECoT) adds:
- Protection of most of the root filesystem.
- Utilizes composefs integrated with OSTree for enhanced root filesystem protection.
While the /etc directory becomes volatile with composefs, this is a security feature rather than a limitation. This volatility ensures that any malicious changes to system configuration files do not persist after a reboot. The systemd-tmpfiles service provides a controlled method to manage necessary persistent changes while maintaining security.
The root filesystem protection offered by ECoT adds an important layer of security by ensuring the integrity and authenticity of system files beyond just the boot process and kernel.
If you have any more questions or need further details about any specific aspect of the security implementation, feel free to ask!
Best regards,
Toradex AI Assistant
Greetings @RiBe_Act,
Could you elaborate a bit on where/what you see the issue/lack of value regarding composefs?
Briefly, this article from one of the main maintainers of OSTree and composefs goes into more detail regarding the benefits that composefs provides for an OSTree based system (like Torizon OS): Using Composefs in OSTree – Alexander Larsson
If you have a specific concern though beyond this, we can discuss in more detail if you specify.
Best Regards,
Jeremias
Hi Jeremias,
After reading the link you provided and the initial page of the secure boot definition I realized this question is incorrect. I was looking at the bigger picture regarding system security and had the wrong idea regarding secure boot’s main function. It is aimed at making sure a validly signed image is run and not so much as preventing other programs from running.
That being said this topic can be ignored since this is not secure boot based.
I’m glad I was able to help clarify.
That said, it sounds like you have a specific use-case here that might be different than what we currently offer in meta-toradex-security. If you don’t mind sharing, could you describe what you were hoping to do regarding security?
Best Regards,
Jeremias