Secure boot with bundled docker images into Torizon

Hello,

I created my own Torizon image with Yocto. Additionally, I activated secure-boot or chain of trust by adding ‘torizon-signed’ to local.conf file. The built image can be installed with EasyInstaller and is successfully verified by dm-verity at boot. System comes up and is running.

Now, if I bundle some docker-images into the image, it can be installed successfully but dm-verity fails verifying it:

Enabling fsverity failed (system will not boot).
sysroot.readonly configuration value: 0 (fs writable: 1)
ostree-prepare-root: Error loading signatures from repo: No commitmeta for commit 266a633544adb3e19a138aafee213079d8e2678e5b8d82150b37919cd9c74007
ERROR: There's no '/dev' on rootfs.

Pre-provisioning docker images without secure-boot also works. Is it possible that TorizonCoreBuilder doesn’t patch the bundled image correctly? Is there a possibility to do that?

Kind regards,
KV

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!


Hello KV,

Thank you for reaching out with your question. It sounds like you’re encountering an issue with dm-verity failing to verify your Torizon image after bundling Docker images. This is likely related to the integrity verification process, which is crucial when secure boot is enabled.

Here are some steps you can take to resolve this:

  1. Ensure Proper Signing: After adding Docker images to your Torizon image, make sure the entire image is re-signed. The addition of Docker images can change the image’s hash, which must be updated in the signature for dm-verity to verify it correctly.

  2. Use TorizonCoreBuilder Correctly: Ensure you are following the recommended workflow for TorizonCoreBuilder. Use the bundle command to download and prepare Docker images, and then the combine command to integrate these images into your Torizon image.

  3. Verify Image Integrity: Before deploying, verify the image’s integrity using appropriate tools to ensure all components, including Docker images, are correctly signed and verified.

  4. Check Configuration: Review your local.conf and other configuration files to ensure all settings related to secure boot and dm-verity are correctly configured.

By following these steps, you should be able to maintain the integrity of your Torizon image with bundled Docker images, allowing dm-verity to verify it successfully.

Best regards,
Toradex AI Assistant

Please also check if these links can help you solve your problem:

Torizon Core Builder.

Hi @KV1979 !

That’s great to know that you managed to implement secure boot using meta-toradex-security layer :slight_smile:

Right now (and as far as I know), the implementation of Full Chain of Trust (covering containers) is still ongoing. The same goes for TorizonCore Builder.

We have the current status documented here: Secure Boot | Toradex Developer Center

Anyway, I will double-check if the information available is up-to-date.

On your side, would you be able to share a timeline for when you would need such implementations to be available for your project?

Best regards,

Hello,

I’ve done some more tests with secure boot and read-only filesystem respectively.

I’ve installed my Torizon-based image (this time without pre-provisioned containers) using EasyInstaller. System is booting, all fine. I didn’t install any containers. Afterwards I uploaded a modified image to Torizon Cloud and triggered a device update. The update is downloaded and installed, the device reboots and then the same error occurs:

sysroot.readonly configuration value: 0 (fs writable: 1)
ostree-prepare-root: Error loading signatures from repo: No commitmeta for commit e55ceb19e265deeb6d9dcb051ce97092ba6a59a3b5f6d2d6988df98c9e967ee7
ERROR: There's no '/dev' on rootfs.

System does not boot and after 3 boot attempts it recovers to old image version.

So it seems that handling images with activated secure boot is still problematic.
My built image is based on scarthgap-7.x.y branch, commit of 2024-12-30.

Kind regards,
KV
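The failure quoted in both reports is ostree-prepare-root refusing a deployment because the commit has no detached signature metadata, which is what dm-verity/secure boot requires on a torizon-signed image. As an added example (not code from this thread, from Toradex or from the meta-toradex-security layer), the POSIX shell script below parses a captured boot log for that error, rejoins a commit id that the serial console wrapped at 80 columns, and prints the `ostree show` command that lists the commit's detached `ostree.sign` metadata so the missing signature can be confirmed on the device. The sample log is constructed to match the console output above; the repository path `/sysroot/ostree/repo` is the ostree default and an assumption about the device.

```shell
#!/bin/sh
# Added example, not code from the thread or from Toradex. It parses a captured boot
# log for the ostree-prepare-root "No commitmeta for commit <id>" failure, rejoins a
# commit id the serial console wrapped at 80 columns, and builds the ostree command
# that reveals whether that commit carries a detached signature. The repo path
# /sysroot/ostree/repo is the ostree default and an assumption about the device.

# Constructed sample, shaped like the console output quoted in the thread
# (the commit id is split across two lines by the 80-column wrap).
SAMPLE_LOG='sysroot.readonly configuration value: 0 (fs writable: 1)
ostree-prepare-root: Error loading signatures from repo: No commitmeta for commi
t e55ceb19e265deeb6d9dcb051ce97092ba6a59a3b5f6d2d6988df98c9e967ee7
ERROR: no /dev on rootfs'

# Print one 64-hex commit id per "No commitmeta" error found in the text given as $1.
# Line breaks are stripped first so an id broken by console wrapping is restored.
missing_commitmeta_ids() {
    printf '%s' "$1" | tr -d '\r\n' \
        | grep -o 'No commitmeta for commit [0-9a-f]\{64\}' \
        | sed 's/.* //'
}

# Build the command that lists the detached "ostree.sign" metadata of a commit.
# Empty output from it means the commit was never signed, or its signature was lost
# when the image was re-assembled, which is exactly what ostree-prepare-root rejects.
signature_check_command() {
    repo="${2:-/sysroot/ostree/repo}"
    printf 'ostree show --repo=%s --print-detached-metadata-key=ostree.sign %s\n' "$repo" "$1"
}

# Usage: report every affected commit and the check to run on the device.
for id in $(missing_commitmeta_ids "$SAMPLE_LOG"); do
    echo "deployment rejected for unsigned commit $id"
    echo "  verify on device: $(signature_check_command "$id")"
done
```

Run the printed `ostree show` command on the booted (rolled-back) device; a signed commit prints its ed25519 signature entries, while an empty result pins the problem to the image-assembly step that produced the commit rather than to the boot-time verifier.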