I am having trouble finding existing documentation on how to secure a system running Torizon. I am looking for help on secure boot and encryption. Is there any support available currently?
We have done some internal proofs of concept with Torizon regarding security. We plan in the near future to post our findings, as well as future updates regarding security, on https://labs.toradex.com/.
For a start, however, you can start looking at the High Assurance Boot (HAB) feature from NXP that is available on all i.MX modules.
Also, just to get better context, are you currently working on a product/project that requires security? Any details you could give would be helpful feedback in terms of shaping the security stance of Torizon as a whole.
Yes, I am using the iMX6 to collect data and execute proprietary algorithms. These algorithms need to be protected, hence my need for encryption and secure boot.
Yes, so like I said, for the time being, for secure boot this application note on HAB is probably the best starting point: https://www.nxp.com/docs/en/application-note/AN4581.pdf
As for encryption, this is a little tricky on Torizon due to the update mechanism, OSTree. Probably what would be simplest would be to create another partition on the device that holds your algorithms and other secrets and encrypt that.
Is there a guide on creating partitions for this device? Also, is there the potential of loading modules like SELinux and AppArmor?
The Easy Installer utility that you used to originally install Torizon can be customized to create unique partitioning schemes. More info here: https://developer.toradex.com/software/toradex-easy-installer#configuration-files
As for additional security utilities, while you can pull a container down and install these utilities in that container, for your purposes it seems like it makes more sense to have these on the base OS itself. Unfortunately, there is no easy way to customize the base TorizonCore OS other than to use OpenEmbedded/Yocto to build a unique Torizon image with the packages you need.