I am researching secure boot using the Verdin AM62 and IMX8MM modules.
I already have an existing project setup using the AM62 module and now want to add the secure boot feature to this project.
One question I have is about the signing of the FIT image. The way I read it, this image also includes the device tree for the module.
During the project development I made changes to the device tree where required and that is now functional; however, I made those changes using TorizonCore Builder. Now that I am implementing secure boot in the project, can I still use TorizonCore Builder to add my custom device tree to the build, or do I need to integrate my device tree into my Yocto build?
For reference, I build the Yocto Torizon OS build using the Docker CROPS container and added the necessary secure boot certificates/keys to that.
Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!
Hello Richard,
Thank you for reaching out with your question about implementing secure boot on your project using the Verdin AM62 and iMX8MM modules.
To enable secure boot, you will indeed need to utilize the Yocto Project/OpenEmbedded build system. This is because secure boot involves creating a signed FIT image, which includes the bootloader, kernel, and device tree, all of which must be part of a verified chain of trust. The signing and verification processes are integral to the Yocto build environment.
While TorizonCore Builder is a fantastic tool for customizing Torizon OS images, including adding custom device trees and overlays, it does not handle the secure boot signing process. Therefore, for secure boot, you should integrate your custom device tree into your Yocto build setup. This ensures that your device tree is included in the signed FIT image, maintaining the integrity and security of the boot process.
You can continue to use TorizonCore Builder for other customizations and development tasks, but the secure boot aspect will require the Yocto build system to ensure all components are properly signed and verified.
I hope this helps clarify the process. If you have any more questions, feel free to ask.
Best regards,
Toradex AI Assistant.
Using TorizonCore Builder to modify an image that is secure-boot enabled won’t work well at the time of writing. TorizonCore Builder was originally designed to work with our standard images. We plan to update the tool to eventually work with secure-boot enabled images as well, but it’s not quite there yet.
For the time being, most modifications, including the device tree, will need to be done at the Yocto level. Some operations and modifications may work, but at least for device tree I imagine it would fail since the tool doesn’t know how to work with FIT images as of yet. Especially FIT images that are signed.
Thank you for confirming I can't use TorizonCore Builder for this function.
However, I don't have experience yet using Yocto as a build program and am at a loss as to where and how to link my custom dts file.
I found this link referring to kernel customization. Is that the way it is normally done using Yocto?