Updating Rootfs Only with OTA on a Secure-Boot-Enabled Verdin iMX8M

Hello everyone,

I’m working on a project using Yocto Scarthgap on a Verdin iMX8MP board. I’ve enabled secure boot via the meta-toradex-security layer by inheriting the tdxref-signed feature to extend the chain of trust all the way to the rootfs.

I’m now integrating OTA updates with Mender and wondering if it’s possible to update only the rootfs (without touching the fitImage), without triggering errors related to initramfs or dm-verity. Does anyone have details on how this works in this setup?

From what I understand, the initramfs computes the rootfs hash at boot from the hash tree in the rootfs partition (via .ext4.verity) and compares it to the expected hash metadata (generated during build and stored in the rootfs). If that’s correct, it should allow updating just the rootfs partition without rebuilding the fitImage. Is the rootfs signed in the same way as the fitImage?

Finally, does secure boot with meta-toradex-security work like in the attached image (sboot-signverify.jpg)? Does the signing/verification follow this scheme?

Thanks in advance for your feedback and experiences!

Best regards,
Stan

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

I’d be happy to help you understand secure boot with meta-toradex-security and its interaction with OTA updates. To provide the most accurate guidance, could you let me know which exact version of Yocto Scarthgap and BSP you are running?

You can get this information using the tdx-info command on your device. More details on this tool are available at: https://developer.toradex.com/software/development-resources/tdx-info/

Secure Boot Implementation with tdxref-signed

When you inherit tdxref-signed, the secure boot implementation includes several verification layers. The rootfs signature checking uses the dm-verity kernel feature, where the rootfs image is generated with a hash tree and the root hash is added to the ramdisk image(1). The ramdisk will only mount the rootfs if the root hash matches the dm-verity image(1).

OTA Updates and dm-verity Considerations

For OTA updates with Mender in a dm-verity setup, there are important considerations. The dm-verity feature creates a read-only rootfs, which means you’ll need to handle persistent data separately. When tdxref-signed is used to enable secure boot, you might want to create an additional partition in the eMMC to store persistent data(1).

Torizon Remote Updates Alternative

Toradex offers Torizon Remote Updates as the recommended OTA solution(1). This solution is built from the ground up to be fully integrated with Toradex hardware and uses OSTree technology, which is specifically designed to handle updates for filesystem trees atomically(1).

Once you provide the version information, I can give you more specific guidance on how the secure boot chain works with your exact setup and whether rootfs-only updates are feasible with your current configuration.

Best regards, Toradex AI Assistant.
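As an added illustration of the dm-verity mechanism the question and the reply refer to (example code written for this thread, not Toradex's or the kernel's implementation): a small Python model of the format-1 hash tree, showing how the root hash is derived from the rootfs blocks and how a block is verified on read against a trusted root hash. It assumes SHA-256 with the salt prefixed to each block, a constructed 64-byte block size and fixed salt so the tree has several levels, and omits the verity superblock that veritysetup writes.

```python
import hashlib

DIGEST = hashlib.sha256().digest_size  # 32 bytes per tree entry

def _h(salt: bytes, block: bytes) -> bytes:
    # dm-verity hash format 1 hashes salt || block (format 0 would be block || salt)
    return hashlib.sha256(salt + block).digest()

def build_hash_tree(image: bytes, block_size: int, salt: bytes):
    """Build the hash tree for a block image (what veritysetup format does at build time).
    Returns (root_hash, levels): levels[0] holds the digests of the data blocks, each
    higher level the digests of the hash blocks below it; the root hash is the digest
    of the single top-level hash block."""
    if len(image) % block_size:
        raise ValueError("image must be a whole number of blocks")
    digests = [_h(salt, image[i:i + block_size]) for i in range(0, len(image), block_size)]
    levels = []
    while True:
        packed = b"".join(digests)
        packed += b"\0" * (-len(packed) % block_size)  # zero-pad to a whole hash block
        levels.append(packed)
        if len(packed) == block_size:
            return _h(salt, packed), levels
        digests = [_h(salt, packed[i:i + block_size]) for i in range(0, len(packed), block_size)]

def verify_block(block: bytes, index: int, levels, root_hash: bytes, block_size: int, salt: bytes) -> bool:
    """What the kernel does on each read: hash the data block and walk up the tree,
    checking every hash block on the path until the trusted root hash is reached."""
    per_block = block_size // DIGEST
    expected, idx = _h(salt, block), index
    for level in levels:
        blk, slot = divmod(idx, per_block)
        hash_block = level[blk * block_size:(blk + 1) * block_size]
        if hash_block[slot * DIGEST:(slot + 1) * DIGEST] != expected:
            return False
        expected, idx = _h(salt, hash_block), blk
    return expected == root_hash

# Constructed demo input: a toy 5-block "rootfs" with a 64-byte block size
# (real images use 4096) and a fixed salt, chosen so the tree has three levels.
BLOCK = 64
SALT = bytes(range(16))
IMAGE = b"".join(bytes([i]) * BLOCK for i in range(5))

def demo():
    root, levels = build_hash_tree(IMAGE, BLOCK, SALT)
    ok = all(verify_block(IMAGE[i * BLOCK:(i + 1) * BLOCK], i, levels, root, BLOCK, SALT) for i in range(5))
    tampered = bytearray(IMAGE)
    tampered[2 * BLOCK + 7] ^= 0xFF  # change one byte of data block 2
    rejected = not verify_block(bytes(tampered[2 * BLOCK:3 * BLOCK]), 2, levels, root, BLOCK, SALT)
    new_root, _ = build_hash_tree(bytes(tampered), BLOCK, SALT)  # a changed image has a new root hash
    return ok, rejected, new_root != root
```

The last line of `demo` is the point for rootfs-only updates: a rebuilt rootfs image carries a different root hash, so whatever component holds the expected root hash must match the image that is actually installed.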
