Verdin8MM boot from encrypted USB

Hello, is it possible to boot from an encrypted USB stick on Verdin8MM while utilizing Secure Boot (OpenEmbedded)?

Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!

Hello,

Booting from an encrypted USB stick on a Verdin iMX8MM module while utilizing Secure Boot involves several considerations. Secure Boot on the Verdin iMX8MM, as with other Toradex modules, is designed to verify the authenticity of the bootloader and kernel to ensure that only trusted software is executed. This process does not inherently include decryption of external media like a USB stick.

However, to achieve booting from an encrypted USB stick, you would typically need to first boot into a minimal, trusted environment that includes the necessary tools to decrypt the USB stick. This environment must be part of the Secure Boot chain to ensure it’s trusted. After decryption, the system can then proceed to boot from the now-accessible USB stick.

This process involves:

  1. Secure Boot Configuration: Ensuring that Secure Boot is correctly set up on your Verdin iMX8MM to authenticate the initial boot stages.
  2. Decryption Support: Implementing support for decryption within your boot process. This might involve integrating decryption tools into your initial boot image, which must be authenticated by Secure Boot.
  3. Bootloader Support: Modifying U-Boot (or whichever bootloader you are using) to recognize and boot from the decrypted USB stick. This may involve custom scripting or modifications to the bootloader.

It’s important to note that while Secure Boot ensures the integrity and authenticity of the boot process, the decryption of an external USB stick for booting introduces additional complexity. You’ll need to ensure that the keys or mechanisms used for decryption are securely managed and, ideally, integrated into the Secure Boot process to prevent unauthorized access.

Given the complexity of this setup, it’s crucial to carefully plan the implementation, considering the security implications of each step in the process.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Security Hardening of U-Boot | Toradex Developer Center.

Is there a specific tool available for encrypting a USB stick and decrypting it through U-Boot? Alternatively, is there a tutorial that can guide me through this process?

Greetings @Rabeb,

At the moment I can’t say we really have any tools or documented processes for this. Just to understand, could you explain what your use-case and technical requirements are for this? We’d like to understand why exactly you want to boot the OS from an encrypted USB specifically.

Best Regards,
Jeremias