The default Digi Embedded Yocto root file system is writable. This allows users to modify configuration files and add or remove other files. You can also build a read-only root file system with Digi Embedded Yocto. A read-only root file systems has several advantages:

  • You can separate user-specific changes from system configuration.

  • It allows for factory reset by erasing the user data from the writable partition.

  • With TrustFence, you can sign the root file system image and authenticate it at boot because the image will not change.

Configure your project for read-only rootfs

To build an image with read-only rootfs, edit your project’s conf/local.conf configuration file and add:

conf/local.conf
EXTRA_IMAGE_FEATURES += "read-only-rootfs"

This read-only-rootfs is a Yocto IMAGE_FEATURE. When you add this IMAGE_FEATURE to your project, Yocto changes some recipes to prevent them from modifying root file system files during runtime.

Build the read-only rootfs image

Build an image for your project, such as:

$ bitbake dey-image-webkit

The build produces a SQUASHFS root file system image called dey-image-webkit-wayland-ccmp15-dvk.squashfs.

Signed read-only rootfs (optional)

If TrustFence is enabled, Digi Embedded Yocto signs the read-only rootfs image. This forces closed devices to authenticate the read-only rootfs before booting.

See Secure boot for more information.

Prepare your target for read-only rootfs

  1. Use the update command to program the SQUASHFS root file system image directly on the target. For example:

    => update rootfs tftp dey-image-webkit-wayland-ccmp15-dvk.squashfs
  2. Set the rootfstype variable to squashfs. This helps the dboot command compose the appropriate boot arguments.

    => setenv rootfstype squashfs
    => saveenv
  3. Boot the target:

    => boot
    If TrustFence is enabled, the rootfs image is authenticated before boot.

You can see on the boot log that the root file system is read-only:

...
platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
ALSA device list:
  #0: imx-max98088
VFS: Mounted root (squashfs filesystem) readonly on device 179:3.
devtmpfs: mounted
Freeing unused kernel memory: 2496K...

Customize the read-only file system

Read-only root file systems do not allow modification of system configuration files, such as network settings or ConnectCore Cloud Services settings.

There are two methods to overcome this:

  • Modify configuration files at build time.

  • Mount an overlay file system over the read-only root file system.

Modify configuration files at build time

This method creates fixed configuration files at build time that will be part of the final read-only root file system.

  • Advantages

    • The system is fully read-only, but configured with your desired settings.

  • Disadvantages

    • Any device programmed with the read-only image will have the exact same settings, which may be inconvenient if several devices are working in the same network.

ConectCore Cloud Services settings

Default path to download firmware files (/mnt/update) is not writable in dual boot system devices using read-only root file system. To have CCCS firmware update service properly working, you must change the cccs.conf configuration to either:

  • Enable on-the-fly updates, on_the_fly to true, or

  • Use buffered updates with a firmware_download_path pointing to a writable directory with enough space for update packages.

Other system settings

For any system configuration file that you want to modify, do the following:

  1. Locate the recipe that contains and installs the configuration file.

  2. If the file is installed by meta-digi layer, edit the file and apply your modifications. If not, create a recipe *.bbappend (either in meta-digi layer or on a custom layer with bigger priority) that overrides the configuration file with your changes.

Mount an overlay file system

Yocto read-only support allows you to define overlays. Overlays are mount points that can overlay folders on a read-write partition over the read-only root file system. This creates a union file system between the read-only and the read-write partitions. The overlayed folders and their files become read-write, and modifications are stored on the read-write partition.

By default, Digi provides a preconfigured overlay over the /etc/ folder where most of configuration files are located.

To enable an image with overlayfs-etc, edit your project’s conf/local.conf configuration file and add:

conf/local.conf
EXTRA_IMAGE_FEATURES += "read-only-rootfs overlayfs-etc"
IMAGE_FEATURES:remove = "package-management"

By default this is the configuration provided:

OVERLAYFS_ETC_MOUNT_POINT = "/mnt/data"
OVERLAYFS_ETC_DEVICE = "ubi1:data"
OVERLAYFS_ETC_FSTYPE = "ubifs"

This configuration can be customized in your project configuration file conf/local.conf.