
How can I verify Rootfs from U-Boot?

0 votes
Hi
I want to add Rootfs verification to the U-Boot secure boot (like the Kernel verification).
How can I do that?

Regards
Michael
asked Dec 10, 2019 in Linux by hellsmoke New to the Community (6 points)


1 Answer

0 votes
The closest to what you want would probably be encrypting the rootfs partition:
https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc6ul/yocto-trustfence_t_secure-boot-set-up.html
6. Set up your device with root filesystem encryption
Root filesystem encryption adds another layer of security to TrustFence. It uses the kernel’s cryptographic support to encrypt all the data you store in the root filesystem. Attempting to access this data without the correct encryption key returns random, meaningless bytes.

When you enable TrustFence (see Enable TrustFence support in Digi Embedded Yocto), you automatically enable root filesystem encryption. This configures the project so a new ramdisk (dey-image-trustfence-initramfs-ccimx6ulsbc.cpio.gz.u-boot.tf). This ramdisk is used at boot time to set up the encrypted root filesystem partition.
answered Dec 10, 2019 by LeonidM Veteran of the Digi Community (3,519 points)
Hi
Thank you for your answer.

I enabled TrustFence with encrypted rootfs.

But either I don't understand the boot process or it doesn't work. I can store unencrypted and unsigned rootfs images, and U-Boot always boots.

U-Boot recognizes a wrongly signed boot image. But U-Boot doesn't recognize a wrong rootfs image.

- I use a dual boot system with 2 partitions each:
  - linux1
  - rootfs1
  - linux2
  - rootfs2

One linuxX and one rootfsX are always active (selected by an environment variable).

Why does U-Boot boot with a wrong rootfs?

Regards
Michael
You might need to create a support case with Digi to get help. You can do so by sending an email with a problem description to tech.support@digi.com
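For readers who want the rootfs checked by the bootloader itself, the way the kernel image is checked in the thread, here is an added example of a U-Boot boot script that does this. It is not Digi's code and not part of the TrustFence documentation linked above. It assumes a read-only rootfs image (for example squashfs) stored in a raw eMMC area, a U-Boot built with the `hash` command and its verify mode (CONFIG_CMD_HASH, CONFIG_HASH_VERIFY, CONFIG_SHA256), and that this script is itself part of the signed boot image, so the digests written into it are covered by the existing signature. The environment names `active_slot`, `rootfs_addr` and `verified_kernel_boot`, the block offsets and the `<SHA256_...>` placeholders are all assumptions for illustration.

```uboot
# Added example (not Digi's code): verify a read-only rootfs image before boot.
# The expected digests are written into this signed script, never taken from the
# writable environment, so an attacker who can rewrite the environment cannot
# simply substitute a matching digest along with a modified rootfs.

# Pick the active slot (rootfs1 or rootfs2), mirroring the dual-boot layout
# described in the thread. 'active_slot' is an assumed environment variable.
if test "${active_slot}" = "2"; then
    setenv rootfs_blk 0x20000
    setenv rootfs_sha256 <SHA256_OF_ROOTFS2_PLACEHOLDER>
else
    setenv rootfs_blk 0x10000
    setenv rootfs_sha256 <SHA256_OF_ROOTFS1_PLACEHOLDER>
fi

# Image size, once as a 512-byte block count for 'mmc read' and once in bytes
# for 'hash' (assumed 16 MiB image here).
setenv rootfs_cnt 0x8000
setenv rootfs_bytes 0x1000000

# 1. Read the whole rootfs image into RAM at the assumed address rootfs_addr.
mmc dev ${mmcdev}
if mmc read ${rootfs_addr} ${rootfs_blk} ${rootfs_cnt}; then
    # 2. Hash the image and compare with the trusted digest. 'hash -v' takes
    #    either a 64-hex-digit literal or, as here, an environment variable
    #    name; it returns non-zero on mismatch, so the else branch is the
    #    refuse-to-boot path.
    if hash -v sha256 ${rootfs_addr} ${rootfs_bytes} rootfs_sha256; then
        echo "rootfs${active_slot}: digest OK, continuing with kernel boot"
        # 3. Hand over to the existing signed-kernel boot sequence (assumed name).
        run verified_kernel_boot
    else
        echo "rootfs${active_slot}: digest mismatch, refusing to boot"
        reset
    fi
else
    echo "could not read rootfs${active_slot} image"
    reset
fi
```

Two caveats apply. This only works for an image that never changes at runtime; a writable root filesystem (such as the UBIFS rootfs used by default on these modules) has no stable digest, which is why the supported answer in the thread points at encryption rather than a bootloader-side hash, and why read-write roots are normally protected with block-level integrity checking in the kernel (dm-verity) rather than from U-Boot. And the check is only as strong as the place the digest lives: if the digests were stored in a plain environment variable instead of the signed script, replacing both the rootfs and the variable would pass the check.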