Hello,
Has anyone successfully integrated dm-verity with an IMX8M secure boot setup using Yocto? We have secure boot working all the way to the Linux kernel, but we’re running into issues with filesystem verification. Specifically, we are using the IOT-GATE-IMX8 from Compulab.
What we have done so far is add the following to our Yocto setup's local.conf:
IMAGE_INSTALL:remove = "cl-growfs-rootfs"
INITRAMFS_IMAGE = "dm-verity-image-initramfs"
DM_VERITY_IMAGE = "core-image-minimal"
DM_VERITY_IMAGE_TYPE = "ext4"
IMAGE_CLASSES += "dm-verity-img"
INITRAMFS_IMAGE_BUNDLE = "1"
INITRAMFS_FSTYPES = "cpio.gz"
ENABLE_PARTITIONS_IMAGE = "0"
IMAGE_FEATURES:append = " read-only-rootfs "
This produces multiple files with the .verity suffix, as well as the image Image-initramfs--5.15.32-r0-iot-gate-imx8-20250217095814.bin.
When we sign the initramfs image (Image-initramfs--...bin) using the CST signing tool from Compulab, the kernel fails to boot, and HAB reports an "Invalid signature" error.
However, if we use the same setup and keys to sign the non-initramfs image, everything works fine—except the kernel doesn't have dm-verity support on.
Are we missing something in our setup? Has anyone encountered and solved a similar issue? Any guidance would be greatly appreciated!
Thanks in advance,
Ville