2025-12-03 –, Walnascar
This talk explores how to establish a complete secure boot chain on ARM-based embedded platforms using Yocto, combining SoC-level security mechanisms with Linux-level integrity protection. Through the example of NXP’s i.MX family, we’ll show how to leverage features such as HABv4, ARM TrustZone, and OP-TEE to create a verified, encrypted, and trusted execution environment from the first instruction to the root filesystem.
Not all ARM devices include UEFI or a TPM, yet embedded systems still need strong guarantees of authenticity and integrity. This session explains how to build a secure and trusted boot chain on ARM platforms directly using SoC-provided mechanisms.
Focusing on the NXP i.MX SoC family, we’ll walk through:
- Using the High Assurance Boot (
HABv4) to sign and verify U-Boot and kernel images - Fusing keys inside the SoC’s OTP memory
- Extending trust to userspace through
dm-verityanddm-crypt, even without a TPM - Leveraging ARM TrustZone and OP-TEE for trusted key management and runtime validation
This talk echoes the YPS 2024.12 session “Secure Boot All the Way to Userspace” by Mikko Rapeli, bringing similar principles to embedded hardware where UEFI is unavailable. Attendees will learn practical Yocto integration patterns and reproducible workflows to implement secure boot and trusted execution on ARM-based devices, ready for deployment in production environments.
Mathieu is a senior free software consultant and has a wide knowledge of Linux system, from low layers such as Kernel space to higher layers like containers / virtualization. He has valuable experience in Linux system security for both embedded systems and servers.
Mathieu is one of the main contributors of the SEAPATH open-source project supported by the LFEnergy foundation.