How can I verify Rootfs from U-Boot?

I want add the Rootfs verification into the U-Boot secure-boot (like the Kernel verification).
How can I do that?


The closest to what you want would probably be encrypting rootfs partition:
6. Set up your device with root filesystem encryption
Root filesystem encryption adds another layer of security to TrustFence. It uses the kernel’s cryptographic support to encrypt all the data you store in the root filesystem. Attempting to access this data without the correct encryption key returns random, meaningless bytes.

When you enable TrustFence (see Enable TrustFence support in Digi Embedded Yocto), you automatically enable root filesystem encryption. This configures the project so a new ramdisk ( This ramdisk is used at boot time to set up the encrypted root filesystem partition.

Thank you for your answer.

I enabled tustfence with encrypted rootfs.

But I don’t understand either the boot process or it doesn’t work. I can store an unencrypted and unsigned rootfs images, U-Boot always boots.

U-Boot recognizes a wrong signed boot image. But U-Boot doesn’t recognize a wrong rootfs image.

  • I use a dual boot system with 2 partitions each:
    • linux1
    • rootfs1
    • linux2
    • rootfs2

Always one linuxX and one rootfsX is active (environment variable).

Why does U-Boot boot with a wrong rootfs?


You might need to create a support case with Digi to get help. You can do so by sending eamil with problem description to