Version: Torizon OS 7.x.y

Encryption on Torizon OS

Introduction

This article gives an overview of Data-at-Rest Encryption and the Trusted Execution Environment (TEE) on Toradex System-on-Modules (SoMs), both delivered through the meta-toradex-security layer. It lists the supported SoMs, the tooling you need, and pointers to the step-by-step instructions for building a Torizon OS image with these features, so that sensitive data stored on the module stays confidential and critical operations run in an isolated environment.

Data-at-rest Encryption

Encryption transforms data so that it can only be read by whoever holds the key. Data-at-rest encryption applies this to data stored on the module's flash: if the eMMC is read out or the device is stolen, the contents of the encrypted partition are unreadable without the key.

The Toradex implementation uses the Linux kernel's encryption features to provide encrypted partitions, with the encryption key bound to a hardware trust source: the SoC's CAAM on i.MX modules, or a TPM on the Verdin AM62. Because the key is protected by hardware rather than stored in clear on the flash, it cannot simply be copied off the device together with the encrypted data.

Encryption is currently supported on the following SoMs:

  • Apalis iMX6
  • Apalis iMX8
  • Colibri iMX6DL
  • Colibri iMX6ULL (1GB eMMC variant only)
  • Colibri iMX7D (1GB eMMC variant only)
  • Colibri iMX8X
  • Verdin AM62 (requires the availability of a TPM)
  • Verdin iMX8MM
  • Verdin iMX8MP

You can use the meta-toradex-security layer provided by Toradex to build a Torizon OS image capable of data-at-rest Encryption. It requires you to Build Torizon OS from Source With Yocto Project/OpenEmbedded.

Refer to the GitHub documentation for instructions on how to use this feature: meta-toradex-security: README-encryption.
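A practitioner who has built such an image usually wants to confirm, on the running module, that the encrypted partition is really rooted in CAAM/TPM and not in a key that passed through user space. The shell check below is an added example, not code from the Torizon documentation or from the meta-toradex-security layer. It assumes the encrypted partition is a dm-crypt mapping whose key is a Linux kernel keyring "trusted" key (sealed by CAAM or a TPM) or an "encrypted" key unlocked by one, which is how kernel-level disk encryption is normally tied to such hardware; the table lines it classifies are constructed samples, and the device names and key descriptions in them are placeholders.

```shell
#!/bin/sh
# Added check, not code from the Torizon docs or meta-toradex-security.
# Assumption: the encrypted partition is a dm-crypt mapping whose key lives in
# the Linux kernel keyring as a "trusted" key (sealed by CAAM or a TPM) or an
# "encrypted" key unlocked by one. dm-crypt writes such keys in its table as
#   :<key_size>:<key_type>:<key_description>
# whereas a key handed over from user space appears as a plain hex string.
#
# dm-crypt table line format (as printed by `dmsetup table`):
#   [<name>:] <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [opts]

# classify_crypt_line LINE
# Prints one of: trusted-key, keyring-user-key, raw-key, not-crypt
classify_crypt_line() {
    set -- $1                       # split the table line into fields
    case "$1" in *:) shift ;; esac  # drop the "<name>:" prefix, if present
    if [ "$3" != "crypt" ]; then
        echo "not-crypt"            # linear, verity, ... : not an encrypted target
        return 0
    fi
    case "$5" in
        :*:trusted:*|:*:encrypted:*) echo "trusted-key" ;;       # sealed by CAAM/TPM
        :*:user:*|:*:logon:*)        echo "keyring-user-key" ;;  # loaded from user space
        *)                           echo "raw-key" ;;           # hex key visible in the table
    esac
}

# audit_live_mappings: run the check on every device-mapper target of a
# running module (needs root; --showkeys keeps the key field unmasked).
audit_live_mappings() {
    dmsetup table --showkeys | while IFS= read -r line; do
        printf '%-20s %s\n' "${line%%:*}" "$(classify_crypt_line "$line")"
    done
}

# Constructed sample lines (placeholders, not captured from a real module):
SAMPLE_TRUSTED='cryptdata: 0 2097152 crypt aes-xts-plain64 :64:trusted:dm-key 0 /dev/mmcblk0p2 0'
SAMPLE_LOGON='cryptdata: 0 2097152 crypt aes-cbc-essiv:sha256 :32:logon:cryptsetup:1234-d0 0 /dev/mmcblk0p2 0 1 allow_discards'
SAMPLE_RAW='cryptdata: 0 2097152 crypt aes-xts-plain64 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 0 /dev/mmcblk0p2 0'
SAMPLE_LINEAR='rootfs: 0 1048576 linear /dev/mmcblk0p3 0'

for s in "$SAMPLE_TRUSTED" "$SAMPLE_LOGON" "$SAMPLE_RAW" "$SAMPLE_LINEAR"; do
    printf '%-20s %s\n' "${s%%:*}" "$(classify_crypt_line "$s")"
done
```

On a module, run `audit_live_mappings` as root: the encrypted data partition should report `trusted-key`. Two caveats: an `encrypted` key only inherits hardware protection if its master key is itself a `trusted` key, which the table line alone cannot show (inspect the keyring with `keyctl show`), and which backend actually seals trusted keys is a kernel setting (the `trusted.source` parameter on recent kernels), so a `trusted-key` result should be read together with the kernel command line.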

Trusted Execution Environment

A Trusted Execution Environment (TEE) is an isolated execution environment in which code and data are protected for confidentiality and integrity, even from the operating system running beside it. TEEs are suited to holding secrets such as encryption keys and to running sensitive operations such as biometric authentication and digital payments. OP-TEE, an open-source TEE, runs in the secure world of Arm TrustZone on Cortex-A processors alongside the non-secure Linux kernel; Linux applications reach trusted applications inside OP-TEE only through the TEE's client interface. OP-TEE is supported on specific System-on-Modules (SoMs).

You can use the meta-toradex-security layer provided by Toradex to build a Torizon OS image capable of running OP-TEE. It requires you to Build Torizon OS from Source With Yocto Project/OpenEmbedded.

OP-TEE support is available for the Verdin iMX8M Plus.

Refer to the GitHub documentation for instructions on how to use this feature: meta-toradex-security: README-optee.
