The default Digi Embedded Yocto root file system is writable. This allows users to modify configuration files and add or remove other files. You can also build a read-only root file system with Digi Embedded Yocto. A read-only root file system has several advantages:
- You can separate user-specific changes from system configuration.
- It allows for factory reset by erasing the user data from the writable partition.
- With TrustFence, you can sign the root file system image and authenticate it at boot because the image will not change.
Configure your project for read-only rootfs
To build an image with read-only rootfs, edit your project's conf/local.conf configuration file and add:
EXTRA_IMAGE_FEATURES += "read-only-rootfs"
read-only-rootfs is a Yocto IMAGE_FEATURE. When you add this IMAGE_FEATURE to your project, Yocto changes some recipes to prevent them from modifying root file system files at runtime.
Build the read-only rootfs image
Build an image for your project, such as:
$ bitbake dey-image-qt
The build produces a SQUASHFS root file system image called dey-image-qt-xwayland-ccimx6qpsbc.squashfs.
Signed read-only rootfs (optional)
If TrustFence is enabled, Digi Embedded Yocto signs the read-only rootfs image. This forces closed devices to authenticate the read-only rootfs before booting.
See Secure boot for more information.
Prepare your target for read-only rootfs
- Use the update command to program the SQUASHFS root file system image directly on the target. For example:
=> update rootfs tftp dey-image-qt-xwayland-ccimx6qpsbc.squashfs
- Boot the target:
=> boot
If TrustFence is enabled, the rootfs image is authenticated before boot.
You can see in the boot log that the root file system is mounted read-only:
...
platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
ALSA device list:
#0: imx-max98088
VFS: Mounted root (squashfs filesystem) readonly on device 179:3.
devtmpfs: mounted
Freeing unused kernel memory: 2496K...
The post-installation script that formats the data partition is not available on read-only file systems, so you must format the partition manually. To do so:
# mkfs.ext4 /dev/mmcblk0p7
Customize the read-only file system
Read-only root file systems do not allow modification of system configuration files, such as network settings or ConnectCore Cloud Services settings. There are two methods to overcome this:
- Modify configuration files at build time.
- Mount an overlay file system over the read-only root file system.
Modify configuration files at build time
This method creates fixed configuration files at build time that become part of the final read-only root file system.
- Advantages
  - The system is fully read-only, but configured with your desired settings.
- Disadvantages
  - Any device programmed with the read-only image will have exactly the same settings, which may be inconvenient if several devices are working in the same network.
Network settings
To configure Ethernet, see Configure Ethernet connection from Digi Embedded Yocto.
To configure Wi-Fi, see Configure Wi-Fi connection from Digi Embedded Yocto.
To configure cellular, see Configure cellular connection from Digi Embedded Yocto.
ConnectCore Cloud Services settings
The default path for downloading firmware files (/mnt/update) is not writable on dual boot devices that use a read-only root file system. For the CCCS firmware update service to work properly, you must change the cccs.conf configuration to either:
- enable on-the-fly updates by setting on_the_fly to true, or
- use buffered updates with a firmware_download_path pointing to a writable directory with enough space for update packages.
Other system settings
For any system configuration file that you want to modify, do the following:
- Locate the recipe that contains and installs the configuration file.
- If the file is installed by the meta-digi layer, edit the file and apply your modifications. If not, create a *.bbappend recipe (either in the meta-digi layer or in a custom layer with a higher priority) that overrides the configuration file with your changes.
Mount an overlay file system
Yocto read-only support allows you to define overlays. Overlays are mount points that place folders from a read-write partition over the read-only root file system. This creates a union file system between the read-only and the read-write partitions. The overlaid folders and their files become read-write, and modifications are stored on the read-write partition.
By default, Digi provides a preconfigured overlay over the /etc/ folder, where most configuration files are located.
To enable an image with overlayfs-etc, edit your project's conf/local.conf configuration file and add:
EXTRA_IMAGE_FEATURES += "read-only-rootfs overlayfs-etc"
IMAGE_FEATURES:remove = "package-management"
By default this is the configuration provided:
OVERLAYFS_ETC_MOUNT_POINT = "/mnt/data"
OVERLAYFS_ETC_DEVICE = "/dev/mmcblk0p7"
OVERLAYFS_ETC_FSTYPE = "ext4"
This configuration can be customized in your project configuration file conf/local.conf.
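A post-boot check covering the manual data-partition step above and the overlayfs-etc mount, as an added example that is not part of Digi's documentation or code. It assumes the default OVERLAYFS_ETC_MOUNT_POINT and OVERLAYFS_ETC_DEVICE values from this page; the rootfs device number and the overlay upper/work paths in the constructed /proc/mounts sample are assumptions.

```shell
#!/bin/sh
# Added example (not Digi's code): verify that a target really booted with a
# read-only squashfs root, a formatted data partition and /etc overlaid on it.
# Each check takes the text of /proc/mounts as $1 so it runs offline too.
DATA_MNT="/mnt/data"        # page default: OVERLAYFS_ETC_MOUNT_POINT
DATA_DEV="/dev/mmcblk0p7"   # page default: OVERLAYFS_ETC_DEVICE

# Constructed /proc/mounts sample for a correctly provisioned target (paths
# under /mnt/data are assumed, not taken from the page).
SAMPLE_MOUNTS='/dev/mmcblk0p3 / squashfs ro,relatime 0 0
devtmpfs /dev devtmpfs rw,relatime,size=1024k,nr_inodes=1024,mode=755 0 0
/dev/mmcblk0p7 /mnt/data ext4 rw,relatime 0 0
overlay /etc overlay rw,relatime,lowerdir=/etc,upperdir=/mnt/data/overlay-etc/upper,workdir=/mnt/data/overlay-etc/work 0 0'

# Succeeds if "/" is a squashfs carrying the "ro" mount option.
rootfs_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "/" && $3 == "squashfs" && ("," $4 ",") ~ /,ro,/ { found = 1 }
        END { exit !found }'
}
# Succeeds if DATA_DEV is mounted read-write on DATA_MNT. A failure right
# after programming usually means the partition still needs mkfs.ext4.
data_partition_mounted() {
    printf '%s\n' "$1" | awk -v dev="$DATA_DEV" -v mnt="$DATA_MNT" '
        $1 == dev && $2 == mnt && ("," $4 ",") ~ /,rw,/ { found = 1 }
        END { exit !found }'
}
# Succeeds if /etc is an overlay whose upperdir lives under DATA_MNT, i.e.
# /etc changes land on the data partition rather than in RAM or a tmpfs.
etc_overlay_ok() {
    printf '%s\n' "$1" | awk -v data="$DATA_MNT" '
        $2 == "/etc" && $3 == "overlay" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (index(o[i], "upperdir=" data "/") == 1) found = 1
        }
        END { exit !found }'
}
# Runs all checks, prints one verdict per check, returns 0 only if all pass.
check_target() {
    rc=0
    rootfs_is_readonly "$1"     && echo "OK   rootfs is squashfs, read-only" || { echo "FAIL rootfs writable or not squashfs"; rc=1; }
    data_partition_mounted "$1" && echo "OK   $DATA_DEV mounted rw on $DATA_MNT" || { echo "FAIL $DATA_DEV not on $DATA_MNT (run mkfs.ext4?)"; rc=1; }
    etc_overlay_ok "$1"         && echo "OK   /etc overlay upperdir on $DATA_MNT" || { echo "FAIL /etc not overlaid on $DATA_MNT"; rc=1; }
    return $rc
}
# On a real target run: check_target "$(cat /proc/mounts)"
check_target "$SAMPLE_MOUNTS"
```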