Add machine include file for encrypted boot deployment and WIC file for encrypted disk image creation.
encrypted-boot-common.inc provides: - Conditional initramfs deployment to rootfs /boot/ - Build dependency on ti-encrypted-boot-initramfs - Only activates when MACHINE_FEATURES contains 'luks-encryption' sdimage-2part-encryption.wks provides: - 128M boot partition (VFAT, unencrypted) - 400M root partition (ext4, sized for LUKS header overhead) To use encrypted boot in a custom image: MACHINE_FEATURES += "luks-encryption" INITRAMFS_IMAGE = "ti-encrypted-boot-initramfs" WKS_FILE = "sdimage-2part-encryption.wks"
Signed-off-by: Shiva Tripathi <[email protected]>
---
 .../machine/include/encrypted-boot-common.inc | 38 +++++++++++++++++++
 meta-ti-bsp/wic/sdimage-2part-encryption.wks | 6 +++
 2 files changed, 44 insertions(+)
 create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
 create mode 100644 meta-ti-bsp/wic/sdimage-2part-encryption.wks
diff --git a/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
new file mode 100644
index 00000000..231c357c
--- /dev/null
+++ b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
@@ -0,0 +1,38 @@
+# Common logic for encrypted boot with TPM-sealed LUKS keys
+#
+# This include file provides functionality to deploy ti-encrypted-boot-initramfs
+# into the root filesystem for encrypted boot scenarios.
+#
+# To use this in your custom image, add to your image bbappend:
+# require conf/machine/include/encrypted-boot-common.inc
+#
+# This will activate when MACHINE_FEATURES contains 'luks-encryption'
+
+# Install uncompressed initramfs.cpio to rootfs /boot/
+install_initramfs() {
+ # Try with .rootfs suffix first (older Yocto versions)
+ if [ -e ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.rootfs.cpio.gz ]; then
+ install -d ${IMAGE_ROOTFS}/boot
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.rootfs.cpio.gz > ${IMAGE_ROOTFS}/boot/initramfs.cpio
+ # Also deploy to deploy directory for IMAGE_BOOT_FILES
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.rootfs.cpio.gz > ${DEPLOY_DIR_IMAGE}/initramfs.cpio
+ # Try without .rootfs suffix (newer Yocto versions)
+ elif [ -e ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz ]; then
+ install -d ${IMAGE_ROOTFS}/boot
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz > ${IMAGE_ROOTFS}/boot/initramfs.cpio
+ # Also deploy to deploy directory for IMAGE_BOOT_FILES
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz > ${DEPLOY_DIR_IMAGE}/initramfs.cpio
+ else
+ bbwarn "Could not find ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz for deployment"
+ fi
+}
+
+# Only process initramfs for encrypted builds
+ROOTFS_POSTPROCESS_COMMAND:append = " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'install_initramfs;', '', d)} \
+"
+
+# Ensure ti-encrypted-boot-initramfs is built before we try to install it (only for encrypted builds)
+do_rootfs[depends] += " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'ti-encrypted-boot-initramfs:do_image_complete', '', d)} \
+"
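Review bot: The `else` branch of install_initramfs only emits `bbwarn` when neither initramfs artifact exists, so a build that has 'luks-encryption' in MACHINE_FEATURES (the only case in which the function runs, and one for which do_rootfs already depends on ti-encrypted-boot-initramfs:do_image_complete) still completes and produces an image with no initramfs in /boot; for a feature whose whole purpose is unlocking the rootfs, that should be `bbfatal`, so the missing artifact fails the build rather than being noticed at first boot. The two branches are also identical apart from the input path, and the second copy is written to `${DEPLOY_DIR_IMAGE}/initramfs.cpio` without the `${MACHINE}` suffix the input files carry, so multiple machines sharing one deploy directory would presumably overwrite each other's copy; worth confirming against how IMAGE_BOOT_FILES is expected to pick it up. A single lookup loop removes the duplication and makes the failure explicit.
```bitbake
install_initramfs() {
    initramfs=""
    # .rootfs suffix first (older Yocto versions), then without it (newer)
    for candidate in \
        ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.rootfs.cpio.gz \
        ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz; do
        if [ -e "$candidate" ]; then
            initramfs="$candidate"
            break
        fi
    done
    if [ -z "$initramfs" ]; then
        bbfatal "Could not find ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz for deployment"
    fi
    install -d ${IMAGE_ROOTFS}/boot
    gunzip -c "$initramfs" > ${IMAGE_ROOTFS}/boot/initramfs.cpio
    # Also deploy to deploy directory for IMAGE_BOOT_FILES
    gunzip -c "$initramfs" > ${DEPLOY_DIR_IMAGE}/initramfs.cpio
}
# … unchanged: ROOTFS_POSTPROCESS_COMMAND and do_rootfs[depends] …
```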
diff --git a/meta-ti-bsp/wic/sdimage-2part-encryption.wks b/meta-ti-bsp/wic/sdimage-2part-encryption.wks
new file mode 100644
index 00000000..3a1de8d7
--- /dev/null
+++ b/meta-ti-bsp/wic/sdimage-2part-encryption.wks
@@ -0,0 +1,6 @@
+# WIC file for LUKS encryption with fTPM
+# Larger root partition to accommodate LUKS header (32MB) + growth room
+
+part --source bootimg-partition --fstype=vfat --label boot --active --align 1024 --use-uuid --fixed-size 128M
+part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --fixed-size 400M
+
-- 
2.34.1
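Review bot: The root `part` line writes a plain ext4 filesystem that fills the whole 400M partition, so the image as produced is not encrypted, and the header comment does not say when or how the LUKS container is created. If the rootfs is converted in place on the device (which the "sized for LUKS header overhead" wording suggests), the filesystem must first be shrunk by at least the header size, since the header is placed at the start of the partition; `--fixed-size` alone does not leave that gap. The 32MB figure should also be explained, as LUKS2's default header is 16 MiB. I would replace the second comment with `# Root is written as plain ext4; it is converted to a LUKS volume in place at first boot, which requires shrinking the filesystem by the LUKS header size first. 400M = rootfs contents + 32MB header allowance + growth room.` once the conversion step is confirmed.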
