I'd like to request extra time to review this, as I'm a bit sick this week
and this seems like a very major change I'm not very sure about... Please
don't merge.


On Thu, Mar 05, 2026 at 01:08:21AM +0530, Shiva Tripathi via lists.yoctoproject.org wrote:
> This patch series adds LUKS full disk encryption support using firmware TPM
> (fTPM) for TI K3 platforms. The implementation provides hardware-backed
> encryption with keys sealed by TPM running in OP-TEE and stored in eMMC RPMB.
> 
> Background:
> TI K3 platforms do not have integrated discrete TPM hardware. To provide
> TPM 2.0 functionality, this implementation uses firmware TPM (fTPM) - a
> Trusted Application running in OP-TEE secure world. The fTPM provides
> standard TPM 2.0 interfaces while leveraging ARM TrustZone for isolation
> and eMMC RPMB (Replay Protected Memory Block) for secure persistent storage.
> 
> Key features:
> - Conditional builds: Only enabled via MACHINE_FEATURES += "luks-encryption"
> - No impact on default SDK builds
> - In-place encryption on first boot
> - TPM persistent handle for key storage (0x81080001)
> - Secure key storage in eMMC RPMB via OP-TEE
> - Security model similar to CIP Core
> 
> Use case:
> This is designed for K3 platforms requiring secure boot and encrypted
> storage, such as industrial automation, automotive, and IoT gateways where
> discrete TPM chips are cost-prohibitive but security requirements demand
> hardware-backed encryption.
> 
> Testing:
> - Tested on AM62x platform with kernel 6.18
> - First boot: Successful in-place LUKS encryption
> - Subsequent boots: Successful TPM unsealing and boot
> 
> The series is structured as follows:
> 1. Kernel configuration for LUKS and crypto support
> 2. Encrypted boot initramfs infrastructure
> 3. Machine configuration support
> 
> ---
> Changes in v3:
>  - remove separate sdimage.wks for encrypted boot, default works
>  - update encrypted-boot-common.inc to use existing hook for adding TI_CORE_INITRAMFS_ENABLED dependency on luks-encryption flag
>  - add logic to verify if partition has enough space for LUKS header before starting encryption
> 
> Changes in v2:
> - changes to use existing ti-core-initramfs instead of adding separate
> - cleanup in previous init script as per comments in v1
> - /usr/bin/busybox logs updated to echo, mesg, info
> - WORKDIR changed to UNPACKDIR
> - Link to v1: https://lore.kernel.org/all/[email protected]/
> 
> 
> Shiva Tripathi (3):
>   linux-ti-staging: Add LUKS encryption config
>   initramfs: Add LUKS encryption module with fTPM
>   machine: Add encrypted boot configuration
> 
>  .../machine/include/encrypted-boot-common.inc |  16 +
>  .../linux/linux-ti-staging-6.18/luks-ftpm.cfg |  28 ++
>  .../linux/linux-ti-staging_6.18.bb            |   9 +
>  .../initramfs-module-luks-ftpm/luksftpm       | 341 ++++++++++++++++++
>  .../initramfs-module-luks-ftpm_1.0.bb         |  41 +++
>  .../packagegroup-ti-core-initramfs.bb         |   1 +
>  6 files changed, 436 insertions(+)
>  create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
>  create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>  create mode 100644 meta-ti-bsp/recipes-ti/initramfs/initramfs-module-luks-ftpm/luksftpm
>  create mode 100644 meta-ti-bsp/recipes-ti/initramfs/initramfs-module-luks-ftpm_1.0.bb
> 
> -- 
> 2.34.1
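The "enough space for the LUKS header" check that the v3 changelog describes, written as an added POSIX sh example for an initramfs (this is not the series' own luksftpm script). It assumes, beyond what the cover letter states, an ext4 root filesystem, LUKS2 in-place conversion with `cryptsetup reencrypt --encrypt --reduce-device-size`, a 32 MiB header reservation, and a key unsealed from the TPM persistent handle 0x81080001 with tpm2-tools.

```shell
#!/bin/sh
# Added example, not code from the patch series. Assumed (not stated on the
# page): ext4 rootfs, cryptsetup reencrypt --encrypt for in-place conversion,
# 32 MiB reserved for the LUKS2 header (cryptsetup's default data offset for
# this mode is 16 MiB; 32 MiB leaves margin), tpm2-tools for unsealing.

LUKS_HEADER_BYTES=$((32 * 1024 * 1024))

# luks_header_fits PART_BYTES FS_MIN_BYTES
# Succeeds when shrinking the filesystem to FS_MIN_BYTES leaves at least
# LUKS_HEADER_BYTES free at the end of the partition.
luks_header_fits() {
    part_bytes=$1
    fs_min_bytes=$2
    [ "$((part_bytes - fs_min_bytes))" -ge "$LUKS_HEADER_BYTES" ]
}

# target_fs_bytes PART_BYTES
# Prints the size the filesystem must be shrunk to before encrypting.
target_fs_bytes() {
    echo $(( $1 - LUKS_HEADER_BYTES ))
}

# encrypt_rootfs_in_place DEV
# Refuses to touch the device unless the space check passes; on success the
# rootfs is shrunk and converted in place with the fTPM-unsealed key.
encrypt_rootfs_in_place() {
    dev=$1
    part_bytes=$(blockdev --getsize64 "$dev") || return 1
    # ext4 block size and minimum size (in blocks) from e2fsprogs
    blk=$(dumpe2fs -h "$dev" 2>/dev/null | sed -n 's/^Block size: *//p')
    min_blocks=$(resize2fs -P "$dev" 2>/dev/null | sed 's/.*: *//')
    if [ -z "$blk" ] || [ -z "$min_blocks" ]; then
        echo "$dev: cannot determine filesystem size, skipping encryption"
        return 1
    fi
    if ! luks_header_fits "$part_bytes" "$((min_blocks * blk))"; then
        echo "$dev: not enough free space for LUKS header, skipping encryption"
        return 1
    fi
    target_k=$(( $(target_fs_bytes "$part_bytes") / 1024 ))
    e2fsck -f -y "$dev"
    resize2fs "$dev" "${target_k}K" || return 1
    # Key material comes from the persistent handle named in the series and is
    # passed on stdin so it never lands on the (unencrypted) filesystem.
    tpm2_unseal -c 0x81080001 | cryptsetup reencrypt --encrypt \
        --reduce-device-size 32M --key-file - "$dev"
}
```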