On 3/4/2026 5:00 PM, Denys Dmytriyenko wrote:
I'd like to request extra time to review this, as I'm a bit sick this week
and this seems like a very major change I'm not very sure about... Please
don't merge.
Don't worry. I wasn't going to until you had a chance to review it
since you have experience with this.
On Thu, Mar 05, 2026 at 01:08:21AM +0530, Shiva Tripathi via lists.yoctoproject.org wrote:
This patch series adds LUKS full disk encryption support using firmware TPM
(fTPM) for TI K3 platforms. The implementation provides hardware-backed
encryption with keys sealed by TPM running in OP-TEE and stored in eMMC RPMB.
Background:
TI K3 platforms do not have integrated discrete TPM hardware. To provide
TPM 2.0 functionality, this implementation uses firmware TPM (fTPM) - a
Trusted Application running in OP-TEE secure world. The fTPM provides
standard TPM 2.0 interfaces while leveraging ARM TrustZone for isolation
and eMMC RPMB (Replay Protected Memory Block) for secure persistent storage.
Key features:
- Conditional builds: Only enabled via MACHINE_FEATURES += "luks-encryption"
- No impact on default SDK builds
- In-place encryption on first boot
- TPM persistent handle for key storage (0x81080001)
- Secure key storage in eMMC RPMB via OP-TEE
- Security model similar to CIP Core
Use case:
This is designed for K3 platforms requiring secure boot and encrypted
storage, such as industrial automation, automotive, and IoT gateways where
discrete TPM chips are cost-prohibitive but security requirements demand
hardware-backed encryption.
Testing:
- Tested on AM62x platform with kernel 6.18
- First boot: Successful in-place LUKS encryption
- Subsequent boots: Successful TPM unsealing and boot
The series is structured as follows:
1. Kernel configuration for LUKS and crypto support
2. Encrypted boot initramfs infrastructure
3. Machine configuration support
---
Changes in v3:
- remove separate sdimage.wks for encrypted boot, default works
- update encrypted-boot-common.inc to use existing hook for adding
TI_CORE_INITRAMFS_ENABLED dependency on luks-encryption flag
- add logic to verify if partition has enough space for LUKS header before
starting encryption
Changes in v2:
- changes to use existing ti-core-initramfs instead of adding separate
- cleanup in previous init script as per comments in v1
- /usr/bin/busybox logs updated to echo, mesg, info
- WORKDIR changed to UNPACKDIR
- Link to v1:
https://lore.kernel.org/all/[email protected]/
Shiva Tripathi (3):
linux-ti-staging: Add LUKS encryption config
initramfs: Add LUKS encryption module with fTPM
machine: Add encrypted boot configuration
.../machine/include/encrypted-boot-common.inc | 16 +
.../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 ++
.../linux/linux-ti-staging_6.18.bb | 9 +
.../initramfs-module-luks-ftpm/luksftpm | 341 ++++++++++++++++++
.../initramfs-module-luks-ftpm_1.0.bb | 41 +++
.../packagegroup-ti-core-initramfs.bb | 1 +
6 files changed, 436 insertions(+)
create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
create mode 100644 meta-ti-bsp/recipes-ti/initramfs/initramfs-module-luks-ftpm/luksftpm
create mode 100644 meta-ti-bsp/recipes-ti/initramfs/initramfs-module-luks-ftpm_1.0.bb
--
2.34.1
--
Ryan Eatmon [email protected]
-----------------------------------------
Texas Instruments, Inc. - LCPD - MGTS
View/Reply Online (#19653): https://lists.yoctoproject.org/g/meta-ti/message/19653