| Message ID | 20260304193824.2495898-4-s-tripathi1@ti.com |
|---|---|
| State | New |
| Series | Add LUKS encryption with fTPM support |
On 3/4/2026 1:38 PM, Shiva Tripathi wrote: > Add encrypted-boot-common.inc for machines supporting LUKS encryption > with fTPM. Triggers ti-core-initramfs build and overrides IMAGE_FILE > to use uncompressed cpio. > > Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> > --- > .../machine/include/encrypted-boot-common.inc | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc > > diff --git a/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc > new file mode 100644 > index 00000000..10a5cb86 > --- /dev/null > +++ b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc > @@ -0,0 +1,16 @@ > +# Common logic for encrypted boot with TPM-sealed LUKS keys > +# > +# This include file enables ti-core-initramfs with LUKS encryption support > +# via the initramfs-module-luks-ftpm hook module. > +# > +# To use this in custom image, add to your image bbappend: > +# require conf/machine/include/encrypted-boot-common.inc > +# > +# This will activate when MACHINE_FEATURES contains 'luks-encryption' > + > +TI_CORE_INITRAMFS_EXTRA_INSTALL:append = "${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', ' ', '', d)}" This line does absolutely nothing and is not needed. > + > +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'true', 'false', d) else '0'}" > + > +# Override to use uncompressed cpio (U-Boot can't decompress XZ format) > +TI_CORE_INITRAMFS_IMAGE_FILE = "${TI_CORE_INITRAMFS_IMAGE}.cpio;initramfs.cpio" You misunderstood. This file should not exist. All of this should be in the existing conf/machine/include/ti-core-initramfs.inc file. You are just adding a single option to the existing settings for TI_CORE_INITRAMFS_ENABLED.
On 3/5/26 02:14, Ryan Eatmon wrote: > > > On 3/4/2026 1:38 PM, Shiva Tripathi wrote: >> Add encrypted-boot-common.inc for machines supporting LUKS encryption >> with fTPM. Triggers ti-core-initramfs build and overrides IMAGE_FILE >> to use uncompressed cpio. >> >> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> >> --- >> .../machine/include/encrypted-boot-common.inc | 16 ++++++++++++++++ >> 1 file changed, 16 insertions(+) >> create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot- >> common.inc >> >> diff --git a/meta-ti-bsp/conf/machine/include/encrypted-boot- >> common.inc b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc >> new file mode 100644 >> index 00000000..10a5cb86 >> --- /dev/null >> +++ b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc 
>> @@ -0,0 +1,16 @@ >> +# Common logic for encrypted boot with TPM-sealed LUKS keys >> +# >> +# This include file enables ti-core-initramfs with LUKS encryption >> support >> +# via the initramfs-module-luks-ftpm hook module. >> +# >> +# To use this in custom image, add to your image bbappend: >> +# require conf/machine/include/encrypted-boot-common.inc >> +# >> +# This will activate when MACHINE_FEATURES contains 'luks-encryption' >> + >> +TI_CORE_INITRAMFS_EXTRA_INSTALL:append = >> "${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', ' ', '', >> d)}" > > This line does absolutely nothing and is not needed. > >> + >> +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if >> d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or >> d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or >> bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'true', >> 'false', d) else '0'}" >> + >> +# Override to use uncompressed cpio (U-Boot can't decompress XZ format) >> +TI_CORE_INITRAMFS_IMAGE_FILE = >> "${TI_CORE_INITRAMFS_IMAGE}.cpio;initramfs.cpio" > > You misunderstood. This file should not exist. All of this should be > in the existing conf/machine/include/ti-core-initramfs.inc file. You > are just adding a single option to the existing settings for > TI_CORE_INITRAMFS_ENABLED. Thanks for the clarification, makes sense. Will fix this and remove encrypted-boot-common.inc. Thanks, Shiva > > >
diff --git a/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc new file mode 100644 index 00000000..10a5cb86 --- /dev/null +++ b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc @@ -0,0 +1,16 @@ +# Common logic for encrypted boot with TPM-sealed LUKS keys +# +# This include file enables ti-core-initramfs with LUKS encryption support +# via the initramfs-module-luks-ftpm hook module. +# +# To use this in custom image, add to your image bbappend: +# require conf/machine/include/encrypted-boot-common.inc +# +# This will activate when MACHINE_FEATURES contains 'luks-encryption' + +TI_CORE_INITRAMFS_EXTRA_INSTALL:append = "${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', ' ', '', d)}" + +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'true', 'false', d) else '0'}" + +# Override to use uncompressed cpio (U-Boot can't decompress XZ format) +TI_CORE_INITRAMFS_IMAGE_FILE = "${TI_CORE_INITRAMFS_IMAGE}.cpio;initramfs.cpio"
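Review bot: In the TI_CORE_INITRAMFS_ENABLED default, bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'true', 'false', d) returns the string 'true' or 'false', and both are non-empty and therefore truthy in the Python or-chain, so the expression evaluates to '1' whether or not luks-encryption is set. Pass the booleans True and False as the third and fourth arguments so the feature actually gates the default. The TI_CORE_INITRAMFS_IMAGE_FILE assignment at the end of the hunk has a related problem: it uses a plain = and is unconditional, while the header comment says the file activates only when MACHINE_FEATURES contains 'luks-encryption', so every including machine is switched to the uncompressed cpio. If that is not intended, make the override conditional on the same feature check.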
Add encrypted-boot-common.inc for machines supporting LUKS encryption with fTPM. Triggers ti-core-initramfs build and overrides IMAGE_FILE to use uncompressed cpio. Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> --- .../machine/include/encrypted-boot-common.inc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc