[meta-ti,master,0/3] Add LUKS encryption with fTPM support

Message ID 20260302144647.1705408-1-s-tripathi1@ti.com

Message

Shiva Tripathi March 2, 2026, 2:46 p.m. UTC
This patch series adds LUKS full disk encryption support using firmware TPM
(fTPM) for TI K3 platforms. The implementation provides hardware-backed
encryption with keys sealed by TPM running in OP-TEE and stored in eMMC RPMB.

Background:
TI K3 platforms do not have integrated discrete TPM hardware. To provide
TPM 2.0 functionality, this implementation uses firmware TPM (fTPM) - a
Trusted Application running in OP-TEE secure world. The fTPM provides
standard TPM 2.0 interfaces while leveraging ARM TrustZone for isolation
and eMMC RPMB (Replay Protected Memory Block) for secure persistent storage.

Key features:
- Conditional builds: Only enabled via MACHINE_FEATURES += "luks-encryption"
- No impact on default SDK builds (COMPATIBLE_MACHINE = "null")
- In-place encryption on first boot
- TPM persistent handle for key storage (0x81080001)
- Secure key storage in eMMC RPMB via OP-TEE
- Security model similar to CIP Core

Use case:
This is designed for K3 platforms requiring secure boot and encrypted
storage, such as industrial automation, automotive, and IoT gateways where
discrete TPM chips are cost-prohibitive but security requirements demand
hardware-backed encryption.

Testing:
- Tested on AM62x platform with kernel 6.18
- First boot: Successful in-place LUKS encryption
- Subsequent boots: Successful TPM unsealing and boot

The series is structured as follows:
1. Kernel configuration for LUKS and crypto support
2. Encrypted boot initramfs infrastructure
3. Machine configuration and WIC support

Shiva Tripathi (3):
  linux-ti-staging: Add LUKS encryption config
  initramfs: Add encrypted boot support with fTPM
  conf: Add encrypted boot machine config and WIC file

 .../machine/include/encrypted-boot-common.inc |  38 ++
 .../linux/linux-ti-staging-6.18/luks-ftpm.cfg |  28 ++
 .../linux/linux-ti-staging_6.18.bb            |   9 +
 .../initramfs-ti-encrypted-init/files/init    | 324 ++++++++++++++++++
 .../initramfs-ti-encrypted-init_1.0.bb        |  30 ++
 .../initramfs/ti-encrypted-boot-initramfs.bb  |  50 +++
 meta-ti-bsp/wic/sdimage-2part-encryption.wks  |   6 +
 7 files changed, 485 insertions(+)
 create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
 create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
 create mode 100644 meta-ti-bsp/recipes-ti/initramfs/initramfs-ti-encrypted-init/files/init
 create mode 100644 meta-ti-bsp/recipes-ti/initramfs/initramfs-ti-encrypted-init_1.0.bb
 create mode 100644 meta-ti-bsp/recipes-ti/initramfs/ti-encrypted-boot-initramfs.bb
 create mode 100644 meta-ti-bsp/wic/sdimage-2part-encryption.wks
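
The cover letter's boot model, as an added worked example that is not code from this series or from meta-ti: on every boot the initramfs init has to decide whether the root partition is still plaintext (first boot, encrypt in place) or already carries a LUKS header (later boots, unseal the key from the fTPM and open the volume). The POSIX sh below makes that decision by reading the six-byte LUKS header magic directly, rejects any configured handle outside the TPM 2.0 persistent range that 0x81080001 belongs to, and returns the action to take. The function names, the TPM_HANDLE variable and the image files used as input are illustrative assumptions, not identifiers from the patches.

```shell
#!/bin/sh
# Added example, not part of the meta-ti series: decide on each boot whether the
# root partition must be encrypted in place (first boot) or unsealed and opened
# (every later boot). Function names and TPM_HANDLE are illustrative assumptions.

# Persistent handle named in the cover letter; overridable from the environment.
TPM_HANDLE="${TPM_HANDLE:-0x81080001}"

# Every LUKS1/LUKS2 primary header begins with the magic "LUKS\xba\xbe".
LUKS_MAGIC_HEX="4c554b53babe"

# Return 0 if the device (or image file) already carries a LUKS header.
# Reads only the first six bytes, so it is safe to run on a plaintext rootfs.
# A real initramfs would use `cryptsetup isLuks "$dev"` for the same test.
is_luks_device() {
    dev="$1"
    [ -r "$dev" ] || return 2
    magic=$(od -An -tx1 -N6 "$dev" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "$LUKS_MAGIC_HEX" ]
}

# Return 0 if the handle is an 8-hex-digit value in the TPM 2.0 persistent
# range 0x81000000-0x81FFFFFF (TPM_HT_PERSISTENT). Anything else is rejected
# before it could be passed on to tpm2_unseal.
is_persistent_handle() {
    case "$1" in
        0x[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 1 ;;
    esac
    h=$(( $1 ))
    [ "$h" -ge $(( 0x81000000 )) ] && [ "$h" -le $(( 0x81FFFFFF )) ]
}

# Print the action for this boot: "encrypt" for a plaintext root device,
# "unseal" for a device that is already LUKS, "error" (status 1) if the
# device is unreadable or the configured handle is not a persistent one.
boot_action() {
    dev="$1"
    if ! is_persistent_handle "$TPM_HANDLE"; then
        echo error
        return 1
    fi
    if [ ! -r "$dev" ]; then
        echo error
        return 1
    fi
    if is_luks_device "$dev"; then
        echo unseal
    else
        echo encrypt
    fi
}

# Stand-alone run: report what the init script would do for the given device,
# e.g. sh encrypted-boot-check.sh /dev/mmcblk0p2 (hypothetical device name).
if [ -n "$1" ]; then
    boot_action "$1"
fi
```

In a real initramfs the header test would be `cryptsetup isLuks "$dev"`, the unseal branch would pipe `tpm2_unseal -c "$TPM_HANDLE"` into `cryptsetup open --key-file -`, and the encrypt branch would be LUKS2 in-place encryption (`cryptsetup reencrypt --encrypt`), which needs free space at the end of the partition for the new header; how the series arranges that is not visible from the cover letter. One caveat worth checking in the init script itself: a key kept at a persistent handle with neither an auth value nor a PCR policy is unsealed for any software that can reach the fTPM, so binding the unseal to the measured boot chain is what makes the scheme tamper-resistant rather than merely hardware-backed.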

Comments

PRC Automation March 2, 2026, 5:15 p.m. UTC | #1
meta-ti / na / 20260302144647.1705408-1-s-tripathi1

PRC Results: FAIL

=========================================================
  check-yocto-patches: PASS
=========================================================
Patches
----------------------------------------
WARN - [meta-ti][master][PATCH 3/3] conf: Add encrypted boot machine config and WIC file
    WARN: Commit message does not include file/recipe name: conf: Add encrypted boot machine config and WIC file. (COMMIT-MESSAGE-2)
        patch
    
    WARN: Commit message should not include directory path to recipe: conf: Add encrypted boot machine config and WIC file.
              conf (COMMIT-MESSAGE-3)
        patch
    
    For details on the above errors/warnings visit: https://lists.yoctoproject.org/g/meta-ti/wiki/40887
=========================================================
  apply-yocto-patch: PASS
=========================================================
master
=====================
Summary:
- Patch Series: [meta-ti][master][PATCH 0/3] Add LUKS encryption with fTPM support
- Submitter: From: Shiva Tripathi <s-tripathi1@ti.com>
- Date: Date: Mon, 2 Mar 2026 20:16:44 +0530
- Num Patches: 3
- Mailing List (public inbox) Commit SHA: 4475e4a802dc8bc2467c55cbe25e8611f6fdb65e

Applied to:
- Repository: lcpd-prc-meta-ti
- Base Branch: master-wip
- Commit Author: Denys Dmytriyenko (TI) <denys@konsulko.com>
- Commit Subject: beagle-bsp: unset TI_CORE_INITRAMFS_KERNEL_MODULES
- Commit SHA: df144cc0cc142a207378242da10340ada2174c44

Patches
----------------------------------------
All patches applied
=========================================================
  check-yocto-repo: FAIL
=========================================================
master
=====================
FAIL
    WARN: Are you missing a PV = "...". (PV-1)
        meta-ti-bsp/recipes-ti/initramfs/ti-encrypted-boot-initramfs.bb
    
    For details on the above errors/warnings visit: https://lists.yoctoproject.org/g/meta-ti/wiki/40887