new file mode 100644
@@ -0,0 +1,38 @@
+# Common logic for encrypted boot with TPM-sealed LUKS keys
+#
+# This include file provides functionality to deploy ti-encrypted-boot-initramfs
+# into the root filesystem for encrypted boot scenarios.
+#
+# To use this in your custom image, add to your image bbappend:
+# require conf/machine/include/encrypted-boot-common.inc
+#
+# This will activate when MACHINE_FEATURES contains 'luks-encryption'
+
+# Install uncompressed initramfs.cpio to rootfs /boot/
+install_initramfs() {
+ # Try with .rootfs suffix first (older Yocto versions)
+ if [ -e ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.rootfs.cpio.gz ]; then
+ install -d ${IMAGE_ROOTFS}/boot
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.rootfs.cpio.gz > ${IMAGE_ROOTFS}/boot/initramfs.cpio
+ # Also deploy to deploy directory for IMAGE_BOOT_FILES
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.rootfs.cpio.gz > ${DEPLOY_DIR_IMAGE}/initramfs.cpio
+ # Try without .rootfs suffix (newer Yocto versions)
+ elif [ -e ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz ]; then
+ install -d ${IMAGE_ROOTFS}/boot
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz > ${IMAGE_ROOTFS}/boot/initramfs.cpio
+ # Also deploy to deploy directory for IMAGE_BOOT_FILES
+ gunzip -c ${DEPLOY_DIR_IMAGE}/ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz > ${DEPLOY_DIR_IMAGE}/initramfs.cpio
+ else
+ bbwarn "Could not find ti-encrypted-boot-initramfs-${MACHINE}.cpio.gz for deployment"
+ fi
+}
+
+# Only process initramfs for encrypted builds
+ROOTFS_POSTPROCESS_COMMAND:append = " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'install_initramfs;', '', d)} \
+"
+
+# Ensure ti-encrypted-boot-initramfs is built before we try to install it (only for encrypted builds)
+do_rootfs[depends] += " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'ti-encrypted-boot-initramfs:do_image_complete', '', d)} \
+"
new file mode 100644
@@ -0,0 +1,6 @@
+# WIC file for LUKS encryption with fTPM
+# Larger root partition to accommodate LUKS header (32MB) + growth room
+
+part --source bootimg-partition --fstype=vfat --label boot --active --align 1024 --use-uuid --fixed-size 128M
+part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --fixed-size 400M
+
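Review bot: The header on L44 justifies the 400M size with a 32MB LUKS header, but the `part /` line on L47 produces a plain ext4 root and wic encrypts nothing, so the comment should say what performs the conversion and where the figure comes from (a LUKS2 header defaults to 16MiB; 32MB may be deliberate headroom for an in-place re-encryption, presumably done by ti-encrypted-boot-initramfs — confirm). Suggested wording for L44: `# wic writes a plaintext ext4 root; in-place LUKS conversion (by the encrypted-boot initramfs) needs free space for the LUKS2 header (16MiB default, 32MB reserved) - --fixed-size fails the build if the rootfs outgrows 400M`. L46 should also name the trust boundary it creates: `# boot stays unencrypted: the kernel/initramfs here must be covered by secure boot, or the TPM unseal path can be tampered with offline`. If `--use-uuid` on the root line is meant to feed `root=PARTUUID=` to the kernel, the initramfs has to translate that to the opened LUKS mapper device — verify against the initramfs, since nothing in this file shows it.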
Add machine include file for encrypted boot deployment and WIC file for encrypted disk image creation. encrypted-boot-common.inc provides: - Conditional initramfs deployment to rootfs /boot/ - Build dependency on ti-encrypted-boot-initramfs - Only activates when MACHINE_FEATURES contains 'luks-encryption' sdimage-2part-encryption.wks provides: - 128M boot partition (VFAT, unencrypted) - 400M root partition (ext4, sized for LUKS header overhead) To use encrypted boot in a custom image: MACHINE_FEATURES += "luks-encryption" INITRAMFS_IMAGE = "ti-encrypted-boot-initramfs" WKS_FILE = "sdimage-2part-encryption.wks" Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> --- .../machine/include/encrypted-boot-common.inc | 38 +++++++++++++++++++ meta-ti-bsp/wic/sdimage-2part-encryption.wks | 6 +++ 2 files changed, 44 insertions(+) create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc create mode 100644 meta-ti-bsp/wic/sdimage-2part-encryption.wks