[meta-ti,master,v3,3/3] machine: Add encrypted boot configuration

Message ID 20260304193824.2495898-4-s-tripathi1@ti.com
State New
Series Add LUKS encryption with fTPM support

Commit Message

Shiva Tripathi March 4, 2026, 7:38 p.m. UTC
Add encrypted-boot-common.inc for machines supporting LUKS encryption
with fTPM. Triggers ti-core-initramfs build and overrides IMAGE_FILE
to use uncompressed cpio.

Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
---
 .../machine/include/encrypted-boot-common.inc    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc

Comments

Ryan Eatmon March 4, 2026, 8:44 p.m. UTC | #1
On 3/4/2026 1:38 PM, Shiva Tripathi wrote:
> Add encrypted-boot-common.inc for machines supporting LUKS encryption
> with fTPM. Triggers ti-core-initramfs build and overrides IMAGE_FILE
> to use uncompressed cpio.
> 
> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
> ---
>   .../machine/include/encrypted-boot-common.inc    | 16 ++++++++++++++++
>   1 file changed, 16 insertions(+)
>   create mode 100644 meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
> 
> diff --git a/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
> new file mode 100644
> index 00000000..10a5cb86
> --- /dev/null
> +++ b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
> @@ -0,0 +1,16 @@
> +# Common logic for encrypted boot with TPM-sealed LUKS keys
> +#
> +# This include file enables ti-core-initramfs with LUKS encryption support
> +# via the initramfs-module-luks-ftpm hook module.
> +#
> +# To use this in custom image, add to your image bbappend:
> +#   require conf/machine/include/encrypted-boot-common.inc
> +#
> +# This will activate when MACHINE_FEATURES contains 'luks-encryption'
> +
> +TI_CORE_INITRAMFS_EXTRA_INSTALL:append = "${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', ' ', '', d)}"

This line does absolutely nothing and is not needed.

> +
> +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'true', 'false', d) else '0'}"
> +
> +# Override to use uncompressed cpio (U-Boot can't decompress XZ format)
> +TI_CORE_INITRAMFS_IMAGE_FILE = "${TI_CORE_INITRAMFS_IMAGE}.cpio;initramfs.cpio"
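
Review bot: The TI_CORE_INITRAMFS_IMAGE_FILE assignment on the last line of this hunk is a hard "=" with no condition, so the switch to uncompressed cpio applies to every configuration that pulls in this file, while the header comment says the logic only activates when MACHINE_FEATURES contains 'luks-encryption'. Gate the value on the same bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', ...) check used elsewhere in the hunk, or use a weaker assignment so a machine can still override it. The header comment also tells users to "require" a conf/machine/include file from an image bbappend, which should be documented or corrected, since the variables set here are machine-level configuration.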

You misunderstood.   This file should not exist.  All of this should be 
in the existing conf/machine/include/ti-core-initramfs.inc file.  You 
are just adding a single option to the existing settings for 
TI_CORE_INITRAMFS_ENABLED.

Patch

diff --git a/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
new file mode 100644
index 00000000..10a5cb86
--- /dev/null
+++ b/meta-ti-bsp/conf/machine/include/encrypted-boot-common.inc
@@ -0,0 +1,16 @@ 
+# Common logic for encrypted boot with TPM-sealed LUKS keys
+#
+# This include file enables ti-core-initramfs with LUKS encryption support
+# via the initramfs-module-luks-ftpm hook module.
+#
+# To use this in custom image, add to your image bbappend:
+#   require conf/machine/include/encrypted-boot-common.inc
+#
+# This will activate when MACHINE_FEATURES contains 'luks-encryption'
+
+TI_CORE_INITRAMFS_EXTRA_INSTALL:append = "${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', ' ', '', d)}"
+
+TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'true', 'false', d) else '0'}"
+
+# Override to use uncompressed cpio (U-Boot can't decompress XZ format)
+TI_CORE_INITRAMFS_IMAGE_FILE = "${TI_CORE_INITRAMFS_IMAGE}.cpio;initramfs.cpio"
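
Review bot: In the TI_CORE_INITRAMFS_ENABLED expression, bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'true', 'false', d) returns the string 'true' or 'false', and both are non-empty strings, so the inline Python "or" chain is truthy either way and the variable defaults to '1' even when luks-encryption is absent and the other two variables are empty. Pass Python booleans as the result values (True, False), or compare the returned string to 'true', so the initramfs is only enabled when one of the three conditions actually holds. Separately, the :append on TI_CORE_INITRAMFS_EXTRA_INSTALL adds only ' ' when the feature is set, so the initramfs-module-luks-ftpm module named in the header comment is not installed by anything in this file; either name the package in the append or drop the line and the comment.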