
[meta-ti,master,v4,1/3] linux-ti-staging: Add LUKS encryption config

Message ID 20260305172148.3684377-1-s-tripathi1@ti.com
State Changes Requested
Delegated to: Ryan Eatmon
Series: Add LUKS encryption with fTPM support

Commit Message

Shiva Tripathi March 5, 2026, 5:21 p.m. UTC
Add conditional kernel configuration fragment for LUKS encryption with
fTPM support. This enables dm-crypt and necessary crypto algorithms
when MACHINE_FEATURES contains 'luks-encryption'.

Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
---
 .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
 .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
 2 files changed, 37 insertions(+)
 create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg

Comments

Andrew Davis March 5, 2026, 8:13 p.m. UTC | #1
On 3/5/26 11:21 AM, Shiva Tripathi via lists.yoctoproject.org wrote:
> Add conditional kernel configuration fragment for LUKS encryption with
> fTPM support. This enables dm-crypt and necessary crypto algorithms
> when MACHINE_FEATURES contains 'luks-encryption'.
> 
> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
> ---
>   .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
>   .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
>   2 files changed, 37 insertions(+)
>   create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> 
> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> new file mode 100644
> index 00000000..234cc087
> --- /dev/null
> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> @@ -0,0 +1,28 @@
> +# Device Mapper support
> +CONFIG_MD=y
> +CONFIG_BLK_DEV_DM=y
> +CONFIG_DM_CRYPT=y
> +
> +# Crypto algorithms for LUKS
> +CONFIG_CRYPTO_XTS=y
> +CONFIG_CRYPTO_AES=y
> +CONFIG_CRYPTO_AES_ARM64=y
> +CONFIG_CRYPTO_AES_ARM64_CE=y
> +CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
> +CONFIG_CRYPTO_SHA256=y
> +CONFIG_CRYPTO_SHA256_ARM64=y

Tell me more about this symbol, why did you pick it and what does it do.

Andrew

> +CONFIG_CRYPTO_SHA512=y
> +CONFIG_CRYPTO_USER_API_HASH=y
> +CONFIG_CRYPTO_USER_API_SKCIPHER=y
> +
> +# Additional crypto support for LUKS2
> +CONFIG_CRYPTO_CBC=y
> +CONFIG_CRYPTO_ECB=y
> +CONFIG_CRYPTO_ESSIV=y
> +CONFIG_CRYPTO_LRW=y
> +CONFIG_CRYPTO_PCBC=y
> +
> +# TPM kernel modules needed for initramfs
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_CRB=m
> +
> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> index 8e4ccd7d..69d6217f 100644
> --- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> @@ -35,3 +35,12 @@ module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
>   module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
>   module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
>   KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
> +
> +# LUKS encryption with fTPM kernel configuration
> +SRC_URI:append:k3 = " \
> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'file://luks-ftpm.cfg', '', d)} \
> +"
> +KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
> +"
> +
Ryan Eatmon March 5, 2026, 8:51 p.m. UTC | #2
On 3/5/2026 11:21 AM, Shiva Tripathi wrote:
> Add conditional kernel configuration fragment for LUKS encryption with
> fTPM support. This enables dm-crypt and necessary crypto algorithms
> when MACHINE_FEATURES contains 'luks-encryption'.
> 
> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
> ---
>   .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
>   .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
>   2 files changed, 37 insertions(+)
>   create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> 
> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> new file mode 100644
> index 00000000..234cc087
> --- /dev/null
> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> @@ -0,0 +1,28 @@
> +# Device Mapper support
> +CONFIG_MD=y
> +CONFIG_BLK_DEV_DM=y
> +CONFIG_DM_CRYPT=y
> +
> +# Crypto algorithms for LUKS
> +CONFIG_CRYPTO_XTS=y
> +CONFIG_CRYPTO_AES=y
> +CONFIG_CRYPTO_AES_ARM64=y
> +CONFIG_CRYPTO_AES_ARM64_CE=y
> +CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
> +CONFIG_CRYPTO_SHA256=y
> +CONFIG_CRYPTO_SHA256_ARM64=y
> +CONFIG_CRYPTO_SHA512=y
> +CONFIG_CRYPTO_USER_API_HASH=y
> +CONFIG_CRYPTO_USER_API_SKCIPHER=y
> +
> +# Additional crypto support for LUKS2
> +CONFIG_CRYPTO_CBC=y
> +CONFIG_CRYPTO_ECB=y
> +CONFIG_CRYPTO_ESSIV=y
> +CONFIG_CRYPTO_LRW=y
> +CONFIG_CRYPTO_PCBC=y
> +
> +# TPM kernel modules needed for initramfs
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_CRB=m
> +
> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> index 8e4ccd7d..69d6217f 100644
> --- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> @@ -35,3 +35,12 @@ module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
>   module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
>   module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
>   KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
> +

After thinking about this a little more... I'm thinking that the 
luks-encryption is more of a DISTRO_FEATURE and not a MACHINE_FEATURE. 
"tpm" would be a MACHINE_FEATURE.

And the best most correct thing to do would be to do some combination of 
the two.  I assume that only some of our boards have tpm support, right?

So I would go through the effort to add that to all of the correct 
boards, and then change the logic to check both variables.  I'll reply 
on the other patches with those changes.


> +# LUKS encryption with fTPM kernel configuration
> +SRC_URI:append:k3 = " \
> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'file://luks-ftpm.cfg', '', d)} \

${@bb.utils.contains('DISTRO_FEATURES', 'luks', 'file://luks-ftpm.cfg', '', d)}


> +"
> +KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
> +"
> +

${@bb.utils.contains('DISTRO_FEATURES', 'luks', '${UNPACKDIR}/luks-ftpm.cfg', '', d)}

Denys Dmytriyenko March 5, 2026, 9:12 p.m. UTC | #3
On Thu, Mar 05, 2026 at 02:51:44PM -0600, Ryan Eatmon via lists.yoctoproject.org wrote:
> 
> 
> On 3/5/2026 11:21 AM, Shiva Tripathi wrote:
> >Add conditional kernel configuration fragment for LUKS encryption with
> >fTPM support. This enables dm-crypt and necessary crypto algorithms
> >when MACHINE_FEATURES contains 'luks-encryption'.
> >
> >Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
> >---
> >  .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
> >  .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
> >  2 files changed, 37 insertions(+)
> >  create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> >
> >diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> >new file mode 100644
> >index 00000000..234cc087
> >--- /dev/null
> >+++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
> >@@ -0,0 +1,28 @@
> >+# Device Mapper support
> >+CONFIG_MD=y
> >+CONFIG_BLK_DEV_DM=y
> >+CONFIG_DM_CRYPT=y
> >+
> >+# Crypto algorithms for LUKS
> >+CONFIG_CRYPTO_XTS=y
> >+CONFIG_CRYPTO_AES=y
> >+CONFIG_CRYPTO_AES_ARM64=y
> >+CONFIG_CRYPTO_AES_ARM64_CE=y
> >+CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
> >+CONFIG_CRYPTO_SHA256=y
> >+CONFIG_CRYPTO_SHA256_ARM64=y
> >+CONFIG_CRYPTO_SHA512=y
> >+CONFIG_CRYPTO_USER_API_HASH=y
> >+CONFIG_CRYPTO_USER_API_SKCIPHER=y
> >+
> >+# Additional crypto support for LUKS2
> >+CONFIG_CRYPTO_CBC=y
> >+CONFIG_CRYPTO_ECB=y
> >+CONFIG_CRYPTO_ESSIV=y
> >+CONFIG_CRYPTO_LRW=y
> >+CONFIG_CRYPTO_PCBC=y
> >+
> >+# TPM kernel modules needed for initramfs
> >+CONFIG_TCG_TIS_CORE=m
> >+CONFIG_TCG_CRB=m
> >+
> >diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> >index 8e4ccd7d..69d6217f 100644
> >--- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> >+++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
> >@@ -35,3 +35,12 @@ module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
> >  module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
> >  module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
> >  KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
> >+
> 
> After thinking about this a little more... I'm thinking that the
> luks-encryption is more of a DISTRO_FEATURE and not a
> MACHINE_FEATURE. "tpm" would be a MACHINE_FEATURE.

This was the first thought I had - it's a distro feature.


> And the best most correct thing to do would be to do some
> combination of the two.  I assume that only some of our boards have
> tpm support, right?

On the other hand, isn't fTPM a software-only implementation of TPM?


> So I would go through the effort to add that to all of the correct
> boards, and then change the logic to check both variables.  I'll
> reply on the other patches with those changes.
> 
> 
> >+# LUKS encryption with fTPM kernel configuration
> >+SRC_URI:append:k3 = " \
> >+    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'file://luks-ftpm.cfg', '', d)} \
> 
> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
> 'file://luks-ftpm.cfg', '', d)}
> 
> 
> >+"
> >+KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
> >+    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
> >+"
> >+
> 
> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
> '${UNPACKDIR}/luks-ftpm.cfg', '', d)}
Randolph Sapp March 5, 2026, 11:09 p.m. UTC | #4
On Thu Mar 5, 2026 at 3:12 PM CST, Denys Dmytriyenko wrote:
> On Thu, Mar 05, 2026 at 02:51:44PM -0600, Ryan Eatmon via lists.yoctoproject.org wrote:
>> 
>> 
>> On 3/5/2026 11:21 AM, Shiva Tripathi wrote:
>> >Add conditional kernel configuration fragment for LUKS encryption with
>> >fTPM support. This enables dm-crypt and necessary crypto algorithms
>> >when MACHINE_FEATURES contains 'luks-encryption'.
>> >
>> >Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
>> >---
>> >  .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
>> >  .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
>> >  2 files changed, 37 insertions(+)
>> >  create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>> >
>> >diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>> >new file mode 100644
>> >index 00000000..234cc087
>> >--- /dev/null
>> >+++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>> >@@ -0,0 +1,28 @@
>> >+# Device Mapper support
>> >+CONFIG_MD=y
>> >+CONFIG_BLK_DEV_DM=y
>> >+CONFIG_DM_CRYPT=y
>> >+
>> >+# Crypto algorithms for LUKS
>> >+CONFIG_CRYPTO_XTS=y
>> >+CONFIG_CRYPTO_AES=y
>> >+CONFIG_CRYPTO_AES_ARM64=y
>> >+CONFIG_CRYPTO_AES_ARM64_CE=y
>> >+CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
>> >+CONFIG_CRYPTO_SHA256=y
>> >+CONFIG_CRYPTO_SHA256_ARM64=y
>> >+CONFIG_CRYPTO_SHA512=y
>> >+CONFIG_CRYPTO_USER_API_HASH=y
>> >+CONFIG_CRYPTO_USER_API_SKCIPHER=y
>> >+
>> >+# Additional crypto support for LUKS2
>> >+CONFIG_CRYPTO_CBC=y
>> >+CONFIG_CRYPTO_ECB=y
>> >+CONFIG_CRYPTO_ESSIV=y
>> >+CONFIG_CRYPTO_LRW=y
>> >+CONFIG_CRYPTO_PCBC=y
>> >+
>> >+# TPM kernel modules needed for initramfs
>> >+CONFIG_TCG_TIS_CORE=m
>> >+CONFIG_TCG_CRB=m
>> >+
>> >diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>> >index 8e4ccd7d..69d6217f 100644
>> >--- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>> >+++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>> >@@ -35,3 +35,12 @@ module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
>> >  module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
>> >  module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
>> >  KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
>> >+
>> 
>> After thinking about this a little more... I'm thinking that the
>> luks-encryption is more of a DISTRO_FEATURE and not a
>> MACHINE_FEATURE. "tpm" would be a MACHINE_FEATURE.
>
> This was the first thought I had - it's a distro feature.
>
>
>> And the best most correct thing to do would be to do some
>> combination of the two.  I assume that only some of our boards have
>> tpm support, right?
>
> On the other hand, isn't fTPM a software-only implementation of TPM?
>

Yeah, though they should behave the same in userspace. It seems like there is a
bug preventing systemd-cryptenroll from working in our case though. Obviously
there are some quirks here.

>> So I would go through the effort to add that to all of the correct
>> boards, and then change the logic to check both variables.  I'll
>> reply on the other patches with those changes.
>> 
>> 
>> >+# LUKS encryption with fTPM kernel configuration
>> >+SRC_URI:append:k3 = " \
>> >+    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'file://luks-ftpm.cfg', '', d)} \
>> 
>> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
>> 'file://luks-ftpm.cfg', '', d)}
>> 
>> 
>> >+"
>> >+KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
>> >+    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
>> >+"
>> >+
>> 
>> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
>> '${UNPACKDIR}/luks-ftpm.cfg', '', d)}
Shiva Tripathi March 6, 2026, 2:29 p.m. UTC | #5
On 3/6/26 01:43, Andrew Davis wrote:
> On 3/5/26 11:21 AM, Shiva Tripathi via lists.yoctoproject.org wrote:
>> Add conditional kernel configuration fragment for LUKS encryption with
>> fTPM support. This enables dm-crypt and necessary crypto algorithms
>> when MACHINE_FEATURES contains 'luks-encryption'.
>>
>> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
>> ---
>>   .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
>>   .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
>>   2 files changed, 37 insertions(+)
>>   create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-
>> staging-6.18/luks-ftpm.cfg
>>
>> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/
>> luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-
>> staging-6.18/luks-ftpm.cfg
>> new file mode 100644
>> index 00000000..234cc087
>> --- /dev/null
>> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-
>> ftpm.cfg
>> @@ -0,0 +1,28 @@
>> +# Device Mapper support
>> +CONFIG_MD=y
>> +CONFIG_BLK_DEV_DM=y
>> +CONFIG_DM_CRYPT=y
>> +
>> +# Crypto algorithms for LUKS
>> +CONFIG_CRYPTO_XTS=y
>> +CONFIG_CRYPTO_AES=y
>> +CONFIG_CRYPTO_AES_ARM64=y
>> +CONFIG_CRYPTO_AES_ARM64_CE=y
>> +CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
>> +CONFIG_CRYPTO_SHA256=y
>> +CONFIG_CRYPTO_SHA256_ARM64=y
> 
> Tell me more about this symbol, why did you pick it and what does it do.
> 
> Andrew

My understanding was that adding this helps optimize SHA-256 on ARM64. But on
digging deeper, I realized it's part of a Kconfig dependency chain which gets
selected automatically when SHA2_ARM64_CE/CONFIG_CRYPTO_SHA2_ARM64_CE is
enabled, so it shouldn't be explicitly enabled here.

I also re-evaluated all the other symbols in the patch; not all were needed.
The required ones are:
"
# Device Mapper support
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y

# Core crypto algorithms for LUKS encryption
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y

# ARM64 optimized crypto for better performance
CONFIG_CRYPTO_AES_ARM64=y
CONFIG_CRYPTO_AES_ARM64_CE=y
CONFIG_CRYPTO_AES_ARM64_CE_BLK=y

# Userspace crypto API for cryptsetup
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
"
A few of the above are already present in ti-linux-kernel, but I think it's
good to keep an inclusive set required for LUKS in case a user deviates from
the ti-linux-kernel config and starts observing failures here. Will send the
updated patch.

Thanks,
Shiva

> 
>> +CONFIG_CRYPTO_SHA512=y
>> +CONFIG_CRYPTO_USER_API_HASH=y
>> +CONFIG_CRYPTO_USER_API_SKCIPHER=y
>> +
>> +# Additional crypto support for LUKS2
>> +CONFIG_CRYPTO_CBC=y
>> +CONFIG_CRYPTO_ECB=y
>> +CONFIG_CRYPTO_ESSIV=y
>> +CONFIG_CRYPTO_LRW=y
>> +CONFIG_CRYPTO_PCBC=y
>> +
>> +# TPM kernel modules needed for initramfs
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_CRB=m
>> +
>> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>> b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>> index 8e4ccd7d..69d6217f 100644
>> --- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>> @@ -35,3 +35,12 @@ module_conf_rpmsg_client_sample = "blacklist
>> rpmsg_client_sample"
>>   module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre:
>> virtio_rpmsg_bus"
>>   module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc
>> pre: virtio_rpmsg_bus"
>>   KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc
>> ti_k3_dsp_remoteproc"
>> +
>> +# LUKS encryption with fTPM kernel configuration
>> +SRC_URI:append:k3 = " \
>> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption',
>> 'file://luks-ftpm.cfg', '', d)} \
>> +"
>> +KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
>> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption',
>> '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
>> +"
>> +
>
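The failure mode discussed above (a fragment line that names a symbol the fragment cannot set directly, which then silently disappears at merge time) is easiest to catch by comparing the fragment against the final merged .config, which is what the last pass of the kernel's merge_config.sh does. The following is an added example, not code from the patch or from meta-ti: the function names are mine, and the fragment and final .config it checks are constructed samples whose per-symbol outcome is assumed for illustration.

```python
import re

# One setting per line: "CONFIG_FOO=y", "CONFIG_FOO=m", 'CONFIG_FOO="text"',
# or the disabled spelling "# CONFIG_FOO is not set". Other "#" lines are comments.
_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Map symbol -> value for a .config or fragment; 'is not set' becomes 'n'."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            values[m.group(1)] = "n"
    return values


def check_fragment(fragment_text, final_text):
    """Return {symbol: (requested, actual)} for every fragment line that did not
    survive the merge. A symbol missing from the final .config is reported as
    'n', because Kconfig treats an absent bool/tristate as disabled. That is the
    case the thread describes for CONFIG_CRYPTO_SHA256_ARM64: the fragment asks
    for it, nothing selects it, and the line vanishes from the final config."""
    wanted = parse_config(fragment_text)
    got = parse_config(final_text)
    return {sym: (req, got.get(sym, "n"))
            for sym, req in wanted.items() if got.get(sym, "n") != req}


def report(fragment_text, final_text):
    """Human-readable lines in the style of merge_config.sh's final check."""
    return [f"Value requested for {sym} not in final .config "
            f"(requested {req}, got {act})"
            for sym, (req, act) in sorted(check_fragment(fragment_text, final_text).items())]


# Constructed sample: a cut-down copy of the fragment from the patch ...
FRAGMENT = """\
# Device Mapper support
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y

# Crypto algorithms for LUKS
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA256_ARM64=y
CONFIG_CRYPTO_LRW=y

# TPM kernel modules needed for initramfs
CONFIG_TCG_TIS_CORE=m
CONFIG_TCG_CRB=m
"""

# ... and a constructed final .config as a build might emit it (assumed outcome):
# SHA256_ARM64 and TCG_TIS_CORE were not selected by anything, so they are
# absent; LRW came out as a module instead of built-in; the rest survived.
FINAL_CONFIG = """\
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_LRW=m
CONFIG_TCG_TPM=m
CONFIG_TCG_CRB=m
# CONFIG_TCG_TIS is not set
"""

if __name__ == "__main__":
    for line in report(FRAGMENT, FINAL_CONFIG):
        print(line)
```

Run against a real build, feed it the fragment file and the kernel's generated .config; any line it prints is a setting the fragment promised but the kernel will not actually have.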
Shiva Tripathi March 6, 2026, 2:41 p.m. UTC | #6
On 3/6/26 04:39, Randolph Sapp wrote:
> On Thu Mar 5, 2026 at 3:12 PM CST, Denys Dmytriyenko wrote:
>> On Thu, Mar 05, 2026 at 02:51:44PM -0600, Ryan Eatmon via lists.yoctoproject.org wrote:
>>>
>>>
>>> On 3/5/2026 11:21 AM, Shiva Tripathi wrote:
>>>> Add conditional kernel configuration fragment for LUKS encryption with
>>>> fTPM support. This enables dm-crypt and necessary crypto algorithms
>>>> when MACHINE_FEATURES contains 'luks-encryption'.
>>>>
>>>> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
>>>> ---
>>>>  .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
>>>>  .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
>>>>  2 files changed, 37 insertions(+)
>>>>  create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>>>>
>>>> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>>>> new file mode 100644
>>>> index 00000000..234cc087
>>>> --- /dev/null
>>>> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>>>> @@ -0,0 +1,28 @@
>>>> +# Device Mapper support
>>>> +CONFIG_MD=y
>>>> +CONFIG_BLK_DEV_DM=y
>>>> +CONFIG_DM_CRYPT=y
>>>> +
>>>> +# Crypto algorithms for LUKS
>>>> +CONFIG_CRYPTO_XTS=y
>>>> +CONFIG_CRYPTO_AES=y
>>>> +CONFIG_CRYPTO_AES_ARM64=y
>>>> +CONFIG_CRYPTO_AES_ARM64_CE=y
>>>> +CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
>>>> +CONFIG_CRYPTO_SHA256=y
>>>> +CONFIG_CRYPTO_SHA256_ARM64=y
>>>> +CONFIG_CRYPTO_SHA512=y
>>>> +CONFIG_CRYPTO_USER_API_HASH=y
>>>> +CONFIG_CRYPTO_USER_API_SKCIPHER=y
>>>> +
>>>> +# Additional crypto support for LUKS2
>>>> +CONFIG_CRYPTO_CBC=y
>>>> +CONFIG_CRYPTO_ECB=y
>>>> +CONFIG_CRYPTO_ESSIV=y
>>>> +CONFIG_CRYPTO_LRW=y
>>>> +CONFIG_CRYPTO_PCBC=y
>>>> +
>>>> +# TPM kernel modules needed for initramfs
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_CRB=m
>>>> +
>>>> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>>>> index 8e4ccd7d..69d6217f 100644
>>>> --- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>>>> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>>>> @@ -35,3 +35,12 @@ module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
>>>>  module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
>>>>  module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
>>>>  KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
>>>> +
>>>
>>> After thinking about this a little more... I'm thinking that the
>>> luks-encryption is more of a DISTRO_FEATURE and not a
>>> MACHINE_FEATURE. "tpm" would be a MACHINE_FEATURE.
>>
>> This was the first thought I had - it's a distro feature.
>>
>>
>>> And the best most correct thing to do would be to do some
>>> combination of the two.  I assume that only some of our boards have
>>> tpm support, right?
>>
>> On the other hand, isn't fTPM a software-only implementation of TPM?
>>
> 
> Yeah, though they should behave the same in userspace. It seems like there is a
> bug preventing systemd-cryptenroll from working in our case though. Obviously
> there are some quirks here.
> 

The TPM support we are using here comes from the OP-TEE based firmware TPM
(Microsoft's implementation). We are not using an actual HW TPM here.
Also, I see all K3 platforms already have "optee-ftpm" enabled in
MACHINE_FEATURES [1].

Would it be fine to use the existing "optee-ftpm" MACHINE_FEATURES with
"luks" as DISTRO_FEATURES in this patch series?
I'm thinking of implementing the same checks as suggested by Ryan, just with
"optee-ftpm" in place of "tpm", if that's okay?

[1]:
https://github.com/YoeDistro/meta-ti/blob/master/meta-ti-bsp/conf/machine/include/k3.inc#L41

Thanks,
Shiva

>>> So I would go through the effort to add that to all of the correct
>>> boards, and then change the logic to check both variables.  I'll
>>> reply on the other patches with those changes.
>>>
>>>
>>>> +# LUKS encryption with fTPM kernel configuration
>>>> +SRC_URI:append:k3 = " \
>>>> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'file://luks-ftpm.cfg', '', d)} \
>>>
>>> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
>>> 'file://luks-ftpm.cfg', '', d)}
>>>
>>>
>>>> +"
>>>> +KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
>>>> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
>>>> +"
>>>> +
>>>
>>> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
>>> '${UNPACKDIR}/luks-ftpm.cfg', '', d)}
>
Ryan Eatmon March 6, 2026, 2:44 p.m. UTC | #7
On 3/6/2026 8:41 AM, Shiva Tripathi wrote:
> 
> 
> On 3/6/26 04:39, Randolph Sapp wrote:
>> On Thu Mar 5, 2026 at 3:12 PM CST, Denys Dmytriyenko wrote:
>>> On Thu, Mar 05, 2026 at 02:51:44PM -0600, Ryan Eatmon via lists.yoctoproject.org wrote:
>>>>
>>>>
>>>> On 3/5/2026 11:21 AM, Shiva Tripathi wrote:
>>>>> Add conditional kernel configuration fragment for LUKS encryption with
>>>>> fTPM support. This enables dm-crypt and necessary crypto algorithms
>>>>> when MACHINE_FEATURES contains 'luks-encryption'.
>>>>>
>>>>> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
>>>>> ---
>>>>>   .../linux/linux-ti-staging-6.18/luks-ftpm.cfg | 28 +++++++++++++++++++
>>>>>   .../linux/linux-ti-staging_6.18.bb            |  9 ++++++
>>>>>   2 files changed, 37 insertions(+)
>>>>>   create mode 100644 meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>>>>>
>>>>> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>>>>> new file mode 100644
>>>>> index 00000000..234cc087
>>>>> --- /dev/null
>>>>> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
>>>>> @@ -0,0 +1,28 @@
>>>>> +# Device Mapper support
>>>>> +CONFIG_MD=y
>>>>> +CONFIG_BLK_DEV_DM=y
>>>>> +CONFIG_DM_CRYPT=y
>>>>> +
>>>>> +# Crypto algorithms for LUKS
>>>>> +CONFIG_CRYPTO_XTS=y
>>>>> +CONFIG_CRYPTO_AES=y
>>>>> +CONFIG_CRYPTO_AES_ARM64=y
>>>>> +CONFIG_CRYPTO_AES_ARM64_CE=y
>>>>> +CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
>>>>> +CONFIG_CRYPTO_SHA256=y
>>>>> +CONFIG_CRYPTO_SHA256_ARM64=y
>>>>> +CONFIG_CRYPTO_SHA512=y
>>>>> +CONFIG_CRYPTO_USER_API_HASH=y
>>>>> +CONFIG_CRYPTO_USER_API_SKCIPHER=y
>>>>> +
>>>>> +# Additional crypto support for LUKS2
>>>>> +CONFIG_CRYPTO_CBC=y
>>>>> +CONFIG_CRYPTO_ECB=y
>>>>> +CONFIG_CRYPTO_ESSIV=y
>>>>> +CONFIG_CRYPTO_LRW=y
>>>>> +CONFIG_CRYPTO_PCBC=y
>>>>> +
>>>>> +# TPM kernel modules needed for initramfs
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +
>>>>> diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>>>>> index 8e4ccd7d..69d6217f 100644
>>>>> --- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>>>>> +++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
>>>>> @@ -35,3 +35,12 @@ module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
>>>>>   module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
>>>>>   module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
>>>>>   KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
>>>>> +
>>>>
>>>> After thinking about this a little more... I'm thinking that the
>>>> luks-encryption is more of a DISTRO_FEATURE and not a
>>>> MACHINE_FEATURE. "tpm" would be a MACHINE_FEATURE.
>>>
>>> This was the first thought I had - it's a distro feature.
>>>
>>>
>>>> And the best most correct thing to do would be to do some
>>>> combination of the two.  I assume that only some of our boards have
>>>> tpm support, right?
>>>
>>> On the other hand, isn't fTPM a software-only implementation of TPM?
>>>
>>
>> Yeah, though they should behave the same in userspace. It seems like there is a
>> bug preventing systemd-cryptenroll from working in our case though. Obviously
>> there are some quirks here.
>>
> 
> The TPM support we are using here comes from the OP-TEE based firmware TPM
> (Microsoft's implementation). We are not using an actual HW TPM here.
> Also, I see all K3 platforms already have "optee-ftpm" enabled in
> MACHINE_FEATURES [1].
> 
> Would it be fine to use the existing "optee-ftpm" MACHINE_FEATURES with
> "luks" as DISTRO_FEATURES in this patch series?
> I'm thinking of implementing the same checks as suggested by Ryan, just with
> "optee-ftpm" in place of "tpm", if that's okay?

I'm fine with it.


> [1]:
> https://github.com/YoeDistro/meta-ti/blob/master/meta-ti-bsp/conf/machine/include/k3.inc#L41
> 
> Thanks,
> Shiva
> 
>>>> So I would go through the effort to add that to all of the correct
>>>> boards, and then change the logic to check both variables.  I'll
>>>> reply on the other patches with those changes.
>>>>
>>>>
>>>>> +# LUKS encryption with fTPM kernel configuration
>>>>> +SRC_URI:append:k3 = " \
>>>>> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'file://luks-ftpm.cfg', '', d)} \
>>>>
>>>> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
>>>> 'file://luks-ftpm.cfg', '', d)}
>>>>
>>>>
>>>>> +"
>>>>> +KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
>>>>> +    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
>>>>> +"
>>>>> +
>>>>
>>>> ${@bb.utils.contains('DISTRO_FEATURES', 'luks',
>>>> '${UNPACKDIR}/luks-ftpm.cfg', '', d)}
>>
>

Patch

diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
new file mode 100644
index 00000000..234cc087
--- /dev/null
+++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg
@@ -0,0 +1,28 @@ 
+# Device Mapper support
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+
+# Crypto algorithms for LUKS
+CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_ARM64=y
+CONFIG_CRYPTO_AES_ARM64_CE=y
+CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA256_ARM64=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+
+# Additional crypto support for LUKS2
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_ESSIV=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+
+# TPM kernel modules needed for initramfs
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_CRB=m
+
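Review bot: the TPM block at the end of this fragment will not do what the comment says. CONFIG_TCG_TIS_CORE has no Kconfig prompt; it is selected by the bus-specific drivers (CONFIG_TCG_TIS, CONFIG_TCG_TIS_SPI, and so on), so `CONFIG_TCG_TIS_CORE=m` on its own is dropped at merge time, and CONFIG_TCG_CRB depends on ACPI. Neither of these drives the OP-TEE firmware TPM the thread says is actually in use; that one is exposed by CONFIG_TCG_FTPM_TEE, which is absent here, and the parent CONFIG_TCG_TPM is not set either (it may come from the base defconfig, but a fragment meant to be self-contained should carry it). Please replace the two lines with the driver symbols that match the platform, e.g. `CONFIG_TCG_TPM=m` and `CONFIG_TCG_FTPM_TEE=m`, and check the merged .config for "Value requested for ... not in final .config" warnings. The same concern applies to `CONFIG_CRYPTO_SHA256_ARM64=y`, which the thread has already concluded is pulled in by its CE counterpart rather than set directly. In the "Additional crypto support for LUKS2" block, CONFIG_CRYPTO_ECB, CONFIG_CRYPTO_LRW and CONFIG_CRYPTO_PCBC are not used by the LUKS2 default cipher (aes-xts-plain64), and CBC/ESSIV only matter for volumes created with the older aes-cbc-essiv:sha256 default; building unused modes into the kernel widens the crypto surface for no benefit, and the reduced list posted later in the thread already omits them. Minor: the file ends with an empty `+` line, which `git diff --check` reports as a new blank line at EOF.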
diff --git a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
index 8e4ccd7d..69d6217f 100644
--- a/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
+++ b/meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb
@@ -35,3 +35,12 @@  module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
 module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
 module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
 KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
+
+# LUKS encryption with fTPM kernel configuration
+SRC_URI:append:k3 = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', 'file://luks-ftpm.cfg', '', d)} \
+"
+KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
+"
+
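Review bot: both `bb.utils.contains('MACHINE_FEATURES', 'luks-encryption', ...)` calls gate a distro-level choice on a machine variable, and the thread has since settled on checking DISTRO_FEATURES for 'luks' together with the MACHINE_FEATURES entry for the TPM ('optee-ftpm', which k3.inc already sets on all K3 platforms); please update both expressions and the commit message to match. The same condition is spelled out twice, once for SRC_URI and once for KERNEL_CONFIG_FRAGMENTS, so the two can drift apart in a later edit; computing it once avoids that, for example:
LUKS_FTPM_CFG = "${@bb.utils.contains('DISTRO_FEATURES', 'luks', bb.utils.contains('MACHINE_FEATURES', 'optee-ftpm', 'luks-ftpm.cfg', '', d), '', d)}"
SRC_URI:append:k3 = "${@' file://' + d.getVar('LUKS_FTPM_CFG') if d.getVar('LUKS_FTPM_CFG') else ''}"
KERNEL_CONFIG_FRAGMENTS:append:k3 = "${@' ${UNPACKDIR}/' + d.getVar('LUKS_FTPM_CFG') if d.getVar('LUKS_FTPM_CFG') else ''}"
Also drop the trailing empty `+` line so the append does not leave a blank line at the end of the recipe.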