[meta-ti,master,v6,3/3] conf: Enable dynamic security layer for LUKS

Message ID 20260318145732.2115521-4-s-tripathi1@ti.com
State Superseded
Delegated to: Ryan Eatmon
Series Add LUKS encryption with fTPM support

Commit Message

Shiva Tripathi March 18, 2026, 2:57 p.m. UTC
Register dynamic-layers/security in layer.conf to conditionally
build LUKS encryption support when meta-security layer is present.

Update ti-core-initramfs.inc to auto-enable initramfs generation
when DISTRO_FEATURES contains 'luks'.

Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
---
 meta-ti-bsp/conf/layer.conf                            | 2 ++
 meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

Comments

Ryan Eatmon March 18, 2026, 4:06 p.m. UTC | #1
On 3/18/2026 9:57 AM, Shiva Tripathi wrote:
> Register dynamic-layers/security in layer.conf to conditionally
> build LUKS encryption support when meta-security layer is present.
> 
> Update ti-core-initramfs.inc to auto-enable initramfs generation
> when DISTRO_FEATURES contains 'luks'.
> 
> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
> ---
>   meta-ti-bsp/conf/layer.conf                            | 2 ++
>   meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +-
>   2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf
> index f78da573..ce2883ac 100644
> --- a/meta-ti-bsp/conf/layer.conf
> +++ b/meta-ti-bsp/conf/layer.conf
> @@ -24,6 +24,8 @@ LAYERRECOMMENDS_meta-ti-bsp = " \
>   
>   BBFILES_DYNAMIC += " \
>       openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \
> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \
> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \
>   "
>  

You should also update the LAYERRECOMMENDS to include meta-security.

And you should also submit an oe-layersetup change to include 
meta-security in the arago-master builds, commented out of course and 
add a new arago-master-security-config.xml that adds in the new layer.



>   SIGGEN_EXCLUDERECIPES_ABISAFE += " \
> diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
> index 9d3cc612..15c05e04 100644
> --- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
> +++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
> @@ -5,7 +5,7 @@
>   #   TI_CORE_INITRAMFS_ENABLED = "0"
>   #
>   #------------------------------------------------------------------------------
> -TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}"
> +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}"
>   
>   TI_CORE_INITRAMFS_KERNEL_MODULES ?= ""
>   TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""

Denys Dmytriyenko March 18, 2026, 7:59 p.m. UTC | #2
On Wed, Mar 18, 2026 at 08:27:32PM +0530, Shiva Tripathi wrote:
> Register dynamic-layers/security in layer.conf to conditionally
> build LUKS encryption support when meta-security layer is present.
> 
> Update ti-core-initramfs.inc to auto-enable initramfs generation
> when DISTRO_FEATURES contains 'luks'.
> 
> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
> ---
>  meta-ti-bsp/conf/layer.conf                            | 2 ++
>  meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +-
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf
> index f78da573..ce2883ac 100644
> --- a/meta-ti-bsp/conf/layer.conf
> +++ b/meta-ti-bsp/conf/layer.conf
> @@ -24,6 +24,8 @@ LAYERRECOMMENDS_meta-ti-bsp = " \
>  
>  BBFILES_DYNAMIC += " \
>      openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \
> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \
> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \

As I've previously mentioned, TPM components currently are provided by 
multiple layers:

1. meta-security/meta-tpm - a community set of layers, backed by YP, active
2. meta-secure-core/meta-tpm2 - WindRiver vendor set of layers, active
3. meta-measured - personal layer, no longer active for 4 years

Just to note that meta-arm already sets up dynamic-layer with own bbappend 
fixes for #2 meta-secure-core/meta-tpm2:
https://git.yoctoproject.org/meta-arm/tree/meta-arm/dynamic-layers/meta-tpm2/recipes-tpm/tpm2-tools

But I'm fine for meta-ti to go with #1 meta-security/meta-tpm.

That said - have you tested your change? I'm afraid it won't work.

You are only setting up meta-security, which is a top-level layer, parsing 
only recipes*/*/*.bb and recipes*/*/*.bbappend - please note that TPM recipes 
reside in meta-tpm sub-layer called "tpm-layer":
https://git.yoctoproject.org/meta-security/tree/meta-tpm/conf/layer.conf


>  "
>  
>  SIGGEN_EXCLUDERECIPES_ABISAFE += " \
> diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
> index 9d3cc612..15c05e04 100644
> --- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
> +++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
> @@ -5,7 +5,7 @@
>  #   TI_CORE_INITRAMFS_ENABLED = "0"
>  #
>  #------------------------------------------------------------------------------
> -TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}"
> +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}"
>  
>  TI_CORE_INITRAMFS_KERNEL_MODULES ?= ""
>  TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
> -- 
> 2.34.1

Shiva Tripathi March 19, 2026, 10:22 a.m. UTC | #3
On 3/19/26 01:29, Denys Dmytriyenko wrote:
> On Wed, Mar 18, 2026 at 08:27:32PM +0530, Shiva Tripathi wrote:
>> Register dynamic-layers/security in layer.conf to conditionally
>> build LUKS encryption support when meta-security layer is present.
>>
>> Update ti-core-initramfs.inc to auto-enable initramfs generation
>> when DISTRO_FEATURES contains 'luks'.
>>
>> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
>> ---
>>  meta-ti-bsp/conf/layer.conf                            | 2 ++
>>  meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +-
>>  2 files changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf
>> index f78da573..ce2883ac 100644
>> --- a/meta-ti-bsp/conf/layer.conf
>> +++ b/meta-ti-bsp/conf/layer.conf
>> @@ -24,6 +24,8 @@ LAYERRECOMMENDS_meta-ti-bsp = " \
>>  
>>  BBFILES_DYNAMIC += " \
>>      openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \
>> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \
>> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \
> 
> As I've previously mentioned, TPM components currently are provided by 
> multiple layers:
> 
> 1. meta-security/meta-tpm - a community set of layers, backed by YP, active
> 2. meta-secure-core/meta-tpm2 - WindRiver vendor set of layers, active
> 3. meta-measured - personal layer, no longer active for 4 years
> 
> Just to note that meta-arm already sets up dynamic-layer with own bbappend 
> fixes for #2 meta-secure-core/meta-tpm2:
> https://git.yoctoproject.org/meta-arm/tree/meta-arm/dynamic-layers/meta-tpm2/recipes-tpm/tpm2-tools
> 
> But I'm fine for meta-ti to go with #1 meta-security/meta-tpm.
> 
> That said - have you tested your change? I'm afraid it won't work.
> 
> You are only setting up meta-security, which is a top-level layer, parsing 
> only recipes*/*/*.bb and recipes*/*/*.bbappend - please note that TPM recipes 
> reside in meta-tpm sub-layer called "tpm-layer":
> https://git.yoctoproject.org/meta-security/tree/meta-tpm/conf/layer.conf
> 

Thanks for pointing it out. I did test my v6 patches, but seems it
worked because my local bblayers.conf had both:
  /sources/meta-security/.
  /sources/meta-security/meta-tpm

I'll address this change in v7 series.

Thanks,
Shiva

> 
>>  "
>>  
>>  SIGGEN_EXCLUDERECIPES_ABISAFE += " \
>> diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
>> index 9d3cc612..15c05e04 100644
>> --- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
>> +++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
>> @@ -5,7 +5,7 @@
>>  #   TI_CORE_INITRAMFS_ENABLED = "0"
>>  #
>>  #------------------------------------------------------------------------------
>> -TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}"
>> +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}"
>>  
>>  TI_CORE_INITRAMFS_KERNEL_MODULES ?= ""
>>  TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
>> -- 
>> 2.34.1

Shiva Tripathi March 19, 2026, 10:27 a.m. UTC | #4
On 3/18/26 21:36, Ryan Eatmon wrote:
> 
> 
> On 3/18/2026 9:57 AM, Shiva Tripathi wrote:
>> Register dynamic-layers/security in layer.conf to conditionally
>> build LUKS encryption support when meta-security layer is present.
>>
>> Update ti-core-initramfs.inc to auto-enable initramfs generation
>> when DISTRO_FEATURES contains 'luks'.
>>
>> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
>> ---
>>   meta-ti-bsp/conf/layer.conf                            | 2 ++
>>   meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +-
>>   2 files changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf
>> index f78da573..ce2883ac 100644
>> --- a/meta-ti-bsp/conf/layer.conf
>> +++ b/meta-ti-bsp/conf/layer.conf
>> @@ -24,6 +24,8 @@ LAYERRECOMMENDS_meta-ti-bsp = " \
>>     BBFILES_DYNAMIC += " \
>>       openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-
>> layer/recipes*/*/*.bbappend \
>> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \
>> +    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \
>>   "
>>  
> 
> You should also update the LAYERRECOMMENDS to include meta-security.

Okay, will address this in v7.

> 
> And you should also submit an oe-layersetup change to include meta-
> security in the arago-master builds, commented out of course and add a
> new arago-master-security-config.xml that adds in the new layer.
> 

Sure, will send this patch separately.

Thanks,
Shiva

> 
>>   SIGGEN_EXCLUDERECIPES_ABISAFE += " \
>> diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/
>> meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
>> index 9d3cc612..15c05e04 100644
>> --- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
>> +++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
>> @@ -5,7 +5,7 @@
>>   #   TI_CORE_INITRAMFS_ENABLED = "0"
>>   #
>>  
>> #------------------------------------------------------------------------------
>> -TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if
>> d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or
>> d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}"
>> +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if
>> d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or
>> d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or
>> bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}"
>>     TI_CORE_INITRAMFS_KERNEL_MODULES ?= ""
>>   TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
>

Patch

diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf
index f78da573..ce2883ac 100644
--- a/meta-ti-bsp/conf/layer.conf
+++ b/meta-ti-bsp/conf/layer.conf
@@ -24,6 +24,8 @@  LAYERRECOMMENDS_meta-ti-bsp = " \
 
 BBFILES_DYNAMIC += " \
     openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \
+    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \
+    security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \
 "
 
 SIGGEN_EXCLUDERECIPES_ABISAFE += " \
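
Review bot: The two added BBFILES_DYNAMIC entries are keyed only on the `security` collection, so everything under dynamic-layers/security is parsed as soon as meta-security alone is in bblayers.conf, while the TPM recipes discussed in the thread belong to the separate `tpm-layer` collection from meta-security/meta-tpm. Any recipe or bbappend here that relies on TPM recipes should be keyed on that collection instead, for example `tpm-layer:${LAYERDIR}/dynamic-layers/tpm-layer/recipes*/*/*.bb \`, leaving under `security:` only what meta-security itself provides. The diffstat shows both insertions in this file are these two lines, so LAYERRECOMMENDS_meta-ti-bsp in the hunk context is unchanged; the new layer dependency should be declared there as well.
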
diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
index 9d3cc612..15c05e04 100644
--- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
+++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc
@@ -5,7 +5,7 @@ 
 #   TI_CORE_INITRAMFS_ENABLED = "0"
 #
 #------------------------------------------------------------------------------
-TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}"
+TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}"
 
 TI_CORE_INITRAMFS_KERNEL_MODULES ?= ""
 TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
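
Review bot: The new `bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d)` term on the `+` line enables the initramfs from DISTRO_FEATURES alone, independent of whether the `security` collection that carries the LUKS recipes is present. With 'luks' set and the layer missing from bblayers.conf, the build would produce an initramfs without the unlock support and nothing in this expression would flag it. Consider also testing for the layer (for example `'security' in (d.getVar('BBFILE_COLLECTIONS') or '').split()`), or emitting a warning or error elsewhere when 'luks' is requested without it. The comment block above the assignment documents only the `TI_CORE_INITRAMFS_ENABLED = "0"` override; it should also mention that 'luks' in DISTRO_FEATURES now turns the initramfs on by default.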