| Message ID | 20260319103533.2431033-4-s-tripathi1@ti.com |
|---|---|
| State | New |
| Headers | show |
| Series | Add LUKS encryption with fTPM support | expand |
On 3/19/2026 5:35 AM, Shiva Tripathi wrote: > Register dynamic-layers/security in layer.conf with BBFILES_DYNAMIC > for both 'security' and 'tpm-layer' collections to conditionally > build LUKS encryption support when meta-security/meta-tpm layers > are present. > > Add meta-security to LAYERRECOMMENDS to document the optional > dependency for LUKS functionality. > > Update ti-core-initramfs.inc to auto-enable initramfs generation > when DISTRO_FEATURES contains 'luks'. > > Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> > --- > meta-ti-bsp/conf/layer.conf | 5 +++++ > meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +- > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf > index f78da573..36d05b5a 100644 > --- a/meta-ti-bsp/conf/layer.conf > +++ b/meta-ti-bsp/conf/layer.conf > @@ -20,10 +20,15 @@ LAYERDEPENDS_meta-ti-bsp = " \ > > LAYERRECOMMENDS_meta-ti-bsp = " \ > openembedded-layer \ > + meta-security \ > " The layer should be same as below: security and tpm-layer I was just using meta-security as a placeholder. > BBFILES_DYNAMIC += " \ > openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \ > + security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ > + security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ > + tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ > + tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ > " > > SIGGEN_EXCLUDERECIPES_ABISAFE += " \ > diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc > index 9d3cc612..15c05e04 100644 > --- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc > +++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc > @@ -5,7 +5,7 @@ > # TI_CORE_INITRAMFS_ENABLED = "0" > # > #------------------------------------------------------------------------------ > -TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}" > +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}" > > TI_CORE_INITRAMFS_KERNEL_MODULES ?= "" > TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
On Thu, Mar 19, 2026 at 08:59:24AM -0500, Ryan Eatmon via lists.yoctoproject.org wrote: > > > On 3/19/2026 5:35 AM, Shiva Tripathi wrote: > >Register dynamic-layers/security in layer.conf with BBFILES_DYNAMIC > >for both 'security' and 'tpm-layer' collections to conditionally > >build LUKS encryption support when meta-security/meta-tpm layers > >are present. > > > >Add meta-security to LAYERRECOMMENDS to document the optional > >dependency for LUKS functionality. > > > >Update ti-core-initramfs.inc to auto-enable initramfs generation > >when DISTRO_FEATURES contains 'luks'. > > > >Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> > >--- > > meta-ti-bsp/conf/layer.conf | 5 +++++ > > meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +- > > 2 files changed, 6 insertions(+), 1 deletion(-) > > > >diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf > >index f78da573..36d05b5a 100644 > >--- a/meta-ti-bsp/conf/layer.conf > >+++ b/meta-ti-bsp/conf/layer.conf > >@@ -20,10 +20,15 @@ LAYERDEPENDS_meta-ti-bsp = " \ > > LAYERRECOMMENDS_meta-ti-bsp = " \ > > openembedded-layer \ > >+ meta-security \ > > " > > The layer should be same as below: security and tpm-layer I was > just using meta-security as a placeholder. Yeah, it's quite unfortunate that layer's collection name could be different from layer's directory name. Some maintainers keep them the same (e.g. meta-ti-bsp), but some make them different (e.g. meta-security -> security and meta-tpm -> tpm-layer). It could be rather confusing... > > BBFILES_DYNAMIC += " \ > > openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \ > >+ security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ > >+ security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ > >+ tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ > >+ tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ Moreover - is there really a need to set up security top level layer here? If only TPM tools are needed, then just tpm-layer should be enough, even when it comes from within meta-security git repository. E.g., we set up openembedded-layer here, but that's not meta-openembedded top level, but instead meta-oe sub-layer inside meta-openembedded. There are sub-layers in there, which are not needed for meta-ti-bsp dependency. Same thought goes to tpm-layer. > > " > > SIGGEN_EXCLUDERECIPES_ABISAFE += " \ > >diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc > >index 9d3cc612..15c05e04 100644 > >--- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc > >+++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc > >@@ -5,7 +5,7 @@ > > # TI_CORE_INITRAMFS_ENABLED = "0" > > # > > #------------------------------------------------------------------------------ > >-TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}" > >+TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}" > > TI_CORE_INITRAMFS_KERNEL_MODULES ?= "" > > TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
On 3/19/2026 9:55 AM, Denys Dmytriyenko wrote: > On Thu, Mar 19, 2026 at 08:59:24AM -0500, Ryan Eatmon via lists.yoctoproject.org wrote: >> >> >> On 3/19/2026 5:35 AM, Shiva Tripathi wrote: >>> Register dynamic-layers/security in layer.conf with BBFILES_DYNAMIC >>> for both 'security' and 'tpm-layer' collections to conditionally >>> build LUKS encryption support when meta-security/meta-tpm layers >>> are present. >>> >>> Add meta-security to LAYERRECOMMENDS to document the optional >>> dependency for LUKS functionality. >>> >>> Update ti-core-initramfs.inc to auto-enable initramfs generation >>> when DISTRO_FEATURES contains 'luks'. >>> >>> Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> >>> --- >>> meta-ti-bsp/conf/layer.conf | 5 +++++ >>> meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +- >>> 2 files changed, 6 insertions(+), 1 deletion(-) >>> >>> diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf >>> index f78da573..36d05b5a 100644 >>> --- a/meta-ti-bsp/conf/layer.conf >>> +++ b/meta-ti-bsp/conf/layer.conf >>> @@ -20,10 +20,15 @@ LAYERDEPENDS_meta-ti-bsp = " \ >>> LAYERRECOMMENDS_meta-ti-bsp = " \ >>> openembedded-layer \ >>> + meta-security \ >>> " >> >> The layer should be same as below: security and tpm-layer I was >> just using meta-security as a placeholder. > > Yeah, it's quite unfortunate that layer's collection name could be different > from layer's directory name. Some maintainers keep them the same (e.g. > meta-ti-bsp), but some make them different (e.g. meta-security -> security > and meta-tpm -> tpm-layer). It could be rather confusing... > > >>> BBFILES_DYNAMIC += " \ >>> openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \ >>> + security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ >>> + security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ >>> + tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ >>> + tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ > > Moreover - is there really a need to set up security top level layer here? If > only TPM tools are needed, then just tpm-layer should be enough, even when it > comes from within meta-security git repository. > > E.g., we set up openembedded-layer here, but that's not meta-openembedded top > level, but instead meta-oe sub-layer inside meta-openembedded. There are > sub-layers in there, which are not needed for meta-ti-bsp dependency. Same > thought goes to tpm-layer. Then we would only be including the tpm-layer in the layer setup, so we should change the dynamic layer name to match in the second patch. > >>> " >>> SIGGEN_EXCLUDERECIPES_ABISAFE += " \ >>> diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc >>> index 9d3cc612..15c05e04 100644 >>> --- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc >>> +++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc >>> @@ -5,7 +5,7 @@ >>> # TI_CORE_INITRAMFS_ENABLED = "0" >>> # >>> #------------------------------------------------------------------------------ >>> -TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}" >>> +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}" >>> TI_CORE_INITRAMFS_KERNEL_MODULES ?= "" >>> TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
diff --git a/meta-ti-bsp/conf/layer.conf b/meta-ti-bsp/conf/layer.conf index f78da573..36d05b5a 100644 --- a/meta-ti-bsp/conf/layer.conf +++ b/meta-ti-bsp/conf/layer.conf @@ -20,10 +20,15 @@ LAYERDEPENDS_meta-ti-bsp = " \ LAYERRECOMMENDS_meta-ti-bsp = " \ openembedded-layer \ + meta-security \ " BBFILES_DYNAMIC += " \ openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \ + security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ + security:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ + tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bb \ + tpm-layer:${LAYERDIR}/dynamic-layers/security/recipes*/*/*.bbappend \ " SIGGEN_EXCLUDERECIPES_ABISAFE += " \ diff --git a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc index 9d3cc612..15c05e04 100644 --- a/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc +++ b/meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc @@ -5,7 +5,7 @@ # TI_CORE_INITRAMFS_ENABLED = "0" # #------------------------------------------------------------------------------ -TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}" +TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}" TI_CORE_INITRAMFS_KERNEL_MODULES ?= "" TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""
Register dynamic-layers/security in layer.conf with BBFILES_DYNAMIC for both 'security' and 'tpm-layer' collections to conditionally build LUKS encryption support when meta-security/meta-tpm layers are present. Add meta-security to LAYERRECOMMENDS to document the optional dependency for LUKS functionality. Update ti-core-initramfs.inc to auto-enable initramfs generation when DISTRO_FEATURES contains 'luks'. Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com> --- meta-ti-bsp/conf/layer.conf | 5 +++++ meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-)