changed init file from the secure-core-image-initramfs to not load an unencrypted rootfs when using full disk encryption.

meta/recipes-core/initrdscripts/files/init

@@ -4,6 +4,8 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin"
 ROOTFS_MOUNT="/rootfs"
 INIT="/sbin/init"
 
+is_encrypted=0
+
 mount -t proc none /proc
 mount -t sysfs none /sys
 mount -t devtmpfs none /dev
@@ -33,12 +35,14 @@ mkdir -p "$ROOTFS_MOUNT"
 try_to_mount_rootfs() {
     local mount_flags="rw,noatime,iversion"
 
-    mount -o "$mount_flags" "$ROOTFS_DEV" "$ROOTFS_MOUNT" \
-        2>/dev/null && return 0
-
-    [ -x /init.cryptfs ] &&
-        /init.cryptfs "$ROOTFS_MOUNT" "$ROOTFS_DEV" \
-            "$mount_flags" && return 0
+    if [ $is_encrypted -eq 1 ] ; then
+        [ -x /init.cryptfs ] &&
+            /init.cryptfs "$ROOTFS_MOUNT" "$ROOTFS_DEV" \
+                "$mount_flags" && return 0
+    else
+        mount -o "$mount_flags" "$ROOTFS_DEV" "$ROOTFS_MOUNT" \
+            2>/dev/null && return 0
+    fi
 
     return 1
 }
@@ -76,4 +80,4 @@ exec "$switch_root" "$ROOTFS_MOUNT" "$INIT" || {
     "$ROOTFS_MOUNT/bin/echo.coreutils" "Couldn't switch to the real rootfs"
     # Cause kernel panic.
     exit 2
-}
+}

meta/recipes-core/initrdscripts/initrdscripts-secure-core.bb

@@ -11,6 +11,10 @@ SRC_URI = "\
 do_install() {
     install -m 0755 "${WORKDIR}/init" "${D}/init"
 
+    if [ "${FULL_DISK_ENCRYPTION}" = "1" ] && [ ${@bb.utils.contains("DISTRO_FEATURES", "luks", 'true', '', d)} ]; then
+        sed -i '0,/is_encrypted=0/s//is_encrypted=1/' ${D}/init
+    fi
+
     # Create device nodes expected by kernel in initramfs
     # before executing /init.
     install -d "${D}/dev"