Add initramfs module to dynamic-layers/tpm-layer providing LUKS2 full
disk encryption with TPM-sealed keys for TI K3 platforms. Keys are
sealed by firmware TPM (fTPM) running in OP-TEE and stored in eMMC
RPMB.

Features:
- First-boot in-place encryption with tpm2_getrandom key generation
- TPM-sealed key storage via persistent handle 0x81080001
- Automatic unlock on subsequent boots
- Space verification ensuring 32MB available for LUKS header

The module is built only when meta-tpm layer is present and gets
included in initramfs only when DISTRO_FEATURES='luks' and
MACHINE_FEATURES='optee-ftpm'.

LUKS packages (cryptsetup, tpm2-tools, tpm2-tss, optee-ftpm,
e2fsprogs-*) significantly increase initramfs size beyond the default
131072 limit. Increase INITRAMFS_MAXSIZE to 200000 to accommodate
these packages.

Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
Signed-off-by: Ryan Eatmon <reatmon@ti.com>

Since cifs-utils is available in meta-openembedded, not OE-Core, it
cannot be added to this packagegroup unconditionally, as meta-ti-bsp
doesn't depend on meta-oe, only recommends it.

As it breaks yocto-check-layer now, move cifs-utils addition to
dynamic-layers to be added conditionally on meta-oe presence.

Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Ryan Eatmon <reatmon@ti.com>

The gitpkgv class we are using to set UBOOT_VERSION is located in
meta-openembedded. We do not want to depend on meta-openembedded to
keep meta-ti-bsp as light as possible, and the naming of UBOOT_VERSION
is not a requirement, just a nice to have. Dynamic layers allow us to
use the class if it is available in the build, but not require it.

Signed-off-by: Ryan Eatmon <reatmon@ti.com>

The mesa.inc that we inherit from oe-core now has the required
parameters. This conditional append is no longer required.

This reverts commit dbc6afc46e.

Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Ryan Eatmon <reatmon@ti.com>

Meta-clang provides a bbappend for mesa to use clang to accelerate its
rasterization with runtime code generation through the use of llvmpipe.
With the addition of mesa-pvr we no longer get this for free with the
blanket mesa bbappend on the devices that explicitly request mesa-pvr so
let's add a dynamic layer to append the same args meta-clang does.

Though the number of devices that would select pvr-mesa and still want
to use software rendering is small, it's not zero due to debug and
testing purposes.

Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Ryan Eatmon <reatmon@ti.com>