conf: Add falcon support natively

Add support for building falcon natively and remove the ti-falcon build
option.

Signed-off-by: Ryan Eatmon <reatmon@ti.com>

check_yocto_rules.json

@@ -20,7 +20,8 @@
             "meta-ti-bsp/recipes-security/optee/optee-%.bbappend",
             "meta-ti-bsp/dynamic-layers/openembedded-layer/recipes-bsp/u-boot/u-boot-ti-%.bbappend",
             "meta-ti-bsp/dynamic-layers/openembedded-layer/recipes-ti/initramfs/packagegroup-ti-core-initramfs.bbappend",
-            "meta-ti-bsp/dynamic-layers/tpm-layer/recipes-ti/initramfs/packagegroup-ti-core-initramfs.bbappend"
+            "meta-ti-bsp/dynamic-layers/tpm-layer/recipes-ti/initramfs/packagegroup-ti-core-initramfs.bbappend",
+            "meta-ti-bsp/dynamic-layers/tpm-layer/recipes-ti/initramfs/ti-core-initramfs.bbappend"
         ]
     },
     "GUARD-2" : {

meta-ti-bsp/conf/layer.conf

@@ -20,10 +20,13 @@ LAYERDEPENDS_meta-ti-bsp = " \
 
 LAYERRECOMMENDS_meta-ti-bsp = " \
     openembedded-layer \
+    tpm-layer \
 "
 
 BBFILES_DYNAMIC += " \
     openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/recipes*/*/*.bbappend \
+    tpm-layer:${LAYERDIR}/dynamic-layers/tpm-layer/recipes*/*/*.bb \
+    tpm-layer:${LAYERDIR}/dynamic-layers/tpm-layer/recipes*/*/*.bbappend \
 "
 
 SIGGEN_EXCLUDERECIPES_ABISAFE += " \

meta-ti-bsp/conf/machine/am62axx-evm-k3r5.conf

@@ -4,14 +4,14 @@
 
 require conf/machine/include/k3r5.inc
 
-UBOOT_MACHINE = "am62ax_evm_r5_defconfig"
-UBOOT_MACHINE:tie-test-builds = ""
+UBOOT_MACHINE = ""
 
-UBOOT_CONFIG = ""
-UBOOT_CONFIG:tie-test-builds = "usbdfu main"
+#XXX UBOOT_CONFIG = "falcon main"
+UBOOT_CONFIG = "main"
+UBOOT_CONFIG:prepend:tie-test-builds = "usbdfu "
 UBOOT_CONFIG[main] = "am62ax_evm_r5_defconfig"
+UBOOT_CONFIG[falcon] = "am62ax_evm_r5_defconfig"
 UBOOT_CONFIG[usbdfu] = "am62ax_evm_r5_defconfig"
 
+UBOOT_CONFIG_FRAGMENTS[falcon] = "k3_r5_falcon.config"
 UBOOT_CONFIG_FRAGMENTS[usbdfu] = "am62x_r5_usbdfu.config"
-
-UBOOT_FRAGMENTS:ti-falcon = "k3_r5_falcon.config"

meta-ti-bsp/conf/machine/am62axx-evm.conf

@@ -3,6 +3,7 @@
 #@DESCRIPTION: Machine configuration for the TI AM62AXX EVM
 
 require conf/machine/include/am62axx.inc
+#XXX require conf/machine/include/ti-falcon.inc
 
 KERNEL_DEVICETREE_PREFIX = " \
     ti/k3-am62a7 \

meta-ti-bsp/conf/machine/am62lxx-evm.conf

@@ -17,3 +17,10 @@ KERNEL_DEVICETREE_PREFIX = " \
 KERNEL_DEVICETREE = ""
 
 UBOOT_MACHINE = "am62lx_evm_defconfig"
+FIT_CONF_DEFAULT_DTB = "k3-am62l3-evm.dtb"
+UBOOT_LOADADDRESS = "0x82400000"
+UBOOT_ENTRYPOINT = "0x82400000"
+UBOOT_RD_LOADADDRESS = "0x84000000"
+UBOOT_RD_ENTRYPOINT = "0x84000000"
+UBOOT_DTB_LOADADDRESS = "0x84f00000"
+UBOOT_DTBO_LOADADDRESS = "0x84f80000"

meta-ti-bsp/conf/machine/am62pxx-evm-k3r5.conf

@@ -11,15 +11,18 @@ UBOOT_ECDSA_SIGN_CONFIG:bsp-ti-6_6 = ""
 UBOOT_ECDSA_SIGN_CONFIG:bsp-next = ""
 UBOOT_ECDSA_SIGN_CONFIG:bsp-mainline = ""
 
+#UBOOT_CONFIG = "${UBOOT_ECDSA_SIGN_CONFIG} falcon main"
 UBOOT_CONFIG = "${UBOOT_ECDSA_SIGN_CONFIG} main"
 UBOOT_CONFIG:prepend:tie-test-builds = "usbdfu "
 
 UBOOT_CONFIG[main] = "am62px_evm_r5_defconfig"
+UBOOT_CONFIG[falcon] = "am62ax_evm_r5_defconfig"
 UBOOT_CONFIG[ecdsa] = "am62px_evm_r5_defconfig"
 UBOOT_CONFIG[usbdfu] = "am62px_evm_r5_defconfig"
 
 UBOOT_CONFIG_MAKE_OPTS[ecdsa] = "${TI_SIGN_WITH_ECDSA_KEY}"
 
+UBOOT_CONFIG_FRAGMENTS[falcon] = "k3_r5_falcon.config"
 UBOOT_CONFIG_FRAGMENTS[usbdfu] = "am62x_r5_usbdfu.config"
 
 UBOOT_FRAGMENTS:ti-falcon = "k3_r5_falcon.config"

meta-ti-bsp/conf/machine/am62pxx-evm.conf

@@ -3,6 +3,7 @@
 #@DESCRIPTION: Machine configuration for the TI AM62PX EVM
 
 require conf/machine/include/am62pxx.inc
+#XXX require conf/machine/include/ti-falcon.inc
 
 KERNEL_DEVICETREE_PREFIX = " \
     ti/k3-am62p5 \

meta-ti-bsp/conf/machine/am62xx-evm-k3r5.conf

@@ -4,14 +4,13 @@
 
 require conf/machine/include/k3r5.inc
 
-UBOOT_MACHINE = "am62x_evm_r5_defconfig"
-UBOOT_MACHINE:tie-test-builds = ""
+UBOOT_MACHINE = ""
 
-UBOOT_CONFIG = ""
-UBOOT_CONFIG:tie-test-builds = "usbdfu main"
+UBOOT_CONFIG = "falcon main"
+UBOOT_CONFIG:prepend:tie-test-builds = "usbdfu "
 UBOOT_CONFIG[main] = "am62x_evm_r5_defconfig"
+UBOOT_CONFIG[falcon] = "am62x_evm_r5_defconfig"
 UBOOT_CONFIG[usbdfu] = "am62x_evm_r5_defconfig"
 
+UBOOT_CONFIG_FRAGMENTS[falcon] = "k3_r5_falcon.config"
 UBOOT_CONFIG_FRAGMENTS[usbdfu] = "am62x_r5_usbdfu.config"
-
-UBOOT_FRAGMENTS:ti-falcon = "k3_r5_falcon.config"

meta-ti-bsp/conf/machine/am62xx-evm.conf

@@ -3,6 +3,7 @@
 #@DESCRIPTION: Machine configuration for the TI AM62XX EVM
 
 require conf/machine/include/am62xx.inc
+require conf/machine/include/ti-falcon.inc
 
 KERNEL_DEVICETREE_PREFIX = " \
     ti/k3-am625 \

meta-ti-bsp/conf/machine/am62xx-lp-evm-k3r5.conf

@@ -4,14 +4,14 @@
 
 require conf/machine/include/k3r5.inc
 
-UBOOT_MACHINE = "am62x_lpsk_r5_defconfig"
-UBOOT_MACHINE:tie-test-builds = ""
+UBOOT_MACHINE = ""
 
-UBOOT_CONFIG = ""
-UBOOT_CONFIG:tie-test-builds = "usbdfu main"
+#XXX UBOOT_CONFIG = "falcon main"
+UBOOT_CONFIG = "main"
+UBOOT_CONFIG:prepend:tie-test-builds = "usbdfu "
 UBOOT_CONFIG[main] = "am62x_lpsk_r5_defconfig"
+UBOOT_CONFIG[falcon] = "am62x_lpsk_r5_defconfig"
 UBOOT_CONFIG[usbdfu] = "am62x_lpsk_r5_defconfig"
 
+UBOOT_CONFIG_FRAGMENTS[falcon] = "k3_r5_falcon.config"
 UBOOT_CONFIG_FRAGMENTS[usbdfu] = "am62x_r5_usbdfu.config"
-
-UBOOT_FRAGMENTS:ti-falcon = "k3_r5_falcon.config"

meta-ti-bsp/conf/machine/am62xx-lp-evm.conf

@@ -3,6 +3,7 @@
 #@DESCRIPTION: Machine configuration for the TI AM62XX LP EVM
 
 require conf/machine/include/am62xx.inc
+#XXX require conf/machine/include/ti-falcon.inc
 
 KERNEL_DEVICETREE_PREFIX = " \
     ti/k3-am62-lp \

meta-ti-bsp/conf/machine/include/j784s4.inc

@@ -12,7 +12,7 @@ TFA_BOARD = "j784s4"
 
 OPTEEMACHINE = "k3-j784s4"
 
-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "cadence-mhdp-fw cnm-wave-fw ti-eth-fw-j784s4"
+MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "cadence-mhdp-fw cnm-wave-fw"
 
 TI_CORE_INITRAMFS_KERNEL_MODULES = "kernel-module-cdns-pltfrm kernel-module-ti-j721e-ufs"
 TI_CORE_INITRAMFS_KERNEL_MODULES:bsp-ti-6_6 = ""

meta-ti-bsp/conf/machine/include/k3.inc

@@ -33,6 +33,11 @@ MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image-image ti-kernel-fitimage"
 
 TFA_PLATFORM = "k3"
 
+# Change the default memory location for all k3 devices.  This requires an
+# in layer config fragment for u-boot.
+TFA_K3_PRELOADED_BL33 ?= "${@ '0x82000000' if d.getVar('BSP_TI_K3_TFA_MOVE') else ''}"
+TFA_K3_HW_CONFIG_BASE ?= "${@ '0x88000000' if d.getVar('BSP_TI_K3_TFA_MOVE') else ''}"
+
 # Use the expected value of the ubifs filesystem's volume name in the kernel
 # and u-boot.
 UBI_VOLNAME = "rootfs"
@@ -55,9 +60,4 @@ TI_WKS_BOOTLOADER_APPEND ?= "console=${KERNEL_CONSOLE}"
 
 do_image_wic[depends] += "virtual/bootloader:do_deploy"
 
-SERIAL_CONSOLES = "115200;ttyS0 115200;ttyS2"
-
-FALCON_INCLUDE = ""
-FALCON_INCLUDE:ti-falcon = "conf/machine/include/ti-falcon.inc"
-
-require ${FALCON_INCLUDE}
+SERIAL_CONSOLES = "115200;ttyS2 115200;ttyS0"

meta-ti-bsp/conf/machine/include/ti-bsp.inc

@@ -46,6 +46,8 @@ BSP_ROGUE_DRIVER_PROVIDER:bsp-ti-6_18 = "ti-img-rogue-driver"
 BSP_ROGUE_DRIVER_VERSION:bsp-ti-6_18 = "25%"
 BSP_MESA_PVR_VERSION:bsp-ti-6_18 = "24%"
 
+BSP_TI_K3_TFA_MOVE:bsp-ti-6_18 = "1"
+
 # ==========
 # ti-6_12
 # TI staging kernel 6.12, u-boot 2025.01
@@ -95,6 +97,8 @@ BSP_ROGUE_DRIVER_PROVIDER ?= ""
 BSP_ROGUE_DRIVER_VERSION ?= ""
 BSP_MESA_PVR_VERSION ?= ""
 
+BSP_TI_K3_TFA_MOVE ?= ""
+
 # ==========
 # global preferences
 # ==========

meta-ti-bsp/conf/machine/include/ti-core-initramfs.inc

@@ -5,7 +5,7 @@
 #   TI_CORE_INITRAMFS_ENABLED = "0"
 #
 #------------------------------------------------------------------------------
-TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') else '0'}"
+TI_CORE_INITRAMFS_ENABLED ?= "${@ '1' if d.getVar('TI_CORE_INITRAMFS_KERNEL_MODULES') or d.getVar('TI_CORE_INITRAMFS_EXTRA_INSTALL') or bb.utils.contains('DISTRO_FEATURES', 'luks', True, False, d) else '0'}"
 
 TI_CORE_INITRAMFS_KERNEL_MODULES ?= ""
 TI_CORE_INITRAMFS_EXTRA_INSTALL ?= ""

meta-ti-bsp/conf/machine/include/ti-falcon.inc

@@ -1,5 +1,4 @@
-IMAGE_INSTALL:append = " u-boot-ti-staging-falcon"
-KERNEL_CLASSES:remove = "kernel-fit-extra-artifacts"
-MACHINE_ESSENTIAL_EXTRA_RDEPENDS:remove = "ti-kernel-fitimage"
-KERNEL_CLASSES += "kernel-fitimage-legacyhs"
-FIT_KERNEL_COMP_ALG = "none"
+#KERNEL_CLASSES:remove = "kernel-fit-extra-artifacts"
+#MACHINE_ESSENTIAL_EXTRA_RDEPENDS:remove = "ti-kernel-fitimage"
+#KERNEL_CLASSES += "kernel-fitimage-legacyhs"
+#FIT_KERNEL_COMP_ALG = "none"

meta-ti-bsp/conf/machine/j784s4-evm.conf

@@ -27,3 +27,5 @@ KERNEL_DEVICETREE = " \
 "
 
 UBOOT_MACHINE = "j784s4_evm_a72_defconfig"
+
+MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "ti-eth-fw-j784s4"

meta-ti-bsp/dynamic-layers/tpm-layer/recipes-ti/initramfs/initramfs-module-luks-ftpm/luksftpm

@@ -0,0 +1,341 @@
+#!/bin/sh
+# initramfs-framework module for LUKS encryption with fTPM support
+
+# Configuration
+BOOT_DEV="/dev/mmcblk1p1"           # Boot partition (FAT, unencrypted)
+ROOT_DEV="/dev/mmcblk1p2"           # Root partition (will be encrypted)
+CRYPT_NAME="root_crypt"
+CRYPT_DEV="/dev/mapper/${CRYPT_NAME}"
+BOOT_MNT="/boot_part"
+TPM_PRIMARY_CTX="/tmp/tpm_primary.ctx"
+TPM_KEY_PRIV="/tmp/tpm_key.priv"
+TPM_KEY_PUB="/tmp/tpm_key.pub"
+TPM_KEY_CTX="/tmp/tpm_key.ctx"
+TPM2_HANDLE="0x81080001"            # TPM persistent handle for LUKS key
+ENCRYPTION_MARKER="${BOOT_MNT}/.encryption_in_progress"
+
+# Wait for MMC device to appear
+wait_for_device() {
+    local device="$1"
+    local timeout="${2:-10}"
+
+    msg "Waiting for storage device ${device}..."
+    for i in $(seq 1 ${timeout}); do
+        if [ -b "${device}" ]; then
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}
+
+# Initialize fTPM and check availability
+init_ftpm() {
+    msg "Initializing secure hardware (fTPM)..."
+
+    # Start TEE supplicant (required for fTPM TA to work)
+    if [ -x /usr/sbin/tee-supplicant ]; then
+        /usr/sbin/tee-supplicant -d &
+        TEE_SUPPLICANT_PID=$!
+        sleep 5
+    else
+        info "Warning: Trusted execution environment not available"
+        return 1
+    fi
+
+    # Load fTPM kernel module
+    if ! /sbin/modprobe tpm_ftpm_tee; then
+        info "Warning: TPM module failed to load"
+        return 1
+    fi
+
+    # Wait for TPM device
+    for i in $(seq 1 10); do
+        if [ -c /dev/tpmrm0 ]; then
+            export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
+            return 0
+        fi
+        sleep 1
+    done
+
+    info "Warning: fTPM not available - encryption will be skipped"
+    return 1
+}
+
+# Generate 32-byte random key using TPM RNG
+generate_random_key() {
+    /usr/bin/tpm2_getrandom --hex 32
+}
+
+# Seal data with TPM and store in persistent handle
+tpm_seal_key() {
+    local KEY_DATA="$1"
+
+    # Create primary key in owner hierarchy
+    /usr/bin/tpm2_createprimary -C o -c "${TPM_PRIMARY_CTX}" -Q || return 1
+
+    # Create sealed object
+    echo -n "${KEY_DATA}" | \
+        /usr/bin/tpm2_create -C "${TPM_PRIMARY_CTX}" \
+        -u "${TPM_KEY_PUB}" -r "${TPM_KEY_PRIV}" \
+        -i- -Q || return 1
+
+    # Load sealed object into TPM
+    /usr/bin/tpm2_load -C "${TPM_PRIMARY_CTX}" \
+        -u "${TPM_KEY_PUB}" -r "${TPM_KEY_PRIV}" \
+        -c "${TPM_KEY_CTX}" -Q || return 1
+
+    # Make key persistent at handle (stored in TPM NV RAM - RPMB)
+    /usr/bin/tpm2_evictcontrol -C o -c "${TPM_KEY_CTX}" "${TPM2_HANDLE}" || return 1
+
+    return 0
+}
+
+# Unseal data from TPM persistent handle
+tpm_unseal_key() {
+    # Check if persistent handle exists
+    if ! /usr/bin/tpm2_getcap handles-persistent | grep -q "${TPM2_HANDLE}"; then
+        debug "ERROR: TPM persistent handle not found"
+        return 1
+    fi
+
+    # Unseal key directly from persistent handle
+    /usr/bin/tpm2_unseal -c "${TPM2_HANDLE}" || return 1
+
+    return 0
+}
+
+# Perform in-place LUKS encryption (first boot)
+encrypt_root_filesystem() {
+    msg "=========================================="
+    msg "First boot: Encrypting root filesystem"
+    msg "=========================================="
+
+    # Set marker to track encryption progress
+    touch "${ENCRYPTION_MARKER}"
+    sync
+
+    # Generate random encryption key using TPM RNG
+    msg "Generating encryption key..."
+    LUKS_KEY=$(generate_random_key)
+
+    if [ -z "${LUKS_KEY}" ]; then
+        msg "ERROR: Failed to generate encryption key"
+        rm -f "${ENCRYPTION_MARKER}"
+        return 1
+    fi
+
+    # Seal key with TPM before encryption starts
+    msg "Securing key with TPM..."
+    if ! tpm_seal_key "${LUKS_KEY}"; then
+        msg "ERROR: Failed to secure key"
+        rm -f "${ENCRYPTION_MARKER}"
+        return 1
+    fi
+
+    # Filesystem check before encryption
+    msg "Checking filesystem integrity..."
+    /usr/sbin/e2fsck -f -y "${ROOT_DEV}"
+    E2FSCK_RET=$?
+    if [ ${E2FSCK_RET} -ge 4 ]; then
+        msg "ERROR: Filesystem check failed"
+        rm -f "${ENCRYPTION_MARKER}"
+        return 1
+    fi
+
+    # Shrink filesystem before encryption to leave room for LUKS header
+    msg "Preparing filesystem for encryption..."
+    /usr/sbin/resize2fs -M "${ROOT_DEV}" || {
+        msg "ERROR: Failed to prepare filesystem"
+        rm -f "${ENCRYPTION_MARKER}"
+        return 1
+    }
+
+    # Verify partition has sufficient space for LUKS header
+    msg "Verifying space for encryption..."
+    MIN_BLOCKS=$(/usr/sbin/resize2fs -P "${ROOT_DEV}" 2>&1 | awk '/[Mm]inimum.*:/ {print $NF}')
+
+    # Get filesystem block size and device size
+    BLOCK_SIZE=$(/usr/sbin/tune2fs -l "${ROOT_DEV}" 2>/dev/null | awk '/^Block size:/ {print $NF}')
+    DEV_NAME=$(basename "${ROOT_DEV}")
+    PART_SECTORS=$(cat /sys/class/block/"${DEV_NAME}"/size 2>/dev/null)
+
+    if [ -z "${MIN_BLOCKS}" ] || [ -z "${BLOCK_SIZE}" ] || [ -z "${PART_SECTORS}" ]; then
+        msg "ERROR: Unable to determine partition geometry"
+        rm -f "${ENCRYPTION_MARKER}"
+        return 1
+    fi
+
+    # Convert filesystem blocks to 512-byte sectors
+    MIN_SECTORS=$((MIN_BLOCKS * BLOCK_SIZE / 512))
+    LUKS_SECTORS=65536  # 32MB in 512-byte sectors
+
+    if [ $((PART_SECTORS - MIN_SECTORS)) -lt ${LUKS_SECTORS} ]; then
+        msg "ERROR: Insufficient space for LUKS header (need 32MB free)"
+        rm -f "${ENCRYPTION_MARKER}"
+        return 1
+    fi
+
+    # Perform in-place encryption
+    msg "=========================================="
+    msg "Encrypting filesystem..."
+    msg "This will take several minutes."
+    msg "DO NOT POWER OFF THE DEVICE!"
+    msg "=========================================="
+
+    echo -n "${LUKS_KEY}" | \
+        /usr/sbin/cryptsetup reencrypt --encrypt \
+        --type luks2 \
+        --cipher aes-xts-plain64 \
+        --key-size 256 \
+        --hash sha256 \
+        --reduce-device-size 32M \
+        --key-file - \
+        "${ROOT_DEV}" || {
+        msg "ERROR: Encryption failed"
+        rm -f "${ENCRYPTION_MARKER}"
+        return 1
+    }
+
+    msg "=========================================="
+    msg "Encryption completed successfully!"
+    msg "=========================================="
+
+    # Remove encryption marker
+    rm -f "${ENCRYPTION_MARKER}"
+    sync
+
+    # Unlock the newly encrypted device
+    msg "Activating encrypted filesystem..."
+    echo -n "${LUKS_KEY}" | \
+        /usr/sbin/cryptsetup luksOpen "${ROOT_DEV}" "${CRYPT_NAME}" --key-file - || {
+        msg "ERROR: Failed to activate encrypted filesystem"
+        return 1
+    }
+
+    # Resize filesystem to fit the encrypted device
+    msg "Optimizing filesystem..."
+    /usr/sbin/resize2fs -f "${CRYPT_DEV}" || {
+        msg "ERROR: Failed to optimize filesystem"
+        return 1
+    }
+
+    # Verify filesystem after resize
+    /usr/sbin/e2fsck -f -y "${CRYPT_DEV}" || {
+        info "WARNING: Filesystem verification had issues, but continuing"
+    }
+
+    return 0
+}
+
+# Unlock encrypted root filesystem (subsequent boots)
+unlock_encrypted_root() {
+    msg "Unlocking encrypted filesystem..."
+
+    # Unseal key from TPM persistent handle
+    LUKS_KEY=$(tpm_unseal_key)
+
+    if [ -z "${LUKS_KEY}" ]; then
+        msg "ERROR: Failed to retrieve encryption key from TPM"
+        msg "Attempting passphrase fallback..."
+
+        # Try to unlock with passphrase (interactive)
+        /usr/sbin/cryptsetup luksOpen "${ROOT_DEV}" "${CRYPT_NAME}" || {
+            fatal "ERROR: Failed to unlock encrypted filesystem"
+        }
+    else
+        # Unlock with unsealed key
+        echo -n "${LUKS_KEY}" | \
+            /usr/sbin/cryptsetup luksOpen "${ROOT_DEV}" "${CRYPT_NAME}" --key-file - || {
+            fatal "ERROR: Failed to unlock with TPM key"
+        }
+    fi
+
+    msg "Encrypted filesystem unlocked"
+}
+
+# Module enabled check
+luksftpm_enabled() {
+    # Always run this module - it handles both encrypted and unencrypted cases
+    return 0
+}
+
+# Module main function
+luksftpm_run() {
+    # Wait for storage device
+    if ! wait_for_device "${ROOT_DEV}" 10; then
+        info "Storage device not found, skipping encryption module"
+        return 0
+    fi
+
+    # Mount boot partition
+    msg "Mounting boot partition..."
+    mkdir -p "${BOOT_MNT}"
+    if ! mount "${BOOT_DEV}" "${BOOT_MNT}"; then
+        info "ERROR: Failed to mount boot partition, attempting standard boot..."
+        mkdir -p ${ROOTFS_DIR}
+        mount "${ROOT_DEV}" ${ROOTFS_DIR}
+        return 0
+    fi
+
+    # Initialize fTPM
+    TPM_AVAILABLE=0
+    if init_ftpm; then
+        TPM_AVAILABLE=1
+    fi
+
+    # Check filesystem encryption status
+    msg "Checking filesystem encryption status..."
+
+    MOUNT_DEV="${ROOT_DEV}"
+
+    if /usr/sbin/cryptsetup isLuks "${ROOT_DEV}"; then
+        msg "Filesystem is encrypted"
+        unlock_encrypted_root
+        MOUNT_DEV="${CRYPT_DEV}"
+    else
+        msg "Filesystem is not encrypted"
+
+        # Check if encryption is enabled and TPM is available
+        if [ $TPM_AVAILABLE -eq 1 ]; then
+            # Check for encryption marker (resume interrupted encryption)
+            if [ -f "${ENCRYPTION_MARKER}" ]; then
+                msg "Resuming interrupted encryption..."
+                if ! encrypt_root_filesystem; then
+                    msg "ERROR: Failed to resume encryption"
+                    msg "Booting without encryption..."
+                    MOUNT_DEV="${ROOT_DEV}"
+                else
+                    MOUNT_DEV="${CRYPT_DEV}"
+                fi
+            else
+                # First boot - perform encryption
+                if encrypt_root_filesystem; then
+                    MOUNT_DEV="${CRYPT_DEV}"
+                else
+                    msg "ERROR: Encryption failed - booting without encryption"
+                    MOUNT_DEV="${ROOT_DEV}"
+                fi
+            fi
+        else
+            msg "TPM not available - skipping encryption"
+            MOUNT_DEV="${ROOT_DEV}"
+        fi
+    fi
+
+    # Unmount boot partition before switching root
+    umount "${BOOT_MNT}"
+
+    # Mount root filesystem to $ROOTFS_DIR (framework expects this)
+    msg "Mounting root filesystem..."
+    mkdir -p ${ROOTFS_DIR}
+    mount "${MOUNT_DEV}" ${ROOTFS_DIR} || {
+        fatal "ERROR: Failed to mount root filesystem!"
+    }
+
+    # Clean up tmpfs and sensitive variables
+    rm -f "${TPM_PRIMARY_CTX}" "${TPM_KEY_PUB}" "${TPM_KEY_PRIV}" "${TPM_KEY_CTX}"
+    unset LUKS_KEY TPM_AVAILABLE MOUNT_DEV TEE_SUPPLICANT_PID
+
+    msg "Boot complete"
+}

meta-ti-bsp/dynamic-layers/tpm-layer/recipes-ti/initramfs/initramfs-module-luks-ftpm_1.0.bb

@@ -0,0 +1,43 @@
+SUMMARY = "initramfs support for LUKS encryption with fTPM"
+DESCRIPTION = "Provides LUKS2 full disk encryption using firmware TPM (fTPM) for key management on TI K3 platforms"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# Only build for platforms with optee-ftpm support
+COMPATIBLE_MACHINE = "null"
+COMPATIBLE_MACHINE:k3 = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-ftpm', '.*', 'null', d)}"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI = "file://luksftpm"
+
+S = "${UNPACKDIR}"
+
+do_install() {
+    install -d ${D}/init.d
+    # Install as 85-luksftpm (runs after udev at 01, before rootfs at 90)
+    install -m 0755 ${UNPACKDIR}/luksftpm ${D}/init.d/85-luksftpm
+}
+
+FILES:${PN} = "/init.d/85-luksftpm"
+
+# Runtime dependencies
+RDEPENDS:${PN} = "\
+    initramfs-framework-base \
+    busybox \
+    kmod \
+    cryptsetup \
+    tpm2-tools \
+    tpm2-tss \
+    libtss2-tcti-device \
+    optee-client \
+    optee-ftpm \
+    e2fsprogs-e2fsck \
+    e2fsprogs-resize2fs \
+    e2fsprogs-tune2fs \
+    util-linux-blkid \
+    kernel-module-tpm-ftpm-tee \
+"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"

meta-ti-bsp/dynamic-layers/tpm-layer/recipes-ti/initramfs/packagegroup-ti-core-initramfs.bbappend

@@ -0,0 +1,3 @@
+LUKS_ENCRYPTION ?= "${@bb.utils.contains('MACHINE_FEATURES', 'optee-ftpm', 'initramfs-module-luks-ftpm', '', d)}"
+
+RDEPENDS:${PN}:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'luks', '${LUKS_ENCRYPTION}', '', d)}"

meta-ti-bsp/dynamic-layers/tpm-layer/recipes-ti/initramfs/ti-core-initramfs.bbappend

@@ -0,0 +1 @@
+INITRAMFS_MAXSIZE = "200000"

meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc

@@ -28,5 +28,5 @@ TFA_INSTALL_TARGET:am62lxx = "bl31 bl1"
 EXTRA_OEMAKE += "${@ 'K3_USART=' + d.getVar('TFA_K3_USART') if d.getVar('TFA_K3_USART') else ''}"
 EXTRA_OEMAKE += "${@ 'BL32_BASE=' + d.getVar('TFA_K3_BL32_BASE') if d.getVar('TFA_K3_BL32_BASE') else ''}"
 EXTRA_OEMAKE += "${@ 'PRELOADED_BL33_BASE=' + d.getVar('TFA_K3_PRELOADED_BL33') if d.getVar('TFA_K3_PRELOADED_BL33') else ''}"
+EXTRA_OEMAKE += "${@ 'K3_HW_CONFIG_BASE=' + d.getVar('TFA_K3_HW_CONFIG_BASE') if d.getVar('TFA_K3_HW_CONFIG_BASE') else ''}"
 EXTRA_OEMAKE += "${@ 'K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
-EXTRA_OEMAKE:append:ti-falcon = " PRELOADED_BL33_BASE=0x82000000 K3_HW_CONFIG_BASE=0x88000000"

meta-ti-bsp/recipes-bsp/u-boot/ti-extras.inc

@@ -7,6 +7,6 @@ BRANCH:tie-jailhouse:bsp-ti-6_12 = "ti-u-boot-2025.01-jailhouse"
 BRANCH:tie-jailhouse:bsp-ti-6_18 = "ti-u-boot-2026.01-jailhouse"
 
 SRCREV_uboot:tie-jailhouse:bsp-ti-6_12 = "e718bbcec3ebf663c021839753034a224be4cc53"
-SRCREV_uboot:tie-jailhouse:bsp-ti-6_18 = "cfac87057b6fed15c4be4f1d35bf0c4001807484"
+SRCREV_uboot:tie-jailhouse:bsp-ti-6_18 = "53a287d24610f0747ae4e35cff2afa3af23a48e3"
 
 UBOOT_GIT_URI:tie-jailhouse = "git://git.ti.com/git/processor-sdk/u-boot.git"

meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti-mainline_git.bb

@@ -2,8 +2,8 @@ require u-boot-ti.inc
 
 SUMMARY = "Mainline U-Boot for TI devices"
 
-PV = "2026.01"
+PV = "2026.04"
 
 UBOOT_GIT_URI = "git://source.denx.de/u-boot/u-boot.git"
 
-SRCREV_uboot = "127a42c7257a6ffbbd1575ed1cbaa8f5408a44b3"
+SRCREV_uboot = "88dc2788777babfd6322fa655df549a019aa1e69"

meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti-staging_2026.01.bb

@@ -4,4 +4,4 @@ PR = "r0"
 
 BRANCH = "ti-u-boot-2026.01"
 
-SRCREV_uboot = "a46241db71e383bb6dda103ecad12b13e7af3c38"
+SRCREV_uboot = "2549829cc194ffd9e38b755d2e10c7fc4cd971eb"

meta-ti-bsp/recipes-bsp/u-boot/u-boot-ti.inc

@@ -25,6 +25,15 @@ UBOOT_GIT_PROTOCOL ?= "https"
 UBOOT_GIT_BRANCH ?= "branch=${BRANCH}"
 SRC_URI = "${UBOOT_GIT_URI};protocol=${UBOOT_GIT_PROTOCOL};${UBOOT_GIT_BRANCH};name=uboot"
 
+# Match the meta-ti trusted-firmware-a specific changes to memory locations
+# for bl33 and k3 hardware.
+TI_K3_TFA_CFG_FILES = "\
+    file://k3_tfa.cfg \
+    file://0001-env-Make-the-env-based-on-KConfig-instead-of-hardcod.patch \
+"
+
+SRC_URI:append:k3 = " ${@ '${TI_K3_TFA_CFG_FILES}' if d.getVar('BSP_TI_K3_TFA_MOVE') else ''}"
+
 SRCREV_FORMAT = "uboot"
 
 PV:append = "+git"
@@ -403,18 +412,12 @@ do_deploy:append:am62pxx() {
 	install -m 0644 ${S}/tools/logos/ti_logo_414x97_32bpp.bmp.gz ${DEPLOYDIR}
 }
 
-do_install:append:ti-falcon() {
+do_install:append() {
+    if [ -f ${B}/tifalcon.bin ]; then
 	install -m 0644 ${B}/tifalcon.bin ${D}/boot
+    fi
 }
 
-FALCON_PKG = ""
-FALCON_PKG:ti-falcon = "${PN}-falcon "
-
-PACKAGES:prepend:am62xx-evm = "${FALCON_PKG} "
-PACKAGES:prepend:am62axx-evm = "${FALCON_PKG} "
-PACKAGES:prepend:am62pxx-evm = "${FALCON_PKG} "
-PACKAGES:prepend:am62xx-lp-evm = "${FALCON_PKG} "
-
 TOOLCHAIN = "gcc"
 
 TI_SIGN_WITH_ECDSA_KEY ?= "SIGNING_KEY=${THISDIR}/files/custMpk_ecdsa.key"

meta-ti-bsp/recipes-bsp/u-boot/u-boot/0001-env-Make-the-env-based-on-KConfig-instead-of-hardcod.patch

@@ -0,0 +1,32 @@
+From 25569d2b31a4dcb73bb55cffe13c95afd9441987 Mon Sep 17 00:00:00 2001
+From: Ryan Eatmon <reatmon@ti.com>
+Date: Wed, 4 Feb 2026 14:07:39 -0600
+Subject: [PATCH] env: Make the env based on KConfig instead of hardcoded
+
+testing...
+
+Upstream-Status: Pending
+
+Signed-off-by: Ryan Eatmon <reatmon@ti.com>
+---
+ include/env/ti/k3_dfu.env | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/env/ti/k3_dfu.env b/include/env/ti/k3_dfu.env
+index 2ea8554d413..3a3eb959b94 100644
+--- a/include/env/ti/k3_dfu.env
++++ b/include/env/ti/k3_dfu.env
+@@ -25,8 +25,8 @@ dfu_alt_info_ospi=
+ 	rootfs raw 0x800000 0x3800000
+ 
+ dfu_alt_info_ram=
+-	tispl.bin ram 0x80080000 0x200000;
+-	u-boot.img ram 0x81000000 0x400000
++	tispl.bin ram CONFIG_SPL_TEXT_BASE 0x200000;
++	u-boot.img ram CONFIG_TEXT_BASE 0x400000
+ 
+ dfu_alt_info_ospi_nand=
+ 	ospi.tiboot3 part 1;
+-- 
+2.43.0
+

meta-ti-bsp/recipes-bsp/u-boot/u-boot/k3_tfa.cfg

@@ -0,0 +1,7 @@
+CONFIG_TEXT_BASE=0x82f80000
+CONFIG_BLOBLIST_ADDR=0x82c80000
+CONFIG_SPL_TEXT_BASE=0x82000000
+CONFIG_SPL_STACK_R_ADDR=0x83f80000
+CONFIG_SPL_BSS_START_ADDR=0x82c00000
+CONFIG_SPL_LOAD_FIT_ADDRESS=0x82f80000
+CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x82b00000

meta-ti-bsp/recipes-graphics/mesa/mesa-pvr-24.0.1/0001-gallivm-Fix-armhf-build-against-LLVM-22.patch

@@ -0,0 +1,29 @@
+From 973dc32026c164d0c13f7f5bef36c8d1c2375973 Mon Sep 17 00:00:00 2001
+From: Alessandro Astone <ales.astone@gmail.com>
+Date: Sun, 1 Mar 2026 18:14:09 +0100
+Subject: [PATCH] gallivm: Fix armhf build against LLVM 22
+
+StringMapIterator<bool> became StringMapIterBase<bool, false /* IsConst */>;
+Use `auto` to handle either case.
+
+Upstream-Status: Submitted [https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40161]
+Signed-off-by: Jose Quaresma <jose.quaresma@oss.qualcomm.com>
+---
+ src/gallium/auxiliary/gallivm/lp_bld_misc.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gallium/auxiliary/gallivm/lp_bld_misc.cpp b/src/gallium/auxiliary/gallivm/lp_bld_misc.cpp
+index d3ad342..c95d86e 100644
+--- a/src/gallium/auxiliary/gallivm/lp_bld_misc.cpp
++++ b/src/gallium/auxiliary/gallivm/lp_bld_misc.cpp
+@@ -331,7 +331,7 @@ lp_build_fill_mattrs(std::vector<std::string> &MAttrs)
+       llvm::sys::getHostCPUFeatures(features);
+    #endif
+
+-   for (llvm::StringMapIterator<bool> f = features.begin();
++   for (auto f = features.begin();
+         f != features.end();
+         ++f) {
+       MAttrs.push_back(((*f).second ? "+" : "-") + (*f).first().str());
+--
+2.53.0

meta-ti-bsp/recipes-graphics/mesa/mesa-pvr_24.0.1.bb

@@ -19,6 +19,7 @@ SRC_URI = " \
     file://0002-glxext-don-t-try-zink-if-not-enabled-in-mesa.patch \
     file://0001-gallivm-Call-StringMapIterator-from-llvm-scope.patch \
     file://0001-Update-lp_bld_misc.cpp-to-support-llvm-19.patch \
+    file://0001-gallivm-Fix-armhf-build-against-LLVM-22.patch \
 "
 
 SRCREV = "7c82c1eebc67f5a62a347a84d42fe795cf7f523b"

meta-ti-bsp/recipes-kernel/linux/linux-ti-staging-6.18/luks-ftpm.cfg

@@ -0,0 +1,22 @@
+# Device Mapper support
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+
+# Core crypto algorithms for LUKS encryption
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+
+# ARM64 optimized crypto for better performance
+CONFIG_CRYPTO_AES_ARM64=y
+CONFIG_CRYPTO_AES_ARM64_CE=y
+CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
+
+# Userspace crypto API for cryptsetup
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+
+# Firmware TPM support via OP-TEE
+CONFIG_TCG_FTPM_TEE=m

meta-ti-bsp/recipes-kernel/linux/linux-ti-staging_6.18.bb

@@ -22,7 +22,7 @@ S = "${UNPACKDIR}/${BB_GIT_DEFAULT_DESTSUFFIX}"
 
 BRANCH ?= "ti-linux-6.18.y"
 
-SRCREV ?= "c164e381f6bc1a72b527f0bf3a6b1fc9af06517f"
+SRCREV ?= "c214492085504176b9c252a7175e4e60b4b442af"
 PV = "6.18.13+git"
 
 KERNEL_REPRODUCIBILITY_PATCHES = " \
@@ -35,3 +35,11 @@ module_conf_rpmsg_client_sample = "blacklist rpmsg_client_sample"
 module_conf_ti_k3_r5_remoteproc = "softdep ti_k3_r5_remoteproc pre: virtio_rpmsg_bus"
 module_conf_ti_k3_dsp_remoteproc = "softdep ti_k3_dsp_remoteproc pre: virtio_rpmsg_bus"
 KERNEL_MODULE_PROBECONF += "rpmsg_client_sample ti_k3_r5_remoteproc ti_k3_dsp_remoteproc"
+
+# LUKS encryption with fTPM kernel configuration
+SRC_URI:append:k3 = " \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'luks', 'file://luks-ftpm.cfg', '', d)} \
+"
+KERNEL_CONFIG_FRAGMENTS:append:k3 = " \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'luks', '${UNPACKDIR}/luks-ftpm.cfg', '', d)} \
+"

meta-ti-bsp/recipes-kernel/linux/ti-extras-rt.inc

@@ -5,4 +5,4 @@ BRANCH:tie-jailhouse:bsp-ti-6_12 = "ti-linux-6.12.y-jailhouse"
 BRANCH:tie-jailhouse:bsp-ti-6_18 = "ti-linux-6.18.y-jailhouse"
 
 SRCREV:tie-jailhouse:bsp-ti-6_12 = "229a48602ad1557612a4ffabec6a3cbcdd745f87"
-SRCREV:tie-jailhouse:bsp-ti-6_18 = "e80c3501e727c8c01454594ca5b10555377dfd60"
+SRCREV:tie-jailhouse:bsp-ti-6_18 = "b27ed9ea7bdad936265fe38c6e112d86743fd379"

meta-ti-bsp/recipes-kernel/linux/ti-extras.inc

@@ -9,6 +9,6 @@ BRANCH:tie-jailhouse:bsp-ti-6_12 = "ti-linux-6.12.y-jailhouse"
 BRANCH:tie-jailhouse:bsp-ti-6_18 = "ti-linux-6.18.y-jailhouse"
 
 SRCREV:tie-jailhouse:bsp-ti-6_12 = "229a48602ad1557612a4ffabec6a3cbcdd745f87"
-SRCREV:tie-jailhouse:bsp-ti-6_18 = "e80c3501e727c8c01454594ca5b10555377dfd60"
+SRCREV:tie-jailhouse:bsp-ti-6_18 = "b27ed9ea7bdad936265fe38c6e112d86743fd379"
 
 KERNEL_GIT_URI:tie-jailhouse = "git://git.ti.com/git/processor-sdk/linux.git"