diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant
new file mode 100644
index 000000000..80c817279
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant
@@ -0,0 +1 @@
+OPTARGS="--fs-parent-path=/mnt/data/tee"
diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
index 427bdf1a8..f4640b6e7 100644
--- a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
+++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
@@ -5,6 +5,7 @@
 #
 require recipes-security/optee-imx/optee-client_3.19.0.imx.bb
+SRC_URI += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://tee-supplicant', '', d)}"
 SRCBRANCH = "lf-6.1.55_2.2.0"
 SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
@@ -16,6 +17,11 @@ do_install() {
 	sed -i -e s:@sysconfdir@:${sysconfdir}:g \
 	       -e s:@sbindir@:${sbindir}:g \
 	       ${D}${systemd_system_unitdir}/tee-supplicant.service
+
+	if ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'true', 'false',d)}; then
+		install -d ${D}${sysconfdir}/default/
+		install -m 0644 ${WORKDIR}/tee-supplicant ${D}${sysconfdir}/default/tee-supplicant
+	fi
 }
 
 COMPATIBLE_MACHINE = "(ccimx93)"
diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh
new file mode 100644
index 000000000..c929f303a
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh
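Review bot: The secure-storage parent path `/mnt/data/tee` is hard-coded here and again, as a build-time `-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee`, in the optee-client_3.16.bb hunk for stm32mp, so the i.MX runtime option and the STM32 compiled-in default can drift apart unnoticed. Defining it once in trustfence.bbclass, e.g. `TRUSTFENCE_TEE_FS_PATH ?= "/mnt/data/tee"` (name is a proposal), and expanding it in both places keeps them in step. Whether the installed tee-supplicant.service actually reads this file (an `EnvironmentFile=-/etc/default/tee-supplicant` plus `$OPTARGS` on its ExecStart) is not visible in this diff; if it does not, the option is never applied and the TEE objects stay under the default parent path on the rootfs.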
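Review bot: do_install's output now depends on TRUSTFENCE_FILE_BASED_ENCRYPT, but `oe.utils.vartrue` is, as far as I know, not among the helpers BitBake's code parser treats as a variable reference (this commit's packagegroup hunk adds an explicit vardeps for exactly that), so flipping the flag may leave the task signature unchanged and let an sstate-cached package without /etc/default/tee-supplicant be reused; add `do_install[vardeps] += "TRUSTFENCE_FILE_BASED_ENCRYPT"`. The same applies to the SRC_URI line in the previous hunk, to EXTRA_OECMAKE in optee-client_3.16.bb and to SRC_URI in linux-dey.inc (do_fetch/do_configure signatures). Separately, tee-supplicant creates missing path components under its parent path as far as I recall, so if the unit starts before /mnt/data is mounted the secure-storage objects land on the rootfs beneath the mount point and are hidden once the mount happens; ordering the unit after the mount, e.g. `RequiresMountsFor=/mnt/data`, belongs in the unit file, which is not part of this diff. do_install() itself starts before this hunk.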
@@ -0,0 +1,3 @@
+export TEEC_EXPORT=$SDKTARGETSYSROOT/usr
+export TA_DEV_KIT_DIR=$SDKTARGETSYSROOT/usr/include/optee/export-user_ta_#OPTEE_ARCH#
+export LIBGCC_LOCATE_CFLAGS=--sysroot=$SDKTARGETSYSROOT
diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb
index 67d5a5ccf..2338caf72 100644
--- a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb
+++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb
@@ -10,6 +10,7 @@ SRC_URI = " \
     file://0007-allow-setting-sysroot-for-clang.patch \
     file://0001-core-imx-support-ccimx93-dvk.patch \
     file://0002-core-ccimx93-enable-AES_HUK-trusted-application.patch \
+    file://environment.d-optee-sdk.sh \
 "
 SRCBRANCH = "lf-6.1.55_2.2.0"
 # Tag: lf-6.1.55-2.2.0
@@ -22,8 +23,15 @@ do_compile:append:ccimx93 () {
 }
 do_compile[cleandirs] += "${B}-A0"
 
+do_install:append:ccimx93 () {
+	mkdir -p ${D}/environment-setup.d
+	sed -e "s,#OPTEE_ARCH#,${OPTEE_ARCH},g" ${WORKDIR}/environment.d-optee-sdk.sh > ${D}/environment-setup.d/optee-sdk.sh
+}
+
 do_deploy:append:ccimx93 () {
 	cp ${B}-A0/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}_a0.bin
 }
 
+FILES:${PN}-staticdev += "/environment-setup.d/"
+
 COMPATIBLE_MACHINE = "(ccimx93)"
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb
index 4a3164499..bea3c2478 100755
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb
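Review bot: The generated optee-sdk.sh is packaged into `${PN}-staticdev`, which only reaches the SDK target sysroot when staticdev packages are pulled in (SDKIMAGE_FEATURES `staticdev-pkgs` or an explicit TOOLCHAIN_TARGET_TASK entry); with the default dev-pkgs selection the TEEC_EXPORT/TA_DEV_KIT_DIR exports would never be sourced, so `FILES:${PN}-dev += "/environment-setup.d/"` looks like the intended package — confirm against this layer's SDK setup. In do_install:append:ccimx93, `install -d ${D}/environment-setup.d` is the usual form rather than `mkdir -p`, and if OPTEE_ARCH were empty the sed would silently emit `export-user_ta_` as the TA dev kit path; a `[ -n "${OPTEE_ARCH}" ] || bbfatal "OPTEE_ARCH is not set"` guard surfaces that at build time instead of in the SDK user's shell.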
@@ -25,6 +25,9 @@ EXTRA_OECMAKE = " \
     -DBUILD_SHARED_LIBS=ON \
 "
 
+# If TF file based encryption is enabled, move the TEE_FS_PARENT_PATH out of the rootfs
+EXTRA_OECMAKE += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', '-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee', '', d)}"
+
 do_install:append() {
 	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
 		install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
index 87f6ec74c..3aa8c98d7 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2023 Digi International
+# Copyright (C) 2018-2024 Digi International
 SUMMARY = "Linux kernel for Digi boards"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
@@ -18,6 +18,7 @@ SRC_URI = " \
     ${LINUX_GIT_URI};branch=${SRCBRANCH} \
     ${@oe.utils.conditional('KERNEL_DEFCONFIG', '', 'file://defconfig', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'file://docker_conf.cfg', '', d)} \
+    ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://fscrypt.cfg', '', d)} \
 "
 
 S = "${WORKDIR}/git"
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg b/meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg
new file mode 100644
index 000000000..371d3c25f
--- /dev/null
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg
@@ -0,0 +1,5 @@
+CONFIG_BLK_INLINE_ENCRYPTION=y
+CONFIG_FS_ENCRYPTION=y
+CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
+CONFIG_MMC_CRYPTO=y
+CONFIG_CRYPTO_ESSIV=y
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index ba99025bb..dfdc0c227 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
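Review bot: The fragment carries no comment on what it is for, and it is the only place that records what the file-based encryption feature needs from the kernel; a header such as `# fscrypt with inline (blk-crypto/eMMC) encryption, pulled in by TRUSTFENCE_FILE_BASED_ENCRYPT in linux-dey.inc` and a one-liner on why `CONFIG_CRYPTO_ESSIV=y` is required (presumably for the ESSIV contents mode — confirm) would help the next reader. `CONFIG_FS_ENCRYPTION_INLINE_CRYPT` and `CONFIG_MMC_CRYPTO` only take effect on controllers with inline-crypto support; on hardware without it fscrypt falls back to the kernel crypto API as far as I recall, which is worth stating so nobody assumes the controller does the encryption on every machine that enables the flag.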
@@ -36,6 +36,7 @@ TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
 TRUSTFENCE_ENCRYPT_PARTITIONS:ccimx93 ?= "0"
 TRUSTFENCE_ENCRYPT_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "0", "1", d)}"
 TRUSTFENCE_ENCRYPT_ROOTFS:ccimx93 ?= "0"
+TRUSTFENCE_FILE_BASED_ENCRYPT ?= "${TF_FILE_BASED_ENCRYPT}"
 
 # Read-only rootfs
 TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
@@ -48,6 +49,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 TF_DEK_PATH = "default"
 TF_DEK_PATH:ccimx93 = "0"
 TF_DEK_PATH:ccmp1 = "0"
+TF_FILE_BASED_ENCRYPT = "0"
+TF_FILE_BASED_ENCRYPT:ccimx93 = "1"
+TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
 
 # NXP-based sign a FIT-format boot artifact
 TRUSTFENCE_SIGN_FIT_NXP = "0"
diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb
new file mode 100644
index 000000000..bd0d606ea
--- /dev/null
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb
@@ -0,0 +1,19 @@
+# Copyright (C) 2024 Digi International.
+
+SUMMARY = "Trustfence fscrypt command line tool"
+SECTION = "console/tools"
+LICENSE = "CLOSED"
+
+TF_FSCRYPT_ARCH = "${TARGET_ARCH}"
+TF_FSCRYPT_ARCH:aarch64 = "arm64"
+
+SRC_URI = "${DIGI_PKG_SRC}/${BP}-${TF_FSCRYPT_ARCH}.tar.gz;name=${TARGET_ARCH}"
+SRC_URI[aarch64.md5sum] = "68291e8f9180312e5418247335434df0"
+SRC_URI[aarch64.sha256sum] = "c6ffa9af67dee848e29bb10ddcbb4debd77323714e5f66f557f5ef4bf7d371f4"
+SRC_URI[arm.md5sum] = "0831130450d6f0beeebbb68af9b6af29"
+SRC_URI[arm.sha256sum] = "7dee4bbcff21d817bbbc152e904e8091362378446b08ad2d485f373b0da8b83b"
+
+# Needed to resolve dependencies to libteec
+RDEPENDS:${PN} += "optee-client"
+
+inherit bin_package
diff --git a/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb b/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
index 372c65a2c..12c687cc8 100644
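Review bot: `TF_FILE_BASED_ENCRYPT:ccimx93 = "1"` and `:ccmp1 = "1"` switch file-based encryption on by default on the same two machines where this class already defaults `TRUSTFENCE_ENCRYPT_PARTITIONS`/`TRUSTFENCE_ENCRYPT_ROOTFS` to "0", which reads as fscrypt standing in for partition encryption there, but nothing records that; a comment above the new `?=` line, `# File-based (fscrypt) data encryption; defaults on for platforms without partition encryption`, would capture the intent (confirm that is the reasoning). Since every consumer goes through `oe.utils.vartrue`, which as far as I recall routes the value through oe.types.boolean and raises a ValueError at parse time for anything other than the yes/no/1/0 forms, documenting `"0"` as the off value avoids a user writing `TRUSTFENCE_FILE_BASED_ENCRYPT = ""` and breaking the parse instead of disabling the feature.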
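Review bot: The new recipe sets no `COMPATIBLE_MACHINE`, while its checksums are keyed by `name=${TARGET_ARCH}` and exist only for `aarch64` and `arm`, so on any other target the failure surfaces as a missing-checksum fetch error instead of a clean skip; `COMPATIBLE_MACHINE = "(ccimx93|ccmp1)"` would match the machines trustfence.bbclass enables the feature on — confirm that is the intended set. A line of documentation on what the prebuilt tool does would also help, since a CLOSED-license binary that links libteec and, judging by its name, manages filesystem encryption keys is exactly the kind of artefact a reviewer wants to be able to place; the sha256 pins are the only integrity check on it, so keep them mandatory and state that DIGI_PKG_SRC is expected to be an https origin.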
--- a/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
+++ b/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
@@ -1,4 +1,4 @@
-# Copyright (C) 2016 Digi International.
+# Copyright (C) 2016-2024 Digi International.
 
 SUMMARY = "DEY trustfence packagegroup"
 
@@ -6,5 +6,6 @@ inherit packagegroup
 
 RDEPENDS:${PN} = "\
     ${@oe.utils.conditional('TRUSTFENCE_CONSOLE_DISABLE', '1', 'auto-serial-console', '', d)} \
+    ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'e2fsprogs-tune2fs trustfence-fscrypt', '', d)} \
 "
-do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE"
+do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE TRUSTFENCE_FILE_BASED_ENCRYPT"
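Review bot: `e2fsprogs-tune2fs` is added without saying why the packagegroup needs it; presumably the data filesystem's ext4 `encrypt` feature is enabled at runtime with tune2fs (confirm), and a comment above the new line such as `# tune2fs enables the ext4 encrypt feature on the data partition; trustfence-fscrypt manages the fscrypt policies` would tie the two runtime pieces together. The explicit `do_package[vardeps]` addition is the right call for a value selected through `oe.utils.vartrue`; the optee-client and linux-dey hunks in this commit use the same helper without it.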