From 0e23efb9b16872290e2209e7f3a8530f28d29acc Mon Sep 17 00:00:00 2001 From: Javier Viguera Date: Tue, 18 Jun 2024 14:17:46 +0200 Subject: [PATCH 1/5] trustfence: add variables for file-based encryption On new platforms, trustfence will use file-based encryption instead of full-disk encryption. Add base variables and platform defaults to allow implementing file-based encryption. Signed-off-by: Javier Viguera --- meta-digi-dey/classes/trustfence.bbclass | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index ba99025bb..dfdc0c227 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass @@ -36,6 +36,7 @@ TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1" TRUSTFENCE_ENCRYPT_PARTITIONS:ccimx93 ?= "0" TRUSTFENCE_ENCRYPT_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "0", "1", d)}" TRUSTFENCE_ENCRYPT_ROOTFS:ccimx93 ?= "0" +TRUSTFENCE_FILE_BASED_ENCRYPT ?= "${TF_FILE_BASED_ENCRYPT}" # Read-only rootfs TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}" @@ -48,6 +49,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl TF_DEK_PATH = "default" TF_DEK_PATH:ccimx93 = "0" TF_DEK_PATH:ccmp1 = "0" +TF_FILE_BASED_ENCRYPT = "0" +TF_FILE_BASED_ENCRYPT:ccimx93 = "1" +TF_FILE_BASED_ENCRYPT:ccmp1 = "1" # NXP-based sign a FIT-format boot artifact TRUSTFENCE_SIGN_FIT_NXP = "0" From 994906d1def2d79d26ebe44d01cf42826dc6a44c Mon Sep 17 00:00:00 2001 From: Mike Engel Date: Fri, 8 Oct 2021 12:36:54 +0200 Subject: [PATCH 2/5] linux: add kernel fragment to enable File system encryption support https://onedigi.atlassian.net/browse/DEL-8944 
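Review bot: On ccimx93 the new `TRUSTFENCE_FILE_BASED_ENCRYPT` default becomes the only at-rest encryption switch that is on, because the context lines of the first trustfence.bbclass hunk show `TRUSTFENCE_ENCRYPT_PARTITIONS:ccimx93` and `TRUSTFENCE_ENCRYPT_ROOTFS:ccimx93` both defaulting to "0". A local.conf that sets the new variable to "0" would then produce an image with no storage encryption, and nothing in the class flags it. For ccmp1 the second hunk sets `TF_FILE_BASED_ENCRYPT:ccmp1 = "1"` while the visible `TRUSTFENCE_ENCRYPT_PARTITIONS` default is "1" with no ccmp1 override in these hunks, so both schemes may be enabled together unless an override exists outside the diff. I would document the relationship above the new line, e.g. `# File-based encryption (fscrypt); used instead of partition encryption where TF_FILE_BASED_ENCRYPT is "1"`, and consider a parse-time warning when both or neither are enabled.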
Signed-off-by: Mike Engel --- meta-digi-arm/recipes-kernel/linux/linux-dey.inc | 3 ++- meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc index 87f6ec74c..3aa8c98d7 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc @@ -1,4 +1,4 @@ -# Copyright (C) 2018-2023 Digi International +# Copyright (C) 2018-2024 Digi International SUMMARY = "Linux kernel for Digi boards" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" @@ -18,6 +18,7 @@ SRC_URI = " \ ${LINUX_GIT_URI};branch=${SRCBRANCH} \ ${@oe.utils.conditional('KERNEL_DEFCONFIG', '', 'file://defconfig', '', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'file://docker_conf.cfg', '', d)} \ + ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://fscrypt.cfg', '', d)} \ " S = "${WORKDIR}/git" diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg b/meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg new file mode 100644 index 000000000..371d3c25f --- /dev/null +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg @@ -0,0 +1,5 @@ +CONFIG_BLK_INLINE_ENCRYPTION=y +CONFIG_FS_ENCRYPTION=y +CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y +CONFIG_MMC_CRYPTO=y +CONFIG_CRYPTO_ESSIV=y From 8a2a1beb0804ba7a12294841549b33ba41640685 Mon Sep 17 00:00:00 2001 From: Mike Engel Date: Thu, 2 May 2024 12:21:14 +0200 Subject: [PATCH 3/5] fscrypt: include trustfence-fscrypt tool into rootfs Add also 'e2fsprogs-tune2fs' to the image, as busybox's version of tune2fs command does not support setting the "encrypt" feature of the EXT4 filesystem. Signed-off-by: Mike Engel 
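Review bot: The new fscrypt.cfg has no comment saying which options the feature strictly needs and which only matter on hardware with an inline crypto engine, and nothing in the patch confirms that they reach the final kernel configuration. `CONFIG_FS_ENCRYPTION_INLINE_CRYPT`, `CONFIG_BLK_INLINE_ENCRYPTION` and `CONFIG_MMC_CRYPTO` depend on other symbols, and a fragment line with unmet dependencies is typically dropped during the config merge without failing the build. Since `CONFIG_FS_ENCRYPTION=y` is what Trustfence file-based encryption relies on, I would add a header comment such as `# fscrypt support for Trustfence file-based encryption; inline-crypt options need a controller crypto engine` and check the generated .config on each machine that defaults to file-based encryption.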
Signed-off-by: Javier Viguera --- .../trustfence/trustfence-fscrypt_0.1.bb | 19 +++++++++++++++++++ .../packagegroup-dey-trustfence.bb | 5 +++-- 2 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb new file mode 100644 index 000000000..bd0d606ea --- /dev/null +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb @@ -0,0 +1,19 @@ +# Copyright (C) 2024 Digi International. + +SUMMARY = "Trustfence fscrypt command line tool" +SECTION = "console/tools" +LICENSE = "CLOSED" + +TF_FSCRYPT_ARCH = "${TARGET_ARCH}" +TF_FSCRYPT_ARCH:aarch64 = "arm64" + +SRC_URI = "${DIGI_PKG_SRC}/${BP}-${TF_FSCRYPT_ARCH}.tar.gz;name=${TARGET_ARCH}" +SRC_URI[aarch64.md5sum] = "68291e8f9180312e5418247335434df0" +SRC_URI[aarch64.sha256sum] = "c6ffa9af67dee848e29bb10ddcbb4debd77323714e5f66f557f5ef4bf7d371f4" +SRC_URI[arm.md5sum] = "0831130450d6f0beeebbb68af9b6af29" +SRC_URI[arm.sha256sum] = "7dee4bbcff21d817bbbc152e904e8091362378446b08ad2d485f373b0da8b83b" + +# Needed to resolve dependencies to libteec +RDEPENDS:${PN} += "optee-client" + +inherit bin_package diff --git a/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb b/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb index 372c65a2c..12c687cc8 100644 --- a/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb +++ b/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb @@ -1,4 +1,4 @@ -# Copyright (C) 2016 Digi International. +# Copyright (C) 2016-2024 Digi International. SUMMARY = "DEY trustfence packagegroup" 
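Review bot: trustfence-fscrypt_0.1.bb pulls a closed-source prebuilt that sits in the encryption path, so its integrity pins should be the strong ones only: the `SRC_URI[aarch64.md5sum]` and `SRC_URI[arm.md5sum]` lines add nothing beside the sha256sum entries and can be dropped. The checksum names come from `name=${TARGET_ARCH}` and exist only for aarch64 and arm, so any other architecture has no checksum entry and will presumably fail at fetch time; `COMPATIBLE_HOST = "(aarch64|arm).*-linux"` would state that limit explicitly. A one-line comment saying where the tarball is built from would also help anyone auditing the image, since `LICENSE = "CLOSED"` gives no source reference.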
@@ -6,5 +6,6 @@ inherit packagegroup RDEPENDS:${PN} = "\ ${@oe.utils.conditional('TRUSTFENCE_CONSOLE_DISABLE', '1', 'auto-serial-console', '', d)} \ + ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'e2fsprogs-tune2fs trustfence-fscrypt', '', d)} \ " -do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE" +do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE TRUSTFENCE_FILE_BASED_ENCRYPT" From 3c1f32f09aeb3b9ac9c37d9c9aae1243afed264d Mon Sep 17 00:00:00 2001 From: Javier Viguera Date: Thu, 20 Jun 2024 11:30:03 +0200 Subject: [PATCH 4/5] optee-os: add SDK environment script to build trusted applications Building Optee trusted applications (TA) depends on optee_client and the TA devkit provided by optee_os. Our toolchain provides those dependencies, but the SDK script which configures the environment for standalone building, is not configuring some variables needed to build trusted applications. This commit extends the SDK environment script to allow building TAs. Signed-off-by: Javier Viguera --- .../optee-imx/optee-os/environment.d-optee-sdk.sh | 3 +++ .../recipes-security/optee-imx/optee-os_4.0.0.imx.bb | 8 ++++++++ 2 files changed, 11 insertions(+) create mode 100644 meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh new file mode 100644 index 000000000..c929f303a --- /dev/null +++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh @@ -0,0 +1,3 @@ +export TEEC_EXPORT=$SDKTARGETSYSROOT/usr +export TA_DEV_KIT_DIR=$SDKTARGETSYSROOT/usr/include/optee/export-user_ta_#OPTEE_ARCH# +export LIBGCC_LOCATE_CFLAGS=--sysroot=$SDKTARGETSYSROOT 
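Review bot: The three exports in environment.d-optee-sdk.sh expand `$SDKTARGETSYSROOT` unquoted, so the result depends on how the sourcing shell treats assignments passed to `export`; an SDK installed under a path containing spaces could yield truncated values in shells that word-split them. Quoting each value, e.g. `export TEEC_EXPORT="$SDKTARGETSYSROOT/usr"` and `export LIBGCC_LOCATE_CFLAGS="--sysroot=$SDKTARGETSYSROOT"`, removes the ambiguity. A leading comment naming the consumer (going by the commit message, the trusted-application build) would explain why these variables are set for every SDK user.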
diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb index 67d5a5ccf..2338caf72 100644 --- a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb +++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb @@ -10,6 +10,7 @@ SRC_URI = " \ file://0007-allow-setting-sysroot-for-clang.patch \ file://0001-core-imx-support-ccimx93-dvk.patch \ file://0002-core-ccimx93-enable-AES_HUK-trusted-application.patch \ + file://environment.d-optee-sdk.sh \ " SRCBRANCH = "lf-6.1.55_2.2.0" # Tag: lf-6.1.55-2.2.0 @@ -22,8 +23,15 @@ do_compile:append:ccimx93 () { } do_compile[cleandirs] += "${B}-A0" +do_install:append:ccimx93 () { + mkdir -p ${D}/environment-setup.d + sed -e "s,#OPTEE_ARCH#,${OPTEE_ARCH},g" ${WORKDIR}/environment.d-optee-sdk.sh > ${D}/environment-setup.d/optee-sdk.sh +} + do_deploy:append:ccimx93 () { cp ${B}-A0/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}_a0.bin } +FILES:${PN}-staticdev += "/environment-setup.d/" + COMPATIBLE_MACHINE = "(ccimx93)" From ac237149671891fd61b9f9a613c609c5bf3b9866 Mon Sep 17 00:00:00 2001 From: Javier Viguera Date: Thu, 27 Jun 2024 15:33:15 +0200 Subject: [PATCH 5/5] optee-client: change secure storage path when TF is enabled By default, the secure storage path in the REE is "/var/lib/tee". It is part of the rootfs, and thus, it gets lost on a firmware update. This commit changes that path to a different partition "/mnt/data/tee" when Trustfence file-based encryption is enabled. 
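Review bot: The added `do_install:append:ccimx93` in optee-os_4.0.0.imx.bb writes the SDK script through a shell redirect, so its mode depends on the build umask, and it uses `mkdir -p` where the optee-client recipe in this series uses `install -d`. I would write `install -d ${D}/environment-setup.d` and follow the sed with `chmod 0644 ${D}/environment-setup.d/optee-sdk.sh`. The file lands at the root of the sysroot and ships in `${PN}-staticdev`; a short comment saying the SDK environment script is expected to source it from there would save the next reader from wondering why the recipe installs outside `${prefix}`.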
Signed-off-by: Javier Viguera --- .../recipes-security/optee-imx/optee-client/tee-supplicant | 1 + .../recipes-security/optee-imx/optee-client_4.0.0.imx.bb | 6 ++++++ .../recipes-security/optee/optee-client_3.16.bb | 3 +++ 3 files changed, 10 insertions(+) create mode 100644 meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant new file mode 100644 index 000000000..80c817279 --- /dev/null +++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant @@ -0,0 +1 @@ +OPTARGS="--fs-parent-path=/mnt/data/tee" diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb index 427bdf1a8..f4640b6e7 100644 --- a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb +++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb @@ -5,6 +5,7 @@ # require recipes-security/optee-imx/optee-client_3.19.0.imx.bb +SRC_URI += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://tee-supplicant', '', d)}" SRCBRANCH = "lf-6.1.55_2.2.0" SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee" @@ -16,6 +17,11 @@ do_install() { sed -i -e s:@sysconfdir@:${sysconfdir}:g \ -e s:@sbindir@:${sbindir}:g \ ${D}${systemd_system_unitdir}/tee-supplicant.service + + if ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'true', 'false',d)}; then + install -d ${D}${sysconfdir}/default/ + install -m 0644 ${WORKDIR}/tee-supplicant ${D}${sysconfdir}/default/tee-supplicant + fi } COMPATIBLE_MACHINE = "(ccimx93)" 
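Review bot: Pointing `--fs-parent-path` at `/mnt/data/tee` makes secure storage depend on the data partition being mounted before tee-supplicant starts, and nothing in this series expresses that ordering. If the daemon starts first it will presumably use the directory on the root filesystem underneath the mount point, and objects written there are hidden once the partition is mounted. The same applies to the `-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee` hunk in optee-client_3.16.bb. I would add `RequiresMountsFor=/mnt/data/tee` to tee-supplicant.service when the feature is enabled, and make sure the directory is created with an owner and mode restricted to the supplicant's user, because anything able to write there can delete or replace stored objects even though their contents are protected by the TEE.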
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb index 4a3164499..bea3c2478 100755 --- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb +++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb @@ -25,6 +25,9 @@ EXTRA_OECMAKE = " \ -DBUILD_SHARED_LIBS=ON \ " +# If TF file based encryption is enabled, move the TEE_FS_PARENT_PATH out of the rootfs +EXTRA_OECMAKE += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', '-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee', '', d)}" + do_install:append() { if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
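Review bot: The new `EXTRA_OECMAKE +=` line selects its value with `oe.utils.vartrue`, and as far as I know BitBake's signature parser does not record a dependency on the variable named in that call, so toggling `TRUSTFENCE_FILE_BASED_ENCRYPT` may reuse a stale do_configure result that still carries the old storage path. The packagegroup hunk in patch 3 already handles this with `do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE TRUSTFENCE_FILE_BASED_ENCRYPT"`; the equivalent is missing here and on the `SRC_URI` lines added to linux-dey.inc and optee-client_4.0.0.imx.bb. I would add `do_configure[vardeps] += "TRUSTFENCE_FILE_BASED_ENCRYPT"` in this recipe and matching `do_fetch[vardeps]` / `do_install[vardeps]` entries in the other two.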