Merge branch 'dey-4.0/master' into dey-4.0/maint

Merges Trustfence file-based encryption support.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant

@@ -0,0 +1 @@
+OPTARGS="--fs-parent-path=/mnt/data/tee"

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb

@@ -5,6 +5,7 @@
 #
 require recipes-security/optee-imx/optee-client_3.19.0.imx.bb
 
+SRC_URI += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://tee-supplicant', '', d)}"
 SRCBRANCH = "lf-6.1.55_2.2.0"
 SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
 
@@ -16,6 +17,11 @@ do_install() {
 	sed -i -e s:@sysconfdir@:${sysconfdir}:g \
 		-e s:@sbindir@:${sbindir}:g \
 		${D}${systemd_system_unitdir}/tee-supplicant.service
+
+	if ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'true', 'false',d)}; then
+		install -d ${D}${sysconfdir}/default/
+		install -m 0644 ${WORKDIR}/tee-supplicant ${D}${sysconfdir}/default/tee-supplicant
+	fi
 }
 
 COMPATIBLE_MACHINE = "(ccimx93)"

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/environment.d-optee-sdk.sh

@@ -0,0 +1,3 @@
+export TEEC_EXPORT=$SDKTARGETSYSROOT/usr
+export TA_DEV_KIT_DIR=$SDKTARGETSYSROOT/usr/include/optee/export-user_ta_#OPTEE_ARCH#
+export LIBGCC_LOCATE_CFLAGS=--sysroot=$SDKTARGETSYSROOT

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb

@@ -10,6 +10,7 @@ SRC_URI = " \
     file://0007-allow-setting-sysroot-for-clang.patch \
     file://0001-core-imx-support-ccimx93-dvk.patch \
     file://0002-core-ccimx93-enable-AES_HUK-trusted-application.patch \
+    file://environment.d-optee-sdk.sh \
 "
 SRCBRANCH = "lf-6.1.55_2.2.0"
 # Tag: lf-6.1.55-2.2.0
@@ -22,8 +23,15 @@ do_compile:append:ccimx93 () {
 }
 do_compile[cleandirs] += "${B}-A0"
 
+do_install:append:ccimx93 () {
+	mkdir -p ${D}/environment-setup.d
+	sed -e "s,#OPTEE_ARCH#,${OPTEE_ARCH},g" ${WORKDIR}/environment.d-optee-sdk.sh > ${D}/environment-setup.d/optee-sdk.sh
+}
+
 do_deploy:append:ccimx93 () {
     cp ${B}-A0/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}_a0.bin
 }
 
+FILES:${PN}-staticdev += "/environment-setup.d/"
+
 COMPATIBLE_MACHINE = "(ccimx93)"

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb

@@ -25,6 +25,9 @@ EXTRA_OECMAKE = " \
     -DBUILD_SHARED_LIBS=ON \
     "
 
+# If TF file based encryption is enabled, move the TEE_FS_PARENT_PATH out of the rootfs
+EXTRA_OECMAKE += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', '-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee', '', d)}"
+
 do_install:append() {
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
         install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service

meta-digi-arm/recipes-kernel/linux/linux-dey.inc

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2023 Digi International
+# Copyright (C) 2018-2024 Digi International
 SUMMARY = "Linux kernel for Digi boards"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
@@ -18,6 +18,7 @@ SRC_URI = " \
     ${LINUX_GIT_URI};branch=${SRCBRANCH} \
     ${@oe.utils.conditional('KERNEL_DEFCONFIG', '', 'file://defconfig', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'file://docker_conf.cfg', '', d)} \
+    ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://fscrypt.cfg', '', d)} \
 "
 S = "${WORKDIR}/git"
 

meta-digi-arm/recipes-kernel/linux/linux-dey/fscrypt.cfg

@@ -0,0 +1,5 @@
+CONFIG_BLK_INLINE_ENCRYPTION=y
+CONFIG_FS_ENCRYPTION=y
+CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
+CONFIG_MMC_CRYPTO=y
+CONFIG_CRYPTO_ESSIV=y

meta-digi-dey/classes/trustfence.bbclass

@@ -36,6 +36,7 @@ TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
 TRUSTFENCE_ENCRYPT_PARTITIONS:ccimx93 ?= "0"
 TRUSTFENCE_ENCRYPT_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "0", "1", d)}"
 TRUSTFENCE_ENCRYPT_ROOTFS:ccimx93 ?= "0"
+TRUSTFENCE_FILE_BASED_ENCRYPT ?= "${TF_FILE_BASED_ENCRYPT}"
 
 # Read-only rootfs
 TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
@@ -48,6 +49,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 TF_DEK_PATH = "default"
 TF_DEK_PATH:ccimx93 = "0"
 TF_DEK_PATH:ccmp1 = "0"
+TF_FILE_BASED_ENCRYPT = "0"
+TF_FILE_BASED_ENCRYPT:ccimx93 = "1"
+TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
 
 # NXP-based sign a FIT-format boot artifact
 TRUSTFENCE_SIGN_FIT_NXP = "0"

meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.1.bb

@@ -0,0 +1,19 @@
+# Copyright (C) 2024 Digi International.
+
+SUMMARY = "Trustfence fscrypt command line tool"
+SECTION = "console/tools"
+LICENSE = "CLOSED"
+
+TF_FSCRYPT_ARCH = "${TARGET_ARCH}"
+TF_FSCRYPT_ARCH:aarch64 = "arm64"
+
+SRC_URI = "${DIGI_PKG_SRC}/${BP}-${TF_FSCRYPT_ARCH}.tar.gz;name=${TARGET_ARCH}"
+SRC_URI[aarch64.md5sum] = "68291e8f9180312e5418247335434df0"
+SRC_URI[aarch64.sha256sum] = "c6ffa9af67dee848e29bb10ddcbb4debd77323714e5f66f557f5ef4bf7d371f4"
+SRC_URI[arm.md5sum] = "0831130450d6f0beeebbb68af9b6af29"
+SRC_URI[arm.sha256sum] = "7dee4bbcff21d817bbbc152e904e8091362378446b08ad2d485f373b0da8b83b"
+
+# Needed to resolve dependencies to libteec
+RDEPENDS:${PN} += "optee-client"
+
+inherit bin_package

meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb

@@ -1,4 +1,4 @@
-# Copyright (C) 2016 Digi International.
+# Copyright (C) 2016-2024 Digi International.
 
 SUMMARY = "DEY trustfence packagegroup"
 
@@ -6,5 +6,6 @@ inherit packagegroup
 
 RDEPENDS:${PN} = "\
 	${@oe.utils.conditional('TRUSTFENCE_CONSOLE_DISABLE', '1', 'auto-serial-console', '', d)} \
+	${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'e2fsprogs-tune2fs trustfence-fscrypt', '', d)} \
 "
-do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE"
+do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE TRUSTFENCE_FILE_BASED_ENCRYPT"