From 3c7301d68887603422f4e49a501dc64e36072c37 Mon Sep 17 00:00:00 2001
From: Mike Engel
Date: Fri, 9 Jan 2026 18:00:55 +0100
Subject: [PATCH] trustfence: add secure storage service and script

This commit add secure storage service and helper script to setup the secure storage at boot up.

Signed-off-by: Mike Engel
https://onedigi.atlassian.net/browse/DEL-9891
---
 meta-digi-dey/classes/trustfence.bbclass | 1 +
 .../trustfence/files/secure-storage | 1 +
 .../files/secure-storage-init.service | 21 ++++++
 .../trustfence/files/secure-storage-init.sh | 67 +++++++++++++++++++
 .../trustfence/trustfence-fscrypt_0.2.bb | 32 ++++++++-
 5 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 meta-digi-dey/recipes-core/trustfence/files/secure-storage
 create mode 100755 meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.service
 create mode 100755 meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.sh

diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 8c26ba4a3..27ae1da79 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -44,6 +44,7 @@ TRUSTFENCE_ENCRYPT_ROOTFS:ccimx9 ?= "0"
 TRUSTFENCE_ENCRYPT_ROOTFS:ccmp1 ?= "0"
 TRUSTFENCE_ENCRYPT_ROOTFS:ccmp2 ?= "0"
 TRUSTFENCE_FILE_BASED_ENCRYPT ?= "${TF_FILE_BASED_ENCRYPT}"
+TRUSTFENCE_FILE_BASED_ENCRYPT_DIR ?= "/mnt/data/private"
 
 # Co-processor settings
 TRUSTFENCE_COPRO_ENABLED ?= "1"
diff --git a/meta-digi-dey/recipes-core/trustfence/files/secure-storage b/meta-digi-dey/recipes-core/trustfence/files/secure-storage
new file mode 100644
index 000000000..8f6d3af6f
--- /dev/null
+++ b/meta-digi-dey/recipes-core/trustfence/files/secure-storage
@@ -0,0 +1 @@
+SECURE_DIR=@TRUSTFENCE_SECURE_STORAGE_DIR@
diff --git a/meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.service b/meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.service
new file mode 100755
index 000000000..88e700891
--- /dev/null
+++ b/meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Secure storage init (fscrypt)
+After=local-fs.target
+Before=multi-user.target
+Before=shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RuntimeDirectory=secure-storage
+RuntimeDirectoryMode=0700
+EnvironmentFile=/etc/default/secure-storage
+ExecStart=/usr/sbin/secure-storage-init.sh start
+ExecStop=/usr/sbin/secure-storage-init.sh stop
+RemainAfterExit=yes
+
+# Make shutdown not wait forever
+TimeoutStopSec=2s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.sh b/meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.sh
new file mode 100755
index 000000000..b05c77b59
--- /dev/null
+++ b/meta-digi-dey/recipes-core/trustfence/files/secure-storage-init.sh
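Review bot: The unit carries no ordering against the OP-TEE supplicant, although the script it launches reads /etc/default/tee-supplicant and trustfence-fscrypt links libteec (the recipe RDEPENDS on optee-client), so if the tool needs tee-supplicant to reach the key store, `ExecStart` can race the supplicant at boot and `ExecStop` can run after it is already gone at shutdown — which is presumably what the 2s stop timeout is working around. If that dependency holds, add `After=tee-supplicant.service` and `Wants=tee-supplicant.service` to [Unit] (using whatever unit name optee-client installs); the After= ordering also makes the stop sequence correct. Since the script does `mkdir -p` on the secure directory, a `RequiresMountsFor=/mnt/data/private` line (substituted at build time like the env file) would stop it from silently creating that directory on the root filesystem when the data mount is absent. `Before=shutdown.target` and `Conflicts=shutdown.target` are already default dependencies for a service unit and can be dropped.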
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Get the Key storage location from tee-supplicant config file
+KEYDIR="$(cat /etc/default/tee-supplicant | tr -d \" | awk -F =/ '{ print $2 }')"
+
+log() { echo "[secure-storage] $*"; }
+
+# Configure encryption for the EXT4 filesystem if detected
+enable_ext4_encrypt() {
+ set -- $(df -T -P "${SECURE_DIR}" 2>/dev/null | awk 'NR==2 { print $1, $2 }')
+ [ "${2:-}" = "ext4" ] || return 0
+ if [ "${1#/dev/}" != "${1}" ]; then
+ tune2fs -O encrypt "${1}" >/dev/null 2>&1
+ tune2fs -l "${1}" 2>/dev/null | grep -qs 'Filesystem features:.*encrypt' || \
+ { log "Cannot enable file system encryption on ${1}"; exit 1; }
+ fi
+}
+
+secure_dir_is_empty() {
+ [ -z "$(find "${SECURE_DIR}" -mindepth 1 -print -quit 2>/dev/null)" ]
+}
+
+# Ensure prerequisites
+command -v trustfence-fscrypt >/dev/null 2>&1 || { log "trustfence-fscrypt tool not found"; exit 1; }
+
+start () {
+ log "create $SECURE_DIR"
+ # Ensure secure directory exists
+ mkdir -p "$SECURE_DIR"
+ log "verifiy if we are on EXT4"
+ # verify if we are on EXT4 and enable encryption
+ enable_ext4_encrypt
+
+ log "Check if $KEYDIR exists"
+ # check if we already have a KEYDIR
+ if [ ! -d "$KEYDIR" ]; then
+ log "Generating master key directory at $KEYDIR"
+ install -d -m770 -o root -g tee $KEYDIR
+ fi
+
+ log "check if we already have a key"
+ # check if we already have a key
+ if ! trustfence-fscrypt --start-session=$SECURE_DIR >/dev/null 2>&1; then
+ # check if directory is empty
+ if secure_dir_is_empty; then
+ log "Generating new random key"
+ # start fscrypt session with random key
+ trustfence-fscrypt --new-key --start-session=$SECURE_DIR >/dev/null 2>&1
+ else
+ log "ERROR: ${SECURE_DIR} not empty, but must be empty for initial policy setup"
+ exit 1
+ fi
+ fi
+
+ log "Secure storage ready at $SECURE_DIR"
+}
+
+stop() {
+ log "Remove session key and lock secure storage"
+ trustfence-fscrypt --end-session=$SECURE_DIR >/dev/null 2>&1
+}
+
+case "$1" in
+ start) start ;;
+ stop) stop ;;
+ *) ;;
+esac
diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.2.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.2.bb
index 61003c2b9..6fe4874be 100644
--- a/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.2.bb
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-fscrypt_0.2.bb
@@ -1,4 +1,4 @@
-# Copyright (C) 2024,2025 Digi International Inc.
+# Copyright (C) 2024-2026 Digi International Inc.
 
 SUMMARY = "Trustfence fscrypt command line tool"
 SECTION = "console/tools"
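Review bot: In `start`, the exit status of `trustfence-fscrypt --new-key --start-session=$SECURE_DIR` is discarded, so when key generation or policy setup fails (TEE not reachable, filesystem without encrypt support) the script still logs `Secure storage ready`, exits 0, the unit shows active, and anything ordered after it writes plaintext into a directory it believes is encrypted. Make that call fatal, e.g. `trustfence-fscrypt --new-key --start-session="$SECURE_DIR" >/dev/null 2>&1 || { log "ERROR: cannot set up encryption for ${SECURE_DIR}"; exit 1; }`. The `KEYDIR` derivation at the top is also fragile: `awk -F =/` strips the leading `/` from the value and prints `$2` for every line of the file, so the result is a relative path (or empty/multi-line if the config differs from what is assumed) that only works because systemd's working directory is `/`; validate it with `[ -n "$KEYDIR" ] || { log "tee-supplicant storage dir not found"; exit 1; }` and quote it in `install -d -m770 -o root -g tee "$KEYDIR"`.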
@@ -20,9 +20,37 @@ SRC_URI[aarch64-libteecv1.sha256sum] = "43c2e900ca8d0aaac15963ffb5a7c57e3dd07613
 SRC_URI[arm-libteecv1.md5sum] = "6b153a51a4c3b77d8172ce37c6542c59"
 SRC_URI[arm-libteecv1.sha256sum] = "bc65a13d234da8d4a9c0cfd6d0a8672e8fe1c1c884180f47121d41bd7dcefafe"
 
+SRC_URI:append = " \
+ file://secure-storage-init.service \
+ file://secure-storage-init.sh \
+ file://secure-storage \
+"
+
+# Install secure storage service and script
+do_install:append() {
+ # systemd unit
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/secure-storage-init.service \
+ ${D}${systemd_unitdir}/system/secure-storage-init.service
+
+ # script
+ install -d ${D}${sbindir}
+ install -m 0755 ${WORKDIR}/secure-storage-init.sh \
+ ${D}${sbindir}/secure-storage-init.sh
+
+ # environment
+ install -d ${D}${sysconfdir}/default/
+ install -m 0644 ${WORKDIR}/secure-storage \
+ ${D}${sysconfdir}/default/secure-storage
+ sed -i -e 's,@TRUSTFENCE_SECURE_STORAGE_DIR@,${TRUSTFENCE_FILE_BASED_ENCRYPT_DIR},g' ${D}${sysconfdir}/default/secure-storage
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage-init.service"
+SYSTEMD_AUTO_ENABLE:${PN} = "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'enable', 'disable', d)}"
+
 # Needed to resolve dependencies to libteec
 RDEPENDS:${PN} += "optee-client"
 
-inherit bin_package
+inherit bin_package systemd
 
 INSANE_SKIP:${PN} = "already-stripped"
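Review bot: The installed secure-storage-init.sh calls `tune2fs -O encrypt` and `tune2fs -l` (plus `df`, `awk`, `find`), but the only runtime dependency the recipe declares is `optee-client`; on an image where busybox provides only its minimal tune2fs applet, the `-O encrypt` step fails and the service exits 1 at first boot. Add `RDEPENDS:${PN} += "e2fsprogs-tune2fs"` next to the existing optee-client line (and the findutils/gawk providers if busybox is not relied upon). `/etc/default/secure-storage` is an editable configuration file, so mark it with `CONFFILES:${PN} += "${sysconfdir}/default/secure-storage"` so package upgrades do not overwrite a locally changed `SECURE_DIR`. Whether `${WORKDIR}` or `${UNPACKDIR}` is the right source directory depends on the layer's Yocto release, which is not visible from this hunk.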