trustfence: split filesystem encryption support into two variables

Previously, TRUSTFENCE_INITRAMFS_IMAGE was the only variable used to configure rootfs encryption. Now that any partition can be encrypted and the rootfs encryption still needs to be handled differently, use two variables instead. * TRUSTFENCE_ENCRYPT_PARTITIONS to control partition encryption in general * TRUSTFENCE_ENCRYPT_ROOTFS to control rootfs encryption As with most trustfence functionality, enable both by default. Leave TRUSTFENCE_INITRAMFS_IMAGE as an internal variable only. https://onedigi.atlassian.net/browse/DEL-7174 Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
2021-05-10 16:20:56 +02:00 · 2021-05-10 16:20:56 +02:00 · 82a76a7106
parent 402f9775b9
commit 82a76a7106
3 changed files with 25 additions and 14 deletions
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -25,8 +25,9 @@ TRUSTFENCE_DEK_PATH ?= "default"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"

-# Trustfence initramfs image recipe
-TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
+# Partition encryption configuration
+TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
+TRUSTFENCE_ENCRYPT_ROOTFS ?= "1"

 IMAGE_FEATURES += "dey-trustfence"

@ -92,4 +93,14 @@ python () {

        # Set the key password.
        d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
+
+    # Enable partition encryption if rootfs encryption is enabled
+    if (d.getVar("TRUSTFENCE_ENCRYPT_ROOTFS", True) == "1"):
+        d.setVar("TRUSTFENCE_ENCRYPT_PARTITIONS", "1");
+
+    # Enable the trustfence initramfs if and only if partition encryption is enabled
+    if (d.getVar("TRUSTFENCE_ENCRYPT_PARTITIONS", True) == "1"):
+        d.setVar("TRUSTFENCE_INITRAMFS_IMAGE", "dey-image-trustfence-initramfs");
+    else:
+        d.setVar("TRUSTFENCE_INITRAMFS_IMAGE", "");
 }
--- a/meta-digi-dey/recipes-core/base-files/base-files_3.0.14.bbappend
+++ b/meta-digi-dey/recipes-core/base-files/base-files_3.0.14.bbappend
@ -1,4 +1,4 @@
-# Copyright (C) 2013-2019 Digi International.
+# Copyright (C) 2013-2021 Digi International.

 FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"

@ -38,7 +38,7 @@ pkg_postinst_ontarget_${PN}() {
 	fi

 	# Disable file system check when rootfs is encrypted
-	if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
+	if [ "${TRUSTFENCE_ENCRYPT_ROOTFS}" = "1" ]; then
 		for arg in $(cat /proc/cmdline); do
 			case "${arg}" in
 				root=*) eval ${arg};;
--- a/meta-digi-dey/recipes-digi/swu-images/swu.inc
+++ b/meta-digi-dey/recipes-digi/swu-images/swu.inc
@ -1,14 +1,14 @@
-# Copyright (C) 2016-2020 Digi International Inc.
+# Copyright (C) 2016-2021 Digi International Inc.
 SUMMARY = "Generate update package for SWUpdate"
 SECTION = "base"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"

 SRC_URI = "file://sw-description"
-SRC_URI_append_ccimx6 = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), 'file://preinstall_swu.sh', '')}"
-SRC_URI_append_ccimx6ul = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '', 'file://preinstall_swu.sh')}"
-SRC_URI_append_ccimx8x = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), 'file://preinstall_swu.sh', '')}"
-SRC_URI_append_ccimx8m = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), 'file://preinstall_swu.sh', '')}"
+SRC_URI_append_ccimx6 = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', 'file://preinstall_swu.sh', '')}"
+SRC_URI_append_ccimx6ul = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '', 'file://preinstall_swu.sh')}"
+SRC_URI_append_ccimx8x = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', 'file://preinstall_swu.sh', '')}"
+SRC_URI_append_ccimx8m = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', 'file://preinstall_swu.sh', '')}"

 inherit swupdate

@ -31,13 +31,13 @@ ROOTFS_DEV_NAME ?= "/dev/mmcblk0p3"
 ROOTFS_DEV_NAME_ccimx6ul ?= "rootfs"
 ROOTFS_ENC_DEV = "/dev/mapper/cryptrootfs"
 ROOTFS_ENC_DEV_ccimx6ul = "${ROOTFS_DEV_NAME}"
-ROOTFS_DEV_NAME_FINAL = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${ROOTFS_ENC_DEV}', '${ROOTFS_DEV_NAME}')}"
+ROOTFS_DEV_NAME_FINAL = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${ROOTFS_ENC_DEV}', '${ROOTFS_DEV_NAME}')}"
 PREINST_SCRIPT_TEMPLATE = "scripts: ( { filename = \\"preinstall_swu.sh\\"; type = \\"preinstall\\"; sha256 = \\"@preinstall_swu.sh\\"; \\x7D );"
 PREINST_SCRIPT_DESC = ""
-PREINST_SCRIPT_DESC_ccimx6 = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${PREINST_SCRIPT_TEMPLATE}', '')}"
-PREINST_SCRIPT_DESC_ccimx6ul = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '', '${PREINST_SCRIPT_TEMPLATE}')}"
-PREINST_SCRIPT_DESC_ccimx8x = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${PREINST_SCRIPT_TEMPLATE}', '')}"
-PREINST_SCRIPT_DESC_ccimx8m = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${PREINST_SCRIPT_TEMPLATE}', '')}"
+PREINST_SCRIPT_DESC_ccimx6 = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${PREINST_SCRIPT_TEMPLATE}', '')}"
+PREINST_SCRIPT_DESC_ccimx6ul = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '', '${PREINST_SCRIPT_TEMPLATE}')}"
+PREINST_SCRIPT_DESC_ccimx8x = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${PREINST_SCRIPT_TEMPLATE}', '')}"
+PREINST_SCRIPT_DESC_ccimx8m = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${PREINST_SCRIPT_TEMPLATE}', '')}"

 python () {
    img_fstypes = d.getVar('BOOTFS_EXT', True) + " " + d.getVar('ROOTFS_EXT', True)