From 82a76a710639c521a6a837d6dcb48ee88d7d135f Mon Sep 17 00:00:00 2001
From: Gabriel Valcazar
Date: Mon, 10 May 2021 16:20:56 +0200
Subject: [PATCH] trustfence: split filesystem encryption support into two variables

Previously, TRUSTFENCE_INITRAMFS_IMAGE was the only variable used to configure rootfs encryption. Now that any partition can be encrypted and the rootfs encryption still needs to be handled differently, use two variables instead.

* TRUSTFENCE_ENCRYPT_PARTITIONS to control partition encryption in general
* TRUSTFENCE_ENCRYPT_ROOTFS to control rootfs encryption

As with most trustfence functionality, enable both by default. Leave TRUSTFENCE_INITRAMFS_IMAGE as an internal variable only.

https://onedigi.atlassian.net/browse/DEL-7174

Signed-off-by: Gabriel Valcazar
---
 meta-digi-dey/classes/trustfence.bbclass | 15 ++++++++++++--
 .../base-files/base-files_3.0.14.bbappend | 4 ++--
 meta-digi-dey/recipes-digi/swu-images/swu.inc | 20 +++++++++----------
 3 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6ec8d054e..f4fa2b2cc 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -25,8 +25,9 @@ TRUSTFENCE_DEK_PATH ?= "default"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 
-# Trustfence initramfs image recipe
-TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
+# Partition encryption configuration
+TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
+TRUSTFENCE_ENCRYPT_ROOTFS ?= "1"
 
 IMAGE_FEATURES += "dey-trustfence"
 
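Review bot: The new `TRUSTFENCE_ENCRYPT_PARTITIONS` / `TRUSTFENCE_ENCRYPT_ROOTFS` defaults replace the `TRUSTFENCE_INITRAMFS_IMAGE ?=` default, but the comment above them says nothing about which values are honoured or that `TRUSTFENCE_INITRAMFS_IMAGE` is now derived and overwritten in the anonymous python function later in this file, so a user who still sets it in local.conf gets no effect and no message. Expand the comment to state the contract, e.g. `# Partition encryption configuration: "1" enables, any other value disables.` and `# TRUSTFENCE_INITRAMFS_IMAGE is derived from these in the anonymous python function below; do not set it directly.`. Since the rootfs flag forces the partition flag on, that dependency is also worth a line here, where the two variables are declared rather than where the override happens.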
@@ -92,4 +93,14 @@ python () {
 
     # Set the key password.
     d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
+
+    # Enable partition encryption if rootfs encryption is enabled
+    if (d.getVar("TRUSTFENCE_ENCRYPT_ROOTFS", True) == "1"):
+        d.setVar("TRUSTFENCE_ENCRYPT_PARTITIONS", "1");
+
+    # Enable the trustfence initramfs if and only if partition encryption is enabled
+    if (d.getVar("TRUSTFENCE_ENCRYPT_PARTITIONS", True) == "1"):
+        d.setVar("TRUSTFENCE_INITRAMFS_IMAGE", "dey-image-trustfence-initramfs");
+    else:
+        d.setVar("TRUSTFENCE_INITRAMFS_IMAGE", "");
 }
diff --git a/meta-digi-dey/recipes-core/base-files/base-files_3.0.14.bbappend b/meta-digi-dey/recipes-core/base-files/base-files_3.0.14.bbappend
index 31e072038..4adb075d2 100644
--- a/meta-digi-dey/recipes-core/base-files/base-files_3.0.14.bbappend
+++ b/meta-digi-dey/recipes-core/base-files/base-files_3.0.14.bbappend
@@ -1,4 +1,4 @@
-# Copyright (C) 2013-2019 Digi International.
+# Copyright (C) 2013-2021 Digi International.
 
 FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"
 
@@ -38,7 +38,7 @@ pkg_postinst_ontarget_${PN}() {
 	fi
 
 	# Disable file system check when rootfs is encrypted
-	if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
+	if [ "${TRUSTFENCE_ENCRYPT_ROOTFS}" = "1" ]; then
 		for arg in $(cat /proc/cmdline); do
 			case "${arg}" in
 				root=*) eval ${arg};;
diff --git a/meta-digi-dey/recipes-digi/swu-images/swu.inc b/meta-digi-dey/recipes-digi/swu-images/swu.inc
index d744e160b..e16529718 100644
--- a/meta-digi-dey/recipes-digi/swu-images/swu.inc
+++ b/meta-digi-dey/recipes-digi/swu-images/swu.inc
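Review bot: The first new `if` silently overwrites an explicit `TRUSTFENCE_ENCRYPT_PARTITIONS = "0"` whenever `TRUSTFENCE_ENCRYPT_ROOTFS` is left at its default of "1", so a build that was configured to disable partition encryption still gets the encrypted rootfs and the trustfence initramfs with no indication why. Warn when the value is actually being changed, e.g. `if d.getVar("TRUSTFENCE_ENCRYPT_ROOTFS", True) == "1" and d.getVar("TRUSTFENCE_ENCRYPT_PARTITIONS", True) != "1":` followed by `bb.warn("TRUSTFENCE_ENCRYPT_ROOTFS=1 requires TRUSTFENCE_ENCRYPT_PARTITIONS=1; overriding")` before the existing `d.setVar(...)`. The exact-string comparison also means values such as "yes" or "true" disable encryption and set `TRUSTFENCE_INITRAMFS_IMAGE` to empty without any diagnostic, which the comment should state since three recipes now key off this value. Style-wise, the parentheses around both conditions and the trailing semicolons on the `d.setVar` calls are not Python idiom and should be dropped. The anonymous `python () {` function begins before this hunk.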
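Review bot: `${TRUSTFENCE_ENCRYPT_ROOTFS}` in the new test is expanded by BitBake when the `pkg_postinst_ontarget` body is generated, so the fsck decision is frozen into the package at build time rather than taken from the running device; the old `-n` test had the same property, but the new form reads like an ordinary runtime shell variable. A comment would prevent that misreading, e.g. `# Build-time value baked into this script; it does not reflect the device state` above the `if`. When the variable is unset because trustfence is not inherited, the test presumably becomes `[ "" = "1" ]` and fsck stays enabled, which looks intended but is worth confirming. The `pkg_postinst_ontarget_${PN}()` function starts and ends outside this hunk.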
@@ -1,14 +1,14 @@
-# Copyright (C) 2016-2020 Digi International Inc.
+# Copyright (C) 2016-2021 Digi International Inc.
 
 SUMMARY = "Generate update package for SWUpdate"
 SECTION = "base"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
 
 SRC_URI = "file://sw-description"
-SRC_URI_append_ccimx6 = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), 'file://preinstall_swu.sh', '')}"
-SRC_URI_append_ccimx6ul = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '', 'file://preinstall_swu.sh')}"
-SRC_URI_append_ccimx8x = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), 'file://preinstall_swu.sh', '')}"
-SRC_URI_append_ccimx8m = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), 'file://preinstall_swu.sh', '')}"
+SRC_URI_append_ccimx6 = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', 'file://preinstall_swu.sh', '')}"
+SRC_URI_append_ccimx6ul = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '', 'file://preinstall_swu.sh')}"
+SRC_URI_append_ccimx8x = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', 'file://preinstall_swu.sh', '')}"
+SRC_URI_append_ccimx8m = " ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', 'file://preinstall_swu.sh', '')}"
 inherit swupdate
 
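Review bot: The test `d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1'` is written out four times in the `SRC_URI_append_*` lines here and five more times in the `@@ -31,13 +31,13` hunk below (`ROOTFS_DEV_NAME_FINAL` and the four `PREINST_SCRIPT_DESC_*` lines), so the rule that selects between `${ROOTFS_ENC_DEV}` and `${ROOTFS_DEV_NAME}` and decides whether the preinstall script ships lives in nine places. Define it once, e.g. `TRUSTFENCE_ROOTFS_ENCRYPTED = "${@'1' if d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1' else ''}"`, and pass `d.getVar('TRUSTFENCE_ROOTFS_ENCRYPTED', True)` as the `ifelse` condition in each line; alternatively `oe.utils.conditional('TRUSTFENCE_ENCRYPT_ROOTFS', '1', 'file://preinstall_swu.sh', '', d)` expresses each line in one call without the comparison. The ccimx6ul line keeps the opposite branch order from the other three; if that asymmetry is intentional, a one-line comment would stop the next reader from taking it for a copy-paste error.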
@@ -31,13 +31,13 @@ ROOTFS_DEV_NAME ?= "/dev/mmcblk0p3"
 ROOTFS_DEV_NAME_ccimx6ul ?= "rootfs"
 ROOTFS_ENC_DEV = "/dev/mapper/cryptrootfs"
 ROOTFS_ENC_DEV_ccimx6ul = "${ROOTFS_DEV_NAME}"
-ROOTFS_DEV_NAME_FINAL = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${ROOTFS_ENC_DEV}', '${ROOTFS_DEV_NAME}')}"
+ROOTFS_DEV_NAME_FINAL = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${ROOTFS_ENC_DEV}', '${ROOTFS_DEV_NAME}')}"
 PREINST_SCRIPT_TEMPLATE = "scripts: ( { filename = \\"preinstall_swu.sh\\"; type = \\"preinstall\\"; sha256 = \\"@preinstall_swu.sh\\"; \\x7D );"
 PREINST_SCRIPT_DESC = ""
-PREINST_SCRIPT_DESC_ccimx6 = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${PREINST_SCRIPT_TEMPLATE}', '')}"
-PREINST_SCRIPT_DESC_ccimx6ul = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '', '${PREINST_SCRIPT_TEMPLATE}')}"
-PREINST_SCRIPT_DESC_ccimx8x = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${PREINST_SCRIPT_TEMPLATE}', '')}"
-PREINST_SCRIPT_DESC_ccimx8m = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_INITRAMFS_IMAGE', True), '${PREINST_SCRIPT_TEMPLATE}', '')}"
+PREINST_SCRIPT_DESC_ccimx6 = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${PREINST_SCRIPT_TEMPLATE}', '')}"
+PREINST_SCRIPT_DESC_ccimx6ul = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '', '${PREINST_SCRIPT_TEMPLATE}')}"
+PREINST_SCRIPT_DESC_ccimx8x = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${PREINST_SCRIPT_TEMPLATE}', '')}"
+PREINST_SCRIPT_DESC_ccimx8m = "${@oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT_ROOTFS', True) == '1', '${PREINST_SCRIPT_TEMPLATE}', '')}"
 
 python () {
     img_fstypes = d.getVar('BOOTFS_EXT', True) + " " + d.getVar('ROOTFS_EXT', True)