Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence-initramfs: Extend for the ccimx6ul 

https://jira.digi.com/browse/DEL-3173

Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
This commit is contained in:
Alex Gonzalez 2016-11-08 14:07:10 +01:00
parent af3f883f09
commit b3e5837cf4
8 changed files with 211 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
meta-digi-arm/classes/image_types_digi.bbclass
View File

@ -75,6 +75,7 @@ IMAGE_DEPENDS_boot.ubifs = " \
mtd-utils-native:do_populate_sysroot \ mtd-utils-native:do_populate_sysroot \
u-boot:do_deploy \ u-boot:do_deploy \
virtual/kernel:do_deploy \ virtual/kernel:do_deploy \
${@TRUSTFENCE_BOOTIMAGE_DEPENDS(d)} \
" "
IMAGE_CMD_boot.ubifs() { IMAGE_CMD_boot.ubifs() {
@ -90,6 +91,11 @@ IMAGE_CMD_boot.ubifs() {
done done
fi fi
# Add Trustfence initramfs if enabled
if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf"
fi
# Create temporary folder # Create temporary folder
TMP_BOOTDIR="$(mktemp -d ${DEPLOY_DIR_IMAGE}/boot.XXXXXX)" TMP_BOOTDIR="$(mktemp -d ${DEPLOY_DIR_IMAGE}/boot.XXXXXX)"

1
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
View File

@ -98,6 +98,7 @@ do_compile () {
TF_BOOTSCRIPT_SEDFILTER = "" TF_BOOTSCRIPT_SEDFILTER = ""
TF_BOOTSCRIPT_SEDFILTER_ccimx6 = "${@tf_bootscript_sedfilter(d)}" TF_BOOTSCRIPT_SEDFILTER_ccimx6 = "${@tf_bootscript_sedfilter(d)}"
TF_BOOTSCRIPT_SEDFILTER_ccimx6ul = "${@tf_bootscript_sedfilter(d)}"
def tf_bootscript_sedfilter(d): def tf_bootscript_sedfilter(d):
tf_initramfs = d.getVar('TRUSTFENCE_INITRAMFS_IMAGE',True) or "" tf_initramfs = d.getVar('TRUSTFENCE_INITRAMFS_IMAGE',True) or ""

12
meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb
View File

@ -24,9 +24,17 @@ FILES_${PN} = "/"
# Runtime packages used in 'trustfence-initramfs-init' # Runtime packages used in 'trustfence-initramfs-init'
RDEPENDS_${PN} = " \ RDEPENDS_${PN} = " \
cryptsetup \
rng-tools \
trustfence-tool \ trustfence-tool \
util-linux-findfs \ util-linux-findfs \
wipe \ wipe \
u-boot-fw-utils \
"
RDEPENDS_${PN}_append_ccimx6sbc = " \
cryptsetup \
rng-tools \
"
RDEPENDS_${PN}_append_ccimx6ul = " \
mtd-utils-ubifs \
" "

0
meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init → meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-initramfs-init
View File

0
meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh → meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-install.sh
View File

98
meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init Normal file
View File

@ -0,0 +1,98 @@
#!/bin/sh
#===============================================================================
#
# trustfence-initramfs-init
#
# Copyright (C) 2016 by Digi International Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published by
# the Free Software Foundation.
#
#
# !Description: Init script for Trustfence initramfs
#
#===============================================================================
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
mkdir -p /proc /sys /dev
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs devtmpfs /dev
# Set kernel console loglevel
LOGLEVEL="$(sysctl -n kernel.printk)"
sysctl -q -w kernel.printk=4
for arg in $(cat /proc/cmdline); do
case "${arg}" in
init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};;
trustfence_fskey*)
tf_fskey_bool=true;
eval ${arg};;
esac
done
# Translate "PARTUUID=..." to real device
root="/dev/$(findfs ${root})"
rescue_shell () {
# Expand console and respawn if exited
while true; do
setsid cttyhack sh -l
sleep 1
done
}
# Jump to a rescue shell if requested
if [ -n "${rescue}" ]; then
rescue_shell
fi
if [ -n "${tf_fskey_bool}" ]; then
# Program key if trustfence_fskey kernel parameter exists
if [ -n "${trustfence_fskey}" ]; then
# trustfence_fskey not empty - use provided key
printf "\nUsing provided key\n"
trustfence-tool --newkey=${trustfence_fskey}
if [ "${?}" != "0" ]; then
error "trustfence-tool: key generation"
fi
else
# trustfence_fskey empty - use random key
printf "\nGenerating new random key\n"
trustfence-tool --newkey
if [ "${?}" != "0" ]; then
error "trustfence-tool: key generation"
fi
fi
echo "\nFile system encryption key changed.\n"
echo "A system reboot is needed for the kernel to use it.\n"
rescue_shell
fi
# Run install script if "trustfence_install" kernel parameter exists
if [ -n "${trustfence_install}" ]; then
trustfence-install.sh ${trustfence_install}
sleep 1
echo ">> Rebooting the system"
sleep 1
sync && reboot -f
fi
# Mount device
mkdir -p /newroot
mount -t "ubifs" ${root} /newroot
#
# Clean-up and do the switch_root to the final rootfs
#
# - restore previous kernel console loglevel
# - umount virtual filesystems
#
[ -n "${LOGLEVEL}" ] && sysctl -q -w kernel.printk="${LOGLEVEL}"
mount --move /dev /newroot/dev
umount /sys /proc
exec switch_root /newroot ${init:-/sbin/init}

94
meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh Normal file
View File

@ -0,0 +1,94 @@
#!/bin/sh
#===============================================================================
#
# trustfence-install.sh
#
# Copyright (C) 2016 by Digi International Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published by
# the Free Software Foundation.
#
#
# !Description: Wrapper script for initial deployment of encrypted filesystems
#
# The script gathers the needed information from the 'trustfence_install'
# kernel command line parameter with following syntax:
#
# trustfence_install="source:serverip:filename:partname"
# source -> 'tftp' | <block-device>
# serverip -> <tftp-ip> | '' (serverip or empty if local)
# filename -> <image-filename> (path relative to 'source')
# partname -> <partition name> (should match an entry on the
# partition table)
#
# For 'tftp' mode the kernel IP autoconfig may be used to bring the network
# interface up, with 'ip' kernel parameter. Examples:
#
# ip=<static-ip>:::<netmask>::eth0:off
# ip=dhcp
#
# This script is meant for testing purposes. It's NOT a stable API and may
# be subject to change.
#
#===============================================================================
set -o pipefail
TF_INSTALL_INFO="${1}"
error() {
[ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}"
exit 1
}
# Parse trustfence_install kernel parameter
IFS=":" read SOURCE SERVERIP FILENAME PARTNAME <<_EOF_
${TF_INSTALL_INFO}
_EOF_
# Validate command line arguments
if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || [ -z "${PARTNAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then
error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}"
fi
# Format partition
mtdindex="$(sed -ne "/\"${PARTNAME}\"$/s,^mtd\([0-9]\):.*,\1,g;T;p" /proc/mtd)"
ubidetach -p /dev/mtd${mtdindex} >/dev/null 2>&1
ubiformat -y /dev/mtd${mtdindex}
UBI_DEVICE="$(ubiattach -p /dev/mtd${mtdindex} | sed -ne 's,.*device number \([0-9]\).*,\1,g;T;p')"
ubimkvol /dev/ubi${UBI_DEVICE} -N "${PARTNAME}" -m
# Install image to the encrypted mapped device
if [ "${SOURCE}" = "tftp" ]; then
printf "\nInstalling ${FILENAME} from TFTP\n\n"
FILE=$(basename "$FILENAME")
tftp -g -l - -r "${FILENAME}" "${SERVERIP}" > ${FILE} || { error "tftp failed"; }
FILESIZE=$(stat -c%s "$FILE")
pv -tprebW ${FILE} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null
rm -f ${FILE}
if [ "${?}" != "0" ]; then
error "write ${FILENAME}"
fi
elif [ -b "${SOURCE}" ]; then
printf "\nInstalling ${FILENAME} from local media\n\n"
MOUNTPOINT="/media/$(basename ${SOURCE})"
FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')"
mkdir -p ${MOUNTPOINT}
mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT}
FILESIZE=$(stat -c%s "${MOUNTPOINT}/${FILENAME}")
pv -tprebW ${MOUNTPOINT}/${FILENAME} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null
if [ "${?}" != "0" ]; then
error "write ${FILENAME}"
fi
umount ${SOURCE}
else
error "${SOURCE} is neither a block device nor 'tftp'"
fi
echo ""
echo "#######################"
echo "# Install completed #"
echo "#######################"
echo ""

4
meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb → meta-digi-dey/recipes-core/trustfence/trustfence-tool_2.0.bb
View File

@ -6,7 +6,7 @@ LICENSE = "CLOSED"
SRC_URI = "${DIGI_PKG_SRC}/${BP}.tar.gz" SRC_URI = "${DIGI_PKG_SRC}/${BP}.tar.gz"
SRC_URI[md5sum] = "eea4efe8b8e7527a0ffeea16fd238ba3" SRC_URI[md5sum] = "413084cc2045d345883189cd0d68ca76"
SRC_URI[sha256sum] = "aefeb08f2db59c891cf1162488499448bf9d80d64b2778d4fda11343793373e7" SRC_URI[sha256sum] = "dff702f2838a7802103469c1ba07daead206652774e02a0a855b08d94aafe5fe"
inherit bin_package inherit bin_package