The common license file GPL-2.0 is now called GPL-2.0-only in poky, so we need
to reflect this name change to avoid errors
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This version adds new functionality to check if an encryption key is installed
as well as a fix for an issue that happens when encrypting partitions with long
names (over 12 characters).
https://onedigi.atlassian.net/browse/DEL-7535
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This initramfs only makes sense in platforms with an eMMC as the internal
storage, due to how the partition encryption support is implemented. In
plaatforms that use NAND instead, ths initramfs offers no functionality and
increases the recovery image size, so remove it.
https://onedigi.atlassian.net/browse/DEL-7534
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Modify the recovery and trustfence initramfs scripts to be able to encrypt any
partition on the internal storage media, not just the rootfs.
To implement this functionality, add a new recovery command called
'encrypt_partitions'. When used, this command must contain a comma-separated
list of the partitions that are to be encrypted by the end of the recovery
process, including partitions that were already encrypted beforehand. Any
partition that isn't in the list will be unencrypted. If the command is absent,
no changes will be made, but it's possible to pass an empty command to
unencrypt all partitions.
Include a blacklist to avoid encrypting partitions that shouldn't be encrypted,
such as partitions that need to be accessed by the ROM code/U-Boot or
partitions that contain encryption keys.
While at it, remove unnecessary "get_kernel_version" function from the script.
https://onedigi.atlassian.net/browse/DEL-7174
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Modify the recovery-utils code to reflect the change (change in C header and
linked libraries)
https://jira.digi.com/browse/DEL-7410
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This version includes changes needed to reflect the OTP driver update in the
kernel.
https://jira.digi.com/browse/DEL-7261
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The poweroff command is not available in the initramfs due to a missing
sysvinit/systemd dependency. Use the busybox "halt" command, since it's
available regardless of the init manager used. Rework the error message and
script variables accordingly.
https://jira.digi.com/browse/DEL-6983
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Trustfence is not supported in the CC8X at the moment. This cleans the
following warning:
WARNING: meta-digi/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb: Unable to get checksum for trustfence-initramfs SRC_URI entry trustfence-initramfs-init: file could not be found
Signed-off-by: Jose Diaz de Grenu <Jose.DiazdeGrenu@digi.com>
(cherry picked from commit 778fc424274fc0983c348f4da6ca09e1a7b5b859)
We now have different tarballs for each CPU architecture we compile for. Also,
add support for the aarch64 tarball.
https://jira.digi.com/browse/DEL-6046
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This tool was only needed for old kernels, newer kernels use the hardware
random number generator themselves.
https://jira.digi.com/browse/DEL-5518
Signed-off-by: Jose Diaz de Grenu <Jose.DiazdeGrenu@digi.com>
This commit modifies different recipes to support the new platform
ccimx6qpsbc and adapt it to maintain the support to ccimx6sbc.
https://jira.digi.com/browse/DEL-5082
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Allowing to boot a non-encrypted rootfs when encryption is enable is a security
hole: if an attacker can somehow write (offline) to the media, he could flash a
custom unencrypted rootfs and break into the system.
If the system is configured to use encryption, only encrypted rootfs will boot.
Trying to boot a non-encrypted rootfs will fail and power off the device.
https://jira.digi.com/browse/DEL-3829
Signed-off-by: Tatiana Leon <tatiana.leon@digi.com>
The recovery ramdisk already contains functionality for encrypted rootfs
installation. The goal is to centralize all this functionality in the recovery
ramdisk.
https://jira.digi.com/browse/DEL-3829
Signed-off-by: Tatiana Leon <tatiana.leon@digi.com>
Use the static binary from the tarball, which should be common across
different platforms and operating systems.
https://jira.digi.com/browse/DEL-3261
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
New functionality has been implemented in trustfence-tool application,
so there is no need to call cryptsetup command.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Get filesystem type of rootfs block device and pass it explicitly to the
mount command to clean following warnings on boot:
EXT4-fs (dm-0): couldn't mount as ext3 due to feature incompatibilities
EXT4-fs (dm-0): couldn't mount as ext2 due to feature incompatibilities
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This package adds some files needed by the trustfence initramfs and that
are not included in other packages.
https://jira.digi.com/browse/DEL-2278
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Javier Viguera
Gabriel Valcazar
Arturo Buzarra
Mike Engel
Jose Diaz de Grenu
Gonzalo Ruiz
Sebastian Pastor
Tatiana Leon
Alex Gonzalez