meta-ti-security: Add new layer for security features #57
Draft
AashvijShenai wants to merge 5 commits into TexasInstruments:scarthgap from
This new sub layer adds security features that are relevant to TI's products.

Signed-off-by: Aashvij Shenai <a-shenai@ti.com>
cshilwant
reviewed
Mar 10, 2025
meta-ti-security/recipes-core/images/packagegroup-ti-security.bb
Outdated
1. For authenticated boot, the initramfs needs to decrypt & verify the secure root filesystem. recipes-core/images/files/init_crypt_verity.sh will be the init that will run in the initramfs for this purpose.
2. Extend the capabilities of the initramfs image by including dm-crypt and dm-verity via cryptsetup, lvm2. e2fsprogs-mke2fs adds support to convert partitions to ext4
3. Due to the encryption utility erasing existing data when setting up the secure partition, a post-install script is being used on the target that will setup crypt and verity partitions

Signed-off-by: Aashvij Shenai <a-shenai@ti.com>
1. recipes-kernel/linux/files/security.cfg adds dm-* configs
2. This also specifies the initramfs that needs to be packaged along with the kernel. The idea is to use tisdk-default-image to build the full root filesystem and package the tisdk-tiny-initramfs

Signed-off-by: Aashvij Shenai <a-shenai@ti.com>
This creates a wic image of 4 partitions. dm-crypt and dm-verity require a partition each. The crypt partition needs to be as large as the filesystem it contains + at least 32MB of additional buffer for the headers. The verity partition needs about 10% of the size of the partition it is verifying.

Signed-off-by: Aashvij Shenai <a-shenai@ti.com>
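The sizing rules in the commit message above, worked through as an added example that is not part of this pull request or of meta-ti-security. It checks the 10% verity rule of thumb against the hash-tree size dm-verity actually needs. Assumptions: the verity partition covers the crypt partition, a one-block superblock precedes the tree, and the default is 4096-byte blocks with SHA-256 (32-byte digests); all function names are hypothetical.

```python
MIB = 1024 * 1024
CRYPT_MARGIN = 32 * MIB  # "at least 32MB" of header buffer, per the commit message


def align_up(n, unit=MIB):
    """Round n up to a multiple of unit (partition sizes kept MiB-aligned)."""
    return -(-n // unit) * unit


def crypt_partition_bytes(fs_bytes):
    """Crypt partition = contained filesystem + header margin."""
    return align_up(fs_bytes + CRYPT_MARGIN)


def verity_rule_bytes(verified_bytes):
    """Rule of thumb from the commit message: about 10% of the verified partition."""
    return align_up(-(-verified_bytes // 10))


def verity_tree_bytes(verified_bytes, block=4096, digest=32):
    """Exact size of a dm-verity Merkle tree over verified_bytes.

    Each hash block stores block // digest child digests; levels are added
    until a single block remains, whose digest is the root hash.
    """
    per_block = block // digest
    nodes = -(-verified_bytes // block)  # number of data blocks
    blocks = 1                           # assumed: one block for the superblock
    while nodes > 1:
        nodes = -(-nodes // per_block)   # hash blocks needed at this level
        blocks += nodes
    return blocks * block


def plan(fs_bytes, block=4096, digest=32):
    """Return partition sizes and whether the 10% rule covers the real tree."""
    crypt = crypt_partition_bytes(fs_bytes)
    rule = verity_rule_bytes(crypt)
    need = verity_tree_bytes(crypt, block, digest)
    return {"crypt": crypt, "verity": max(rule, need),
            "tree": need, "rule_sufficient": rule >= need}


if __name__ == "__main__":
    for label, kw in (("4096/SHA-256", {}), ("512/SHA-512", {"block": 512, "digest": 64})):
        p = plan(1024 * MIB, **kw)  # constructed input: 1 GiB root filesystem
        print(label, {k: v // MIB if k != "rule_sufficient" else v for k, v in p.items()})
```

With the defaults the tree is under 1% of the verified partition, so 10% leaves ample headroom; with 512-byte blocks and 64-byte digests the tree is roughly 14% and the rule of thumb undersizes the partition.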
Signed-off-by: Aashvij Shenai <a-shenai@ti.com>
764f027 to 4971bf0
Author
DO NOT MERGE THIS PR
It needs to be worked on further to be functional
Member
DO NOT MERGE THIS PR YET