From 76b03fbf4aa2735689dff6f4f2e64a237c34f5fe Mon Sep 17 00:00:00 2001 From: Aashvij Shenai Date: Mon, 10 Mar 2025 15:36:00 +0530 Subject: [PATCH 1/5] meta-ti-security: Add README This new sub layer adds security features that are relevant to TI's products. Signed-off-by: Aashvij Shenai
---
meta-ti-security/README | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 meta-ti-security/README
diff --git a/meta-ti-security/README b/meta-ti-security/README
new file mode 100644
index 00000000..04932138
--- /dev/null
+++ b/meta-ti-security/README
@@ -0,0 +1,36 @@
+meta-ti-security layer includes components for Texas Instruments' security offering.
+
+This layer works with the latest Yocto Project release (currently 5.0+) and tracks
+the stable/maintenance branches (currently "scarthgap") of the corresponding layers:
+
+URI: git://git.openembedded.org/openembedded-core
+branch: scarthgap
+revision: HEAD
+layers: meta
+
+URI: git://git.yoctoproject.org/meta-ti
+branch: scarthgap
+revision: HEAD
+layers: meta-ti-bsp, meta-ti-extras
+
+URI: git://git.yoctoproject.org/meta-arm
+branch: scarthgap
+revision: HEAD
+layers: meta-arm, meta-arm-toolchain
+
+URI: git://git.openembedded.org/meta-openembedded
+branch: scarthgap
+revision: HEAD
+layers: meta-oe, meta-networking, meta-python
+
+URI: git://git.yoctoproject.org/meta-arago
+branch: scarthgap
+revision: HEAD
+layers: meta-arago-distro, meta-arago-extras, meta-arago-test
+
+Please submit any patches against the meta-tisdk layer by using the GitHub pull-request feature.
+You are encouraged to fork the mirror on GitHub https://github.com/TexasInstruments/meta-tisdk
+to share your patches.
+
+Layer Maintainers:
+Chirag Shilwant
From e51b531be67b6785b190be7c500e661ceaea4f5b Mon Sep 17 00:00:00 2001
From: Aashvij Shenai Date: Mon, 10 Mar 2025 15:56:33 +0530 Subject: [PATCH 2/5] meta-ti-security: Add initramfs features 1. For authenticated boot, the initramfs needs to decrypt & verify the secure root filesystem. recipes-core/images/files/init_crypt_verity.sh will be the init that will run in the initramfs for this purpose. 2. Extend the capabilities of the initramfs image by including dm-crypt and dm-verity via cryptsetup, lvm2. e2fsprogs-mke2fs adds support to convert partitions to ext4 3. Due to the encryption utility erasing exisiting data when setting up the secure partition, a post-install script is being used on the target that will setup crypt and verity partitions Signed-off-by: Aashvij Shenai
---
.../images/files/init_crypt_verity.sh | 83 +++++++++++++++++++ .../images/packagegroup-ti-security.bb | 59 +++++++++++++ .../images/tisdk-tiny-initramfs.bbappend | 4 + 3 files changed, 146 insertions(+) create mode 100644 meta-ti-security/recipes-core/images/files/init_crypt_verity.sh create mode 100644 meta-ti-security/recipes-core/images/packagegroup-ti-security.bb create mode 100644 meta-ti-security/recipes-core/images/tisdk-tiny-initramfs.bbappend
diff --git a/meta-ti-security/recipes-core/images/files/init_crypt_verity.sh b/meta-ti-security/recipes-core/images/files/init_crypt_verity.sh
new file mode 100644
index 00000000..7542aac1
--- /dev/null
+++ b/meta-ti-security/recipes-core/images/files/init_crypt_verity.sh
@@ -0,0 +1,83 @@
+# TEXAS INSTRUMENTS TEXT FILE LICENSE
+#
+# Copyright (c) 2025 - 2025 Texas Instruments Incorporated
+#
+# All rights reserved not granted herein.
+#
+# Limited License.
+#
+# Texas Instruments Incorporated grants a world-wide, royalty-free,
+# non-exclusive license under copyrights and patents it now or hereafter owns
+# or controls to make, have made, use, import, offer to sell and sell
+# ("Utilize") this software subject to the terms herein. With respect to the
+# foregoing patent license, such license is granted solely to the extent that
+# any such patent is necessary to Utilize the software alone. The patent
+# license shall not apply to any combinations which include this software,
+# other than combinations with devices manufactured by or for TI ("TI
+# Devices"). No hardware patent is licensed hereunder.
+#
+# Redistributions must preserve existing copyright notices and reproduce this
+# license (including the above copyright notice and the disclaimer and (if
+# applicable) source code license limitations below) in the documentation
+# and/or other materials provided with the distribution
+#
+# Redistribution and use in binary form, without modification, are permitted
+# provided that the following conditions are met:
+#
+# * No reverse engineering, decompilation, or disassembly of this software is
+# permitted with respect to any software provided in binary form.
+#
+# * any redistribution and use are licensed by TI for use only with TI
+# Devices.
+#
+# * Nothing shall obligate TI to provide you with source code for the software
+# licensed and provided to you in object code.
+#
+# If software source code is provided to you, modification and redistribution
+# of the source code are permitted provided that the following conditions are
+# met:
+#
+# * any redistribution and use of the source code, including any resulting
+# derivative works, are licensed by TI for use only with TI Devices.
+#
+# * any redistribution and use of any object code compiled from the source
+# code and any resulting derivative works, are licensed by TI for use only
+# with TI Devices.
+#
+# Neither the name of Texas Instruments Incorporated nor the names of its
+# suppliers may be used to endorse or promote products derived from this
+# software without specific prior written permission.
+#
+# DISCLAIMER.
+#
+# THIS SOFTWARE IS PROVIDED BY TI AND TI'S LICENSORS "AS IS" AND ANY EXPRESS
+# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+# NO EVENT SHALL TI AND TI'S LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#!/bin/sh
+
+sleep 5 #For mmcblk1 to populate
+chown root:root /bin/mount.util-linux
+
+# Mount dev, procfs and sysfs
+/bin/mount -t devtmpfs none /dev
+/bin/mount -t proc none /proc
+/bin/mount -t sysfs none /sys
+
+# Decrypt
+/sbin/cryptsetup luksOpen --key-file=/keyfile /dev/mmcblk1p3 crypt_root
+
+#Verify
+/sbin/veritysetup open /dev/mapper/crypt_root verity_root /dev/mmcblk1p4 $(cat /keyfile.hash)
+
+mount -o ro /dev/mapper/verity_root /mnt
+
+# Jump to secure root FS
+exec switch_root /mnt/ /sbin/init
diff --git a/meta-ti-security/recipes-core/images/packagegroup-ti-security.bb b/meta-ti-security/recipes-core/images/packagegroup-ti-security.bb
new file mode 100644
index 00000000..577b5a5c
--- /dev/null
+++ b/meta-ti-security/recipes-core/images/packagegroup-ti-security.bb
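Review bot: In init_crypt_verity.sh the `#!/bin/sh` line sits at line 64, below the licence header, so it is only a comment; the kernel honours `#!` solely at the very start of /init, and the shebang needs to move to line 1 with `beginline`/`endline` in LIC_FILES_CHKSUM shifted by one. The script also reads `/keyfile` and `/keyfile.hash`, while packagegroup-ti-security.bb in this same patch installs `/pass_key` and writes `/pass_key.hash`, so as written luksOpen has no key file to read. None of the cryptsetup, veritysetup or mount calls is checked and `$(cat /keyfile.hash)` is unquoted, so a failed verification step only surfaces when switch_root fails; the sketch below stops at the first failing step. Beyond that, the root hash comes from a plain file: dm-verity gives integrity only if that value is itself covered by the authenticated boot image or a signature, and nothing in this hunk establishes that.

```shell
#!/bin/sh
# … unchanged: TI licence header, now below the shebang …

# Stop the boot at the first step that fails.
fail() {
    echo "init: $1" >&2
    exit 1
}

# … unchanged: sleep, chown, devtmpfs/proc/sysfs mounts …

# Paths as installed and written by packagegroup-ti-security
KEY_FILE=/pass_key
ROOT_HASH_FILE=/pass_key.hash

/sbin/cryptsetup luksOpen --key-file="$KEY_FILE" /dev/mmcblk1p3 crypt_root \
    || fail "cannot open encrypted root"

ROOT_HASH=$(cat "$ROOT_HASH_FILE") || fail "root hash not readable"
/sbin/veritysetup open /dev/mapper/crypt_root verity_root /dev/mmcblk1p4 "$ROOT_HASH" \
    || fail "dm-verity setup failed"

mount -o ro /dev/mapper/verity_root /mnt || fail "cannot mount verified root"

# … unchanged: exec switch_root …
```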
@@ -0,0 +1,59 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+LICENSE = "TI-TFL"
+LIC_FILES_CHKSUM = "file://init_crypt_verity.sh;beginline=1;endline=62;md5=907b750a47c5cfa49f82cb712643f470"
+
+# This script is used to decrypt and verify data during boot
+SRC_URI = "file://init_crypt_verity.sh"
+
+do_configure() {
+ # This demo uses a random pass_key
+ dd if=/dev/urandom of=${WORKDIR}/pass_key bs=64 count=1
+}
+
+do_install() {
+ install -d ${D}${base_prefix}
+ install -m 0755 ${WORKDIR}/init_crypt_verity.sh ${D}${base_prefix}/init
+ install -m 0600 ${WORKDIR}/pass_key ${D}${base_prefix}/pass_key
+}
+
+pkg_postinst_ontarget:${PN}() {
+ #!/bin/sh
+
+ sleep 5 #For mmcblk1 to populate
+ chown root:root /bin/mount.util-linux
+
+ /bin/mount -t devtmpfs none /dev >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+ mount /dev/mmcblk1p2 /mnt >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+ umount /dev/mmcblk1p3 >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+ umount /dev/mmcblk1p4 >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+
+ # Set up encrypted root
+ cryptsetup luksFormat /dev/mmcblk1p3 --key-file=/pass_key --batch-mode >/dev/ttyS2 2>/dev/ttyS2
+ sleep 3
+ cryptsetup luksOpen /dev/mmcblk1p3 crypt_root --key-file=/pass_key >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+
+ # Format and copy rootfs inside encrypted partition
+ mkfs.ext4 /dev/mapper/crypt_root >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+ mkdir -p /new_mount >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+ mount /dev/mapper/crypt_root /new_mount >/dev/ttyS2 2>/dev/ttyS2
+ sleep 1
+ cp -r /mnt /new_mount
+ umount /new_mount
+ umount /mnt
+
+ # Generate verity hash
+ veritysetup format /dev/mapper/crypt_root /dev/mmcblk1p4 > /pass_key.hash
+}
+
+FILES:${PN} += " \
+ ${base_prefix}/init \
+ ${base_prefix}/pass_key \
+"
diff --git a/meta-ti-security/recipes-core/images/tisdk-tiny-initramfs.bbappend b/meta-ti-security/recipes-core/images/tisdk-tiny-initramfs.bbappend
new file mode 100644
index 00000000..248973a4
--- /dev/null
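Review bot: `do_configure` in packagegroup-ti-security.bb generates `pass_key` once per build and `do_install` ships it in the package, so every device flashed from that build shares one LUKS key and the key sits in clear text inside the initramfs; outside a demo the key should be created or unwrapped on the device from a hardware-bound secret, and the `# This demo uses a random pass_key` comment should state that limitation. In the postinst, `cp -r /mnt /new_mount` creates `/new_mount/mnt` and does not preserve ownership or modes, so the later `switch_root /mnt/ /sbin/init` would not find init; `cp -a /mnt/. /new_mount/` copies the tree itself. `veritysetup format … > /pass_key.hash` stores the whole report rather than the bare root hash that `veritysetup open` expects, so either extract the `Root hash:` value or pass `--root-hash-file=/pass_key.hash`. The exit status of `luksFormat` and the following steps is never checked, and the hash is written into the running root at first boot, which looks like it never reaches the initramfs that has to read it; that path is worth confirming.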
+++ b/meta-ti-security/recipes-core/images/tisdk-tiny-initramfs.bbappend
@@ -0,0 +1,4 @@
+# Since do_configure and do_install do not work in an initramfs setting,
+# call required functionality from packagegroup
+
+PACKAGE_INSTALL += " cryptsetup lvm2 e2fsprogs-mke2fs packagegroup-ti-security"
From 8d975d623358ea35085a712bf585be91384cda1d Mon Sep 17 00:00:00 2001 From: Aashvij Shenai Date: Mon, 10 Mar 2025 16:08:19 +0530 Subject: [PATCH 3/5] meta-ti-security: Extend kernel features 1. recipes-kernel/linux/files/security.cfg adds dm-* configs 2. This also specifies the initramfs that needs to be packaged along with the kernel. The idea is to use tisdk-default-image build the full root filesystem and package the tisdk-tiny-initramfs Signed-off-by: Aashvij Shenai
---
.../recipes-kernel/linux/files/security.cfg | 17 +++++++++++++++++ .../linux/linux-ti-staging_6.12.bbappend | 11 +++++++++++ 2 files changed, 28 insertions(+) create mode 100644 meta-ti-security/recipes-kernel/linux/files/security.cfg create mode 100644 meta-ti-security/recipes-kernel/linux/linux-ti-staging_6.12.bbappend
diff --git a/meta-ti-security/recipes-kernel/linux/files/security.cfg b/meta-ti-security/recipes-kernel/linux/files/security.cfg
new file mode 100644
index 00000000..d9e5e952
--- /dev/null
+++ b/meta-ti-security/recipes-kernel/linux/files/security.cfg
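Review bot: `PACKAGE_INSTALL` in tisdk-tiny-initramfs.bbappend puts the one-time provisioning pieces (`e2fsprogs-mke2fs`, and through packagegroup-ti-security the `luksFormat` postinst and the plain-text `pass_key`) into the same initramfs that runs on every boot. The boot path only has to open and verify existing volumes, so a separate provisioning image would keep formatting tools and key material out of the image that stays on the device. The two-line comment above the assignment would be clearer if it said what the package actually contributes, for example `# packagegroup-ti-security installs /init and the key file used by it`.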
@@ -0,0 +1,17 @@
+..........................................................................
+. WARNING
+.
+. This file is a kernel configuration fragment, and not a full kernel
+. configuration file. The final kernel configuration is made up of
+. an assembly of processed fragments, each of which is designed to
+. capture a specific part of the final configuration (e.g. platform
+. configuration, feature configuration, and board specific hardware
+. configuration). For more information on kernel configuration, please
+. consult the product documentation.
+.
+..........................................................................
+
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+CONFIG_DM_INTEGRITY=y
+CONFIG_DM_VERITY=y
diff --git a/meta-ti-security/recipes-kernel/linux/linux-ti-staging_6.12.bbappend b/meta-ti-security/recipes-kernel/linux/linux-ti-staging_6.12.bbappend
new file mode 100644
index 00000000..b9a21fb1
--- /dev/null
+++ b/meta-ti-security/recipes-kernel/linux/linux-ti-staging_6.12.bbappend
@@ -0,0 +1,11 @@
+PR:append = ".ti-security0"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+SRC_URI += "file://security.cfg"
+
+do_configure:append() {
+ cat ${WORKDIR}/security.cfg >> ${B}/.config
+}
+
+INITRAMFS_IMAGE = "tisdk-tiny-initramfs"
+INITRAMFS_IMAGE_NAME = "tisdk-tiny-initramfs-${MACHINE}.rootfs"
From f60e6a395c30ae889c89b88d6d772fb957f12f0c Mon Sep 17 00:00:00 2001 From: Aashvij Shenai Date: Mon, 10 Mar 2025 16:26:28 +0530 Subject: [PATCH 4/5] meta-ti-security: Add WIC image This creates a wic image of 4 partitions. dm-crypt and dm-verity require a partition each. The crypt partition needs to be as large as the filesystem it contains + at least 32MB of additional buffer for the headers. The verity partition needs about 10% of the size of the partition it is verifying.
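Review bot: As shown here, the banner lines in security.cfg start with `.` rather than `#`, and linux-ti-staging_6.12.bbappend appends the file verbatim to `.config`, so they reach Kconfig as data rather than comments; prefixing each banner line with `# ` avoids that. `CONFIG_DM_INTEGRITY=y` is enabled although nothing in this series appears to use dm-integrity (luksFormat is called without an integrity option), so either drop it or say why it is needed. A short comment above the option block, such as `# dm-crypt and dm-verity are opened by the initramfs /init`, would tie the fragment to the boot flow it serves.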
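Review bot: `do_configure:append` in linux-ti-staging_6.12.bbappend appends security.cfg to `${B}/.config` after configuration has already run, so the dependencies of the new symbols are not re-resolved unless a later step happens to do it; a dm-crypt or dm-verity option dropped that way would only show up as a boot failure. Prefer the kernel recipe's own fragment-merge mechanism, or re-run `oe_runmake -C ${S} O=${B} olddefconfig` after the `cat` and check that the four options survive. Separately, the initramfs holds the key file and the verity root hash, so whether it ends up inside the authenticated kernel image matters; that depends on `INITRAMFS_IMAGE_BUNDLE`, which this patch does not set, and the intended chain of trust should be documented next to `INITRAMFS_IMAGE`.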
Signed-off-by: Aashvij Shenai
---
.../recipes-core/images/tisdk-default-image.bbappend | 7 +++++++ meta-ti-security/wic/tisdk-secure-image.wks | 8 ++++++++ 2 files changed, 15 insertions(+) create mode 100644 meta-ti-security/recipes-core/images/tisdk-default-image.bbappend create mode 100644 meta-ti-security/wic/tisdk-secure-image.wks
diff --git a/meta-ti-security/recipes-core/images/tisdk-default-image.bbappend b/meta-ti-security/recipes-core/images/tisdk-default-image.bbappend
new file mode 100644
index 00000000..4518a6f2
--- /dev/null
+++ b/meta-ti-security/recipes-core/images/tisdk-default-image.bbappend
@@ -0,0 +1,7 @@
+IMAGE_FSTYPES += "wic"
+WKS_FILE = "tisdk-secure-image.wks"
+WIC_CREATE_EXTRA_ARGS += " --no-fstab-update"
+
+IMAGE_INSTALL:append = " cryptsetup lvm2"
+
+DEPENDS += "tisdk-tiny-initramfs"
diff --git a/meta-ti-security/wic/tisdk-secure-image.wks b/meta-ti-security/wic/tisdk-secure-image.wks
new file mode 100644
index 00000000..7bfeb848
--- /dev/null
+++ b/meta-ti-security/wic/tisdk-secure-image.wks
@@ -0,0 +1,8 @@
+# short-description: Create SD card image with 4 partitions
+# long-description: Creates a partitioned SD card image for TI platforms.
+# Boot files are located in the first vfat partition with extra reserved space.
+
+part /boot --source bootimg-partition --fstype=vfat --label boot --active --align 1024 --use-uuid --fixed-size 128M
+part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --size=10G
+part /crypt --source empty --fstype=ext4 --label crypt --align 1024 --use-uuid --size=10G
+part /verity --source empty --fstype=ext4 --label verity --align 1024 --use-uuid --size=1G
From 4971bf09cbbda620f88331339a56099c0f51f0c6 Mon Sep 17 00:00:00 2001 From: Aashvij Shenai Date: Mon, 10 Mar 2025 16:32:19 +0530 Subject: [PATCH 5/5] meta-ti-security: Add layer.conf
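Review bot: `DEPENDS += "tisdk-tiny-initramfs"` in tisdk-default-image.bbappend names an image recipe, but DEPENDS expresses a sysroot dependency and may not order this image after the initramfs image is complete. If the intent is that the initramfs exists before the wic image is assembled, a task dependency says so directly: `do_image_wic[depends] += "tisdk-tiny-initramfs:do_image_complete"`. A one-line comment explaining why `--no-fstab-update` is needed would also help the next reader.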
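Review bot: tisdk-secure-image.wks keeps the plain-text root filesystem in partition 2 (`part / --source rootfs`), and the postinst in packagegroup-ti-security.bb copies it into the encrypted volume without wiping the source, so the encrypted copy adds no confidentiality while partition 2 stays on the card. The partition order is also an implicit contract with the hard-coded `/dev/mmcblk1p3` and `/dev/mmcblk1p4` in the scripts, and the header should say so, for example `# p1 boot (vfat), p2 provisioning rootfs (plain), p3 dm-crypt container, p4 dm-verity hash tree; /init relies on this order`. The long-description still describes only the boot partition.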
Signed-off-by: Aashvij Shenai
---
meta-ti-security/conf/layer.conf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 meta-ti-security/conf/layer.conf
diff --git a/meta-ti-security/conf/layer.conf b/meta-ti-security/conf/layer.conf
new file mode 100644
index 00000000..f29ad9c5
--- /dev/null
+++ b/meta-ti-security/conf/layer.conf
@@ -0,0 +1,15 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "meta-ti-security"
+BBFILE_PATTERN_meta-ti-security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_meta-ti-security = "12"
+
+LAYERDEPENDS_meta-ti-security = "core"
+LAYERDEPENDS_meta-ti-security = "meta-ti-bsdp"
+LAYERDEPENDS_meta-ti-security = "meta-arago-distro"
+LAYERSERIES_COMPAT_meta-ti-security = "scarthgap"
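Review bot: The three `LAYERDEPENDS_meta-ti-security =` lines in layer.conf each overwrite the previous one, so only `meta-arago-distro` is recorded as a dependency, and `meta-ti-bsdp` looks like a typo for the `meta-ti-bsp` layer named in the README. A single assignment covers all three: `LAYERDEPENDS_meta-ti-security = "core meta-ti-bsp meta-arago-distro"`. The README also lists meta-arm and meta-openembedded layers; if the recipes need them they belong in this list as well.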