meta-ti-security: Add new layer for security features

meta-ti-security/README

@@ -0,0 +1,36 @@
+meta-ti-security layer includes components for Texas Instruments' security offering.
+
+This layer works with the latest Yocto Project release (currently 5.0+) and tracks
+the stable/maintenance branches (currently "scarthgap") of the corresponding layers:
+
+URI: git://git.openembedded.org/openembedded-core
+branch: scarthgap
+revision: HEAD
+layers: meta
+
+URI: git://git.yoctoproject.org/meta-ti
+branch: scarthgap
+revision: HEAD
+layers: meta-ti-bsp, meta-ti-extras
+
+URI: git://git.yoctoproject.org/meta-arm
+branch: scarthgap
+revision: HEAD
+layers: meta-arm, meta-arm-toolchain
+
+URI: git://git.openembedded.org/meta-openembedded
+branch: scarthgap
+revision: HEAD
+layers: meta-oe, meta-networking, meta-python
+
+URI: git://git.yoctoproject.org/meta-arago
+branch: scarthgap
+revision: HEAD
+layers: meta-arago-distro, meta-arago-extras, meta-arago-test
+
+Please submit any patches against the meta-tisdk layer by using the GitHub pull-request feature.
+You are encouraged to fork the mirror on GitHub https://github.com/TexasInstruments/meta-tisdk
+to share your patches.
+
+Layer Maintainers:
+Chirag Shilwant <c-shilwant@ti.com>

meta-ti-security/conf/layer.conf

@@ -0,0 +1,15 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+            ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "meta-ti-security"
+BBFILE_PATTERN_meta-ti-security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_meta-ti-security = "12"
+
+LAYERDEPENDS_meta-ti-security = "core"
+LAYERDEPENDS_meta-ti-security = "meta-ti-bsdp"
+LAYERDEPENDS_meta-ti-security = "meta-arago-distro"
+LAYERSERIES_COMPAT_meta-ti-security = "scarthgap"

meta-ti-security/recipes-core/images/files/init_crypt_verity.sh

@@ -0,0 +1,83 @@
+# TEXAS INSTRUMENTS TEXT FILE LICENSE
+#
+# Copyright (c) 2025 - 2025 Texas Instruments Incorporated
+#
+# All rights reserved not granted herein.
+#
+# Limited License.
+#
+# Texas Instruments Incorporated grants a world-wide, royalty-free,
+# non-exclusive license under copyrights and patents it now or hereafter owns
+# or controls to make, have made, use, import, offer to sell and sell
+# ("Utilize") this software subject to the terms herein.  With respect to the
+# foregoing patent license, such license is granted  solely to the extent that
+# any such patent is necessary to Utilize the software alone.  The patent
+# license shall not apply to any combinations which include this software,
+# other than combinations with devices manufactured by or for TI ("TI
+# Devices").  No hardware patent is licensed hereunder.
+#
+# Redistributions must preserve existing copyright notices and reproduce this
+# license (including the above copyright notice and the disclaimer and (if
+# applicable) source code license limitations below) in the documentation
+# and/or other materials provided with the distribution
+#
+# Redistribution and use in binary form, without modification, are permitted
+# provided that the following conditions are met:
+#
+# * No reverse engineering, decompilation, or disassembly of this software is
+# permitted with respect to any software provided in binary form.
+#
+# * any redistribution and use are licensed by TI for use only with TI
+# Devices.
+#
+# * Nothing shall obligate TI to provide you with source code for the software
+# licensed and provided to you in object code.
+#
+# If software source code is provided to you, modification and redistribution
+# of the source code are permitted provided that the following conditions are
+# met:
+#
+# * any redistribution and use of the source code, including any resulting
+# derivative works, are licensed by TI for use only with TI Devices.
+#
+# * any redistribution and use of any object code compiled from the source
+# code and any resulting derivative works, are licensed by TI for use only
+# with TI Devices.
+#
+# Neither the name of Texas Instruments Incorporated nor the names of its
+# suppliers may be used to endorse or promote products derived from this
+# software without specific prior written permission.
+#
+# DISCLAIMER.
+#
+# THIS SOFTWARE IS PROVIDED BY TI AND TI'S LICENSORS "AS IS" AND ANY EXPRESS
+# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+# NO EVENT SHALL TI AND TI'S LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#!/bin/sh
+
+sleep 5 #For mmcblk1 to populate
+chown root:root /bin/mount.util-linux
+
+# Mount dev, procfs and sysfs
+/bin/mount -t devtmpfs none /dev
+/bin/mount -t proc none /proc
+/bin/mount -t sysfs none /sys
+
+# Decrypt
+/sbin/cryptsetup luksOpen --key-file=/keyfile /dev/mmcblk1p3 crypt_root
+
+#Verify
+/sbin/veritysetup open /dev/mapper/crypt_root verity_root /dev/mmcblk1p4 $(cat /keyfile.hash)
+
+mount -o ro /dev/mapper/verity_root /mnt
+
+# Jump to secure root FS
+exec switch_root /mnt/ /sbin/init

meta-ti-security/recipes-core/images/packagegroup-ti-security.bb

@@ -0,0 +1,59 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+LICENSE = "TI-TFL"
+LIC_FILES_CHKSUM = "file://init_crypt_verity.sh;beginline=1;endline=62;md5=907b750a47c5cfa49f82cb712643f470"
+
+# This script is used to decrypt and verify data during boot
+SRC_URI = "file://init_crypt_verity.sh"
+
+do_configure() {
+    # This demo uses a random pass_key
+    dd if=/dev/urandom of=${WORKDIR}/pass_key bs=64 count=1
+}
+
+do_install() {
+    install -d ${D}${base_prefix}
+    install -m 0755 ${WORKDIR}/init_crypt_verity.sh ${D}${base_prefix}/init
+    install -m 0600 ${WORKDIR}/pass_key ${D}${base_prefix}/pass_key
+}
+
+pkg_postinst_ontarget:${PN}() {
+    #!/bin/sh
+
+    sleep 5 #For mmcblk1 to populate
+    chown root:root /bin/mount.util-linux
+
+    /bin/mount -t devtmpfs none /dev >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+    mount /dev/mmcblk1p2 /mnt >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+    umount /dev/mmcblk1p3 >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+    umount /dev/mmcblk1p4 >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+
+    # Set up encrypted root
+    cryptsetup luksFormat /dev/mmcblk1p3 --key-file=/pass_key --batch-mode >/dev/ttyS2 2>/dev/ttyS2
+    sleep 3
+    cryptsetup luksOpen /dev/mmcblk1p3 crypt_root --key-file=/pass_key >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+
+    # Format and copy rootfs inside encrypted partition
+    mkfs.ext4 /dev/mapper/crypt_root >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+    mkdir -p /new_mount >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+    mount /dev/mapper/crypt_root /new_mount >/dev/ttyS2 2>/dev/ttyS2
+    sleep 1
+    cp -r /mnt /new_mount
+    umount /new_mount
+    umount /mnt
+
+    # Generate verity hash
+    veritysetup format /dev/mapper/crypt_root /dev/mmcblk1p4 > /pass_key.hash
+}
+
+FILES:${PN} += " \
+    ${base_prefix}/init \
+    ${base_prefix}/pass_key \
+"

meta-ti-security/recipes-core/images/tisdk-default-image.bbappend

@@ -0,0 +1,7 @@
+IMAGE_FSTYPES += "wic"
+WKS_FILE = "tisdk-secure-image.wks"
+WIC_CREATE_EXTRA_ARGS += " --no-fstab-update"
+
+IMAGE_INSTALL:append = " cryptsetup lvm2"
+
+DEPENDS += "tisdk-tiny-initramfs"

meta-ti-security/recipes-core/images/tisdk-tiny-initramfs.bbappend

@@ -0,0 +1,4 @@
+# Since do_configure and do_install do not work in an initramfs setting,
+# call required functionality from packagegroup
+
+PACKAGE_INSTALL += " cryptsetup lvm2 e2fsprogs-mke2fs packagegroup-ti-security"

meta-ti-security/recipes-kernel/linux/files/security.cfg

@@ -0,0 +1,17 @@
+..........................................................................
+.                                WARNING
+.
+. This file is a kernel configuration fragment, and not a full kernel
+. configuration file.  The final kernel configuration is made up of
+. an assembly of processed fragments, each of which is designed to
+. capture a specific part of the final configuration (e.g. platform
+. configuration, feature configuration, and board specific hardware
+. configuration).  For more information on kernel configuration, please
+. consult the product documentation.
+.
+..........................................................................
+
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+CONFIG_DM_INTEGRITY=y
+CONFIG_DM_VERITY=y

meta-ti-security/recipes-kernel/linux/linux-ti-staging_6.12.bbappend

@@ -0,0 +1,11 @@
+PR:append = ".ti-security0"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+SRC_URI += "file://security.cfg"
+
+do_configure:append() {
+    cat ${WORKDIR}/security.cfg >> ${B}/.config
+}
+
+INITRAMFS_IMAGE = "tisdk-tiny-initramfs"
+INITRAMFS_IMAGE_NAME = "tisdk-tiny-initramfs-${MACHINE}.rootfs"

meta-ti-security/wic/tisdk-secure-image.wks

@@ -0,0 +1,8 @@
+# short-description: Create SD card image with 4 partitions
+# long-description: Creates a partitioned SD card image for TI platforms.
+# Boot files are located in the first vfat partition with extra reserved space.
+
+part /boot --source bootimg-partition --fstype=vfat --label boot --active --align 1024 --use-uuid --fixed-size 128M
+part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --size=10G
+part /crypt --source empty --fstype=ext4 --label crypt --align 1024 --use-uuid --size=10G
+part /verity --source empty --fstype=ext4 --label verity --align 1024 --use-uuid --size=1G