Initial support for rootfs disk encryption

meta-lmp-base/recipes-bsp/lmp-boot-firmware/lmp-boot-firmware.bb

@@ -25,19 +25,22 @@ LMP_BOOT_FIRMWARE_FILES ?= ""
 do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 
+FIRMWARE_DEPLOY_DIR = "${@bb.utils.contains('OSTREE_DEPLOY_USR_OSTREE_BOOT', '1', 'ostree-boot', 'firmware', d)}"
+
 do_install() {
     if [ -n "${LMP_BOOT_FIRMWARE_FILES}" ]; then
         install -d ${D}${nonarch_base_libdir}/firmware/
+        install -d ${D}${nonarch_base_libdir}/ostree-boot/
 
         # Unfortunately we can't extract the files required via sysroot/install
         # as the signing process happens at the deployed files, so refer to the
         # firmware files from the deploy folder when generating this package,
         # unless it gets provided via SRC_URI (e.g. signed firmware such as SPL)
         for file in ${LMP_BOOT_FIRMWARE_FILES}; do
             if [ -f ${S}/${file} ]; then
-                install -m 644 ${S}/${file} ${D}${nonarch_base_libdir}/firmware/
+                install -m 644 ${S}/${file} ${D}${nonarch_base_libdir}/${FIRMWARE_DEPLOY_DIR}/
             elif [ -f ${DEPLOY_DIR_IMAGE}/${file} ]; then
-                install -m 644 ${DEPLOY_DIR_IMAGE}/${file} ${D}${nonarch_base_libdir}/firmware/
+                install -m 644 ${DEPLOY_DIR_IMAGE}/${file} ${D}${nonarch_base_libdir}/${FIRMWARE_DEPLOY_DIR}/
             else
                 bbfatal "File "${file}" not found in "${S}" and "${DEPLOY_DIR_IMAGE}""
             fi
@@ -47,12 +50,17 @@ do_install() {
         if [ "${PV}" != "0" ]; then
             version="${PV}"
         else
-            for file in `ls ${D}${nonarch_base_libdir}/firmware/`; do
-                version="${version}-`md5sum ${D}${nonarch_base_libdir}/firmware/${file} | cut -d' ' -f1`"
+            for file in `ls ${D}${nonarch_base_libdir}/${FIRMWARE_DEPLOY_DIR}/`; do
+                version="${version}-`md5sum ${D}${nonarch_base_libdir}/${FIRMWARE_DEPLOY_DIR}/${file} | cut -d' ' -f1`"
             done
         fi
         echo "bootfirmware_version=${version#-}" > version.txt
+
+        # Make version.txt available on both dirs for compatibility with aktualizr-lite
         install -m 644 ${S}/version.txt ${D}${nonarch_base_libdir}/firmware/
+        if [ "${OSTREE_DEPLOY_USR_OSTREE_BOOT}" != "0" ]; then
+            install -m 644 ${S}/version.txt ${D}${nonarch_base_libdir}/ostree-boot/
+        fi
     fi
 }
 do_install[depends] = "${@bb.utils.contains('WKS_FILE_DEPENDS', 'virtual/bootloader', 'virtual/bootloader:do_deploy', '', d)}"
@@ -62,12 +70,15 @@ do_install[depends] += "${@bb.utils.contains('WKS_FILE_DEPENDS', 'imx-boot', 'im
 do_deploy() {
     if [ -n "${LMP_BOOT_FIRMWARE_FILES}" ]; then
         install -d ${DEPLOYDIR}/lmp-boot-firmware
-        for file in `ls ${D}${nonarch_base_libdir}/firmware/`; do
-            install -m 644 ${D}${nonarch_base_libdir}/firmware/${file} ${DEPLOYDIR}/lmp-boot-firmware/
+        for file in `ls ${D}${nonarch_base_libdir}/${FIRMWARE_DEPLOY_DIR}/`; do
+            install -m 644 ${D}${nonarch_base_libdir}/${FIRMWARE_DEPLOY_DIR}/${file} ${DEPLOYDIR}/lmp-boot-firmware/
         done
     fi
 }
 addtask deploy after do_install
 
 ALLOW_EMPTY:${PN} = "1"
-FILES:${PN} = "${nonarch_base_libdir}/firmware"
+FILES:${PN} = "\
+	${nonarch_base_libdir}/firmware \
+	${nonarch_base_libdir}/ostree-boot \
+"

meta-lmp-base/recipes-bsp/u-boot/u-boot-ostree-scr-fit.bb

@@ -34,6 +34,8 @@ do_compile() {
 	sed -i -e '/@@INCLUDE_COMMON_ALTERNATIVE@@/ {' -e 'r ${S}/boot-common-alternative.cmd.in' -e 'd' -e '}' \
 			boot.cmd.in
 	sed -e 's/@@FIT_NODE_SEPARATOR@@/${FIT_NODE_SEPARATOR}/g' \
+	    -e 's/@@OSTREE_SPLIT_BOOT@@/${OSTREE_SPLIT_BOOT}/g' \
+	    -e 's/@@OSTREE_DEPLOY_USR_OSTREE_BOOT@@/${OSTREE_DEPLOY_USR_OSTREE_BOOT}/g' \
 			boot.cmd.in > boot.cmd
 	sed -e 's/@@FIT_HASH_ALG@@/${FIT_HASH_ALG}/' \
 	    -e 's/@@UBOOT_SIGN_KEYNAME@@/${UBOOT_SIGN_KEYNAME}/' \

meta-lmp-base/recipes-bsp/u-boot/u-boot-ostree-scr-fit/boot-common-alternative.cmd.in

@@ -1,21 +1,25 @@
 # common boot handlers
 setenv fio_msg "FIO:"
+setenv ostree_split_boot "@@OSTREE_SPLIT_BOOT@@"
+setenv ostree_deploy_usr "@@OSTREE_DEPLOY_USR_OSTREE_BOOT@@"
 
 # uEnv handling
-setenv bootcmd_resetvars 'setenv kernel_image; setenv bootargs; setenv kernel_image2; setenv bootargs2'
-setenv bootcmd_otenv 'run bootcmd_resetvars; ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} /boot/loader/uEnv.txt; env import -t ${loadaddr} ${filesize} kernel_image bootargs kernel_image2 bootargs2'
-setenv bootcmd_bootenv 'setenv bootfirmware_version; ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} ${ostree_root}/usr/lib/firmware/version.txt; env import -t ${loadaddr} ${filesize} bootfirmware_version'
+setenv bootcmd_resetvars 'setenv kernel_image; setenv bootdir; setenv bootargs; setenv kernel_image2; setenv bootdir2; setenv bootargs2'
+setenv bootcmd_ostree_bootpart 'if test "${ostree_split_boot}" = "1"; then setenv ostree_bootpart "${bootpart}"; else setenv ostree_bootpart "${rootpart}"; fi'
+setenv bootcmd_otenv 'run bootcmd_resetvars; ext4load ${devtype} ${devnum}:${ostree_bootpart} ${loadaddr} /boot/loader/uEnv.txt; env import -t ${loadaddr} ${filesize} kernel_image bootdir bootargs kernel_image2 bootdir2 bootargs2'
+setenv bootcmd_bootenv 'setenv bootfirmware_version; if test "${ostree_deploy_usr}" = "1"; then ext4load ${devtype} ${devnum}:${ostree_bootpart} ${loadaddr} ${bootdir}/version.txt; else ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} ${ostree_root}/usr/lib/firmware/version.txt; fi; env import -t ${loadaddr} ${filesize} bootfirmware_version'
 setenv bootcmd_getroot 'setexpr ostree_root gsub "^.*ostree=([^ ]*).*$" "\\\\1" "${bootargs}"'
 
 # Env saving
 setenv saveenv_mmc 'if test -z "${fiovb_rpmb}"; then saveenv; fi;'
 
 # Boot firmware update helpers
 setenv rollback_setup 'if test -n "${fiovb_rpmb}"; then fiovb write_pvalue rollback 1; fiovb write_pvalue upgrade_available 0; fiovb write_pvalue bootupgrade_available 0; fiovb write_pvalue bootupgrade_primary_updated 0; else setenv rollback 1; setenv upgrade_available 0; setenv bootupgrade_available 0; setenv bootupgrade_primary_updated 0; setenv fiovb.rollback "${rollback}"; setenv fiovb.upgrade_available "${upgrade_available}"; setenv fiovb.bootupgrade_available "${bootupgrade_available}"; setenv fiovb.bootupgrade_primary_updated "${bootupgrade_primary_updated}"; fi;'
-setenv load_image 'if ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} ${image_path}; then echo "${fio_msg} loaded ${image_path}"; else echo "${fio_msg} error occured while loading ${image_path}, scheduling rollback after reset ..."; run rollback_setup; run saveenv_mmc; run do_reboot; fi;'
+setenv load_image 'if ext4load ${devtype} ${devnum}:${ostree_bootpart} ${loadaddr} ${image_path}; then echo "${fio_msg} loaded ${image_path}"; else echo "${fio_msg} error occured while loading ${image_path}, scheduling rollback after reset ..."; run rollback_setup; run saveenv_mmc; run do_reboot; fi;'
 setenv set_blkcnt 'setexpr blkcnt ${filesize} + 0x1ff && setexpr blkcnt ${blkcnt} / 0x200'
 
 # Import uEnv.txt
+run bootcmd_ostree_bootpart
 run bootcmd_otenv
 # Get deployment sysroot absolute path
 run bootcmd_getroot
@@ -80,6 +84,9 @@ if test "${fiovb.debug}" = "1"; then
 	echo "${fio_msg} bootfirmware_version = ${bootfirmware_version}"
 	echo "${fio_msg}"
 	echo "${fio_msg} Other variables:"
+	echo "${fio_msg} ostree deploy usr = ${ostree_deploy_usr}"
+	echo "${fio_msg} ostree split boot = ${ostree_split_boot}"
+	echo "${fio_msg} ostree boot dir = ${bootdir}"
 	echo "${fio_msg} ostree root path = ${ostree_root}"
 	echo "${fio_msg} primary boot image offset = ${bootloader}"
 	echo "${fio_msg} primary FIT offset = ${bootloader2}"
@@ -167,10 +174,10 @@ else
 	fi
 fi
 
-setenv bootcmd_load_f 'ext4load ${devtype} ${devnum}:${rootpart} ${fit_addr} "/boot"${kernel_image}'
+setenv bootcmd_load_f 'ext4load ${devtype} ${devnum}:${ostree_bootpart} ${fit_addr} "/boot"${kernel_image}'
 setenv bootcmd_tee_ovy 'if test -n ${optee_ovl_addr}; then imxtract ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final} fdt@@FIT_NODE_SEPARATOR@@${fdt_file_final} ${fdt_addr}; fdt addr ${fdt_addr}; fdt resize 0x1000; fdt apply ${optee_ovl_addr}; fi'
 setenv bootcmd_run 'if test -n ${optee_ovl_addr}; then bootm ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final} ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final} ${fdt_addr}; else echo "${fio_msg} loading ${fdt_file_final}"; bootm ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final}; fi'
-setenv bootcmd_rollback 'if test -n "${kernel_image2}" && test "${fiovb.rollback}" = "1"; then setenv kernel_image "${kernel_image2}"; setenv bootargs "${bootargs2}"; fi;'
+setenv bootcmd_rollback 'if test -n "${kernel_image2}" && test "${fiovb.rollback}" = "1"; then setenv kernel_image "${kernel_image2}"; setenv bootdir "${bootdir2}"; setenv bootargs "${bootargs2}"; fi;'
 
 # Handle the case if we booted secondary boot image set,
 # which means that the primary set is broken (for example, boot0 is corrupted)

meta-lmp-base/recipes-bsp/u-boot/u-boot-ostree-scr-fit/boot-common.cmd.in

@@ -1,21 +1,25 @@
 # common boot handlers
 setenv fio_msg "FIO:"
+setenv ostree_split_boot "@@OSTREE_SPLIT_BOOT@@"
+setenv ostree_deploy_usr "@@OSTREE_DEPLOY_USR_OSTREE_BOOT@@"
 
 # uEnv handling
-setenv bootcmd_resetvars 'setenv kernel_image; setenv bootargs; setenv kernel_image2; setenv bootargs2'
-setenv bootcmd_otenv 'run bootcmd_resetvars; ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} /boot/loader/uEnv.txt; env import -t ${loadaddr} ${filesize} kernel_image bootargs kernel_image2 bootargs2'
-setenv bootcmd_bootenv 'setenv bootfirmware_version; ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} ${ostree_root}/usr/lib/firmware/version.txt; env import -t ${loadaddr} ${filesize} bootfirmware_version'
+setenv bootcmd_resetvars 'setenv kernel_image; setenv bootdir; setenv bootargs; setenv kernel_image2; setenv bootdir2; setenv bootargs2'
+setenv bootcmd_ostree_bootpart 'if test "${ostree_split_boot}" = "1"; then setenv ostree_bootpart "${bootpart}"; else setenv ostree_bootpart "${rootpart}"; fi'
+setenv bootcmd_otenv 'run bootcmd_resetvars; ext4load ${devtype} ${devnum}:${ostree_bootpart} ${loadaddr} /boot/loader/uEnv.txt; env import -t ${loadaddr} ${filesize} kernel_image bootdir bootargs kernel_image2 bootdir2 bootargs2'
+setenv bootcmd_bootenv 'setenv bootfirmware_version; if test "${ostree_deploy_usr}" = "1"; then ext4load ${devtype} ${devnum}:${ostree_bootpart} ${loadaddr} ${bootdir}/version.txt; else ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} ${ostree_root}/usr/lib/firmware/version.txt; fi; env import -t ${loadaddr} ${filesize} bootfirmware_version'
 setenv bootcmd_getroot 'setexpr ostree_root gsub "^.*ostree=([^ ]*).*$" "\\\\1" "${bootargs}"'
 
 # Env saving
 setenv saveenv_mmc 'if test -z "${fiovb_rpmb}"; then saveenv; fi;'
 
 # Boot firmware update helpers
 setenv rollback_setup 'if test -n "${fiovb_rpmb}"; then fiovb write_pvalue rollback 1; fiovb write_pvalue upgrade_available 0; fiovb write_pvalue bootupgrade_available 0; else setenv rollback 1; setenv upgrade_available 0; setenv bootupgrade_available 0; setenv fiovb.rollback "${rollback}"; setenv fiovb.upgrade_available "${upgrade_available}"; setenv fiovb.bootupgrade_available "${bootupgrade_available}"; fi;'
-setenv load_image 'if ext4load ${devtype} ${devnum}:${rootpart} ${loadaddr} ${image_path}; then echo "${fio_msg} loaded ${image_path}"; else echo "${fio_msg} error occured while loading ${image_path}, scheduling rollback after reset ..."; run rollback_setup; run saveenv_mmc; run set_primary_boot; reset; fi;'
+setenv load_image 'if ext4load ${devtype} ${devnum}:${ostree_bootpart} ${loadaddr} ${image_path}; then echo "${fio_msg} loaded ${image_path}"; else echo "${fio_msg} error occured while loading ${image_path}, scheduling rollback after reset ..."; run rollback_setup; run saveenv_mmc; run set_primary_boot; reset; fi;'
 setenv set_blkcnt 'setexpr blkcnt ${filesize} + 0x1ff && setexpr blkcnt ${blkcnt} / 0x200'
 
 # Import uEnv.txt
+run bootcmd_ostree_bootpart
 run bootcmd_otenv
 # Get deployment sysroot absolute path
 run bootcmd_getroot
@@ -76,6 +80,9 @@ if test "${fiovb.debug}" = "1"; then
 	echo "${fio_msg} bootfirmware_version = ${bootfirmware_version}"
 	echo "${fio_msg}"
 	echo "${fio_msg} Other variables:"
+	echo "${fio_msg} ostree deploy usr = ${ostree_deploy_usr}"
+	echo "${fio_msg} ostree split boot = ${ostree_split_boot}"
+	echo "${fio_msg} ostree boot dir = ${bootdir}"
 	echo "${fio_msg} ostree root path = ${ostree_root}"
 	echo "${fio_msg} bootloader_image_update = ${bootloader_image_update}"
 	echo "${fio_msg} bootloader_s_image_update = ${bootloader_s_image_update}"
@@ -130,17 +137,31 @@ if test "${fiovb.is_secondary_boot}" = "0"; then
 		else
 			if test "${fiovb.bootupgrade_available}" = "1"; then
 				run set_secondary_boot;
-				echo "${fio_msg} updating secondary boot images from ${ostree_root} ..."
-
-				setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader_s_image}"
-				setenv start_blk "${bootloader_s}"
-				run load_image
-				run update_secondary_image
-
-				setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader2_s_image}"
-				setenv start_blk "${bootloader2_s}"
-				run load_image
-				run update_secondary_image2
+				if test "${ostree_deploy_usr}" = "1"; then
+					echo "${fio_msg} updating secondary boot images from ${bootdir} ..."
+
+					setenv image_path "${bootdir}/${bootloader_s_image}"
+					setenv start_blk "${bootloader_s}"
+					run load_image
+					run update_secondary_image
+
+					setenv image_path "${bootdir}/${bootloader2_s_image}"
+					setenv start_blk "${bootloader2_s}"
+					run load_image
+					run update_secondary_image2
+				else
+					echo "${fio_msg} updating secondary boot images from ${ostree_root} ..."
+
+					setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader_s_image}"
+					setenv start_blk "${bootloader_s}"
+					run load_image
+					run update_secondary_image
+
+					setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader2_s_image}"
+					setenv start_blk "${bootloader2_s}"
+					run load_image
+					run update_secondary_image2
+				fi
 
 				run saveenv_mmc
 				echo "${fio_msg} doing warm reset to boot into secondary boot path..."
@@ -154,17 +175,27 @@ if test "${fiovb.is_secondary_boot}" = "0"; then
 	if test "${fiovb.bootupgrade_available}" = "1" && test "${fiovb.upgrade_available}" = "0"; then
 		if test -z "${custom_apply_stable}"; then
 			echo "${fio_msg} update primary boot path with validated images ..."
+			if test "${ostree_deploy_usr}" = "1"; then
+				setenv image_path "${bootdir}/${bootloader_image}"
+				setenv start_blk "${bootloader}"
+				run load_image
+				run update_primary_image
 
-			setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader_image}"
-			setenv start_blk "${bootloader}"
-			run load_image
-			run update_primary_image
-
-			setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader2_image}"
-			setenv start_blk "${bootloader2}"
-			run load_image
-			run update_primary_image2
+				setenv image_path "${bootdir}/${bootloader2_image}"
+				setenv start_blk "${bootloader2}"
+				run load_image
+				run update_primary_image2
+			else
+				setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader_image}"
+				setenv start_blk "${bootloader}"
+				run load_image
+				run update_primary_image
 
+				setenv image_path "${ostree_root}/usr/lib/firmware/${bootloader2_image}"
+				setenv start_blk "${bootloader2}"
+				run load_image
+				run update_primary_image2
+			fi
 			run set_primary_boot
 		else
 			run custom_apply_stable
@@ -186,10 +217,10 @@ if test "${fiovb.is_secondary_boot}" = "0"; then
 	fi
 fi
 
-setenv bootcmd_load_f 'ext4load ${devtype} ${devnum}:${rootpart} ${fit_addr} "/boot"${kernel_image}'
+setenv bootcmd_load_f 'ext4load ${devtype} ${devnum}:${ostree_bootpart} ${fit_addr} "/boot"${kernel_image}'
 setenv bootcmd_tee_ovy 'if test -n ${optee_ovl_addr}; then imxtract ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final} fdt@@FIT_NODE_SEPARATOR@@${fdt_file_final} ${fdt_addr}; fdt addr ${fdt_addr}; fdt resize 0x1000; fdt apply ${optee_ovl_addr}; fi'
 if test -z "${bootcmd_custom_run}"; then setenv bootcmd_run 'if test -n ${optee_ovl_addr}; then bootm ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final} ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final} ${fdt_addr}; else echo "${fio_msg} loading ${fdt_file_final}"; bootm ${fit_addr}#conf@@FIT_NODE_SEPARATOR@@${fdt_file_final}; fi'; else setenv bootcmd_run ${bootcmd_custom_run}; setenv bootcmd_custom_run; fi
-setenv bootcmd_rollback 'if test -n "${kernel_image2}" && test "${fiovb.is_secondary_boot}" = "0" && test "${fiovb.rollback}" = "1"; then setenv kernel_image "${kernel_image2}"; setenv bootargs "${bootargs2}"; fi;'
+setenv bootcmd_rollback 'if test -n "${kernel_image2}" && test "${fiovb.is_secondary_boot}" = "0" && test "${fiovb.rollback}" = "1"; then setenv kernel_image "${kernel_image2}"; setenv bootdir "${bootdir2}"; setenv bootargs "${bootargs2}"; fi;'
 
 run bootcmd_rollback
 run bootcmd_load_f

meta-lmp-base/recipes-core/images/initramfs-ostree-lmp-image.bb

@@ -7,9 +7,16 @@ PACKAGE_INSTALL = "initramfs-framework-base \
 	initramfs-module-ostree-factory-reset \
 	${VIRTUAL-RUNTIME_base-utils} \
 	${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'initramfs-framework-ima', '', d)} \
+	${@bb.utils.contains('DISTRO_FEATURES', 'luks', '${PACKAGE_INSTALL_LUKS}', '', d)} \
 	udev base-passwd e2fsprogs-e2fsck \
 	${ROOTFS_BOOTSTRAP_INSTALL}"
 
+# Prefer TPM 2.0 when both are available as OP-TEE requires RPMB/eMMC
+PACKAGE_INSTALL_LUKS ?= "\
+	${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'initramfs-module-cryptfs-tpm2', \
+		bb.utils.contains('MACHINE_FEATURES', 'optee', 'initramfs-module-cryptfs-pkcs11', '', d), d)} \
+"
+
 SYSTEMD_DEFAULT_TARGET = "initrd.target"
 
 # Do not pollute the initrd image with rootfs features