foundriesio · ricardosalveti · Aug 3, 2022 · Jul 23, 2022 · Jul 18, 2022 · Jul 13, 2022
diff --git a/meta-lmp-base/conf/distro/include/lmp.inc b/meta-lmp-base/conf/distro/include/lmp.inc
@@ -50,6 +50,8 @@ PACKAGECONFIG:append:pn-qemu-native = " libusb"
 PACKAGECONFIG:append:pn-networkmanager = " libedit"
 PACKAGECONFIG:remove:pn-networkmanager = " readline"
 PACKAGECONFIG:append:pn-kmod = " openssl"
+PACKAGECONFIG:append:pn-cryptsetup = " luks2"
+PACKAGECONFIG:append:pn-cryptsetup-native = " luks2"
 
 # Alternatives used by nss-altfiles
 NSS_ALT_TYPES ?= "hosts,pwd,grp,spwd,sgrp"

diff --git a/meta-lmp-base/recipes-core/initrdscripts/initramfs-framework/rootfs b/meta-lmp-base/recipes-core/initrdscripts/initramfs-framework/rootfs
@@ -39,24 +39,13 @@ rootfs_run() {
 			if [ "`echo ${bootparam_root} | cut -c1-5`" = "UUID=" ]; then
 				root_uuid=`echo $bootparam_root | cut -c6-`
 				bootparam_root="/dev/disk/by-uuid/$root_uuid"
-			fi
-
-			if [ "`echo ${bootparam_root} | cut -c1-9`" = "PARTUUID=" ]; then
+			elif [ "`echo ${bootparam_root} | cut -c1-9`" = "PARTUUID=" ]; then
 				root_partuuid=`echo $bootparam_root | cut -c10-`
 				bootparam_root="/dev/disk/by-partuuid/$root_partuuid"
-			fi
-
-			if [ "`echo ${bootparam_root} | cut -c1-10`" = "PARTLABEL=" ]; then
-				root_partlabel=`echo $bootparam_root | cut -c11-`
-				bootparam_root="/dev/disk/by-partlabel/$root_partlabel"
-			fi
-
-			if [ "`echo ${bootparam_root} | cut -c1-10`" = "PARTLABEL=" ]; then
+			elif [ "`echo ${bootparam_root} | cut -c1-10`" = "PARTLABEL=" ]; then
 				root_partlabel=`echo $bootparam_root | cut -c11-`
 				bootparam_root="/dev/disk/by-partlabel/$root_partlabel"
-			fi
-
-			if [ "`echo ${bootparam_root} | cut -c1-6`" = "LABEL=" ]; then
+			elif [ "`echo ${bootparam_root} | cut -c1-6`" = "LABEL=" ]; then
 				root_label=`echo $bootparam_root | cut -c7-`
 				bootparam_root="/dev/disk/by-label/$root_label"
 			fi

diff --git a/meta-lmp-base/recipes-core/systemd/systemd_%.bbappend b/meta-lmp-base/recipes-core/systemd/systemd_%.bbappend
@@ -9,6 +9,8 @@ PACKAGECONFIG ?= " \
     ${@bb.utils.contains('DISTRO_FEATURES', 'efi', 'gnu-efi', '', d)} \
     backlight \
     binfmt \
+    cryptsetup \
+    cryptsetup-plugins \
     gshadow \
     hibernate \
     hostnamed \
@@ -23,7 +25,9 @@ PACKAGECONFIG ?= " \
     nss \
     nss-mymachines \
     nss-resolve \
+    openssl \
     quotacheck \
+    p11kit \
     randomseed \
     resolved \
     serial-getty-generator \
@@ -40,6 +44,16 @@ PACKAGECONFIG ?= " \
     zstd \
 "
 
+PACKAGECONFIG[p11kit] = "-Dp11kit=true,-Dp11kit=false,p11-kit"
+PACKAGECONFIG[cryptsetup-plugins] = "-Dlibcryptsetup-plugins=true,-Dlibcryptsetup-plugins=false,cryptsetup,,cryptsetup"
+
+PACKAGE_BEFORE_PN += "${PN}-crypt"
+SUMMARY:${PN}-crypt = "Cryptographic tools and libraries for manipulating LUKS2 devices"
+FILES:${PN}-crypt = "${bindir}/systemd-cryptenroll \
+		     ${nonarch_libdir}/cryptsetup \
+		    "
+RRECOMMENDS:${PN} += "systemd-crypt"
+
 ALTERNATIVE_PRIORITY[resolv-conf] = "300"
 
 DEF_FALLBACK_NTP_SERVERS ?= "time1.google.com time2.google.com time3.google.com time4.google.com time.cloudflare.com"

diff --git a/meta-lmp-base/recipes-security/optee/optee-client-fio.inc b/meta-lmp-base/recipes-security/optee/optee-client-fio.inc
@@ -9,6 +9,7 @@ inherit systemd cmake
 
 SRC_URI = " \
     git://github.com/OP-TEE/optee_client.git;protocol=https;branch=master \
+    file://ckteec.module \
     file://tee-supplicant.service \
 "
 
@@ -24,7 +25,12 @@ EXTRA_OECMAKE = " \
 EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
 
 do_install:append() {
+    install -d ${D}${datadir}/p11-kit/modules
+    install -m 0644 ${WORKDIR}/ckteec.module ${D}${datadir}/p11-kit/modules/ckteec.module
     install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
 }
 
 SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+FILES:${PN} += " \
+    ${datadir}/p11-kit/modules \
+"
diff --git a/meta-lmp-base/recipes-security/optee/optee-client/ckteec.module b/meta-lmp-base/recipes-security/optee/optee-client/ckteec.module
@@ -0,0 +1 @@
+module: /usr/lib/libckteec.so.0
diff --git a/meta-lmp-base/recipes-support/resize-helper/resize-helper/resize-helper b/meta-lmp-base/recipes-support/resize-helper/resize-helper/resize-helper
@@ -38,8 +38,16 @@ RESIZE2FS=$(which resize2fs) || { echo "E: You must have resize2fs" && exit 1; }
 
 # find root device
 ROOT_DEVICE=$(findmnt --noheadings --output=SOURCE / | cut -d'[' -f1)
+# identify a possible mapper-based device (e.g. luks)
+if echo ${ROOT_DEVICE} | grep -q "^/dev/mapper/"; then
+	DM_NAME=`basename ${ROOT_DEVICE}`
+fi
 # prune root device (for example UUID)
 ROOT_DEVICE=$(realpath ${ROOT_DEVICE})
+# check if root device is available via device-mapper / luks
+if [ -n "${DM_NAME}" ]; then
+	ROOT_DEVICE="/dev/`dmsetup deps -o devname ${ROOT_DEVICE} | cut -d'(' -f2 | cut -d')' -f1`"
+fi
 # get the partition number and type
 INFO=$(udevadm info --query=property --name=${ROOT_DEVICE})
 PART_ENTRY_NUMBER=$(echo "${INFO}" | grep '^ID_PART_ENTRY_NUMBER=' | cut -d'=' -f2)
@@ -78,4 +86,11 @@ if [ -n "${PART_ENTRY_NAME}" ]; then
 fi
 
 ${PARTX} -u ${DEVICE}
-${RESIZE2FS} "${ROOT_DEVICE}"
+if [ -n "${DM_NAME}" ] && cryptsetup isLuks ${ROOT_DEVICE}; then
+	# OP-TEE: use TEE Identity for pkcs11 authentication
+	export CKTEEC_LOGIN_TYPE=user
+	cryptsetup resize --token-only ${DM_NAME}
+	${RESIZE2FS} "/dev/mapper/${DM_NAME}"
+else
+	${RESIZE2FS} "${ROOT_DEVICE}"
+fi