feat(linux): Add fTPM based filesystem encryption rst #660
Open
shiva-ti wants to merge 1 commit into TexasInstruments:master from
939d8cc to 0749309
Pratham-T (Contributor) suggested changes on Apr 13, 2026 and left a comment:
Enable this documentation for AM62AX, AM62AX, AM62PX, AM62LX
Correct the commit message
0749309 to b1b9add
StaticRocket (Member) requested changes on Apr 14, 2026 and left a comment:
Two vale comments, but otherwise this looks fine to me
b1b9add to 03c35d9
StaticRocket requested changes on Apr 15, 2026
03c35d9 to f620288
Add new security subsection for fTPM based filesystem encryption feature. Enable this documentation for AM62X, AM62AX, AM62PX, AM62LX as per testing done with 12.0 SDK. Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
f620288 to ecd67c4
praneethbajjuri approved these changes on Apr 16, 2026
StaticRocket requested changes on Apr 17, 2026
| steps specific to LUKS: | ||
|
|
||
| #. Use the latest :ref:`oe-config file <yocto-layer-configuration>`, using | ||
| the "luks" specific config. |
Member
Suggested change
| the "luks" specific config. | |
| the LUKS specific config. |
Comment on lines +165 to +166
| components in yocto setup should be configured to make use of these | ||
| hardware keys. |
Member
Suggested change
| components in yocto setup should be configured to make use of these | |
| hardware keys. | |
| components in Yocto should be configured to make use of these | |
| hardware keys. |
| - Once the keys are written to RPMB, the optee-os and optee-client | ||
| components in yocto setup should be configured to make use of these | ||
| hardware keys. | ||
| Following can be used in yocto for the same: |
Member
Suggested change
| Following can be used in yocto for the same: | |
| The following explains how Yocto should be configured: |
| hardware keys. | ||
| Following can be used in yocto for the same: | ||
|
|
||
| - for **optee-os**: under meta-ti layer: |
Member
Suggested change
| - for **optee-os**: under meta-ti layer: | |
| - **optee-os**: under the ``meta-ti`` layer |
| Following can be used in yocto for the same: | ||
|
|
||
| - for **optee-os**: under meta-ti layer: | ||
| *"meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc"* |
Member
Suggested change
| *"meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc"* | |
| :file:`meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc` |
|
|
||
| EXTRA_OECMAKE:append = " -DRPMB_EMU=OFF" | ||
|
|
||
| - **u-boot configuration**: The kernel Image and dtbs are read from the |
Member
Suggested change
| - **u-boot configuration**: The kernel Image and dtbs are read from the | |
| - **u-boot**: The kernel Image and dtbs are read from the |
| EXTRA_OECMAKE:append = " -DRPMB_EMU=OFF" | ||
|
|
||
| - **u-boot configuration**: The kernel Image and dtbs are read from the | ||
| root partition of SD by default. But since this implemenation encrypts the root |
Member
Suggested change
| root partition of SD by default. But since this implemenation encrypts the root | |
| root partition of SD by default. Since this implementation encrypts the root |
Comment on lines +191 to +192
| and initramfs from the boot partition. This can be done using such | ||
| following change in uboot (can be a patch in u-boot meta-ti layer): |
Member
Suggested change
| and initramfs from the boot partition. This can be done using such | |
| following change in uboot (can be a patch in u-boot meta-ti layer): | |
| and initramfs from the boot partition. This can be done by overriding the ``CONFIG_BOOTCOMMAND``: |
Comment on lines +236 to +237
| - Size of initramfs image can be reduced by using the busybox | ||
| optimizations, for reference: |
Member
Suggested change
| - Size of initramfs image can be reduced by using the busybox | |
| optimizations, for reference: | |
| - The size of initramfs image can be reduced by using busybox: |
|
|
||
| - The first boot involves encryption of complete root filesystem using the | ||
| ARM aes-generic (software implmentation), giving around 17.0 MB/s of | ||
| performance. This makes use of "cryptsetup reencrypt" which reads, |
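Review bot: "implmentation" in the "ARM aes-generic (software implmentation)" line is a typo that the suggestion on this hunk does not cover, since it only touches the "cryptsetup reencrypt" line; change it to "implementation". The line above it also reads better as "encryption of the complete root filesystem".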
Member
Suggested change
| performance. This makes use of "cryptsetup reencrypt" which reads, | |
| performance. This makes use of :command:`cryptsetup reencrypt` which reads, |
Add new security subsection for fTPM based filesystem encryption feature.
Enable this documentation for AM62AX, AM62AX, AM62PX, AM62LX as per testing done with 12.0 SDK.