add encryption - sb and encryption now working with rauc ota updates

board/beacon-cm4/genimage.cfg

@@ -1,14 +1,3 @@
-image data.ext4 {
-	name = "Data"
-	mountpoint = /data
-	ext4 {
-		use-mke2fs = true
-		label = "Data"
-		features = "^64bit"
-	}
-	size = 128M
-}
-
 image upload.ext4 {
 	name = "Upload"
 	empty = true
@@ -61,7 +50,6 @@ image sdcard.img {
 
 	partition data {
 		partition-type = 0x83
-		image = "data.ext4"
 		size = 128M
 	}
 

board/beacon-cm4/linux.fragment

@@ -4,6 +4,9 @@ CONFIG_BLK_DEV_LOOP=y
 CONFIG_DM_VERITY=y
 CONFIG_SQUASHFS=y
 CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
 CONFIG_DM_CRYPT=y
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y

board/beacon-cm4/post-build.sh

@@ -24,17 +24,23 @@ fi
 
 
 # Mount persistent data partitions
+# /data is handled by beacon-encrypt-data.service (LUKS2 encrypted, key from OTP)
 if [ -e ${TARGET_DIR}/etc/fstab ]; then
-	# For configuration data
-	# WARNING: data=journal is safest, but potentially slow!
-	grep -qE 'LABEL=Data' ${TARGET_DIR}/etc/fstab || \
-	echo "LABEL=Data /data ext4 defaults,data=journal,noatime 0 0" >> ${TARGET_DIR}/etc/fstab
-
-	# For bulk data (eg: firmware updates)
+	# Remove any stale LABEL=Data entry left from previous builds
+	sed -i '/LABEL=Data/d' ${TARGET_DIR}/etc/fstab
+	# For bulk data (eg: firmware updates) — unencrypted
 	grep -qE 'LABEL=Upload' ${TARGET_DIR}/etc/fstab || \
 	echo "LABEL=Upload /upload ext4 defaults,noatime 0 0" >> ${TARGET_DIR}/etc/fstab
 fi
 
+# Enable beacon-encrypt-data.service (runs before local-fs.target to mount /data)
+mkdir -p "${TARGET_DIR}/etc/systemd/system/local-fs.target.wants"
+ln -sf ../beacon-encrypt-data.service \
+	"${TARGET_DIR}/etc/systemd/system/local-fs.target.wants/beacon-encrypt-data.service"
+
+# Ensure the service script is executable
+chmod 0755 "${TARGET_DIR}/usr/sbin/beacon-encrypt-data.sh" 2>/dev/null || true
+
 # Copy custom cmdline.txt file
 install -D -m 0644 ${BR2_EXTERNAL_BEACON_PATH}/board/beacon-cm4/cmdline.txt ${BINARIES_DIR}/custom/cmdline.txt
 

board/beacon-cm4/rootfs-overlay/etc/systemd/system/beacon-encrypt-data.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=LUKS2 encrypted data partition setup
+Documentation=man:cryptsetup(8)
+DefaultDependencies=no
+Conflicts=umount.target
+After=systemd-udevd.service
+Before=local-fs.target umount.target
+# Wait for the block device to appear
+After=dev-mmcblk0p3.device
+Wants=dev-mmcblk0p3.device
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/beacon-encrypt-data.sh
+
+[Install]
+WantedBy=local-fs.target

board/beacon-cm4/rootfs-overlay/usr/sbin/beacon-encrypt-data.sh

@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# beacon-encrypt-data.sh
+#
+# On first boot:  LUKS2-format /dev/mmcblk0p3 with device OTP key, create ext4, mount /data
+# On later boots: open LUKS2 container with device OTP key, mount /data
+#
+# If the OTP key is all-zeros (not programmed) the partition is mounted unencrypted
+# so the system is still usable on a non-secure-boot device during development.
+
+set -e
+
+DATA_DEV="/dev/mmcblk0p3"
+MAPPER_NAME="data"
+MAPPER_DEV="/dev/mapper/${MAPPER_NAME}"
+MOUNT_POINT="/data"
+OTP_TOOL="/usr/sbin/beacon-otp-key"
+
+log() { echo "beacon-encrypt-data: $*"; }
+die() { echo "beacon-encrypt-data: ERROR: $*" >&2; exit 1; }
+
+# Block device must exist
+[ -b "${DATA_DEV}" ] || { log "${DATA_DEV} not found, skipping"; exit 0; }
+
+# OTP tool must exist
+[ -x "${OTP_TOOL}" ] || die "OTP tool not found at ${OTP_TOOL}"
+
+# Write OTP key into a tmpfs file so it never touches disk
+KEY_FILE="$(mktemp /dev/shm/otp-XXXXXX 2>/dev/null || mktemp /tmp/otp-XXXXXX)"
+trap 'rm -f "${KEY_FILE}"' EXIT INT TERM
+
+OTP_READ_OK=1
+if ! ${OTP_TOOL} -b > "${KEY_FILE}"; then
+    log "WARNING: OTP key read failed — falling back to unencrypted /data"
+    OTP_READ_OK=0
+fi
+
+# Check if key is all zeros (OTP not programmed — dev/test device)
+KEY_HEX=""
+if [ "${OTP_READ_OK}" = "1" ]; then
+    KEY_HEX="$(${OTP_TOOL} 2>/dev/null || true)"
+fi
+
+mount_unencrypted() {
+    if ! blkid "${DATA_DEV}" >/dev/null 2>&1; then
+        log "No filesystem on ${DATA_DEV} — creating ext4 (unencrypted)"
+        mkfs.ext4 -q -L "Data" "${DATA_DEV}" || die "mkfs.ext4 failed"
+    fi
+    mount -t ext4 -o defaults,noatime "${DATA_DEV}" "${MOUNT_POINT}" \
+        || die "mount ${MOUNT_POINT} failed"
+    log "${MOUNT_POINT} is ready (unencrypted)"
+    exit 0
+}
+
+if [ "${OTP_READ_OK}" = "0" ] || [ -z "$(echo "${KEY_HEX}" | tr -d '0')" ]; then
+    log "OTP key is all-zeros or unreadable — mounting ${DATA_DEV} unencrypted"
+    mount_unencrypted
+fi
+
+# --- Encrypted path ---
+luks_format() {
+    log "Formatting /dev/mmcblk0p3 with LUKS2"
+    dd if=/dev/zero of="${DATA_DEV}" bs=1M count=4 status=none 2>/dev/null || true
+    cryptsetup luksFormat \
+        --batch-mode \
+        --type luks2 \
+        --key-file "${KEY_FILE}" \
+        --key-size 512 \
+        --cipher aes-xts-plain64 \
+        --hash sha256 \
+        --pbkdf pbkdf2 \
+        "${DATA_DEV}" \
+        || die "luksFormat failed"
+    cryptsetup luksOpen "${DATA_DEV}" "${MAPPER_NAME}" \
+        --key-file "${KEY_FILE}" \
+        || die "luksOpen after format failed"
+    log "Creating ext4 filesystem inside encrypted container"
+    mkfs.ext4 -q -L "DataEnc" "${MAPPER_DEV}" \
+        || die "mkfs.ext4 failed"
+}
+
+if cryptsetup isLuks "${DATA_DEV}" 2>/dev/null; then
+    log "Opening existing LUKS2 container on ${DATA_DEV}"
+    if ! cryptsetup luksOpen "${DATA_DEV}" "${MAPPER_NAME}" \
+            --key-file "${KEY_FILE}" 2>/dev/null; then
+        log "WARNING: luksOpen failed (stale header or wrong key) — re-formatting"
+        luks_format
+    fi
+else
+    log "No LUKS header on ${DATA_DEV} — formatting with LUKS2 (first boot)"
+    luks_format
+fi
+
+log "Mounting ${MAPPER_DEV} at ${MOUNT_POINT}"
+mount -t ext4 -o defaults,noatime "${MAPPER_DEV}" "${MOUNT_POINT}" \
+    || die "mount ${MOUNT_POINT} failed"
+
+log "${MOUNT_POINT} is ready (encrypted)"