add encryption - sb and encryption now working with rauc ota updates

2026-03-05 13:56:18 +01:00
parent 9d05be4d32
commit 8e3cafbd5b
13 changed files with 372 additions and 88 deletions
--- a/board/beacon-cm4/rootfs-overlay/usr/sbin/beacon-encrypt-data.sh
+++ b/board/beacon-cm4/rootfs-overlay/usr/sbin/beacon-encrypt-data.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# beacon-encrypt-data.sh
+#
+# On first boot:  LUKS2-format /dev/mmcblk0p3 with device OTP key, create ext4, mount /data
+# On later boots: open LUKS2 container with device OTP key, mount /data
+#
+# If the OTP key is all-zeros (not programmed) the partition is mounted unencrypted
+# so the system is still usable on a non-secure-boot device during development.
+
+set -e
+
+DATA_DEV="/dev/mmcblk0p3"
+MAPPER_NAME="data"
+MAPPER_DEV="/dev/mapper/${MAPPER_NAME}"
+MOUNT_POINT="/data"
+OTP_TOOL="/usr/sbin/beacon-otp-key"
+
+log() { echo "beacon-encrypt-data: $*"; }
+die() { echo "beacon-encrypt-data: ERROR: $*" >&2; exit 1; }
+
+# Block device must exist
+[ -b "${DATA_DEV}" ] || { log "${DATA_DEV} not found, skipping"; exit 0; }
+
+# OTP tool must exist
+[ -x "${OTP_TOOL}" ] || die "OTP tool not found at ${OTP_TOOL}"
+
+# Write OTP key into a tmpfs file so it never touches disk
+KEY_FILE="$(mktemp /dev/shm/otp-XXXXXX 2>/dev/null || mktemp /tmp/otp-XXXXXX)"
+trap 'rm -f "${KEY_FILE}"' EXIT INT TERM
+
+OTP_READ_OK=1
+if ! ${OTP_TOOL} -b > "${KEY_FILE}"; then
+    log "WARNING: OTP key read failed — falling back to unencrypted /data"
+    OTP_READ_OK=0
+fi
+
+# Check if key is all zeros (OTP not programmed — dev/test device)
+KEY_HEX=""
+if [ "${OTP_READ_OK}" = "1" ]; then
+    KEY_HEX="$(${OTP_TOOL} 2>/dev/null || true)"
+fi
+
+mount_unencrypted() {
+    if ! blkid "${DATA_DEV}" >/dev/null 2>&1; then
+        log "No filesystem on ${DATA_DEV} — creating ext4 (unencrypted)"
+        mkfs.ext4 -q -L "Data" "${DATA_DEV}" || die "mkfs.ext4 failed"
+    fi
+    mount -t ext4 -o defaults,noatime "${DATA_DEV}" "${MOUNT_POINT}" \
+        || die "mount ${MOUNT_POINT} failed"
+    log "${MOUNT_POINT} is ready (unencrypted)"
+    exit 0
+}
+
+if [ "${OTP_READ_OK}" = "0" ] || [ -z "$(echo "${KEY_HEX}" | tr -d '0')" ]; then
+    log "OTP key is all-zeros or unreadable — mounting ${DATA_DEV} unencrypted"
+    mount_unencrypted
+fi
+
+# --- Encrypted path ---
+luks_format() {
+    log "Formatting /dev/mmcblk0p3 with LUKS2"
+    dd if=/dev/zero of="${DATA_DEV}" bs=1M count=4 status=none 2>/dev/null || true
+    cryptsetup luksFormat \
+        --batch-mode \
+        --type luks2 \
+        --key-file "${KEY_FILE}" \
+        --key-size 512 \
+        --cipher aes-xts-plain64 \
+        --hash sha256 \
+        --pbkdf pbkdf2 \
+        "${DATA_DEV}" \
+        || die "luksFormat failed"
+    cryptsetup luksOpen "${DATA_DEV}" "${MAPPER_NAME}" \
+        --key-file "${KEY_FILE}" \
+        || die "luksOpen after format failed"
+    log "Creating ext4 filesystem inside encrypted container"
+    mkfs.ext4 -q -L "DataEnc" "${MAPPER_DEV}" \
+        || die "mkfs.ext4 failed"
+}
+
+if cryptsetup isLuks "${DATA_DEV}" 2>/dev/null; then
+    log "Opening existing LUKS2 container on ${DATA_DEV}"
+    if ! cryptsetup luksOpen "${DATA_DEV}" "${MAPPER_NAME}" \
+            --key-file "${KEY_FILE}" 2>/dev/null; then
+        log "WARNING: luksOpen failed (stale header or wrong key) — re-formatting"
+        luks_format
+    fi
+else
+    log "No LUKS header on ${DATA_DEV} — formatting with LUKS2 (first boot)"
+    luks_format
+fi
+
+log "Mounting ${MAPPER_DEV} at ${MOUNT_POINT}"
+mount -t ext4 -o defaults,noatime "${MAPPER_DEV}" "${MOUNT_POINT}" \
+    || die "mount ${MOUNT_POINT} failed"
+
+log "${MOUNT_POINT} is ready (encrypted)"