add encryption - sb and encryption now working with rauc ota updates

package/beacon-otp/Config.in

@@ -0,0 +1,6 @@
+config BR2_PACKAGE_BEACON_OTP
+	bool "beacon-otp"
+	help
+	  Reads the device-specific 256-bit private key from RPi OTP
+	  via the VideoCore mailbox (/dev/vcio).  Used by the
+	  beacon-encrypt-data service to unlock the LUKS2 data partition.

package/beacon-otp/beacon-otp.mk

@@ -0,0 +1,22 @@
+################################################################################
+#
+# beacon-otp
+#
+################################################################################
+
+BEACON_OTP_VERSION = local
+BEACON_OTP_SITE = $(BR2_EXTERNAL_BEACON_PATH)/package/beacon-otp/src
+BEACON_OTP_SITE_METHOD = local
+BEACON_OTP_LICENSE = MIT
+
+define BEACON_OTP_BUILD_CMDS
+	$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS) \
+		-o $(@D)/beacon-otp-key $(@D)/beacon-otp-key.c
+endef
+
+define BEACON_OTP_INSTALL_TARGET_CMDS
+	$(INSTALL) -D -m 0750 $(@D)/beacon-otp-key \
+		$(TARGET_DIR)/usr/sbin/beacon-otp-key
+endef
+
+$(eval $(generic-package))

package/beacon-otp/src/beacon-otp-key.c

@@ -0,0 +1,84 @@
+/* beacon-otp-key.c
+ * Read the device-specific private key from RPi OTP via the VideoCore mailbox.
+ * Usage: beacon-otp-key [-b]
+ *   (no args)  print 64-char hex string + newline
+ *   -b         write 32 raw bytes to stdout (for use as a key-file)
+ */
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#define IOCTL_MBOX_PROPERTY  _IOWR(100, 0, char *)
+#define TAG_GET_PRIVATE_KEY  0x00030081u
+#define KEY_WORDS            8   /* 8 x 32-bit = 256-bit key */
+
+int main(int argc, char *argv[])
+{
+    int binary = (argc > 1 && strcmp(argv[1], "-b") == 0);
+
+    /*
+     * Mailbox property buffer layout (uint32_t words):
+     *  [0]  total message size in bytes
+     *  [1]  process-request code (0)
+     *  [2]  tag id
+     *  [3]  value-buffer size in bytes = (2 + KEY_WORDS) * 4
+     *  [4]  request/response indicator (0 = request)
+     *  [5]  offset into OTP keystore (0)
+     *  [6]  number of words to read
+     *  [7 .. 6+KEY_WORDS]  key data (output)
+     *  [7+KEY_WORDS]        end tag (0)
+     */
+    uint32_t buf[7 + KEY_WORDS + 1];
+    memset(buf, 0, sizeof(buf));
+    buf[0] = (uint32_t)sizeof(buf);
+    buf[1] = 0x00000000;
+    buf[2] = TAG_GET_PRIVATE_KEY;
+    buf[3] = (2 + KEY_WORDS) * 4;
+    buf[4] = 0;
+    buf[5] = 0;
+    buf[6] = KEY_WORDS;
+    buf[7 + KEY_WORDS] = 0;
+
+    int fd = open("/dev/vcio", O_RDWR);
+    if (fd < 0) {
+        perror("beacon-otp-key: open /dev/vcio");
+        return 1;
+    }
+
+    if (ioctl(fd, IOCTL_MBOX_PROPERTY, buf) < 0) {
+        perror("beacon-otp-key: ioctl MBOX_PROPERTY");
+        close(fd);
+        return 1;
+    }
+    close(fd);
+
+    if (buf[1] != 0x80000000u) {
+        fprintf(stderr, "beacon-otp-key: mailbox error 0x%08x\n", buf[1]);
+        return 1;
+    }
+
+    for (int i = 0; i < KEY_WORDS; i++) {
+        uint32_t w = buf[7 + i];
+        if (binary) {
+            uint8_t b[4] = {
+                (uint8_t)(w        & 0xff),
+                (uint8_t)((w >> 8) & 0xff),
+                (uint8_t)((w >>16) & 0xff),
+                (uint8_t)((w >>24) & 0xff)
+            };
+            if (fwrite(b, 1, 4, stdout) != 4) {
+                perror("beacon-otp-key: fwrite");
+                return 1;
+            }
+        } else {
+            printf("%08x", w);
+        }
+    }
+    if (!binary)
+        printf("\n");
+    fflush(stdout);
+    return 0;
+}