Skip to content

Security fixes #692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
praneethbajjuri merged 2 commits into from
Apr 27, 2026
Merged

Security fixes #692

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b1907f9
fix(security): Clarify TRNG engine ownership by OPTEE
shiva-ti Apr 24, 2026
ec5fb2c
feat(linux): Add Yocto layer luks configuration
shiva-ti Apr 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,5 +29,8 @@
* - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt`
- Used for building SELinux enabled Yocto based filesystem
- |__SDK_BUILD_MACHINE__|
* - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt`

Check warning on line 32 in source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.

Raw Output:
{"message": "[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.", "location": {"path": "source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst", "range": {"start": {"line": 32, "column": 29}}}, "severity": "WARNING"}
- Used for building SDK with the luks disk encryption using fTPM
- |__SDK_BUILD_MACHINE__|

The oe-layersetup configuration, as defined in :file:`processor-sdk-master-nonui-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|.
3 changes: 3 additions & 0 deletions source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,5 +32,8 @@
* - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt`
- Used for building SELinux enabled Yocto based filesystem
- |__SDK_BUILD_MACHINE__|
* - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt`

Check warning on line 35 in source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.

Raw Output:
{"message": "[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.", "location": {"path": "source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst", "range": {"start": {"line": 35, "column": 29}}}, "severity": "WARNING"}
- Used for building SDK with the luks disk encryption using fTPM
- |__SDK_BUILD_MACHINE__|

The oe-layersetup configuration, as defined in :file:`processor-sdk-master-chromium-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|.
3 changes: 3 additions & 0 deletions source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,5 +32,8 @@
* - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt`
- Used for building SELinux enabled Yocto based filesystem
- |__SDK_BUILD_MACHINE__|, am62xx-lp-evm, am62xxsip-evm, beagleplay-ti
* - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt`

Check warning on line 35 in source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.

Raw Output:
{"message": "[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.", "location": {"path": "source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst", "range": {"start": {"line": 35, "column": 29}}}, "severity": "WARNING"}
- Used for building SDK with the luks disk encryption using fTPM
- |__SDK_BUILD_MACHINE__|

The oe-layersetup configuration, as defined in :file:`processor-sdk-master-chromium-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|.
3 changes: 3 additions & 0 deletions source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,5 +29,8 @@
* - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt`
- Used for building SELinux enabled Yocto based filesystem
- |__SDK_BUILD_MACHINE__|
* - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt`

Check warning on line 32 in source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.

Raw Output:
{"message": "[RedHat.ConsciousLanguage] Use 'primary', 'source', 'initiator', 'requester', 'controller', 'host', 'director', or 'supplier' rather than 'master'.", "location": {"path": "source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst", "range": {"start": {"line": 32, "column": 29}}}, "severity": "WARNING"}
- Used for building SDK with the luks disk encryption using fTPM
- |__SDK_BUILD_MACHINE__|

The oe-layersetup configuration, as defined in :file:`processor-sdk-master-nonui-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|.
8 changes: 5 additions & 3 deletions source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,10 +216,12 @@
Using the True Random Number Generator (TRNG) Hardware Accelerator
******************************************************************

The pre-built kernel included within the SDK already has the OP-TEE TRNG
driver enabled. You do not need any further configuration.
In the default SDK, OP-TEE controls the TRNG engine and firewalls its

Check warning on line 219 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst", "range": {"start": {"line": 219, "column": 24}}}, "severity": "INFO"}
hardware registers, blocking outside access. To use TRNG from Linux instead,
disable the OP-TEE driver and enable the RNG node in the Linux device tree.

Check warning on line 221 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'RNG') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'RNG') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst", "range": {"start": {"line": 221, "column": 42}}}, "severity": "INFO"}

Check warning on line 221 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst", "range": {"start": {"line": 221, "column": 16}}}, "severity": "INFO"}

Verify that the optee-rng driver is loaded:
Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng

Check warning on line 223 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst", "range": {"start": {"line": 223, "column": 20}}}, "severity": "INFO"}
driver loads:

.. code-block:: console
Expand Down
8 changes: 6 additions & 2 deletions source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,8 +304,12 @@
Using the TRNG Hardware Accelerator
***********************************

The pre built kernel that come with the SDK already has the TRNG driver
built into the kernel. No further configuration is required.
In the default SDK, OP-TEE controls the TRNG engine and firewalls its

Check warning on line 307 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'TRNG') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'TRNG') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst", "range": {"start": {"line": 307, "column": 41}}}, "severity": "INFO"}

Check warning on line 307 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst", "range": {"start": {"line": 307, "column": 24}}}, "severity": "INFO"}
hardware registers, blocking outside access. To use TRNG from Linux instead,
disable the OP-TEE driver and enable the RNG node in the Linux device tree.

Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng
driver loads:

.. ifconfig:: CONFIG_crypto in ('sa2ul')

Expand Down
9 changes: 6 additions & 3 deletions source/linux/Foundational_Components/System_Security/Security_overview.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,8 @@ The following table lists some of the key Security Features:
| **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` |
| | code executes on the device | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` |
| **and TRNG** | hardware entropy based secure random number generation | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
Expand Down Expand Up @@ -81,7 +82,8 @@ The following table lists some of the key Security Features:
| **Authenticated Boot** | Transparent disk encryption using the Linux kernel | :ref:`auth_boot_guide` |
| | device mapper (dm-crypt) for data confidentiality | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` |
| **and TRNG** | hardware entropy based secure random number generation | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
Expand All @@ -106,7 +108,8 @@ The following table lists some of the key Security Features:
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| Security Feature | Description | Links |
+=========================+===========================================================+======================================+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` |
| **and TRNG** | hardware entropy based secure random number generation | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
Expand Down
Loading