Creating an Independent Data Partition with Yocto meta-toradex-security Layer

Introduction

Toradex provides numerous security features for its software systems such as Linux, including Secure Boot, partition encryption, OP-TEE, etc., to help users meet security compliance. These features can be easily utilized by adding the meta-toradex-security layer developed by Toradex in the Yocto Project. In the following articles, we will introduce how to use these features. This time, we will first discuss how to create an independent partition when generating installation images using the Yocto Project, which prepares for subsequent partition encryption.

Setting Up and Configuring the Yocto Project Environment

Refer to the instructions on the Build a Reference Image with Yocto Project/OpenEmbedded page; we will use the latest Linux BSP version 7. In addition to the default repo tool, you can also fetch repo from a domestic (Tsinghua) mirror for faster downloads.

$ curl -L https://mirrors.tuna.tsinghua.edu.cn/git/git-repo -o repo
$ chmod +x repo
$ export REPO_URL='https://mirrors.tuna.tsinghua.edu.cn/git/git-repo'

Download the manifest file used to compile the BSP 7 image.

$ repo init -u git://git.toradex.cn/toradex-manifest.git -b scarthgap-7.x.y \
-m tdxref/default.xml
$ repo sync
$ . export

After executing the repo sync command, you can find the recipe files used by the Yocto Project in the layers directory. In that directory you need to add the meta-toradex-security layer and the meta-security layer it depends on.

$ cd layers
$ git clone -b scarthgap-7.x.y https://github.com/toradex/meta-toradex-security.git
$ git clone -b scarthgap git://git.yoctoproject.org/meta-security

Add meta-toradex-security and meta-security at the end of build/conf/bblayers.conf. This way, these recipes can be used during the later bitbake compilation.

  ${TOPDIR}/../layers/openembedded-core/meta \
  ${TOPDIR}/../layers/meta-toradex-security \
  ${TOPDIR}/../layers/meta-security \
"

Add the following content at the end of build/conf/local.conf.

INHERIT += "tdx-tezi-data-partition"

When creating and mounting the partition, the following variables can be set in local.conf to change the partition label, file system type, mount path, whether it is auto-mounted, and the mount options, as needed.

Variable: TDX_TEZI_DATA_PARTITION_TYPE
  Description: File system type of the data partition. Available values are ext2, ext3, ext4, fat, and ubifs; supported values are limited to those supported by the Toradex Easy Installer.
  Default value: ext4

Variable: TDX_TEZI_DATA_PARTITION_LABEL
  Description: Label used to format and mount the data partition.
  Default value: DATA

Variable: TDX_TEZI_DATA_PARTITION_AUTOMOUNT
  Description: Set to 1 to mount the data partition automatically at startup, or to 0 to disable auto-mount; when set to -1, the partition does not even appear in fstab and must be mounted by other means.
  Default value: -1 when the tdx-encrypted class is used; otherwise 1.

Variable: TDX_TEZI_DATA_PARTITION_MOUNTPOINT
  Description: Directory where the data partition should be mounted.
  Default value: /data

Variable: TDX_TEZI_DATA_PARTITION_MOUNT_FLAGS
  Description: Flags for mounting the data partition. For more information on available mount flags, refer to the mount manual page.
  Default value: rw,nosuid,nodev,noatime,errors=remount-ro

With the default values, an ext4-formatted partition is mounted at /data on the module, where user data can be stored.

Compiling the Image

After completing the above configuration, you can use the bitbake command to compile the image. For example, this test will compile a minimal image for the Verdin AM62 module.

$ MACHINE=verdin-am62 bitbake tdx-reference-minimal-image

Installing the Image

Although the /data partition is defined in the Yocto Project build, it still has to be created on the module’s eMMC by the Toradex Easy Installer when the image is installed. In the generated image installation file image.json you can see the following entry: a DATA partition is created after the root filesystem (RFS) partition.

{
    "partition_size_nominal":"512",
    "partition_type":"83",
    "want_maximised":true,
    "content":{
        "label":"DATA",
        "filesystem_type":"ext4",
        "mkfs_options":"-E nodiscard",
        "filename":""
    }
}

Checking the Partition Status

After installation and rebooting into the system, you can see that /dev/mmcblk0p3 is mounted to the /data directory using the mount command.

root@verdin-am62-15415684:~# mount -l
...
/dev/mmcblk0p3 on /data type ext4 (rw,nosuid,nodev,noatime,errors=remount-ro) [DATA]

In /etc/fstab, the partition with the label DATA is set to auto-mount at startup. This label is the default value of the TDX_TEZI_DATA_PARTITION_LABEL variable in the table above.

root@verdin-am62-15415684:/data# cat /etc/fstab 
...
LABEL=DATA  /data  auto  rw,nosuid,nodev,noatime,errors=remount-ro,auto  0  0

In image.json, both the RFS and DATA partitions are set with "want_maximised": true, so these two partitions share the remaining space on the eMMC, which is approximately 3GB.

root@verdin-am62-15415684:/data# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 3.4G    207.0M      3.0G   6% /
...
/dev/mmcblk0p3            3.4G     28.0K      3.2G   0% /data
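The mount output above is where a mistake in TDX_TEZI_DATA_PARTITION_MOUNT_FLAGS would first show up. As an added example, not code from the original article or from the meta-toradex-security layer, the POSIX shell check below confirms that the partition labelled DATA is mounted at /data with every configured flag (in particular nosuid and nodev); it is run here against constructed mount -l lines, but takes the real output of mount -l on the module just the same.

```shell
# Added example (not part of the original article): verify that the filesystem
# carrying the configured label is mounted at the configured mountpoint with
# every flag requested via TDX_TEZI_DATA_PARTITION_MOUNT_FLAGS. Losing
# nosuid/nodev on a writable data partition would silently weaken the setup.
# Usage: check_data_mount "<output of mount -l>" LABEL MOUNTPOINT "flag,flag,..."
# Returns 0 when all checks pass, 1 otherwise (printing the first failure).
check_data_mount() {
    mount_output=$1; label=$2; mountpoint=$3; wanted_flags=$4

    # Select the line mounting the requested label at the requested path
    # (mount -l prints the label in square brackets at the end of the line).
    line=$(printf '%s\n' "$mount_output" | grep -F " on $mountpoint type " \
           | grep -F "[$label]" || true)
    if [ -z "$line" ]; then
        echo "FAIL: no filesystem labelled $label is mounted on $mountpoint"
        return 1
    fi

    # The active mount options are the comma-separated list in parentheses.
    opts=$(printf '%s\n' "$line" | sed 's/.*(\(.*\)).*/\1/')

    # Each requested flag must appear as a whole option, not as a substring
    # of some other option, hence the surrounding commas in the comparison.
    for flag in $(printf '%s\n' "$wanted_flags" | tr ',' ' '); do
        case ",$opts," in
            *",$flag,"*) ;;
            *) echo "FAIL: $mountpoint is missing mount option '$flag'"; return 1 ;;
        esac
    done
    echo "OK: $label on $mountpoint ($opts)"
    return 0
}

# Constructed sample output in the format 'mount -l' prints on the module.
SAMPLE_MOUNTS='/dev/root on / type ext4 (rw,relatime)
/dev/mmcblk0p3 on /data type ext4 (rw,nosuid,nodev,noatime,errors=remount-ro) [DATA]'

# Constructed variant where nosuid has been lost, to show the check failing.
SAMPLE_BAD='/dev/mmcblk0p3 on /data type ext4 (rw,nodev,noatime,errors=remount-ro) [DATA]'

# The default flags from local.conf (TDX_TEZI_DATA_PARTITION_MOUNT_FLAGS).
DEFAULT_FLAGS='rw,nosuid,nodev,noatime,errors=remount-ro'

check_data_mount "$SAMPLE_MOUNTS" DATA /data "$DEFAULT_FLAGS"
check_data_mount "$SAMPLE_BAD" DATA /data "$DEFAULT_FLAGS" || echo "(expected failure)"
```

On a real module, replace the constructed samples with "$(mount -l)" and the label, mountpoint and flags you set in local.conf.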

Conclusion

With meta-toradex-security, users can easily plan partitions during image compilation and automatically mount them at runtime. More practical features from meta-toradex-security will be introduced in subsequent articles.