From b1e14f4e88be503f91db9c51c89a5a9f5e30de91 Mon Sep 17 00:00:00 2001
From: Jia Zhang <lans.zhang2008@gmail.com>
Date: Sun, 20 Aug 2017 15:31:11 +0800
Subject: encrypted-storage: use luks as the feature name for current
 implementation

encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
---
 README                                                      |  6 +++---
 .../recipes-bsp/grub/grub-efi_2.02.bbappend                 |  9 ++++-----
 .../packagegroup-encrypted-storage-initramfs.bb             |  8 --------
 .../packagegroups/packagegroup-encrypted-storage.bb         | 13 -------------
 .../packagegroups/packagegroup-encrypted-storage.inc        | 12 ------------
 .../packagegroups/packagegroup-luks-initramfs.bb            |  8 ++++++++
 .../recipes-base/packagegroups/packagegroup-luks.bb         | 13 +++++++++++++
 .../recipes-base/packagegroups/packagegroup-luks.inc        | 12 ++++++++++++
 .../recipes-core/systemd/systemd_%.bbappend                 |  2 +-
 .../recipes-kernel/linux/linux-yocto-encrypted-storage.inc  |  6 ------
 .../recipes-kernel/linux/linux-yocto-luks.inc               |  6 ++++++
 .../recipes-kernel/linux/linux-yocto-rt_%.bbappend          |  2 +-
 .../recipes-kernel/linux/linux-yocto_%.bbappend             |  2 +-
 .../recipes-tpm/cryptfs-tpm2/cryptfs-tpm2_git.bb            |  2 +-
 meta-integrity/README.md                                    |  6 +++---
 meta/recipes-core/images/secure-core-image-initramfs.bb     |  4 ++--
 meta/recipes-core/images/secure-core-image.inc              |  4 ++--
 17 files changed, 57 insertions(+), 58 deletions(-)
 delete mode 100644 meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage-initramfs.bb
 delete mode 100644 meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.bb
 delete mode 100644 meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.inc
 create mode 100644 meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks-initramfs.bb
 create mode 100644 meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.bb
 create mode 100644 meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.inc
 delete mode 100644 meta-encrypted-storage/recipes-kernel/linux/linux-yocto-encrypted-storage.inc
 create mode 100644 meta-encrypted-storage/recipes-kernel/linux/linux-yocto-luks.inc

diff --git a/README b/README
index e4402f8..9fbdcea 100644
--- a/README
+++ b/README
@@ -75,14 +75,14 @@ The full features in meta-secure-core can be configured with these definitions
 in local.conf:
 
 INITRAMFS_IMAGE = "secure-core-image-initramfs"
-DISTRO_FEATURES_NATIVE_append += " ima tpm tpm2 efi-secure-boot encrypted-storage"
-DISTRO_FEATURES_append += " ima tpm tpm2 efi-secure-boot encrypted-storage"
+DISTRO_FEATURES_NATIVE_append += " ima tpm tpm2 efi-secure-boot luks"
+DISTRO_FEATURES_append += " ima tpm tpm2 efi-secure-boot luks"
 SECURE_CORE_IMAGE_EXTRA_INSTALL ?= "\
     packagegroup-efi-secure-boot \
     packagegroup-tpm \
     packagegroup-tpm2 \
     packagegroup-ima \
-    packagegroup-encrypted-storage \
+    packagegroup-luks \
 "
 DEBUG_FLAGS_forcevariable = ""
 
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
index da02b5c..1700adc 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
@@ -65,11 +65,10 @@ do_install_append_class-native() {
 do_install_append_class-target() {
     local menu="${WORKDIR}/boot-menu.inc"
 
-    # Enable the default IMA rules if IMA is enabled and encrypted-storage is
-    # disabled. This is because unseal operation will fail when any PCR is
-    # extended due to updating the aggregate integrity value by the default
-    # IMA rules.
-    [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', '1', '0', d)}" != x"1" ] && {
+    # Enable the default IMA rules if IMA is enabled and luks is disabled.
+    # This is because unseal operation will fail when any PCR is extended
+    # due to updating the aggregate integrity value by the default IMA rules.
+    [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
         ! grep -q "ima_policy=tcb" "$menu" &&
             sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu"
     }
diff --git a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage-initramfs.bb b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage-initramfs.bb
deleted file mode 100644
index 91c16fd..0000000
--- a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage-initramfs.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-DESCRIPTION = "The packages used for encrypted storage in initramfs."
-
-require packagegroup-encrypted-storage.inc
-
-RDEPENDS_${PN} += "\
-    cryptfs-tpm2-initramfs \
-    packagegroup-tpm2-initramfs \
-"
diff --git a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.bb b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.bb
deleted file mode 100644
index 46ed2a8..0000000
--- a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-DESCRIPTION = "The packages used for encrypted storage."
-
-require packagegroup-encrypted-storage.inc
-
-# Install the minimal stuffs only for the linux rootfs.
-# The common packages shared between initramfs and rootfs
-# are listed in the .inc.
-
-RDEPENDS_${PN} += "\
-    util-linux-fdisk \
-    parted \
-    packagegroup-tpm2 \
-"
diff --git a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.inc b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.inc
deleted file mode 100644
index b3fa991..0000000
--- a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-encrypted-storage.inc
+++ /dev/null
@@ -1,12 +0,0 @@
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "\
-    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 \
-"
-
-ALLOW_EMPTY_${PN} = "1"
-
-S = "${WORKDIR}"
-
-RDEPENDS_${PN} += "\
-    cryptfs-tpm2 \
-"
diff --git a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks-initramfs.bb b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks-initramfs.bb
new file mode 100644
index 0000000..34bc907
--- /dev/null
+++ b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks-initramfs.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "The packages used for luks in initramfs."
+
+require packagegroup-luks.inc
+
+RDEPENDS_${PN} += "\
+    cryptfs-tpm2-initramfs \
+    packagegroup-tpm2-initramfs \
+"
diff --git a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.bb b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.bb
new file mode 100644
index 0000000..fd0c162
--- /dev/null
+++ b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.bb
@@ -0,0 +1,13 @@
+DESCRIPTION = "The packages used for LUKS."
+
+require packagegroup-luks.inc
+
+# Install the minimal stuffs only for the linux rootfs.
+# The common packages shared between initramfs and rootfs
+# are listed in the .inc.
+
+RDEPENDS_${PN} += "\
+    util-linux-fdisk \
+    parted \
+    packagegroup-tpm2 \
+"
diff --git a/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.inc b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.inc
new file mode 100644
index 0000000..b3fa991
--- /dev/null
+++ b/meta-encrypted-storage/recipes-base/packagegroups/packagegroup-luks.inc
@@ -0,0 +1,12 @@
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "\
+    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 \
+"
+
+ALLOW_EMPTY_${PN} = "1"
+
+S = "${WORKDIR}"
+
+RDEPENDS_${PN} += "\
+    cryptfs-tpm2 \
+"
diff --git a/meta-encrypted-storage/recipes-core/systemd/systemd_%.bbappend b/meta-encrypted-storage/recipes-core/systemd/systemd_%.bbappend
index 166b6a8..9bd4ee1 100644
--- a/meta-encrypted-storage/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-encrypted-storage/recipes-core/systemd/systemd_%.bbappend
@@ -1,4 +1,4 @@
 #PACKAGECONFIG_append += "\
-#    ${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', \
+#    ${@bb.utils.contains('DISTRO_FEATURES', 'luks', \
 #                         'cryptsetup', '', d)} \
 #"
diff --git a/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-encrypted-storage.inc b/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-encrypted-storage.inc
deleted file mode 100644
index faa613f..0000000
--- a/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-encrypted-storage.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
-
-SRC_URI += "\
-    ${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', \
-                         'file://dmcrypt.scc file://dmcrypt.cfg', '', d)} \
-"
diff --git a/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-luks.inc b/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-luks.inc
new file mode 100644
index 0000000..91dceb6
--- /dev/null
+++ b/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-luks.inc
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+SRC_URI += "\
+    ${@bb.utils.contains('DISTRO_FEATURES', 'luks', \
+                         'file://dmcrypt.scc file://dmcrypt.cfg', '', d)} \
+"
diff --git a/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-rt_%.bbappend
index fc85431..49d5d48 100644
--- a/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-rt_%.bbappend
+++ b/meta-encrypted-storage/recipes-kernel/linux/linux-yocto-rt_%.bbappend
@@ -1 +1 @@
-include linux-yocto-encrypted-storage.inc
+include linux-yocto-luks.inc
diff --git a/meta-encrypted-storage/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-encrypted-storage/recipes-kernel/linux/linux-yocto_%.bbappend
index fc85431..49d5d48 100644
--- a/meta-encrypted-storage/recipes-kernel/linux/linux-yocto_%.bbappend
+++ b/meta-encrypted-storage/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -1 +1 @@
-include linux-yocto-encrypted-storage.inc
+include linux-yocto-luks.inc
diff --git a/meta-encrypted-storage/recipes-tpm/cryptfs-tpm2/cryptfs-tpm2_git.bb b/meta-encrypted-storage/recipes-tpm/cryptfs-tpm2/cryptfs-tpm2_git.bb
index 97c0fbd..217cf65 100644
--- a/meta-encrypted-storage/recipes-tpm/cryptfs-tpm2/cryptfs-tpm2_git.bb
+++ b/meta-encrypted-storage/recipes-tpm/cryptfs-tpm2/cryptfs-tpm2_git.bb
@@ -44,7 +44,7 @@ PARALLEL_MAKE = ""
 do_install() {
     oe_runmake install DESTDIR="${D}"
 
-    if [ "${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', '1', '0', d)}" = "1" ]; then
+    if [ "${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" = "1" ]; then
         install -m 0500 "${S}/scripts/init.cryptfs" "${D}"
     fi
 }
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 82db535..8ffd484 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -170,9 +170,9 @@ The following best practices should be applied with using IMA.
 
 - The default IMA rules provides the ability of measuring the boot components
   and calculating the aggregate integrity value for attesting. However, this
-  function conflicts with encrypted-storage feature which employs PCR policy
-  session to retrieve the passphrase in a safe way. If both of them are
-  enabled, the default IMA rules will be not used.
+  function conflicts with the luks feature which employs PCR policy session to
+  retrieve the passphrase in a safe way. If both of them are enabled, the
+  default IMA rules will be not used.
 
 ### Reference
 [Official IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
diff --git a/meta/recipes-core/images/secure-core-image-initramfs.bb b/meta/recipes-core/images/secure-core-image-initramfs.bb
index 1b97261..87eaec2 100644
--- a/meta/recipes-core/images/secure-core-image-initramfs.bb
+++ b/meta/recipes-core/images/secure-core-image-initramfs.bb
@@ -8,8 +8,8 @@ ROOTFS_BOOTSTRAP_INSTALL_append += "\
                          "packagegroup-tpm2-initramfs", "", d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "ima", \
                          "packagegroup-ima-initramfs", "", d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "encrypted-storage", \
-                         "packagegroup-encrypted-storage-initramfs", "", d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "luks", \
+                         "packagegroup-luks-initramfs", "", d)} \
 "
 
 PACKAGE_INSTALL = "\
diff --git a/meta/recipes-core/images/secure-core-image.inc b/meta/recipes-core/images/secure-core-image.inc
index e08b84a..0fc56fb 100644
--- a/meta/recipes-core/images/secure-core-image.inc
+++ b/meta/recipes-core/images/secure-core-image.inc
@@ -10,8 +10,8 @@ SECURE_CORE_IMAGE_EXTRA_INSTALL_append += "\
                          "packagegroup-tpm2", "", d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "ima", \
                          "packagegroup-ima", "", d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "encrypted-storage", \
-                         "packagegroup-encrypted-storage", "", d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "luks", \
+                         "packagegroup-luks", "", d)} \
 "
 
 IMAGE_INSTALL = "\
-- 
cgit v1.2.3-54-g00ecf