On 09.03.23 11:28, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
Kconfig | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/Kconfig b/Kconfig
index 7d72094..cafb04c 100644
--- a/Kconfig
+++ b/Kconfig
@@ -193,4 +193,14 @@ config KAS_INCLUDE_SWUPDATE_SECBOOT
default "kas/opt/ebg-swu.yml" if IMAGE_SWUPDATE && !IMAGE_SECURE_BOOT
default "kas/opt/ebg-secure-boot-snakeoil.yml" if IMAGE_SECURE_BOOT
+config IMAGE_DATA_ENCRYPTION
+ bool "Encrypt data partitions on first boot"
+ depends on TARGET_QEMU_AMD64
This depends on IMAGE_SWUPDATE. Logically, it only makes sense in
combination with IMAGE_SECURE_BOOT, so I will add that as selection here.
As the TPM emulation is not hw-dependent, I would like to add other
QEMU targets as well. But it seems we need to flip kernel configs there
as well first. So, this can come later.
Jan
+ help
+ This enables LUKS encryption for the partitions /var and /home.
+
+config KAS_INCLUDE_DATA_ENCRYPTION
+ string
+ default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
+
endif
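Review bot: the help text of IMAGE_DATA_ENCRYPTION names the encrypted partitions (/var and /home) but says nothing about what the option requires or where the LUKS key comes from. The only constraint in the hunk is `depends on TARGET_QEMU_AMD64`, so the option can be selected without IMAGE_SWUPDATE or IMAGE_SECURE_BOOT. Suggest expressing those two as `depends on` or `select` lines, and extending the help text to mention the TPM that the reply refers to, so that a user enabling the option from the menu sees its prerequisites.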
--
Siemens AG, Technology
Competence Center Embedded Linux