ni · chaitu236 · Mar 26, 2026 · Jan 9, 2026 · Jan 13, 2026 · Jan 12, 2026
diff --git a/conf/machine/x64.conf b/conf/machine/x64.conf
@@ -10,6 +10,8 @@ DEFAULTTUNE ?= "core2-64"
 require conf/machine/include/x86/tune-core2.inc
 require conf/machine/include/x86/x86-base.inc
 
+MACHINE_FEATURES:append = " tpm2"
+
 XSERVER = "\
 	${XSERVER_X86_BASE} \
 	${XSERVER_X86_EXT} \

diff --git a/files/group b/files/group
@@ -6,6 +6,7 @@ ni:x:500:
 openvpn:x:499:
 niwscerts:x:498:
 # free space
+clevis:x:405:
 krill:x:404:
 xrdp:x:403:
 arpwatch:x:402:

diff --git a/files/passwd b/files/passwd
@@ -6,6 +6,7 @@ webserv:x:501::::
 lvuser:x:500::::
 openvpn:x:499::::
 # free space
+clevis:x:405::::
 krill:x:404::::
 xrdp:x:403::::
 arpwatch:x:402::::

diff --git a/recipes-bsp/grub/grub-efi_2.%.bbappend b/recipes-bsp/grub/grub-efi_2.%.bbappend
@@ -1,12 +1,37 @@
 require grub-nilrt.inc
 
-GRUB_BUILDIN += "smbios chain multiboot efi_uga font gfxterm gfxmenu terminal \
-                minicmd iorw echo reboot terminfo loopback memdisk tar help serial \
-                ls search_fs_uuid udf btrfs ntfs reiserfs xfs lvm ata \
-                regexp probe"
-
-# Downstream NI-branch code quality is not yet ready to build with -Werror
-CFLAGS:append = " -Wno-error"
+GRUB_BUILDIN:append = " \
+    ata \
+    btrfs \
+    chain \
+    echo \
+    efi_uga \
+    font \
+    gfxmenu \
+    gfxterm \
+    help \
+    iorw \
+    loopback \
+    ls \
+    lvm \
+    memdisk \
+    minicmd \
+    multiboot \
+    ntfs \
+    probe \
+    reboot \
+    regexp \
+    reiserfs \
+    search_fs_uuid \
+    serial \
+    smbios \
+    tar \
+    terminal \
+    terminfo \
+    tpm \
+    udf \
+    xfs \
+"
 
 PACKAGES:prepend = "${PN}-nilrt "
 
@@ -17,10 +42,13 @@ do_install:append:class-target() {
     # unchanged so that we may use it with USB provisioning tool
     # and other removable storage.
     (
-    cd "${B}"
-    grub-mkimage -p /efi/nilrt -d ./grub-core/ \
-                 -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE_PREFIX}nilrt-${GRUB_IMAGE} \
-                 ${GRUB_BUILDIN}
+        cd "${B}"
+        grub-mkimage \
+            --prefix=/efi/nilrt \
+            --directory=./grub-core/ \
+            --format=${GRUB_TARGET}-efi \
+            --output=./${GRUB_IMAGE_PREFIX}nilrt-${GRUB_IMAGE} \
+            ${GRUB_BUILDIN}
     )
 
     # Install NILRT grub image

diff --git a/recipes-bsp/grub/grub/grub-safemode.cfg b/recipes-bsp/grub/grub/grub-safemode.cfg
@@ -41,6 +41,7 @@ set sys_reset=false
 set system_manufacturer=""
 set smbios_bootmode=0
 set smbios_tablelen=0
+set measure_on=true
 
 # Set the root variable to NI's bootfs partition
 search --set root --label nibootfs

diff --git a/recipes-core/base-files/base-files/x64/fstab b/recipes-core/base-files/base-files/x64/fstab
@@ -1,10 +1,11 @@
 # stock fstab - you probably want to override this with a machine specific one
 
-/dev/root            /                    auto       defaults              1  1
-proc                 /proc                proc       defaults              0  0
-devpts               /dev/pts             devpts     mode=0620,gid=5       0  0
-tmpfs                /run                 tmpfs      mode=0755,nodev,nosuid,strictatime 0  0
-tmpfs                /var/volatile        tmpfs      size=26%              0  0
+/dev/root            /                    auto        defaults              1  1
+proc                 /proc                proc        defaults              0  0
+devpts               /dev/pts             devpts      mode=0620,gid=5       0  0
+tmpfs                /run                 tmpfs       mode=0755,nodev,nosuid,strictatime 0  0
+tmpfs                /var/volatile        tmpfs       size=26%              0  0
+securityfs           /sys/kernel/security securityfs  defaults              0  0
 
 # uncomment this if your device has a SD/MMC/Transflash slot
 #/dev/mmcblk0p1       /media/card          auto       defaults,sync,noauto  0  0

diff --git a/recipes-core/packagegroups/packagegroup-ni-tpm.bb b/recipes-core/packagegroups/packagegroup-ni-tpm.bb
@@ -11,5 +11,8 @@ inherit packagegroup
 
 RDEPENDS:${PN} = "\
 	packagegroup-security-tpm2 \
+	clevis \
+	cryptsetup \
 	libtss2-tcti-device \
+	tpm2-tools \
 "
diff --git a/recipes-kernel/linux/files/extra_x64.cfg b/recipes-kernel/linux/files/extra_x64.cfg
@@ -1072,6 +1072,7 @@ CONFIG_HWMON_VID=m
 CONFIG_HWPOISON_INJECT=m
 CONFIG_HW_RANDOM_BA431=m
 CONFIG_HW_RANDOM_TIMERIOMEM=m
+CONFIG_HW_RANDOM_TPM=m
 CONFIG_HW_RANDOM_XIPHERA=m
 CONFIG_HX711=m
 CONFIG_HYPERV_VSOCKETS=m
@@ -1083,8 +1084,10 @@ CONFIG_I2C_AMD756=m
 CONFIG_I2C_AMD756_S4882=m
 CONFIG_I2C_AMD8111=m
 CONFIG_I2C_AMD_MP2=m
+CONFIG_I2C_BOARDINFO=m
 CONFIG_I2C_CBUS_GPIO=m
 CONFIG_I2C_CHT_WC=m
+CONFIG_I2C_COMPAT=m
 CONFIG_I2C_CP2615=m
 CONFIG_I2C_CROS_EC_TUNNEL=m
 CONFIG_I2C_DIOLAN_U2C=m
@@ -2460,6 +2463,7 @@ CONFIG_RDS_RDMA=m
 CONFIG_RDS_TCP=m
 CONFIG_REALTEK_PHY=m
 CONFIG_REED_SOLOMON=m
+CONFIG_REGMAP_I2C=m
 CONFIG_REGMAP_I3C=m
 CONFIG_REGMAP_SCCB=m
 CONFIG_REGMAP_SLIMBUS=m
@@ -2510,6 +2514,7 @@ CONFIG_RT2800_LIB_MMIO=m
 CONFIG_RT2X00_LIB_MMIO=m
 CONFIG_RT2X00_LIB_PCI=m
 CONFIG_RT61PCI=m
+CONFIG_RTC_I2C_AND_SPI=m
 CONFIG_RTL8180=m
 CONFIG_RTL8188EE=m
 CONFIG_RTL8192CE=m
@@ -2656,6 +2661,7 @@ CONFIG_SCSI_WD719X=m
 CONFIG_SDIO_UART=m
 CONFIG_SDR_MAX2175=m
 CONFIG_SD_ADC_MODULATOR=m
+CONFIG_SECURITYFS=m
 CONFIG_SEL3350_PLATFORM=m
 CONFIG_SENSEAIR_SUNRISE_CO2=m
 CONFIG_SENSIRION_SGP30=m

diff --git a/recipes-security/clevis/clevis_21.bb b/recipes-security/clevis/clevis_21.bb
@@ -0,0 +1,67 @@
+SUMMARY = "Clevis - Automated Encryption Framework"
+DESCRIPTION = "Clevis is a pluggable framework for automated decryption. It \
+can be used to provide automated decryption of data or even automated \
+unlocking of LUKS volumes."
+HOMEPAGE = "https://github.com/latchset/clevis"
+SECTION = "security"
+LICENSE = "GPL-3.0-or-later"
+LIC_FILES_CHKSUM = "\
+	file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
+	file://COPYING.openssl;md5=a78c00d154a43f35ef1dc1292a234c6d \
+"
+
+
+DEPENDS = "\
+	cryptsetup \
+	cryptsetup-native \
+	jansson \
+	jose \
+	keyutils-native \
+"
+
+SRC_URI = "\
+	https://github.com/latchset/clevis/releases/download/v${PV}/${BP}.tar.xz \
+"
+SRC_URI[sha256sum] = "a0388a544c77139dc751cdbf66bdd38fc29c43f9e81a1cdfd119c84109ffca3f"
+
+
+# ==============================================================================
+# BBCLASSES
+# ==============================================================================
+
+# CONFIGURATION AND BUILD
+inherit meson pkgconfig
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[docs] = ",, asciidoc-native"
+PACKAGECONFIG[dracut] = ",, dracut, dracut"
+PACKAGECONFIG[luks] = ",, luksmeta, cryptsetup jq"
+PACKAGECONFIG[pkcs11] = ",, opensc-native, opensc"
+PACKAGECONFIG[tpm2] = ",, tpm2-tools-native, tpm2-tools"
+# TODO: Add support for systemd systems.
+# initramfs-tools integration intentionally skipped due to no-support in OE.
+
+
+inherit bash-completion
+
+
+# PTESTING
+
+inherit ptest
+
+do_install_ptest () {
+	install -d ${D}${PTEST_PATH}
+	install -m 0744 ${S}/src/luks/tests/* ${D}${PTEST_PATH}
+	# TODO: more tests
+}
+
+RDEPENDS:${PN}-ptest += " bash cryptsetup"
+RRECOMMENDS:${PN}-ptest += " jq keyutils"
+
+
+# ==============================================================================
+# PACKAGING
+# ==============================================================================
+# clevis
+FILES:${PN} += " ${libdir}/dracut/*"
+RDEPENDS:${PN} += " bash tpm2-tools"
diff --git a/recipes-security/clevis/clevis_21.bbappend b/recipes-security/clevis/clevis_21.bbappend
@@ -0,0 +1 @@
+PACKAGECONFIG = "docs luks pkcs11 tpm2"
diff --git a/recipes-security/jose/jose_14.bb b/recipes-security/jose/jose_14.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Jose - C-language implementation of Javascript Object Signing and \
+Encryption"
+DESCRIPTION = "José is a C-language implementation of the Javascript Object \
+Signing and Encryption standards. Specifically. José is extensively tested \
+against the RFC test vectors."
+HOMEPAGE = "https://github.com/latchset/jose"
+SECTION = "security"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "\
+	file://COPYING;md5=34400b68072d710fecd0a2940a0d1658 \
+"
+
+DEPENDS = "\
+	openssl \
+	jansson \
+	zlib \
+"
+
+
+SRC_URI = "\
+	https://github.com/latchset/jose/releases/download/v14/jose-14.tar.xz \
+"
+SRC_URI[sha256sum] = "cee329ef9fce97c4c025604a8d237092f619aaa9f6d35fdf9d8c9052bc1ff95b"
+
+
+# ==============================================================================
+# BBCLASSES
+# ==============================================================================
+
+inherit meson pkgconfig
+
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-support/luksmeta/luksmeta_10.bb b/recipes-support/luksmeta/luksmeta_10.bb
@@ -0,0 +1,29 @@
+SUMMARY = "LUKSMeta"
+DESCRIPTION = "Welcome to LUKSMeta! LUKSMeta is a simple library for storing \
+metadata in the LUKSv1 header. This library is licensed under the GNU LGPLv2+."
+HOMEPAGE = "https://github.com/latchset/luksmeta"
+SECTION = "security"
+LICENSE = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "\
+	file://COPYING;md5=4e9dfcb21c14eb0c40ae8ba436d3bb7a \
+"
+
+DEPENDS = "\
+    cryptsetup \
+"
+
+
+SRC_URI = "\
+    https://github.com/latchset/luksmeta/releases/download/v10/luksmeta-10.tar.bz2 \
+"
+SRC_URI[sha256sum] = "a842538ba39680c8319c41dac0bcc082fe40fb43342561761925c0daa1a48f28"
+
+
+inherit autotools pkgconfig
+
+# ==============================================================================
+# PACKAGING
+# ==============================================================================
+
+
+BBCLASSEXTEND = "native"