ni · amstewart · Jan 9, 2026 · Jan 13, 2026 · Jan 12, 2026 · Jan 12, 2026
diff --git a/conf/machine/x64.conf b/conf/machine/x64.conf
@@ -10,6 +10,8 @@ DEFAULTTUNE ?= "core2-64"
 require conf/machine/include/x86/tune-core2.inc
 require conf/machine/include/x86/x86-base.inc
 
+MACHINE_FEATURES:append = " tpm2"
+
 XSERVER = "\
 	${XSERVER_X86_BASE} \
 	${XSERVER_X86_EXT} \

diff --git a/files/group b/files/group
@@ -6,6 +6,7 @@ ni:x:500:
 openvpn:x:499:
 niwscerts:x:498:
 # free space
+clevis:x:405:
 krill:x:404:
 xrdp:x:403:
 arpwatch:x:402:

diff --git a/files/passwd b/files/passwd
@@ -6,6 +6,7 @@ webserv:x:501::::
 lvuser:x:500::::
 openvpn:x:499::::
 # free space
+clevis:x:405::::
 krill:x:404::::
 xrdp:x:403::::
 arpwatch:x:402::::

diff --git a/recipes-bsp/grub/grub-bootconf_%.bbappend b/recipes-bsp/grub/grub-bootconf_%.bbappend
diff --git a/recipes-bsp/grub/grub-efi_2.%.bbappend b/recipes-bsp/grub/grub-efi_2.%.bbappend
@@ -1,12 +1,37 @@
 require grub-nilrt.inc
 
-GRUB_BUILDIN += "smbios chain multiboot efi_uga font gfxterm gfxmenu terminal \
-                minicmd iorw echo reboot terminfo loopback memdisk tar help serial \
-                ls search_fs_uuid udf btrfs ntfs reiserfs xfs lvm ata \
-                regexp probe"
-
-# Downstream NI-branch code quality is not yet ready to build with -Werror
-CFLAGS:append = " -Wno-error"
+GRUB_BUILDIN:append = " \
+    ata \
+    btrfs \
+    chain \
+    echo \
+    efi_uga \
+    font \
+    gfxmenu \
+    gfxterm \
+    help \
+    iorw \
+    loopback \
+    ls \
+    lvm \
+    memdisk \
+    minicmd \
+    multiboot \
+    ntfs \
+    probe \
+    reboot \
+    regexp \
+    reiserfs \
+    search_fs_uuid \
+    serial \
+    smbios \
+    tar \
+    terminal \
+    terminfo \
+    tpm \
+    udf \
+    xfs \
+"
 
 PACKAGES:prepend = "${PN}-nilrt "
 
@@ -17,10 +42,13 @@ do_install:append:class-target() {
     # unchanged so that we may use it with USB provisioning tool
     # and other removable storage.
     (
-    cd "${B}"
-    grub-mkimage -p /efi/nilrt -d ./grub-core/ \
-                 -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE_PREFIX}nilrt-${GRUB_IMAGE} \
-                 ${GRUB_BUILDIN}
+        cd "${B}"
+        grub-mkimage \
+            --prefix=/efi/nilrt \
+            --directory=./grub-core/ \
+            --format=${GRUB_TARGET}-efi \
+            --output=./${GRUB_IMAGE_PREFIX}nilrt-${GRUB_IMAGE} \
+            ${GRUB_BUILDIN}
     )
 
     # Install NILRT grub image

diff --git a/recipes-bsp/grub/grub-nilrt.inc b/recipes-bsp/grub/grub-nilrt.inc
@@ -4,7 +4,6 @@ SRC_URI += "\
 	file://cmd-test-Add-bitwise-AND-document-the-feature.patch \
 	file://grub-advertise-NI-NILRT-over-GNU-GRUB.patch \
 	file://add-inbit-command-to-io-module.patch \
-	file://grub.cfg \
 	file://cfg \
 	file://grub.d \
 "

diff --git a/recipes-bsp/grub/grub/grub-safemode.cfg b/recipes-bsp/grub/grub/grub-safemode.cfg
@@ -41,6 +41,7 @@ set sys_reset=false
 set system_manufacturer=""
 set smbios_bootmode=0
 set smbios_tablelen=0
+set measure_on=true
 
 # Set the root variable to NI's bootfs partition
 search --set root --label nibootfs

diff --git a/recipes-bsp/grub/grub/grub.cfg b/recipes-bsp/grub/grub/grub.cfg
diff --git a/recipes-core/packagegroups/packagegroup-ni-base.bb b/recipes-core/packagegroups/packagegroup-ni-base.bb
@@ -103,6 +103,10 @@ RDEPENDS:${PN}:append:x64 = "\
 	efibootmgr \
 	efivar \
 	pstore-save \
+	clevis \
+	cryptsetup \
+	libtss2-tcti-device \
+	tpm2-tools \
 "
 
 RDEPENDS:${PN}:append:xilinx-zynq = "\

diff --git a/recipes-core/packagegroups/packagegroup-ni-tpm.bb b/recipes-core/packagegroups/packagegroup-ni-tpm.bb
@@ -11,5 +11,8 @@ inherit packagegroup
 
 RDEPENDS:${PN} = "\
 	packagegroup-security-tpm2 \
+	clevis \
+	cryptsetup \
 	libtss2-tcti-device \
+	tpm2-tools \
 "
diff --git a/recipes-kernel/linux/files/extra_x64.cfg b/recipes-kernel/linux/files/extra_x64.cfg
@@ -1072,6 +1072,7 @@ CONFIG_HWMON_VID=m
 CONFIG_HWPOISON_INJECT=m
 CONFIG_HW_RANDOM_BA431=m
 CONFIG_HW_RANDOM_TIMERIOMEM=m
+CONFIG_HW_RANDOM_TPM=m
 CONFIG_HW_RANDOM_XIPHERA=m
 CONFIG_HX711=m
 CONFIG_HYPERV_VSOCKETS=m
@@ -1083,8 +1084,10 @@ CONFIG_I2C_AMD756=m
 CONFIG_I2C_AMD756_S4882=m
 CONFIG_I2C_AMD8111=m
 CONFIG_I2C_AMD_MP2=m
+CONFIG_I2C_BOARDINFO=m
 CONFIG_I2C_CBUS_GPIO=m
 CONFIG_I2C_CHT_WC=m
+CONFIG_I2C_COMPAT=m
 CONFIG_I2C_CP2615=m
 CONFIG_I2C_CROS_EC_TUNNEL=m
 CONFIG_I2C_DIOLAN_U2C=m
@@ -2460,6 +2463,7 @@ CONFIG_RDS_RDMA=m
 CONFIG_RDS_TCP=m
 CONFIG_REALTEK_PHY=m
 CONFIG_REED_SOLOMON=m
+CONFIG_REGMAP_I2C=m
 CONFIG_REGMAP_I3C=m
 CONFIG_REGMAP_SCCB=m
 CONFIG_REGMAP_SLIMBUS=m
@@ -2510,6 +2514,7 @@ CONFIG_RT2800_LIB_MMIO=m
 CONFIG_RT2X00_LIB_MMIO=m
 CONFIG_RT2X00_LIB_PCI=m
 CONFIG_RT61PCI=m
+CONFIG_RTC_I2C_AND_SPI=m
 CONFIG_RTL8180=m
 CONFIG_RTL8188EE=m
 CONFIG_RTL8192CE=m
@@ -2656,6 +2661,7 @@ CONFIG_SCSI_WD719X=m
 CONFIG_SDIO_UART=m
 CONFIG_SDR_MAX2175=m
 CONFIG_SD_ADC_MODULATOR=m
+CONFIG_SECURITYFS=m
 CONFIG_SEL3350_PLATFORM=m
 CONFIG_SENSEAIR_SUNRISE_CO2=m
 CONFIG_SENSIRION_SGP30=m
@@ -3065,8 +3071,11 @@ CONFIG_TAHVO_USB=m
 CONFIG_TAP=m
 CONFIG_TARGET_CORE=m
 CONFIG_TCG_ATMEL=m
+CONFIG_TCG_CRB=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_NSC=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_CORE=m
 CONFIG_TCG_TIS_I2C=m
 CONFIG_TCG_TIS_I2C_ATMEL=m
 CONFIG_TCG_TIS_I2C_CR50=m
@@ -3076,6 +3085,7 @@ CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
 CONFIG_TCG_TIS_ST33ZP24_SPI=m
+CONFIG_TCG_TPM=m
 CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_XEN=m
 CONFIG_TCM_FC=m

diff --git a/recipes-security/clevis/clevis_21.bb b/recipes-security/clevis/clevis_21.bb
@@ -0,0 +1,67 @@
+SUMMARY = "Clevis - Automated Encryption Framework"
+DESCRIPTION = "Clevis is a pluggable framework for automated decryption. It \
+can be used to provide automated decryption of data or even automated \
+unlocking of LUKS volumes."
+HOMEPAGE = "https://github.com/latchset/clevis"
+SECTION = "security"
+LICENSE = "GPL-3.0-or-later"
+LIC_FILES_CHKSUM = "\
+	file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
+	file://COPYING.openssl;md5=a78c00d154a43f35ef1dc1292a234c6d \
+"
+
+
+DEPENDS = "\
+	cryptsetup \
+	cryptsetup-native \
+	jansson \
+	jose \
+	keyutils-native \
+"
+
+SRC_URI = "\
+	https://github.com/latchset/clevis/releases/download/v${PV}/${BP}.tar.xz \
+"
+SRC_URI[sha256sum] = "a0388a544c77139dc751cdbf66bdd38fc29c43f9e81a1cdfd119c84109ffca3f"
+
+
+# ==============================================================================
+# BBCLASSES
+# ==============================================================================
+
+# CONFIGURATION AND BUILD
+inherit meson pkgconfig
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[docs] = ",, asciidoc-native"
+PACKAGECONFIG[dracut] = ",, dracut, dracut"
+PACKAGECONFIG[luks] = ",, luksmeta, cryptsetup jq"
+PACKAGECONFIG[pkcs11] = ",, opensc-native, opensc"
+PACKAGECONFIG[tpm2] = ",, tpm2-tools-native, tpm2-tools"
+# TODO: Add support for systemd systems.
+# initramfs-tools integration intentionally skipped due to no-support in OE.
+
+
+inherit bash-completion
+
+
+# PTESTING
+
+inherit ptest
+
+do_install_ptest () {
+	install -d ${D}${PTEST_PATH}
+	install -m 0744 ${S}/src/luks/tests/* ${D}${PTEST_PATH}
+	# TODO: more tests
+}
+
+RDEPENDS:${PN}-ptest += " bash cryptsetup"
+RRECOMMENDS:${PN}-ptest += " jq keyutils"
+
+
+# ==============================================================================
+# PACKAGING
+# ==============================================================================
+# clevis
+FILES:${PN} += " ${libdir}/dracut/*"
+RDEPENDS:${PN} += " bash tpm2-tools"
diff --git a/recipes-security/clevis/clevis_21.bbappend b/recipes-security/clevis/clevis_21.bbappend
@@ -0,0 +1 @@
+PACKAGECONFIG = "docs dracut luks pkcs11 tpm2"
diff --git a/recipes-security/jose/jose_14.bb b/recipes-security/jose/jose_14.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Jose - C-language implementation of Javascript Object Signing and \
+Encryption"
+DESCRIPTION = "José is a C-language implementation of the Javascript Object \
+Signing and Encryption standards. Specifically. José is extensively tested \
+against the RFC test vectors."
+HOMEPAGE = "https://github.com/latchset/jose"
+SECTION = "security"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "\
+	file://COPYING;md5=34400b68072d710fecd0a2940a0d1658 \
+"
+
+DEPENDS = "\
+	openssl \
+	jansson \
+	zlib \
+"
+
+
+SRC_URI = "\
+	https://github.com/latchset/jose/releases/download/v14/jose-14.tar.xz \
+"
+SRC_URI[sha256sum] = "cee329ef9fce97c4c025604a8d237092f619aaa9f6d35fdf9d8c9052bc1ff95b"
+
+
+# ==============================================================================
+# BBCLASSES
+# ==============================================================================
+
+inherit meson pkgconfig
+
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-support/luksmeta/luksmeta_10.bb b/recipes-support/luksmeta/luksmeta_10.bb
@@ -0,0 +1,29 @@
+SUMMARY = "LUKSMeta"
+DESCRIPTION = "Welcome to LUKSMeta! LUKSMeta is a simple library for storing \
+metadata in the LUKSv1 header. This library is licensed under the GNU LGPLv2+."
+HOMEPAGE = "https://github.com/latchset/luksmeta"
+SECTION = "security"
+LICENSE = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "\
+	file://COPYING;md5=4e9dfcb21c14eb0c40ae8ba436d3bb7a \
+"
+
+DEPENDS = "\
+    cryptsetup \
+"
+
+
+SRC_URI = "\
+    https://github.com/latchset/luksmeta/releases/download/v10/luksmeta-10.tar.bz2 \
+"
+SRC_URI[sha256sum] = "a842538ba39680c8319c41dac0bcc082fe40fb43342561761925c0daa1a48f28"
+
+
+inherit autotools pkgconfig
+
+# ==============================================================================
+# PACKAGING
+# ==============================================================================
+
+
+BBCLASSEXTEND = "native"