From b1907f9922ead713639a93c7e93f62ac9feea69b Mon Sep 17 00:00:00 2001 From: Shiva Tripathi Date: Fri, 24 Apr 2026 12:31:41 +0530 Subject: [PATCH 1/2] fix(security): Clarify TRNG engine ownership by OPTEE The SDK by default provides control of TRNG engine to OP-TEE, which also firewalls the associated MMR regions. Document this design choice for clarity. Also include reference of TRNG in security central page. Signed-off-by: Shiva Tripathi --- .../Kernel/Kernel_Drivers/Crypto/DTHEv2.rst | 8 +++++--- .../Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst | 8 ++++++-- .../System_Security/Security_overview.rst | 9 ++++++--- 3 files changed, 17 insertions(+), 8 deletions(-) diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst index b70ff3f9d..44c8ae259 100644 --- a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst +++ b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst @@ -216,10 +216,12 @@ software only implementation can be compared to the previous test. Using the True Random Number Generator (TRNG) Hardware Accelerator ****************************************************************** -The pre-built kernel included within the SDK already has the OP-TEE TRNG -driver enabled. You do not need any further configuration. +In the default SDK, OP-TEE controls the TRNG engine and firewalls its +hardware registers, blocking outside access. To use TRNG from Linux instead, +disable the OP-TEE driver and enable the RNG node in the Linux device tree. -Verify that the optee-rng driver is loaded: +Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng +driver loads: .. code-block:: console diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst index d3cb4eac4..f8d5f717a 100644 
--- a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst +++ b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst @@ -304,8 +304,12 @@ software only implementation can be compared to the previous test. Using the TRNG Hardware Accelerator *********************************** -The pre built kernel that come with the SDK already has the TRNG driver -built into the kernel. No further configuration is required. +In the default SDK, OP-TEE controls the TRNG engine and firewalls its +hardware registers, blocking outside access. To use TRNG from Linux instead, +disable the OP-TEE driver and enable the RNG node in the Linux device tree. + +Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng +driver loads: .. ifconfig:: CONFIG_crypto in ('sa2ul') diff --git a/source/linux/Foundational_Components/System_Security/Security_overview.rst b/source/linux/Foundational_Components/System_Security/Security_overview.rst index 509852664..22ee4936b 100644 --- a/source/linux/Foundational_Components/System_Security/Security_overview.rst +++ b/source/linux/Foundational_Components/System_Security/Security_overview.rst 
@@ -49,7 +49,8 @@ The following table lists some of the key Security Features: | **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` | | | code executes on the device | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ - | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` | + | **and TRNG** | hardware entropy based secure random number generation | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ | **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` | +-------------------------+-----------------------------------------------------------+--------------------------------------+ 
@@ -81,7 +82,8 @@ The following table lists some of the key Security Features: | **Authenticated Boot** | Transparent disk encryption using the Linux kernel | :ref:`auth_boot_guide` | | | device mapper (dm-crypt) for data confidentiality | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ - | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` | + | **and TRNG** | hardware entropy based secure random number generation | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ | **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` | +-------------------------+-----------------------------------------------------------+--------------------------------------+ 
@@ -106,7 +108,8 @@ The following table lists some of the key Security Features: +-------------------------+-----------------------------------------------------------+--------------------------------------+ | Security Feature | Description | Links | +=========================+===========================================================+======================================+ - | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` | + | **and TRNG** | hardware entropy based secure random number generation | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ | **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` | +-------------------------+-----------------------------------------------------------+--------------------------------------+ From ec5fb2c70deba1e3f1a672b7033f5dad06262bd1 Mon Sep 17 00:00:00 2001 From: Shiva Tripathi Date: Fri, 24 Apr 2026 14:31:52 +0530 Subject: [PATCH 2/2] feat(linux): Add Yocto layer luks configuration Add the luks yocto layer configuration used to build the SDK image with disk encryption using fTPM for AM62x/AM62Lx/AM62Px/AM64x. Signed-off-by: Shiva Tripathi --- .../linux/Release_Specific_Yocto_layer_Configuration.rst | 3 +++ .../linux/Release_Specific_Yocto_layer_Configuration.rst | 3 +++ .../AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst | 3 +++ .../AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst | 3 +++ 4 files changed, 12 insertions(+) diff --git a/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst index 9b7894df8..b3a3ef175 100644 --- a/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst 
+++ b/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst @@ -29,5 +29,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__| + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-nonui-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|. diff --git a/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst index 528b37ca7..36383d8ed 100644 --- a/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst +++ b/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst @@ -32,5 +32,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__| + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-chromium-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|. diff --git a/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst index 25163fc29..1f10e1fb9 100644 --- a/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst 
+++ b/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst @@ -32,5 +32,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__|, am62xx-lp-evm, am62xxsip-evm, beagleplay-ti + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-chromium-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|. diff --git a/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst index 9b7894df8..b3a3ef175 100644 --- a/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst +++ b/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst @@ -29,5 +29,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__| + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-nonui-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|.
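Review bot: In the DTHEv2.rst hunk (@@ -216), the sentence "To use TRNG from Linux instead, disable the OP-TEE driver and enable the RNG node in the Linux device tree" is incomplete given the commit message itself: OP-TEE also firewalls the TRNG MMR region, so disabling the OP-TEE driver and enabling the Linux node will still leave the registers inaccessible unless the OP-TEE build also stops firewalling them. Name the OP-TEE build option and the device-tree node the reader must change, and state the trade-off explicitly, e.g. "Moving TRNG ownership to Linux removes the register firewall; only do this if no secure-world consumer needs the TRNG." Also, "blocking outside access" would be clearer as "blocking access from the non-secure world".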
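Review bot: In the SA2UL_OMAP.rst hunk (@@ -304), the replaced text said the TRNG driver is built into the kernel, while the new text tells the reader to verify that optee-rng loads and then drops straight into `.. ifconfig:: CONFIG_crypto in ('sa2ul')`. Please confirm that on the SA2UL platforms the TRNG really is served through optee-rng and that the verification block under that ifconfig shows optee-rng rather than the old in-kernel driver, otherwise the paragraph contradicts the sample output beneath it. The paragraph is also a verbatim copy of the DTHEv2.rst one; an `.. include::` snippet would keep the two from drifting apart.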
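Review bot: In the first Security_overview.rst hunk (@@ -49), "hardware entropy based secure random number generation" reads awkwardly and is ambiguous without hyphens; suggest "hardware-entropy-based random number generation (TRNG)". The feature name is split into two bold spans, `**Crypto Acceleration**` and `**and TRNG**`; a single span `**Crypto Acceleration` continued as `and TRNG**` on the next line is valid inline markup inside a grid-table cell and renders as one phrase. Whatever wording is chosen should be applied identically to the two later tables (@@ -81 and @@ -106), which currently carry the same text.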
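Review bot: In the second Security_overview.rst hunk (@@ -81), the unchanged context row `| **Authenticated Boot** | Transparent disk encryption using the Linux kernel` `| | device mapper (dm-crypt) for data confidentiality` labels a dm-crypt disk-encryption description as Authenticated Boot and links it to :ref:`auth_boot_guide`. Since this series also adds the LUKS/fTPM build configuration, this is the moment to split that into its own "Disk Encryption" row pointing at the dm-crypt/fTPM guide, and to restore the authenticated-boot description used in the first table.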
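Review bot: In the AM62LX, AM62PX and AM64X Release_Specific_Yocto_layer_Configuration.rst hunks, the new row description "Used for building SDK with the luks disk encryption using fTPM" should spell the acronym as "LUKS" (matching "SELinux" on the row above) and should carry a :ref: to the disk-encryption/fTPM guide so readers learn the prerequisites (fTPM trusted application, OP-TEE) before picking this configuration. Separately, the AM62LX and AM64X diffs both show `index 9b7894df8..b3a3ef175`; that is only correct if the two files are byte-identical before and after, so please double-check the AM64X file was the one edited.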
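Review bot: In the AM62X Release_Specific_Yocto_layer_Configuration.rst hunk (@@ -32), the SELinux row lists `|__SDK_BUILD_MACHINE__|, am62xx-lp-evm, am62xxsip-evm, beagleplay-ti` while the new LUKS row lists only `|__SDK_BUILD_MACHINE__|`. If the fTPM-backed LUKS configuration is deliberately limited to the default EVM (for example because the other boards lack the fTPM setup), say so in the row; otherwise extend the machine list to match the SELinux row.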