Thistle Options
thistle-features:
  meta-thistle: 5c06b3509d5df6144a87027286558968988418f7
  updater: true
  read-only-rootfs: false
  libc: glibc
  curl:
    bin: true
    lib: true
    tls: openssl
By building around the open-source meta-thistle layer, the build can be amended to integrate the features Thistle supports. To enable Thistle Features on your build, add the thistle-features dictionary and set the meta-thistle release you want (the example above pins a specific commit of the layer).
Thistle Update Client
The Thistle Update Client can be integrated directly for your target by setting update: true in the thistle-features configuration. This automatically pulls the update client matching your build and makes it usable on the target at /usr/bin/tuc, or simply as tuc since it is on the path.
Infineon Trust-M Integration
The meta-thistle layer provides full support for Infineon Trust M platforms. Integrate your aarch64 platform by setting the optional package configuration shown below.
local_conf_header:
  standard: |
    IMAGE_INSTALL:append = " trust-m trust-m-dev"
This automatically builds all the linux-optiga-trust-m tools and makes them available directly on your build:
raspberrypi4-64-thistle:/usr/bin$ ls trustm_*
trustm_cert trustm_engine.so trustm_monotonic_counter trustm_read_data trustm_rsa_enc trustm_symmetric_keygen
trustm_chipinfo trustm_errorcode trustm_protected_update trustm_read_status trustm_rsa_keygen
trustm_data trustm_hkdf trustm_protected_update_aeskey trustm_readmetadata_data trustm_rsa_sign
trustm_ecc_keygen trustm_hmac trustm_protected_update_data trustm_readmetadata_private trustm_rsa_verify
trustm_ecc_sign trustm_hmac_verify_Auth trustm_protected_update_ecckey trustm_readmetadata_status trustm_symmetric_dec
trustm_ecc_verify trustm_metadata trustm_protected_update_rsakey trustm_rsa_dec trustm_symmetric_enc
Read Only Rootfs
The root filesystem can be made read-only by setting the read-only-rootfs flag. This hardens the build, since persistent exploits (which need to write to the root filesystem) become more difficult to implement.
libc
The libc is also selectable via the libc option; glibc and musl are supported.
curl
curl can be integrated directly as well, and it is possible to set options such as the TLS stack (gnutls, mbedtls, rustls and openssl are supported). The lib option can also be enabled to make libcurl.so available on the system.
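Two of the options above (read-only-rootfs and the curl TLS stack) are easy to request but worth verifying on the booted image. The script below is an added example, not part of the meta-thistle documentation or its tooling: it checks that "/" is mounted ro and which TLS library the installed curl reports, using constructed sample text so it can be exercised offline; on a real target, feed it the contents of /proc/mounts and the output of `curl -V`.

```shell
#!/bin/sh
# Added example (not from meta-thistle): post-build checks for two
# thistle-features options. Inputs are passed as text so the functions
# run offline against constructed samples.

# rootfs_is_readonly MOUNTS_TEXT
#   Returns 0 if the entry mounted on "/" carries the "ro" option.
#   MOUNTS_TEXT is in /proc/mounts format: dev mountpoint fstype opts 0 0
rootfs_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "/" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# curl_tls_backend CURL_V_TEXT
#   Prints the TLS library named on the first line of `curl -V`,
#   lower-cased and stripped of its version: openssl, rustls, gnutls, mbedtls.
curl_tls_backend() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(OpenSSL|rustls|GnuTLS|mbedTLS)/) {
                sub(/[\/-].*$/, "", $i)   # drop "/3.2.0" or "-ffi/..."
                print tolower($i)
                exit
            }
        }
    }'
}

# Constructed samples: a read-only ext4 root and a curl built against OpenSSL
# (what the curl: tls: openssl setting in the thistle-features block asks for).
SAMPLE_MOUNTS='/dev/root / ext4 ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'
SAMPLE_CURL_V='curl 8.5.0 (aarch64-poky-linux-gnu) libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3
Protocols: file ftp http https'

# Stand-alone run against the samples; replace with "$(cat /proc/mounts)"
# and "$(curl -V)" on the target.
if rootfs_is_readonly "$SAMPLE_MOUNTS"; then
    echo "rootfs: read-only"
else
    echo "rootfs: WRITABLE (read-only-rootfs not in effect)"
fi
echo "curl TLS backend: $(curl_tls_backend "$SAMPLE_CURL_V")"
```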