Thistle Options

thistle-features:
  meta-thistle: 5c06b3509d5df6144a87027286558968988418f7
  updater: true
  read-only-rootfs: false
  libc: glibc
  curl:
    bin: true
    lib: true
    tls: openssl

By building on top of the open-source meta-thistle layer, a build can be extended with the features Thistle supports. To enable Thistle Features on your build, add the thistle-features dictionary and set meta-thistle to the desired release, as in the example above.

Thistle Update Client

The Thistle Update Client can be integrated directly into your target by setting updater: true in the thistle-features configuration (as in the example above). The correct update client for your build is pulled in automatically and installed at /usr/bin/tuc, so it can be invoked simply as tuc from the PATH.

Infineon Trust-M Integration

The meta-thistle layer provides full support for Infineon Trust M platforms. To integrate it on your aarch64 platform, add the optional package configuration shown below.

local_conf_header:
  standard: |
    IMAGE_INSTALL:append = " trust-m trust-m-dev"

This automatically builds all the linux-optiga-trust-m tools and makes them available directly on your build:

raspberrypi4-64-thistle:/usr/bin$ ls trustm_*
trustm_cert                     trustm_engine.so                trustm_monotonic_counter        trustm_read_data                trustm_rsa_enc                  trustm_symmetric_keygen
trustm_chipinfo                 trustm_errorcode                trustm_protected_update         trustm_read_status              trustm_rsa_keygen
trustm_data                     trustm_hkdf                     trustm_protected_update_aeskey  trustm_readmetadata_data        trustm_rsa_sign
trustm_ecc_keygen               trustm_hmac                     trustm_protected_update_data    trustm_readmetadata_private     trustm_rsa_verify
trustm_ecc_sign                 trustm_hmac_verify_Auth         trustm_protected_update_ecckey  trustm_readmetadata_status      trustm_symmetric_dec
trustm_ecc_verify               trustm_metadata                 trustm_protected_update_rsakey  trustm_rsa_dec                  trustm_symmetric_enc

Read Only Rootfs

The root filesystem can be made read-only by setting the read-only-rootfs flag to true. This hardens the build: with an immutable root filesystem, persistent exploits are harder to implement, because an attacker who gains code execution cannot simply modify files on the root filesystem to survive a reboot.

libc

The C library is also selectable via the libc option; glibc and musl are supported.

curl

curl can be integrated directly as well, and options such as the TLS stack can be set (gnutls, mbedtls, rustls, and openssl are supported). Enabling the lib option makes libcurl.so available on the system.
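A hardened variant of the configuration shown at the top of this page, combining the options described in the sections above (added example, not taken from the Thistle docs; it assumes the keys and values are accepted exactly as documented here and that nothing else on the image links against libcurl):

```yaml
# Constructed example: same layout as the default thistle-features
# dictionary at the top of this page, with the security-relevant
# options tightened.
thistle-features:
  meta-thistle: 5c06b3509d5df6144a87027286558968988418f7
  updater: true            # keep the Thistle Update Client (/usr/bin/tuc)
  read-only-rootfs: true   # immutable rootfs: persistence across reboots is harder
  libc: glibc
  curl:
    bin: true
    lib: false             # no libcurl.so on the image unless something needs it
    tls: openssl           # gnutls, mbedtls or rustls are the other supported stacks

# Optional: pull in the Infineon Trust-M tools on an aarch64 target,
# exactly as documented in the Trust-M section above.
local_conf_header:
  standard: |
    IMAGE_INSTALL:append = " trust-m trust-m-dev"
```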