From 0d5e631162d90ab724fd1f03ec294fd171cac3cf Mon Sep 17 00:00:00 2001
From: Samuel Dolt
Date: Mon, 7 Aug 2023 15:32:53 +0200
Subject: [PATCH] feat(belden-coreos): reworked distro settings

Now the distro settings is splitted into two config smaller config file. PACKAGECONFIG for the system package is set to include a reduced set of features by default. Some EFI related feature are now dependant of the EFI DISTRO_ and MACHINE_FEATURES.
---
 .../efibootguard/efibootguard_%.bbappend | 11 --
 .../recipes-bsp/u-boot/u-boot-coreos.inc | 2 +-
 .../linux/linux-yocto_5.15.bbappend | 2 +-
 .../classes/coreos-image.bbclass | 6 +-
 .../conf/distro/belden-coreos-base.conf | 8 ++
 .../conf/distro/belden-coreos.conf | 84 +-------------
 .../distro/include/belden-coreos-base.inc | 108 ++++++++++++++++++
 .../distro/include/belden-coreos-extra.inc | 30 +++++
 .../recipes-bsp/efi/efi-secureboot-keys.bb | 0
 .../efibootguard/efibootguard_%.bbappend | 16 +++
 .../swupdate/swupdate_%.bbappend | 4 +-
 11 files changed, 173 insertions(+), 98 deletions(-)
 delete mode 100644 layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend
 create mode 100644 layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
 create mode 100644 layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
 create mode 100644 layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
 rename layers/{meta-belden-coreos-bsp => meta-belden-coreos}/recipes-bsp/efi/efi-secureboot-keys.bb (100%)
diff --git a/layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend b/layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend
deleted file mode 100644
index cf840b0..0000000
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ /dev/null
@@ -1,11 +0,0 @@
-# Add signature support
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-do_deploy:append() {
-
- if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
- coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
- fi
-}
diff --git a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc
index ace80b9..cba923d 100644
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc
@@ -9,4 +9,4 @@ SRC_URI += " \
 ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
 "
-require u-boot-coreos-efi.inc
+require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "u-boot-coreos-efi.inc", "", d)}
diff --git a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
index fe155d5..913e80a 100644
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
@@ -10,4 +10,4 @@ SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
-require linux-yocto-coreos-efi.inc
+require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}
diff --git a/layers/meta-belden-coreos/classes/coreos-image.bbclass b/layers/meta-belden-coreos/classes/coreos-image.bbclass
index 057d652..f2e7f59 100644
--- a/layers/meta-belden-coreos/classes/coreos-image.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image.bbclass
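Review bot: In u-boot-coreos.inc the new `require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "u-boot-coreos-efi.inc", "", d)}` expands to an empty `require` whenever `efi` is missing from either MACHINE_FEATURES or DISTRO_FEATURES, so the EFI fragment is dropped without any message; linux-yocto_5.15.bbappend uses the same pattern. What those fragments configure is not visible in this patch, but a machine conf that simply omits `efi` would now get a different bootloader and kernel configuration silently, which matters if the secure-boot chain depends on them. I would document the condition above each line, e.g. `# EFI fragment is only pulled in when both MACHINE_FEATURES and DISTRO_FEATURES list "efi"`.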
@@ -90,9 +90,9 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
 # ==============================================================================
 # Support for Unified Kernel Image and Swupdate are optional
-COREOS_IMAGE_GENERATE_INSTALLER ?= "1"
-COREOS_IMAGE_GENERATE_UKI ?= "1"
-COREOS_IMAGE_GENERATE_SWU ?= "1"
+COREOS_IMAGE_GENERATE_INSTALLER ?= "${@bb.utils.contains("DISTRO_FEATURES", "swupdate", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_SWU ?= "${@bb.utils.contains("DISTRO_FEATURES", "swupdate", "1", "0", d)}"
 # Generate the installer image if needed
 do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"
diff --git a/layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf b/layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
new file mode 100644
index 0000000..22001d4
--- /dev/null
+++ b/layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
@@ -0,0 +1,8 @@
+require conf/distro/include/belden-coreos-base.inc
+
+DISTRO = "belden-coreos-base"
+DISTRO_NAME = "Belden CoreOS (Base)"
+MAINTAINER = "Belden CoreOS Team"
+
+DISTRO_VERSION = "0.0.1"
+DISTRO_CODENAME = "kirkstone"
diff --git a/layers/meta-belden-coreos/conf/distro/belden-coreos.conf b/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
index 8b22836..4eec78e 100644
--- a/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
+++ b/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
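Review bot: In coreos-image.bbclass the three new defaults nest double quotes inside a double-quoted value, while the `IMAGE_ROOTFS_EXTRA_SPACE:append` line shown in the hunk header and the `do_build[depends]` line just below use single quotes inside `${@...}`. Matching the rest of the class reads better, e.g. `COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains('COMBINED_FEATURES', 'efi', '1', '0', d)}"`. The comment above the block still mentions only the UKI and Swupdate as optional; it should also say that the installer image now follows the `swupdate` distro feature, because that coupling is not obvious from the variable name.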
@@ -1,87 +1,9 @@
+require conf/distro/include/belden-coreos-base.inc
+require conf/distro/include/belden-coreos-extra.inc
+
 DISTRO = "belden-coreos"
 DISTRO_NAME = "Belden CoreOS"
 MAINTAINER = "Belden CoreOS Team"
-INHERIT += "coreos_metadata_scm"
-
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
-
-# Distro features and policies
-# ==============================================================================
-
-PACKAGE_CLASSES = "package_ipk"
-INIT_MANAGER = "systemd"
-
-# CoreOS use journald from the systemd package to handle log
-# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
-# This remove syslog from packagegroup-core-boot
-VIRTUAL-RUNTIME_syslog = ""
-VIRTUAL-RUNTIME_base-utils-syslog = ""
-
-DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
-DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
-DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
-DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
-
-# Build configuration
-# ==============================================================================
-
-TARGET_VENDOR = "-belden"
-
-# We don't support multiple libc, so we don't need to append the libc name to
-# the tmp directory: ie use build/tmp instead of build/tmp-glibc
-TCLIBCAPPEND = ""
-
-SANITY_TESTED_DISTROS ?= " \
- debian-11 \n \
- ubuntu-22.04 \n \
- "
-
-# This variable is used to ensure that any distribution using the CoreOS layer
-# include this file. This is checked by the coreos-sanity class
-SANITY_COREOS_COMPATIBLE ?= "1"
-
-require conf/distro/include/no-static-libs.inc
-require conf/distro/include/yocto-uninative.inc
-require conf/distro/include/security_flags.inc
-
-# uninative is need to share the sstates between multiple host distrubtion
-INHERIT += "uninative"
-
-# Bitbake configuration
-# ==============================================================================
-
-BB_SIGNATURE_HANDLER ?= "OEBasicHash"
-
-# SDK Configuration
-# ==============================================================================
-
-SDK_VENDOR = "-coreossdk"
-SDK_VERSION = "${DISTRO_VERSION}"
-SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
-SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
-SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
-
-# EFI and Secure boot
-# ==============================================================================
-
-EFI_PROVIDER = "efibootguard"
-EFIBOOTGUARD_TIMEOUT ??= "60"
-INHERIT += "coreos-efi-secureboot"
-
-# Virtualization configuration
-# ==============================================================================
-
-# Use crun insted of runc as a OCI runtime. crun is faster and need less memory
-# than runc so it's a better fit for embedded
-#PREFERRED_PROVIDER_virtual/runc = "crun"
-PACKAGECONFIG:append:pn-podman = " rootless"
-DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"
-
-# CoreOS specific options
-# ==============================================================================
-
-# Distro based on CoreOS can provide their own configuration files for the
-# CoreOS installer by overriding this variable
-PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
diff --git a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
new file mode 100644
index 0000000..1d6ca82
--- /dev/null
+++ b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc 
@@ -0,0 +1,108 @@
+# This is the base include file for all coreos based distro
+# it should support the most basic distro without optional coreos
+# features
+
+INHERIT += "coreos_metadata_scm"
+
+# Distro features and policies
+# ==============================================================================
+
+PACKAGE_CLASSES = "package_ipk"
+INIT_MANAGER = "systemd"
+
+# CoreOS use journald from the systemd package to handle log
+# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
+# This remove syslog from packagegroup-core-boot
+VIRTUAL-RUNTIME_syslog = ""
+VIRTUAL-RUNTIME_base-utils-syslog = ""
+
+DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
+
+# CoreOS wasn't compatible with older Yocto version, so we should not have any
+# features backfilled. Value are from DISTRO_FEATURES_BACKFILL
+# with the exception of gobject-introspection-data that are backfilled on
+# purpose, this allow to use C library based on gobject in python or javascript
+DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio sysvinit ldconfig"
+
+DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
+
+# Build configuration
+# ==============================================================================
+
+TARGET_VENDOR = "-belden"
+
+# We don't support multiple libc, so we don't need to append the libc name to
+# the tmp directory: ie use build/tmp instead of build/tmp-glibc
+TCLIBCAPPEND = ""
+
+SANITY_TESTED_DISTROS ?= " \
+ debian-11 \n \
+ ubuntu-22.04 \n \
+ "
+
+# This variable is used to ensure that any distribution using the CoreOS layer
+# include this file. This is checked by the coreos-sanity class
+SANITY_COREOS_COMPATIBLE ?= "1"
+
+require conf/distro/include/no-static-libs.inc
+require conf/distro/include/yocto-uninative.inc
+require conf/distro/include/security_flags.inc
+
+# uninative is need to share the sstates between multiple host distrubtion
+INHERIT += "uninative"
+
+# Bitbake configuration
+# ==============================================================================
+
+BB_SIGNATURE_HANDLER ?= "OEBasicHash"
+
+# SDK Configuration
+# ==============================================================================
+
+SDK_VENDOR = "-coreossdk"
+SDK_VERSION = "${DISTRO_VERSION}"
+SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
+SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
+SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
+
+# EFI and Secure boot
+# ==============================================================================
+
+EFI_PROVIDER = "efibootguard"
+EFIBOOTGUARD_TIMEOUT ??= "60"
+INHERIT += "coreos-efi-secureboot"
+
+
+# PACKAGECONFIG
+# ==============================================================================
+# Reduce the size of some package by disabling some feature by default
+
+# Distro using coreos can re-enabled a disabled config by changing
+# the COREOS_DISABLED_PACKAGECONFIG variable
+
+PACKAGECONFIG:pn-systemd ?= " \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \
+ hostnamed \
+ kmod \
+ localed \
+ logind \
+ set-time-epoch \
+ sysusers \
+ userdb \
+ vconsole \
+ wheel-group \
+ zstd \
+"
+
+# DNS Configuration
+
+
+# CoreOS specific options
+# ==============================================================================
+
+# Distro based on CoreOS can provide their own configuration files for the
+# CoreOS installer by overriding this variable
+PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
diff --git a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
new file mode 100644
index 0000000..c37835b
--- /dev/null
+++ b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
@@ -0,0 +1,30 @@
+# This is the include all the CoreOS feature that are optional
+
+# Virtualization configuration
+# ==============================================================================
+
+PACKAGECONFIG:append:pn-podman = " rootless"
+DISTRO_FEATURES += "virtualization seccomp"
+
+# swupdate configuration
+# ==============================================================================
+
+# Enable the generation of .swu file for images
+DISTRO_FEATURES += "swupdate"
+
+# Networking configuration
+# ==============================================================================
+
+# Add networking support to systemd. This allow systemd to handle
+# network/dhcp/dns/time
+PACKAGECONFIG:pn-systemd += " \
+ hostnamed \
+ idn \
+ myhostname \
+ nss \
+ nss-resolve \
+ resolved \
+ networkd \
+ timedated \
+ timesyncd \
+"
diff --git a/layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb b/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb
similarity index 100%
rename from layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb
rename to layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb
diff --git a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
index 682574a..2a5b34b 100644
--- a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
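Review bot: In belden-coreos-base.inc the `DISTRO_FEATURES ?=` default no longer contains `seccomp` (only belden-coreos-extra.inc adds it back), so for belden-coreos-base the `seccomp` entry in the `bb.utils.filter(...)` of `PACKAGECONFIG:pn-systemd` expands to nothing and systemd is built without seccomp support; `SystemCallFilter=` and related sandboxing settings in unit files are then ignored. If the base distro is meant to keep that hardening, add it to the default: `DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam seccomp"`. Separately, the PACKAGECONFIG comment refers to `COREOS_DISABLED_PACKAGECONFIG`, which nothing in this hunk defines or reads, and the `# DNS Configuration` heading has no content under it; both should be either implemented or removed so the file does not document a knob that does not exist.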
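Review bot: In belden-coreos-extra.inc, `PACKAGECONFIG:pn-systemd += " \` and the two `DISTRO_FEATURES += "..."` lines only give the intended result because belden-coreos.conf requires belden-coreos-base.inc first, where both variables are set with `?=`. If a derived distro includes the files in the other order the `?=` defaults are skipped, and if it assigns either variable afterwards these additions are lost, in both cases without an error and, for `DISTRO_FEATURES`, taking `seccomp` with them. The podman line in the same file already uses the order-independent form, so I would write `PACKAGECONFIG:append:pn-systemd = " \` and `DISTRO_FEATURES:append = " virtualization seccomp"` (likewise for `swupdate`). `hostnamed` is already in the base PACKAGECONFIG list and can be dropped here.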
@@ -1,4 +1,20 @@
+
+# Add CoreOS A/B Switching support
+# ==============================================================================
+
 FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch"
+# Add signature support
+# ==============================================================================
+
+inherit coreos-efi-sbsign
+require conf/image-uefi.conf
+
+do_deploy:append() {
+
+ if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
+ coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
+ fi
+}
diff --git a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
index 96bea30..b45fca4 100644
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
@@ -1,3 +1,6 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "swupdate"
+
 # File in the swupdate subdirectory of this recipe should overwrite the
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
@@ -9,7 +12,6 @@ SRC_URI += "\
 PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
-
 # Don't use /www as the web root
 wwwdir = "${datadir}/swupdate-www"
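Review bot: In the efibootguard bbappend, `do_deploy:append` signs `efibootguard${EFI_ARCH}.efi` only when the file exists and otherwise does nothing, so a renamed or missing binary leaves the deploy directory without a signed bootloader while the build still succeeds. For a secure-boot signing step I would fail closed by adding an `else` branch before `fi`: `else bbfatal "efibootguard${EFI_ARCH}.efi not found in ${DEPLOYDIR}, nothing was signed"`. The block is moved here unchanged from the BSP layer, so this is a good moment to also add a one-line comment saying which class provides `coreos_efi_secureboot_sign_app` and which key material it expects.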
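Review bot: In swupdate_%.bbappend, `REQUIRED_DISTRO_FEATURES = "swupdate"` uses plain assignment, which would replace any requirement the appended swupdate recipe declares itself (that recipe is not visible in this patch). `REQUIRED_DISTRO_FEATURES += "swupdate"` keeps whatever the base recipe sets and adds the new gate on top.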