feat(efibootguard): replace systemd-boot by efibootguard

We are now using efibootguard to provide a A/B boot path for
the kernel and the rootfs.

This commit remove some change for systemd/systemd-boot that are
not needed anymore and rework how we set the command line, as we
will need to have the command line argument of the kernel both
inside do_image_wic and in a future do_image_swu

.gitmodules

@@ -14,3 +14,7 @@
 	path = layers/meta-virtualization
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
 	branch = kirkstone
+[submodule "layers/meta-efibootguard"]
+	path = layers/meta-efibootguard
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-efibootguard.git
+	branch = coreos/master

layers/meta-belden-coreos-bsp/classes/coreos-bsp-config.bbclass

@@ -1,44 +0,0 @@
-# This class is ihnerited globally in the CoreOS distro
-# ==============================================================================
-#
-# This class change the default of variables that are usually set in the machine
-# configuration
-
-# EFI Configuration
-# ==============================================================================
-
-# EFI is a requirement for CoreOS
-MACHINE_FEATURES:append = "efi"
-MACHINE_FEATURES:remove:container = "efi"
-
-# If a bootloader is used, it should be systemd-boot and not grub-efi as set
-# in packagegroup-core-boot by default.
-EFI_PROVIDER ?= "systemd-boot"
-
-# Variables used in *.wks.in files
-# ==============================================================================
-
-# Partition type UUIDs
-# ==============================================================================
-
-# See https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
-WKS_GPT_PART_UUID_ROOT:arm = "69DAD710-2CE4-4E3C-B16C-21A1D49ABED3"
-WKS_GPT_PART_UUID_ROOT:aarch64 = "B921B045-1DF0-41C3-AF44-4C6F280D3FAE"
-WKS_GPT_PART_UUID_ROOT:x86-64 = "4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709"
-
-WKS_GPT_PART_UUID_EFI = "C12A7328-F81F-11D2-BA4B-00A0C93EC93B"
-
-# For MBR disk, the EFI partition should use --system-id 0xef
-
-# For GPT disk
-WKS_MBR_PART_EFI ??= 'part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --align 1024 --label EFI --system-id 0xef'
-WKS_GPT_PART_EFI ??= 'part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --align 1024 --label EFI --part-type "${WKS_GPT_PART_UUID_EFI}"'
-
-WKS_MBR_PART_ROOT ??= 'part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid'
-WKS_GPT_PART_ROOT ??= 'part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --part-type ${WKS_GPT_PART_UUID_ROOT}'
-
-
-WKS_KERNEL_ARGS_EXTRA ??= "console=ttyS0,115200 console=tty0"
-WKS_KERNEL_ARGS ??= "rootfstype=ext4 rootwait ${WKS_KERNEL_ARGS_EXTRA}"
-
-WKS_BOOTLOADER_ARGS ??= '--timeout=5 --append="${WKS_KERNEL_ARGS}"'

layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf

@@ -9,13 +9,14 @@ DEFAULTTUNE ?= "cortexa8hf-neon"
 include conf/machine/include/arm/armv7a/tune-cortexa8.inc
 
 IMAGE_FSTYPES += "wic wic.xz wic.bmap"
-WKS_FILE ?= "beaglebone.wks.in"
+WKS_FILE ?= "beaglebone-sdcard.wks.in"
 MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
 do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
 do_image_wic[recrdeptask] += "do_bootimg"
 
 SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0 115200;ttyAMA0"
 SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
+APPEND:append = " console=ttyS0,115200"
 
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 PREFERRED_VERSION_linux-yocto ?= "5.15%"
@@ -32,10 +33,9 @@ UBOOT_MACHINE = "am335x_evm_defconfig"
 UBOOT_ENTRYPOINT = "0x80008000"
 UBOOT_LOADADDRESS = "0x80008000"
 
-MACHINE_FEATURES = "usbgadget usbhost vfat alsa efi"
+MACHINE_FEATURES = "usbgadget usbhost vfat alsa"
 
 IMAGE_BOOT_FILES ?= "u-boot.${UBOOT_SUFFIX} ${SPL_BINARY}"
-# ${KERNEL_IMAGETYPE} ${KERNEL_DEVICETREE}
 IMAGE_EFI_BOOT_FILES ?= "${KERNEL_DEVICETREE}"
 
 # support runqemu
@@ -43,7 +43,7 @@ EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"
 IMAGE_CLASSES += "qemuboot"
 QB_DEFAULT_FSTYPE = "wic"
 QB_FSINFO = "wic:no-kernel-in-fs"
-QB_KERNEL_ROOT = "/dev/vda2"
+QB_KERNEL_ROOT = "/dev/vda3"
 QB_SYSTEM_NAME = "qemu-system-arm"
 QB_MACHINE = "-machine virt"
 QB_CPU = "-cpu cortex-a15"
@@ -54,3 +54,9 @@ QB_NETWORK_DEVICE = "-device virtio-net-device,netdev=net0,mac=@MAC@"
 QB_ROOTFS_OPT = "-drive id=disk0,file=@ROOTFS@,if=none,format=raw -device virtio-blk-device,drive=disk0"
 QB_SERIAL_OPT = ""
 QB_TCPSERIAL_OPT = "-device virtio-serial-device -chardev socket,id=virtcon,port=@PORT@,host=127.0.0.1 -device virtconsole,chardev=virtcon"
+
+# No watchdog available yet
+EFIBOOTGUARD_TIMEOUT ?= "0"
+
+require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/legacy-mbr-disk.inc

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/efi.inc

@@ -0,0 +1,16 @@
+# EFI Configuration
+# ==============================================================================
+
+MACHINE_FEATURES:append = " efi"
+EFI_PROVIDER = "efibootguard"
+EFIBOOTGUARD_TIMEOUT ?= "60"
+
+do_image_wic[depends] += "efibootguard-native:do_populate_sysroot efibootguard:do_deploy"
+
+# Variable used in WKS file
+
+WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --align 1024 --part-type=EF00'
+WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label platform0 --align 1024'
+WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label platform1 --align 1024'
+WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label boot0 --align 1024 --part-type=0700 --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel0-${MACHINE}.efi;KERNEL0.EFI"'
+WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label boot1 --align 1024 --part-type=0700 --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel1-${MACHINE}.efi;KERNEL1.EFI"'

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/legacy-mbr-disk.inc

@@ -0,0 +1,15 @@
+
+# MBR disk are still supported by CoreOS, but only for legacy product
+# This ensure that efibootguard / swupdate work with MBR disk
+
+# Do not include this file in a machine configuration if the machine support
+# a GPT disk instead
+COREOS_DISK_PARTLABEL_LOOKUP_DIRECTORY ?= "/dev/disk/by-label"
+
+COREOS_PLATFORM0_ROOT ?= "LABEL=platform0"
+COREOS_PLATFORM1_ROOT ?= "LABEL=platform1"
+
+# MBR disk can't use --part-type but can use system-id 
+WKS_PART_EFI ?= 'part --source efibootguard-efi --label efi --system-id 0xef'
+WKS_PART_EFIBOOTGUARD_A ?= 'part --source efibootguard-boot --label boot0  --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel0-${MACHINE}.efi;KERNEL0.EFI"'
+WKS_PART_EFIBOOTGUARD_B ?=  'part --source efibootguard-boot --label boot1 --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel1-${MACHINE}.efi;KERNEL1.EFI"'

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc

@@ -20,3 +20,5 @@ do_image_wic[recrdeptask] += "do_bootimg"
 # CoreOS Specific Machine settings
 # ==============================================================================
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR = "1"
+
+require conf/machine/include/coreos-generic-features/efi.inc

layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -0,0 +1,11 @@
+# Add signature support
+
+inherit coreos-efi-sbsign
+require conf/image-uefi.conf
+
+do_deploy:append() {
+
+    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
+        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
+    fi
+}

layers/meta-belden-coreos-bsp/recipes-core/systemd/systemd-boot_250.5.bbappend

@@ -1,11 +0,0 @@
-# Add signature support
-
-inherit coreos-efi-sbsign
-
-do_install:append() {
-    coreos_efi_secureboot_sign_app "${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}"
-}
-
-do_deploy:append() {
-    coreos_efi_secureboot_sign_app ${DEPLOYDIR}/systemd-${SYSTEMD_BOOT_IMAGE}
-}

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc

@@ -1,14 +1,23 @@
 
 inherit coreos-efi-sbsign
+require conf/image-uefi.conf
 
 # Ensure EFI STUB is enabled
 KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
 
+# By default we use a Unified Kernel Image that contain the kernel, the
+# kernel command line and some device tree, so we don't need to sign the output
+# of the kernel recipes
+COREOS_KERNEL_EFI_SIGNED ??= "0"
+
 # Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
 kernel_do_deploy:append() {
+    if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
       deployDir="${DEPLOYDIR}"
       for imageType in ${KERNEL_IMAGETYPES} ; do
-		baseName=$imageType-${KERNEL_IMAGE_NAME}
-        coreos_efi_secureboot_sign_app $deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}
+        baseName="$imageType-${KERNEL_IMAGE_NAME}"
+        coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
       done
+    fi
 }
+

layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in

@@ -0,0 +1,11 @@
+# short-description: Create SD card image for Beaglebone
+# long-description: Creates a partitioned SD card image for Beaglebone.
+# Boot files are located in the first vfat partition.
+
+part --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --fixed-size 32
+${WKS_PART_EFI} --ondisk mmcblk0 --align 1024 --fixed-size 32
+${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size 2G
+${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size 2G
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --align 1024 --fixed-size 32
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --align 1024 --fixed-size 32
+bootloader --ptable msdos

layers/meta-belden-coreos-bsp/wic/beaglebone.wks.in

@@ -1,8 +0,0 @@
-# short-description: Create SD card image for Beaglebone
-# long-description: Creates a partitioned SD card image for Beaglebone.
-# Boot files are located in the first vfat partition.
-
-part --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --fixed-size 32
-${WKS_MBR_PART_EFI} --ondisk mmcblk0
-${WKS_MBR_PART_ROOT} --ondisk mmcblk0
-bootloader ${WKS_BOOTLOADER_ARGS}

layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in

@@ -1,6 +1,10 @@
 # short-description: Create an EFI disk image for genericx86*
 # long-description: Creates a partitioned EFI disk image for genericx86* machines
-${WKS_GPT_PART_EFI} --ondisk sda
-${WKS_GPT_PART_ROOT} --ondisk sda
+${WKS_PART_EFI} --ondisk sda  --align 1024 --fixed-size 32
+${WKS_PART_ROOT_A} --ondisk sda --fixed-size 2G
+${WKS_PART_ROOT_B} --ondisk sda --fixed-size 2G
+${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --fixed-size 32
+${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --fixed-size 32
+
 part swap --ondisk sda --size 44 --label swap1 --fstype=swap
-bootloader --ptable gpt ${WKS_BOOTLOADER_ARGS}
+bootloader --ptable gpt

layers/meta-belden-coreos/classes/coreos-image-uki.bbclass

@@ -0,0 +1,65 @@
+# This class generate the UKI kernel needed by WIC and by swupdate
+# This class should not be used directly, as it's ihnerited by
+# the coreos-image class
+
+require conf/image-uefi.conf
+inherit kernel-artifact-names
+inherit coreos-efi-sbsign
+
+# Output file name
+# ==============================================================================
+
+COREOS_KERNEL_EXT ??= ".efi"
+COREOS_KERNEL0_NAME ??= "kernel0-${MACHINE}"
+COREOS_KERNEL1_NAME ??= "kernel1-${MACHINE}"
+COREOS_KERNEL0_FILENAME ??= "${COREOS_KERNEL0_NAME}${COREOS_KERNEL_EXT}"
+COREOS_KERNEL1_FILENAME ??= "${COREOS_KERNEL1_NAME}${COREOS_KERNEL_EXT}"
+
+# Kernel command line
+# ==============================================================================
+
+APPEND += "rootwait "
+COREOS_PLATFORM0_ROOT ??= "PARTLABEL=platform0"
+COREOS_PLATFORM1_ROOT ??= "PARTLABEL=platform1"
+COREOS_KERNEL0_CMDLINE ??= "root=${COREOS_PLATFORM0_ROOT} ${APPEND}"
+COREOS_KERNEL1_CMDLINE ??= "root=${COREOS_PLATFORM0_ROOT} ${APPEND}"
+
+# UKI Generation
+# ==============================================================================
+
+do_bundle_uki() {
+    deployDir="${DEPLOY_DIR_IMAGE}"
+	kernel=${KERNEL_IMAGETYPE}-${MACHINE}${KERNEL_IMAGE_BIN_EXT}
+
+    # Create an array with device tree if any
+    DTB_PARAMS=""
+    for dtb in ${KERNEL_DEVICETREE}; do
+        # Bitbake allow full path inside KERNEL_DEVICETREE, but we want the
+        # filename only
+        dtb=$(basename "${dtb}")
+        DTB_PARAMS="${DTB_PARAMS} --dtb=${deployDir}/${dtb}"
+    done
+
+    echo "kernel: ${kernel}"
+    echo "dtb: ${DTB_PARAMS}"
+
+    bg_gen_unified_kernel \
+        "${STAGING_LIBDIR}/efibootguard/kernel-stub${EFI_ARCH}.efi" \
+        "${deployDir}/${kernel}" \
+        "${deployDir}/${COREOS_KERNEL0_FILENAME}" \
+        --cmdline "console=ttyS0,115200 root=${COREOS_PLATFORM0_ROOT} rootwait " \
+        ${DTB_PARAMS}
+
+     bg_gen_unified_kernel \
+        "${STAGING_LIBDIR}/efibootguard/kernel-stub${EFI_ARCH}.efi" \
+        "${deployDir}/${kernel}" \
+        "${deployDir}/${COREOS_KERNEL1_FILENAME}" \
+        --cmdline "console=ttyS0,115200 root=${COREOS_PLATFORM1_ROOT} rootwait " \
+        ${DTB_PARAMS}
+
+    coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL0_FILENAME}"
+    coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL1_FILENAME}"
+}
+
+do_bundle_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot"
+addtask bundle_uki after do_rootfs before do_image

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -63,14 +63,12 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 # An error exception would be raised if both image features foo and bar1(or bar2) are included
 
 
-COREOS_IMAGE_BASE_INSTALL = '\
+COREOS_IMAGE_BASE_INSTALL = "\
     packagegroup-core-boot \
     packagegroup-base-extended \
-    \
-    efibootmgr \
-    efivar \
+    ${@'efibootguard-tools' if d.getVar('EFI_PROVIDER') == 'efibootguard' else ''} \
     os-release \
-    '
+    "
 
 COREOS_IMAGE_EXTRA_INSTALL ?= ""
 
@@ -87,3 +85,13 @@ IMAGE_FEATURES:append = " ${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tw
 
 # Add some extra space, as done in core-image-minimal
 IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' + 4096', '', d)}"
+
+# Unified kernel image and swupdate support
+# ==============================================================================
+
+COREOS_IMAGE_GENERATE_UKI ??= "${@bb.utils.contains('COMBINED_FEATURES', 'efi', '1', '0', d)}"
+
+# Support for Unified Kernel Image and Swupdate are optional
+COREOS_IMAGE_EXTRACLASSES ??= ""
+COREOS_IMAGE_EXTRACLASSES:append = "${@' coreos-image-uki' if d.getVar('COREOS_IMAGE_GENERATE_UKI') == '1' else ''}"
+inherit ${COREOS_IMAGE_EXTRACLASSES}

layers/meta-belden-coreos/conf/distro/belden-coreos.conf

@@ -61,7 +61,6 @@ SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
 # Secure boot
 # ==============================================================================
 
-INHERIT += "coreos-bsp-config"
 INHERIT += "coreos-efi-secureboot"
 
 # Virtualization configuration

layers/meta-belden-coreos/recipes-core/systemd/systemd_250.5.bbappend

@@ -1,17 +0,0 @@
-
-# Compile and install the bootctl command by default
-#===============================================================================
-
-# bootctl command is only built if the gnu-efi feature is enables
-PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'efi', 'gnu-efi', '', d)}"
-
-# Enabling gnu-efi does create stub file inside  /usr/lib/systemd/boot/efi/ 
-# this generate some QA errors:
-# ERROR: systemd-1_250.5-r0 do_package_qa: QA Issue:
-# File /usr/lib/systemd/boot/efi/linuxarm.elf.stub in package systemd doesn't 
-# have GNU_HASH (didn't pass LDFLAGS?) [ldflags]
-#
-# Theses files are already by the systemd-boot recipes, so we can delete them
-do_install:append() {
-    rm -r ${D}/${libdir}/systemd/boot
-}

layers/meta-belden-marvell-bsp/conf/machine/include/cn913x.inc

@@ -33,8 +33,6 @@ KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
 
 KERNEL_DEFCONFIG ?= "cn9130-netmodule_defconfig"
 
-# By default we compile all supported cn913x devicetree. The devicetree to use
-# is then set for each machine with the KERNEL_DEVICETREE_TO_USE variable
 KERNEL_DEVICETREE ?= "\
     marvell/${MACHINE}.dtb \
 "
@@ -44,6 +42,7 @@ KERNEL_DEVICETREE ?= "\
 
 SERIAL_CONSOLES = "115200;ttyS0 115200;ttyAMA0"
 SERIAL_CONSOLES_CHECK ?= "${SERIAL_CONSOLES}"
+APPEND += "console=ttyS0,115200"
 
 # Image generation
 # ******************************************************************************
@@ -55,4 +54,5 @@ WKS_FILE = "cn913x-sdcard.wks.in"
 IMAGE_FSTYPES += "wic.xz wic.bmap"
 
 MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules kernel-devicetree"
-IMAGE_EFI_BOOT_FILES ?= "${MACHINE}.dtb"
+
+require conf/machine/include/coreos-generic-features/efi.inc

layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in

@@ -12,7 +12,10 @@
 part --offset 4096S --source rawcopy --sourceparams="file=flash-image.bin" --ondisk mmcblk1
 part --offset 12288S --source rawcopy --sourceparams="file=flash-image.bin" --ondisk mmcblk1
 
-${WKS_GPT_PART_EFI} --ondisk mmcblk1 --offset 20480S
-${WKS_GPT_PART_ROOT} --ondisk mmcblk1
-bootloader --ptable gpt ${WKS_BOOTLOADER_ARGS}
+${WKS_PART_EFI} --ondisk mmcblk1 --offset 20480S --fixed-size 64M
+${WKS_PART_ROOT_A} --ondisk mmcblk1 --fixed-size 2G
+${WKS_PART_ROOT_B} --ondisk mmcblk1 --fixed-size 2G
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --fixed-size 128M
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --fixed-size 128M
 
+bootloader --ptable gpt

layers/meta-efibootguard

@@ -0,0 +1 @@
+Subproject commit 0ae20f85ff8b2ad95b1f9522af76fc1353296cd5