Pull request #157: update kirkstone-next with master

Merge in ICO/coreos from master to kirkstone-next * commit '12ba99370ae12339f37fa7526c247a3707eb0542': refactor(trusted-firmware-a): update patches and cleanup feat(certificates-and-keys-native): add developer keys and certificates feat(secure-storage): add kernel config fragment for dm_crypt feat(secure-storage): add secure-storage as Coreos base feature feat(secure-storage): add secure-storage base functionality feat(userdata): add userdata partition feat: set default time for initial startup
2024-01-30 23:03:42 +01:00 · 2024-01-30 23:03:42 +01:00 · d82566ae82
parent 635cc433cc 12ba99370a
commit d82566ae82
25 changed files with 260 additions and 347 deletions
--- a/15
+++ b/15
@ -92,18 +92,3 @@ coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
 # stdout is redirected to reduce the amount of output but not stderr
 #
 #Note: if a final build is detected all the dev keys are deleted
 if [ "$CreateFinal" = "true" ]; then
    echo "\nFinal build detected delete dev keys and dont use or generate them" >&2
    rm -rf "${BUILDDIR}/keys"
 else
    echo "\nNo final build detected use development keys" >&2
    coreos-get-dev-keys > /dev/null || {
        echo "The coreos-get-dev-keys script has failed" >&2
    }
    coreos-keygen > /dev/null || {
        echo "The coreos-keygen script has failed" >&2
        return 1
    }
 fi
--- a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
+++ b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================
-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 # UEFI Secure boot helpers
@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign"
 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "certificates-and-keys-native:do_deploy"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
    """
-        Return the list of pubkey file inside deploy if 
+        Return the list of pubkey file inside deploy if
        COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
        otherwise
    """
@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
 def get_coreos_secureboot_keydir_hash(d):
    """
        Generate a space separate list, with a value for each file inside of 
        keydir. Fromat: <filename>:md5:<md5sum>
    """
    import hashlib
    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
    value = ""
    for keyname in os.listdir(keydir):
        filepath = os.path.join(keydir, keyname)
        if os.path.isfile(filepath): 
            md5 = bb.utils.md5_file(filepath)
            value += f"{keyname}:md5:{md5} "
    return value
 # The build system should detect if someone change one of the key inside
 # COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
 # depends on this directory
 COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
 COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"
--- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
+++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
@ -6,7 +6,9 @@ WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part
 WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
 WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
-WKS_PART_ROOT_SIZE ??= '2G'
+WKS_PART_ROOT_SIZE ??= '1G'
 WKS_PART_USERDATA_SIZE ??= '1G'
 WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
 SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
@ -5,7 +5,7 @@ SRC_URI += " \
    file://uefi-secureboot.cfg \
 "
-DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
+DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native certificates-and-keys-native"
 # Generate a ubootefi.var file inside the build directory
 #
--- a/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
@ -5,6 +5,7 @@ ${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --o
 ${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_USERDATA} --ondisk sda --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 part swap --ondisk sda --size 44 --label swap1 --fstype=swap
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
@ -7,5 +7,6 @@ part / --source rootfs --fstype=ext4 --label rootfs0 --ondisk mmcblk1 --size ${W
 part --fstype=ext4 --label rootfs1 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos/classes/coreos-image.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image.bbclass
@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
    packagegroup-coreos-boot \
    packagegroup-coreos-base \
    secure-storage \
    "
 COREOS_IMAGE_EXTRA_INSTALL ?= ""
--- a/layers/meta-belden-coreos/classes/coreos-sanity.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-sanity.bbclass
@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
 check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
 python check_coreos_sanity_eventhandler() {
    import datetime
    # Checks related to the distribution configuration files
    # ==========================================================================
@ -29,13 +31,22 @@ python check_coreos_sanity_eventhandler() {
            "systemd is not set as `INIT_MANAGER`. "
            "Using SystemD is mandatory on CoreOS based distribution"
        )
-    
+
    if e.data.getVar("TCLIBC") != "glibc":
        bb.fatal(
            "glibc is not set as `TCLIBC`. "
            "Using glibc is mandatory on CoreOS based distribution"
        )
-    
+
    # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
    first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
    foy_ts = str(int(first_of_year.timestamp()))
    if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
        bb.warn(
            "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
            "Set to current 01. january of the year."
        )
    # Checks related to the machine configuration files
    # ==========================================================================
@ -47,7 +58,7 @@ python check_coreos_sanity_eventhandler() {
                "CoreOS recommands to use compressed wic image, please add "
                "`wic.xz` to your machine `IMAGE_FSTYPES` variables"
            )
-        
+
        if not "wic.bmap":
            bb.warn(
                "wic image should be flashed with bmaptools, but this require "
--- a/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
+++ b/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
@ -7,3 +7,8 @@ MAINTAINER = "Belden CoreOS Team"
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
 # This TS represents 01.01.2024 generating it dynamically would cause a lot of
 # things to get re-build, we need a good solution for this or change it every
 # year
 REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"
--- a/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb
+++ b/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb
@ -1,33 +0,0 @@
 SUMMARY = "A recipe to deploy UEFI public keys update files"
 LICENSE = "CLOSED"
 INHIBIT_DEFAULT_DEPS = "1"
 inherit nopackages
 inherit deploy
 inherit coreos-efi-secureboot
 # Public key needed by firmware very depending on the implementation
 # So we copy all type of public key (*.auth, *.esl, *.crt, *der)
 addtask deploy after do_compile
 do_deploy() {
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
    # !SECURITY WARNING! 
    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
 }
--- a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat
 # Add signature support
 # ==============================================================================
 DEPENDS:append = " certificates-and-keys-native"
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
--- a/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend
@ -0,0 +1,10 @@
 do_install:append(){
 	# the creation date/time of this file will be used as initial boot time.
 	# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
 	# More info about the date/time handling here:
 	# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
 	touch ${D}/${base_libdir}/clock-epoch
 }
 FILES:${PN} += "${base_libdir}/clock-epoch"
--- a/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb
@ -0,0 +1,65 @@
 SUMMARY = "Installs certificates and keys"
 DESCRIPTION = "Installs certificates and keys that are used during the build"
 AUTHOR = "Patrick Vogelaar"
 LICENSE = "CLOSED"
 SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
 SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
 S = "${WORKDIR}/git"
 inherit deploy native
 CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
 #FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
 do_install() {
    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
    install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
    install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
    install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
    install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
    install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
    install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
    install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
    install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
    install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
    install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
    install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
    install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
    install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
    install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
    install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
    install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
    install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
    bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
 }
 # Public key needed by firmware very depending on the implementation
 # So we copy all type of public key (*.auth, *.esl, *.crt, *der)
 addtask deploy after do_compile
 do_deploy() {
    install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
    install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
    install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
    install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
    install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
    install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
    install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
    install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
    install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
    install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
    install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
    install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
    # !SECURITY WARNING!
    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
 }
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
@ -0,0 +1,93 @@
 #!/usr/bin/env sh
 loopdir=/usr/local/data/loopdevices
 loopfile=$loopdir/crypt.loop
 keyfiledir=/usr/local/data/.crypto
 keyfile=$keyfiledir/ss_crypto.keyfile
 #megabytes
 loopsize=16
 #/dev/mapper/xxxxx when open
 cryptmapper=secStorage
 makefilesystem=ext4
 #mountpoint of uncrypted device
 mountpoint=/usr/local/data/secure-storage
 create_keyfile() {
 	# echo "Create key file"
 	systemd-notify --status="Create key file"
 	mkdir -p $keyfiledir
 	dd if=/dev/urandom of=$keyfile bs=1 count=256
 	chown root:root $keyfiledir/*
 	chmod 000 $keyfiledir/*
 }
 error() {
 	echo "Error: $1"
 	exit $?
 }
 #creates a new file
 create_loopback_and_open() {
 	# echo "Creating a file with random bits.. this could take a while..."
 	systemd-notify --status="Creating a file with random bits.. this could take a while..."
 	mkdir -p $loopdir || error "Creating loopdir"
 	mkdir -p $mountpoint || error "Creating mountpoint"
 	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
 	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
 	echo "Selected loop device: $loopdevice"
 	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
 	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
 	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
 	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
 	systemd-notify --ready --status="Sucessfully mounted secure storage"
 }
 #mounts crypted loopback file
 open() {
 	#echo "Open secure-storage"
 	systemd-notify --status="Open secure storage"
 	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
 	echo "Selected loop device: $ld"
 	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
 	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
 	systemd-notify --ready --status="Sucessfully mounted secure storage"
 }
 #unmounts previously mounted loopback file
 close() {
 	echo "Close secure-storage"
 	# get loopdevice
 	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
 	umount $mountpoint
 	cryptsetup close $cryptmapper
 	losetup -d $loopdevice
 }
 if [ $# -eq 1 ]
 then
 	#echo "Parameter detected"
 	$1
 	exit 0
 fi
 if [ -e $keyfile ]
 then
 	#echo "Key file available"
 	if [ -e $loopfile ]
 	then
 		#echo "Loop file available"
 		open
 	else
 		#echo "Loop file not available"
 		create_loopback_and_open
 	fi
 else
 	#echo "Key file not available"
 	create_keyfile
 	create_loopback_and_open
 fi
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
@ -0,0 +1,12 @@
 [Unit]
 Description=Secure Storage Service
 RequiresMountsFor=/usr/local/data
 [Service]
 Type=notify
 ExecStart=/usr/bin/sec-storage-loopback.sh
 TimeoutSec=300
 [Install]
 WantedBy=local-fs.target
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
@ -0,0 +1,34 @@
 SUMMARY = "Provides a Secure Storage"
 DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
 AUTHOR = "Patrick Vogelaar"
 LICENSE = "CLOSED"
 SRC_URI = "\
    file://sec-storage-loopback.sh \
    file://secure-storage.service \
    "
 S = "${WORKDIR}"
 inherit systemd
 FILES:${PN} += "\
    /usr/local/data/ \
    ${systemd_unitdir}/system \
    ${bindir}/sec-storage-loopback.sh \
    ${systemd_unitdir}/system/secure-storage.service \
    "
 do_install() {
    install -d ${D}$/usr/local/data/
    install -d ${D}${bindir}
    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
    install -d ${D}${systemd_unitdir}/system
    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
 }
 SYSTEMD_SERVICE:${PN} = "secure-storage.service"
 SYSTEMD_AUTO_ENABLE = "enable"
 RDEPENDS:${PN} += "cryptsetup"
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate"
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
 DEPENDS += "certificates-and-keys-native"
 SRC_URI += "\
    file://50-webserver-config.sh \
    file://25-sw-collections-config.sh \
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch
@ -1,14 +1,14 @@
-From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
+From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 22 Nov 2021 13:33:25 +0200
-Subject: [PATCH 2/2] ddr spd read failover to defualt config
+Subject: [PATCH] ddr spd read failover to defualt config
 ---
 .../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
 1 file changed, 93 insertions(+), 7 deletions(-)
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 0befadfc6..5de71f095 100644
+index 82ce07b09..bb7814e9b 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
@@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644
 {
 	struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
@@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
- 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
+ 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
 		/* read data from spd */
 -		i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644
 +			set_param_based_on_som_strap();
 	}
 }
 -- 
 2.25.1
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch
@ -1,15 +1,16 @@
-From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001
+From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 6 Dec 2021 18:34:37 +0200
 Subject: [PATCH] som sdp failover using crc verification
 Signed-off-by: Alon Rotman <alon.rotman@solid-run.com>
 ---
 .../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++-------
 1 file changed, 41 insertions(+), 22 deletions(-)
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 5de71f095..d59b8100d 100644
+index bb7814e9b..772774215 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
@@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644
 +	
 	}
 }
 -- 
 2.25.1
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch
@ -1,52 +0,0 @@
 fiptool: respect OPENSSL_DIR
 fiptool links to libcrypto, so as with the other tools it should respect
 OPENSSL_DIR for include/library paths.
 Upstream-Status: Submitted
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 diff --git a/Makefile b/Makefile
 index ec6f88585..2d3b9fc26 100644
 --- a/Makefile
 +++ b/Makefile
@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
 ${FIPTOOL}: FORCE
 ifdef UNIX_MK
 -	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
 +	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
 else
 # Clear the MAKEFLAGS as we do not want
 # to pass the gnumake flags to nmake.
 diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
 index 11d2e7b0b..7c2a08379 100644
 --- a/tools/fiptool/Makefile
 +++ b/tools/fiptool/Makefile
@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
 PROJECT := $(notdir ${FIPTOOL})
 OBJECTS := fiptool.o tbbr_config.o
 V ?= 0
 +OPENSSL_DIR := /usr
 +
 override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
 HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
 else
   HOSTCCFLAGS += -O2
 endif
 -LDLIBS := -lcrypto
 +LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
 ifeq (${V},0)
   Q := @
@@ -28,7 +30,7 @@ else
   Q :=
 endif
 -INCLUDE_PATHS := -I../../include/tools_share
 +INCLUDE_PATHS := -I../../include/tools_share  -I${OPENSSL_DIR}/include
 HOSTCC ?= gcc
--- a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg
+++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg
@ -0,0 +1,4 @@
 CONFIG_BLK_DEV_DM=y
 CONFIG_KEYS=y
 CONFIG_ENCRYPTED_KEYS=y
 CONFIG_DM_CRYPT=y
--- a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb
@ -12,6 +12,7 @@ SRC_URI = "git://gitlab.com/netmodule/kernel/linux-netmodule.git;protocol=ssh;us
           file://0001-fix-phy-support-for-falcon-board.patch \
           file://0001-refactor-cn913x-defconfig-cleanup.patch \
           file://cn913x_additions.cfg \
           file://secure-storage.cfg \
           "
 SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5"
--- a/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in
+++ b/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in
@ -16,5 +16,6 @@ ${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0
 ${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 bootloader --ptable gpt
--- a/scripts/coreos-get-dev-keys
+++ b/scripts/coreos-get-dev-keys
@ -1,88 +0,0 @@
 #!/usr/bin/env bash
 # This script will get development keys needed by the UEFI secure boot
 # implementation from the k-stufen web share and put the under $BUILDDIR/keys
 #
 # The reason for every developer to have the same keys is that image/update
 # filest are interchangable.
 # Those developer keys are used for all builds except the ones that are marked
 # as final. Here the official keys will be used.
 #
 # Following keys will be downloaded
 # db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
 # db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
 # This script is used every time the build environment of CoreOS is sourced
 # Note: in the build environment stdout is redirected to /dev/null but not
 # stderr.
 set -e
 # Logging helper
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 BOLD='\033[1m'
 RESET='\033[0m'
 # Ensure that BUILDDIR is defined
 # ==============================================================================
 # This is usually done inside the coreos-init-build-env script
 if [ -z "$BUILDDIR" ]; then 
    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
    exit 1
 fi
 # We need the KEYDIR directory to exist
 # ==============================================================================
 KEYDIR="${BUILDDIR}/keys"
 mkdir -p "${KEYDIR}"
 cd "${KEYDIR}"
 # we need wget and tar
 # ==============================================================================
 assert_command_in_path() {
    if command -v "$1" >/dev/null 2>&1; then
        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
    else
        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
        exit 1
    fi
 }
 assert_command_in_path wget
 assert_command_in_path tar
 # Generate all they keys, as needed
 # ==============================================================================
 # Only generate the file if it's missing and don't fail if the file already
 # exist
 check_files_exist() {
    RET=0
    for file in "$@"; do
        if [ ! -e "$file" ]; then
            echo -e "𐄂 File ${RED}${file}${RESET} missing"
            RET=1
        else
            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
        fi
    done
    return $RET
 }
 check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \
                  KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \
 {
    echo -e "${RED}Incosistent or no keys.${RESET}"
    echo "Downloading Keys"
    wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \
    tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \
    rm coreos_developer_signing.keys.tar.gz
 }
--- a/scripts/coreos-keygen
+++ b/scripts/coreos-keygen
@ -1,117 +0,0 @@
 #!/usr/bin/env bash
 # This script will generate key needed by the UEFI secure boot implementation
 # under $BUILDDIR/keys
 # db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
 # db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
 # This script is used every time the build environment of CoreOS is sourced
 # Note: in the build environment stdout is redirected to /dev/null but not
 # stderr.
 set -e
 # Logging helper
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 BOLD='\033[1m'
 RESET='\033[0m'
 # Ensure that BUILDDIR is defined
 # ==============================================================================
 # This is usually done inside the coreos-init-build-env script
 if [ -z "$BUILDDIR" ]; then 
    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
    exit 1
 fi
 # We need the KEYDIR directory to exist
 # ==============================================================================
 KEYDIR="${BUILDDIR}/keys"
 mkdir -p "${KEYDIR}"
 cd "${KEYDIR}"
 # we need openssl, cert-to-efi-sig-list and sign-efi-sig-list 
 # ==============================================================================
 assert_command_in_path() {
    if command -v "$1" >/dev/null 2>&1; then
        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
    else
        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
        exit 1
    fi
 }
 assert_command_in_path openssl
 assert_command_in_path cert-to-efi-sig-list
 assert_command_in_path sign-efi-sig-list
 # Generate all they keys, as needed
 # ==============================================================================
 # Only generate the file if it's missing and don't fail if the file already
 # exist
 check_files_exist() {
    RET=0
    for file in "$@"; do
        if [ ! -e "$file" ]; then
            echo -e "𐄂 File ${RED}${file}${RESET} missing"
            RET=1
        else
            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
        fi
    done
    return $RET
 }
 echo "Generating private/public keys in .key/.crt format for PK, KEK et db"
 check_files_exist PK.key PK.crt || \
 openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
        -keyout PK.key -out PK.crt -nodes -days 365
 check_files_exist KEK.key KEK.crt || \
 openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \
        -keyout KEK.key -out KEK.crt -nodes -days 365
 check_files_exist db.key db.crt || \
 openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \
 		-keyout db.key -out db.crt -nodes -days 365
 echo "Generatic EFI signature list file with PK, KEK et db public key"
 check_files_exist PK.esl || \
 cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
        PK.crt PK.esl;
 check_files_exist KEK.esl || \
 cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
        KEK.crt KEK.esl
 check_files_exist db.esl || \
 cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
        db.crt db.esl
 echo "Generatic EFI AUTH file with PK, KEK et db public key"
 check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
 check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
 check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
 echo "Generatic DER files with PK, KEK et db public key"
 # der certificate are need for OVMF based firmware (virtual machine)
 check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
 check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
 check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
 # keys needed to sign and verify SWUpdate
 check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
    -out swupdate.crt -subj "/O=SWUpdate /CN=target"