Pull request #157: update kirkstone-next with master

Merge in ICO/coreos from master to kirkstone-next

* commit '12ba99370ae12339f37fa7526c247a3707eb0542':
  refactor(trusted-firmware-a): update patches and cleanup
  feat(certificates-and-keys-native): add developer keys and certificates
  feat(secure-storage): add kernel config fragment for dm_crypt
  feat(secure-storage): add secure-storage as Coreos base feature
  feat(secure-storage): add secure-storage base functionality
  feat(userdata): add userdata partition
  feat: set default time for initial startup

coreos-init-build-env

@@ -92,18 +92,3 @@ coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
 # stdout is redirected to reduce the amount of output but not stderr
 #
 #Note: if a final build is detected all the dev keys are deleted
-
-if [ "$CreateFinal" = "true" ]; then
-    echo "\nFinal build detected delete dev keys and dont use or generate them" >&2
-    rm -rf "${BUILDDIR}/keys"
-else
-    echo "\nNo final build detected use development keys" >&2
-    coreos-get-dev-keys > /dev/null || {
-        echo "The coreos-get-dev-keys script has failed" >&2
-    }
-
-    coreos-keygen > /dev/null || {
-        echo "The coreos-keygen script has failed" >&2
-        return 1
-    }
-fi

layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass

@@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================
 
-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 
 # UEFI Secure boot helpers
@@ -16,7 +16,7 @@ HOSTTOOLS += "sbsign"
 
 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "certificates-and-keys-native:do_deploy"
 
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
@@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
 
 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
 
-def get_coreos_secureboot_keydir_hash(d):
-    """
-        Generate a space separate list, with a value for each file inside of 
-        keydir. Fromat: <filename>:md5:<md5sum>
-    """
-    import hashlib
 
-    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
-    value = ""
-    
-    for keyname in os.listdir(keydir):
-        filepath = os.path.join(keydir, keyname)
-        if os.path.isfile(filepath): 
-            md5 = bb.utils.md5_file(filepath)
-            value += f"{keyname}:md5:{md5} "
-
-    return value
-
-# The build system should detect if someone change one of the key inside
-# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
-# depends on this directory
-COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
-COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc

@@ -6,7 +6,9 @@ WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part
 WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
 WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
-WKS_PART_ROOT_SIZE ??= '2G'
+WKS_PART_ROOT_SIZE ??= '1G'
+WKS_PART_USERDATA_SIZE ??= '1G'
+WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
 
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
 SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc

@@ -5,7 +5,7 @@ SRC_URI += " \
     file://uefi-secureboot.cfg \
 "
 
-DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
+DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native certificates-and-keys-native"
 
 # Generate a ubootefi.var file inside the build directory
 #

layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in

@@ -5,6 +5,7 @@ ${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --o
 ${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk sda --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 
 part swap --ondisk sda --size 44 --label swap1 --fstype=swap
 bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in

@@ -7,5 +7,6 @@ part / --source rootfs --fstype=ext4 --label rootfs0 --ondisk mmcblk1 --size ${W
 part --fstype=ext4 --label rootfs1 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 
 bootloader --ptable gpt

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
     packagegroup-coreos-boot \
     packagegroup-coreos-base \
+    secure-storage \
     "
 
 COREOS_IMAGE_EXTRA_INSTALL ?= ""

layers/meta-belden-coreos/classes/coreos-sanity.bbclass

@@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
 check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
 python check_coreos_sanity_eventhandler() {
 
+    import datetime
+
     # Checks related to the distribution configuration files
     # ==========================================================================
 
@@ -36,6 +38,15 @@ python check_coreos_sanity_eventhandler() {
             "Using glibc is mandatory on CoreOS based distribution"
         )
 
+    # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
+    first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
+    foy_ts = str(int(first_of_year.timestamp()))
+    if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
+        bb.warn(
+            "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
+            "Set to current 01. january of the year."
+        )
+
     # Checks related to the machine configuration files
     # ==========================================================================
 

layers/meta-belden-coreos/conf/distro/belden-coreos.conf

@@ -7,3 +7,8 @@ MAINTAINER = "Belden CoreOS Team"
 
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
+
+# This TS represents 01.01.2024 generating it dynamically would cause a lot of
+# things to get re-build, we need a good solution for this or change it every
+# year
+REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"

layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb

@@ -1,33 +0,0 @@
-SUMMARY = "A recipe to deploy UEFI public keys update files"
-LICENSE = "CLOSED"
-
-
-INHIBIT_DEFAULT_DEPS = "1"
-inherit nopackages
-
-inherit deploy
-inherit coreos-efi-secureboot
-
-# Public key needed by firmware very depending on the implementation
-# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
-addtask deploy after do_compile
-do_deploy() {
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
-    
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
-
-    # !SECURITY WARNING! 
-    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
-}

layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat
 # Add signature support
 # ==============================================================================
 
+DEPENDS:append = " certificates-and-keys-native"
+
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
 

layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend

@@ -0,0 +1,10 @@
+
+do_install:append(){
+	# the creation date/time of this file will be used as initial boot time.
+	# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
+	# More info about the date/time handling here:
+	# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
+	touch ${D}/${base_libdir}/clock-epoch
+}
+
+FILES:${PN} += "${base_libdir}/clock-epoch"

layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb

@@ -0,0 +1,65 @@
+SUMMARY = "Installs certificates and keys"
+DESCRIPTION = "Installs certificates and keys that are used during the build"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
+SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
+
+S = "${WORKDIR}/git"
+
+inherit deploy native
+
+CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
+
+#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
+
+
+do_install() {
+    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
+    install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
+    install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
+    install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
+    install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
+    install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
+    install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
+    install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
+    install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
+    install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
+    install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
+    install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
+    install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
+    install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
+    install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
+    install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
+    install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
+    install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
+
+    bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
+}
+
+
+# Public key needed by firmware very depending on the implementation
+# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
+
+addtask deploy after do_compile
+do_deploy() {
+    install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
+    install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
+    install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
+
+    install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
+    install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
+    install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
+
+    install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
+    install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
+    install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
+
+    install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
+    install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
+    install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
+
+    # !SECURITY WARNING!
+    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
+}

layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+	# echo "Create key file"
+	systemd-notify --status="Create key file"
+	mkdir -p $keyfiledir
+	dd if=/dev/urandom of=$keyfile bs=1 count=256
+	chown root:root $keyfiledir/*
+	chmod 000 $keyfiledir/*
+}
+
+error() {
+	echo "Error: $1"
+	exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+	# echo "Creating a file with random bits.. this could take a while..."
+	systemd-notify --status="Creating a file with random bits.. this could take a while..."
+	mkdir -p $loopdir || error "Creating loopdir"
+	mkdir -p $mountpoint || error "Creating mountpoint"
+	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $loopdevice"
+	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+	#echo "Open secure-storage"
+	systemd-notify --status="Open secure storage"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $ld"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+	echo "Close secure-storage"
+	# get loopdevice
+	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+	umount $mountpoint
+	cryptsetup close $cryptmapper
+	losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+	#echo "Parameter detected"
+	$1
+	exit 0
+fi
+
+if [ -e $keyfile ]
+then
+	#echo "Key file available"
+	if [ -e $loopfile ]
+	then
+		#echo "Loop file available"
+		open
+	else
+		#echo "Loop file not available"
+		create_loopback_and_open
+	fi
+else
+	#echo "Key file not available"
+	create_keyfile
+	create_loopback_and_open
+fi

layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+

layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb

@@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+    file://sec-storage-loopback.sh \
+    file://secure-storage.service \
+    "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+    /usr/local/data/ \
+    ${systemd_unitdir}/system \
+    ${bindir}/sec-storage-loopback.sh \
+    ${systemd_unitdir}/system/secure-storage.service \
+    "
+
+do_install() {
+    install -d ${D}$/usr/local/data/
+    install -d ${D}${bindir}
+    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+    install -d ${D}${systemd_unitdir}/system
+    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup"

layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend

@@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate"
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
 
+DEPENDS += "certificates-and-keys-native"
+
 SRC_URI += "\
     file://50-webserver-config.sh \
     file://25-sw-collections-config.sh \

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch

@@ -1,14 +1,14 @@
-From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
+From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 22 Nov 2021 13:33:25 +0200
-Subject: [PATCH 2/2] ddr spd read failover to defualt config
+Subject: [PATCH] ddr spd read failover to defualt config
 
 ---
  .../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
  1 file changed, 93 insertions(+), 7 deletions(-)
 
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 0befadfc6..5de71f095 100644
+index 82ce07b09..bb7814e9b 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 @@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644
  {
  	struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
 @@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
- 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
+ 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
  
  		/* read data from spd */
 -		i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
@@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644
 +			set_param_based_on_som_strap();
  	}
  }
--- 
-2.25.1
-

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch

@@ -1,15 +1,16 @@
-From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001
+From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 6 Dec 2021 18:34:37 +0200
 Subject: [PATCH] som sdp failover using crc verification
 
 Signed-off-by: Alon Rotman <alon.rotman@solid-run.com>
+
 ---
  .../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++-------
  1 file changed, 41 insertions(+), 22 deletions(-)
 
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 5de71f095..d59b8100d 100644
+index bb7814e9b..772774215 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 @@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644
 +	
  	}
  }
--- 
-2.25.1
-

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch

@@ -1,52 +0,0 @@
-fiptool: respect OPENSSL_DIR
-
-fiptool links to libcrypto, so as with the other tools it should respect
-OPENSSL_DIR for include/library paths.
-
-Upstream-Status: Submitted
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-diff --git a/Makefile b/Makefile
-index ec6f88585..2d3b9fc26 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
- 
- ${FIPTOOL}: FORCE
- ifdef UNIX_MK
--	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
-+	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
- else
- # Clear the MAKEFLAGS as we do not want
- # to pass the gnumake flags to nmake.
-diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
-index 11d2e7b0b..7c2a08379 100644
---- a/tools/fiptool/Makefile
-+++ b/tools/fiptool/Makefile
-@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
- PROJECT := $(notdir ${FIPTOOL})
- OBJECTS := fiptool.o tbbr_config.o
- V ?= 0
-+OPENSSL_DIR := /usr
-+
- 
- override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
- HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
-@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
- else
-   HOSTCCFLAGS += -O2
- endif
--LDLIBS := -lcrypto
-+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
- 
- ifeq (${V},0)
-   Q := @
-@@ -28,7 +30,7 @@ else
-   Q :=
- endif
- 
--INCLUDE_PATHS := -I../../include/tools_share
-+INCLUDE_PATHS := -I../../include/tools_share  -I${OPENSSL_DIR}/include
- 
- HOSTCC ?= gcc
- 

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg

@@ -0,0 +1,4 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_DM_CRYPT=y

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb

@@ -12,6 +12,7 @@ SRC_URI = "git://gitlab.com/netmodule/kernel/linux-netmodule.git;protocol=ssh;us
            file://0001-fix-phy-support-for-falcon-board.patch \
            file://0001-refactor-cn913x-defconfig-cleanup.patch \
            file://cn913x_additions.cfg \
+           file://secure-storage.cfg \
            "
 SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5"
 

layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in

@@ -16,5 +16,6 @@ ${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0
 ${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 
 bootloader --ptable gpt

scripts/coreos-get-dev-keys

@@ -1,88 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will get development keys needed by the UEFI secure boot
-# implementation from the k-stufen web share and put the under $BUILDDIR/keys
-#
-# The reason for every developer to have the same keys is that image/update
-# filest are interchangable.
-# Those developer keys are used for all builds except the ones that are marked
-# as final. Here the official keys will be used.
-#
-# Following keys will be downloaded
-# db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
-# db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
-
-# This script is used every time the build environment of CoreOS is sourced
-# Note: in the build environment stdout is redirected to /dev/null but not
-# stderr.
-
-set -e
-
-# Logging helper
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# Ensure that BUILDDIR is defined
-# ==============================================================================
-# This is usually done inside the coreos-init-build-env script
-
-
-if [ -z "$BUILDDIR" ]; then 
-    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
-    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
-    exit 1
-fi
-
-# We need the KEYDIR directory to exist
-# ==============================================================================
-
-KEYDIR="${BUILDDIR}/keys"
-mkdir -p "${KEYDIR}"
-cd "${KEYDIR}"
-
-# we need wget and tar
-# ==============================================================================
-
-assert_command_in_path() {
-    if command -v "$1" >/dev/null 2>&1; then
-        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
-    else
-        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
-        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
-        exit 1
-    fi
-}
-
-assert_command_in_path wget
-assert_command_in_path tar
-
-
-# Generate all they keys, as needed
-# ==============================================================================
-# Only generate the file if it's missing and don't fail if the file already
-# exist
-
-check_files_exist() {
-    RET=0
-    for file in "$@"; do
-        if [ ! -e "$file" ]; then
-            echo -e "𐄂 File ${RED}${file}${RESET} missing"
-            RET=1
-        else
-            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
-        fi
-    done
-    return $RET
-}
-
-check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \
-                  KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \
-{
-    echo -e "${RED}Incosistent or no keys.${RESET}"
-    echo "Downloading Keys"
-    wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \
-    tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \
-    rm coreos_developer_signing.keys.tar.gz
-}

scripts/coreos-keygen

@@ -1,117 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will generate key needed by the UEFI secure boot implementation
-# under $BUILDDIR/keys
-# db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
-# db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
-
-# This script is used every time the build environment of CoreOS is sourced
-# Note: in the build environment stdout is redirected to /dev/null but not
-# stderr.
-
-set -e
-
-# Logging helper
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# Ensure that BUILDDIR is defined
-# ==============================================================================
-# This is usually done inside the coreos-init-build-env script
-
-
-if [ -z "$BUILDDIR" ]; then 
-    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
-    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
-    exit 1
-fi
-
-# We need the KEYDIR directory to exist
-# ==============================================================================
-
-KEYDIR="${BUILDDIR}/keys"
-mkdir -p "${KEYDIR}"
-cd "${KEYDIR}"
-
-# we need openssl, cert-to-efi-sig-list and sign-efi-sig-list 
-# ==============================================================================
-
-assert_command_in_path() {
-    if command -v "$1" >/dev/null 2>&1; then
-        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
-    else
-        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
-        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
-        exit 1
-    fi
-}
-
-assert_command_in_path openssl
-assert_command_in_path cert-to-efi-sig-list
-assert_command_in_path sign-efi-sig-list
-
-# Generate all they keys, as needed
-# ==============================================================================
-# Only generate the file if it's missing and don't fail if the file already
-# exist
-
-check_files_exist() {
-    RET=0
-    for file in "$@"; do
-        if [ ! -e "$file" ]; then
-            echo -e "𐄂 File ${RED}${file}${RESET} missing"
-            RET=1
-        else
-            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
-        fi
-    done
-    return $RET
-}
-
-echo "Generating private/public keys in .key/.crt format for PK, KEK et db"
-
-check_files_exist PK.key PK.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
-        -keyout PK.key -out PK.crt -nodes -days 365
-
-check_files_exist KEK.key KEK.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \
-        -keyout KEK.key -out KEK.crt -nodes -days 365
-
-check_files_exist db.key db.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \
-		-keyout db.key -out db.crt -nodes -days 365
-
-
-echo "Generatic EFI signature list file with PK, KEK et db public key"
-
-check_files_exist PK.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        PK.crt PK.esl;
-
-check_files_exist KEK.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        KEK.crt KEK.esl
-
-check_files_exist db.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        db.crt db.esl
-
-echo "Generatic EFI AUTH file with PK, KEK et db public key"
-
-check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
-check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
-check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
-
-echo "Generatic DER files with PK, KEK et db public key"
-
-# der certificate are need for OVMF based firmware (virtual machine)
-check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
-check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
-check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
-
-# keys needed to sign and verify SWUpdate
-check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
-    -out swupdate.crt -subj "/O=SWUpdate /CN=target"