feat(coreos-image): add support for dm-verity

Machine that add dm-verity into MACHINE_FEATURES now get a
read only rootfs that is verified using dm-verity. In this
case the rootfs is formatted with erofs

BREAKING CHANGE: The beaglebone machine now use dm-verity and read
only rootfs by default

.gitmodules

@@ -22,3 +22,7 @@
 	path = external-layers/meta-swupdate
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
 	branch = kirkstone
+[submodule "external-layers/meta-security"]
+	path = external-layers/meta-security
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-security.git
+	branch = kirkstone

external-layers/meta-security

@@ -0,0 +1 @@
+Subproject commit cefe9aba508c21012969fbaf525d2c0bf68620a6

layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf

@@ -35,7 +35,7 @@ UBOOT_MACHINE = "am335x_evm_defconfig"
 UBOOT_ENTRYPOINT = "0x80008000"
 UBOOT_LOADADDRESS = "0x80008000"
 
-MACHINE_FEATURES = "usbgadget usbhost vfat alsa"
+MACHINE_FEATURES = "usbgadget usbhost vfat alsa dm-verity"
 
 # support runqemu
 EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc

@@ -1,11 +1,14 @@
 
 # Variable used in WKS file
 
+# Info: WKS use gdisk HEX code to assign GPT GUID : https://askubuntu.com/questions/703443/gdisk-hex-codes
+# SFDISK just use the GPT GUID. This mean that 8300 in WKS is indeed 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+
 WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
 WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
 WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
-WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
-WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
+WKS_PART_ROOT_A ??= 'part / --source rawcopy --sourceparams="file=${IMGDEPLOYDIR}/${COREOS_ROOTFS_IMAGE_FILENAME}" --part-type=8300 --part-name rootfs0'
+WKS_PART_ROOT_B ??= 'part --part-type=8300 --part-name rootfs1'
 WKS_PART_ROOT_SIZE ??= '2G'
 
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'

layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch

@@ -0,0 +1,118 @@
+From 203a61e84712777c6163055ab226ef9255e98463 Mon Sep 17 00:00:00 2001
+From: Peter Korsgaard <peter@korsgaard.com>
+Date: Wed, 16 Nov 2022 07:16:56 +0100
+Subject: [PATCH] dm init: add dm-mod.waitfor to wait for asynchronously probed
+ block devices
+
+Just calling wait_for_device_probe() is not enough to ensure that
+asynchronously probed block devices are available (E.G. mmc, usb), so
+add a "dm-mod.waitfor=<device1>[,..,<deviceN>]" parameter to get
+dm-init to explicitly wait for specific block devices before
+initializing the tables with logic similar to the rootwait logic that
+was introduced with commit  cc1ed7542c8c ("init: wait for
+asynchronously scanned block devices").
+
+E.G. with dm-verity on mmc using:
+dm-mod.waitfor="PARTLABEL=hash-a,PARTLABEL=root-a"
+
+[    0.671671] device-mapper: init: waiting for all devices to be available before creating mapped devices
+[    0.671679] device-mapper: init: waiting for device PARTLABEL=hash-a ...
+[    0.710695] mmc0: new HS200 MMC card at address 0001
+[    0.711158] mmcblk0: mmc0:0001 004GA0 3.69 GiB
+[    0.715954] mmcblk0boot0: mmc0:0001 004GA0 partition 1 2.00 MiB
+[    0.722085] mmcblk0boot1: mmc0:0001 004GA0 partition 2 2.00 MiB
+[    0.728093] mmcblk0rpmb: mmc0:0001 004GA0 partition 3 512 KiB, chardev (249:0)
+[    0.738274]  mmcblk0: p1 p2 p3 p4 p5 p6 p7
+[    0.751282] device-mapper: init: waiting for device PARTLABEL=root-a ...
+[    0.751306] device-mapper: init: all devices available
+[    0.751683] device-mapper: verity: sha256 using implementation "sha256-generic"
+[    0.759344] device-mapper: ioctl: dm-0 (vroot) is ready
+[    0.766540] VFS: Mounted root (squashfs filesystem) readonly on device 254:0.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+---
+ .../admin-guide/device-mapper/dm-init.rst     |  8 +++++++
+ drivers/md/dm-init.c                          | 22 ++++++++++++++++++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/admin-guide/device-mapper/dm-init.rst b/Documentation/admin-guide/device-mapper/dm-init.rst
+index e5242ff17e9b..981d6a907699 100644
+--- a/Documentation/admin-guide/device-mapper/dm-init.rst
++++ b/Documentation/admin-guide/device-mapper/dm-init.rst
+@@ -123,3 +123,11 @@ Other examples (per target):
+     0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
+     fb1a5a0f00deb908d8b53cb270858975e76cf64105d412ce764225d53b8f3cfd
+     51934789604d1b92399c52e7cb149d1b3a1b74bbbcb103b2a0aaacbed5c08584
++
++For setups using device-mapper on top of asynchronously probed block
++devices (MMC, USB, ..), it may be necessary to tell dm-init to
++explicitly wait for them to become available before setting up the
++device-mapper tables. This can be done with the "dm-mod.waitfor="
++module parameter, which takes a list of devices to wait for::
++
++  dm-mod.waitfor=<device1>[,..,<deviceN>]
+diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c
+index b0c45c6ebe0b..dc4381d68313 100644
+--- a/drivers/md/dm-init.c
++++ b/drivers/md/dm-init.c
+@@ -8,6 +8,7 @@
+  */
+ 
+ #include <linux/ctype.h>
++#include <linux/delay.h>
+ #include <linux/device.h>
+ #include <linux/device-mapper.h>
+ #include <linux/init.h>
+@@ -18,12 +19,17 @@
+ #define DM_MAX_DEVICES 256
+ #define DM_MAX_TARGETS 256
+ #define DM_MAX_STR_SIZE 4096
++#define DM_MAX_WAITFOR 256
+ 
+ static char *create;
+ 
++static char *waitfor[DM_MAX_WAITFOR];
++
+ /*
+  * Format: dm-mod.create=<name>,<uuid>,<minor>,<flags>,<table>[,<table>+][;<name>,<uuid>,<minor>,<flags>,<table>[,<table>+]+]
+  * Table format: <start_sector> <num_sectors> <target_type> <target_args>
++ * Block devices to wait for to become available before setting up tables:
++ * dm-mod.waitfor=<device1>[,..,<deviceN>]
+  *
+  * See Documentation/admin-guide/device-mapper/dm-init.rst for dm-mod.create="..." format
+  * details.
+@@ -266,7 +272,7 @@ static int __init dm_init_init(void)
+ 	struct dm_device *dev;
+ 	LIST_HEAD(devices);
+ 	char *str;
+-	int r;
++	int i, r;
+ 
+ 	if (!create)
+ 		return 0;
+@@ -286,6 +292,17 @@ static int __init dm_init_init(void)
+ 	DMINFO("waiting for all devices to be available before creating mapped devices");
+ 	wait_for_device_probe();
+ 
++	for (i = 0; i < ARRAY_SIZE(waitfor); i++) {
++		if (waitfor[i]) {
++			DMINFO("waiting for device %s ...", waitfor[i]);
++			while (!dm_get_dev_t(waitfor[i]))
++				msleep(5);
++		}
++	}
++
++	if (waitfor[0])
++		DMINFO("all devices available");
++
+ 	list_for_each_entry(dev, &devices, list) {
+ 		if (dm_early_create(&dev->dmi, dev->table,
+ 				    dev->target_args_array))
+@@ -301,3 +318,6 @@ late_initcall(dm_init_init);
+ 
+ module_param(create, charp, 0);
+ MODULE_PARM_DESC(create, "Create a mapped device in early boot");
++
++module_param_array(waitfor, charp, NULL, 0);
++MODULE_PARM_DESC(waitfor, "Devices to wait for before setting up tables");

layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/dm-init.cfg

@@ -0,0 +1 @@
+CONFIG_DM_INIT=y

layers/meta-belden-coreos-bsp/recipes-kernel/linux/kernel/erofs.cfg

@@ -0,0 +1,8 @@
+CONFIG_EROFS_FS=y
+# CONFIG_EROFS_FS_DEBUG is not set
+CONFIG_EROFS_FS_XATTR=y
+CONFIG_EROFS_FS_POSIX_ACL=y
+CONFIG_EROFS_FS_SECURITY=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+CONFIG_EROFS_FS_ZIP=y

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-dm-verity.inc

@@ -0,0 +1,10 @@
+# Backport support for dm-mod.waitfor from Kernel 6.2
+SRC_URI += "file://0001-dm-init-add-dm-mod.waitfor-to-wait-for-asynchronousl.patch"
+
+# Enable erofs support as this is the default FS in CoreOS if dm-verity is enabled
+SRC_URI += "file://erofs.cfg"
+
+# Ensure dm-verity is enabled
+KERNEL_FEATURES:append = " features/device-mapper/dm-verity.scc"
+# Ensure that dm-verity can be enabled at boot time without an initramfs
+SRC_URI += "file://dm-init.cfg"

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc

@@ -1,7 +1,10 @@
+# EFI Support
+# ==============================================================================
 
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
 
+
 # Ensure EFI STUB is enabled
 KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
 

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos.inc

@@ -0,0 +1,6 @@
+# Ensure that file are found event when this file is included in another layer
+# ==============================================================================
+FILESEXTRAPATHS:prepend := "${THISDIR}/kernel:"
+
+require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}
+require ${@bb.utils.contains('MACHINE_FEATURES', 'dm-verity', 'linux-yocto-coreos-dm-verity.inc', '', d)}

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend

@@ -10,4 +10,4 @@ SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
 
-require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}
+require linux-yocto-coreos.inc

layers/meta-belden-coreos/classes/coreos-image-dm-verity.bbclass

@@ -0,0 +1,30 @@
+# Glue code to use the dm-verity-img class from meta-security with a CoreOS
+# rootfs image
+
+
+# Settings for the image class
+# ==============================================================================
+
+# Use the dm-verity-img.bbclass
+IMAGE_CLASSES += "dm-verity-img"
+
+# Settings for the dm-verity-img class
+# ==============================================================================
+
+# Let's place the .env file in the DEPLOY_DIR, this will be reused by
+# coreos-image-uki to generate the kernel command line
+STAGING_VERITY_DIR ?= "${DEPLOY_DIR_IMAGE}"
+
+DM_VERITY_IMAGE ?= "${PN}"
+
+# We use erofs as this FS offer at the moment the best performance for a read
+# only file system.
+DM_VERITY_IMAGE_TYPE ?= "erofs"
+
+
+# Settings for coreos-image related classes
+# ==============================================================================
+
+COREOS_ROOTFS_IMAGE_FSTYPE ??= "${DM_VERITY_IMAGE_TYPE}.verity"
+
+

layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass

@@ -7,16 +7,17 @@
 # Swupdate image generation
 # ==============================================================================
 
-IMAGE_FSTYPES:append = " ext4.zst"
+
 python () {
-    image = d.getVar('IMAGE_BASENAME')
-    d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", image, ".ext4.zst")
+    image = d.getVar('COREOS_ROOTFS_IMAGE_NAME')
+    image_ext = d.getVar('COREOS_ROOTFS_IMAGE_EXT')
+    d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", image, image_ext)
 }
 
 inherit swupdate-image
 
 # Ensure than variable used in the sw-description files are watched for change
-do_swuimage[vardeps] += "COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
+do_swuimage[vardeps] += "COREOS_ROOTFS_IMAGE_FILENAME COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
 do_swuimage[deptask] += "do_bundle_uki"
 
 COREOS_EFIBOOTGUARD_NAME ?= "efibootguard${EFI_ARCH}"

layers/meta-belden-coreos/classes/coreos-image-uki.bbclass

@@ -31,6 +31,34 @@ COREOS_UKI_PART_INITRAMFS ??= ""
 # UKI Generation
 # ==============================================================================
 
+coreos_dm_verify_cmdline() {
+    # In all command that use bc to do some math, we use cut to remove the decimal as
+    # we need integer and bc automatically add .00000000
+
+    . "${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.${DM_VERITY_IMAGE_TYPE}.verity.env"
+    DISK_SECTOR_SIZE=512
+    
+    # We need the number of sector used in the block device
+    # The image size is already a multiple of 512bytes, so we don't need to round it
+    IMAGE_FILE=$(realpath "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity")
+    IMAGE_SIZE=$(stat --printf="%s" "${IMAGE_FILE}")
+    DISK_SECTORS=$(echo "${IMAGE_SIZE}/${DISK_SECTOR_SIZE}" | bc -l | cut -d '.' -f 1 )
+    DATA_SECTORS=$(echo "${DATA_SIZE}/${DISK_SECTOR_SIZE}" | bc -l | cut -d '.' -f 1 ) 
+
+    # offset, in HASH_BLOCK_SIZE blocks, from the start of hash_device to the root block of the hash tree
+    # We use a single partition, so the hash is just after the data. DATA_SIZE is in bytes
+    HASH_OFFSET=$(echo "(${DATA_BLOCKS}*${DATA_BLOCK_SIZE}/${HASH_BLOCK_SIZE})+1" | bc -l | cut -d '.' -f 1 )
+
+    # MAPPING_TABLE Format https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMVerity
+    # 0 417792 verity 1 /dev/sdb /dev/sdc 4096 4096 52224 1 sha256 2aa4f7b7b6...f4952060e8 762307f4bc8...d2a6b7595d8..
+    # |    |     |    |     |     |        |    |    |    |    |              |                        |  
+    # start|     |    |  data_dev |  data_block | #blocks | hash_alg      root_digest                salt  
+    #      size  |  version    hash_dev         |     hash_offset  
+    #          target                       hash_block  
+    MAPPING_TABLE="0 ${DATA_SECTORS} verity ${HASH_TYPE} $1 $1 ${DATA_BLOCK_SIZE} ${HASH_BLOCK_SIZE} ${DATA_BLOCKS} ${HASH_OFFSET} ${HASH_ALGORITHM} ${ROOT_HASH} ${SALT}"
+    echo "dm-mod.create=\"verity,,,ro,${MAPPING_TABLE} 2 ignore_zero_blocks panic_on_corruption\" dm-mod.waitfor=${1} root=/dev/dm-0 ${APPEND} rootwait"
+}
+
 do_image_uki() {
     deployDir="${DEPLOY_DIR_IMAGE}"
 
@@ -43,9 +71,17 @@ do_image_uki() {
         DTB_PARAMS="${DTB_PARAMS} --dtb=${deployDir}/${dtb}"
     done
 
+
+    # Support for coreos-image-dm-verity
+    if [ "${COREOS_IMAGE_GENERATE_DM_VERITY}" -eq "1" ]; then
+        CMDLINE=$(coreos_dm_verify_cmdline "${COREOS_ROOTFS_ROOT}")
+    else
+        CMDLINE="${COREOS_KERNEL_CMDLINE}"
+    fi
+
     echo "kernel: ${COREOS_UKI_PART_KERNEL_FILENAME}"
     echo "dtb: ${DTB_PARAMS}"
-    echo "cmdline: ${COREOS_KERNEL_CMDLINE}"
+    echo "cmdline: ${CMDLINE}"
     echo "initramfs: ${COREOS_UKI_PART_INITRAMFS}"
 
     if [ ! -z "${COREOS_UKI_PART_INITRAMFS}" ]; then
@@ -58,13 +94,13 @@ do_image_uki() {
         "${COREOS_UKI_PART_STUB}" \
         "${COREOS_UKI_PART_KERNEL}" \
         "${COREOS_KERNEL}" \
-        --cmdline "${COREOS_KERNEL_CMDLINE}" \
+        --cmdline "${CMDLINE}" \
         ${DTB_PARAMS}
 
     coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL_FILENAME}"
 }
 
-do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot"
+do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot bc-native:do_populate_sysroot"
 
 
 addtask image_uki after do_image before do_image_complete
@@ -75,5 +111,13 @@ do_image_wic[recrdeptask] += "do_image_uki"
 # UKI image is normally embedded into a SWU image
 do_image_swu[recrdeptask] += "${@'do_image_uki' if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1' else ''}"
 
-# UKI image may embedded the rootfs as a cpio archive, in this case do_image_uki should run after do_image_cpio
-do_image_uki[recrdeptask] += "${@'do_image_cpio' if d.getVar('COREOS_UKI_PART_INITRAMFS') else ''}"
+# UKI image may embedded the rootfs as initrd or use the rootfs signature as part of the command line
+# thus it should run after the do_image_${FSTYPE} task
+python __anonymous() {
+    image_fstypes = d.getVar('IMAGE_FSTYPES')
+    rootfs_fstype = d.getVar('COREOS_ROOTFS_IMAGE_FSTYPE')
+    pn = d.getVar('PN')
+    
+    dep = f' {pn}:do_image_{rootfs_fstype.split(".")[0].replace("-", "_")}'
+    d.appendVarFlag('do_image_uki', 'depends', dep)
+}

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -78,15 +78,47 @@ IMAGE_INSTALL ?= "${COREOS_IMAGE_BASE_INSTALL} ${COREOS_IMAGE_EXTRA_INSTALL}"
 # before ihneriting the image class, as we don't need to install custom locales
 IMAGE_LINGUAS ?= " "
 
+# Rootfs Settings
+# ==============================================================================
+
+# Variable for the rootfs
+# This can be overriden using ??= in other coreos-image-* classes
+
+COREOS_ROOTFS_IMAGE_NAME ??= "${IMAGE_BASENAME}-${MACHINE}"
+COREOS_ROOTFS_IMAGE_FSTYPE ??= "ext4"
+COREOS_ROOTFS_IMAGE_EXT ??= ".${COREOS_ROOTFS_IMAGE_FSTYPE}"
+COREOS_ROOTFS_IMAGE_FILENAME ??= "${COREOS_ROOTFS_IMAGE_NAME}${COREOS_ROOTFS_IMAGE_EXT}"
+
+IMAGE_FSTYPES:append = " ${COREOS_ROOTFS_IMAGE_FSTYPE}"
+
+# We use the generic python in keyword instead of bb.contains so that erofs or erofs-lz4 or any
+# other erofs settings is detected. Erofs is a read only filesystem by design
+IMAGE_FEATURES:append = " ${@'read-only-rootfs' if 'erofs' in d.getVar('COREOS_ROOTFS_IMAGE_EXT') else ''}"
+
+# We use the wic rawcopy plugin instead of roots, as we want to rootfs image to
+# be copied as is, so we need to inform bitbake that the wic image depends
+# on the erofs image
+python __anonymous() {
+    image_fstypes = d.getVar('IMAGE_FSTYPES')
+    rootfs_fstype = d.getVar('COREOS_ROOTFS_IMAGE_FSTYPE')
+    pn = d.getVar('PN')
+
+    if 'wic' in image_fstypes:
+        dep = f' {pn}:do_image_{rootfs_fstype.split(".")[0].replace("-", "_")}'
+        d.appendVarFlag('do_image_wic', 'depends', dep)
+}
+
+# Optional coreos-image features that need to be ihnerited before image.bbclass
+# ==============================================================================
+
+# dm-verity is for now conditionnally enabled using a MACHINE_FEATURES as not all
+# MACHINE support it yet
+COREOS_IMAGE_GENERATE_DM_VERITY ?= "${@bb.utils.contains('MACHINE_FEATURES', 'dm-verity', '1', '0', d)}"
+inherit ${@'coreos-image-dm-verity' if d.getVar('COREOS_IMAGE_GENERATE_DM_VERITY') == '1' else ''}
+
 inherit image
 
-# Enable some feature by default
-IMAGE_FEATURES:append = " ${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', ' read-only-rootfs', d)}"
-
-# Add some extra space, as done in core-image-minimal
-IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' + 4096', '', d)}"
-
-# Unified kernel image and swupdate support
+# Optional coreos-image features that need to be ihnerited after image.bbclass
 # ==============================================================================
 
 # Support for Unified Kernel Image and Swupdate are optional

layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc

@@ -16,7 +16,7 @@ INIT_MANAGER = "systemd"
 VIRTUAL-RUNTIME_syslog = ""
 VIRTUAL-RUNTIME_base-utils-syslog = ""
 
-DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
+DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam security"
 
 # CoreOS wasn't compatible with older Yocto version, so we should not have any
 # features backfilled. Value are from DISTRO_FEATURES_BACKFILL

layers/meta-belden-coreos/files/sw-description

@@ -7,14 +7,13 @@ software =
             copy0 = {
                 images: (
                     {
-                        filename = "@@PN@@-@@MACHINE@@.ext4.zst";
-                        compressed = "zstd";
+                        filename = "@@COREOS_ROOTFS_IMAGE_FILENAME@@";
                         installed-directly = true;
                         # partlabel are stored inside the GPT partition table.
                         # The partition table is flashed only once and never updated
                         device = "/dev/disk/by-partlabel/rootfs0";
                         type = "raw";
-                        sha256 = "$swupdate_get_sha256(@@PN@@-@@MACHINE@@.ext4.zst)";
+                        sha256 = "$swupdate_get_sha256(@@COREOS_ROOTFS_IMAGE_FILENAME@@)";
                     }
                     # Don't remove the trailing whitspace on the next line otherwise
                     # it will not work due to a regex bug in meta-swupdate
@@ -64,14 +63,13 @@ software =
             copy1 = {
                 images: (
                     {
-                        filename = "@@PN@@-@@MACHINE@@.ext4.zst";
-                        compressed = "zstd";
+                        filename = "@@COREOS_ROOTFS_IMAGE_FILENAME@@";
                         installed-directly = true;
                         # partlabel are stored inside the GPT partition table.
                         # The partition table is flashed only once and never updated
                         device = "/dev/disk/by-partlabel/rootfs1";
                         type = "raw";
-                        sha256 = "$swupdate_get_sha256(@@PN@@-@@MACHINE@@.ext4.zst)";
+                        sha256 = "$swupdate_get_sha256(@@COREOS_ROOTFS_IMAGE_FILENAME@@)";
                     }
                     # Don't remove the trailing whitspace on the next line otherwise
                     # it will not work due to a regex bug in meta-swupdate

layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb

@@ -1,7 +1,5 @@
 DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
 
-
-
 # Don't reboot the device at reboot and don't do A/B switching
 BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
 
@@ -11,7 +9,11 @@ IMAGE_LINGUAS = ""
 
 LICENSE = "MIT"
 
-IMAGE_FSTYPES = "cpio.gz"
+# Remove default FSTYPES from MACHINE or DISTRO configuration. Note that
+# coreos-image-* classes used some :append so the resulting variable will
+# contains at least COREOS_ROOTFS_IMAGE_FSTYPE
+IMAGE_FSTYPES = ""
+COREOS_ROOTFS_IMAGE_FSTYPE = "cpio.gz"
 
 # Support for generating a SDCard installer is optional
 COREOS_INSTALLER_WKS_FILE ??= ""
@@ -21,6 +23,10 @@ IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
 
 COREOS_IMAGE_GENERATE_UKI = "1"
 
+# We don't need dm-verity support for the installer as we bundle the rootfs in
+# the UKI, thus the rootfs is part of a signed image
+COREOS_IMAGE_GENERATE_DM_VERITY = "0"
+
 # Avoid dependancy loop, we are already in an installer image, so we don't need
 # to bundle another one
 COREOS_IMAGE_GENERATE_INSTALLER = "0"

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb

@@ -31,4 +31,4 @@ do_configure:append(){
     fi
 }
 
-require recipes-kernel/linux/linux-yocto-coreos-efi.inc
+require recipes-kernel/linux/linux-yocto-coreos.inc

templates/bblayers.conf.sample

@@ -16,6 +16,8 @@ BBLAYERS ?= " \
   ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-filesystems \
   ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-python \
   ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-webserver \
+  ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-perl \
+  ##COREOS_EXTLAYERSDIR##/meta-security \
   ##COREOS_EXTLAYERSDIR##/meta-virtualization \
   ##COREOS_EXTLAYERSDIR##/meta-efibootguard \
   ##COREOS_EXTLAYERSDIR##/meta-swupdate \