LM
/
coreos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: LM:HEAD
Branches Tags
LM:HEAD
LM:feat/signed-firmware/multicert
LM:chore/meta-belden-marvell-octeon-tx2-bsp
LM:kirkstone
LM:kirkstone-next
LM:feat/eagle40-03/add-partition
LM:master
LM:chore/staging-bsp
LM:feat/nitroc
LM:update_subomdules_2024-03-07_15-15
LM:update_subomdules_2024-03-07_15-14
LM:gemini-improvements
LM:add_commit_status
LM:enable_watchdog
LM:kirkstone_kas
LM:update_subomdules_2023-12-12_18-09
LM:feat/netmodule-gemini-bsp
LM:add_uefi_qemu_and_meta_arm
LM:feat/oe-master
LM:kirkstone-tmp
LM:kirkstone-next-tmp
LM:bugfix/core-os-container-package
LM:feat/signed-swu
LM:feat/ms-hyperv
LM:add_eagle40_03_board
LM:add_variable_for_kernel_in_wks_file
LM:hackathon/codebusters/devtool-ide
LM:feature/k3s
LM:docs/secure-boot
LM:feat/bats
LM:feat/verity
LM:feat/distro-rework
LM:synchonize_kirkstone_with_master
LM:update_to
LM:fix/generate-keys
LM:fix_populate_sdk_build
LM:update_subomdules_2023-07-26_10-23
LM:test/verification_build_server
LM:feat/netmodule-bsp
LM:update_subomdules_2023-06-23_09-58
LM:update_subomdules_2023-06-23_09-56
LM:feature/cve_check
LM:update_subomdules_2023-06-23_06-09
LM:doc/quickBuildUpdate
LM:update_subomdules_2023-06-19_10-28
LM:feature/cn913x_kernel_tune
LM:feature/cn913x_defconfig_clean_ath11_enable
LM:hotfix/phy_issue
LM:feat/coreos-swupdate-helper
LM:update_subomdules_2023-05-10_10-13
LM:fix/broken-keyhash
LM:feat/openssh
LM:feat/add_support_script
LM:feat/add_ramoops
LM:feat/use_multiconfig_for_building_container
LM:cmakedemo_docs_warning
LM:demoimage_recipe_add_cmakedemo
LM:doc_demo_cmake
LM:adding_swupdate
LM:docs/docker-and-update
LM:feat/container-bundle
LM:hotfix/update_uboot_config
LM:feat/update-layers-scripts
LM:feat/oci-image
LM:feat/use_new_kernel_concept
LM:feat/beaglebone
LM:feat/sanity-checks
LM:feat/add-distro-setup
LM:coreos-1.0.0-rc.1
..
compare: LM:feature/cve_check
Branches Tags
LM:feat/signed-firmware/multicert
LM:chore/meta-belden-marvell-octeon-tx2-bsp
LM:kirkstone
LM:kirkstone-next
LM:feat/eagle40-03/add-partition
LM:HEAD
LM:master
LM:chore/staging-bsp
LM:feat/nitroc
LM:update_subomdules_2024-03-07_15-15
LM:update_subomdules_2024-03-07_15-14
LM:gemini-improvements
LM:add_commit_status
LM:enable_watchdog
LM:kirkstone_kas
LM:update_subomdules_2023-12-12_18-09
LM:feat/netmodule-gemini-bsp
LM:add_uefi_qemu_and_meta_arm
LM:feat/oe-master
LM:kirkstone-tmp
LM:kirkstone-next-tmp
LM:bugfix/core-os-container-package
LM:feat/signed-swu
LM:feat/ms-hyperv
LM:add_eagle40_03_board
LM:add_variable_for_kernel_in_wks_file
LM:hackathon/codebusters/devtool-ide
LM:feature/k3s
LM:docs/secure-boot
LM:feat/bats
LM:feat/verity
LM:feat/distro-rework
LM:synchonize_kirkstone_with_master
LM:update_to
LM:fix/generate-keys
LM:fix_populate_sdk_build
LM:update_subomdules_2023-07-26_10-23
LM:test/verification_build_server
LM:feat/netmodule-bsp
LM:update_subomdules_2023-06-23_09-58
LM:update_subomdules_2023-06-23_09-56
LM:feature/cve_check
LM:update_subomdules_2023-06-23_06-09
LM:doc/quickBuildUpdate
LM:update_subomdules_2023-06-19_10-28
LM:feature/cn913x_kernel_tune
LM:feature/cn913x_defconfig_clean_ath11_enable
LM:hotfix/phy_issue
LM:feat/coreos-swupdate-helper
LM:update_subomdules_2023-05-10_10-13
LM:fix/broken-keyhash
LM:feat/openssh
LM:feat/add_support_script
LM:feat/add_ramoops
LM:feat/use_multiconfig_for_building_container
LM:cmakedemo_docs_warning
LM:demoimage_recipe_add_cmakedemo
LM:doc_demo_cmake
LM:adding_swupdate
LM:docs/docker-and-update
LM:feat/container-bundle
LM:hotfix/update_uboot_config
LM:feat/update-layers-scripts
LM:feat/oci-image
LM:feat/use_new_kernel_concept
LM:feat/beaglebone
LM:feat/sanity-checks
LM:feat/add-distro-setup
LM:coreos-1.0.0-rc.1

2 Commits
HEAD ... feature/cv

Author SHA1 Message Date
Patrick Vogelaar 3e621df753 feat(cve-check): add custom elements to cve-summary.json 2023-06-23 11:45:58 +02:00
Patrick Vogelaar bb15c4a6d8 feat(cve_to_elastic.py): add script that copies all CVE entries to elastic 
* this script parses the cve-summary.json
* the json is modified and reformated
* the json objects a pushed to elastic

NOTE: There is a modification necessary on how the cve-summary is created.
I will try to get this upstream.
 2023-06-23 11:37:51 +02:00
130 changed files with 7104 additions and 2554 deletions
Show Stats Expand all files Collapse all files

22
.gitmodules vendored
View File

@ -2,35 +2,23 @@
path = bitbake
url = ssh://git@bitbucket.gad.local:7999/ico/bitbake.git
branch = 2.0
[submodule "openembedded-core"]
[submodule "layers/openembedded-core"]
path = external-layers/openembedded-core
url = ssh://git@bitbucket.gad.local:7999/ico/openembedded-core.git
branch = kirkstone
[submodule "meta-openembedded"]
[submodule "layers/meta-openembedded"]
path = external-layers/meta-openembedded
url = ssh://git@bitbucket.gad.local:7999/ico/meta-openembedded.git
branch = kirkstone
[submodule "meta-virtualization"]
[submodule "layers/meta-virtualization"]
path = external-layers/meta-virtualization
url = ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
branch = kirkstone
[submodule "meta-efibootguard"]
[submodule "layers/meta-efibootguard"]
path = external-layers/meta-efibootguard
url = ssh://git@bitbucket.gad.local:7999/ico/meta-efibootguard.git
branch = master
[submodule "meta-swupdate"]
[submodule "layers/meta-swupdate"]
path = external-layers/meta-swupdate
url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
branch = kirkstone
[submodule "meta-arm"]
path = external-layers/meta-arm
url = ssh://git@bitbucket.gad.local:7999/ico/meta-arm.git
branch = kirkstone
[submodule "meta-ti"]
path = external-layers/meta-ti
url = ssh://git@bitbucket.gad.local:7999/ico/meta-ti.git
branch = kirkstone
[submodule "meta-lts-kernel-mixin"]
path = external-layers/meta-lts-kernel-mixin
url = ssh://git@bitbucket.gad.local:7999/ico/meta-lts-mixins.git
branch = coreos/kirkstone/kernel

4
.vscode/extensions.json vendored
View File

@ -2,9 +2,9 @@
"recommendations": [
"ms-vscode.makefile-tools",
"timonwong.shellcheck",
"eugenwiens.bitbake",
"kweihmann.oelint-vscode",
"lextudio.restructuredtext",
"trond-snekvik.simple-rst",
"yocto-project.yocto-bitbake"
"trond-snekvik.simple-rst"
]
}

49
.vscode/settings.json vendored
View File

@ -1,47 +1,12 @@
{
"files.watcherExclude": {
"**/build/**": true,
"**/_build/**": true,
"**/build/cache/**": true,
"**/build/downloads/**": true,
"**/build/sstate-cache/**": true,
"**/build/tmp/**": true,
"**/documentation/_build/**": true,
"**/build/workspace": true
},
"search.exclude": {
"**/build/**": true,
"**/_build/**": true,
},
"C_Cpp.files.exclude": {
"**/build": true,
"**/_build": true,
},
"python.analysis.exclude": [
"**/build/**",
"**/_build/**",
],
"python.formatting.provider": "black",
"editor.rulers": [80,100,120],
"bitbake.pathToBuildFolder": "${workspaceFolder}/build",
"bitbake.pathToEnvScript": "${workspaceFolder}/coreos-init-build-env",
"bitbake.pathToBitbakeFolder": "${workspaceFolder}/bitbake",
"python.autoComplete.extraPaths": [
"${workspaceFolder}/bitbake/lib",
"${workspaceFolder}/meta/lib"
],
"python.analysis.extraPaths": [
"${workspaceFolder}/bitbake/lib",
"${workspaceFolder}/meta/lib"
],
"[python]": {
"diffEditor.ignoreTrimWhitespace": false,
"gitlens.codeLens.symbolScopes": [
"!Module"
],
"editor.formatOnType": true,
"editor.wordBasedSuggestions": "off",
"files.trimTrailingWhitespace": false
},
"[shellscript]": {
"files.eol": "\n",
"files.trimTrailingWhitespace": false
},
"bitbake.sdkImage": "coreos-image-minimal",
"bitbake.workingDirectory": "${workspaceFolder}",
"task.saveBeforeRun": "always",
"editor.rulers": [80,100,120]
}

2
bitbake

@ -1 +1 @@
Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607
Subproject commit 0c6f86b60cfba67c20733516957c0a654eb2b44c

8
coreos-init-build-env
View File

@ -87,8 +87,6 @@ coreos-bblayers-envsub COREOS_LAYERSDIR "${COREOS_ROOT}/layers"
# Add support for ##COREOS_EXTLAYERSDIR## inside of bblayer template
coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything
# if the directory already exist so it's safe to call it everytime
# stdout is redirected to reduce the amount of output but not stderr
#
#Note: if a final build is detected all the dev keys are deleted
# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything it
# the directory already exist, so it's safe to call it everytime
coreos-keygen > /dev/null 2> /dev/null

7
documentation/.vscode/extensions.json vendored
View File

@ -1,7 +0,0 @@
{
"recommendations": [
"ms-vscode.makefile-tools",
"lextudio.restructuredtext",
"trond-snekvik.simple-rst"
]
}

12
documentation/.vscode/settings.json vendored
View File

@ -1,12 +0,0 @@
{
"files.watcherExclude": {
"**/_build/**": true,
},
"python.formatting.provider": "black",
"editor.rulers": [
80,
100,
120
],
"esbonio.sphinx.confDir": ""
}

1
documentation/boot/index.rst
View File

@ -11,4 +11,3 @@ Belden CoreOS Boot Concepts
overview
uboot
secure-boot

268
documentation/boot/secure-boot.rst
View File

@ -1,268 +0,0 @@
*******************
Secure Boot Concept
*******************
Currently CoreOS provide a Proof Of Concept of some of the secure boot element that we want to
implement a full secure-boot solution based on UEFI secure boot.
The current proof of concept is structured as follows:
Hardware Requirements
=====================
- The device must have an `eMMC`.
- The architecture of the device must be either `ARM32` or `AARCH64`.
eMMC Embedded MultiMediaCard
============================
eMMC, or Embedded MultiMediaCard, represents a prevalent storage format in devices such as
smartphones, tablets, and other embedded systems. It encapsulates NAND flash memory and a dedicated
controller within one package. This structure not only eases integration for device manufacturers
but also ensures a compact, efficient storage medium.
Within eMMC's architecture, distinct hardware partitions cater to diverse operational demands:
.. graphviz::
digraph emmcStructure {
rankdir=TB;
node [shape=box, style=filled, fillcolor="#e6f2ff"];
edge [color="#0099cc", fontsize=12];
compound=true;
subgraph cluster_eMMC {
label="eMMC";
color="#0099cc";
Boot0 [label="Boot0"];
Boot1 [label="Boot1"];
RPMB [label="RPMB"];
subgraph cluster_User {
label="User";
color="#00cc99";
GPT [label="GPT Table"];
subgraph cluster_GPT {
label="Software Partitions (GPT)";
color="#99e6e6";
SoftwarePartition1 [label="Partition 1"];
SoftwarePartition2 [label="Partition 2"];
SoftwarePartitionN [label="Partition N"];
}
}
}
}
#. **Boot0 and Boot1**: The boot partitions cater to device start-up requirements, typically hosting
the firmware. Boot0 predominantly initiates the boot-up, while Boot1 stands as a secondary guard
or backup, ensuring booting is resilient and failsafe.
#. **RPMB (Replay Protected Memory Block)**: As a secure partition, RPMB shelters data against
potential tampering. It's tailored for sensitive information storage, such as cryptographic keys.
Its design counters data replays or rollbacks, fortifying against particular attack types.
#. **User**: The primary storage domain, the User partition accommodates the OS, applications,
and user-centric data. It's reminiscent of the primary storage drive in larger computing devices.
Importantly, the User partition has a layered structure. Using the GPT (GUID Partition Table), it
is further divided into multiple software partitions, which can house diverse datasets or file
systems.
The boot concept of CoreOS rely on the presence of an eMMC to implement the following feature:
- Storage of two copy of the firmware with a way to switch from a copy to another using the eMMC
boot0 and boot1 hardware partition
- Storage of keys used by the UEFI Secure Key specification inside the secure RPMB hardware
partition.
- Storage of the bootloader, kernel and rootfs inside the user hardware partition using multiple
software partition in the GPT format.
Firmware
========
The firmware of the device should implement a subset of the UEFI specification as defined in the
ARM Base Boot Requirements (EBBR) and should implement the optional UEFI Secure Boot part of the
EBBR specifications.
This is done in CoreOS by levering the built-in EBBR and UEFI Secure Boot present into the u-boot
project.
The hardware should verify the validity of the firmware using a hardware specific way. Then the
generic secure boot concept explained here can be used to valide all the following component of
CoreOS.
UEFI Key used by UEFI Secure Boot
=================================
- **PK (Platform Key)**: This top-tier key shoulders the responsibility of KEK verification and its
potential revocation. PK holders have the exclusive privilege to configure the KEK and the `db`
database. It's the gatekeeper ensuring only authorized software can touch the firmware or
bootloader.
- **KEK (Key Exchange Key)**: As a medium for data exchange, the KEK is pivotal for signing the `db`
and `dbx` databases.
- **db (Allowed Database)**: This is the white list. It houses the keys or hashes of permitted
firmware and OS loaders. Execution is only granted to software with a signature that resonates
with the keys/hashes in this database.
- **dbx (Forbidden Database)**: The black sheep are here. Housing keys or hashes of known
unauthorized software, it ensures any associated software is prohibited from executing.
Currently all theses public keys are built-in into u-boot at build time and are read only. In the
future we will use the OP-TEE support into u-boot to use OP-TEE to manage the keys.
OP-TEE and RPMB as key manager
==============================
OP-TEE, or Open Portable Trusted Execution Environment, is an open-source implementation of the
Trusted Execution Environment (TEE) designed for ARM-powered platforms. In essence, a TEE is a
secure enclave that provides a separated, isolated environment where specific applications and their
data can run independently from the regular operating system, ensuring they are protected against
potential tampering or unauthorized access.
OP-TEE guarantees confidentiality, integrity, and authenticity for critical applications by
executing them in this secure space. It offers a wide range of security features, including secure
storage of cryptographic keys, secure boot, and hardware-backed crypto operations.
In the context of UEFI secure boot, OP-TEE becomes instrumental. UEFI's secure boot mechanism
ensures that only trusted, signed firmware, OS loaders, and OS kernels are executed during the boot
process. To enforce this level of trust, UEFI relies on a set of cryptographic keys, including PK
(Platform Key), KEK (Key Exchange Key), and db/dbx (allowed and forbidden signature databases).
Safeguarding these keys is paramount to maintain the security and integrity of the boot process.
By leveraging OP-TEE, these UEFI secure boot keys can be securely stored in the RPMB (Replay
Protected Memory Block) partition of the eMMC. The RPMB is a write-protected, secure area of the
eMMC designed to hold sensitive data and protect it against tampering and replay attacks.
Since OP-TEE manages secure access to the RPMB partition, it ensures that the UEFI secure boot keys
are not only safely stored but are also accessible only by authorized firmware components.
eMMC User Partition
===================
The user partition of the eMMC must be structured using the GPT (GUID Partition Table) format.
Within the GPT-formatted user partition, specific partitions should be established for efficient
booting and system operation:
1. **EFI**: This is the Essential Firmware Interface partition. It holds the `efibootguard`
os-loader binary, responsible for the boot sequence's initial steps and the kernel's selection
based on its configuration. This binary is signed with a key present in the `dbx` database
2. **EBG0 - Efibootguard Config 0**: This partition houses the `efibootguard` configuration for the
first kernel option. Alongside the configuration file, it also contains a Unified Kernel Image
(UKI), a bundled package comprising the Linux kernel, device trees, and associated boot
components. The UKI is signed with a key present in the `dbx` database
3. **EBG1 - Efibootguard Config 1**: Similar to EBG0, this partition carries the `efibootguard`
configuration for the second kernel option. It too holds a Unified Kernel Image tailored for this
alternate boot choice.
4. **rootfs0**: This partition stores the CoreOS root filesystem designed to complement and operate
with the kernel embedded in the EBG0 partition. It provides the essential system files and
structures required for the operating system's functioning when the kernel from EBG0 is booted.
Integrety of this rootfs is assured by storing an hash of the rootfs inside the UKI image.
5. **rootfs1**: Analogous to `rootfs0`, this partition houses the CoreOS root filesystem tailored
for the kernel within the EBG1 partition. It ensures that, should the system boot from the kernel
in EBG1, the appropriate file structures and system components are readily available.
EFIBootGuard Configuration
==========================
Efibootguard, as a part of its design, employs a configuration system to determine the appropriate
kernel and associated resources to boot from. This configuration is stored in distinct partitions,
EBG0 and EBG1, each holding its configuration file.
The configuration file itself comprises several fields, but most crucially, it contains a revision
field. This field is a numerical identifier indicating the version or update level of the contained
kernel and resources. When the system initiates its boot sequence, Efibootguard assesses the
revision values in both the EBG0 and EBG1 configuration files.
The selection process is straightforward yet robust: Efibootguard chooses the partition with the
higher revision value. By doing so, it inherently opts for the most recent or updated kernel version
available. However, this system also supports failover mechanisms. In case the kernel in the
partition with the higher revision encounters issues during boot, Efibootguard can revert to the
other partition, ensuring resilience and continuity in system operations.
Moreover, the choice isn't rigidly fixed. When the system undergoes updates, the configuration files
can be rewritten, and the revision values adjusted, allowing for dynamic and flexible booting in
line with system evolutions and updates. In essence, Efibootguard, with its configuration-based
approach, ensures a blend of up-to-date system booting and built-in fail-safes for dependable
operation.
Unified Kernel Image
====================
After having choosen the right configuration file, Efibootguard takes on the responsibility of
launching the Unified Kernel Image (UKI) linked with the active configuration. This image bundle
together essential boot components like the Linux kernel, device trees, and the kernel command
line. The secure initiation of this image is paramount, and Efibootguard ensures this by leveraging
UEFI's start_image system call.
The UEFI start_image system call verifies the image's signature against the Secure Boot keys
(PK, KEK, db, and potentially dbx). If the signature matches, indicating that the image is trusted
and hasn't been tampered with, the image is permitted to execute. If not, the booting halts,
preventing any unauthorized or potentially malicious code from running.
Once the UKI has been securely initiated, it undertakes multiple tasks. It first extracts the
necessary components from the bundled package, identifying and utilizing the appropriate device
trees based on `compatible` node, by matching with the `compatible` node of the `device-tree` that
is built into the firmware. These device trees inform the system about the hardware configuration,
ensuring the kernel interacts correctly with the system's components.
The UKI os-launcher also has CoreOS specialized patches, enabling dynamic rootfs switching without
requiring an initramfs by changing the `root=` part of the kernel command line at run time to
point to the right rootfs partition.
RootFS and dm-verity
====================
dm-verity is a Linux kernel feature designed to provide transparent integrity checking of block
devices, particularly for read-only file systems. Rooted in cryptographic principles, dm-verity
employs a hash-based approach to ensure and validate the integrity of the root filesystem (rootfs).
The way dm-verity operates is by building a Merkle tree, a structure where each leaf node contains a
hash of a block of the underlying data, while each non-leaf node is a hash of its children. The
topmost node, the root of the Merkle tree, provides a cumulative hash representing the entirety of
the data. This top hash, known as the root hash, serves as a concise, cryptographic representation
of the entire filesystem's state.
When integrating dm-verity with the Unified Kernel Image (UKI), an additional layer of security is
established. By embedding the root hash into the signed UKI, any tampering or modification in the
rootfs can be swiftly detected. When the system boots, the UKI, being signed, ensures that the
embedded root hash is legitimate and untampered. As the OS accesses the rootfs, dm-verity
recalculates the hash values in real-time and compares them to the values in the original Merkle
tree, referenced by the embedded root hash.
If any discrepancies are found that is, if the recalculated hash doesn't match the stored value
it indicates potential tampering, and the OS can halt access or take appropriate measures.
.. graphviz::
digraph SecureBootFlow {
rankdir=TB;
node [shape=box, style=filled, fillcolor="#e6f2ff"];
edge [color="#0099cc", fontsize=12];
Hardware [label="Hardware\n(ARM32/AARCH64 with eMMC)"];
Firmware [label="u-boot Firmware\n(UEFI EBRR subset)"];
eMMCConfig [label="eMMC Configuration\n(GPT with EFI partition)"];
EFIBootGuard [label="EFIBootGuard\n(A/B Kernel Switching)"];
UnifiedKernel [label="Unified Kernel Image\n(Kernel, cmd line, DTB)"];
KernelAndRootFS [label="Kernel & RootFS\n(dm-verity validation)"];
Hardware -> Firmware [label="Flashed with u-boot\n+ Built-in keys"];
Firmware -> eMMCConfig [label="eMMC boot"];
eMMCConfig -> EFIBootGuard [label="Boots from EFI partition"];
EFIBootGuard -> UnifiedKernel [label="Selects kernel A/B"];
UnifiedKernel -> KernelAndRootFS [label="Kernel boot\n+ RootFS verification"];
}

22
documentation/components/optional/installer.rst
View File

@ -3,35 +3,33 @@
CoreOS Installer
****************
The CoreOS installer is a set of scripts running on the target and a
The CoreOS installer is a set of script running on the target and a
corresponding bitbake image that is used into the bootstrap process of CoreOS.
coreos-image-installer
======================
The CoreOS image installer results in an image contairing only a single binary
EFI file. This EFI file includes a kernel, a device tree and an initramfs with
all (and only) the tools needed to install CoreOS.
The CoreOS installer image is a single binary EFI file that include a kernel,
device tree and an initramfs with all the tools needed to install CoreOS.
The installer image is not automatically built in parallel of a normal image.
This can be changed by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 1 in the
image file (as it is done for example in coreos-image-all-features.bb).
An installer image is automatically built in parallel of a normal image.
This can be deactivated by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 0.
The installer image build by default only a single EFI binary named
coreos-installer-MACHINE.efi. An SDCard or USB image can be generated if
coreos-installer-MACHINE.efi. An SDCard image can be generate if
`COREOS_INSTALLER_WKS_FILE` is set to a wks file.
coreos-installer
================
The coreos-installer recipe installs scripts that are used at startup to
automatically format the internal emmc of the device. The recipe also contains
The coreos-installer recipe installs some script that is used at startup
to automatically format the internal emmc of the device. It also contains
a swupdate configuration file to setup swupdate correctly for that use case.
coreos-installer-config
=======================
The coreos-installer-config recipe installs device specific configuration file
used by the coreos-installer. This includes the partitioner config file. Distros
and projects based on CoreOS can change the partioning scheme or partition size
used by the coreos-installer. This includes the partitionner config file. Distro
and project based on CoreOS can change the partionning scheme or partition size
by installing their own version of this package using a `bbappend file`.

1
documentation/index.rst
View File

@ -40,7 +40,6 @@ same structures.
Installation Manual <installation/index>
Reference Manual <ref-manual/index>
Testing Manual <testing/index>
Boot Concepts <boot/index>
Best Practices <best_practices/index>

354
documentation/testing/bats.rst
View File

@ -1,354 +0,0 @@
.. index:: BATS
************************************
BATS - Bash Automated Testing System
************************************
The CoreOS distribution supports writing tests using shell syntax by providing the `bats` command.
If you want to use `bats`, you will need the following CoreOS packages:
- bats
- bats-file
- bats-assert
Overview of BATS
================
A BATS test can be as simple as a single .bats file. For example:
.. code-block:: bash
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
@test "can output to stdout" {
run echo hello
assert_output 'hello'
}
You can run it using the command `bats <filename>.bats`
This will give you the following output:
.. code-block:: bash
sam@SAVE:~/Projects/tests$ bats <filename>.bats
<filename>.bats
✓ can output to stdout
1 test, 0 failures
The run command
================
In shell tests, you often need to run commands and capture their output, exit
status, and error messages. The run command provided by `bats` allows you to
execute commands within your test cases and collect this information for later
assertion and validation.
The run command will make the following variables available:
- `${status}`: exit code of the command run by `run`
- `${output}`: combined content of `stdout` and `stderr`
- `${lines[@]}`: array of lines of the output
- `${BATS_RUN_COMMAND}`: command run by the `run` command
.. code-block:: bash
@test "invoking foo with a nonexistent file prints an error" {
run foo nonexistent_filename
[ "$status" -eq 1 ]
[ "$output" = "foo: no such file 'nonexistent_filename'" ]
[ "$BATS_RUN_COMMAND" = "foo nonexistent_filename" ]
}
The `run` command accepts some parameters:
- `-N`: Expect N as exit status and fail otherwise
- `-!`: Expect non-zero exit status and fail if the command succeeds.
- `--keep-empty-lines`: don't remove empty lines from `${lines}`
- `--separate-stderr`: Use separate variables for stderr `${stderr}` and `${stderr_lines[@]}`
.. code-block:: bash
@test "invoking foo without arguments prints usage" {
run -1 foo
[ "${lines[0]}" = "usage: foo <filename>" ]
}
The bats-assert helper
======================
The `bats-assert` helper provides some functions to create more readable tests.
These assertions use the variables created by the `run` command and can be used
as follows:
.. code-block:: bash
@test 'assert_output()' {
run echo 'have'
assert_output 'want'
}
The following functions are provided:
- `assert` and `refute`: Assert that a given expression evaluates to true or false.
- `assert_equal`: Assert that two parameters are equal.
- `assert_not_equal`: Assert that two parameters are not equal.
- `assert_success` and `assert_failure`: Assert that the exit status is 0 or 1.
- `assert_output` and `refute_output`: Assert that the output does (or does not) contain the given content.
- `assert_line` and `refute_line`: Assert that a specific line of the output does (or does not) contain the given content.
- `assert_regex` and `refute_regex`: Assert that a parameter matches (or does not match) the given pattern.
The bats-file helper
====================
The `bats-file` helper provides functions to help work with files in tests:
**Test File Types:**
- `assert_exists` and `assert_not_exists`: Check if a file or directory exists.
- `assert_file_exists` and `assert_file_not_exists`: Check if a file exists.
- `assert_dir_exists` and `assert_dir_not_exists`: Check if a directory exists.
- `assert_link_exists` and `assert_link_not_exists`: Check if a link exists.
- `assert_block_exists` and `assert_block_not_exists`: Check if a block special file exists.
- `assert_character_exists` and `assert_character_not_exists`: Check if a character special file exists.
- `assert_socket_exists` and `assert_socket_not_exists`: Check if a socket exists.
- `assert_fifo_exists` and `assert_fifo_not_exists`: Check if a fifo special file exists.
**Test File Attributes:**
- `assert_file_executable` and `assert_file_not_executable`
- `assert_file_owner` and `assert_file_not_owner`
- `assert_file_permission` and `assert_not_file_permission`
- `assert_file_size_equals`
- `assert_size_zero` and `assert_size_not_zero`
- `assert_file_group_id_set` and `assert_file_not_group_id_set`
- `assert_file_user_id_set` and `assert_file_not_user_id_set`
- `assert_sticky_bit` and `assert_no_sticky_bit`
**Test File Content:**
- `assert_file_empty` and `assert_file_not_empty`
- `assert_file_contains` and `assert_file_not_contains`
- `assert_symlink_to` and `assert_not_symlink_to`
**Working with a temporary directory:**
- `temp_make` and `temp_del`
Pre- and Post-test case hooks
==============================
In some cases, it's useful to have a function that runs before or after each test
case in a bats file.
A function named `setup` will run before each test case, and a function
named `teardown` will run after each test case.
This example creates a directory in the setup function but lacks a teardown
that removes the directory. The second time the setup function is run, the
setup will fail as the directory already exists:
.. code-block:: bash
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
setup() {
mkdir tmp
echo 'a' >> ./tmp/test
}
@test "test contains a single a I" {
assert_file_contains ./tmp/test '^a$'
}
@test "test contains a single a II" {
assert_file_contains ./tmp/test '^a$'
}
.. code-block:: bash
sam@SAVE:~/Projects/tests$ bats test.bats
test.bats
✓ test contains a single a I
✗ test contains a single a II
(from function `setup' in test file test.bats, line 8)
`mkdir tmp' failed
mkdir: cannot create directory tmp: File exists
2 tests, 1 failure
This can be easily fixed by adding a teardown function:
.. code-block:: bash
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
setup() {
mkdir tmp
echo 'a' >> ./tmp/test
}
teardown() {
rm -rf ./tmp
}
@test "test contains a single a I" {
assert_file_contains ./tmp/test '^a$'
}
@test "test contains a single a II" {
assert_file_contains ./tmp/test '^a$'
}
.. code-block:: bash
sam@SAVE:~/Projects/tests$ bats test.bats
test.bats
✓ test contains a single a I
✓ test contains a single a II
2 tests, 0 failures
Pre- and Post-test file hooks
=============================
To run some code before executing a test file or after executing it, the
functions `setup_file` and `teardown_file` can be used.
The last example could be refactored to only create the tmp directory once:
.. code-block:: bash
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
setup_file() {
export DIR="./tmp"
export FILE="${DIR}/test"
mkdir "${DIR}"
}
teardown_file() {
rm -rf "${DIR}"
}
setup() {
echo 'a' >> "${FILE}"
}
teardown() {
rm "${FILE}"
}
@test "test contains a single a I" {
assert_file_contains "${FILE}" '^a$'
}
@test "test contains a single a II" {
assert_file_contains "${FILE}" '^a$'
}
Multiple files
==============
With `bats`, a file is a test suite. If you have multiple `bats` files in a
directory and you provide the directory in the `bats` command line, `bats`
will execute all the test suites.
Example: `bats .`
.. code-block:: bash
sam@SAVE:~/Projects/tests$ bats .
./first.bats
✓ can run our script
✗ second test
(in test file ./first.bats, line 27)
`false' failed
./second.bats
✓ multi file
./test.bats
✓ test contains a single a I
✓ test contains a single a II
5 tests, 1 failure
Pre- and Post-suite hooks
=========================
If you want to execute the same function before each test suite or after
each test suite, create a file named `setup_suite.bash`. In this file,
create a function named `setup_suite()` and another named `teardown_suite()`.
Exporting the test results
==========================
Test results can be exported using the JUnit XML format. This can then be
used in other tools and merged with other JUnit XML formats to generate a final
test report.
Example:
.. code-block:: bash
sam@SAVE:~/Projects/tests$ bats . -F junit
This will produce the following XML content on stdout:
.. code-block:: xml
<?xml version="1.0" encoding="UTF-8"?>
<testsuites time="0.048">
<testsuite name="./first.bats" tests="2" failures="1" errors="0" skipped="0" time="0.025" timestamp="2023-08-16T14:22:15" hostname="SAVE">
<testcase classname="./first.bats" name="can run our script" time="0.013" />
<testcase classname="./first.bats" name="second test" time="0.012">
<failure type="failure">(in test file ./first.bats, line 27)
`false&#39; failed</failure>
</testcase>
</testsuite>
<testsuite name="./second.bats" tests="1" failures="0" errors="0" skipped="0" time="0.008" timestamp="2023-08-16T14:22:15" hostname="SAVE">
<testcase classname="./second.bats" name="multi file" time="0.008" />
</testsuite>
<testsuite name="./test.bats" tests="2" failures="0" errors="0" skipped="0" time="0.015" timestamp="2023-08-16T14:22:15" hostname="SAVE">
<testcase classname="./test.bats" name="test contains a single a I" time="0.008" />
<testcase classname="./test.bats" name="test contains a single a II" time="0.007" />
</testsuite>
</testsuites>
Going further
=============
`bats` scripts can be checked with shellcheck for common mistakes.
The `bats-assert` add-on provides many helper functions to perform
assertions with a more readable syntax than the shell's built-in syntax.
See https://github.com/bats-core/bats-assert
The `bats-file` add-on provides helper functions to check for files. See
https://github.com/bats-core/bats-file/
You can find a list of projects using `bats` on this page:
https://github.com/bats-core/bats-core/wiki/Projects-Using-Bats

15
documentation/testing/index.rst
View File

@ -1,15 +0,0 @@
==============================
Belden CoreOS Testing Manual
==============================
This manual is a work on progress on how to test and how to write test for
CoreOS or CoreOS based distribution.
|
.. toctree::
:caption: Table of Contents
:numbered:
bats

1
external-layers/meta-arm

@ -1 +0,0 @@
Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446

2
external-layers/meta-efibootguard

@ -1 +1 @@
Subproject commit e3581b11d30d91d0363acb48a6aee47043b7e0bc
Subproject commit c65743e5dcaecce38383b23782c063bdbc73c404

1
external-layers/meta-lts-kernel-mixin

@ -1 +0,0 @@
Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6

2
external-layers/meta-openembedded

@ -1 +1 @@
Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b
Subproject commit bdad2a789e30703a825b876279665720d06d55dc

2
external-layers/meta-swupdate

@ -1 +1 @@
Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c
Subproject commit d1d4abfaf82d37c31e3cec3602d6d8d56d105185

1
external-layers/meta-ti

@ -1 +0,0 @@
Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720

2
external-layers/meta-virtualization

@ -1 +1 @@
Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846
Subproject commit b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d

2
external-layers/openembedded-core

@ -1 +1 @@
Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33
Subproject commit a70209cc6b111957b8dda9190e1291911a52286b

26
layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
View File

@ -3,7 +3,7 @@
# UEFI Secure boot configuration
# ==============================================================================
COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
# UEFI Secure boot helpers
@ -16,7 +16,7 @@ HOSTTOOLS += "sbsign"
# Ensure that the public keys are always deployed to the deploy directory
# before running wic
do_image_wic[depends] += "cos-certificates-and-keys-native:do_deploy"
do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
def get_coreos_secureboot_efi_boot_files(d):
@ -31,4 +31,26 @@ def get_coreos_secureboot_efi_boot_files(d):
IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
def get_coreos_secureboot_keydir_hash(d):
"""
Generate a space separate list, with a value for each file inside of
keydir. Fromat: <filename>:md5:<md5sum>
"""
import hashlib
keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
value = ""
for keyname in os.listdir(keydir):
filepath = os.path.join(keydir, keyname)
if os.path.isfile(filepath):
md5 = bb.utils.md5_file(filepath)
value += f"{keyname}:md5:{md5} "
return value
# The build system should detect if someone change one of the key inside
# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
# depends on this directory
COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"

6
layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
View File

@ -12,7 +12,7 @@ include conf/machine/include/arm/armv7a/tune-cortexa8.inc
IMAGE_FSTYPES += "wic wic.xz wic.bmap"
WKS_FILE ?= "beaglebone-sdcard.wks.in"
COREOS_INSTALLER_WKS_FILE ?= "beaglebone-sdcard-installer.wks"
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image"
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
do_image_wic[recrdeptask] += "do_bootimg"
@ -21,10 +21,10 @@ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
APPEND:append = " console=ttyS0,115200"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.6%"
PREFERRED_VERSION_linux-yocto ?= "5.15%"
KERNEL_IMAGETYPE = "zImage"
DTB_FILES = "ti/omap/am335x-bone.dtb ti/omap/am335x-boneblack.dtb ti/omap/am335x-bonegreen.dtb"
KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
PREFERRED_PROVIDER_virtual/bootloader ?= "u-boot"

39
layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf
View File

@ -1,39 +0,0 @@
#@TYPE: Machine
#@NAME: eagle40-03
#@DESCRIPTION: Machine support for EAGLE40-03
#
require include/coreos-generic-arch/x64.inc
MACHINE_FEATURES += "pci usbhost x86 serial efi"
# Kernel configuration
# ******************************************************************************
PREFERRED_VERSION_linux-yocto ?= "6.6%"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
KERNEL_IMAGETYPE = "bzImage"
# getty configuration
# ******************************************************************************
SERIAL_CONSOLES = "115200;ttyS0"
SERIAL_CONSOLES_CHECK = "ttyS0"
APPEND += "console=ttyS0,115200"
# Image generation
# ******************************************************************************
# Ensure that both flash-image.bin and boot.scr are generated as they are needed
# for a wic image
WKS_FILE = "generic-uefi.wks.in"
COREOS_INSTALLER_WKS_FILE ?= "generic-uefi-usb-installer.wks"
IMAGE_FSTYPES += "wic.xz wic.bmap"
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules"
# No watchdog available yet
EFIBOOTGUARD_TIMEOUT ?= "0"
require conf/machine/include/coreos-generic-features/efi.inc
require conf/machine/include/coreos-generic-features/partitions.inc

19
layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
View File

@ -1,20 +1,15 @@
# Variables used in WKS file
# Variable used in WKS file
WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel0-${MACHINE}.efi;KERNEL.EFI"'
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel1-${MACHINE}.efi;KERNEL.EFI"'
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
WKS_PART_ROOT_SIZE ??= '2G'
PART_EFI_SIZE ??= '64M'
PART_ROOT_SIZE ??= '1G'
PART_EFIBG_SIZE ??= '128M'
PART_USERDATA_SIZE ??= '1G'
# Variables used in SFDISK file
SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'
SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'

4
layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc
View File

@ -6,12 +6,12 @@ MACHINE_FEATURES += "wifi efi"
# Add an override that work for all pc image
MACHINEOVERRIDES =. "vm:"
PREFERRED_VERSION_linux-yocto ?= "6.6%"
PREFERRED_VERSION_linux-yocto ?= "5.15%"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"
IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk wic.vhdx"
IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk"
WKS_FILE ?= "generic-uefi.wks.in"
do_image_wic[depends] += "gptfdisk-native:do_populate_sysroot"

15
layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf
View File

@ -1,15 +0,0 @@
#@TYPE: Machine
#@NAME: qemu-generic-arm64
#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
#have working firmware and boot via EFI.
require conf/machine/qemu-generic-arm64.conf
MACHINEOVERRIDES =. "qemu-generic-arm64:"
COREOS_IMAGE_GENERATE_INSTALLER = "0"
WKS_FILE = "qemu-efi-coreos-generic.wks.in"
EFIBOOTGUARD_TIMEOUT ?= "0"
require conf/machine/include/coreos-generic-features/efi.inc
require conf/machine/include/coreos-generic-features/partitions.inc

33
layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb Normal file
View File

@ -0,0 +1,33 @@
SUMMARY = "A recipe to deploy UEFI public keys update files"
LICENSE = "CLOSED"
INHIBIT_DEFAULT_DEPS = "1"
inherit nopackages
inherit deploy
inherit coreos-efi-secureboot
# Public key needed by firmware very depending on the implementation
# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
addtask deploy after do_compile
do_deploy() {
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
# !SECURITY WARNING!
# .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
}

11
layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend Normal file
View File

@ -0,0 +1,11 @@
# Add signature support
inherit coreos-efi-sbsign
require conf/image-uefi.conf
do_deploy:append() {
if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
fi
}

16
layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot-coreos.inc → layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
View File

@ -1,23 +1,12 @@
# Ensure that file are found event when this file is included in another layer
# ==============================================================================
FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
# U-Boot CoreOS Distro Settings
# ==============================================================================
# Enable more debug option when debug-tweaks is enabled
SRC_URI += " \
${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
"
inherit coreos-efi-secureboot
# Make sure UEFI and secure boot is enabled for every u-boot build
SRC_URI += " \
file://uefi.cfg \
file://uefi-secureboot.cfg \
"
DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
# Generate a ubootefi.var file inside the build directory
#
# This file can be directly linked inside the u-boot binary to provide
@ -26,7 +15,6 @@ SRC_URI += " \
#
# The efivar.py is taken from u-boot-tools recipes, so that we are sure that he
# is found and don't depend on the u-boot version being used
DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native cos-certificates-and-keys-native"
addtask uboot_generate_efivar after do_configure before do_compile
do_uboot_generate_efivar() {
# Settings OPENSSL_MODULES is needed, otherwise efivar.py fail with

12
layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc Normal file
View File

@ -0,0 +1,12 @@
# Ensure that file are found event when this file is included in another layer
# ==============================================================================
FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
# Main include file for u-boot to ensure CoreOS compatibility
# ==============================================================================
SRC_URI += " \
${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
"
require u-boot-coreos-efi.inc

2
layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot-tools_2022.01.bbappend → layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-tools_2022.01.bbappend
View File

@ -5,5 +5,3 @@
do_install:append() {
install -m 0755 ${S}/tools/efivar.py ${D}${bindir}/uboot-efivar
}
FILES:${PN} += "${bindir}/uboot-efivar"

0
layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot/debug-tweaks.cfg → layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/debug-tweaks.cfg
View File

0
layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg → layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
View File

0
layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot/uefi.cfg → layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi.cfg
View File

2
layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend Normal file
View File

@ -0,0 +1,2 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
require u-boot-coreos.inc

2
layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_2022.10.bb → layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.10.bb
View File

@ -4,3 +4,5 @@ require recipes-bsp/u-boot/u-boot.inc
SRCREV = "4debc57a3da6c3f4d3f89a637e99206f4cea0a96"
DEPENDS += "bc-native dtc-native python3-setuptools-native"
LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
require u-boot-coreos.inc

10
layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk
View File

@ -12,8 +12,8 @@ sector-size: 512
/dev/mmcblk1p1 : start= 256, size= 512, type=4DA6E9DA-C803-4BE4-BAC4-8192717C5EB0, name="mlo", attrs="RequiredPartition"
/dev/mmcblk1p2 : start= 768, size= 8192, type=5B97345D-B7A1-47D3-A491-ED40F4841639, name="uboot", attrs="RequiredPartition"
/dev/mmcblk1p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
/dev/mmcblk1p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
/dev/mmcblk1p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
/dev/mmcblk1p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
/dev/mmcblk1p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
/dev/mmcblk1p3 : start= 8960, size= 131072, ${SFDISK_PART_EFI}
/dev/mmcblk1p4 : start= 140032, size= 262144, ${SFDISK_PART_EFIBOOTGUARD_A}
/dev/mmcblk1p5 : start= 402176, size= 262144, ${SFDISK_PART_EFIBOOTGUARD_B}
/dev/mmcblk1p6 : start= 664320, size= 3403375, ${SFDISK_PART_ROOT_A}
/dev/mmcblk1p7 : start= 4067695, size= 3403375, ${SFDISK_PART_ROOT_B}

13
layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk
View File

@ -1,13 +0,0 @@
label: gpt
device: /dev/mmcblk2
unit: sectors
first-lba: 34
last-lba: 7471070
sector-size: 512
/dev/mmcblk2p1 : start= 256, size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
/dev/mmcblk2p2 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}

1
layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend
View File

@ -1,4 +1,3 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"
SRC_URI:append:beaglebone = " file://beaglebone_1.0.sfdisk"
SRC_URI:append:eagle40-03 = " file://eagle40-03_1.0.sfdisk"

2
layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg
View File

@ -1,2 +0,0 @@
CONFIG_F71808E_WDT=y
CONFIG_WATCHDOG_SYSFS=y

16
layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/hyperv.cfg
View File

@ -1,16 +0,0 @@
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_SPINLOCKS=y
CONFIG_CONNECTOR=y
CONFIG_SCSI_FC_ATTRS=y
CONFIG_HYPERV=y
CONFIG_HYPERV_UTILS=y
CONFIG_HYPERV_BALLOON=y
CONFIG_HYPERV_STORAGE=y
CONFIG_HYPERV_NET=y
CONFIG_HYPERV_KEYBOARD=y
CONFIG_FB_HYPERV=y
CONFIG_HID_HYPERV_MOUSE=y
CONFIG_PCI_HYPERV=y
CONFIG_VSOCKETS=y
CONFIG_HYPERV_VSOCKETS=y

23
layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc Normal file
View File

@ -0,0 +1,23 @@
inherit coreos-efi-sbsign
require conf/image-uefi.conf
# Ensure EFI STUB is enabled
KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
# By default we use a Unified Kernel Image that contain the kernel, the
# kernel command line and some device tree, so we don't need to sign the output
# of the kernel recipes
COREOS_KERNEL_EFI_SIGNED ??= "0"
# Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
kernel_do_deploy:append() {
if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
deployDir="${DEPLOYDIR}"
for imageType in ${KERNEL_IMAGETYPES} ; do
baseName="$imageType-${KERNEL_IMAGE_NAME}"
coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
done
fi
}

11
layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
View File

@ -1,20 +1,13 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
KMACHINE:vm-x64 ?= "common-pc-64"
COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
# Enable some kernel features related to virtualiuzation
KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
SRC_URI:append:vm-x64 = " file://hyperv.cfg"
KMACHINE:eagle40-03 ?= "common-pc-64"
KBRANCH:eagle40-03 = "v5.15/standard/base"
SRCREV_machine:eagle40-03 ?= "3baf1c5c0e6084b3f4a1d2d805168d657f872e60"
COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
LINUX_VERSION:eagle40-03 = "5.15.134"
KBRANCH:beaglebone = "v5.15/standard/beaglebone"
KMACHINE:beaglebone ?= "beaglebone"
SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
COMPATIBLE_MACHINE:beaglebone = "beaglebone"
LINUX_VERSION:beaglebone = "5.15.54"
require linux-yocto-coreos-efi.inc

14
layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend
View File

@ -1,14 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
KMACHINE:eagle40-03 ?= "common-pc-64"
COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
KMACHINE:beaglebone ?= "beaglebone"
COMPATIBLE_MACHINE:beaglebone = "beaglebone"
KMACHINE:vm-x64 ?= "common-pc-64"
COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
SRC_URI:append:vm-x64 = " file://hyperv.cfg"
SRC_URI += " file://eagle40-03.cfg"

8
layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in
View File

@ -13,8 +13,8 @@ part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mm
# Let's define a 4MiB maximum size for the bootloader
# 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --fixed-size 32M
${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size 128M
${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size 128M
${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
bootloader --ptable gpt

16
layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks
View File

@ -1,16 +0,0 @@
# short-description: Create USB image for Eagle 40-03
# long-description: Creates a partitioned USB image for Eagle 40-03.
# offset 1S => 1 sector (1x512 byte)
# The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
# MBR disk use only the sector 0, so 1S is free
# GPT disk use sector 0-33S, so first free slot is 256S
# Offset are from the BBB default settings
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
part --offset 256S --source bootimg-partition --part-type=EF00 --ondisk mmcblk0
part --fixed-size 3G --fstype=vfat --label=image
bootloader --ptable gpt

13
layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
View File

@ -1,11 +1,10 @@
# short-description: Create an EFI disk image for genericx86*
# long-description: Creates a partitioned EFI disk image for genericx86* machines
${WKS_PART_EFI} --ondisk sda --align 1024 --size 64M --extra-space 0 --overhead-factor 1
${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_EFIBOOTGUARD_A} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
${WKS_PART_EFIBOOTGUARD_B} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
${WKS_PART_EFI} --align 1024 --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
bootloader --ptable gpt

12
layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
View File

@ -1,12 +0,0 @@
# short-description: Create an EFI disk image
# long-description: Creates a partitioned EFI disk image that the user
# can directly dd to boot media.
part --source efibootguard-efi --label efi --part-type=EF00 --use-uuid --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
part / --source rootfs --fstype=ext4 --label rootfs0 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
part --fstype=ext4 --label rootfs1 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
${WKS_PART_USERDATA} --use-uuid --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
bootloader --ptable gpt

8
layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb
View File

@ -1,8 +0,0 @@
DESCRIPTION = "An image that includes k3s-agent"
require recipes-core/images/coreos-image-all-features.bb
IMAGE_INSTALL += "k3s-agent"
# To use this image, please add k3s to DISTRO_FEATURE inside your
# local.conf config file.

8
layers/meta-belden-coreos-demo/recipes-kernel/linux/files/k3s_kernel_adaptions.cfg
View File

@ -1,8 +0,0 @@
#this file contains the necssary kernel adaption that k3s an containerd require
#Reference
#k3s config check: https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/check-config.sh
#container config check: https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh
#these scripts are provided by moby and rancher
CONFIG_OABI_COMPAT=n
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y

1
layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend
View File

@ -1 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

19
layers/meta-belden-coreos/classes/bats-library.bbclass
View File

@ -1,19 +0,0 @@
# Library to share code needed to install most available bats library
# Bats library are shell scripts, so they are arch independant
inherit allarch
RDEPENDS:${PN} += "bats"
# Bats can find library in this folder by default
BATS_LIB_PATH ?= "${libdir}/bats"
# By default the library will have the same name as the recipe
BATS_INSTALL_DIR ?= "${BATS_LIB_PATH}/${PN}"
FILES:${PN} += "${BATS_INSTALL_DIR}"
do_install() {
install -d ${D}${BATS_INSTALL_DIR}
cp -r ${S}/src ${D}${BATS_INSTALL_DIR}/
install ${S}/load.bash ${D}${BATS_INSTALL_DIR}/
}

8
layers/meta-belden-coreos/classes/coreos-image-ci.bbclass
View File

@ -3,7 +3,6 @@
# > COREOS_IMAGE_EXTRACLASSES += "coreos-image-ci"
# in auto.conf (or local.conf)
inherit kernel-artifact-names
def get_coreos_ci_artifacts(d):
artifacts = []
@ -30,10 +29,6 @@ def get_coreos_ci_artifacts(d):
if bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d):
artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')
# This is used for qemu-coreos-arm64
if bb.utils.contains('IMAGE_FSTYPES', 'wic.qcow2', True, False, d):
artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.qcow2')
if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1':
artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')
@ -51,7 +46,8 @@ def get_coreos_ci_artifacts(d):
artifacts.append(kernel_imagetype + '-' + machine + kernel_image_bin_ext)
if d.getVar('COREOS_IMAGE_GENERATE_UKI') == '1':
artifacts.append(d.getVar('COREOS_KERNEL_FILENAME'))
artifacts.append(d.getVar('COREOS_KERNEL0_FILENAME'))
artifacts.append(d.getVar('COREOS_KERNEL1_FILENAME'))
# Bootloaders
# ==========================================================================

41
layers/meta-belden-coreos/classes/coreos-image-installer.bbclass
View File

@ -1,41 +0,0 @@
# Class used to generate image based on Belden CoreOS
export IMAGE_BASENAME = "${MLPREFIX}${PN}"
IMAGE_NAME_SUFFIX ?= ""
IMAGE_LINGUAS = ""
LICENSE = "MIT"
IMAGE_FSTYPES = "cpio.gz"
# Support for generating a SDCard or USB installer is optional
COREOS_INSTALLER_WKS_FILE ??= ""
WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
IMAGE_BOOT_FILES = "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
COREOS_IMAGE_GENERATE_UKI = "1"
# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
# run during image generation
COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
COREOS_IMAGE_GENERATE_SWU = "0"
# Change generated UKI filename and reset the bundled command line to "APPEND"
# to ensure that root is not set in the kernel command line
COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
COREOS_KERNEL_CMDLINE ?= "${APPEND}"
inherit coreos-image
# Only install a reduced set of package and feature to keep image size small
IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer coreos-installer-unattended util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
IMAGE_FEATURES = "debug-tweaks swupdate"
NO_RECOMMENDATIONS = "1"
IMAGE_ROOTFS_SIZE = "8192"
INITRAMFS_MAXSIZE = "976562"
IMAGE_ROOTFS_EXTRA_SPACE = "0"
# Use the same restriction as initramfs-module-install
COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'

16
layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
View File

@ -16,19 +16,21 @@ python () {
inherit swupdate-image
# Ensure than variable used in the sw-description files are watched for change
do_swuimage[vardeps] += "COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
do_swuimage[vardeps] += "COREOS_KERNEL0_FILENAME COREOS_KERNEL1_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
do_swuimage[deptask] += "do_bundle_uki"
COREOS_EFIBOOTGUARD_NAME ?= "efibootguard${EFI_ARCH}"
COREOS_EFIBOOTGUARD_EXT ?= ".efi"
COREOS_EFIBOOTGUARD_FILENAME = "${COREOS_EFIBOOTGUARD_NAME}${COREOS_EFIBOOTGUARD_EXT}"
SWUPDATE_IMAGES += "${COREOS_KERNEL_NAME} ${COREOS_EFIBOOTGUARD_NAME}"
SWUPDATE_IMAGES += "${COREOS_KERNEL0_NAME} ${COREOS_KERNEL1_NAME} ${COREOS_EFIBOOTGUARD_NAME}"
python () {
kernel = d.getVar('COREOS_KERNEL_NAME')
kernel0 = d.getVar('COREOS_KERNEL0_NAME')
kernel1 = d.getVar('COREOS_KERNEL1_NAME')
kernelext = d.getVar('COREOS_KERNEL_EXT')
d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", kernel, kernelext)
d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", kernel0, kernelext)
d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", kernel1, kernelext)
efibootguard = d.getVar('COREOS_EFIBOOTGUARD_NAME')
efibootguardext = d.getVar('COREOS_EFIBOOTGUARD_EXT')
@ -69,11 +71,5 @@ def coreos_swupdate_extends(d, s, key):
return text
# Signature support
inherit coreos-efi-secureboot
SWUPDATE_SIGNING = "CMS"
SWUPDATE_CMS_KEY = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}

34
layers/meta-belden-coreos/classes/coreos-image-uki.bbclass
View File

@ -10,17 +10,20 @@ inherit coreos-efi-sbsign
# ==============================================================================
COREOS_KERNEL_EXT ??= ".efi"
COREOS_KERNEL_NAME ??= "kernel-${MACHINE}"
COREOS_KERNEL_FILENAME ??= "${COREOS_KERNEL_NAME}${COREOS_KERNEL_EXT}"
COREOS_KERNEL ??= "${DEPLOY_DIR_IMAGE}/${COREOS_KERNEL_FILENAME}"
COREOS_KERNEL0_NAME ??= "kernel0-${MACHINE}"
COREOS_KERNEL1_NAME ??= "kernel1-${MACHINE}"
COREOS_KERNEL0_FILENAME ??= "${COREOS_KERNEL0_NAME}${COREOS_KERNEL_EXT}"
COREOS_KERNEL0 ??= "${DEPLOY_DIR_IMAGE}/${COREOS_KERNEL0_FILENAME}"
COREOS_KERNEL1_FILENAME ??= "${COREOS_KERNEL1_NAME}${COREOS_KERNEL_EXT}"
COREOS_KERNEL1 ??= "${DEPLOY_DIR_IMAGE}/${COREOS_KERNEL1_FILENAME}"
# Kernel command line
# ==============================================================================
# AUTOLABEL will be replaced by the right PARTLABEL (rootfs0 or rootfs1) at
# runtime in the efibootguard UKI stub
COREOS_ROOTFS_ROOT ??= "PARTLABEL=AUTOLABEL"
COREOS_KERNEL_CMDLINE ??= "root=${COREOS_ROOTFS_ROOT} ${APPEND} rootwait"
COREOS_ROOTFS0_ROOT ??= "PARTLABEL=rootfs0"
COREOS_ROOTFS1_ROOT ??= "PARTLABEL=rootfs1"
COREOS_KERNEL0_CMDLINE ??= "root=${COREOS_ROOTFS0_ROOT} ${APPEND} rootwait"
COREOS_KERNEL1_CMDLINE ??= "root=${COREOS_ROOTFS1_ROOT} ${APPEND} rootwait"
COREOS_UKI_PART_KERNEL_FILENAME ??= "${KERNEL_IMAGETYPE}-${MACHINE}${KERNEL_IMAGE_BIN_EXT}"
COREOS_UKI_PART_KERNEL ??= "${DEPLOY_DIR_IMAGE}/${COREOS_UKI_PART_KERNEL_FILENAME}"
@ -45,7 +48,8 @@ do_image_uki() {
echo "kernel: ${COREOS_UKI_PART_KERNEL_FILENAME}"
echo "dtb: ${DTB_PARAMS}"
echo "cmdline: ${COREOS_KERNEL_CMDLINE}"
echo "cmdline0: ${COREOS_KERNEL0_CMDLINE}"
echo "cmdline1: ${COREOS_KERNEL1_CMDLINE}"
echo "initramfs: ${COREOS_UKI_PART_INITRAMFS}"
if [ ! -z "${COREOS_UKI_PART_INITRAMFS}" ]; then
@ -57,11 +61,19 @@ do_image_uki() {
bg_gen_unified_kernel \
"${COREOS_UKI_PART_STUB}" \
"${COREOS_UKI_PART_KERNEL}" \
"${COREOS_KERNEL}" \
--cmdline "${COREOS_KERNEL_CMDLINE}" \
"${COREOS_KERNEL0}" \
--cmdline "${COREOS_KERNEL0_CMDLINE}" \
${DTB_PARAMS}
coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL_FILENAME}"
bg_gen_unified_kernel \
"${COREOS_UKI_PART_STUB}" \
"${COREOS_UKI_PART_KERNEL}" \
"${COREOS_KERNEL1}" \
--cmdline "${COREOS_KERNEL1_CMDLINE}" \
${DTB_PARAMS}
coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL0_FILENAME}"
coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL1_FILENAME}"
}
do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot"

11
layers/meta-belden-coreos/classes/coreos-image.bbclass
View File

@ -68,7 +68,6 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
COREOS_IMAGE_BASE_INSTALL = "\
packagegroup-coreos-boot \
packagegroup-coreos-base \
secure-storage \
"
COREOS_IMAGE_EXTRA_INSTALL ?= ""
@ -90,12 +89,10 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
# Unified kernel image and swupdate support
# ==============================================================================
# The CoreOS image installer is disabled by default.
COREOS_IMAGE_GENERATE_INSTALLER ?= "0"
# Support for Unified Kernel Image and Swupdate are optional.
COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
COREOS_IMAGE_GENERATE_SWU ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"
# Support for Unified Kernel Image and Swupdate are optional
COREOS_IMAGE_GENERATE_INSTALLER ?= "1"
COREOS_IMAGE_GENERATE_UKI ?= "1"
COREOS_IMAGE_GENERATE_SWU ?= "1"
# Generate the installer image if needed
do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"

11
layers/meta-belden-coreos/classes/coreos-sanity.bbclass
View File

@ -13,8 +13,6 @@ addhandler check_coreos_sanity_eventhandler
check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
python check_coreos_sanity_eventhandler() {
import datetime
# Checks related to the distribution configuration files
# ==========================================================================
@ -38,15 +36,6 @@ python check_coreos_sanity_eventhandler() {
"Using glibc is mandatory on CoreOS based distribution"
)
# Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
foy_ts = str(int(first_of_year.timestamp()))
if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
bb.warn(
"`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
"Set to current 01. january of the year."
)
# Checks related to the machine configuration files
# ==========================================================================

8
layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
View File

@ -1,8 +0,0 @@
require conf/distro/include/belden-coreos-base.inc
DISTRO = "belden-coreos-base"
DISTRO_NAME = "Belden CoreOS (Base)"
MAINTAINER = "Belden CoreOS Team"
DISTRO_VERSION = "0.0.1"
DISTRO_CODENAME = "kirkstone"

91
layers/meta-belden-coreos/conf/distro/belden-coreos.conf
View File

@ -1,9 +1,94 @@
require conf/distro/include/belden-coreos-base.inc
require conf/distro/include/belden-coreos-extra.inc
DISTRO = "belden-coreos"
DISTRO_NAME = "Belden CoreOS"
MAINTAINER = "Belden CoreOS Team"
INHERIT += "coreos_metadata_scm"
DISTRO_VERSION = "0.0.1"
DISTRO_CODENAME = "kirkstone"
# Distro features and policies
# ==============================================================================
PACKAGE_CLASSES = "package_ipk"
INIT_MANAGER = "systemd"
# CoreOS use journald from the systemd package to handle log
# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
# This remove syslog from packagegroup-core-boot
VIRTUAL-RUNTIME_syslog = ""
VIRTUAL-RUNTIME_base-utils-syslog = ""
DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
# Build configuration
# ==============================================================================
TARGET_VENDOR = "-belden"
# We don't support multiple libc, so we don't need to append the libc name to
# the tmp directory: ie use build/tmp instead of build/tmp-glibc
TCLIBCAPPEND = ""
SANITY_TESTED_DISTROS ?= " \
debian-11 \n \
ubuntu-22.04 \n \
"
# This variable is used to ensure that any distribution using the CoreOS layer
# include this file. This is checked by the coreos-sanity class
SANITY_COREOS_COMPATIBLE ?= "1"
require conf/distro/include/no-static-libs.inc
require conf/distro/include/yocto-uninative.inc
require conf/distro/include/security_flags.inc
# uninative is need to share the sstates between multiple host distrubtion
INHERIT += "uninative"
# Bitbake configuration
# ==============================================================================
BB_SIGNATURE_HANDLER ?= "OEBasicHash"
# SDK Configuration
# ==============================================================================
SDK_VENDOR = "-coreossdk"
SDK_VERSION = "${DISTRO_VERSION}"
SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
# EFI and Secure boot
# ==============================================================================
EFI_PROVIDER = "efibootguard"
EFIBOOTGUARD_TIMEOUT ??= "60"
INHERIT += "coreos-efi-secureboot"
# Virtualization configuration
# ==============================================================================
# Use crun insted of runc as a OCI runtime. crun is faster and need less memory
# than runc so it's a better fit for embedded
#PREFERRED_PROVIDER_virtual/runc = "crun"
PACKAGECONFIG:append:pn-podman = " rootless"
DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"
# CoreOS specific options
# ==============================================================================
# Distro based on CoreOS can provide their own configuration files for the
# CoreOS installer by overriding this variable
PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
# Add distro details to cve-summary.json
CVE_CHECK_SUMMARY_JSON_HEADER_ADDITIONS ?= '"distro": "${DISTRO}", \
"distroCodeName": "${DISTRO_CODENAME}", \
"distroVersion": "${DISTRO_VERSION}", \
"metadataBranch": "${COREOS_METADATA_BRANCH}", \
"metadataRevision": "${COREOS_METADATA_REVISION}"'

118
layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
View File

@ -1,118 +0,0 @@
# This is the base include file for all coreos based distro
# it should support the most basic distro without optional coreos
# features
# Using :coreos override should work on all CoreOS based distro
# Note that :belden-coreos does not work on CoreOS based distro but will
# work when build for the belden-coreos distro
DISTROOVERRIDES = "coreos:${DISTRO}"
INHERIT += "coreos_metadata_scm"
# Distro features and policies
# ==============================================================================
PACKAGE_CLASSES = "package_ipk"
INIT_MANAGER = "systemd"
# CoreOS use journald from the systemd package to handle log
# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
# This remove syslog from packagegroup-core-boot
VIRTUAL-RUNTIME_syslog = ""
VIRTUAL-RUNTIME_base-utils-syslog = ""
DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
# CoreOS wasn't compatible with older Yocto version, so we should not have any
# features backfilled. Value are from DISTRO_FEATURES_BACKFILL
# with the exception of gobject-introspection-data that are backfilled on
# purpose, this allow to use C library based on gobject in python or javascript
DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio sysvinit ldconfig"
DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
# Build configuration
# ==============================================================================
TARGET_VENDOR = "-belden"
# We don't support multiple libc, so we don't need to append the libc name to
# the tmp directory: ie use build/tmp instead of build/tmp-glibc
TCLIBCAPPEND = ""
SANITY_TESTED_DISTROS ?= " \
debian-11 \n \
ubuntu-22.04 \n \
"
# This variable is used to ensure that any distribution using the CoreOS layer
# include this file. This is checked by the coreos-sanity class
SANITY_COREOS_COMPATIBLE ?= "1"
require conf/distro/include/no-static-libs.inc
require conf/distro/include/yocto-uninative.inc
require conf/distro/include/security_flags.inc
# uninative is need to share the sstates between multiple host distrubtion
INHERIT += "uninative"
# Bitbake configuration
# ==============================================================================
BB_SIGNATURE_HANDLER ?= "OEBasicHash"
# SDK Configuration
# ==============================================================================
SDK_VENDOR = "-coreossdk"
SDK_VERSION = "${DISTRO_VERSION}"
SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
# EFI and Secure boot
# ==============================================================================
EFI_PROVIDER = "efibootguard"
EFIBOOTGUARD_TIMEOUT ??= "60"
INHERIT += "coreos-efi-secureboot"
# PACKAGECONFIG
# ==============================================================================
# Reduce the size of some package by disabling some feature by default
# Distro using coreos can re-enabled a disabled config by changing
# the COREOS_DISABLED_PACKAGECONFIG variable
PACKAGECONFIG:pn-systemd ?= " \
${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \
hostnamed \
kmod \
localed \
logind \
set-time-epoch \
sysusers \
userdb \
vconsole \
wheel-group \
zstd \
"
# DNS Configuration
# CoreOS specific options
# ==============================================================================
# Distro based on CoreOS can provide their own configuration files for the
# CoreOS installer by overriding this variable
PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
# This TS represents 01.01.2024 generating it dynamically would cause a lot of
# things to get re-build, we need a good solution for this or change it every
# year
REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"

30
layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
View File

@ -1,30 +0,0 @@
# This is the include all the CoreOS feature that are optional
# Virtualization configuration
# ==============================================================================
PACKAGECONFIG:append:pn-podman = " rootless"
DISTRO_FEATURES += "virtualization seccomp"
# swupdate configuration
# ==============================================================================
# Enable the generation of .swu file for images
DISTRO_FEATURES += "swupdate"
# Networking configuration
# ==============================================================================
# Add networking support to systemd. This allow systemd to handle
# network/dhcp/dns/time
PACKAGECONFIG:pn-systemd += " \
hostnamed \
idn \
myhostname \
nss \
nss-resolve \
resolved \
networkd \
timedated \
timesyncd \
"

149
layers/meta-belden-coreos/conf/distro/include/coreos-support.inc
View File

@ -1,149 +0,0 @@
COREOS_RECIPE_MAINTAINER:pn-acl = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-arptables = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-attr = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-autoconf-archive = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-base-files = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-base-passwd = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-bash-completion = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-bash = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-binutils-cross-x86_64 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-boost = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-bridge-utils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-busybox = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-bzip2 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-ca-certificates = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-conntrack-tools = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-coreutils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-cppzmq = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-cracklib = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-cryptsetup = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-curl = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-dbus = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-depmodwrapper-cross = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-e2fsprogs = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-ebtables = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-efibootguard = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-elfutils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-ethtool = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-expat = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-findutils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-flatbuffers = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-flex = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-fmt = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gawk = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gcc-cross-x86_64 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gcc-runtime = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gdbm = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-glib-2.0 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-glibc = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-glibc-locale = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gmp = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gnu-efi = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-gnutls = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-grub-bootconf = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-grub = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-grub-efi = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-icu = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-iproute2 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-iptables = "Team CoreOS"
#iw should be removed
COREOS_RECIPE_MAINTAINER:pn-json-c = "Team CoreOS"
# kbd check if it can be removed
# kmod check if it can be removed
COREOS_RECIPE_MAINTAINER:pn-libaio = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libarchive = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libcap = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libcap-ng = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libcheck = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libconfig = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libdevmapper = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libestr = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libfastjson = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libffi = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libgcc = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libgcc-initial = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libgcrypt = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libgpg-error = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libidn2 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-liblogging = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libmnl = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnet = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-conntrack = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cthelper = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cttimeout = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-log = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-queue = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnfnetlink = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnl = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libnsl2 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libpam = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libpcap = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libpcre = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libseccomp = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libsodium = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libsolv = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libssh2 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libssh = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libtirpc = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libtool-cross = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libunistring = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libusb1 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libxcrypt = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-libxml2 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-linux-libc-headers = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-linux-yocto = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-logrotate = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-lrzsz = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-lvm2 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-lzo = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-m4 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-mtools = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-ncurses = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-netbase = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-nettle = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-openssh = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-openssl = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-opkg-arch-config = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-opkg = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-opkg-utils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-os-release = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-packagegroup-base = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-packagegroup-core-boot = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-base = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-boot = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-pciutils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-perl = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-popt = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-python3 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-qemuwrapper-cross = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-readline = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-rsyslog = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-run-postinsts = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-secure-storage = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-setserial = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-sh = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-shared-mime-info = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-spdlog = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-sqlite3 = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-swupdate = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-sysfsutils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-syslinux = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-syslog-ng = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-systemd-bootconf = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-systemd-boot = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-systemd-conf = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-systemd = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-systemd-serialgetty = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-tar = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-tcpdump = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-usbutils = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-util-linux = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-util-linux-libuuid = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-volatile-binds = "Team CoreOS"
# wpa-supplicant should be removed
COREOS_RECIPE_MAINTAINER:pn-xz = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-zeromq = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-zip = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-zlib = "Team CoreOS"
COREOS_RECIPE_MAINTAINER:pn-zstd = "Team CoreOS"

1
layers/meta-belden-coreos/conf/layer.conf
View File

@ -15,7 +15,6 @@ LAYERDEPENDS_meta-belden-coreos = "\
networking-layer \
virtualization-layer \
webserver \
meta-arm \
"
LAYERSERIES_COMPAT_meta-belden-coreos = "kirkstone"

12
layers/meta-belden-coreos/files/sw-description
View File

@ -23,11 +23,11 @@ software =
files: (
{
filename = "@@COREOS_KERNEL_FILENAME@@";
filename = "@@COREOS_KERNEL0_FILENAME@@";
path = "/KERNEL.EFI";
device = "/dev/disk/by-partlabel/ebg0";
filesystem = "vfat";
sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL_FILENAME@@)";
sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL0_FILENAME@@)";
},
{
filename = "@@COREOS_EFIBOOTGUARD_FILENAME@@";
@ -44,7 +44,7 @@ software =
bootenv: (
{
name = "kernelparams";
value = "coreos.root=rootfs0";
value = "";
},
{
name = "watchdog_timeout_sec";
@ -80,11 +80,11 @@ software =
files: (
{
filename = "@@COREOS_KERNEL_FILENAME@@";
filename = "@@COREOS_KERNEL1_FILENAME@@";
path = "/KERNEL.EFI";
device = "/dev/disk/by-partlabel/ebg1";
filesystem = "vfat";
sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL_FILENAME@@)";
sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL1_FILENAME@@)";
},
{
filename = "@@COREOS_EFIBOOTGUARD_FILENAME@@";
@ -100,7 +100,7 @@ software =
bootenv: (
{
name = "kernelparams";
value = "coreos.root=rootfs1";
value = "";
},
{
name = "watchdog_timeout_sec";

32
layers/meta-belden-coreos/lib/devtool/coreos-efibootguard.py
View File

@ -272,24 +272,40 @@ def efibootguard_generate_uki(args, config, basepath, workspace):
keydir = os.path.relpath(rd.getVar("COREOS_EFI_SECUREBOOT_KEYDIR"))
uki = UKIGeneratorArgs(
uki0 = UKIGeneratorArgs(
kernel=kernel,
output=os.path.relpath(rd.getVar("COREOS_KERNEL")),
cmdline=rd.getVar("COREOS_KERNEL_CMDLINE"),
output=os.path.relpath(rd.getVar("COREOS_KERNEL0")),
cmdline=rd.getVar("COREOS_KERNEL0_CMDLINE"),
dtb=dtb,
stub=stub,
root=rd.getVar("COREOS_ROOTFS_ROOT"),
root=rd.getVar("COREOS_ROOTFS0_ROOT"),
build_binary=build_binary,
keydir=keydir,
)
uki1 = UKIGeneratorArgs(
kernel=kernel,
output=os.path.relpath(rd.getVar("COREOS_KERNEL1")),
cmdline=rd.getVar("COREOS_KERNEL1_CMDLINE"),
dtb=dtb,
stub=stub,
root=rd.getVar("COREOS_ROOTFS1_ROOT"),
build_binary=build_binary,
keydir=keydir,
)
print(f"Applying passed parameters...")
uki.process_args(args)
uki0.process_args(args)
uki1.process_args(args)
print(f"KERNEL image will be generated with the following settings:")
printi(f"{uki}", 1)
print(f"KERNEL0 image will be generated with the following settings:")
printi(f"{uki0}", 1)
print()
print(f"KERNEL1 image will be generated with the following settings:")
printi(f"{uki1}", 1)
print()
print(f"Generating the files...")
return uki0.build_and_sign()
r = uki0.build_and_sign()
r += uki1.build_and_sign()
return r

93
layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard/0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch
View File

@ -1,93 +0,0 @@
From 2e8b73826c6ecaf5168002a18282ba7e4ac95e76 Mon Sep 17 00:00:00 2001
From: Samuel Dolt <samuel.dolt@netmodule.com>
Date: Mon, 12 Jun 2023 16:29:49 +0200
Subject: [PATCH] coreos: add a coreos specific rootfs switch to the UKI stub
The unified kernel stub can now replace the substring "AUTOLABEL"
in the built-in kernel command line by either rootfs0 and rootfs1
by looking the LoadOption string passed by ther firmware:
- LoadOptions contain "coreos.root=rootfs0", all occurences of
"AUTOLABEL" are replaced by "rootfs0"
- LoadOptions contain "coreos.root=rootfs1", all occurences of
"AUTOLABEL" are replaced by "rootfs1".
- LoadOptions is empty, the kernel command line will be used as is.
In all other case, the stub will exist without booting the kernel
with a INVALID PARAMETER error.
---
kernel-stub/main.c | 55 +++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 50 insertions(+), 5 deletions(-)
diff --git a/kernel-stub/main.c b/kernel-stub/main.c
index c0be1f6..6f456d3 100644
--- a/kernel-stub/main.c
+++ b/kernel-stub/main.c
@@ -128,11 +128,6 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table)
error_exit(L"Error getting LoadedImageProtocol", status);
}
- /* consider zero-termination for string length */
- if (stub_image->LoadOptionsSize > sizeof(CHAR16)) {
- info(L"WARNING: Passed command line options ignored, only built-in used");
- }
-
pe_header = get_pe_header(stub_image->ImageBase);
for (n = 0, section = get_sections(pe_header);
n < pe_header->Coff.NumberOfSections;
@@ -161,6 +156,56 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table)
kernel_image.LoadOptions = (UINT8 *) stub_image->ImageBase +
cmdline_section->VirtualAddress;
kernel_image.LoadOptionsSize = cmdline_section->VirtualSize;
+
+ /* CoreOS utilize the option passed from efibootguard to customize the kernel
+ * command line.
+ *
+ * Allowed option are:
+ * 'coreos.root=rootfs0' => replace "AUTOLABEL" with "rootfs0 " in place in the kernel CLI
+ * 'coreos.root=rootfs1' => replace "AUTOLABEL" with "rootfs1 " in place in the kernel CLI
+ * '' => no option passed
+ *
+ * Using another option string will return without booting the kernel
+ *
+ * hint: LoadOptions is a null-terminated wide string
+ * hint: sizeof return the number of byte. StrLen the number of characters
+ */
+ if (stub_image->LoadOptionsSize > sizeof(CHAR16)) {
+
+ // !!! symbol and rootfs must have the same length !!!
+ const CHAR16 symbol[] = L"AUTOLABEL";
+ CHAR16 rootfs[] = L"rootfsX ";
+
+ if (StrnCmp(L"coreos.root=rootfs0", stub_image->LoadOptions, stub_image->LoadOptionsSize) == 0) {
+ rootfs[6] = L'0';
+ } else if (StrnCmp(L"coreos.root=rootfs1", stub_image->LoadOptions, stub_image->LoadOptionsSize) == 0) {
+ rootfs[6] = L'1';
+ } else {
+ error_exit(L"LoadOptions is not valid", EFI_INVALID_PARAMETER);
+ }
+
+ /* Replace symbol by rootfs (AUTOLABEL by either rootfs0 or rootfs1) */
+ CHAR16 * str = kernel_image.LoadOptions;
+ UINTN len = kernel_image.LoadOptionsSize;
+ while (*str && len) {
+
+ /* Ensure that the string still contains enough char for the symbol */
+ if(len < sizeof(symbol)) {
+ break;
+ }
+
+ if(StrnCmp(str, &symbol, StrLen(symbol)) == 0) {
+ /* Replace symbol by rootfs, works because symbole and rootfs has the same length */
+ StrnCpy(str, rootfs, StrLen(rootfs));
+ }
+
+ str += 1;
+ len -= sizeof(CHAR16);
+ }
+
+ }
+
+ Print(L"Unified kernel stub: Kernel Options: %s\n", kernel_image.LoadOptions);
}
if (initrd_section) {

22
layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
View File

@ -1,22 +0,0 @@
# Add CoreOS A/B Switching support
# ==============================================================================
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch"
# Add signature support
# ==============================================================================
DEPENDS:append = " cos-certificates-and-keys-native"
inherit coreos-efi-sbsign
require conf/image-uefi.conf
do_deploy:append() {
if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
fi
}

244
layers/meta-belden-coreos/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc Normal file
View File

@ -0,0 +1,244 @@
DESCRIPTION = "Trusted Firmware-A"
LICENSE = "BSD-3-Clause & MIT"
PACKAGE_ARCH = "${MACHINE_ARCH}"
inherit deploy
SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
SRCREV_FORMAT = "tfa"
COMPATIBLE_MACHINE ?= "invalid"
# Platform must be set for each machine
TFA_PLATFORM ?= "invalid"
# Some platforms can have multiple board configurations
# Leave empty for default behavior
TFA_BOARD ?= ""
# Some platforms use SPD (Secure Payload Dispatcher) services
# Few options are "opteed", "tlkd", "trusty", "tspd", "spmd"...
# Leave empty to not use SPD
TFA_SPD ?= ""
# Variable used when TFA_SPD=spmd
TFA_SPMD_SPM_AT_SEL2 ?= "1"
# SP layout file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
TFA_SP_LAYOUT_FILE ?= ""
# SPMC manifest file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
TFA_ARM_SPMC_MANIFEST_DTS ?= ""
# Build for debug (set TFA_DEBUG to 1 to activate)
TFA_DEBUG ?= "0"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
# mbed TLS support (set TFA_MBEDTLS to 1 to activate)
TFA_MBEDTLS ?= "0"
# sub-directory in which mbedtls will be downloaded
TFA_MBEDTLS_DIR ?= "mbedtls"
# This should be set to MBEDTLS download URL if MBEDTLS is needed
SRC_URI_MBEDTLS ??= ""
# This should be set to MBEDTLS LIC FILES checksum
LIC_FILES_CHKSUM_MBEDTLS ??= ""
# add MBEDTLS to our sources if activated
SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}"
# Update license variables
LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}"
LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
# add mbed TLS to version
SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
# U-boot support (set TFA_UBOOT to 1 to activate)
# When U-Boot support is activated BL33 is activated with u-boot.bin file
TFA_UBOOT ??= "0"
# UEFI support (set TFA_UEFI to 1 to activate)
# When UEFI support is activated BL33 is activated with uefi.bin file
TFA_UEFI ??= "0"
# What to build
# By default we only build bl1, do_deploy will copy
# everything listed in this variable (by default bl1.bin)
TFA_BUILD_TARGET ?= "bl1"
# What to install
# do_install and do_deploy will install everything listed in this
# variable. It is set by default to TFA_BUILD_TARGET
TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
# Requires CROSS_COMPILE set by hand as there is no configure script
export CROSS_COMPILE="${TARGET_PREFIX}"
# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
CFLAGS[unexport] = "1"
LDFLAGS[unexport] = "1"
AS[unexport] = "1"
LD[unexport] = "1"
# No configure
do_configure[noexec] = "1"
# Baremetal, just need a compiler
DEPENDS:remove = "virtual/${TARGET_PREFIX}compilerlibs virtual/libc"
# We need dtc for dtbs compilation
# We need openssl for fiptool
DEPENDS = "dtc-native openssl-native"
DEPENDS:append:toolchain-clang = " compiler-rt"
# CC and LD introduce arguments which conflict with those otherwise provided by
# this recipe. The heads of these variables excluding those arguments
# are therefore used instead.
def remove_options_tail (in_string):
from itertools import takewhile
return ' '.join(takewhile(lambda x: not x.startswith('-'), in_string.split(' ')))
EXTRA_OEMAKE += "LD=${@remove_options_tail(d.getVar('LD'))}"
EXTRA_OEMAKE += "CC=${@remove_options_tail(d.getVar('CC'))}"
# Verbose builds, no -Werror
EXTRA_OEMAKE += "V=1 E=0"
# Add platform parameter
EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
# Handle TFA_BOARD parameter
EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
# Handle TFA_SPD parameter
EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
# If TFA_SPD is spmd, set SPMD_SPM_AT_SEL2
EXTRA_OEMAKE += "${@'SPMD_SPM_AT_SEL2=${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
# Handle TFA_DEBUG parameter
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_DEBUG', '1', 'DEBUG=${TFA_DEBUG}', '', d)}"
# Handle MBEDTLS
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
# Uboot support
DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '', d)}"
# UEFI support
DEPENDS += " ${@bb.utils.contains('TFA_UEFI', '1', 'edk2-firmware', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UEFI', '1', 'BL33=${RECIPE_SYSROOT}/firmware/uefi.bin', '', d)}"
# TFTF test support
DEPENDS += " ${@bb.utils.contains('TFTF_TESTS', '1', 'tf-a-tests', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('TFTF_TESTS', '1', 'BL33=${RECIPE_SYSROOT}/firmware/tftf.bin', '',d)}"
# Hafnium support
SEL2_SPMC = "${@'${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
DEPENDS += " ${@bb.utils.contains('SEL2_SPMC', '1', 'hafnium', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'CTX_INCLUDE_EL2_REGS=1 ARM_ARCH_MINOR=4 BL32=${RECIPE_SYSROOT}/firmware/hafnium.bin', '', d)}"
# Add SP layout file and spmc manifest for hafnium
EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'SP_LAYOUT_FILE=${TFA_SP_LAYOUT_FILE}' if d.getVar('TFA_SP_LAYOUT_FILE') else '', '', d)}"
EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}"
# Tell the tools where the native OpenSSL is located
EXTRA_OEMAKE += "OPENSSL_DIR=${STAGING_DIR_NATIVE}/${prefix_native}"
# Use the correct native compiler
EXTRA_OEMAKE += "HOSTCC='${BUILD_CC}'"
# Runtime variables
EXTRA_OEMAKE += "RUNTIME_SYSROOT=${STAGING_DIR_HOST}"
BUILD_DIR = "${B}/${TFA_PLATFORM}"
BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
do_compile() {
# This is still needed to have the native tools executing properly by
# setting the RPATH
sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
sed -i '/^LIB/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/cert_create/Makefile
# Currently there are races if you build all the targets at once in parallel
for T in ${TFA_BUILD_TARGET}; do
oe_runmake -C ${S} $T
done
}
do_compile[cleandirs] = "${B}"
do_install() {
install -d -m 755 ${D}/firmware
for atfbin in ${TFA_INSTALL_TARGET}; do
processed="0"
if [ "$atfbin" = "all" ]; then
# Target all is not handled by default
bberror "all as TFA_INSTALL_TARGET is not handled by do_install"
bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
bberror "rewrite or turn off do_install"
exit 1
fi
if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
echo "Install $atfbin.bin"
install -m 0644 ${BUILD_DIR}/$atfbin.bin \
${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
processed="1"
fi
if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
echo "Install $atfbin.elf"
install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
processed="1"
fi
if [ -f ${BUILD_DIR}/$atfbin ]; then
echo "Install $atfbin"
install -m 0644 ${BUILD_DIR}/$atfbin \
${D}/firmware/$atfbin-${TFA_PLATFORM}
ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
processed="1"
fi
if [ -f ${BUILD_DIR}/fdts/$atfbin.dtb ]; then
echo "Install $atfbin.dtb"
install -m 0644 "${BUILD_DIR}/fdts/$atfbin.dtb" \
"${D}/firmware/$atfbin.dtb"
processed="1"
elif [ "$atfbin" = "dtbs" ]; then
echo "dtbs install, skipped: set dtbs in TFA_INSTALL_TARGET"
elif [ -f ${B}/tools/$atfbin/$atfbin ]; then
echo "Tools $atfbin install, skipped"
elif [ "$processed" = "0" ]; then
bberror "Unsupported TFA_INSTALL_TARGET target $atfbin"
exit 1
fi
done
}
FILES:${PN} = "/firmware"
SYSROOT_DIRS += "/firmware"
FILES:${PN}-dbg = "/firmware/*.elf"
# Skip QA check for relocations in .text of elf binaries
INSANE_SKIP:${PN}-dbg = "textrel"
do_deploy() {
cp -rf ${D}/firmware/* ${DEPLOYDIR}/
}
addtask deploy after do_install
CVE_PRODUCT = "arm:arm-trusted-firmware \
arm:trusted_firmware-a \
arm:arm_trusted_firmware \
arm_trusted_firmware_project:arm_trusted_firmware"

5
layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend
View File

@ -1,5 +0,0 @@
# Add CoreOS distro settings to u-boot
UBOOT_COREOS_REQUIRE:coreos ?= "u-boot-coreos.inc"
UBOOT_COREOS_REQUIRE ?= ""
require ${UBOOT_COREOS_REQUIRE}

3
layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb
View File

@ -10,6 +10,3 @@ IMAGE_INSTALL:append = "${@bb.utils.contains("IMAGE_FEATURES", "swupdate", " swu
# development tools
IMAGE_INSTALL:append = " systemd-analyze"
# Enable the optional image installer
COREOS_IMAGE_GENERATE_INSTALLER = "1"

51
layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb
View File

@ -1,4 +1,53 @@
DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
# Don't reboot the device at reboot and don't do A/B switching
BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
export IMAGE_BASENAME = "${MLPREFIX}${PN}"
IMAGE_NAME_SUFFIX ?= ""
IMAGE_LINGUAS = ""
LICENSE = "MIT"
inherit coreos-image-installer
IMAGE_FSTYPES = "cpio.gz"
# Support for generating a SDCard installer is optional
COREOS_INSTALLER_WKS_FILE ??= ""
WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
IMAGE_BOOT_FILES = "${COREOS_KERNEL0_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
COREOS_IMAGE_GENERATE_UKI = "1"
# Avoid dependancy loop, we are already in an installer image, so we don't need
# to bundle another one
COREOS_IMAGE_GENERATE_INSTALLER = "0"
# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
# run during image generation
COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
COREOS_IMAGE_GENERATE_SWU = "0"
# Change generated UKI filename and bundled command line
# Having the same name to KERNEL0 and KERNEL1 means that KERNEL1 will overwrite
# KERNEL0.
COREOS_KERNEL0_NAME ?= "coreos-installer-${MACHINE}"
COREOS_KERNEL1_NAME ?= "coreos-installer-${MACHINE}"
COREOS_KERNEL0_CMDLINE ?= "${APPEND}"
COREOS_KERNEL1_CMDLINE ?= "${APPEND}"
inherit coreos-image
# Only install a reduced set of package and feature to keep image size small
IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer swupdate-www util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
IMAGE_FEATURES = "debug-tweaks swupdate networkmanager"
NO_RECOMMENDATIONS = "1"
IMAGE_ROOTFS_SIZE = "8192"
INITRAMFS_MAXSIZE = "976562"
IMAGE_ROOTFS_EXTRA_SPACE = "0"
# Use the same restriction as initramfs-module-install
COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'

2
layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb
View File

@ -15,7 +15,7 @@ COREOS_IMAGE_EFI_PROVIDER_EXTRA = " \
"
RDEPENDS:${PN} = "\
packagegroup-base \
packagegroup-base-extended \
os-release \
${@bb.utils.contains("MACHINE_FEATURES", "efi", "${COREOS_IMAGE_EFI_PROVIDER_EXTRA}", "", d)} \
"

2
layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog
View File

@ -1,2 +0,0 @@
[Manager]
RuntimeWatchdogSec=5

15
layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend
View File

@ -1,15 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/systemd-conf:"
SRC_URI += " file://system.conf-watchdog"
do_install:append(){
# the creation date/time of this file will be used as initial boot time.
# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
# More info about the date/time handling here:
# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
touch ${D}/${base_libdir}/clock-epoch
install -D -m0644 ${WORKDIR}/system.conf-watchdog ${D}${systemd_unitdir}/system.conf.d/01-${PN}-watchdog.conf
}
FILES:${PN} += "${base_libdir}/clock-epoch"

23
layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh
View File

@ -1,23 +0,0 @@
#!/usr/bin/env sh
# catch errors from previous source files
if [ "$SWUPDATE_EXIT" != "" ]; then
# Notify the installation status indicator about the failed installation.
# This can result in the red LED lighting up.
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
exit 1
fi
# Notify the installation status indicator about the success with partitioning
# the blockdevice. This can result in the first green LED lighting up.
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusPartitioningSuccess
mount /dev/disk/by-label/image /mnt
if [ ! -f "/mnt/image.swu" ]; then
echo "Could not find image.swu on the vfat partition!"
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
exit 1
fi
SWUPDATE_ARGS="${SWUPDATE_ARGS} -p /usr/lib/swupdate/post-install.sh"
SWUPDATE_ARGS="${SWUPDATE_ARGS} -i /mnt/image.swu"

5
layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/post-install.sh
View File

@ -1,5 +0,0 @@
#!/usr/bin/env sh
# Notify the installation status indicator about the success with flashing the image.
# This can result in the second green LED lighting up.
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusImageFlashingSuccess

23
layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended_1.0.bb
View File

@ -1,23 +0,0 @@
DESCRIPTION = "CoreOS scripts for unattended installation"
SECTION = "coreos"
LICENSE = "CLOSED"
SRC_URI += "\
file://99-overwrite.sh \
file://post-install.sh \
"
FILES:${PN} = "\
${libdir}/swupdate/conf.d/99-overwrite.sh \
${libdir}/swupdate/post-install.sh \
"
RDEPENDS:${PN} = "coreos-installer"
RCONFLICTS:${PN} = "swupdate-www"
do_install() {
install -d ${D}${libdir}/swupdate/conf.d
install -m 755 ${WORKDIR}/post-install.sh ${D}${libdir}/swupdate/
install -m 755 ${WORKDIR}/99-overwrite.sh ${D}${libdir}/swupdate/conf.d/
}

11
layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer/25-installer-config.sh
View File

@ -1,8 +1,5 @@
#!/usr/bin/env sh
set -o errtrace
trap 'echo "An error occured in line $LINENO: $BASH_COMMAND, exiting..."; SWUPDATE_EXIT=1; exit;' ERR
# Read /etc/hwrevision and turn it into a stripped string
# with the format ${MACHINE}_${VERSION}
HWREVISION=$(tr ' ' '_' < /etc/hwrevision | tr -d '[:space:]')
@ -18,13 +15,6 @@ fi
DISK=$(grep "^device:\s" < "${SFDISK_DUMP_FILE}" | cut -d ' ' -f 2)
# Remove the partition table signature, if there is already one.
# This ensures that sfdisk always finds a 'clean' disk to install / recover
wipefs -a -f ${DISK}
# Give the kernel some time to reload the partition
sleep 3
echo "Flashing ${SFDISK_DUMP_FILE} to ${DISK}"
cat "${SFDISK_DUMP_FILE}"
sfdisk "${DISK}" < "${SFDISK_DUMP_FILE}"
@ -58,4 +48,3 @@ umount /mnt/ebg1
umount /mnt/efi
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"

20
layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer_1.0.bb
View File

@ -1,18 +1,22 @@
DESCRIPTION = "CoreOS Installer scripts"
SECTION = "coreos"
LICENSE = "CLOSED"
SECTION = "coreos"
SRC_URI += "file://25-installer-config.sh"
SRC_URI+= " \
file://25-installer-config.sh \
"
FILES:${PN} = "${libdir}/swupdate/conf.d/25-installer-config.sh"
# This package ship an alternate configuration for SWUpade to disable A/B
# switching and always flash A
RCONFLICTS:${PN}= "swupdate-coreos-config"
FILES:${PN} = " \
${libdir}/swupdate/conf.d/25-installer-config.sh \
"
# glibc-utils provide iconv
# glibc-gconv-utf-16 provide utf-16 support to iconv
RDEPENDS:${PN} = "coreos-installer-config dosfstools glibc-gconv-utf-16 glibc-utils util-linux-lsblk util-linux-sfdisk util-linux-wipefs"
# This package ships an alternate configuration for SWUpdate to disable A/B
# switching and always flash A
RCONFLICTS:${PN} = "swupdate-coreos-config"
RDEPENDS:${PN} = "coreos-installer-config dosfstools util-linux-lsblk util-linux-sfdisk glibc-utils glibc-gconv-utf-16"
do_install() {
install -d ${D}${libdir}/swupdate/conf.d

4
layers/meta-belden-coreos/recipes-kernel/linux/files/secure-storage.cfg
View File

@ -1,4 +0,0 @@
CONFIG_BLK_DEV_DM=y
CONFIG_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_DM_CRYPT=y

8
layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto-coreos.inc
View File

@ -1,8 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
# Secure Storage
# ==============================================================================
SRC_URI += "file://secure-storage.cfg"
# Ensure the Kernel EFI STUB is enabled
KERNEL_FEATURES += "cfg/efi.scc cfg/efi-ext.scc"

6
layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto_%.bbappend
View File

@ -1,6 +0,0 @@
# Add CoreOS distro settings to the linux-yocto recipes
LINUX_YOCTO_COREOS_REQUIRE ?= ""
LINUX_YOCTO_COREOS_REQUIRE:coreos = "linux-yocto-coreos.inc"
require ${LINUX_YOCTO_COREOS_REQUIRE}

65
layers/meta-belden-coreos/recipes-security/cos-certificates-and-keys/cos-certificates-and-keys-native_1.0.bb
View File

@ -1,65 +0,0 @@
SUMMARY = "Installs CoreOS certificates and keys"
DESCRIPTION = "Installs CoreOS certificates and keys that are used during the build"
AUTHOR = "Patrick Vogelaar"
LICENSE = "CLOSED"
SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
S = "${WORKDIR}/git"
inherit deploy native
CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
do_install() {
install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
}
# Public key needed by firmware very depending on the implementation
# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
addtask deploy after do_compile
do_deploy() {
install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
# !SECURITY WARNING!
# .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
}

93
layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
View File

@ -1,93 +0,0 @@
#!/usr/bin/env sh
loopdir=/usr/local/data/loopdevices
loopfile=$loopdir/crypt.loop
keyfiledir=/usr/local/data/.crypto
keyfile=$keyfiledir/ss_crypto.keyfile
#megabytes
loopsize=16
#/dev/mapper/xxxxx when open
cryptmapper=secStorage
makefilesystem=ext4
#mountpoint of uncrypted device
mountpoint=/usr/local/data/secure-storage
create_keyfile() {
# echo "Create key file"
systemd-notify --status="Create key file"
mkdir -p $keyfiledir
dd if=/dev/urandom of=$keyfile bs=1 count=256
chown root:root $keyfiledir/*
chmod 000 $keyfiledir/*
}
error() {
echo "Error: $1"
exit $?
}
#creates a new file
create_loopback_and_open() {
# echo "Creating a file with random bits.. this could take a while..."
systemd-notify --status="Creating a file with random bits.. this could take a while..."
mkdir -p $loopdir || error "Creating loopdir"
mkdir -p $mountpoint || error "Creating mountpoint"
dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
echo "Selected loop device: $loopdevice"
cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
systemd-notify --ready --status="Sucessfully mounted secure storage"
}
#mounts crypted loopback file
open() {
#echo "Open secure-storage"
systemd-notify --status="Open secure storage"
loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
echo "Selected loop device: $ld"
cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
systemd-notify --ready --status="Sucessfully mounted secure storage"
}
#unmounts previously mounted loopback file
close() {
echo "Close secure-storage"
# get loopdevice
loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
umount $mountpoint
cryptsetup close $cryptmapper
losetup -d $loopdevice
}
if [ $# -eq 1 ]
then
#echo "Parameter detected"
$1
exit 0
fi
if [ -e $keyfile ]
then
#echo "Key file available"
if [ -e $loopfile ]
then
#echo "Loop file available"
open
else
#echo "Loop file not available"
create_loopback_and_open
fi
else
#echo "Key file not available"
create_keyfile
create_loopback_and_open
fi

12
layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
View File

@ -1,12 +0,0 @@
[Unit]
Description=Secure Storage Service
RequiresMountsFor=/usr/local/data
[Service]
Type=notify
ExecStart=/usr/bin/sec-storage-loopback.sh
TimeoutSec=300
[Install]
WantedBy=local-fs.target

34
layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
View File

@ -1,34 +0,0 @@
SUMMARY = "Provides a Secure Storage"
DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
AUTHOR = "Patrick Vogelaar"
LICENSE = "CLOSED"
SRC_URI = "\
file://sec-storage-loopback.sh \
file://secure-storage.service \
"
S = "${WORKDIR}"
inherit systemd
FILES:${PN} += "\
/usr/local/data/ \
${systemd_unitdir}/system \
${bindir}/sec-storage-loopback.sh \
${systemd_unitdir}/system/secure-storage.service \
"
do_install() {
install -d ${D}$/usr/local/data/
install -d ${D}${bindir}
install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
}
SYSTEMD_SERVICE:${PN} = "secure-storage.service"
SYSTEMD_AUTO_ENABLE = "enable"
RDEPENDS:${PN} += "cryptsetup util-linux-losetup e2fsprogs-mke2fs"

3
layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
View File

@ -37,6 +37,3 @@ case $ROOT_PARTLABEL in
exit 1
;;
esac
echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"

5
layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
View File

@ -24,8 +24,3 @@ CONFIG_DISKPART=y
CONFIG_DISKPART_FORMAT=y
CONFIG_FAT_FILESYSTEM=y
CONFIG_EXT_FILESYSTEM=y
CONFIG_SIGNED=y
CONFIG_SIGNED_IMAGES=y
CONFIG_SIGALG_RAWRSA=n
CONFIG_SIGALG_CMS=y
CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y

12
layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
View File

@ -1,12 +1,7 @@
inherit features_check
REQUIRED_DISTRO_FEATURES = "swupdate"
# File in the swupdate subdirectory of this recipe should overwrite the
# same file in meta-swupdate
FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
DEPENDS += "cos-certificates-and-keys-native"
SRC_URI += "\
file://50-webserver-config.sh \
file://25-sw-collections-config.sh \
@ -14,6 +9,7 @@ SRC_URI += "\
PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
# Don't use /www as the web root
wwwdir = "${datadir}/swupdate-www"
@ -39,15 +35,9 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
# configuration to be installed
RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"
inherit coreos-efi-secureboot
do_install:append() {
# Probably replace revision with the value of the device tree
install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
}
# Fix: libgcc_s.so.1 must be installed for pthread_exit to work
RDEPENDS:${PN} += "libgcc"

15
layers/meta-belden-coreos/recipes-test/bats/bats-assert_2.1.0.bb
View File

@ -1,15 +0,0 @@
SUMMARY = "Common assertions for Bats"
DESCRIPTION = "bats-assert is a helper library providing common assertions for \
Bats."
HOMEPAGE = "https://github.com/bats-core/bats-assert"
LICENSE = "CC0-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
PV = "2.1.0"
SRC_URI = "git://github.com/bats-core/bats-assert.git;protocol=https;branch=master"
SRCREV = "78fa631d1370562d2cd4a1390989e706158e7bf0"
S = "${WORKDIR}/git"
inherit bats-library
RDEPENDS:${PN} += "bats-support"

15
layers/meta-belden-coreos/recipes-test/bats/bats-file_git.bb
View File

@ -1,15 +0,0 @@
SUMMARY = " Common filesystem assertions for Bats"
DESCRIPTION = "bats-file is a helper library providing common filesystem \
related assertions and helpers for Bats."
HOMEPAGE = "https://github.com/bats-core/bats-file"
LICENSE = "CC0-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
PV = "0.3.0+${SRCPV}"
SRC_URI = "git://github.com/bats-core/bats-file.git;protocol=https;branch=master"
SRCREV = "cb914cdc176da00e321d3bc92f88383698c701d6"
S = "${WORKDIR}/git"
inherit bats-library
RDEPENDS:${PN} += "bats-support"

13
layers/meta-belden-coreos/recipes-test/bats/bats-support_0.3.0.bb
View File

@ -1,13 +0,0 @@
SUMMARY = "Supporting library for Bats test helpers"
DESCRIPTION = "bats-support is a supporting library providing common \
functions to test helper libraries written for Bats."
HOMEPAGE = "https://github.com/bats-core/bats-support"
LICENSE = "CC0-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
PV = "0.3.0"
SRC_URI = "git://github.com/bats-core/bats-support.git;protocol=https;branch=master"
SRCREV = "3c8fadc5097c9acfc96d836dced2bb598e48b009"
S = "${WORKDIR}/git"
inherit bats-library

35
layers/meta-belden-coreos/recipes-test/bats/bats_1.10.0.bb
View File

@ -1,35 +0,0 @@
# backported from oe-core master
SUMMARY = "Bash Automated Testing System"
DESCRIPTION = "Bats is a TAP-compliant testing framework for Bash. It \
provides a simple way to verify that the UNIX programs you write behave as expected."
HOMEPAGE = "https://github.com/bats-core/bats-core"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2970203aedf9e829edb96a137a4fe81b"
SRC_URI = "\
git://github.com/bats-core/bats-core.git;branch=master;protocol=https \
"
# v1.10.0
SRCREV = "f7defb94362f2053a3e73d13086a167448ea9133"
S = "${WORKDIR}/git"
# Numerous scripts assume ${baselib} == lib, which is not true.
#
do_configure:prepend() {
for f in ${S}/libexec/bats-core/* ${S}/lib/bats-core/* ; do
sed -i 's:\$BATS_ROOT/lib/:\$BATS_ROOT/${baselib}/:g' $f
done
}
do_install() {
# Just a bunch of bash scripts to install
${S}/install.sh ${D}${prefix} ${baselib}
}
RDEPENDS:${PN} = "bash"
FILES:${PN} += "${libdir}/bats-core/*"
PACKAGECONFIG ??= "pretty"
PACKAGECONFIG[pretty] = ",,,ncurses"

123
layers/meta-belden-coreos/scripts/cve_to_elastic.py Normal file
View File

@ -0,0 +1,123 @@
import json
import pandas as pd
import argparse
import requests
from requests.auth import HTTPBasicAuth
parser = argparse.ArgumentParser(description='Read the cve-summary.json files and uploads the results to elastic',
epilog='''
Following mapping should be applied to elastic:\n
curl -u "coreos:zPQWfYWZcA" -X PUT "https://ci.gad.local:9200/coreos-cve?pretty" -H 'Content-Type: application/json' -d'
{
"mappings": {
"properties": {
"distro": {
"type": "keyword"
},
"distroCodeName": {
"type": "keyword"
},
"distroVersion": {
"type": "version"
},
"metadataBranch": {
"type": "keyword"
},
"metadataRevision": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"link": {
"type": "text"
},
"scorev2": {
"type": "float"
},
"scorev3": {
"type": "float"
},
"status": {
"type": "keyword"
},
"summary": {
"type": "keyword"
},
"vector": {
"type": "keyword"
},
"layer": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"cvesInRecord": {
"type": "keyword"
},
"product": {
"type": "keyword"
},
"version": {
"type": "version"
}
}
}
}
'
''')
parser.add_argument('filename', help='path to the cve-summary.json')
parser.add_argument('url',
help='server url including the elastic index e.g.: https://ci.gad.local:9200/coreos-cve/_docs')
parser.add_argument('--native', dest='native',
action='store_true', help='include -native packages')
args = parser.parse_args()
with open(args.filename, 'r') as file:
json_data = json.load(file)
json_no_cve = []
json_cve = []
for package in json_data['package']:
# filter out native packages
if not args.native and "-native" in package["name"]:
continue
# split into packages that contain cves and the ones who dont have any
if package["issue"]:
json_cve.append(package)
else:
json_no_cve.append(package)
df_cve = pd.json_normalize(json_cve, record_path=["issue"], meta=[
["name"], ["layer"], ["version"], ["products"]])
json_no_cve_normalized = pd.json_normalize(json_no_cve)
json_cve = json.loads(df_cve.to_json(orient='records', indent=2))
json_no_cve = json.loads(json_no_cve_normalized.to_json(orient='records', indent=2))
json_all_packages = json_cve + json_no_cve
additions = {"distro": json_data["distro"], "distroCodeName": json_data["distroCodeName"], "distroVersion": json_data["distroVersion"],
"metadataBranch": json_data["metadataBranch"], "metadataRevision": json_data["metadataRevision"]}
auth = HTTPBasicAuth('coreos', 'zPQWfYWZcA')
cntr = 0
for package in json_all_packages:
product = package.pop("products")[0]
if "issue" in package:
package.pop("issue")
package.update(product)
package.update(additions)
requests.post(args.url, json=package, auth=auth)
cntr += 1
print(f"{cntr} entries added")

2
layers/meta-belden-marvell-bsp/conf/layer.conf
View File

@ -9,5 +9,5 @@ BBFILE_COLLECTIONS += "meta-belden-marvell-bsp"
BBFILE_PATTERN_meta-belden-marvell-bsp = "^${LAYERDIR}/"
BBFILE_PRIORITY_meta-belden-marvell-bsp = "6"
LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos meta-arm"
LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos"
LAYERSERIES_COMPAT_meta-belden-marvell-bsp = "kirkstone"

2
layers/meta-belden-marvell-bsp/conf/machine/include/cn913x.inc
View File

@ -26,7 +26,7 @@ UBOOT_LOADADDRESS = "0x7000000"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-netmodule"
PREFERRED_VERSION_linux-netmodule ?= "git-5.15-solidrun"
PREFERRED_VERSION_trusted_firmware_a = "2.6"
PREFERRED_VERSION_trusted_firmware_a ?= "2.3-solidrun"
KERNEL_IMAGETYPE = "Image"
KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"

28
layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/README.md Normal file
View File

@ -0,0 +1,28 @@
# trusted-firmware-a
trusted-firmware-a recipes was copied from:
meta-arm/meta-arm/recipes-bsp/trusted-firmware-a
Repo: git://git.yoctoproject.org/meta-arm
Branch: kirkstone
Git SHA: 78fce73c3803aba82149a3a03fde1b708f5424fa
Theses files were copied:
- trusted-firmware-a.inc
- files/ssl.patch
Theses files were created, by doing the same as done in meta-arm/meta-arm-bsp
but using the same revision and make flags as in https://github.com/SolidRun/cn913x_yocto_meta.git
- trusted-firmware-a_2.3.bb
Theses files were copied from https://github.com/SolidRun/cn913x_yocto_meta.git
- files/mrvl_scp_bl2.img
- files/000*.patch
More info about how to use trusted-firmware-a for Marvell can be found at
https://trustedfirmware-a.readthedocs.io/en/latest/plat/marvell/armada/build.html

11
layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch
View File

@ -1,14 +1,14 @@
From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
From: Alon Rotman <alon.rotman@solid-run.com>
Date: Mon, 22 Nov 2021 13:33:25 +0200
Subject: [PATCH] ddr spd read failover to defualt config
Subject: [PATCH 2/2] ddr spd read failover to defualt config
---
.../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
1 file changed, 93 insertions(+), 7 deletions(-)
diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
index 82ce07b09..bb7814e9b 100644
index 0befadfc6..5de71f095 100644
--- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
+++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
@@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@ -148,7 +148,7 @@ index 82ce07b09..bb7814e9b 100644
{
struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
@@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
/* read data from spd */
- i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
@ -159,3 +159,6 @@ index 82ce07b09..bb7814e9b 100644
+ set_param_based_on_som_strap();
}
}
--
2.25.1

Some files were not shown because too many files have changed in this diff Show More