Pull request #186: Various small changes

Merge in ICO/coreos from various_small_changes to master

* commit 'a0910ef3ff70a53ea410ba205e36a2f5620481b3':
  chore(submodules): update third-party submodules
  feat(coreos-supportd-pkgs): create list of CoreOS supported packages
  chore(belden-coreos): move the initial timestamp to a generic file
  fix(swupdate): add libgcc as a dependency to terminate swupdate correctly
  feat(eagle40-03): strip out unused MACHINE_FEATURES for eagle40-03

.gitignore

@@ -3,4 +3,5 @@ vscode-bitbake-build/
 documentation/_build/
 documentation/oe-logs
 documentation/oe-workdir
-__pycache__
+__pycache__
+.venv/

.gitmodules

@@ -2,23 +2,35 @@
 	path = bitbake
 	url = ssh://git@bitbucket.gad.local:7999/ico/bitbake.git
 	branch = 2.0
-[submodule "layers/openembedded-core"]
-	path = layers/openembedded-core
+[submodule "openembedded-core"]
+	path = external-layers/openembedded-core
 	url = ssh://git@bitbucket.gad.local:7999/ico/openembedded-core.git
 	branch = kirkstone
-[submodule "layers/meta-openembedded"]
-	path = layers/meta-openembedded
+[submodule "meta-openembedded"]
+	path = external-layers/meta-openembedded
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-openembedded.git
 	branch = kirkstone
-[submodule "layers/meta-virtualization"]
-	path = layers/meta-virtualization
+[submodule "meta-virtualization"]
+	path = external-layers/meta-virtualization
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
 	branch = kirkstone
-[submodule "layers/meta-efibootguard"]
-	path = layers/meta-efibootguard
+[submodule "meta-efibootguard"]
+	path = external-layers/meta-efibootguard
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-efibootguard.git
 	branch = master
-[submodule "layers/meta-swupdate"]
-	path = layers/meta-swupdate
+[submodule "meta-swupdate"]
+	path = external-layers/meta-swupdate
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
 	branch = kirkstone
+[submodule "meta-arm"]
+	path = external-layers/meta-arm
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-arm.git
+	branch = kirkstone
+[submodule "meta-ti"]
+	path = external-layers/meta-ti
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-ti.git
+	branch = kirkstone
+[submodule "meta-lts-kernel-mixin"]
+	path = external-layers/meta-lts-kernel-mixin
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-lts-mixins.git
+	branch = coreos/kirkstone/kernel

.vscode/extensions.json

@@ -1,6 +1,10 @@
 {
     "recommendations": [
         "ms-vscode.makefile-tools",
-        "timonwong.shellcheck"
+        "timonwong.shellcheck",
+        "kweihmann.oelint-vscode",
+        "lextudio.restructuredtext",
+        "trond-snekvik.simple-rst",
+        "yocto-project.yocto-bitbake"
     ]
 }

.vscode/settings.json

@@ -1,9 +1,47 @@
 {
     "files.watcherExclude": {
-        "**/build/cache/**": true,
-        "**/build/downloads/**": true,
-        "**/build/sstate-cache/**": true,
-        "**/build/tmp/**": true
+        "**/build/**": true,
+        "**/_build/**": true,
     },
-    "python.formatting.provider": "black"
+    "search.exclude": {
+        "**/build/**": true,
+        "**/_build/**": true,
+    },
+    "C_Cpp.files.exclude": {
+        "**/build": true,
+        "**/_build": true,
+    },
+    "python.analysis.exclude": [
+        "**/build/**",
+        "**/_build/**",
+    ],
+    "python.formatting.provider": "black",
+    "editor.rulers": [80,100,120],
+    "bitbake.pathToBuildFolder": "${workspaceFolder}/build",
+    "bitbake.pathToEnvScript": "${workspaceFolder}/coreos-init-build-env",
+    "bitbake.pathToBitbakeFolder": "${workspaceFolder}/bitbake",
+    "python.autoComplete.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "python.analysis.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "[python]": {
+        "diffEditor.ignoreTrimWhitespace": false,
+        "gitlens.codeLens.symbolScopes": [
+            "!Module"
+        ],
+        "editor.formatOnType": true,
+        "editor.wordBasedSuggestions": "off",
+        "files.trimTrailingWhitespace": false
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "files.trimTrailingWhitespace": false
+    },
+    "bitbake.sdkImage": "coreos-image-minimal",
+    "bitbake.workingDirectory": "${workspaceFolder}",
+    "task.saveBeforeRun": "always",
 }

bitbake

@@ -1 +1 @@
-Subproject commit 0c6f86b60cfba67c20733516957c0a654eb2b44c
+Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607

coreos-init-build-env

@@ -26,7 +26,7 @@ COREOS_ROOT=$(readlink -f "${COREOS_ROOT}")
 # Set the path to bitbake, openembedded-core and the template directory
 # All theses values can be overriden by the caller of coreos-init-build-env
 BITBAKEDIR="${BITBAKEDIR:-${COREOS_ROOT}/bitbake}"
-OEROOT="${OEROOT:-${COREOS_ROOT}/layers/openembedded-core}"
+OEROOT="${OEROOT:-${COREOS_ROOT}/external-layers/openembedded-core}"
 TEMPLATECONF="${TEMPLATECONF:-${COREOS_ROOT}/templates}"
 
 # Sanity checks
@@ -84,6 +84,11 @@ coreos_path_add "${COREOS_ROOT}/scripts"
 # Add support for ##COREOS_LAYERSDIR## inside of bblayer template
 coreos-bblayers-envsub COREOS_LAYERSDIR "${COREOS_ROOT}/layers"
 
-# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything it
-# the directory already exist, so it's safe to call it everytime
-coreos-keygen > /dev/null 2> /dev/null
+# Add support for ##COREOS_EXTLAYERSDIR## inside of bblayer template
+coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
+
+# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything
+# if the directory already exist so it's safe to call it everytime
+# stdout is redirected to reduce the amount of output but not stderr
+#
+#Note: if a final build is detected all the dev keys are deleted

documentation/.vscode/extensions.json

@@ -0,0 +1,7 @@
+{
+    "recommendations": [
+        "ms-vscode.makefile-tools",
+        "lextudio.restructuredtext",
+        "trond-snekvik.simple-rst"
+    ]
+}

documentation/.vscode/settings.json

@@ -0,0 +1,12 @@
+{
+    "files.watcherExclude": {
+        "**/_build/**": true,
+    },
+    "python.formatting.provider": "black",
+    "editor.rulers": [
+        80,
+        100,
+        120
+    ],
+    "esbonio.sphinx.confDir": ""
+}

documentation/boot/index.rst

@@ -11,3 +11,4 @@ Belden CoreOS Boot Concepts
 
    overview
    uboot
+   secure-boot

documentation/boot/secure-boot.rst

@@ -0,0 +1,268 @@
+*******************
+Secure Boot Concept
+*******************
+
+Currently CoreOS provide a Proof Of Concept of some of the secure boot element that we want to 
+implement a full secure-boot solution based on UEFI secure boot.
+
+The current proof of concept is structured as follows:
+
+Hardware Requirements
+=====================
+   
+   - The device must have an `eMMC`.
+   - The architecture of the device must be either `ARM32` or `AARCH64`.
+
+
+eMMC Embedded MultiMediaCard
+============================
+
+eMMC, or Embedded MultiMediaCard, represents a prevalent storage format in devices such as 
+smartphones, tablets, and other embedded systems. It encapsulates NAND flash memory and a dedicated
+controller within one package. This structure not only eases integration for device manufacturers
+but also ensures a compact, efficient storage medium.
+
+Within eMMC's architecture, distinct hardware partitions cater to diverse operational demands:
+
+.. graphviz::
+
+    digraph emmcStructure {
+        rankdir=TB;
+        node [shape=box, style=filled, fillcolor="#e6f2ff"];
+        edge [color="#0099cc", fontsize=12];
+
+        compound=true;
+
+        subgraph cluster_eMMC {
+            label="eMMC";
+            color="#0099cc";
+
+            Boot0 [label="Boot0"];
+            Boot1 [label="Boot1"];
+            RPMB [label="RPMB"];
+
+            subgraph cluster_User {
+                label="User";
+                color="#00cc99";
+                GPT [label="GPT Table"];
+
+                subgraph cluster_GPT {
+                    label="Software Partitions (GPT)";
+                    color="#99e6e6";
+
+                    SoftwarePartition1 [label="Partition 1"];
+                    SoftwarePartition2 [label="Partition 2"];
+                    SoftwarePartitionN [label="Partition N"];
+                }
+            }
+        }
+    }
+
+
+#. **Boot0 and Boot1**: The boot partitions cater to device start-up requirements, typically hosting
+   the firmware. Boot0 predominantly initiates the boot-up, while Boot1 stands as a secondary guard 
+   or backup, ensuring booting is resilient and failsafe.
+
+#. **RPMB (Replay Protected Memory Block)**: As a secure partition, RPMB shelters data against
+   potential tampering. It's tailored for sensitive information storage, such as cryptographic keys.
+   Its design counters data replays or rollbacks, fortifying against particular attack types.
+
+#. **User**: The primary storage domain, the User partition accommodates the OS, applications,
+   and user-centric data. It's reminiscent of the primary storage drive in larger computing devices.
+   Importantly, the User partition has a layered structure. Using the GPT (GUID Partition Table), it
+   is further divided into multiple software partitions, which can house diverse datasets or file
+   systems.
+
+The boot concept of CoreOS rely on the presence of an eMMC to implement the following feature:
+
+- Storage of two copy of the firmware with a way to switch from a copy to another using the eMMC
+  boot0 and boot1 hardware partition
+- Storage of keys used by the UEFI Secure Key specification inside the secure RPMB hardware
+  partition.
+- Storage of the bootloader, kernel and rootfs inside the user hardware partition using multiple
+  software partition in the GPT format.
+
+Firmware
+========
+
+The firmware of the device should implement a subset of the UEFI specification as defined in the
+ARM Base Boot Requirements (EBBR) and should implement the optional UEFI Secure Boot part of the
+EBBR specifications.
+
+This is done in CoreOS by levering the built-in EBBR and UEFI Secure Boot present into the u-boot
+project.
+
+The hardware should verify the validity of the firmware using a hardware specific way. Then the
+generic secure boot concept explained here can be used to valide all the following component of
+CoreOS.
+
+UEFI Key used by UEFI Secure Boot
+=================================
+
+
+- **PK (Platform Key)**: This top-tier key shoulders the responsibility of KEK verification and its
+  potential revocation. PK holders have the exclusive privilege to configure the KEK and the `db`
+  database. It's the gatekeeper ensuring only authorized software can touch the firmware or
+  bootloader.
+
+- **KEK (Key Exchange Key)**: As a medium for data exchange, the KEK is pivotal for signing the `db`
+  and `dbx` databases.
+  
+- **db (Allowed Database)**: This is the white list. It houses the keys or hashes of permitted
+  firmware and OS loaders. Execution is only granted to software with a signature that resonates
+  with the keys/hashes in this database.
+  
+- **dbx (Forbidden Database)**: The black sheep are here. Housing keys or hashes of known
+  unauthorized software, it ensures any associated software is prohibited from executing.
+
+Currently all theses public keys are built-in into u-boot at build time and are read only. In the
+future we will use the OP-TEE support into u-boot to use OP-TEE to manage the keys.
+
+OP-TEE and RPMB as key manager
+==============================
+
+OP-TEE, or Open Portable Trusted Execution Environment, is an open-source implementation of the
+Trusted Execution Environment (TEE) designed for ARM-powered platforms. In essence, a TEE is a
+secure enclave that provides a separated, isolated environment where specific applications and their
+data can run independently from the regular operating system, ensuring they are protected against
+potential tampering or unauthorized access.
+
+OP-TEE guarantees confidentiality, integrity, and authenticity for critical applications by
+executing them in this secure space. It offers a wide range of security features, including secure
+storage of cryptographic keys, secure boot, and hardware-backed crypto operations.
+
+In the context of UEFI secure boot, OP-TEE becomes instrumental. UEFI's secure boot mechanism
+ensures that only trusted, signed firmware, OS loaders, and OS kernels are executed during the boot
+process. To enforce this level of trust, UEFI relies on a set of cryptographic keys, including PK
+(Platform Key), KEK (Key Exchange Key), and db/dbx (allowed and forbidden signature databases).
+Safeguarding these keys is paramount to maintain the security and integrity of the boot process.
+
+By leveraging OP-TEE, these UEFI secure boot keys can be securely stored in the RPMB (Replay
+Protected Memory Block) partition of the eMMC. The RPMB is a write-protected, secure area of the
+eMMC designed to hold sensitive data and protect it against tampering and replay attacks.
+Since OP-TEE manages secure access to the RPMB partition, it ensures that the UEFI secure boot keys
+are not only safely stored but are also accessible only by authorized firmware components.
+
+eMMC User Partition
+===================
+
+The user partition of the eMMC must be structured using the GPT (GUID Partition Table) format.
+
+Within the GPT-formatted user partition, specific partitions should be established for efficient
+booting and system operation:
+
+1. **EFI**: This is the Essential Firmware Interface partition. It holds the `efibootguard`
+   os-loader binary, responsible for the boot sequence's initial steps and the kernel's selection
+   based on its configuration. This binary is signed with a key present in the `dbx` database
+
+2. **EBG0 - Efibootguard Config 0**: This partition houses the `efibootguard` configuration for the
+   first kernel option. Alongside the configuration file, it also contains a Unified Kernel Image
+   (UKI), a bundled package comprising the Linux kernel, device trees, and associated boot
+   components. The UKI is signed with a key present in the `dbx` database
+
+3. **EBG1 - Efibootguard Config 1**: Similar to EBG0, this partition carries the `efibootguard`
+   configuration for the second kernel option. It too holds a Unified Kernel Image tailored for this
+   alternate boot choice.
+
+4. **rootfs0**: This partition stores the CoreOS root filesystem designed to complement and operate
+   with the kernel embedded in the EBG0 partition. It provides the essential system files and 
+   structures required for the operating system's functioning when the kernel from EBG0 is booted. 
+   Integrety of this rootfs is assured by storing an hash of the rootfs inside the UKI image.
+
+5. **rootfs1**: Analogous to `rootfs0`, this partition houses the CoreOS root filesystem tailored
+   for the kernel within the EBG1 partition. It ensures that, should the system boot from the kernel
+   in EBG1, the appropriate file structures and system components are readily available.
+
+EFIBootGuard Configuration
+==========================
+
+Efibootguard, as a part of its design, employs a configuration system to determine the appropriate
+kernel and associated resources to boot from. This configuration is stored in distinct partitions, 
+EBG0 and EBG1, each holding its configuration file.
+
+The configuration file itself comprises several fields, but most crucially, it contains a revision
+field. This field is a numerical identifier indicating the version or update level of the contained
+kernel and resources. When the system initiates its boot sequence, Efibootguard assesses the
+revision values in both the EBG0 and EBG1 configuration files.
+
+The selection process is straightforward yet robust: Efibootguard chooses the partition with the
+higher revision value. By doing so, it inherently opts for the most recent or updated kernel version
+available. However, this system also supports failover mechanisms. In case the kernel in the
+partition with the higher revision encounters issues during boot, Efibootguard can revert to the
+other partition, ensuring resilience and continuity in system operations.
+
+Moreover, the choice isn't rigidly fixed. When the system undergoes updates, the configuration files
+can be rewritten, and the revision values adjusted, allowing for dynamic and flexible booting in
+line with system evolutions and updates. In essence, Efibootguard, with its configuration-based
+approach, ensures a blend of up-to-date system booting and built-in fail-safes for dependable
+operation.
+
+Unified Kernel Image
+====================
+
+After having choosen the right configuration file, Efibootguard takes on the responsibility of
+launching the Unified Kernel Image (UKI) linked with the active configuration. This image bundle
+together essential boot components like the Linux kernel, device trees, and the kernel command
+line. The secure initiation of this image is paramount, and Efibootguard ensures this by leveraging
+UEFI's start_image system call.
+
+The UEFI start_image system call  verifies the image's signature against the Secure Boot keys
+(PK, KEK, db, and potentially dbx). If the signature matches, indicating that the image is trusted
+and hasn't been tampered with, the image is permitted to execute. If not, the booting halts,
+preventing any unauthorized or potentially malicious code from running.
+
+Once the UKI has been securely initiated, it undertakes multiple tasks. It first extracts the
+necessary components from the bundled package, identifying and utilizing the appropriate device
+trees based on `compatible` node, by matching with the `compatible` node of the `device-tree` that
+is built into the firmware. These device trees inform the system about the hardware configuration,
+ensuring the kernel interacts correctly with the system's components. 
+
+The UKI os-launcher also has CoreOS specialized patches, enabling dynamic rootfs switching without
+requiring an initramfs by changing the `root=` part of the kernel command line at run time to
+point to the right rootfs partition.
+
+RootFS and dm-verity
+====================
+
+dm-verity is a Linux kernel feature designed to provide transparent integrity checking of block
+devices, particularly for read-only file systems. Rooted in cryptographic principles, dm-verity
+employs a hash-based approach to ensure and validate the integrity of the root filesystem (rootfs).
+
+The way dm-verity operates is by building a Merkle tree, a structure where each leaf node contains a
+hash of a block of the underlying data, while each non-leaf node is a hash of its children. The
+topmost node, the root of the Merkle tree, provides a cumulative hash representing the entirety of
+the data. This top hash, known as the root hash, serves as a concise, cryptographic representation
+of the entire filesystem's state.
+
+When integrating dm-verity with the Unified Kernel Image (UKI), an additional layer of security is
+established. By embedding the root hash into the signed UKI, any tampering or modification in the
+rootfs can be swiftly detected. When the system boots, the UKI, being signed, ensures that the
+embedded root hash is legitimate and untampered. As the OS accesses the rootfs, dm-verity
+recalculates the hash values in real-time and compares them to the values in the original Merkle
+tree, referenced by the embedded root hash.
+
+If any discrepancies are found – that is, if the recalculated hash doesn't match the stored value –
+it indicates potential tampering, and the OS can halt access or take appropriate measures. 
+
+.. graphviz::
+
+    digraph SecureBootFlow {
+        rankdir=TB;
+
+        node [shape=box, style=filled, fillcolor="#e6f2ff"];
+        edge [color="#0099cc", fontsize=12];
+
+        Hardware [label="Hardware\n(ARM32/AARCH64 with eMMC)"];
+        Firmware [label="u-boot Firmware\n(UEFI EBRR subset)"];
+        eMMCConfig [label="eMMC Configuration\n(GPT with EFI partition)"];
+        EFIBootGuard [label="EFIBootGuard\n(A/B Kernel Switching)"];
+        UnifiedKernel [label="Unified Kernel Image\n(Kernel, cmd line, DTB)"];
+        KernelAndRootFS [label="Kernel & RootFS\n(dm-verity validation)"];
+
+        Hardware -> Firmware [label="Flashed with u-boot\n+ Built-in keys"];
+        Firmware -> eMMCConfig [label="eMMC boot"];
+        eMMCConfig -> EFIBootGuard [label="Boots from EFI partition"];
+        EFIBootGuard -> UnifiedKernel [label="Selects kernel A/B"];
+        UnifiedKernel -> KernelAndRootFS [label="Kernel boot\n+ RootFS verification"];
+
+    }

documentation/components/optional/index.rst

@@ -12,3 +12,4 @@ CoreOS Optional Components
    Network Manager: NetworkManager <networkmanager>
    SSH Server: OpenSSH <openssh>
    Container: Podman <podman>
+   CoreOS Installer <installer>

documentation/components/optional/installer.rst

@@ -0,0 +1,37 @@
+.. index:: COREOS_INSTALLER
+
+CoreOS Installer
+****************
+
+The CoreOS installer is a set of scripts running on the target and a
+corresponding bitbake image that is used into the bootstrap process of CoreOS.
+
+coreos-image-installer
+======================
+
+The CoreOS image installer results in an image contairing only a single binary
+EFI file. This EFI file includes a kernel, a device tree and an initramfs with
+all (and only) the tools needed to install CoreOS.
+
+The installer image is not automatically built in parallel of a normal image.
+This can be changed by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 1 in the
+image file (as it is done for example in coreos-image-all-features.bb).
+
+The installer image build by default only a single EFI binary named
+coreos-installer-MACHINE.efi. An SDCard or USB image can be generated if
+`COREOS_INSTALLER_WKS_FILE` is set to a wks file.
+
+coreos-installer
+================
+
+The coreos-installer recipe installs scripts that are used at startup to
+automatically format the internal emmc of the device. The recipe also contains
+a swupdate configuration file to setup swupdate correctly for that use case.
+
+coreos-installer-config
+=======================
+
+The coreos-installer-config recipe installs device specific configuration file
+used by the coreos-installer. This includes the partitioner config file. Distros
+and projects based on CoreOS can change the partioning scheme or partition size
+by installing their own version of this package using a `bbappend file`.

documentation/hardware/beaglebone.rst

@@ -0,0 +1,61 @@
+..  _beaglebone:
+
+**********
+BeagleBone
+**********
+
+.. important::
+
+    The BeagleBone target uses an old TI AM3358 ARM 32 BIT CPU. This processor
+    of the AM335x family is used in a lot of current and legacy device at 
+    Hirschmann and NetModule. Thus we only support this target to ensure
+    that our architecture is working on older architecture too.
+
+CoreOS build instruction
+========================
+
+.. code-block:: 
+
+   MACHINE=beaglebone bitbake coreos-image-all-features
+   cd tmp/deploy/images/beaglebone
+
+.. list-table:: Image artifacts for BeagleBone
+   :widths: 25 75
+   :header-rows: 1
+
+   * - Filename
+     - Description
+   * - <IMAGE>-beaglebone.swu
+     - System image bundle used by the CoreOS installer or the CoreOS updater
+   * - <IMAGE>-beaglebone.wic.xz
+     - System image for SDCard
+   * - coreos-image-installer-beaglebone.wic.xz
+     - CoreOS installer image for SD Card
+
+.. hint:: 
+
+   Only the .swu image is need if you have already a working installation of CoreOS
+   running on the board that you want to update.
+
+CoreOS Pre-installation guide
+=============================
+
+If you want to use the internal emmc storage as boot target, you will need to
+flash coreos-image-installer-beaglebone.wic.xz to your SDCard using bmaptool.
+
+If you want to use the sdcard as boot target, you will need to flash
+<IMAGE>-beaglebone.wic.xz to your SDCard using bmaptool.
+
+By default the board boot on the internal emmc storage. To boot with a SDCard
+instead, you will need to push the S2 button (boot switch) while powering up the
+board.
+
+.. image:: beaglebone/beaglebone-s2-switch.png
+
+Serial access is available on the 5-pin header. See
+`this page <https://elinux.org/Beagleboard:BeagleBone_Black_Serial>`_ for
+more info on the serial connector.
+
+Now that you have the installer running, CoreOS can be installed by following
+the :ref:`generic installation manual<Installation Manual>` using the SDCard
+mehtod.

documentation/hardware/netmodule-hw34.rst

@@ -0,0 +1,126 @@
+..  _netmodule-hw34:
+
+*******************************
+NetModule HW34 (XG900 A-Sample)
+*******************************
+
+.. important::
+
+  netmodule-hw34 support is currently only available on the features branch
+  feat/netmodule-bsp
+
+.. image:: netmodule-hw34/hw34.png
+
+CoreOS build instruction
+========================
+
+.. code-block:: 
+
+   MACHINE=netmodule-hw34 bitbake coreos-image-all-features
+   cd tmp/deploy/images/netmodule-hw34
+
+.. list-table:: Image artifacts for NetModule HW32
+   :widths: 25 75
+   :header-rows: 1
+
+   * - Filename
+     - Description
+   * - <IMAGE>-netmodule-hw34.swu
+     - System image bundle used by the CoreOS installer or the CoreOS updater
+   * - coreos-installer-netmodule-hw34.efi
+     - CoreOS installer bundled in a single EFI binary
+   * - tiboot3.bin
+     - SPL Bootloader for the wakeup domain (arm32 R5 core)
+   * - tispl.bin
+     - SPL bootloader for the main domain (aarch64 main core)
+   * - u-boot.bin
+     - Third stage bootloader the main domain (aarch64 main core)
+
+.. hint:: 
+
+   Only the .swu image is need if you have already a working installation of CoreOS
+   running on the board that you want to update.
+
+CoreOS Pre-installation guide
+=============================
+
+The CoreOS installation process expect a working EFI firmware based on u-boot
+running on the board.
+
+For board that have no firmware or a defect firmware, we can provide the firmware by
+booting over USB.
+
+First, we need to put the board in USB Boot mode by modifying the dip-switch
+on the back of the board:
+
+.. code-block::
+
+            ON
+      S500  ▄ ▀ ▄ ▀ ▄ ▄ ▄ ▄
+            1 2 3 4 5 6 7 8
+
+.. hint::
+
+  Unflashed board or board without a valid tiboot3.bin image will default to
+  USB boot mode, so settings the dip-switch may be skipped in this case.
+
+Then you need to populate the jumper X600 near the USB port:
+
+.. image:: netmodule-hw34/hw34-usb-device.png
+
+Then power-up the board by first apply 12V throug the main connector, then
+connect a USB-C cable. Console access to the board can be accessed using the
+serial port on the main connector.
+
+
+.. important:: 
+
+   When removing the power, ensure that the USB cable is removed first. Otherwise
+   the processor will not get shutdown properly
+
+
+Now you should see the board from you computer:
+
+.. code-block:: sh
+
+   lsusb | grep DFU
+   Bus 003 Device 048: ID 0451:6165 Texas Instruments, Inc. AM64x DFU
+
+Now we start downloading the bootloaders into RAM by using dfu-utils:
+
+.. code-block:: sh
+
+   dfu-util -D tiboot3.bin -a 0
+   dfu-util -D tispl.bin -a 0
+
+   # Eject and start execution of tispl
+   dfu-util -e -a 0
+   dfu-util -D u-boot.img -a 1
+
+   # Eject ans tart of u-boot.img
+   dfu-util -e -a 1
+
+.. hint::
+
+    The firmware was uploaded to the RAM, thus will not survice a reboot.
+    
+
+Now that we have a firmware running, CoreOS can be installed by following
+the :ref:`generic installation manual<Installation Manual>`.
+
+
+CoreOS Post-Installation
+========================
+
+When the installation of CoreOS is done, power down the board by first
+removing the USB-C cable then the main power.
+
+Now, put the board back in emmc boot mode:
+
+.. code-block::
+
+            ON
+      S500  ▀ ▄ ▄ ▀ ▄ ▄ ▄ ▄
+            1 2 3 4 5 6 7 8
+
+Then power-up the board again and CoreOS should boot.

documentation/hardware/overview.rst

@@ -0,0 +1,33 @@
+******************
+Supported Hardware
+******************
+
+..  _Hardware Overview:
+.. list-table:: Supported BitBake MACHINE
+   :widths: 25 75 25
+   :header-rows: 1
+
+   * - BitBake MACHINE
+     - Compatible hardware
+     - Documentation
+   * - cn9131-bldn-mbv
+     - Falcon A3 Sample
+     - 
+   * - netmodule-hw34
+     - NetModule HW34 (XG900 Sample)
+     - :ref:`🔗 links <netmodule-hw34>`
+   * - cn9130-cf-pro
+     - Solidrun cn9130-cf-pro
+     - 
+   * - beaglebone
+     - Beaglebone, Beaglebone Black, Beaglebone Green
+     - :ref:`🔗 links <beaglebone>`
+   * - vm-x64
+     - Virtual Machine
+     - 
+
+.. hint:: 
+
+   Please contact the CoreOS team when starting a new project based on CoreOS
+   or want to contribute the hardware support for an existing Hardware.
+

documentation/index.rst

@@ -28,20 +28,29 @@ same structures.
 
 .. toctree::
    :maxdepth: 1
-   :caption: Software Components
-
-   Core Components <components/core/index>
-   Optional Components <components/optional/index>
+   :caption: Supported Hardware
 
+   Overview <hardware/overview>
+   NetModule HW34 (XG900 Sample) <hardware/netmodule-hw34>
+   BeagleBone <hardware/beaglebone>
 
 .. toctree::
    :maxdepth: 1
    :caption: Manuals
 
+   Installation Manual <installation/index>
    Reference Manual <ref-manual/index>
+   Testing Manual <testing/index>
    Boot Concepts <boot/index>
    Best Practices <best_practices/index>
 
+.. toctree::
+   :maxdepth: 1
+   :caption: Software Components
+
+   Core Components <components/core/index>
+   Optional Components <components/optional/index>
+
 .. toctree::
    :maxdepth: 1
    :caption: Indexes

documentation/installation/index.rst

@@ -0,0 +1,22 @@
+
+.. _Installation Manual:
+
+======================================
+Belden CoreOS EMMC Installation Manual
+======================================
+
+.. important:: 
+
+    This manual expect that the board you want to install CoreOS on have a
+    running UEFI firmware based on u-boot. Information about how to get console
+    access and a running firmware can be found for your hardware in the
+    :ref:`Hardware Overview <Hardware Overview>`
+
+|
+
+.. toctree::
+   :caption: Table of Contents
+   :numbered:
+
+   starting
+   partitionning

documentation/installation/partitionning.rst

@@ -0,0 +1,50 @@
+************
+Installation
+************
+
+The installer automatically creates all the needed partitions when starting up.
+
+Now you have to upload the .swu file to start the flashing process.
+
+Choose one of these methods to upload the system image to the installer:
+
+Upload the .swu file over the network using a browser
+=====================================================
+
+
+Now you can install the desired CoreOS version by uploading the desired
+.swu file to the board using a browser, by going to http://<TARGET_IP>:8080
+
+Upload the .swu file over the network using devtool
+===================================================
+
+If you have a working build environement, you can upload the image using
+the devtool command:
+
+.. code-block::
+
+    MACHINE=<MACHINE> devtool swupdate-www-push <IMAGE> <TARGET_IP>
+
+
+.. hint:: 
+    Replace <IMAGE> with the image recipe name, eg: coreos-image-all-features
+    Replace <MACHINE> by the machine name (if not set in local.conf)
+    Replace <TARGET_IP> by the IP adress of the board
+
+Upload the .swu file over the network using coreos-device
+=========================================================
+
+If you don't have a working build environement, you can upload the image using
+the coreos-device python script:
+
+.. code-block::
+
+    ./coreos-device swupdate-www-push <SWU_PATH> <TARGET_IP>
+
+.. hint:: 
+    Replace <SWU_PATH> with the the path to the SWU, eg: ./coreos-image-all-features-<MACHINE>.swu
+    Replace <TARGET_IP> by the IP adress of the board
+
+.. hint::
+    You will find the coreos-device script under the scripts directory inside
+    the CoreOS repository.

documentation/installation/starting.rst

@@ -0,0 +1,64 @@
+**********************
+Starting the installer
+**********************
+
+Choose one of these methods to start the bootloader:
+
+Starting the installer over the network with TFTP
+=================================================
+
+Put the coreos-installer EFI bundle (coreos-installer-<MACHINE>.efi) into an
+accessible TFTP server, then enter the following command into u-boot:
+
+.. code-block::
+
+   setenv ipaddr <TARGET_IP>; setenv serverip <SERVER_IP>;
+   tftp $loadaddr coreos-installer-<MACHINE>.efi
+   bootefi $loadaddr
+
+.. hint:: 
+
+    Replace <TARGET_IP> by a valid IP adress for the target, eg: 192.168.1.1
+    Replace <SERVER_IP> by the IP adress of the server, eg: 192.168.1.254
+    Replace <MACHINE> by the name of the machine set in bitbake
+
+Starting the installer over the network with DHCP/BOOTP/TFTP
+============================================================
+
+Use a DHCP/BOOTP/TFTP server to configure automatically the device. You can
+use dnsmasq for this task.
+
+
+.. code-block: ini
+
+    interface=<INTERFACE>
+    
+    dhcp-range=<INTERFACE>,10.237.30.2,10.237.30.100,4h
+    dhcp-range=<INTERFACE>,10.237.40.2,10.237.40.100,4h
+    
+    enable-tftp
+    dhcp-boot=tag:<INTERFACE>,coreos-installer-<MACHINE>.efi
+    tftp-root=/var/lib/tftpboot
+
+.. hint:: 
+
+    Replace <INTERFACE> by the name of the network interface that is connected
+    to the target. Eg: enp3s0
+    Replace <MACHINE> by the name of the machine set in bitbake
+
+Put the coreos-installer EFI bundle (coreos-installer-<MACHINE>.efi) into the
+/var/lib/tftpboot folder then enter the following command into u-boot:
+
+.. code-block::
+
+   setenv autoload yes
+   setenv autostart no
+   dhcp
+   bootefi $loadaddr
+
+Starting the installer using an SD Card
+=======================================
+
+Flash the coreos-image-installer.wic.xz into an SDCard and put the board
+in SDCard boot mode. Insert the SDCard and power up the board. The CoreOS
+installer should start automatically.

documentation/ref-manual/features.rst

@@ -10,9 +10,14 @@ to Belden CoreOS.
 Machine Features
 ================
 
-CoreOS doesn't define any custom machine feature for now, but the 
 :external:ref:`MACHINE_FEATURES <ref-features-machine>` of OpenEmbedded-Core
-can be used.
+can be used with CoreOS.
+
+In addition, those CoreOS specific MACHINE_FEATURES can be used too:
+
+-  *sdcard:* the machine as an internal SD Card or MicroSD Slot. 
+-  *emmc:* the machine as an internal emmc based storage
+
 
 .. index:: DISTRO_FEATURES
 

documentation/testing/bats.rst

@@ -0,0 +1,354 @@
+.. index:: BATS
+
+************************************
+BATS - Bash Automated Testing System
+************************************
+
+The CoreOS distribution supports writing tests using shell syntax by providing the `bats` command.
+
+If you want to use `bats`, you will need the following CoreOS packages:
+
+- bats
+- bats-file
+- bats-assert
+
+Overview of BATS
+================
+
+A BATS test can be as simple as a single .bats file. For example:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+   
+    bats_load_library bats-support
+    bats_load_library bats-assert
+
+    @test "can output to stdout" {
+        run echo hello
+        assert_output 'hello'
+    }
+
+You can run it using the command `bats <filename>.bats`
+
+This will give you the following output:
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats <filename>.bats 
+    <filename>.bats
+    ✓ can output to stdout
+
+    1 test, 0 failures
+
+The run command
+================
+
+In shell tests, you often need to run commands and capture their output, exit
+status, and error messages. The run command provided by `bats` allows you to
+execute commands within your test cases and collect this information for later
+assertion and validation.
+
+The run command will make the following variables available:
+
+- `${status}`: exit code of the command run by `run`
+- `${output}`: combined content of `stdout` and `stderr`
+- `${lines[@]}`: array of lines of the output
+- `${BATS_RUN_COMMAND}`: command run by the `run` command
+
+.. code-block:: bash
+
+    @test "invoking foo with a nonexistent file prints an error" {
+        run foo nonexistent_filename
+        [ "$status" -eq 1 ]
+        [ "$output" = "foo: no such file 'nonexistent_filename'" ]
+        [ "$BATS_RUN_COMMAND" = "foo nonexistent_filename" ]
+
+    }
+
+The `run` command accepts some parameters:
+
+- `-N`: Expect N as exit status and fail otherwise
+- `-!`: Expect non-zero exit status and fail if the command succeeds.
+- `--keep-empty-lines`: don't remove empty lines from `${lines}`
+- `--separate-stderr`: Use separate variables for stderr `${stderr}` and `${stderr_lines[@]}`
+
+.. code-block:: bash
+
+    @test "invoking foo without arguments prints usage" {
+        run -1 foo
+        [ "${lines[0]}" = "usage: foo <filename>" ]
+    }
+
+The bats-assert helper
+======================
+
+The `bats-assert` helper provides some functions to create more readable tests.
+These assertions use the variables created by the `run` command and can be used
+as follows:
+
+.. code-block:: bash
+
+    @test 'assert_output()' {
+        run echo 'have'
+        assert_output 'want'
+    }
+
+The following functions are provided:
+
+- `assert` and `refute`: Assert that a given expression evaluates to true or false.
+- `assert_equal`: Assert that two parameters are equal.
+- `assert_not_equal`: Assert that two parameters are not equal.
+- `assert_success` and `assert_failure`: Assert that the exit status is 0 or 1.
+- `assert_output` and `refute_output`: Assert that the output does (or does not) contain the given content.
+- `assert_line` and `refute_line`: Assert that a specific line of the output does (or does not) contain the given content.
+- `assert_regex` and `refute_regex`: Assert that a parameter matches (or does not match) the given pattern.
+
+The bats-file helper
+====================
+
+The `bats-file` helper provides functions to help work with files in tests:
+
+**Test File Types:**
+
+- `assert_exists` and `assert_not_exists`: Check if a file or directory exists.
+- `assert_file_exists` and `assert_file_not_exists`: Check if a file exists.
+- `assert_dir_exists` and `assert_dir_not_exists`: Check if a directory exists.
+- `assert_link_exists` and `assert_link_not_exists`: Check if a link exists.
+- `assert_block_exists` and `assert_block_not_exists`: Check if a block special file exists.
+- `assert_character_exists` and `assert_character_not_exists`: Check if a character special file exists.
+- `assert_socket_exists` and `assert_socket_not_exists`: Check if a socket exists.
+- `assert_fifo_exists` and `assert_fifo_not_exists`: Check if a fifo special file exists.
+
+**Test File Attributes:**
+
+- `assert_file_executable` and `assert_file_not_executable`
+- `assert_file_owner` and `assert_file_not_owner`
+- `assert_file_permission` and `assert_not_file_permission`
+- `assert_file_size_equals`
+- `assert_size_zero` and `assert_size_not_zero`
+- `assert_file_group_id_set` and `assert_file_not_group_id_set`
+- `assert_file_user_id_set` and `assert_file_not_user_id_set`
+- `assert_sticky_bit` and `assert_no_sticky_bit`
+
+**Test File Content:**
+
+- `assert_file_empty` and `assert_file_not_empty`
+- `assert_file_contains` and `assert_file_not_contains`
+- `assert_symlink_to` and `assert_not_symlink_to`
+
+**Working with a temporary directory:**
+
+- `temp_make` and `temp_del`
+
+Pre- and Post-test case hooks
+==============================
+
+In some cases, it's useful to have a function that runs before or after each test
+case in a bats file.
+
+A function named `setup` will run before each test case, and a function
+named `teardown` will run after each test case.
+
+This example creates a directory in the setup function but lacks a teardown
+that removes the directory. The second time the setup function is run, the
+setup will fail as the directory already exists:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+
+    bats_load_library bats-support
+    bats_load_library bats-assert
+    bats_load_library bats-file
+
+    setup() {
+        mkdir tmp
+        echo 'a' >> ./tmp/test
+    }
+
+    @test "test contains a single a I" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+    @test "test contains a single a II" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats test.bats 
+    test.bats
+    ✓ test contains a single a I
+    ✗ test contains a single a II
+    (from function `setup' in test file test.bats, line 8)
+        `mkdir tmp' failed
+    mkdir: cannot create directory ‘tmp’: File exists
+
+    2 tests, 1 failure
+
+This can be easily fixed by adding a teardown function:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+
+    bats_load_library bats-support
+    bats_load_library bats-assert
+    bats_load_library bats-file
+
+    setup() {
+        mkdir tmp
+        echo 'a' >> ./tmp/test
+    }
+
+    teardown() {
+        rm -rf ./tmp
+    }
+
+
+
+    @test "test contains a single a I" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+    @test "test contains a single a II" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats test.bats 
+    test.bats
+     ✓ test contains a single a I
+     ✓ test contains a single a II
+
+    2 tests, 0 failures
+
+Pre- and Post-test file hooks
+=============================
+
+To run some code before executing a test file or after executing it, the
+functions `setup_file` and `teardown_file` can be used.
+
+The last example could be refactored to only create the tmp directory once:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+
+    bats_load_library bats-support
+    bats_load_library bats-assert
+    bats_load_library bats-file
+
+    setup_file() {
+        export DIR="./tmp"
+        export FILE="${DIR}/test"
+        mkdir "${DIR}"
+    }
+
+    teardown_file() {
+        rm -rf "${DIR}"
+    }
+
+    setup() {
+        echo 'a' >> "${FILE}"
+    }
+
+    teardown() {
+        rm "${FILE}"
+    }
+
+    @test "test contains a single a I" {
+        assert_file_contains "${FILE}" '^a$'
+    }
+
+    @test "test contains a single a II" {
+        assert_file_contains "${FILE}" '^a$'
+    }
+
+Multiple files
+==============
+
+With `bats`, a file is a test suite. If you have multiple `bats` files in a
+directory and you provide the directory in the `bats` command line, `bats`
+will execute all the test suites.
+
+Example: `bats .` 
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats .
+    ./first.bats
+    ✓ can run our script
+    ✗ second test
+    (in test file ./first.bats, line 27)
+        `false' failed
+    ./second.bats
+    ✓ multi file
+    ./test.bats
+    ✓ test contains a single a I
+    ✓ test contains a single a II
+
+    5 tests, 1 failure
+
+Pre- and Post-suite hooks
+=========================
+
+If you want to execute the same function before each test suite or after
+each test suite, create a file named `setup_suite.bash`. In this file,
+create a function named `setup_suite()` and another named `teardown_suite()`.
+
+Exporting the test results
+==========================
+
+Test results can be exported using the JUnit XML format. This can then be
+used in other tools and merged with other JUnit XML formats to generate a final
+test report.
+
+Example:
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats . -F junit
+
+This will produce the following XML content on stdout:
+
+.. code-block:: xml
+
+    <?xml version="1.0" encoding="UTF-8"?>
+    <testsuites time="0.048">
+    <testsuite name="./first.bats" tests="2" failures="1" errors="0" skipped="0" time="0.025" timestamp="2023-08-16T14:22:15" hostname="SAVE">
+        <testcase classname="./first.bats" name="can run our script" time="0.013" />
+        <testcase classname="./first.bats" name="second test" time="0.012">
+            <failure type="failure">(in test file ./first.bats, line 27)
+    `false&#39; failed</failure>
+        </testcase>
+
+    </testsuite>
+    <testsuite name="./second.bats" tests="1" failures="0" errors="0" skipped="0" time="0.008" timestamp="2023-08-16T14:22:15" hostname="SAVE">
+        <testcase classname="./second.bats" name="multi file" time="0.008" />
+
+    </testsuite>
+    <testsuite name="./test.bats" tests="2" failures="0" errors="0" skipped="0" time="0.015" timestamp="2023-08-16T14:22:15" hostname="SAVE">
+        <testcase classname="./test.bats" name="test contains a single a I" time="0.008" />
+        <testcase classname="./test.bats" name="test contains a single a II" time="0.007" />
+
+    </testsuite>
+    </testsuites>
+
+Going further
+=============
+
+`bats` scripts can be checked with shellcheck for common mistakes.
+
+The `bats-assert` add-on provides many helper functions to perform
+assertions with a more readable syntax than the shell's built-in syntax.
+
+See https://github.com/bats-core/bats-assert
+
+The `bats-file` add-on provides helper functions to check for files. See
+https://github.com/bats-core/bats-file/
+
+You can find a list of projects using `bats` on this page:
+https://github.com/bats-core/bats-core/wiki/Projects-Using-Bats

documentation/testing/index.rst

@@ -0,0 +1,15 @@
+
+==============================
+Belden CoreOS Testing Manual
+==============================
+
+This manual is a work on progress on how to test and how to write test for
+CoreOS or CoreOS based distribution.
+
+|
+
+.. toctree::
+   :caption: Table of Contents
+   :numbered:
+
+   bats

external-layers/meta-arm

@@ -0,0 +1 @@
+Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446

external-layers/meta-efibootguard

@@ -0,0 +1 @@
+Subproject commit e3581b11d30d91d0363acb48a6aee47043b7e0bc

external-layers/meta-lts-kernel-mixin

@@ -0,0 +1 @@
+Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6

external-layers/meta-openembedded

@@ -0,0 +1 @@
+Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b

external-layers/meta-swupdate

@@ -0,0 +1 @@
+Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c

external-layers/meta-ti

@@ -0,0 +1 @@
+Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720

external-layers/meta-virtualization

@@ -0,0 +1 @@
+Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846

external-layers/openembedded-core

@@ -0,0 +1 @@
+Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33

layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass

@@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================
 
-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 
 # UEFI Secure boot helpers
@@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign"
 
 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "cos-certificates-and-keys-native:do_deploy"
 
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
     """
-        Return the list of pubkey file inside deploy if 
+        Return the list of pubkey file inside deploy if
         COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
         otherwise
     """
@@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
 
 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
 
-def get_coreos_secureboot_keydir_hash(d):
-    """
-        Generate a space separate list, with a value for each file inside of 
-        keydir. Fromat: <filename>:md5:<md5sum>
-    """
-    import hashlib
 
-    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
-    value = ""
-    
-    for keyname in os.listdir(keydir):
-        filepath = os.path.join(keydir, keyname)
-        if os.path.isfile(filepath): 
-            md5 = bb.utils.md5_file(filepath)
-            value += f"{keyname}:md5:{md5} "
-
-    return value
-
-# The build system should detect if someone change one of the key inside
-# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
-# depends on this directory
-COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
-COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"

layers/meta-belden-coreos-bsp/classes/coreos-image-swupdate-beaglebone.bbclass

@@ -0,0 +1,26 @@
+
+SWUPDATE_IMAGES += "MLO"
+SWUPDATE_IMAGES += "u-boot-beaglebone"
+SWUPDATE_IMAGES_FSTYPES[MLO] = ""
+SWUPDATE_IMAGES_FSTYPES[u-boot-beaglebone] = ".img"
+
+COREOS_SWUPDATE_EXTENDS_FOR:append = "beaglebone"
+
+def coreos_swupdate_extends_images_for_beaglebone(d,s):
+    mlo = {
+        "filename" : "MLO",
+        "installed-directly" : "true",
+        "device" : "/dev/disk/by-partlabel/mlo",
+        "type" : "raw",
+        "sha256" : swupdate_get_sha256(d, s, "MLO"),
+    }
+
+    uboot = {
+        "filename" : "u-boot-beaglebone.img",
+        "installed-directly" : "true",
+        "device" : "/dev/disk/by-partlabel/uboot",
+        "type" : "raw",
+        "sha256" : swupdate_get_sha256(d, s, "u-boot-beaglebone.img"),
+    }
+
+    return [mlo, uboot]

layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf

@@ -11,7 +11,8 @@ include conf/machine/include/arm/armv7a/tune-cortexa8.inc
 
 IMAGE_FSTYPES += "wic wic.xz wic.bmap"
 WKS_FILE ?= "beaglebone-sdcard.wks.in"
-MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
+COREOS_INSTALLER_WKS_FILE ?= "beaglebone-sdcard-installer.wks"
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image"
 do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
 do_image_wic[recrdeptask] += "do_bootimg"
 
@@ -20,10 +21,10 @@ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
 APPEND:append = " console=ttyS0,115200"
 
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 
 KERNEL_IMAGETYPE = "zImage"
-KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
+DTB_FILES = "ti/omap/am335x-bone.dtb ti/omap/am335x-boneblack.dtb ti/omap/am335x-bonegreen.dtb"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
 
 PREFERRED_PROVIDER_virtual/bootloader ?= "u-boot"
@@ -36,9 +37,6 @@ UBOOT_LOADADDRESS = "0x80008000"
 
 MACHINE_FEATURES = "usbgadget usbhost vfat alsa"
 
-IMAGE_BOOT_FILES ?= "u-boot.${UBOOT_SUFFIX} ${SPL_BINARY}"
-IMAGE_EFI_BOOT_FILES ?= "${KERNEL_DEVICETREE}"
-
 # support runqemu
 EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"
 IMAGE_CLASSES += "qemuboot"
@@ -59,5 +57,7 @@ QB_TCPSERIAL_OPT = "-device virtio-serial-device -chardev socket,id=virtcon,port
 # No watchdog available yet
 EFIBOOTGUARD_TIMEOUT ?= "0"
 
+COREOS_IMAGE_SWUPDATE_EXTRACLASSES += "coreos-image-swupdate-beaglebone"
+
 require conf/machine/include/coreos-generic-features/efi.inc
-require conf/machine/include/coreos-generic-features/emmc.inc
+require conf/machine/include/coreos-generic-features/partitions.inc

layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf

@@ -0,0 +1,39 @@
+#@TYPE: Machine
+#@NAME: eagle40-03
+#@DESCRIPTION: Machine support for EAGLE40-03
+#
+
+require include/coreos-generic-arch/x64.inc
+
+MACHINE_FEATURES += "pci usbhost x86 serial efi"
+
+# Kernel configuration
+# ******************************************************************************
+
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
+PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+
+KERNEL_IMAGETYPE = "bzImage"
+
+#  getty configuration
+# ******************************************************************************
+
+SERIAL_CONSOLES = "115200;ttyS0"
+SERIAL_CONSOLES_CHECK = "ttyS0"
+APPEND += "console=ttyS0,115200"
+
+# Image generation
+# ******************************************************************************
+
+# Ensure that both flash-image.bin and boot.scr are generated as they are needed
+# for a wic image
+WKS_FILE = "generic-uefi.wks.in"
+COREOS_INSTALLER_WKS_FILE ?= "generic-uefi-usb-installer.wks"
+IMAGE_FSTYPES += "wic.xz wic.bmap"
+
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules"
+
+# No watchdog available yet
+EFIBOOTGUARD_TIMEOUT ?= "0"
+require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/partitions.inc

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/efi.inc

@@ -4,12 +4,3 @@
 MACHINE_FEATURES:append = " efi"
 
 do_image_wic[depends] += "efibootguard-native:do_populate_sysroot efibootguard:do_deploy"
-
-# Variable used in WKS file
-
-WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --align 1024 --part-type=EF00'
-WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0 --align 1024'
-WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1 --align 1024'
-WKS_PART_ROOT_SIZE ??= '2G'
-WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --align 1024 --part-type=0700 --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel0-${MACHINE}.efi;KERNEL.EFI"'
-WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --align 1024 --part-type=0700 --sourceparams "watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel1-${MACHINE}.efi;KERNEL.EFI"'

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/emmc.inc

@@ -1,7 +0,0 @@
-# This configuration file should be included for all hardware that has an
-# integrated emmc
-
-MACHINE_FEATURES += "emmc"
-
-# Generate a SWU image to flash the emmc
-do_image[depends] += "coreos-emmc-flasher-${MACHINE}:do_swuimage"

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc

@@ -0,0 +1,20 @@
+# Variables used in WKS file
+WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
+WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
+WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
+WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
+WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
+WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
+
+PART_EFI_SIZE ??= '64M'
+PART_ROOT_SIZE ??= '1G'
+PART_EFIBG_SIZE ??= '128M'
+PART_USERDATA_SIZE ??= '1G'
+
+# Variables used in SFDISK file
+SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
+SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
+SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
+SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
+SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
+SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc

@@ -6,12 +6,12 @@ MACHINE_FEATURES += "wifi efi"
 # Add an override that work for all pc image
 MACHINEOVERRIDES =. "vm:"
 
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 
 MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"
 
-IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk"
+IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk wic.vhdx"
 
 WKS_FILE ?= "generic-uefi.wks.in"
 do_image_wic[depends] += "gptfdisk-native:do_populate_sysroot"
@@ -22,3 +22,4 @@ do_image_wic[recrdeptask] += "do_bootimg"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR = "1"
 
 require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/partitions.inc

layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf

@@ -0,0 +1,15 @@
+#@TYPE: Machine
+#@NAME: qemu-generic-arm64
+#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
+#have working firmware and boot via EFI.
+
+require conf/machine/qemu-generic-arm64.conf
+MACHINEOVERRIDES =. "qemu-generic-arm64:"
+
+COREOS_IMAGE_GENERATE_INSTALLER = "0"
+
+WKS_FILE = "qemu-efi-coreos-generic.wks.in"
+
+EFIBOOTGUARD_TIMEOUT ?= "0"
+require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/partitions.inc

layers/meta-belden-coreos-bsp/recipes-bsp/coreos-emmc-flasher/coreos-emmc-flasher-beaglebone.bb

@@ -1,6 +0,0 @@
-COMPATIBLE_MACHINE = "beaglebone"
-
-require coreos-emmc-flasher.inc
-require coreos-emmc-flasher-uboot.inc
-
-SWUPDATE_IMAGES += "MLO"

layers/meta-belden-coreos-bsp/recipes-bsp/coreos-emmc-flasher/coreos-emmc-flasher-beaglebone/sw-description

@@ -1,48 +0,0 @@
-software =
-{
-    version = "@@DISTRO_VERSION@@";
-    @@MACHINE@@ = {
-        hardware-compatibility: ["1.0"];
-        factory = {
-            emmc = {
-                partitions: (
-                    {
-                        type = "diskpart";
-                        device = "/dev/mmcblk1";
-                        properties: {
-                                labeltype = "dos";
-                                partition-1 = [ "size=32M", "start=133120", "name=efi", "type=0xef", "fstype=fat16"];
-                        };
-                    }
-                );
-                images: (
-                    {
-                        filename = "MLO";
-                        device = "/dev/mmcblk1";
-                        offset = "128K";
-                        sha256 = "$swupdate_get_sha256(MLO)";
-                    },
-                    {
-                        filename = "u-boot-beaglebone.img";
-                        device = "/dev/mmcblk1";
-                        offset = "384K";
-                        sha256 = "$swupdate_get_sha256(u-boot-beaglebone.img)";
-
-                    }
-                );
-                files: (
-                    {
-                        filename = "efibootguardarm.efi";
-                        path = "/EFI/BOOT/bootarm.efi";
-                        device = "/dev/mmcblk1p1";
-                        filesystem = "vfat";
-                        sha256 = "$swupdate_get_sha256(efibootguardarm.efi)";
-                        properties: {
-                            create-destination = "true";
-                        }
-                    }
-                );
-            }
-        }
-    }
-}

layers/meta-belden-coreos-bsp/recipes-bsp/coreos-emmc-flasher/coreos-emmc-flasher-uboot.inc

@@ -1,10 +0,0 @@
-# Machine that use u-boot can include this file after
-# coreo-swupdate-flasher.inc
-
-# Add support to flash u-boot
-IMAGE_DEPENDS += "virtual/bootloader"
-
-UBOOT_SUFFIX ??= "img"
-SWUPDATE_IMAGES += "u-boot"
-SWUPDATE_IMAGES_FSTYPES[u-boot] = ".${UBOOT_SUFFIX}"
-

layers/meta-belden-coreos-bsp/recipes-bsp/coreos-emmc-flasher/coreos-emmc-flasher.inc

@@ -1,31 +0,0 @@
-
-DESCRIPTION = "SWU Image generation to flash the internal emmc"
-SECTION = "bootloaders"
-LICENSE = "CLOSED"
-PR = "r1"
-
-SRC_URI = " \
-    file://sw-description \
-    "
-
-# efibootguard
-# ==============================================================================
-# efibootguard support is not machine depends so it can be done here
-
-require conf/image-uefi.conf
-
-# The efibootguard binary has to be embedded into the image. swupdate will check
-# that the binary exist
-IMAGE_DEPENDS += "efibootguard"
-SWUPDATE_IMAGES += "efibootguard${EFI_ARCH}"
-
-# Override or variable are not supported in var[flag] statement, but having more
-# flags than necessary doesn't do any arm
-SWUPDATE_IMAGES_FSTYPES[efibootguardx64] = ".efi"
-SWUPDATE_IMAGES_FSTYPES[efibootguardaa64] = ".efi"
-SWUPDATE_IMAGES_FSTYPES[efibootguardarm] = ".efi"
-
-# Image generated should be named coreos-swupdater-flasher-${MACHINE}
-# and not the default coreos-swupdate-flasher-${MACHINE}-${MACHINE}
-IMAGE_BASENAME ?= "coreos-emmc-flasher"
-inherit swupdate

layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb

@@ -1,33 +0,0 @@
-SUMMARY = "A recipe to deploy UEFI public keys update files"
-LICENSE = "CLOSED"
-
-
-INHIBIT_DEFAULT_DEPS = "1"
-inherit nopackages
-
-inherit deploy
-inherit coreos-efi-secureboot
-
-# Public key needed by firmware very depending on the implementation
-# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
-addtask deploy after do_compile
-do_deploy() {
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
-    
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
-
-    # !SECURITY WARNING! 
-    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
-}

layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -1,11 +0,0 @@
-# Add signature support
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-do_deploy:append() {
-
-    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
-        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
-    fi
-}

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc

@@ -1,12 +0,0 @@
-# Ensure that file are found event when this file is included in another layer
-# ==============================================================================
-FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
-
-# Main include file for u-boot to ensure CoreOS compatibility
-# ==============================================================================
-
-SRC_URI += " \
-    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
-"
-
-require u-boot-coreos-efi.inc

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend

@@ -1,2 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
-require u-boot-coreos.inc

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk

@@ -0,0 +1,19 @@
+label: gpt
+device: /dev/mmcblk1
+unit: sectors
+first-lba: 34
+last-lba: 7471070
+sector-size: 512
+
+# EBBR 2.1.0 section 4.1.1 mandate the use of an unused type UUID and to set
+# the RequiredPartition label for part of the firmware stored in the main disk
+# https://arm-software.github.io/ebbr/#section-gpt-parts
+# next two type were generated
+/dev/mmcblk1p1 : start=         256, size=         512, type=4DA6E9DA-C803-4BE4-BAC4-8192717C5EB0, name="mlo", attrs="RequiredPartition"
+/dev/mmcblk1p2 : start=         768, size=        8192, type=5B97345D-B7A1-47D3-A491-ED40F4841639, name="uboot", attrs="RequiredPartition"
+
+/dev/mmcblk1p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
+/dev/mmcblk1p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk1p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk1p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk1p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk

@@ -0,0 +1,13 @@
+label: gpt
+device: /dev/mmcblk2
+unit: sectors
+first-lba: 34
+last-lba: 7471070
+sector-size: 512
+
+/dev/mmcblk2p1 : start= 256, size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
+/dev/mmcblk2p2 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend

@@ -0,0 +1,4 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"
+
+SRC_URI:append:beaglebone = " file://beaglebone_1.0.sfdisk"
+SRC_URI:append:eagle40-03 = " file://eagle40-03_1.0.sfdisk"

layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg

@@ -0,0 +1,2 @@
+CONFIG_F71808E_WDT=y
+CONFIG_WATCHDOG_SYSFS=y

layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/hyperv.cfg

@@ -0,0 +1,16 @@
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_SPINLOCKS=y
+CONFIG_CONNECTOR=y
+CONFIG_SCSI_FC_ATTRS=y
+CONFIG_HYPERV=y
+CONFIG_HYPERV_UTILS=y
+CONFIG_HYPERV_BALLOON=y
+CONFIG_HYPERV_STORAGE=y
+CONFIG_HYPERV_NET=y
+CONFIG_HYPERV_KEYBOARD=y
+CONFIG_FB_HYPERV=y
+CONFIG_HID_HYPERV_MOUSE=y
+CONFIG_PCI_HYPERV=y
+CONFIG_VSOCKETS=y
+CONFIG_HYPERV_VSOCKETS=y

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc

@@ -1,23 +0,0 @@
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-# Ensure EFI STUB is enabled
-KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
-
-# By default we use a Unified Kernel Image that contain the kernel, the
-# kernel command line and some device tree, so we don't need to sign the output
-# of the kernel recipes
-COREOS_KERNEL_EFI_SIGNED ??= "0"
-
-# Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
-kernel_do_deploy:append() {
-    if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
-      deployDir="${DEPLOYDIR}"
-      for imageType in ${KERNEL_IMAGETYPES} ; do
-        baseName="$imageType-${KERNEL_IMAGE_NAME}"
-        coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
-      done
-    fi
-}
-

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend

@@ -1,13 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 KMACHINE:vm-x64 ?= "common-pc-64"
 COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
 
 # Enable some kernel features related to virtualiuzation
 KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
+
+KMACHINE:eagle40-03 ?= "common-pc-64"
+KBRANCH:eagle40-03 = "v5.15/standard/base"
+SRCREV_machine:eagle40-03 ?= "3baf1c5c0e6084b3f4a1d2d805168d657f872e60"
+COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
+LINUX_VERSION:eagle40-03 = "5.15.134"
+
 
 KBRANCH:beaglebone = "v5.15/standard/beaglebone"
 KMACHINE:beaglebone ?= "beaglebone"
 SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
-
-require linux-yocto-coreos-efi.inc

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend

@@ -0,0 +1,14 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+KMACHINE:eagle40-03 ?= "common-pc-64"
+COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
+
+KMACHINE:beaglebone ?= "beaglebone"
+COMPATIBLE_MACHINE:beaglebone = "beaglebone"
+
+KMACHINE:vm-x64 ?= "common-pc-64"
+COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
+KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
+
+SRC_URI += " file://eagle40-03.cfg"

layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard-installer.wks

@@ -0,0 +1,20 @@
+# short-description: Create SD card image for Beaglebone
+# long-description: Creates a partitioned SD card image for Beaglebone.
+
+# offset 1S => 1 sector (1x512 byte)
+# The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
+# MBR disk use only the sector 0, so 1S is free
+# GPT disk use sector 0-33S, so first free slot is 256S
+# Offset are from the BBB default settings
+
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+part --offset 256S --source rawcopy --sourceparams="file=MLO" --ondisk mmcblk0 --fixed-size 256K
+part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mmcblk0 --fixed-size 4M
+
+# Let's define a 4MiB maximum size for the bootloader
+# 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
+part --source bootimg-partition --part-type=EF00 --ondisk mmcblk0 --offset 8960S --fixed-size 125M
+bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in

@@ -6,15 +6,15 @@
 # MBR disk use only the sector 0, so 1S is free
 # GPT disk use sector 0-33S, so first free slot is 256S
 # Offset are from the BBB default settings
-part --offset 256S --source rawcopy --sourceparams="file=MLO" --ondisk mmcblk0
-part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mmcblk0
+part --offset 256S --source rawcopy --sourceparams="file=MLO" --ondisk mmcblk0 --fixed-size 256K --part-name "mlo"
+part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mmcblk0 --fixed-size 4M --part-name "uboot"
 
 
 # Let's define a 4MiB maximum size for the bootloader
 # 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
-${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --align 1024 --size 32M --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_A} --ondisk mmcblk0 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_B} --ondisk mmcblk0 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --fixed-size 32M
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
+${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
+${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
 bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks

@@ -0,0 +1,16 @@
+# short-description: Create USB image for Eagle 40-03
+# long-description: Creates a partitioned USB image for Eagle 40-03.
+
+# offset 1S => 1 sector (1x512 byte)
+# The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
+# MBR disk use only the sector 0, so 1S is free
+# GPT disk use sector 0-33S, so first free slot is 256S
+# Offset are from the BBB default settings
+
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+part --offset 256S --source bootimg-partition --part-type=EF00 --ondisk mmcblk0
+part --fixed-size 3G --fstype=vfat --label=image
+bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in

@@ -1,10 +1,11 @@
 # short-description: Create an EFI disk image for genericx86*
 # long-description: Creates a partitioned EFI disk image for genericx86* machines
-${WKS_PART_EFI} --ondisk sda  --align 1024 --size 64M --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 
-part swap --ondisk sda --size 44 --label swap1 --fstype=swap
+${WKS_PART_EFI} --align 1024 --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
+
 bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in

@@ -0,0 +1,12 @@
+# short-description: Create an EFI disk image
+# long-description: Creates a partitioned EFI disk image that the user
+# can directly dd to boot media.
+
+part --source efibootguard-efi --label efi --part-type=EF00 --use-uuid --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
+part / --source rootfs --fstype=ext4 --label rootfs0 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part --fstype=ext4 --label rootfs1 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --use-uuid --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
+
+bootloader --ptable gpt

layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb

@@ -0,0 +1,8 @@
+DESCRIPTION = "An image that includes k3s-agent"
+
+require recipes-core/images/coreos-image-all-features.bb
+
+IMAGE_INSTALL += "k3s-agent"
+
+# To use this image, please add k3s to DISTRO_FEATURE inside your
+# local.conf config file.

layers/meta-belden-coreos-demo/recipes-kernel/linux/files/k3s_kernel_adaptions.cfg

@@ -0,0 +1,8 @@
+#this file contains the necssary kernel adaption that k3s an containerd require
+#Reference
+#k3s config check: https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/check-config.sh
+#container config check: https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh
+#these scripts are provided by moby and rancher
+CONFIG_OABI_COMPAT=n
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y

layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend

@@ -0,0 +1 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

layers/meta-belden-coreos/classes/bats-library.bbclass

@@ -0,0 +1,19 @@
+# Library to share code needed to install most available bats library
+
+# Bats library are shell scripts, so they are arch independant
+inherit allarch
+
+RDEPENDS:${PN} += "bats"
+
+# Bats can find library in this folder by default
+BATS_LIB_PATH ?= "${libdir}/bats"
+
+# By default the library will have the same name as the recipe
+BATS_INSTALL_DIR ?= "${BATS_LIB_PATH}/${PN}"
+FILES:${PN} += "${BATS_INSTALL_DIR}"
+
+do_install() {
+    install -d ${D}${BATS_INSTALL_DIR}
+    cp -r ${S}/src ${D}${BATS_INSTALL_DIR}/
+    install ${S}/load.bash ${D}${BATS_INSTALL_DIR}/
+}

layers/meta-belden-coreos/classes/coreos-image-ci.bbclass

@@ -3,6 +3,7 @@
 # > COREOS_IMAGE_EXTRACLASSES += "coreos-image-ci"
 # in auto.conf (or local.conf)
 
+inherit kernel-artifact-names
 
 def get_coreos_ci_artifacts(d):
     artifacts = []
@@ -12,11 +13,11 @@ def get_coreos_ci_artifacts(d):
 
     # Container handling
     # ==========================================================================
-    
+
     if bb.utils.contains('IMAGE_FSTYPES', 'oci', True, False, d):
 
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.rootfs-oci.tar')
-        
+
         # Special case for container, we just need the OCI tarball
         return " ".join(artifacts)
 
@@ -25,13 +26,23 @@ def get_coreos_ci_artifacts(d):
 
     if bb.utils.contains('IMAGE_FSTYPES', 'wic.xz', True, False, d):
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.xz')
-    
+
     if bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d):
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')
 
+    # This is used for qemu-coreos-arm64
+    if bb.utils.contains('IMAGE_FSTYPES', 'wic.qcow2', True, False, d):
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.qcow2')
+
     if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1':
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')
 
+    # CoreOS Installer
+    # ==========================================================================
+
+    if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1':
+        artifacts.append('coreos-installer-' + d.getVar('MACHINE') + '.efi')
+
     # Kernel
     # ==========================================================================
 
@@ -40,8 +51,7 @@ def get_coreos_ci_artifacts(d):
     artifacts.append(kernel_imagetype + '-' + machine + kernel_image_bin_ext)
 
     if d.getVar('COREOS_IMAGE_GENERATE_UKI') == '1':
-        artifacts.append(d.getVar('COREOS_KERNEL0_FILENAME'))   
-        artifacts.append(d.getVar('COREOS_KERNEL1_FILENAME'))   
+        artifacts.append(d.getVar('COREOS_KERNEL_FILENAME'))
 
     # Bootloaders
     # ==========================================================================
@@ -85,5 +95,5 @@ do_deploy_ci() {
     for file in ${COREOS_CI_DEPLOY_ARTIFACTS}; do
         echo $file >> $output
     done
-} 
+}
 addtask deploy_ci after do_image before do_build

layers/meta-belden-coreos/classes/coreos-image-installer.bbclass

@@ -0,0 +1,41 @@
+# Class used to generate image based on Belden CoreOS
+
+export IMAGE_BASENAME = "${MLPREFIX}${PN}"
+IMAGE_NAME_SUFFIX ?= ""
+IMAGE_LINGUAS = ""
+
+LICENSE = "MIT"
+
+IMAGE_FSTYPES = "cpio.gz"
+
+# Support for generating a SDCard or USB installer is optional
+COREOS_INSTALLER_WKS_FILE ??= ""
+WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
+IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
+IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
+
+COREOS_IMAGE_GENERATE_UKI = "1"
+
+# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
+# run during image generation
+COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
+COREOS_IMAGE_GENERATE_SWU = "0"
+
+# Change generated UKI filename and reset the bundled command line to "APPEND"
+# to ensure that root is not set in the kernel command line
+COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
+COREOS_KERNEL_CMDLINE ?= "${APPEND}"
+
+inherit coreos-image
+
+# Only install a reduced set of package and feature to keep image size small
+IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer coreos-installer-unattended util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
+IMAGE_FEATURES = "debug-tweaks swupdate"
+NO_RECOMMENDATIONS = "1"
+
+IMAGE_ROOTFS_SIZE = "8192"
+INITRAMFS_MAXSIZE = "976562"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"
+
+# Use the same restriction as initramfs-module-install
+COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'

layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass

@@ -16,21 +16,19 @@ python () {
 inherit swupdate-image
 
 # Ensure than variable used in the sw-description files are watched for change
-do_swuimage[vardeps] += "COREOS_KERNEL0_FILENAME COREOS_KERNEL1_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
+do_swuimage[vardeps] += "COREOS_KERNEL_FILENAME EFIBOOTGUARD_TIMEOUT EFIDIR EFI_BOOT_IMAGE COREOS_EFIBOOTGUARD_FILENAME"
 do_swuimage[deptask] += "do_bundle_uki"
 
 COREOS_EFIBOOTGUARD_NAME ?= "efibootguard${EFI_ARCH}"
 COREOS_EFIBOOTGUARD_EXT ?= ".efi"
 COREOS_EFIBOOTGUARD_FILENAME = "${COREOS_EFIBOOTGUARD_NAME}${COREOS_EFIBOOTGUARD_EXT}"
 
-SWUPDATE_IMAGES += "${COREOS_KERNEL0_NAME} ${COREOS_KERNEL1_NAME} ${COREOS_EFIBOOTGUARD_NAME}"
+SWUPDATE_IMAGES += "${COREOS_KERNEL_NAME} ${COREOS_EFIBOOTGUARD_NAME}"
 
 python () {
-    kernel0 = d.getVar('COREOS_KERNEL0_NAME')
-    kernel1 = d.getVar('COREOS_KERNEL1_NAME')
+    kernel = d.getVar('COREOS_KERNEL_NAME')
     kernelext = d.getVar('COREOS_KERNEL_EXT')
-    d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", kernel0, kernelext)
-    d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", kernel1, kernelext)
+    d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", kernel, kernelext)
 
     efibootguard = d.getVar('COREOS_EFIBOOTGUARD_NAME')
     efibootguardext = d.getVar('COREOS_EFIBOOTGUARD_EXT')
@@ -71,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):
 
     return text
 
+# Signature support
+inherit coreos-efi-secureboot
+SWUPDATE_SIGNING = "CMS"
+SWUPDATE_CMS_KEY  = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
+SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
+
 COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
 inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}

layers/meta-belden-coreos/classes/coreos-image-uki.bbclass

@@ -10,32 +10,28 @@ inherit coreos-efi-sbsign
 # ==============================================================================
 
 COREOS_KERNEL_EXT ??= ".efi"
-COREOS_KERNEL0_NAME ??= "kernel0-${MACHINE}"
-COREOS_KERNEL1_NAME ??= "kernel1-${MACHINE}"
-COREOS_KERNEL0_FILENAME ??= "${COREOS_KERNEL0_NAME}${COREOS_KERNEL_EXT}"
-COREOS_KERNEL0 ??= "${DEPLOY_DIR_IMAGE}/${COREOS_KERNEL0_FILENAME}"
-COREOS_KERNEL1_FILENAME ??= "${COREOS_KERNEL1_NAME}${COREOS_KERNEL_EXT}"
-COREOS_KERNEL1 ??= "${DEPLOY_DIR_IMAGE}/${COREOS_KERNEL1_FILENAME}"
+COREOS_KERNEL_NAME ??= "kernel-${MACHINE}"
+COREOS_KERNEL_FILENAME ??= "${COREOS_KERNEL_NAME}${COREOS_KERNEL_EXT}"
+COREOS_KERNEL ??= "${DEPLOY_DIR_IMAGE}/${COREOS_KERNEL_FILENAME}"
 
 # Kernel command line
 # ==============================================================================
 
-APPEND += "rootwait "
-COREOS_ROOTFS0_ROOT ??= "PARTLABEL=rootfs0"
-COREOS_ROOTFS1_ROOT ??= "PARTLABEL=rootfs1"
-COREOS_KERNEL0_CMDLINE ??= "root=${COREOS_ROOTFS0_ROOT} ${APPEND}"
-COREOS_KERNEL1_CMDLINE ??= "root=${COREOS_ROOTFS1_ROOT} ${APPEND}"
+# AUTOLABEL will be replaced by the right PARTLABEL (rootfs0 or rootfs1) at
+# runtime in the efibootguard UKI stub
+COREOS_ROOTFS_ROOT ??= "PARTLABEL=AUTOLABEL"
+COREOS_KERNEL_CMDLINE ??= "root=${COREOS_ROOTFS_ROOT} ${APPEND} rootwait"
 
 COREOS_UKI_PART_KERNEL_FILENAME ??= "${KERNEL_IMAGETYPE}-${MACHINE}${KERNEL_IMAGE_BIN_EXT}"
 COREOS_UKI_PART_KERNEL ??= "${DEPLOY_DIR_IMAGE}/${COREOS_UKI_PART_KERNEL_FILENAME}"
 COREOS_UKI_PART_STUB_FILENAME ??= "kernel-stub${EFI_ARCH}.efi"
 COREOS_UKI_PART_STUB ??= "${STAGING_LIBDIR}/efibootguard/${COREOS_UKI_PART_STUB_FILENAME}"
-
+COREOS_UKI_PART_INITRAMFS ??= ""
 
 # UKI Generation
 # ==============================================================================
 
-do_bundle_uki() {
+do_image_uki() {
     deployDir="${DEPLOY_DIR_IMAGE}"
 
     # Create an array with device tree if any
@@ -49,26 +45,35 @@ do_bundle_uki() {
 
     echo "kernel: ${COREOS_UKI_PART_KERNEL_FILENAME}"
     echo "dtb: ${DTB_PARAMS}"
-    echo "cmdline0: ${COREOS_KERNEL0_CMDLINE}"
-    echo "cmdline1: ${COREOS_KERNEL1_CMDLINE}"
+    echo "cmdline: ${COREOS_KERNEL_CMDLINE}"
+    echo "initramfs: ${COREOS_UKI_PART_INITRAMFS}"
+
+    if [ ! -z "${COREOS_UKI_PART_INITRAMFS}" ]; then
+      DTB_PARAMS="${DTB_PARAMS}  --initrd=${COREOS_UKI_PART_INITRAMFS}"
+    fi
+
+    echo "initramfs: ${INITRAMFS_PARAMS}"
 
     bg_gen_unified_kernel \
         "${COREOS_UKI_PART_STUB}" \
         "${COREOS_UKI_PART_KERNEL}" \
-        "${COREOS_KERNEL0}" \
-        --cmdline "${COREOS_KERNEL0_CMDLINE}" \
+        "${COREOS_KERNEL}" \
+        --cmdline "${COREOS_KERNEL_CMDLINE}" \
         ${DTB_PARAMS}
 
-     bg_gen_unified_kernel \
-        "${COREOS_UKI_PART_STUB}" \
-        "${COREOS_UKI_PART_KERNEL}" \
-        "${COREOS_KERNEL1}" \
-        --cmdline "${COREOS_KERNEL1_CMDLINE}" \
-        ${DTB_PARAMS}
-
-    coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL0_FILENAME}"
-    coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL1_FILENAME}"
+    coreos_efi_secureboot_sign_app "${deployDir}/${COREOS_KERNEL_FILENAME}"
 }
 
-do_bundle_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot"
-addtask bundle_uki after do_rootfs before do_image
+do_image_uki[depends] += "virtual/kernel:do_deploy efibootguard-native:do_populate_sysroot efibootguard:do_populate_sysroot"
+
+
+addtask image_uki after do_image before do_image_complete
+
+# UKI image is normally embedded into a WIC image
+do_image_wic[recrdeptask] += "do_image_uki"
+
+# UKI image is normally embedded into a SWU image
+do_image_swu[recrdeptask] += "${@'do_image_uki' if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1' else ''}"
+
+# UKI image may embedded the rootfs as a cpio archive, in this case do_image_uki should run after do_image_cpio
+do_image_uki[recrdeptask] += "${@'do_image_cpio' if d.getVar('COREOS_UKI_PART_INITRAMFS') else ''}"

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
     packagegroup-coreos-boot \
     packagegroup-coreos-base \
+    secure-storage \
     "
 
 COREOS_IMAGE_EXTRA_INSTALL ?= ""
@@ -89,9 +90,15 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
 # Unified kernel image and swupdate support
 # ==============================================================================
 
-# Support for Unified Kernel Image and Swupdate are optional
-COREOS_IMAGE_GENERATE_UKI ?= "1"
-COREOS_IMAGE_GENERATE_SWU ?= "1"
+# The CoreOS image installer is disabled by default.
+COREOS_IMAGE_GENERATE_INSTALLER ?= "0"
+
+# Support for Unified Kernel Image and Swupdate are optional.
+COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_SWU ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"
+
+# Generate the installer image if needed
+do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"
 
 COREOS_IMAGE_EXTRACLASSES += "${@'coreos-image-uki' if d.getVar('COREOS_IMAGE_GENERATE_UKI') == '1' else ''}"
 COREOS_IMAGE_EXTRACLASSES += "${@'coreos-image-swupdate' if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1' else ''}"

layers/meta-belden-coreos/classes/coreos-sanity.bbclass

@@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
 check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
 python check_coreos_sanity_eventhandler() {
 
+    import datetime
+
     # Checks related to the distribution configuration files
     # ==========================================================================
 
@@ -29,13 +31,22 @@ python check_coreos_sanity_eventhandler() {
             "systemd is not set as `INIT_MANAGER`. "
             "Using SystemD is mandatory on CoreOS based distribution"
         )
-    
+
     if e.data.getVar("TCLIBC") != "glibc":
         bb.fatal(
             "glibc is not set as `TCLIBC`. "
             "Using glibc is mandatory on CoreOS based distribution"
         )
-    
+
+    # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
+    first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
+    foy_ts = str(int(first_of_year.timestamp()))
+    if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
+        bb.warn(
+            "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
+            "Set to current 01. january of the year."
+        )
+
     # Checks related to the machine configuration files
     # ==========================================================================
 
@@ -47,7 +58,7 @@ python check_coreos_sanity_eventhandler() {
                 "CoreOS recommands to use compressed wic image, please add "
                 "`wic.xz` to your machine `IMAGE_FSTYPES` variables"
             )
-        
+
         if not "wic.bmap":
             bb.warn(
                 "wic image should be flashed with bmaptools, but this require "

layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf

@@ -0,0 +1,8 @@
+require conf/distro/include/belden-coreos-base.inc
+
+DISTRO = "belden-coreos-base"
+DISTRO_NAME = "Belden CoreOS (Base)"
+MAINTAINER = "Belden CoreOS Team"
+
+DISTRO_VERSION = "0.0.1"
+DISTRO_CODENAME = "kirkstone"

layers/meta-belden-coreos/conf/distro/belden-coreos.conf

@@ -1,80 +1,9 @@
+require conf/distro/include/belden-coreos-base.inc
+require conf/distro/include/belden-coreos-extra.inc
+
 DISTRO = "belden-coreos"
 DISTRO_NAME = "Belden CoreOS"
 MAINTAINER = "Belden CoreOS Team"
 
-INHERIT += "coreos_metadata_scm"
-
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
-
-# Distro features and policies
-# ==============================================================================
-
-PACKAGE_CLASSES = "package_ipk"
-INIT_MANAGER = "systemd"
-
-# CoreOS use journald from the systemd package to handle log
-# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
-# This remove syslog from packagegroup-core-boot
-VIRTUAL-RUNTIME_syslog = ""
-VIRTUAL-RUNTIME_base-utils-syslog = ""
-
-DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
-DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
-DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
-DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
-
-# Build configuration
-# ==============================================================================
-
-TARGET_VENDOR = "-belden"
-
-# We don't support multiple libc, so we don't need to append the libc name to
-# the tmp directory: ie use build/tmp instead of build/tmp-glibc
-TCLIBCAPPEND = ""
-
-SANITY_TESTED_DISTROS ?= " \
-            debian-11 \n \
-            ubuntu-22.04 \n \
-            "
-
-# This variable is used to ensure that any distribution using the CoreOS layer
-# include this file. This is checked by the coreos-sanity class
-SANITY_COREOS_COMPATIBLE ?= "1"
-
-require conf/distro/include/no-static-libs.inc
-require conf/distro/include/yocto-uninative.inc
-require conf/distro/include/security_flags.inc
-
-# uninative is need to share the sstates between multiple host distrubtion
-INHERIT += "uninative"
-
-# Bitbake configuration
-# ==============================================================================
-
-BB_SIGNATURE_HANDLER ?= "OEBasicHash"
-
-# SDK Configuration
-# ==============================================================================
-
-SDK_VENDOR = "-coreossdk"
-SDK_VERSION = "${DISTRO_VERSION}"
-SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
-SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
-SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
-
-# EFI and Secure boot
-# ==============================================================================
-
-EFI_PROVIDER = "efibootguard"
-EFIBOOTGUARD_TIMEOUT ??= "60"
-INHERIT += "coreos-efi-secureboot"
-
-# Virtualization configuration
-# ==============================================================================
-
-# Use crun insted of runc as a OCI runtime. crun is faster and need less memory
-# than runc so it's a better fit for embedded
-#PREFERRED_PROVIDER_virtual/runc = "crun"
-PACKAGECONFIG:append:pn-podman = " rootless"
-DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"

layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc

@@ -0,0 +1,118 @@
+# This is the base include file for all coreos based distro
+# it should support the most basic distro without optional coreos
+# features
+
+# Using :coreos override should work on all CoreOS based distro
+# Note that :belden-coreos does not work on CoreOS based distro but will
+# work when build for the belden-coreos distro
+DISTROOVERRIDES = "coreos:${DISTRO}"
+
+INHERIT += "coreos_metadata_scm"
+
+# Distro features and policies
+# ==============================================================================
+
+PACKAGE_CLASSES = "package_ipk"
+INIT_MANAGER = "systemd"
+
+# CoreOS use journald from the systemd package to handle log
+# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
+# This remove syslog from packagegroup-core-boot
+VIRTUAL-RUNTIME_syslog = ""
+VIRTUAL-RUNTIME_base-utils-syslog = ""
+
+DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
+
+# CoreOS wasn't compatible with older Yocto version, so we should not have any
+# features backfilled. Value are from DISTRO_FEATURES_BACKFILL
+# with the exception of gobject-introspection-data that are backfilled on
+# purpose, this allow to use C library based on gobject in python or javascript
+DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio sysvinit ldconfig"
+
+DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
+
+# Build configuration
+# ==============================================================================
+
+TARGET_VENDOR = "-belden"
+
+# We don't support multiple libc, so we don't need to append the libc name to
+# the tmp directory: ie use build/tmp instead of build/tmp-glibc
+TCLIBCAPPEND = ""
+
+SANITY_TESTED_DISTROS ?= " \
+            debian-11 \n \
+            ubuntu-22.04 \n \
+            "
+
+# This variable is used to ensure that any distribution using the CoreOS layer
+# include this file. This is checked by the coreos-sanity class
+SANITY_COREOS_COMPATIBLE ?= "1"
+
+require conf/distro/include/no-static-libs.inc
+require conf/distro/include/yocto-uninative.inc
+require conf/distro/include/security_flags.inc
+
+# uninative is need to share the sstates between multiple host distrubtion
+INHERIT += "uninative"
+
+# Bitbake configuration
+# ==============================================================================
+
+BB_SIGNATURE_HANDLER ?= "OEBasicHash"
+
+# SDK Configuration
+# ==============================================================================
+
+SDK_VENDOR = "-coreossdk"
+SDK_VERSION = "${DISTRO_VERSION}"
+SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
+SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
+SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
+
+# EFI and Secure boot
+# ==============================================================================
+
+EFI_PROVIDER = "efibootguard"
+EFIBOOTGUARD_TIMEOUT ??= "60"
+INHERIT += "coreos-efi-secureboot"
+
+
+# PACKAGECONFIG
+# ==============================================================================
+# Reduce the size of some package by disabling some feature by default
+
+# Distro using coreos can re-enabled a disabled config by changing
+# the COREOS_DISABLED_PACKAGECONFIG variable
+
+PACKAGECONFIG:pn-systemd ?= " \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \
+    hostnamed \
+    kmod \
+    localed \
+    logind \
+    set-time-epoch \
+    sysusers \
+    userdb \
+    vconsole \
+    wheel-group \
+    zstd \
+"
+
+# DNS Configuration
+
+
+# CoreOS specific options
+# ==============================================================================
+
+# Distro based on CoreOS can provide their own configuration files for the
+# CoreOS installer by overriding this variable
+PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
+
+# This TS represents 01.01.2024 generating it dynamically would cause a lot of
+# things to get re-build, we need a good solution for this or change it every
+# year
+REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"

layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc

@@ -0,0 +1,30 @@
+# This is the include all the CoreOS feature that are optional
+
+# Virtualization configuration
+# ==============================================================================
+
+PACKAGECONFIG:append:pn-podman = " rootless"
+DISTRO_FEATURES += "virtualization seccomp"
+
+# swupdate configuration
+# ==============================================================================
+
+# Enable the generation of .swu file for images
+DISTRO_FEATURES += "swupdate"
+
+# Networking configuration
+# ==============================================================================
+
+# Add networking support to systemd. This allow systemd to handle
+# network/dhcp/dns/time
+PACKAGECONFIG:pn-systemd += " \
+    hostnamed \
+    idn \
+    myhostname \
+    nss \
+    nss-resolve \
+    resolved \
+    networkd \
+    timedated \
+    timesyncd \
+"

layers/meta-belden-coreos/conf/distro/include/coreos-support.inc

@@ -0,0 +1,149 @@
+COREOS_RECIPE_MAINTAINER:pn-acl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-arptables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-attr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-autoconf-archive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-files = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-passwd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash-completion = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-binutils-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-boost = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bridge-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-busybox = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bzip2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ca-certificates = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-conntrack-tools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-coreutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cppzmq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cracklib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cryptsetup = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-curl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-dbus = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-depmodwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-e2fsprogs = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ebtables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-efibootguard = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-elfutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ethtool = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-expat = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-findutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flatbuffers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flex = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-fmt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gawk = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-runtime = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gdbm = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glib-2.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc-locale = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gmp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnu-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnutls = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-icu = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iproute2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iptables = "Team CoreOS"
+#iw should be removed
+COREOS_RECIPE_MAINTAINER:pn-json-c = "Team CoreOS"
+# kbd check if it can be removed
+# kmod check if it can be removed
+COREOS_RECIPE_MAINTAINER:pn-libaio = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libarchive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcheck = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libconfig = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libdevmapper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libestr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libfastjson = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libffi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc-initial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgpg-error = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libidn2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-liblogging = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libmnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnet = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-conntrack = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cthelper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cttimeout = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-log = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-queue = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnfnetlink = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnsl2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpam = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcre = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libseccomp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsodium = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsolv = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtirpc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtool-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libunistring = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libusb1 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxml2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-libc-headers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-yocto = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-logrotate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lrzsz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lvm2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lzo = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-m4 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-mtools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ncurses = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-netbase = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-nettle = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-arch-config = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-os-release = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-core-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-pciutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-perl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-popt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-python3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-qemuwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-readline = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-rsyslog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-run-postinsts = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-secure-storage = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-setserial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-shared-mime-info = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-spdlog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sqlite3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-swupdate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sysfsutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslinux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslog-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-conf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-serialgetty = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tar = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tcpdump = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-usbutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux-libuuid = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-volatile-binds = "Team CoreOS"
+# wpa-supplicant should be removed
+COREOS_RECIPE_MAINTAINER:pn-xz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zeromq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zip = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zlib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zstd = "Team CoreOS"

layers/meta-belden-coreos/conf/layer.conf

@@ -15,6 +15,7 @@ LAYERDEPENDS_meta-belden-coreos = "\
     networking-layer \
     virtualization-layer \
     webserver \
+    meta-arm \
 "
 
 LAYERSERIES_COMPAT_meta-belden-coreos = "kirkstone"

layers/meta-belden-coreos/files/sw-description

@@ -23,11 +23,11 @@ software =
 
                 files: (
                     {
-                        filename = "@@COREOS_KERNEL0_FILENAME@@";
+                        filename = "@@COREOS_KERNEL_FILENAME@@";
                         path = "/KERNEL.EFI";
                         device = "/dev/disk/by-partlabel/ebg0";
                         filesystem = "vfat";
-                        sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL0_FILENAME@@)";
+                        sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL_FILENAME@@)";
                     },
                     {
                         filename = "@@COREOS_EFIBOOTGUARD_FILENAME@@";
@@ -44,7 +44,7 @@ software =
                 bootenv: (
                         {
                             name = "kernelparams";
-                            value = "";
+                            value = "coreos.root=rootfs0";
                         },
                         {
                             name = "watchdog_timeout_sec";
@@ -80,11 +80,11 @@ software =
 
                 files: (
                     {
-                        filename = "@@COREOS_KERNEL1_FILENAME@@";
+                        filename = "@@COREOS_KERNEL_FILENAME@@";
                         path = "/KERNEL.EFI";
                         device = "/dev/disk/by-partlabel/ebg1";
                         filesystem = "vfat";
-                        sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL1_FILENAME@@)";
+                        sha256 = "$swupdate_get_sha256(@@COREOS_KERNEL_FILENAME@@)";
                     },
                     {
                         filename = "@@COREOS_EFIBOOTGUARD_FILENAME@@";
@@ -100,7 +100,7 @@ software =
                 bootenv: (
                         {
                             name = "kernelparams";
-                            value = "";
+                            value = "coreos.root=rootfs1";
                         },
                         {
                             name = "watchdog_timeout_sec";

layers/meta-belden-coreos/lib/devtool/coreos-efibootguard.py

@@ -272,40 +272,24 @@ def efibootguard_generate_uki(args, config, basepath, workspace):
 
     keydir = os.path.relpath(rd.getVar("COREOS_EFI_SECUREBOOT_KEYDIR"))
 
-    uki0 = UKIGeneratorArgs(
+    uki = UKIGeneratorArgs(
         kernel=kernel,
-        output=os.path.relpath(rd.getVar("COREOS_KERNEL0")),
-        cmdline=rd.getVar("COREOS_KERNEL0_CMDLINE"),
+        output=os.path.relpath(rd.getVar("COREOS_KERNEL")),
+        cmdline=rd.getVar("COREOS_KERNEL_CMDLINE"),
         dtb=dtb,
         stub=stub,
-        root=rd.getVar("COREOS_ROOTFS0_ROOT"),
-        build_binary=build_binary,
-        keydir=keydir,
-    )
-    uki1 = UKIGeneratorArgs(
-        kernel=kernel,
-        output=os.path.relpath(rd.getVar("COREOS_KERNEL1")),
-        cmdline=rd.getVar("COREOS_KERNEL1_CMDLINE"),
-        dtb=dtb,
-        stub=stub,
-        root=rd.getVar("COREOS_ROOTFS1_ROOT"),
+        root=rd.getVar("COREOS_ROOTFS_ROOT"),
         build_binary=build_binary,
         keydir=keydir,
     )
 
     print(f"Applying passed parameters...")
-    uki0.process_args(args)
-    uki1.process_args(args)
+    uki.process_args(args)
 
-    print(f"KERNEL0 image will be generated with the following settings:")
-    printi(f"{uki0}", 1)
-    print()
-    print(f"KERNEL1 image will be generated with the following settings:")
-    printi(f"{uki1}", 1)
+    print(f"KERNEL image will be generated with the following settings:")
+    printi(f"{uki}", 1)
     print()
 
     print(f"Generating the files...")
-    r = uki0.build_and_sign()
-    r += uki1.build_and_sign()
+    return uki0.build_and_sign()
 
-    return r

layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard/0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch

@@ -0,0 +1,93 @@
+From 2e8b73826c6ecaf5168002a18282ba7e4ac95e76 Mon Sep 17 00:00:00 2001
+From: Samuel Dolt <samuel.dolt@netmodule.com>
+Date: Mon, 12 Jun 2023 16:29:49 +0200
+Subject: [PATCH] coreos: add a coreos specific rootfs switch to the UKI stub
+
+The unified kernel stub can now replace the substring "AUTOLABEL"
+in the built-in kernel command line by either rootfs0 and rootfs1
+by looking the LoadOption string passed by ther firmware:
+- LoadOptions contain "coreos.root=rootfs0", all occurences of
+  "AUTOLABEL" are replaced by "rootfs0"
+- LoadOptions contain "coreos.root=rootfs1", all occurences of
+  "AUTOLABEL" are replaced by "rootfs1".
+- LoadOptions is empty, the kernel command line will be used as is.
+
+In all other case, the stub will exist without booting the kernel
+with a INVALID PARAMETER error.
+---
+ kernel-stub/main.c | 55 +++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 50 insertions(+), 5 deletions(-)
+
+diff --git a/kernel-stub/main.c b/kernel-stub/main.c
+index c0be1f6..6f456d3 100644
+--- a/kernel-stub/main.c
++++ b/kernel-stub/main.c
+@@ -128,11 +128,6 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table)
+ 		error_exit(L"Error getting LoadedImageProtocol", status);
+ 	}
+ 
+-	/* consider zero-termination for string length */
+-	if (stub_image->LoadOptionsSize > sizeof(CHAR16)) {
+-		info(L"WARNING: Passed command line options ignored, only built-in used");
+-	}
+-
+ 	pe_header = get_pe_header(stub_image->ImageBase);
+ 	for (n = 0, section = get_sections(pe_header);
+ 	     n < pe_header->Coff.NumberOfSections;
+@@ -161,6 +156,56 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table)
+ 		kernel_image.LoadOptions = (UINT8 *) stub_image->ImageBase +
+ 			cmdline_section->VirtualAddress;
+ 		kernel_image.LoadOptionsSize = cmdline_section->VirtualSize;
++
++		/* CoreOS utilize the option passed from efibootguard to customize the kernel
++		 * command line.
++		 *
++		 * Allowed option are:
++		 *   'coreos.root=rootfs0' => replace "AUTOLABEL" with "rootfs0  " in place in the kernel CLI
++		 *   'coreos.root=rootfs1' => replace "AUTOLABEL" with "rootfs1  " in place in the kernel CLI
++		 *   '' => no option passed
++		 *
++		 * Using another option string will return without booting the kernel
++		 *
++		 * hint: LoadOptions is a null-terminated wide string
++		 * hint: sizeof return the number of byte. StrLen the number of characters
++		 */
++		if (stub_image->LoadOptionsSize > sizeof(CHAR16)) {
++
++			// !!! symbol and rootfs must have the same length !!!
++			const CHAR16 symbol[] = L"AUTOLABEL";
++			CHAR16 rootfs[]       = L"rootfsX  ";
++
++			if (StrnCmp(L"coreos.root=rootfs0", stub_image->LoadOptions, stub_image->LoadOptionsSize) == 0) {
++				rootfs[6] = L'0';
++			} else if (StrnCmp(L"coreos.root=rootfs1", stub_image->LoadOptions, stub_image->LoadOptionsSize) == 0) {
++				rootfs[6] = L'1';
++			} else {
++				error_exit(L"LoadOptions is not valid", EFI_INVALID_PARAMETER);
++			}
++
++			/* Replace symbol by rootfs (AUTOLABEL by either rootfs0 or rootfs1) */
++			CHAR16 * str = kernel_image.LoadOptions;
++			UINTN len = kernel_image.LoadOptionsSize;
++			while (*str  &&  len) {
++
++				/* Ensure that the string still contains enough char for the symbol */
++				if(len < sizeof(symbol)) {
++					break;
++				}
++
++				if(StrnCmp(str, &symbol, StrLen(symbol)) == 0) {
++					/* Replace symbol by rootfs, works because symbole and rootfs has the same length */
++					StrnCpy(str, rootfs, StrLen(rootfs));
++				}
++
++				str += 1;
++				len -= sizeof(CHAR16);
++			}
++
++		}
++
++		Print(L"Unified kernel stub: Kernel Options: %s\n", kernel_image.LoadOptions);
+ 	}
+ 
+ 	if (initrd_section) {

layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -0,0 +1,22 @@
+
+# Add CoreOS A/B Switching support
+# ==============================================================================
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch"
+
+# Add signature support
+# ==============================================================================
+
+DEPENDS:append = " cos-certificates-and-keys-native"
+
+inherit coreos-efi-sbsign
+require conf/image-uefi.conf
+
+do_deploy:append() {
+
+    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
+        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
+    fi
+}

layers/meta-belden-coreos/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc

@@ -1,244 +0,0 @@
-DESCRIPTION = "Trusted Firmware-A"
-LICENSE = "BSD-3-Clause & MIT"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-
-inherit deploy
-
-SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
-
-UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
-
-SRCREV_FORMAT = "tfa"
-
-COMPATIBLE_MACHINE ?= "invalid"
-
-# Platform must be set for each machine
-TFA_PLATFORM ?= "invalid"
-
-# Some platforms can have multiple board configurations
-# Leave empty for default behavior
-TFA_BOARD ?= ""
-
-# Some platforms use SPD (Secure Payload Dispatcher) services
-# Few options are "opteed", "tlkd", "trusty", "tspd", "spmd"...
-# Leave empty to not use SPD
-TFA_SPD ?= ""
-
-# Variable used when TFA_SPD=spmd
-TFA_SPMD_SPM_AT_SEL2 ?= "1"
-
-# SP layout file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
-TFA_SP_LAYOUT_FILE ?= ""
-
-# SPMC manifest file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
-TFA_ARM_SPMC_MANIFEST_DTS ?= ""
-
-# Build for debug (set TFA_DEBUG to 1 to activate)
-TFA_DEBUG ?= "0"
-
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
-
-# mbed TLS support (set TFA_MBEDTLS to 1 to activate)
-TFA_MBEDTLS ?= "0"
-# sub-directory in which mbedtls will be downloaded
-TFA_MBEDTLS_DIR ?= "mbedtls"
-# This should be set to MBEDTLS download URL if MBEDTLS is needed
-SRC_URI_MBEDTLS ??= ""
-# This should be set to MBEDTLS LIC FILES checksum
-LIC_FILES_CHKSUM_MBEDTLS ??= ""
-# add MBEDTLS to our sources if activated
-SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}"
-# Update license variables
-LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}"
-LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
-# add mbed TLS to version
-SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
-
-# U-boot support (set TFA_UBOOT to 1 to activate)
-# When U-Boot support is activated BL33 is activated with u-boot.bin file
-TFA_UBOOT ??= "0"
-
-# UEFI support (set TFA_UEFI to 1 to activate)
-# When UEFI support is activated BL33 is activated with uefi.bin file
-TFA_UEFI ??= "0"
-
-# What to build
-# By default we only build bl1, do_deploy will copy
-# everything listed in this variable (by default bl1.bin)
-TFA_BUILD_TARGET ?= "bl1"
-
-# What to install
-# do_install and do_deploy will install everything listed in this
-# variable. It is set by default to TFA_BUILD_TARGET
-TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
-
-# Requires CROSS_COMPILE set by hand as there is no configure script
-export CROSS_COMPILE="${TARGET_PREFIX}"
-
-# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
-CFLAGS[unexport] = "1"
-LDFLAGS[unexport] = "1"
-AS[unexport] = "1"
-LD[unexport] = "1"
-
-# No configure
-do_configure[noexec] = "1"
-
-# Baremetal, just need a compiler
-DEPENDS:remove = "virtual/${TARGET_PREFIX}compilerlibs virtual/libc"
-
-# We need dtc for dtbs compilation
-# We need openssl for fiptool
-DEPENDS = "dtc-native openssl-native"
-DEPENDS:append:toolchain-clang = " compiler-rt"
-
-# CC and LD introduce arguments which conflict with those otherwise provided by
-# this recipe. The heads of these variables excluding those arguments
-# are therefore used instead.
-def remove_options_tail (in_string):
-    from itertools import takewhile
-    return ' '.join(takewhile(lambda x: not x.startswith('-'), in_string.split(' ')))
-
-EXTRA_OEMAKE += "LD=${@remove_options_tail(d.getVar('LD'))}"
-
-EXTRA_OEMAKE += "CC=${@remove_options_tail(d.getVar('CC'))}"
-
-# Verbose builds, no -Werror
-EXTRA_OEMAKE += "V=1 E=0"
-
-# Add platform parameter
-EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
-
-# Handle TFA_BOARD parameter
-EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
-
-# Handle TFA_SPD parameter
-EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
-
-# If TFA_SPD is spmd, set SPMD_SPM_AT_SEL2
-EXTRA_OEMAKE += "${@'SPMD_SPM_AT_SEL2=${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
-
-# Handle TFA_DEBUG parameter
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_DEBUG', '1', 'DEBUG=${TFA_DEBUG}', '', d)}"
-
-# Handle MBEDTLS
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
-
-# Uboot support
-DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
-do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '', d)}"
-
-# UEFI support
-DEPENDS += " ${@bb.utils.contains('TFA_UEFI', '1', 'edk2-firmware', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UEFI', '1', 'BL33=${RECIPE_SYSROOT}/firmware/uefi.bin', '', d)}"
-
-# TFTF test support
-DEPENDS += " ${@bb.utils.contains('TFTF_TESTS', '1', 'tf-a-tests', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TFTF_TESTS', '1', 'BL33=${RECIPE_SYSROOT}/firmware/tftf.bin', '',d)}"
-
-# Hafnium support
-SEL2_SPMC = "${@'${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
-
-DEPENDS += " ${@bb.utils.contains('SEL2_SPMC', '1', 'hafnium', '', d)}"
-
-EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'CTX_INCLUDE_EL2_REGS=1 ARM_ARCH_MINOR=4 BL32=${RECIPE_SYSROOT}/firmware/hafnium.bin', '', d)}"
-
-# Add SP layout file and spmc manifest for hafnium
-EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'SP_LAYOUT_FILE=${TFA_SP_LAYOUT_FILE}' if d.getVar('TFA_SP_LAYOUT_FILE') else '', '', d)}"
-
-EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}"
-
-# Tell the tools where the native OpenSSL is located
-EXTRA_OEMAKE += "OPENSSL_DIR=${STAGING_DIR_NATIVE}/${prefix_native}"
-# Use the correct native compiler
-EXTRA_OEMAKE += "HOSTCC='${BUILD_CC}'"
-
-# Runtime variables
-EXTRA_OEMAKE += "RUNTIME_SYSROOT=${STAGING_DIR_HOST}"
-
-BUILD_DIR = "${B}/${TFA_PLATFORM}"
-BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
-BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
-
-do_compile() {
-    # This is still needed to have the native tools executing properly by
-    # setting the RPATH
-    sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
-    sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
-    sed -i '/^LIB/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/cert_create/Makefile
-
-    # Currently there are races if you build all the targets at once in parallel
-    for T in ${TFA_BUILD_TARGET}; do
-        oe_runmake -C ${S} $T
-    done
-}
-do_compile[cleandirs] = "${B}"
-
-do_install() {
-    install -d -m 755 ${D}/firmware
-    for atfbin in ${TFA_INSTALL_TARGET}; do
-        processed="0"
-        if [ "$atfbin" = "all" ]; then
-            # Target all is not handled by default
-            bberror "all as TFA_INSTALL_TARGET is not handled by do_install"
-            bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
-            bberror "rewrite or turn off do_install"
-            exit 1
-        fi
-
-        if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
-            echo "Install $atfbin.bin"
-            install -m 0644 ${BUILD_DIR}/$atfbin.bin \
-                ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
-            ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
-            processed="1"
-        fi
-        if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
-            echo "Install $atfbin.elf"
-            install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
-                ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
-            ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
-            processed="1"
-        fi
-        if [ -f ${BUILD_DIR}/$atfbin ]; then
-            echo "Install $atfbin"
-            install -m 0644 ${BUILD_DIR}/$atfbin \
-                ${D}/firmware/$atfbin-${TFA_PLATFORM}
-            ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
-            processed="1"
-        fi
-        if [ -f ${BUILD_DIR}/fdts/$atfbin.dtb ]; then
-            echo "Install $atfbin.dtb"
-            install -m 0644 "${BUILD_DIR}/fdts/$atfbin.dtb" \
-                "${D}/firmware/$atfbin.dtb"
-            processed="1"
-        elif [ "$atfbin" = "dtbs" ]; then
-            echo "dtbs install, skipped: set dtbs in TFA_INSTALL_TARGET"
-        elif [ -f ${B}/tools/$atfbin/$atfbin ]; then
-            echo "Tools $atfbin install, skipped"
-        elif [ "$processed" = "0" ]; then
-            bberror "Unsupported TFA_INSTALL_TARGET target $atfbin"
-            exit 1
-        fi
-    done
-}
-
-FILES:${PN} = "/firmware"
-SYSROOT_DIRS += "/firmware"
-
-FILES:${PN}-dbg = "/firmware/*.elf"
-# Skip QA check for relocations in .text of elf binaries
-INSANE_SKIP:${PN}-dbg = "textrel"
-
-do_deploy() {
-    cp -rf ${D}/firmware/* ${DEPLOYDIR}/
-}
-addtask deploy after do_install
-
-CVE_PRODUCT = "arm:arm-trusted-firmware \
-               arm:trusted_firmware-a \
-               arm:arm_trusted_firmware \
-               arm_trusted_firmware_project:arm_trusted_firmware"

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot-coreos.inc

@@ -1,12 +1,23 @@
+# Ensure that file are found event when this file is included in another layer
+# ==============================================================================
+FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
+
+# U-Boot CoreOS Distro Settings
+# ==============================================================================
+
+# Enable more debug option when debug-tweaks is enabled
+SRC_URI += " \
+    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
+"
+
 inherit coreos-efi-secureboot
 
+# Make sure UEFI and secure boot is enabled for every u-boot build
 SRC_URI += " \
     file://uefi.cfg \
     file://uefi-secureboot.cfg \
 "
 
-DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
-
 # Generate a ubootefi.var file inside the build directory
 #
 # This file can be directly linked inside the u-boot binary to provide
@@ -15,6 +26,7 @@ DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
 #
 # The efivar.py is taken from u-boot-tools recipes, so that we are sure that he
 # is found and don't depend on the u-boot version being used
+DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native cos-certificates-and-keys-native"
 addtask uboot_generate_efivar after do_configure before do_compile
 do_uboot_generate_efivar() {
     # Settings OPENSSL_MODULES is needed, otherwise efivar.py fail with

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot-tools_2022.01.bbappend

@@ -4,4 +4,6 @@
 
 do_install:append() {
 	install -m 0755 ${S}/tools/efivar.py ${D}${bindir}/uboot-efivar
-}
+}
+
+FILES:${PN} += "${bindir}/uboot-efivar"

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend

@@ -0,0 +1,5 @@
+# Add CoreOS distro settings to u-boot
+UBOOT_COREOS_REQUIRE:coreos ?= "u-boot-coreos.inc"
+UBOOT_COREOS_REQUIRE ?= ""
+
+require ${UBOOT_COREOS_REQUIRE}

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_2022.10.bb

@@ -4,5 +4,3 @@ require recipes-bsp/u-boot/u-boot.inc
 SRCREV = "4debc57a3da6c3f4d3f89a637e99206f4cea0a96"
 DEPENDS += "bc-native dtc-native python3-setuptools-native"
 LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
-
-require u-boot-coreos.inc

layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb

@@ -10,3 +10,6 @@ IMAGE_INSTALL:append = "${@bb.utils.contains("IMAGE_FEATURES", "swupdate", " swu
 
 # development tools
 IMAGE_INSTALL:append = " systemd-analyze"
+
+# Enable the optional image installer
+COREOS_IMAGE_GENERATE_INSTALLER = "1"

layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb

@@ -0,0 +1,4 @@
+DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
+LICENSE = "MIT"
+
+inherit coreos-image-installer

layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb

@@ -15,7 +15,7 @@ COREOS_IMAGE_EFI_PROVIDER_EXTRA = " \
 "
 
 RDEPENDS:${PN} = "\
-    packagegroup-base-extended \
+    packagegroup-base \
     os-release \
     ${@bb.utils.contains("MACHINE_FEATURES", "efi", "${COREOS_IMAGE_EFI_PROVIDER_EXTRA}", "", d)} \
 "

layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-swupdate.bb

@@ -3,14 +3,15 @@ DESCRIPTION = "Install swupdate and related components"
 
 inherit packagegroup
 
-
 PACKAGES = "\
     ${PN} \
 "
 
 RDEPENDS:${PN} = "\
     swupdate \
-    swupdate-progress \
     swupdate-client \
     swupdate-lua \
 "
+
+# swupdate-progress will reboot the device at the end of the update
+RRECOMMENDS:${PN} = "swupdate-progress"

layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog

@@ -0,0 +1,2 @@
+[Manager]
+RuntimeWatchdogSec=5

layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend

@@ -0,0 +1,15 @@
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/systemd-conf:"
+
+SRC_URI += " file://system.conf-watchdog"
+
+do_install:append(){
+	# the creation date/time of this file will be used as initial boot time.
+	# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
+	# More info about the date/time handling here:
+	# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
+	touch ${D}/${base_libdir}/clock-epoch
+	install -D -m0644 ${WORKDIR}/system.conf-watchdog ${D}${systemd_unitdir}/system.conf.d/01-${PN}-watchdog.conf
+}
+
+FILES:${PN} += "${base_libdir}/clock-epoch"

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-config.inc

@@ -0,0 +1,49 @@
+DESCRIPTION = "CoreOS Installer configuration files"
+SECTION = "coreos"
+LICENSE = "CLOSED"
+
+# This file can be included by a CoreOS based distro to ship a customized
+# version
+RPROVIDES:${PN} += "coreos-installer-config"
+PROVIDES += "coreos-installer-config"
+
+# This package is intended to ship machine specific configuration file
+# See bbappend in BSP layers
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+# If the BSP doesn't provide a machine specific configuration file, this
+# package will be empty
+ALLOW_EMPTY:${PN} = "1"
+
+# Don't run default configure and compile task
+do_configure[noexex] = "1"
+
+python do_compile() {
+    from pathlib import Path
+
+    workdir = Path(d.getVar('WORKDIR', True))
+    machine = d.getVar('MACHINE', True)
+    b = Path(d.getVar('B', True))
+    for input_path in workdir.glob(f'{machine}_*.sfdisk'):
+        output_path = b / input_path.relative_to(workdir)
+        process_sfdisk_file(d, input_path, output_path)
+        
+}
+
+def process_sfdisk_file(d, input_path, output_path):
+    """
+    Read the file from input_path and write it to output_path with bitbake
+    variable expanded
+    """
+    with open(output_path, "w") as output_file:
+        with open(input_path, "r") as input_file:
+            for line in input_file.readlines():
+                output_file.write(d.expand(line))
+
+do_install() {
+    install -d ${D}${sysconfdir}
+
+    # Install all files for the current machine but don't fail if no file is
+    # found
+    install -m 755 ${B}/${MACHINE}_*.sfdisk ${D}${sysconfdir}/ || true
+}

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-config_1.0.bb

@@ -0,0 +1,3 @@
+# Code is in an include file as they can be reused by a CoreOS distro to ship
+# an alternative provided for coreos-installer-config using PREFERRED_PROVIDER
+require coreos-installer-config.inc

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+# catch errors from previous source files
+if [ "$SWUPDATE_EXIT" != "" ]; then
+  # Notify the installation status indicator about the failed installation.
+  # This can result in the red LED lighting up.
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+# Notify the installation status indicator about the success with partitioning
+# the blockdevice. This can result in the first green LED lighting up.
+dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusPartitioningSuccess
+
+mount /dev/disk/by-label/image /mnt
+if [ ! -f "/mnt/image.swu" ]; then
+  echo "Could not find image.swu on the vfat partition!"
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -p /usr/lib/swupdate/post-install.sh"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -i /mnt/image.swu"