Pull request #186: Various small changes

Merge in ICO/coreos from various_small_changes to master

* commit 'a0910ef3ff70a53ea410ba205e36a2f5620481b3':
  chore(submodules): update third-party submodules
  feat(coreos-supportd-pkgs): create list of CoreOS supported packages
  chore(belden-coreos): move the initial timestamp to a generic file
  fix(swupdate): add libgcc as a dependency to terminate swupdate correctly
  feat(eagle40-03): strip out unused MACHINE_FEATURES for eagle40-03

.gitmodules

@@ -2,23 +2,35 @@
 	path = bitbake
 	url = ssh://git@bitbucket.gad.local:7999/ico/bitbake.git
 	branch = 2.0
-[submodule "layers/openembedded-core"]
+[submodule "openembedded-core"]
 	path = external-layers/openembedded-core
 	url = ssh://git@bitbucket.gad.local:7999/ico/openembedded-core.git
 	branch = kirkstone
-[submodule "layers/meta-openembedded"]
+[submodule "meta-openembedded"]
 	path = external-layers/meta-openembedded
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-openembedded.git
 	branch = kirkstone
-[submodule "layers/meta-virtualization"]
+[submodule "meta-virtualization"]
 	path = external-layers/meta-virtualization
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
 	branch = kirkstone
-[submodule "layers/meta-efibootguard"]
+[submodule "meta-efibootguard"]
 	path = external-layers/meta-efibootguard
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-efibootguard.git
 	branch = master
-[submodule "layers/meta-swupdate"]
+[submodule "meta-swupdate"]
 	path = external-layers/meta-swupdate
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
 	branch = kirkstone
+[submodule "meta-arm"]
+	path = external-layers/meta-arm
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-arm.git
+	branch = kirkstone
+[submodule "meta-ti"]
+	path = external-layers/meta-ti
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-ti.git
+	branch = kirkstone
+[submodule "meta-lts-kernel-mixin"]
+	path = external-layers/meta-lts-kernel-mixin
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-lts-mixins.git
+	branch = coreos/kirkstone/kernel

.vscode/extensions.json

@@ -2,9 +2,9 @@
     "recommendations": [
         "ms-vscode.makefile-tools",
         "timonwong.shellcheck",
-        "eugenwiens.bitbake",
         "kweihmann.oelint-vscode",
         "lextudio.restructuredtext",
-        "trond-snekvik.simple-rst"
+        "trond-snekvik.simple-rst",
+        "yocto-project.yocto-bitbake"
     ]
 }

.vscode/settings.json

@@ -1,12 +1,47 @@
 {
     "files.watcherExclude": {
-        "**/build/cache/**": true,
+        "**/build/**": true,
-        "**/build/downloads/**": true,
+        "**/_build/**": true,
-        "**/build/sstate-cache/**": true,
-        "**/build/tmp/**": true,
-        "**/documentation/_build/**": true,
-        "**/build/workspace": true
     },
+    "search.exclude": {
+        "**/build/**": true,
+        "**/_build/**": true,
+    },
+    "C_Cpp.files.exclude": {
+        "**/build": true,
+        "**/_build": true,
+    },
+    "python.analysis.exclude": [
+        "**/build/**",
+        "**/_build/**",
+    ],
     "python.formatting.provider": "black",
-    "editor.rulers": [80,100,120]
+    "editor.rulers": [80,100,120],
+    "bitbake.pathToBuildFolder": "${workspaceFolder}/build",
+    "bitbake.pathToEnvScript": "${workspaceFolder}/coreos-init-build-env",
+    "bitbake.pathToBitbakeFolder": "${workspaceFolder}/bitbake",
+    "python.autoComplete.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "python.analysis.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "[python]": {
+        "diffEditor.ignoreTrimWhitespace": false,
+        "gitlens.codeLens.symbolScopes": [
+            "!Module"
+        ],
+        "editor.formatOnType": true,
+        "editor.wordBasedSuggestions": "off",
+        "files.trimTrailingWhitespace": false
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "files.trimTrailingWhitespace": false
+    },
+    "bitbake.sdkImage": "coreos-image-minimal",
+    "bitbake.workingDirectory": "${workspaceFolder}",
+    "task.saveBeforeRun": "always",
 }

bitbake

@@ -1 +1 @@
-Subproject commit 41b6684489d0261753344956042be2cc4adb0159
+Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607

coreos-init-build-env

@@ -87,10 +87,8 @@ coreos-bblayers-envsub COREOS_LAYERSDIR "${COREOS_ROOT}/layers"
 # Add support for ##COREOS_EXTLAYERSDIR## inside of bblayer template
 coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
 
-# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything it
+# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything
-# the directory already exist, so it's safe to call it everytime
+# if the directory already exist so it's safe to call it everytime
 # stdout is redirected to reduce the amount of output but not stderr
-coreos-keygen > /dev/null || {
+#
-    echo "The coreos-keygen script has failed" >&2
+#Note: if a final build is detected all the dev keys are deleted
-    return 1
-}

documentation/components/optional/installer.rst

@@ -3,33 +3,35 @@
 CoreOS Installer
 ****************
 
-The CoreOS installer is a set of script running on the target and a
+The CoreOS installer is a set of scripts running on the target and a
 corresponding bitbake image that is used into the bootstrap process of CoreOS.
 
 coreos-image-installer
 ======================
 
-The CoreOS installer image is a single binary EFI file that include a kernel,
+The CoreOS image installer results in an image contairing only a single binary
-device tree and an initramfs with all the tools needed to install CoreOS.
+EFI file. This EFI file includes a kernel, a device tree and an initramfs with
+all (and only) the tools needed to install CoreOS.
 
-An installer image is automatically built in parallel of a normal image.
+The installer image is not automatically built in parallel of a normal image.
-This can be deactivated by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 0.
+This can be changed by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 1 in the
+image file (as it is done for example in coreos-image-all-features.bb).
 
 The installer image build by default only a single EFI binary named
-coreos-installer-MACHINE.efi. An SDCard image can be generate if
+coreos-installer-MACHINE.efi. An SDCard or USB image can be generated if
 `COREOS_INSTALLER_WKS_FILE` is set to a wks file.
 
 coreos-installer
 ================
 
-The coreos-installer recipe installs some script that is used at startup
+The coreos-installer recipe installs scripts that are used at startup to
-to automatically format the internal emmc of the device. It also contains
+automatically format the internal emmc of the device. The recipe also contains
 a swupdate configuration file to setup swupdate correctly for that use case.
 
 coreos-installer-config
 =======================
 
 The coreos-installer-config recipe installs device specific configuration file
-used by the coreos-installer. This includes the partitionner config file. Distro
+used by the coreos-installer. This includes the partitioner config file. Distros
-and project based on CoreOS can change the partionning scheme or partition size
+and projects based on CoreOS can change the partioning scheme or partition size
 by installing their own version of this package using a `bbappend file`.

external-layers/meta-arm

@@ -0,0 +1 @@
+Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446

external-layers/meta-lts-kernel-mixin

@@ -0,0 +1 @@
+Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6

external-layers/meta-openembedded

@@ -1 +1 @@
-Subproject commit 4da92ed9be41734f6ced46b981958e2e868cbff2
+Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b

external-layers/meta-swupdate

@@ -1 +1 @@
-Subproject commit eaa4dcbac224c9f5e7da784dcda78b67f117cf63
+Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c

external-layers/meta-ti

@@ -0,0 +1 @@
+Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720

external-layers/meta-virtualization

@@ -1 +1 @@
-Subproject commit af02908efda1580e77b3fdeed25b124a2b8d9482
+Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846

external-layers/openembedded-core

@@ -1 +1 @@
-Subproject commit 2b05f5c1608206cf423f6cc34d6718c7532fa025
+Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33

layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass

@@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================
 
-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 
 # UEFI Secure boot helpers
@@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign"
 
 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "cos-certificates-and-keys-native:do_deploy"
 
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
     """
-        Return the list of pubkey file inside deploy if 
+        Return the list of pubkey file inside deploy if
         COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
         otherwise
     """
@@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
 
 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
 
-def get_coreos_secureboot_keydir_hash(d):
-    """
-        Generate a space separate list, with a value for each file inside of 
-        keydir. Fromat: <filename>:md5:<md5sum>
-    """
-    import hashlib
 
-    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
-    value = ""
-    
-    for keyname in os.listdir(keydir):
-        filepath = os.path.join(keydir, keyname)
-        if os.path.isfile(filepath): 
-            md5 = bb.utils.md5_file(filepath)
-            value += f"{keyname}:md5:{md5} "
-
-    return value
-
-# The build system should detect if someone change one of the key inside
-# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
-# depends on this directory
-COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
-COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"

layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf

@@ -12,7 +12,7 @@ include conf/machine/include/arm/armv7a/tune-cortexa8.inc
 IMAGE_FSTYPES += "wic wic.xz wic.bmap"
 WKS_FILE ?= "beaglebone-sdcard.wks.in"
 COREOS_INSTALLER_WKS_FILE ?= "beaglebone-sdcard-installer.wks"
-MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image"
 do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
 do_image_wic[recrdeptask] += "do_bootimg"
 
@@ -21,10 +21,10 @@ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
 APPEND:append = " console=ttyS0,115200"
 
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 
 KERNEL_IMAGETYPE = "zImage"
-KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
+DTB_FILES = "ti/omap/am335x-bone.dtb ti/omap/am335x-boneblack.dtb ti/omap/am335x-bonegreen.dtb"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
 
 PREFERRED_PROVIDER_virtual/bootloader ?= "u-boot"

layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf

@@ -0,0 +1,39 @@
+#@TYPE: Machine
+#@NAME: eagle40-03
+#@DESCRIPTION: Machine support for EAGLE40-03
+#
+
+require include/coreos-generic-arch/x64.inc
+
+MACHINE_FEATURES += "pci usbhost x86 serial efi"
+
+# Kernel configuration
+# ******************************************************************************
+
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
+PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+
+KERNEL_IMAGETYPE = "bzImage"
+
+#  getty configuration
+# ******************************************************************************
+
+SERIAL_CONSOLES = "115200;ttyS0"
+SERIAL_CONSOLES_CHECK = "ttyS0"
+APPEND += "console=ttyS0,115200"
+
+# Image generation
+# ******************************************************************************
+
+# Ensure that both flash-image.bin and boot.scr are generated as they are needed
+# for a wic image
+WKS_FILE = "generic-uefi.wks.in"
+COREOS_INSTALLER_WKS_FILE ?= "generic-uefi-usb-installer.wks"
+IMAGE_FSTYPES += "wic.xz wic.bmap"
+
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules"
+
+# No watchdog available yet
+EFIBOOTGUARD_TIMEOUT ?= "0"
+require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/partitions.inc

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc

@@ -1,15 +1,20 @@
-
+# Variables used in WKS file
-# Variable used in WKS file
-
 WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
-WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
+WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
-WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
+WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
 WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
-WKS_PART_ROOT_SIZE ??= '2G'
+WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
 
+PART_EFI_SIZE ??= '64M'
+PART_ROOT_SIZE ??= '1G'
+PART_EFIBG_SIZE ??= '128M'
+PART_USERDATA_SIZE ??= '1G'
+
+# Variables used in SFDISK file
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
 SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
 SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
 SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
-SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
+SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
+SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc

@@ -6,12 +6,12 @@ MACHINE_FEATURES += "wifi efi"
 # Add an override that work for all pc image
 MACHINEOVERRIDES =. "vm:"
 
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 
 MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"
 
-IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk"
+IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk wic.vhdx"
 
 WKS_FILE ?= "generic-uefi.wks.in"
 do_image_wic[depends] += "gptfdisk-native:do_populate_sysroot"

layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf

@@ -0,0 +1,15 @@
+#@TYPE: Machine
+#@NAME: qemu-generic-arm64
+#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
+#have working firmware and boot via EFI.
+
+require conf/machine/qemu-generic-arm64.conf
+MACHINEOVERRIDES =. "qemu-generic-arm64:"
+
+COREOS_IMAGE_GENERATE_INSTALLER = "0"
+
+WKS_FILE = "qemu-efi-coreos-generic.wks.in"
+
+EFIBOOTGUARD_TIMEOUT ?= "0"
+require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/partitions.inc

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc

@@ -1,12 +0,0 @@
-# Ensure that file are found event when this file is included in another layer
-# ==============================================================================
-FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
-
-# Main include file for u-boot to ensure CoreOS compatibility
-# ==============================================================================
-
-SRC_URI += " \
-    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
-"
-
-require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "u-boot-coreos-efi.inc", "", d)}

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend

@@ -1,2 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
-require u-boot-coreos.inc

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk

@@ -12,8 +12,8 @@ sector-size: 512
 /dev/mmcblk1p1 : start=         256, size=         512, type=4DA6E9DA-C803-4BE4-BAC4-8192717C5EB0, name="mlo", attrs="RequiredPartition"
 /dev/mmcblk1p2 : start=         768, size=        8192, type=5B97345D-B7A1-47D3-A491-ED40F4841639, name="uboot", attrs="RequiredPartition"
 
-/dev/mmcblk1p3 : start=        8960, size=      131072, ${SFDISK_PART_EFI}
+/dev/mmcblk1p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
-/dev/mmcblk1p4 : start=      140032, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk1p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
-/dev/mmcblk1p5 : start=      402176, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk1p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
-/dev/mmcblk1p6 : start=      664320, size=     3403375, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk1p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
-/dev/mmcblk1p7 : start=     4067695, size=     3403375, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk1p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk

@@ -0,0 +1,13 @@
+label: gpt
+device: /dev/mmcblk2
+unit: sectors
+first-lba: 34
+last-lba: 7471070
+sector-size: 512
+
+/dev/mmcblk2p1 : start= 256, size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
+/dev/mmcblk2p2 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend

@@ -1,3 +1,4 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"
 
 SRC_URI:append:beaglebone = " file://beaglebone_1.0.sfdisk"
+SRC_URI:append:eagle40-03 = " file://eagle40-03_1.0.sfdisk"

layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg

@@ -0,0 +1,2 @@
+CONFIG_F71808E_WDT=y
+CONFIG_WATCHDOG_SYSFS=y

layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/hyperv.cfg

@@ -0,0 +1,16 @@
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_SPINLOCKS=y
+CONFIG_CONNECTOR=y
+CONFIG_SCSI_FC_ATTRS=y
+CONFIG_HYPERV=y
+CONFIG_HYPERV_UTILS=y
+CONFIG_HYPERV_BALLOON=y
+CONFIG_HYPERV_STORAGE=y
+CONFIG_HYPERV_NET=y
+CONFIG_HYPERV_KEYBOARD=y
+CONFIG_FB_HYPERV=y
+CONFIG_HID_HYPERV_MOUSE=y
+CONFIG_PCI_HYPERV=y
+CONFIG_VSOCKETS=y
+CONFIG_HYPERV_VSOCKETS=y

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc

@@ -1,23 +0,0 @@
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-# Ensure EFI STUB is enabled
-KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
-
-# By default we use a Unified Kernel Image that contain the kernel, the
-# kernel command line and some device tree, so we don't need to sign the output
-# of the kernel recipes
-COREOS_KERNEL_EFI_SIGNED ??= "0"
-
-# Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
-kernel_do_deploy:append() {
-    if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
-      deployDir="${DEPLOYDIR}"
-      for imageType in ${KERNEL_IMAGETYPES} ; do
-        baseName="$imageType-${KERNEL_IMAGE_NAME}"
-        coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
-      done
-    fi
-}
-

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend

@@ -1,13 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 KMACHINE:vm-x64 ?= "common-pc-64"
 COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
 
 # Enable some kernel features related to virtualiuzation
 KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
+
+KMACHINE:eagle40-03 ?= "common-pc-64"
+KBRANCH:eagle40-03 = "v5.15/standard/base"
+SRCREV_machine:eagle40-03 ?= "3baf1c5c0e6084b3f4a1d2d805168d657f872e60"
+COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
+LINUX_VERSION:eagle40-03 = "5.15.134"
+
 
 KBRANCH:beaglebone = "v5.15/standard/beaglebone"
 KMACHINE:beaglebone ?= "beaglebone"
 SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
-
-require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend

@@ -0,0 +1,14 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+KMACHINE:eagle40-03 ?= "common-pc-64"
+COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
+
+KMACHINE:beaglebone ?= "beaglebone"
+COMPATIBLE_MACHINE:beaglebone = "beaglebone"
+
+KMACHINE:vm-x64 ?= "common-pc-64"
+COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
+KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
+
+SRC_URI += " file://eagle40-03.cfg"

layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in

@@ -13,8 +13,8 @@ part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mm
 # Let's define a 4MiB maximum size for the bootloader
 # 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
 ${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --fixed-size 32M
-${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size 128M
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
-${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size 128M
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
-${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
+${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
-${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
+${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
 bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks

@@ -0,0 +1,16 @@
+# short-description: Create USB image for Eagle 40-03
+# long-description: Creates a partitioned USB image for Eagle 40-03.
+
+# offset 1S => 1 sector (1x512 byte)
+# The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
+# MBR disk use only the sector 0, so 1S is free
+# GPT disk use sector 0-33S, so first free slot is 256S
+# Offset are from the BBB default settings
+
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+part --offset 256S --source bootimg-partition --part-type=EF00 --ondisk mmcblk0
+part --fixed-size 3G --fstype=vfat --label=image
+bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in

@@ -1,10 +1,11 @@
 # short-description: Create an EFI disk image for genericx86*
 # long-description: Creates a partitioned EFI disk image for genericx86* machines
-${WKS_PART_EFI} --ondisk sda  --align 1024 --size 64M --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 
-part swap --ondisk sda --size 44 --label swap1 --fstype=swap
+${WKS_PART_EFI} --align 1024 --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
+
 bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in

@@ -0,0 +1,12 @@
+# short-description: Create an EFI disk image
+# long-description: Creates a partitioned EFI disk image that the user
+# can directly dd to boot media.
+
+part --source efibootguard-efi --label efi --part-type=EF00 --use-uuid --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
+part / --source rootfs --fstype=ext4 --label rootfs0 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part --fstype=ext4 --label rootfs1 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --use-uuid --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
+
+bootloader --ptable gpt

layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb

@@ -0,0 +1,8 @@
+DESCRIPTION = "An image that includes k3s-agent"
+
+require recipes-core/images/coreos-image-all-features.bb
+
+IMAGE_INSTALL += "k3s-agent"
+
+# To use this image, please add k3s to DISTRO_FEATURE inside your
+# local.conf config file.

layers/meta-belden-coreos-demo/recipes-kernel/linux/files/k3s_kernel_adaptions.cfg

@@ -0,0 +1,8 @@
+#this file contains the necssary kernel adaption that k3s an containerd require
+#Reference
+#k3s config check: https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/check-config.sh
+#container config check: https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh
+#these scripts are provided by moby and rancher
+CONFIG_OABI_COMPAT=n
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y

layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend

@@ -0,0 +1 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

layers/meta-belden-coreos/classes/coreos-image-ci.bbclass

@@ -3,6 +3,7 @@
 # > COREOS_IMAGE_EXTRACLASSES += "coreos-image-ci"
 # in auto.conf (or local.conf)
 
+inherit kernel-artifact-names
 
 def get_coreos_ci_artifacts(d):
     artifacts = []
@@ -12,11 +13,11 @@ def get_coreos_ci_artifacts(d):
 
     # Container handling
     # ==========================================================================
-    
+
     if bb.utils.contains('IMAGE_FSTYPES', 'oci', True, False, d):
 
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.rootfs-oci.tar')
-        
+
         # Special case for container, we just need the OCI tarball
         return " ".join(artifacts)
 
@@ -25,10 +26,14 @@ def get_coreos_ci_artifacts(d):
 
     if bb.utils.contains('IMAGE_FSTYPES', 'wic.xz', True, False, d):
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.xz')
-    
+
     if bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d):
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')
 
+    # This is used for qemu-coreos-arm64
+    if bb.utils.contains('IMAGE_FSTYPES', 'wic.qcow2', True, False, d):
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.qcow2')
+
     if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1':
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')
 
@@ -90,5 +95,5 @@ do_deploy_ci() {
     for file in ${COREOS_CI_DEPLOY_ARTIFACTS}; do
         echo $file >> $output
     done
-} 
+}
 addtask deploy_ci after do_image before do_build

layers/meta-belden-coreos/classes/coreos-image-installer.bbclass

@@ -0,0 +1,41 @@
+# Class used to generate image based on Belden CoreOS
+
+export IMAGE_BASENAME = "${MLPREFIX}${PN}"
+IMAGE_NAME_SUFFIX ?= ""
+IMAGE_LINGUAS = ""
+
+LICENSE = "MIT"
+
+IMAGE_FSTYPES = "cpio.gz"
+
+# Support for generating a SDCard or USB installer is optional
+COREOS_INSTALLER_WKS_FILE ??= ""
+WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
+IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
+IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
+
+COREOS_IMAGE_GENERATE_UKI = "1"
+
+# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
+# run during image generation
+COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
+COREOS_IMAGE_GENERATE_SWU = "0"
+
+# Change generated UKI filename and reset the bundled command line to "APPEND"
+# to ensure that root is not set in the kernel command line
+COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
+COREOS_KERNEL_CMDLINE ?= "${APPEND}"
+
+inherit coreos-image
+
+# Only install a reduced set of package and feature to keep image size small
+IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer coreos-installer-unattended util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
+IMAGE_FEATURES = "debug-tweaks swupdate"
+NO_RECOMMENDATIONS = "1"
+
+IMAGE_ROOTFS_SIZE = "8192"
+INITRAMFS_MAXSIZE = "976562"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"
+
+# Use the same restriction as initramfs-module-install
+COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'

layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass

@@ -69,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):
 
     return text
 
+# Signature support
+inherit coreos-efi-secureboot
+SWUPDATE_SIGNING = "CMS"
+SWUPDATE_CMS_KEY  = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
+SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
+
 COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
 inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
     packagegroup-coreos-boot \
     packagegroup-coreos-base \
+    secure-storage \
     "
 
 COREOS_IMAGE_EXTRA_INSTALL ?= ""
@@ -89,10 +90,12 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
 # Unified kernel image and swupdate support
 # ==============================================================================
 
-# Support for Unified Kernel Image and Swupdate are optional
+# The CoreOS image installer is disabled by default.
-COREOS_IMAGE_GENERATE_INSTALLER ?= "${@bb.utils.contains("DISTRO_FEATURES", "swupdate", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_INSTALLER ?= "0"
+
+# Support for Unified Kernel Image and Swupdate are optional.
 COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
-COREOS_IMAGE_GENERATE_SWU ?= "${@bb.utils.contains("DISTRO_FEATURES", "swupdate", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_SWU ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"
 
 # Generate the installer image if needed
 do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"

layers/meta-belden-coreos/classes/coreos-sanity.bbclass

@@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
 check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
 python check_coreos_sanity_eventhandler() {
 
+    import datetime
+
     # Checks related to the distribution configuration files
     # ==========================================================================
 
@@ -29,13 +31,22 @@ python check_coreos_sanity_eventhandler() {
             "systemd is not set as `INIT_MANAGER`. "
             "Using SystemD is mandatory on CoreOS based distribution"
         )
-    
+
     if e.data.getVar("TCLIBC") != "glibc":
         bb.fatal(
             "glibc is not set as `TCLIBC`. "
             "Using glibc is mandatory on CoreOS based distribution"
         )
-    
+
+    # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
+    first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
+    foy_ts = str(int(first_of_year.timestamp()))
+    if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
+        bb.warn(
+            "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
+            "Set to current 01. january of the year."
+        )
+
     # Checks related to the machine configuration files
     # ==========================================================================
 
@@ -47,7 +58,7 @@ python check_coreos_sanity_eventhandler() {
                 "CoreOS recommands to use compressed wic image, please add "
                 "`wic.xz` to your machine `IMAGE_FSTYPES` variables"
             )
-        
+
         if not "wic.bmap":
             bb.warn(
                 "wic image should be flashed with bmaptools, but this require "

layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc

@@ -2,6 +2,11 @@
 # it should support the most basic distro without optional coreos
 # features
 
+# Using :coreos override should work on all CoreOS based distro
+# Note that :belden-coreos does not work on CoreOS based distro but will
+# work when build for the belden-coreos distro
+DISTROOVERRIDES = "coreos:${DISTRO}"
+
 INHERIT += "coreos_metadata_scm"
 
 # Distro features and policies
@@ -106,3 +111,8 @@ PACKAGECONFIG:pn-systemd ?= " \
 # Distro based on CoreOS can provide their own configuration files for the
 # CoreOS installer by overriding this variable
 PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
+
+# This TS represents 01.01.2024 generating it dynamically would cause a lot of
+# things to get re-build, we need a good solution for this or change it every
+# year
+REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"

layers/meta-belden-coreos/conf/distro/include/coreos-support.inc

@@ -0,0 +1,149 @@
+COREOS_RECIPE_MAINTAINER:pn-acl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-arptables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-attr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-autoconf-archive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-files = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-passwd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash-completion = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-binutils-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-boost = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bridge-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-busybox = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bzip2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ca-certificates = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-conntrack-tools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-coreutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cppzmq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cracklib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cryptsetup = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-curl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-dbus = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-depmodwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-e2fsprogs = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ebtables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-efibootguard = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-elfutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ethtool = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-expat = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-findutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flatbuffers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flex = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-fmt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gawk = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-runtime = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gdbm = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glib-2.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc-locale = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gmp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnu-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnutls = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-icu = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iproute2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iptables = "Team CoreOS"
+#iw should be removed
+COREOS_RECIPE_MAINTAINER:pn-json-c = "Team CoreOS"
+# kbd check if it can be removed
+# kmod check if it can be removed
+COREOS_RECIPE_MAINTAINER:pn-libaio = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libarchive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcheck = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libconfig = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libdevmapper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libestr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libfastjson = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libffi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc-initial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgpg-error = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libidn2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-liblogging = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libmnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnet = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-conntrack = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cthelper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cttimeout = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-log = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-queue = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnfnetlink = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnsl2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpam = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcre = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libseccomp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsodium = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsolv = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtirpc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtool-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libunistring = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libusb1 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxml2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-libc-headers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-yocto = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-logrotate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lrzsz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lvm2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lzo = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-m4 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-mtools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ncurses = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-netbase = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-nettle = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-arch-config = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-os-release = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-core-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-pciutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-perl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-popt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-python3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-qemuwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-readline = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-rsyslog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-run-postinsts = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-secure-storage = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-setserial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-shared-mime-info = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-spdlog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sqlite3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-swupdate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sysfsutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslinux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslog-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-conf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-serialgetty = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tar = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tcpdump = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-usbutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux-libuuid = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-volatile-binds = "Team CoreOS"
+# wpa-supplicant should be removed
+COREOS_RECIPE_MAINTAINER:pn-xz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zeromq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zip = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zlib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zstd = "Team CoreOS"

layers/meta-belden-coreos/conf/layer.conf

@@ -15,6 +15,7 @@ LAYERDEPENDS_meta-belden-coreos = "\
     networking-layer \
     virtualization-layer \
     webserver \
+    meta-arm \
 "
 
 LAYERSERIES_COMPAT_meta-belden-coreos = "kirkstone"

layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb

@@ -1,33 +0,0 @@
-SUMMARY = "A recipe to deploy UEFI public keys update files"
-LICENSE = "CLOSED"
-
-
-INHIBIT_DEFAULT_DEPS = "1"
-inherit nopackages
-
-inherit deploy
-inherit coreos-efi-secureboot
-
-# Public key needed by firmware very depending on the implementation
-# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
-addtask deploy after do_compile
-do_deploy() {
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
-    
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
-
-    # !SECURITY WARNING! 
-    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
-}

layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat
 # Add signature support
 # ==============================================================================
 
+DEPENDS:append = " cos-certificates-and-keys-native"
+
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
 

layers/meta-belden-coreos/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc

@@ -1,244 +0,0 @@
-DESCRIPTION = "Trusted Firmware-A"
-LICENSE = "BSD-3-Clause & MIT"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-
-inherit deploy
-
-SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
-
-UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
-
-SRCREV_FORMAT = "tfa"
-
-COMPATIBLE_MACHINE ?= "invalid"
-
-# Platform must be set for each machine
-TFA_PLATFORM ?= "invalid"
-
-# Some platforms can have multiple board configurations
-# Leave empty for default behavior
-TFA_BOARD ?= ""
-
-# Some platforms use SPD (Secure Payload Dispatcher) services
-# Few options are "opteed", "tlkd", "trusty", "tspd", "spmd"...
-# Leave empty to not use SPD
-TFA_SPD ?= ""
-
-# Variable used when TFA_SPD=spmd
-TFA_SPMD_SPM_AT_SEL2 ?= "1"
-
-# SP layout file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
-TFA_SP_LAYOUT_FILE ?= ""
-
-# SPMC manifest file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
-TFA_ARM_SPMC_MANIFEST_DTS ?= ""
-
-# Build for debug (set TFA_DEBUG to 1 to activate)
-TFA_DEBUG ?= "0"
-
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
-
-# mbed TLS support (set TFA_MBEDTLS to 1 to activate)
-TFA_MBEDTLS ?= "0"
-# sub-directory in which mbedtls will be downloaded
-TFA_MBEDTLS_DIR ?= "mbedtls"
-# This should be set to MBEDTLS download URL if MBEDTLS is needed
-SRC_URI_MBEDTLS ??= ""
-# This should be set to MBEDTLS LIC FILES checksum
-LIC_FILES_CHKSUM_MBEDTLS ??= ""
-# add MBEDTLS to our sources if activated
-SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}"
-# Update license variables
-LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}"
-LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
-# add mbed TLS to version
-SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
-
-# U-boot support (set TFA_UBOOT to 1 to activate)
-# When U-Boot support is activated BL33 is activated with u-boot.bin file
-TFA_UBOOT ??= "0"
-
-# UEFI support (set TFA_UEFI to 1 to activate)
-# When UEFI support is activated BL33 is activated with uefi.bin file
-TFA_UEFI ??= "0"
-
-# What to build
-# By default we only build bl1, do_deploy will copy
-# everything listed in this variable (by default bl1.bin)
-TFA_BUILD_TARGET ?= "bl1"
-
-# What to install
-# do_install and do_deploy will install everything listed in this
-# variable. It is set by default to TFA_BUILD_TARGET
-TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
-
-# Requires CROSS_COMPILE set by hand as there is no configure script
-export CROSS_COMPILE="${TARGET_PREFIX}"
-
-# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
-CFLAGS[unexport] = "1"
-LDFLAGS[unexport] = "1"
-AS[unexport] = "1"
-LD[unexport] = "1"
-
-# No configure
-do_configure[noexec] = "1"
-
-# Baremetal, just need a compiler
-DEPENDS:remove = "virtual/${TARGET_PREFIX}compilerlibs virtual/libc"
-
-# We need dtc for dtbs compilation
-# We need openssl for fiptool
-DEPENDS = "dtc-native openssl-native"
-DEPENDS:append:toolchain-clang = " compiler-rt"
-
-# CC and LD introduce arguments which conflict with those otherwise provided by
-# this recipe. The heads of these variables excluding those arguments
-# are therefore used instead.
-def remove_options_tail (in_string):
-    from itertools import takewhile
-    return ' '.join(takewhile(lambda x: not x.startswith('-'), in_string.split(' ')))
-
-EXTRA_OEMAKE += "LD=${@remove_options_tail(d.getVar('LD'))}"
-
-EXTRA_OEMAKE += "CC=${@remove_options_tail(d.getVar('CC'))}"
-
-# Verbose builds, no -Werror
-EXTRA_OEMAKE += "V=1 E=0"
-
-# Add platform parameter
-EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
-
-# Handle TFA_BOARD parameter
-EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
-
-# Handle TFA_SPD parameter
-EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
-
-# If TFA_SPD is spmd, set SPMD_SPM_AT_SEL2
-EXTRA_OEMAKE += "${@'SPMD_SPM_AT_SEL2=${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
-
-# Handle TFA_DEBUG parameter
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_DEBUG', '1', 'DEBUG=${TFA_DEBUG}', '', d)}"
-
-# Handle MBEDTLS
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
-
-# Uboot support
-DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
-do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '', d)}"
-
-# UEFI support
-DEPENDS += " ${@bb.utils.contains('TFA_UEFI', '1', 'edk2-firmware', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UEFI', '1', 'BL33=${RECIPE_SYSROOT}/firmware/uefi.bin', '', d)}"
-
-# TFTF test support
-DEPENDS += " ${@bb.utils.contains('TFTF_TESTS', '1', 'tf-a-tests', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TFTF_TESTS', '1', 'BL33=${RECIPE_SYSROOT}/firmware/tftf.bin', '',d)}"
-
-# Hafnium support
-SEL2_SPMC = "${@'${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
-
-DEPENDS += " ${@bb.utils.contains('SEL2_SPMC', '1', 'hafnium', '', d)}"
-
-EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'CTX_INCLUDE_EL2_REGS=1 ARM_ARCH_MINOR=4 BL32=${RECIPE_SYSROOT}/firmware/hafnium.bin', '', d)}"
-
-# Add SP layout file and spmc manifest for hafnium
-EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'SP_LAYOUT_FILE=${TFA_SP_LAYOUT_FILE}' if d.getVar('TFA_SP_LAYOUT_FILE') else '', '', d)}"
-
-EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}"
-
-# Tell the tools where the native OpenSSL is located
-EXTRA_OEMAKE += "OPENSSL_DIR=${STAGING_DIR_NATIVE}/${prefix_native}"
-# Use the correct native compiler
-EXTRA_OEMAKE += "HOSTCC='${BUILD_CC}'"
-
-# Runtime variables
-EXTRA_OEMAKE += "RUNTIME_SYSROOT=${STAGING_DIR_HOST}"
-
-BUILD_DIR = "${B}/${TFA_PLATFORM}"
-BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
-BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
-
-do_compile() {
-    # This is still needed to have the native tools executing properly by
-    # setting the RPATH
-    sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
-    sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
-    sed -i '/^LIB/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/cert_create/Makefile
-
-    # Currently there are races if you build all the targets at once in parallel
-    for T in ${TFA_BUILD_TARGET}; do
-        oe_runmake -C ${S} $T
-    done
-}
-do_compile[cleandirs] = "${B}"
-
-do_install() {
-    install -d -m 755 ${D}/firmware
-    for atfbin in ${TFA_INSTALL_TARGET}; do
-        processed="0"
-        if [ "$atfbin" = "all" ]; then
-            # Target all is not handled by default
-            bberror "all as TFA_INSTALL_TARGET is not handled by do_install"
-            bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
-            bberror "rewrite or turn off do_install"
-            exit 1
-        fi
-
-        if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
-            echo "Install $atfbin.bin"
-            install -m 0644 ${BUILD_DIR}/$atfbin.bin \
-                ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
-            ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
-            processed="1"
-        fi
-        if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
-            echo "Install $atfbin.elf"
-            install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
-                ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
-            ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
-            processed="1"
-        fi
-        if [ -f ${BUILD_DIR}/$atfbin ]; then
-            echo "Install $atfbin"
-            install -m 0644 ${BUILD_DIR}/$atfbin \
-                ${D}/firmware/$atfbin-${TFA_PLATFORM}
-            ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
-            processed="1"
-        fi
-        if [ -f ${BUILD_DIR}/fdts/$atfbin.dtb ]; then
-            echo "Install $atfbin.dtb"
-            install -m 0644 "${BUILD_DIR}/fdts/$atfbin.dtb" \
-                "${D}/firmware/$atfbin.dtb"
-            processed="1"
-        elif [ "$atfbin" = "dtbs" ]; then
-            echo "dtbs install, skipped: set dtbs in TFA_INSTALL_TARGET"
-        elif [ -f ${B}/tools/$atfbin/$atfbin ]; then
-            echo "Tools $atfbin install, skipped"
-        elif [ "$processed" = "0" ]; then
-            bberror "Unsupported TFA_INSTALL_TARGET target $atfbin"
-            exit 1
-        fi
-    done
-}
-
-FILES:${PN} = "/firmware"
-SYSROOT_DIRS += "/firmware"
-
-FILES:${PN}-dbg = "/firmware/*.elf"
-# Skip QA check for relocations in .text of elf binaries
-INSANE_SKIP:${PN}-dbg = "textrel"
-
-do_deploy() {
-    cp -rf ${D}/firmware/* ${DEPLOYDIR}/
-}
-addtask deploy after do_install
-
-CVE_PRODUCT = "arm:arm-trusted-firmware \
-               arm:trusted_firmware-a \
-               arm:arm_trusted_firmware \
-               arm_trusted_firmware_project:arm_trusted_firmware"

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot-coreos.inc

@@ -1,12 +1,23 @@
+# Ensure that file are found event when this file is included in another layer
+# ==============================================================================
+FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
+
+# U-Boot CoreOS Distro Settings
+# ==============================================================================
+
+# Enable more debug option when debug-tweaks is enabled
+SRC_URI += " \
+    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
+"
+
 inherit coreos-efi-secureboot
 
+# Make sure UEFI and secure boot is enabled for every u-boot build
 SRC_URI += " \
     file://uefi.cfg \
     file://uefi-secureboot.cfg \
 "
 
-DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
-
 # Generate a ubootefi.var file inside the build directory
 #
 # This file can be directly linked inside the u-boot binary to provide
@@ -15,6 +26,7 @@ DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
 #
 # The efivar.py is taken from u-boot-tools recipes, so that we are sure that he
 # is found and don't depend on the u-boot version being used
+DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native cos-certificates-and-keys-native"
 addtask uboot_generate_efivar after do_configure before do_compile
 do_uboot_generate_efivar() {
     # Settings OPENSSL_MODULES is needed, otherwise efivar.py fail with

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend

@@ -0,0 +1,5 @@
+# Add CoreOS distro settings to u-boot
+UBOOT_COREOS_REQUIRE:coreos ?= "u-boot-coreos.inc"
+UBOOT_COREOS_REQUIRE ?= ""
+
+require ${UBOOT_COREOS_REQUIRE}

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_2022.10.bb

@@ -4,5 +4,3 @@ require recipes-bsp/u-boot/u-boot.inc
 SRCREV = "4debc57a3da6c3f4d3f89a637e99206f4cea0a96"
 DEPENDS += "bc-native dtc-native python3-setuptools-native"
 LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
-
-require u-boot-coreos.inc

layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb

@@ -10,3 +10,6 @@ IMAGE_INSTALL:append = "${@bb.utils.contains("IMAGE_FEATURES", "swupdate", " swu
 
 # development tools
 IMAGE_INSTALL:append = " systemd-analyze"
+
+# Enable the optional image installer
+COREOS_IMAGE_GENERATE_INSTALLER = "1"

layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb

@@ -1,50 +1,4 @@
 DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
-
-
-
-# Don't reboot the device at reboot and don't do A/B switching
-BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
-
-export IMAGE_BASENAME = "${MLPREFIX}${PN}"
-IMAGE_NAME_SUFFIX ?= ""
-IMAGE_LINGUAS = ""
-
 LICENSE = "MIT"
 
-IMAGE_FSTYPES = "cpio.gz"
+inherit coreos-image-installer
-
-# Support for generating a SDCard installer is optional
-COREOS_INSTALLER_WKS_FILE ??= ""
-WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
-IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
-IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
-
-COREOS_IMAGE_GENERATE_UKI = "1"
-
-# Avoid dependancy loop, we are already in an installer image, so we don't need
-# to bundle another one
-COREOS_IMAGE_GENERATE_INSTALLER = "0"
-
-# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
-# run during image generation
-COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
-COREOS_IMAGE_GENERATE_SWU = "0"
-
-# Change generated UKI filename and reset the bundled command line to "APPEND"
-# to ensure that root is not set in the kernel command line
-COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
-COREOS_KERNEL_CMDLINE ?= "${APPEND}"
-
-inherit coreos-image
-
-# Only install a reduced set of package and feature to keep image size small
-IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer swupdate-www util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
-IMAGE_FEATURES = "debug-tweaks swupdate networkmanager"
-NO_RECOMMENDATIONS = "1"
-
-IMAGE_ROOTFS_SIZE = "8192"
-INITRAMFS_MAXSIZE = "976562"
-IMAGE_ROOTFS_EXTRA_SPACE = "0"
-
-# Use the same restriction as initramfs-module-install
-COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'

layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb

@@ -15,7 +15,7 @@ COREOS_IMAGE_EFI_PROVIDER_EXTRA = " \
 "
 
 RDEPENDS:${PN} = "\
-    packagegroup-base-extended \
+    packagegroup-base \
     os-release \
     ${@bb.utils.contains("MACHINE_FEATURES", "efi", "${COREOS_IMAGE_EFI_PROVIDER_EXTRA}", "", d)} \
 "

layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog

@@ -0,0 +1,2 @@
+[Manager]
+RuntimeWatchdogSec=5

layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend

@@ -0,0 +1,15 @@
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/systemd-conf:"
+
+SRC_URI += " file://system.conf-watchdog"
+
+do_install:append(){
+	# the creation date/time of this file will be used as initial boot time.
+	# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
+	# More info about the date/time handling here:
+	# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
+	touch ${D}/${base_libdir}/clock-epoch
+	install -D -m0644 ${WORKDIR}/system.conf-watchdog ${D}${systemd_unitdir}/system.conf.d/01-${PN}-watchdog.conf
+}
+
+FILES:${PN} += "${base_libdir}/clock-epoch"

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+# catch errors from previous source files
+if [ "$SWUPDATE_EXIT" != "" ]; then
+  # Notify the installation status indicator about the failed installation.
+  # This can result in the red LED lighting up.
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+# Notify the installation status indicator about the success with partitioning
+# the blockdevice. This can result in the first green LED lighting up.
+dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusPartitioningSuccess
+
+mount /dev/disk/by-label/image /mnt
+if [ ! -f "/mnt/image.swu" ]; then
+  echo "Could not find image.swu on the vfat partition!"
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -p /usr/lib/swupdate/post-install.sh"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -i /mnt/image.swu"

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/post-install.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+# Notify the installation status indicator about the success with flashing the image.
+# This can result in the second green LED lighting up.
+dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusImageFlashingSuccess

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended_1.0.bb

@@ -0,0 +1,23 @@
+DESCRIPTION = "CoreOS scripts for unattended installation"
+SECTION = "coreos"
+LICENSE = "CLOSED"
+
+SRC_URI += "\
+    file://99-overwrite.sh \
+    file://post-install.sh \
+"
+
+FILES:${PN} = "\
+    ${libdir}/swupdate/conf.d/99-overwrite.sh \
+    ${libdir}/swupdate/post-install.sh \
+"
+
+RDEPENDS:${PN} = "coreos-installer"
+
+RCONFLICTS:${PN} = "swupdate-www"
+
+do_install() {
+    install -d ${D}${libdir}/swupdate/conf.d
+    install -m 755 ${WORKDIR}/post-install.sh ${D}${libdir}/swupdate/
+    install -m 755 ${WORKDIR}/99-overwrite.sh ${D}${libdir}/swupdate/conf.d/
+}

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer/25-installer-config.sh

@@ -1,5 +1,8 @@
 #!/usr/bin/env sh
 
+set -o errtrace
+trap 'echo "An error occured in line $LINENO: $BASH_COMMAND, exiting..."; SWUPDATE_EXIT=1; exit;' ERR
+
 # Read /etc/hwrevision and turn it into a stripped string
 # with the format ${MACHINE}_${VERSION}
 HWREVISION=$(tr ' ' '_' < /etc/hwrevision | tr -d '[:space:]')
@@ -15,6 +18,13 @@ fi
 
 DISK=$(grep "^device:\s" < "${SFDISK_DUMP_FILE}" | cut -d ' ' -f 2)
 
+# Remove the partition table signature, if there is already one.
+# This ensures that sfdisk always finds a 'clean' disk to install / recover
+wipefs -a -f ${DISK}
+
+# Give the kernel some time to reload the partition
+sleep 3
+
 echo "Flashing ${SFDISK_DUMP_FILE} to ${DISK}"
 cat "${SFDISK_DUMP_FILE}"
 sfdisk "${DISK}" < "${SFDISK_DUMP_FILE}"
@@ -48,3 +58,4 @@ umount /mnt/ebg1
 umount /mnt/efi
 
 SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer_1.0.bb

@@ -1,22 +1,18 @@
 DESCRIPTION = "CoreOS Installer scripts"
-LICENSE = "CLOSED"
 SECTION = "coreos"
+LICENSE = "CLOSED"
 
-SRC_URI+= " \
+SRC_URI += "file://25-installer-config.sh"
-    file://25-installer-config.sh \
-"
 
-# This package ship an alternate configuration for SWUpade to disable A/B
+FILES:${PN} = "${libdir}/swupdate/conf.d/25-installer-config.sh"
-# switching and always flash A
-RCONFLICTS:${PN}= "swupdate-coreos-config"
-
-FILES:${PN} = " \
-    ${libdir}/swupdate/conf.d/25-installer-config.sh \
-"
 
 # glibc-utils provide iconv
 # glibc-gconv-utf-16 provide utf-16 support to iconv
-RDEPENDS:${PN} = "coreos-installer-config dosfstools util-linux-lsblk util-linux-sfdisk glibc-utils glibc-gconv-utf-16"
+RDEPENDS:${PN} = "coreos-installer-config dosfstools glibc-gconv-utf-16 glibc-utils util-linux-lsblk util-linux-sfdisk util-linux-wipefs"
+
+# This package ships an alternate configuration for SWUpdate to disable A/B
+# switching and always flash A
+RCONFLICTS:${PN} = "swupdate-coreos-config"
 
 do_install() {
     install -d ${D}${libdir}/swupdate/conf.d

layers/meta-belden-coreos/recipes-kernel/linux/files/secure-storage.cfg

@@ -0,0 +1,4 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_DM_CRYPT=y

layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto-coreos.inc

@@ -0,0 +1,8 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+# Secure Storage
+# ==============================================================================
+SRC_URI += "file://secure-storage.cfg"
+
+# Ensure the Kernel EFI STUB is enabled
+KERNEL_FEATURES += "cfg/efi.scc cfg/efi-ext.scc"

layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto_%.bbappend

@@ -0,0 +1,6 @@
+# Add CoreOS distro settings to the linux-yocto recipes
+
+LINUX_YOCTO_COREOS_REQUIRE ?= ""
+LINUX_YOCTO_COREOS_REQUIRE:coreos = "linux-yocto-coreos.inc"
+
+require ${LINUX_YOCTO_COREOS_REQUIRE}

layers/meta-belden-coreos/recipes-security/cos-certificates-and-keys/cos-certificates-and-keys-native_1.0.bb

@@ -0,0 +1,65 @@
+SUMMARY = "Installs CoreOS certificates and keys"
+DESCRIPTION = "Installs CoreOS certificates and keys that are used during the build"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
+SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
+
+S = "${WORKDIR}/git"
+
+inherit deploy native
+
+CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
+
+#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
+
+
+do_install() {
+    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
+    install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
+    install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
+    install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
+    install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
+    install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
+    install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
+    install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
+    install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
+    install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
+    install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
+    install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
+    install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
+    install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
+    install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
+    install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
+    install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
+    install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
+
+    bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
+}
+
+
+# Public key needed by firmware very depending on the implementation
+# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
+
+addtask deploy after do_compile
+do_deploy() {
+    install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
+    install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
+    install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
+
+    install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
+    install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
+    install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
+
+    install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
+    install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
+    install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
+
+    install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
+    install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
+    install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
+
+    # !SECURITY WARNING!
+    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
+}

layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+	# echo "Create key file"
+	systemd-notify --status="Create key file"
+	mkdir -p $keyfiledir
+	dd if=/dev/urandom of=$keyfile bs=1 count=256
+	chown root:root $keyfiledir/*
+	chmod 000 $keyfiledir/*
+}
+
+error() {
+	echo "Error: $1"
+	exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+	# echo "Creating a file with random bits.. this could take a while..."
+	systemd-notify --status="Creating a file with random bits.. this could take a while..."
+	mkdir -p $loopdir || error "Creating loopdir"
+	mkdir -p $mountpoint || error "Creating mountpoint"
+	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $loopdevice"
+	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+	#echo "Open secure-storage"
+	systemd-notify --status="Open secure storage"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $ld"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+	echo "Close secure-storage"
+	# get loopdevice
+	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+	umount $mountpoint
+	cryptsetup close $cryptmapper
+	losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+	#echo "Parameter detected"
+	$1
+	exit 0
+fi
+
+if [ -e $keyfile ]
+then
+	#echo "Key file available"
+	if [ -e $loopfile ]
+	then
+		#echo "Loop file available"
+		open
+	else
+		#echo "Loop file not available"
+		create_loopback_and_open
+	fi
+else
+	#echo "Key file not available"
+	create_keyfile
+	create_loopback_and_open
+fi

layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+

layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb

@@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+    file://sec-storage-loopback.sh \
+    file://secure-storage.service \
+    "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+    /usr/local/data/ \
+    ${systemd_unitdir}/system \
+    ${bindir}/sec-storage-loopback.sh \
+    ${systemd_unitdir}/system/secure-storage.service \
+    "
+
+do_install() {
+    install -d ${D}$/usr/local/data/
+    install -d ${D}${bindir}
+    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+    install -d ${D}${systemd_unitdir}/system
+    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup util-linux-losetup e2fsprogs-mke2fs"

layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh

@@ -37,3 +37,6 @@ case $ROOT_PARTLABEL in
         exit 1
         ;;
 esac
+
+echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"

layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig

@@ -24,3 +24,8 @@ CONFIG_DISKPART=y
 CONFIG_DISKPART_FORMAT=y
 CONFIG_FAT_FILESYSTEM=y
 CONFIG_EXT_FILESYSTEM=y
+CONFIG_SIGNED=y
+CONFIG_SIGNED_IMAGES=y
+CONFIG_SIGALG_RAWRSA=n
+CONFIG_SIGALG_CMS=y
+CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y

layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend

@@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate"
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
 
+DEPENDS += "cos-certificates-and-keys-native"
+
 SRC_URI += "\
     file://50-webserver-config.sh \
     file://25-sw-collections-config.sh \
@@ -37,9 +39,15 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
 # configuration to be installed
 RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"
 
+inherit coreos-efi-secureboot
+
 do_install:append() {
     # Probably replace revision with the value of the device tree
     install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
     install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
+    install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
     echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
 }
+
+# Fix: libgcc_s.so.1 must be installed for pthread_exit to work
+RDEPENDS:${PN} += "libgcc"

layers/meta-belden-marvell-bsp/conf/layer.conf

@@ -9,5 +9,5 @@ BBFILE_COLLECTIONS += "meta-belden-marvell-bsp"
 BBFILE_PATTERN_meta-belden-marvell-bsp = "^${LAYERDIR}/"
 BBFILE_PRIORITY_meta-belden-marvell-bsp = "6"
 
-LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos"
+LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos meta-arm"
 LAYERSERIES_COMPAT_meta-belden-marvell-bsp = "kirkstone"

layers/meta-belden-marvell-bsp/conf/machine/include/cn913x.inc

@@ -26,7 +26,7 @@ UBOOT_LOADADDRESS = "0x7000000"
 
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-netmodule"
 PREFERRED_VERSION_linux-netmodule ?= "git-5.15-solidrun"
-PREFERRED_VERSION_trusted_firmware_a ?= "2.3-solidrun"
+PREFERRED_VERSION_trusted_firmware_a = "2.6"
 
 KERNEL_IMAGETYPE = "Image"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/README.md

@@ -1,28 +0,0 @@
-# trusted-firmware-a
-
-
-trusted-firmware-a recipes was copied from:
-
-meta-arm/meta-arm/recipes-bsp/trusted-firmware-a
-
-Repo:  git://git.yoctoproject.org/meta-arm
-Branch: kirkstone
-Git SHA: 78fce73c3803aba82149a3a03fde1b708f5424fa
-
-Theses files were copied:
-
-- trusted-firmware-a.inc
-- files/ssl.patch
-
-Theses files were created, by doing the same as done in meta-arm/meta-arm-bsp
-but using the same revision and make flags as in https://github.com/SolidRun/cn913x_yocto_meta.git
-
-- trusted-firmware-a_2.3.bb
-
-Theses files were copied from https://github.com/SolidRun/cn913x_yocto_meta.git
-
-- files/mrvl_scp_bl2.img
-- files/000*.patch
-
-More info about how to use trusted-firmware-a for Marvell can be found at
-https://trustedfirmware-a.readthedocs.io/en/latest/plat/marvell/armada/build.html

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch

@@ -1,14 +1,14 @@
-From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
+From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 22 Nov 2021 13:33:25 +0200
-Subject: [PATCH 2/2] ddr spd read failover to defualt config
+Subject: [PATCH] ddr spd read failover to defualt config
 
 ---
  .../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
  1 file changed, 93 insertions(+), 7 deletions(-)
 
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 0befadfc6..5de71f095 100644
+index 82ce07b09..bb7814e9b 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 @@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644
  {
  	struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
 @@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
- 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
+ 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
  
  		/* read data from spd */
 -		i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
@@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644
 +			set_param_based_on_som_strap();
  	}
  }
--- 
-2.25.1
-

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch

@@ -1,15 +1,16 @@
-From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001
+From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 6 Dec 2021 18:34:37 +0200
 Subject: [PATCH] som sdp failover using crc verification
 
 Signed-off-by: Alon Rotman <alon.rotman@solid-run.com>
+
 ---
  .../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++-------
  1 file changed, 41 insertions(+), 22 deletions(-)
 
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 5de71f095..d59b8100d 100644
+index bb7814e9b..772774215 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 @@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644
 +	
  	}
  }
--- 
-2.25.1
-

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch

@@ -1,52 +0,0 @@
-fiptool: respect OPENSSL_DIR
-
-fiptool links to libcrypto, so as with the other tools it should respect
-OPENSSL_DIR for include/library paths.
-
-Upstream-Status: Submitted
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-diff --git a/Makefile b/Makefile
-index ec6f88585..2d3b9fc26 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
- 
- ${FIPTOOL}: FORCE
- ifdef UNIX_MK
--	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
-+	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
- else
- # Clear the MAKEFLAGS as we do not want
- # to pass the gnumake flags to nmake.
-diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
-index 11d2e7b0b..7c2a08379 100644
---- a/tools/fiptool/Makefile
-+++ b/tools/fiptool/Makefile
-@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
- PROJECT := $(notdir ${FIPTOOL})
- OBJECTS := fiptool.o tbbr_config.o
- V ?= 0
-+OPENSSL_DIR := /usr
-+
- 
- override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
- HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
-@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
- else
-   HOSTCCFLAGS += -O2
- endif
--LDLIBS := -lcrypto
-+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
- 
- ifeq (${V},0)
-   Q := @
-@@ -28,7 +30,7 @@ else
-   Q :=
- endif
- 
--INCLUDE_PATHS := -I../../include/tools_share
-+INCLUDE_PATHS := -I../../include/tools_share  -I${OPENSSL_DIR}/include
- 
- HOSTCC ?= gcc
- 

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-cn913x.inc

@@ -1,9 +1,8 @@
-require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+# CN913x specific TFA support
 
-PV = "2.3+git${SRCPV}"
+COMPATIBLE_MACHINE = "cn913x"
-SRCREV_tfa = "00ad74c7afe67b2ffaf08300710f18d3dafebb45"
 
-LIC_FILES_CHKSUM += "file://docs/license.rst;md5=189505435dbcdcc8caa63c46fe93fa89"
+DEPENDS += "mv-ddr-marvell coreutils-native"
 
 SRC_URI +=  " \
     file://0001-ddr-spd-read-failover-to-defualt-config.patch \
@@ -11,10 +10,6 @@ SRC_URI +=  " \
     file://mrvl_scp_bl2.img \
 "
 
-COMPATIBLE_MACHINE = "cn913x"
-
-DEPENDS += "mv-ddr-marvell coreutils-native"
-
 CP_NUM:cn9131-bldn-mbv = "2"
 CP_NUM:cn9130-cf-pro = "1"
 

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend

@@ -0,0 +1,8 @@
+# Machine specific TFAs
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+MACHINE_TFA_REQUIRE ?= ""
+MACHINE_TFA_REQUIRE:cn913x = "trusted-firmware-a-cn913x.inc"
+
+require ${MACHINE_TFA_REQUIRE}

layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2019.10-solidrun.bb

@@ -51,7 +51,6 @@ SRC_URI = "git://git.denx.de/u-boot.git;branch=master \
 S = "${WORKDIR}/git"
 
 require recipes-bsp/u-boot/u-boot.inc
-require recipes-bsp/u-boot/u-boot-coreos.inc
 
 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"

layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2023.04-marvell.bb

@@ -30,7 +30,6 @@ SRC_URI = "git://source.denx.de/u-boot/custodians/u-boot-marvell.git;branch=mast
 S = "${WORKDIR}/git"
 
 require recipes-bsp/u-boot/u-boot.inc
-require recipes-bsp/u-boot/u-boot-coreos.inc
 
 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"

layers/meta-belden-marvell-bsp/recipes-coreos/coreos-installer/coreos-installer-config/cn9130-cf-pro_1.0.sfdisk

@@ -18,8 +18,8 @@ sector-size: 512
 /dev/mmcblk0p1 : start=        4096, size=        8192, type=71B02716-C000-4F0D-AE03-2F5DC0A114CD, name="fw0", attrs="RequiredPartition"
 /dev/mmcblk0p2 : start=       12288, size=        8192, type=71B02716-C000-4F0D-AE03-2F5DC0A114CD, name="fw1", attrs="RequiredPartition"
 
-/dev/mmcblk0p3 : start=       20480, size=      131072, ${SFDISK_PART_EFI}
+/dev/mmcblk0p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
-/dev/mmcblk0p4 : start=      151552, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk0p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
-/dev/mmcblk0p5 : start=      413696, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk0p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
-/dev/mmcblk0p6 : start=      675840, size=     7294976, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk0p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
-/dev/mmcblk0p7 : start=     7970816, size=     7294976, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk0p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/cn913x_additions.cfg

@@ -17,12 +17,13 @@ CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y
 CONFIG_ACPI_CPPC_CPUFREQ=y
 CONFIG_ARM_ARMADA_8K_CPUFREQ=y
 CONFIG_MICROSEMI_PHY=y
-CONFIG_QRTR_MHI=m
+# CONFIG_QRTR_MHI is not set
-CONFIG_MHI_BUS=m
+# CONFIG_QRTR is not set
-CONFIG_ATH11K=m
+# CONFIG_MHI_BUS is not set
-CONFIG_ATH11K_AHB=m
+# CONFIG_ATH11K is not set
-CONFIG_ATH11K_PCI=m
+# CONFIG_ATH11K_AHB is not set
-CONFIG_ATH11K_DEBUG=y
+# CONFIG_ATH11K_PCI is not set
+# CONFIG_ATH11K_DEBUG is not set
 CONFIG_CRYPTO_MICHAEL_MIC=m
 CONFIG_R8169=y
 CONFIG_MTD=y
@@ -49,25 +50,25 @@ CONFIG_WEXT_CORE=y
 CONFIG_WEXT_PROC=y
 CONFIG_WEXT_SPY=y
 CONFIG_WEXT_PRIV=y
-CONFIG_CFG80211_DEBUGFS=y
+# CONFIG_CFG80211_DEBUGFS is not set
-CONFIG_CFG80211_WEXT=y
+# CONFIG_CFG80211_WEXT is not set
-CONFIG_CFG80211_WEXT_EXPORT=y
+# CONFIG_CFG80211_WEXT_EXPORT is not set
-CONFIG_LIB80211=m
+# CONFIG_LIB80211 is not set
-CONFIG_LIB80211_CRYPT_WEP=m
+# CONFIG_LIB80211_CRYPT_WEP is not set
-CONFIG_LIB80211_CRYPT_CCMP=m
+# CONFIG_LIB80211_CRYPT_CCMP is not set
-CONFIG_LIB80211_CRYPT_TKIP=m
+# CONFIG_LIB80211_CRYPT_TKIP is not set
-CONFIG_LIB80211_DEBUG=y
+# CONFIG_LIB80211_DEBUG is not set
-CONFIG_MAC80211_DEBUGFS=y
+# CONFIG_MAC80211_DEBUGFS is not set
-CONFIG_MAC80211_MESSAGE_TRACING=y
+# CONFIG_MAC80211_MESSAGE_TRACING is not set
-CONFIG_MAC80211_DEBUG_MENU=y
+# CONFIG_MAC80211_DEBUG_MENU is not set
 # CONFIG_MAC80211_NOINLINE is not set
-CONFIG_MAC80211_VERBOSE_DEBUG=y
+# CONFIG_MAC80211_VERBOSE_DEBUG is not set
 # CONFIG_MAC80211_MLME_DEBUG is not set
-CONFIG_MAC80211_STA_DEBUG=y
+# CONFIG_MAC80211_STA_DEBUG is not set
 # CONFIG_MAC80211_HT_DEBUG is not set
 # CONFIG_MAC80211_OCB_DEBUG is not set
 # CONFIG_MAC80211_IBSS_DEBUG is not set
-CONFIG_MAC80211_PS_DEBUG=y
+# CONFIG_MAC80211_PS_DEBUG is not set
 # CONFIG_MAC80211_TDLS_DEBUG is not set
 # CONFIG_MAC80211_DEBUG_COUNTERS is not set
 CONFIG_HOTPLUG_PCI_PCIE=y
@@ -79,38 +80,38 @@ CONFIG_PCI_DEBUG=y
 # CONFIG_ATH10K_TRACING is not set
 # CONFIG_ATH11K_DEBUGFS is not set
 # CONFIG_ATH11K_TRACING is not set
-CONFIG_IPW2100=m
+# CONFIG_IPW2100 is not set
-CONFIG_IPW2100_MONITOR=y
+# CONFIG_IPW2100_MONITOR is not set
-CONFIG_IPW2100_DEBUG=y
+# CONFIG_IPW2100_DEBUG is not set
-CONFIG_IPW2200=m
+# CONFIG_IPW2200 is not set
-CONFIG_IPW2200_MONITOR=y
+# CONFIG_IPW2200_MONITOR is not set
-CONFIG_IPW2200_RADIOTAP=y
+# CONFIG_IPW2200_RADIOTAP is not set
-CONFIG_IPW2200_PROMISCUOUS=y
+# CONFIG_IPW2200_PROMISCUOUS is not set
-CONFIG_IPW2200_QOS=y
+# CONFIG_IPW2200_QOS is not set
-CONFIG_IPW2200_DEBUG=y
+# CONFIG_IPW2200_DEBUG is not set
-CONFIG_LIBIPW=m
+# CONFIG_LIBIPW is not set
-CONFIG_LIBIPW_DEBUG=y
+# CONFIG_LIBIPW_DEBUG is not set
-CONFIG_IWLEGACY=m
+# CONFIG_IWLEGACY is not set
-CONFIG_IWL4965=m
+# CONFIG_IWL4965 is not set
-CONFIG_IWL3945=m
+# CONFIG_IWL3945 is not set
 #
 # iwl3945 / iwl4965 Debugging Options
 #
-CONFIG_IWLEGACY_DEBUG=y
+# CONFIG_IWLEGACY_DEBUG is not set
 # CONFIG_IWLEGACY_DEBUGFS is not set
 # end of iwl3945 / iwl4965 Debugging Options
-CONFIG_IWLWIFI=m
+# CONFIG_IWLWIFI is not set
-CONFIG_IWLWIFI_LEDS=y
+# CONFIG_IWLWIFI_LEDS is not set
-CONFIG_IWLDVM=m
+# CONFIG_IWLDVM is not set
-CONFIG_IWLMVM=m
+# CONFIG_IWLMVM is not set
-CONFIG_IWLWIFI_OPMODE_MODULAR=y
+# CONFIG_IWLWIFI_OPMODE_MODULAR is not set
-CONFIG_IWLWIFI_BCAST_FILTERING=y
+# CONFIG_IWLWIFI_BCAST_FILTERING is not set
 #
 # Debugging Options
 #
-CONFIG_IWLWIFI_DEBUG=y
+# CONFIG_IWLWIFI_DEBUG is not set
 # CONFIG_IWLWIFI_DEBUGFS is not set
-CONFIG_IWLWIFI_DEVICE_TRACING=y
+# CONFIG_IWLWIFI_DEVICE_TRACING is not set
 # end of Debugging Options
 # CONFIG_WLAN_VENDOR_INTERSIL is not set
 # CONFIG_WLAN_VENDOR_RALINK is not set
@@ -165,7 +166,7 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
 # CONFIG_PREEMPTIRQ_DELAY_TEST is not set
-CONFIG_CMA_SIZE_MBYTES=128
+CONFIG_CMA_SIZE_MBYTES=256
 CONFIG_FUNCTION_TRACER
 CONFIG_FUNCTION_GRAPH_TRACER
 CONFIG_STACK_TRACER

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg

@@ -0,0 +1,4 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_DM_CRYPT=y

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb

@@ -12,6 +12,7 @@ SRC_URI = "git://gitlab.com/netmodule/kernel/linux-netmodule.git;protocol=ssh;us
            file://0001-fix-phy-support-for-falcon-board.patch \
            file://0001-refactor-cn913x-defconfig-cleanup.patch \
            file://cn913x_additions.cfg \
+           file://secure-storage.cfg \
            "
 SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5"
 
@@ -31,4 +32,7 @@ do_configure:append(){
     fi
 }
 
-require recipes-kernel/linux/linux-yocto-coreos-efi.inc
+# linux-yocto-coreos.inc provide some kernel config fragment that we can apply
+# Note that KERNEL_FEATURES are not applied as this recipes doesn't ihnerit
+# the linux-yocto class.
+require recipes-kernel/linux/linux-yocto-coreos.inc

layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in

@@ -11,10 +11,11 @@
 part --offset 4096S --source rawcopy --sourceparams="file=flash-image.bin" --ondisk mmcblk1 --size 4M --extra-space 0 --overhead-factor 1 --part-name fw0
 part --offset 12288S --source rawcopy --sourceparams="file=flash-image.bin" --ondisk mmcblk1 --size 4M --extra-space 0 --overhead-factor 1 --part-name fw1
 
-${WKS_PART_EFI} --ondisk mmcblk1 --offset 20480S --size 64M --extra-space 0 --overhead-factor 1
+${WKS_PART_EFI} --ondisk mmcblk1 --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 
 bootloader --ptable gpt

layers/meta-netmodule-coreos-bsp/README.md

@@ -0,0 +1,26 @@
+# meta-netmodule-coreos-bsp
+
+BSP layer for NetModule board
+
+This layer depends on:
+
+- meta-ti-bsp
+- meta-arm
+
+## SoC Family
+
+This layer contains all CoreOS supported board manufactured by NetModule
+
+## Availables Machines
+
+This layer contains the following machine configuration:
+
+### Based on the Gemini platform
+
+- netmodule-hw34 (Codename for XG900)
+
+**remarks**: Gemini based board use a TI am64xx (k3) family has a separate
+R5 core that use another architecture as the main core, so for each machine you
+will find a companion machine name `${MACHINE}-k3r5`. This config should not be
+used as is, but will be automatically used for some recipes under the hood when
+using `${MACHINE}` using Bitbake multiconfig feature.

layers/meta-netmodule-coreos-bsp/classes/coreos-image-swupdate-am64xx.bbclass

@@ -0,0 +1,46 @@
+
+SWUPDATE_IMAGES += "tiboot3-am64x-gemini-b"
+SWUPDATE_IMAGES += "tispl"
+SWUPDATE_IMAGES += "u-boot-${MACHINE}"
+SWUPDATE_IMAGES_FSTYPES[tiboot3-am64x-gemini-b] = ".bin"
+SWUPDATE_IMAGES_FSTYPES[tispl] = ".bin"
+
+python () {
+    machine = d.getVar('MACHINE')
+    d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", "u-boot-" + machine, ".img")
+}
+COREOS_SWUPDATE_EXTENDS_FOR:append = "am64xx"
+
+def coreos_swupdate_extends_images_for_am64xx(d,s):
+    machine = d.getVar('MACHINE')
+    uboot_filename = "u-boot-" + machine + ".img"
+
+    SECTOR_SIZE = 512
+    OFFSET = [0x0*SECTOR_SIZE, 0x600*SECTOR_SIZE, 0x1600*SECTOR_SIZE]
+
+    return [
+        {
+            "filename" : "tiboot3-am64x-gemini-b.bin",
+            "installed-directly" : "true",
+            "device" : "/dev/mmcblk0boot0",
+            "offset": str(OFFSET[0]),
+            "type" : "raw",
+            "sha256" : swupdate_get_sha256(d, s, "tiboot3-am64x-gemini-b.bin"),
+        },
+        {
+            "filename" : "tispl.bin",
+            "installed-directly" : "true",
+            "device" : "/dev/mmcblk0boot0",
+            "offset": str(OFFSET[1]),
+            "type" : "raw",
+            "sha256" : swupdate_get_sha256(d, s, "tispl.bin"),
+        },
+        {
+            "filename" : uboot_filename,
+            "installed-directly" : "true",
+            "device" : "/dev/mmcblk0boot0",
+            "offset": str(OFFSET[2]),
+            "type" : "raw",
+            "sha256" : swupdate_get_sha256(d, s, uboot_filename),
+        }
+    ]

layers/meta-netmodule-coreos-bsp/conf/layer.conf

@@ -0,0 +1,13 @@
+# Add layer directory to bbpath
+BBPATH .= ":${LAYERDIR}"
+
+# Add recipe directories
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+            ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "netmodule-coreos-bsp-layer"
+BBFILE_PATTERN_netmodule-coreos-bsp-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_netmodule-coreos-bsp-layer = "8"
+
+LAYERSERIES_COMPAT_netmodule-coreos-bsp-layer = "kirkstone"
+LAYERDEPENDS_netmodule-coreos-bsp-layer = "meta-arm meta-ti-bsp"

layers/meta-netmodule-coreos-bsp/conf/machine/include/netmodule-am64xx-common.inc

@@ -0,0 +1,6 @@
+# This file contains the part of the configuration that is common to all
+# board based on the Gemini platform and that are the same for both
+# the Cortex-A53 and Cortex-R5 core (Gemini use a multi-arch SOC)
+
+PREFERRED_PROVIDER_virtual/bootloader = "u-boot-ti-coreos"
+PREFERRED_PROVIDER_u-boot = "u-boot-ti-coreos"

layers/meta-netmodule-coreos-bsp/conf/machine/include/netmodule-am64xx-k3.inc

@@ -0,0 +1,49 @@
+# This file contains the part of the configuration that is common to all
+# board based on the Gemini platform and that are the Cortex-A53 core.
+
+# k3.inc from meta-ti set a default WKS_FILE and add wic to IMAGE_FSTYPE.
+# But we don't need a wic image
+WKS_FILE ?= ""
+
+require conf/machine/include/k3.inc
+require netmodule-am64xx-common.inc
+
+# Workarround to remove wic related settings added to IMAGE_FSTYPE in k3.inc
+# without too much risk of breaking a distro or local config (as remove)
+# are final
+IMAGE_FSTYPES:remove = "${@'wic.xz wic.bmap' if not d.getVar('WKS_FILE') else ''}"
+
+# meta-ti-bsp use the machine override in a lot of recipes, so by adding the
+# name of the machine in meta-ti-bsp to SOC_FAMILY, we ensure that we the
+# device override apply.
+#
+# We don't modify MACHINEOVERRIDES directly as this will not place the string
+# in the same place
+SOC_FAMILY:append = ":am64xx"
+
+# Install u-boot script
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-devicetree"
+
+PREFERRED_PROVIDER_virtual/kernel = "linux-ti-coreos"
+
+KERNEL_DEFCONFIG ?= "gemini_defconfig"
+KERNEL_IMAGETYPE = "Image"
+
+UBOOT_ENTRYPOINT = "0x82000000"
+UBOOT_LOADADDRESS = "0x82000000"
+UBOOT_DTB_LOADADDRESS = "0x88000000"
+UBOOT_RD_LOADADDRESS = "0x88080000"
+UBOOT_RD_ENTRYPOINT = "0x88080000"
+
+
+TFA_BOARD = "lite"
+OPTEEMACHINE = "k3"
+
+
+
+# No watchdog available yet
+EFIBOOTGUARD_TIMEOUT ?= "0"
+
+COREOS_IMAGE_SWUPDATE_EXTRACLASSES += "coreos-image-swupdate-am64xx"
+
+require conf/machine/include/coreos-generic-features/efi.inc

layers/meta-netmodule-coreos-bsp/conf/machine/include/netmodule-am64xx-k3r5.inc

@@ -0,0 +1,13 @@
+# This file contains the part of the configuration that is common to all
+# board based on the Gemini platform and that are the Cortex-R5 core.
+
+require conf/machine/include/k3r5.inc
+require netmodule-am64xx-common.inc
+
+# A variant
+#SPL_BINARY = "tiboot3-am64x-gemini.${SPL_SUFFIX}"
+# B variant
+SPL_BINARY = "tiboot3-am64x-gemini-b.${SPL_SUFFIX}"
+
+# Sanity checks don't apply for real time cores
+INHERIT:remove = "coreos-sanity"

layers/meta-netmodule-coreos-bsp/conf/machine/netmodule-hw34-k3r5.conf

@@ -0,0 +1,7 @@
+#@TYPE: Machine
+#@NAME: AM64xx EVM (R5F)
+#@DESCRIPTION: Machine configuration for the TI AM64xx EVM (R5F core)
+
+
+require conf/machine/include/netmodule-am64xx-k3r5.inc
+UBOOT_MACHINE = "am64x_netmodule_hw34_r5_defconfig"

layers/meta-netmodule-coreos-bsp/conf/machine/netmodule-hw34.conf

@@ -0,0 +1,17 @@
+require conf/machine/include/netmodule-am64xx-k3.inc
+
+KERNEL_DEVICETREE = " \
+    ti/k3-am642-netmodule-hw34.dtb \
+"
+
+UBOOT_MACHINE = "am64x_netmodule_hw34_a53_defconfig"
+
+KERNEL_CONSOLE = "ttyS2"
+SERIAL_CONSOLES = "115200;ttyS2"
+
+
+APPEND += "console=ttyS2,115200"
+
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS:append = " udev-gemini"
+MACHINE_EXTRA_RDEPENDS:append = " prueth-fw-am65x-sr2 linux-firmware-ath10k linux-firmware-ath11k linux-firmware-qca kernel-modules"
+

layers/meta-netmodule-coreos-bsp/recipes-bsp/u-boot/u-boot-ti-coreos_2023.04.bb

@@ -0,0 +1,23 @@
+require recipes-bsp/u-boot/u-boot-ti.inc
+
+SPL_UART_BINARY = "u-boot-spl.bin"
+SPL_UART_BINARY:netmodule-hw34-k3r5 = "u-boot-spl.bin"
+
+LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
+
+PV = "2023.04"
+
+SRC_URI = "git://bitbucket.gad.local:7999/nm-nsp/netmodule-u-boot.git;protocol=ssh;user=git;branch=gemini/ti/ti-u-boot-2023.04 \
+           "
+SRCREV = "34cf1e583eb263dd6644d0ebf3468b3846fc0925"
+
+PACKAGECONFIG[atf] = "BL31=${STAGING_DIR_HOST}/firmware/bl31.bin,,trusted-firmware-a"
+
+# CoreOS enable EFI by default for all u-boot build, but this machine as a dual architecture u-boot
+# and EFI is not needed on the co-processor. So we enable it only for the main
+# machine
+UBOOT_COREOS_REQUIRE:coreos:netmodule-hw34 ?= "recipes-bsp/u-boot/u-boot-coreos.inc"
+UBOOT_COREOS_REQUIRE ?= ""
+
+require ${UBOOT_COREOS_REQUIRE}
+

layers/meta-netmodule-coreos-bsp/recipes-core/udev/udev-gemini/gemini-can.rules

@@ -0,0 +1,5 @@
+# CAN renaming
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20701000.can", NAME="canfd0"
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20711000.can", NAME="canfd1"
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20110000.spi-cs-0", NAME="canstd0"
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20110000.spi-cs-1", NAME="canstd1"