Pull request #186 : Various small changes

Merge in ICO/coreos from various_small_changes to master * commit 'a0910ef3ff70a53ea410ba205e36a2f5620481b3': chore(submodules): update third-party submodules feat(coreos-supportd-pkgs): create list of CoreOS supported packages chore(belden-coreos): move the initial timestamp to a generic file fix(swupdate): add libgcc as a dependency to terminate swupdate correctly feat(eagle40-03): strip out unused MACHINE_FEATURES for eagle40-03
chore(submodules): update third-party submodules
2024-04-08 12:39:55 +02:00 · 2024-04-08 11:17:55 +02:00 · 2024-04-08 11:17:55 +02:00 · 2024-04-03 12:10:07 +00:00 · 2024-04-03 12:04:37 +00:00 · 2024-04-03 11:59:53 +00:00
124 changed files with 2426 additions and 6909 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -2,23 +2,35 @@
 	path = bitbake
 	url = ssh://git@bitbucket.gad.local:7999/ico/bitbake.git
 	branch = 2.0
-[submodule "layers/openembedded-core"]
+[submodule "openembedded-core"]
 	path = external-layers/openembedded-core
 	url = ssh://git@bitbucket.gad.local:7999/ico/openembedded-core.git
 	branch = kirkstone
-[submodule "layers/meta-openembedded"]
+[submodule "meta-openembedded"]
 	path = external-layers/meta-openembedded
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-openembedded.git
 	branch = kirkstone
-[submodule "layers/meta-virtualization"]
+[submodule "meta-virtualization"]
 	path = external-layers/meta-virtualization
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
 	branch = kirkstone
-[submodule "layers/meta-efibootguard"]
+[submodule "meta-efibootguard"]
 	path = external-layers/meta-efibootguard
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-efibootguard.git
 	branch = master
-[submodule "layers/meta-swupdate"]
+[submodule "meta-swupdate"]
 	path = external-layers/meta-swupdate
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
 	branch = kirkstone
 [submodule "meta-arm"]
 	path = external-layers/meta-arm
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-arm.git
 	branch = kirkstone
 [submodule "meta-ti"]
 	path = external-layers/meta-ti
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-ti.git
 	branch = kirkstone
 [submodule "meta-lts-kernel-mixin"]
 	path = external-layers/meta-lts-kernel-mixin
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-lts-mixins.git
 	branch = coreos/kirkstone/kernel
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -2,9 +2,9 @@
    "recommendations": [
        "ms-vscode.makefile-tools",
        "timonwong.shellcheck",
        "eugenwiens.bitbake",
        "kweihmann.oelint-vscode",
        "lextudio.restructuredtext",
-        "trond-snekvik.simple-rst"
+        "trond-snekvik.simple-rst",
        "yocto-project.yocto-bitbake"
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,12 +1,47 @@
 {
    "files.watcherExclude": {
-        "**/build/cache/**": true,
+        "**/build/**": true,
-        "**/build/downloads/**": true,
+        "**/_build/**": true,
        "**/build/sstate-cache/**": true,
        "**/build/tmp/**": true,
        "**/documentation/_build/**": true,
        "**/build/workspace": true
    },
    "search.exclude": {
        "**/build/**": true,
        "**/_build/**": true,
    },
    "C_Cpp.files.exclude": {
        "**/build": true,
        "**/_build": true,
    },
    "python.analysis.exclude": [
        "**/build/**",
        "**/_build/**",
    ],
    "python.formatting.provider": "black",
-    "editor.rulers": [80,100,120]
+    "editor.rulers": [80,100,120],
    "bitbake.pathToBuildFolder": "${workspaceFolder}/build",
    "bitbake.pathToEnvScript": "${workspaceFolder}/coreos-init-build-env",
    "bitbake.pathToBitbakeFolder": "${workspaceFolder}/bitbake",
    "python.autoComplete.extraPaths": [
        "${workspaceFolder}/bitbake/lib",
        "${workspaceFolder}/meta/lib"
    ],
    "python.analysis.extraPaths": [
        "${workspaceFolder}/bitbake/lib",
        "${workspaceFolder}/meta/lib"
    ],
    "[python]": {
        "diffEditor.ignoreTrimWhitespace": false,
        "gitlens.codeLens.symbolScopes": [
            "!Module"
        ],
        "editor.formatOnType": true,
        "editor.wordBasedSuggestions": "off",
        "files.trimTrailingWhitespace": false
    },
    "[shellscript]": {
        "files.eol": "\n",
        "files.trimTrailingWhitespace": false
    },
    "bitbake.sdkImage": "coreos-image-minimal",
    "bitbake.workingDirectory": "${workspaceFolder}",
    "task.saveBeforeRun": "always",
 }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 0c6f86b60cfba67c20733516957c0a654eb2b44c
+Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607
--- a/8
+++ b/8
@ -87,6 +87,8 @@ coreos-bblayers-envsub COREOS_LAYERSDIR "${COREOS_ROOT}/layers"
 # Add support for ##COREOS_EXTLAYERSDIR## inside of bblayer template
 coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
-# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything it
+# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything
-# the directory already exist, so it's safe to call it everytime
+# if the directory already exist so it's safe to call it everytime
-coreos-keygen > /dev/null 2> /dev/null
+# stdout is redirected to reduce the amount of output but not stderr
 #
 #Note: if a final build is detected all the dev keys are deleted
--- a/documentation/.vscode/extensions.json
+++ b/documentation/.vscode/extensions.json
@ -0,0 +1,7 @@
 {
    "recommendations": [
        "ms-vscode.makefile-tools",
        "lextudio.restructuredtext",
        "trond-snekvik.simple-rst"
    ]
 }
--- a/documentation/.vscode/settings.json
+++ b/documentation/.vscode/settings.json
@ -0,0 +1,12 @@
 {
    "files.watcherExclude": {
        "**/_build/**": true,
    },
    "python.formatting.provider": "black",
    "editor.rulers": [
        80,
        100,
        120
    ],
    "esbonio.sphinx.confDir": ""
 }
--- a/documentation/boot/index.rst
+++ b/documentation/boot/index.rst
@ -11,3 +11,4 @@ Belden CoreOS Boot Concepts
   overview
   uboot
   secure-boot
--- a/documentation/boot/secure-boot.rst
+++ b/documentation/boot/secure-boot.rst
@ -0,0 +1,268 @@
 *******************
 Secure Boot Concept
 *******************
 Currently CoreOS provide a Proof Of Concept of some of the secure boot element that we want to 
 implement a full secure-boot solution based on UEFI secure boot.
 The current proof of concept is structured as follows:
 Hardware Requirements
 =====================
   - The device must have an `eMMC`.
   - The architecture of the device must be either `ARM32` or `AARCH64`.
 eMMC Embedded MultiMediaCard
 ============================
 eMMC, or Embedded MultiMediaCard, represents a prevalent storage format in devices such as 
 smartphones, tablets, and other embedded systems. It encapsulates NAND flash memory and a dedicated
 controller within one package. This structure not only eases integration for device manufacturers
 but also ensures a compact, efficient storage medium.
 Within eMMC's architecture, distinct hardware partitions cater to diverse operational demands:
 .. graphviz::
    digraph emmcStructure {
        rankdir=TB;
        node [shape=box, style=filled, fillcolor="#e6f2ff"];
        edge [color="#0099cc", fontsize=12];
        compound=true;
        subgraph cluster_eMMC {
            label="eMMC";
            color="#0099cc";
            Boot0 [label="Boot0"];
            Boot1 [label="Boot1"];
            RPMB [label="RPMB"];
            subgraph cluster_User {
                label="User";
                color="#00cc99";
                GPT [label="GPT Table"];
                subgraph cluster_GPT {
                    label="Software Partitions (GPT)";
                    color="#99e6e6";
                    SoftwarePartition1 [label="Partition 1"];
                    SoftwarePartition2 [label="Partition 2"];
                    SoftwarePartitionN [label="Partition N"];
                }
            }
        }
    }
 #. **Boot0 and Boot1**: The boot partitions cater to device start-up requirements, typically hosting
   the firmware. Boot0 predominantly initiates the boot-up, while Boot1 stands as a secondary guard 
   or backup, ensuring booting is resilient and failsafe.
 #. **RPMB (Replay Protected Memory Block)**: As a secure partition, RPMB shelters data against
   potential tampering. It's tailored for sensitive information storage, such as cryptographic keys.
   Its design counters data replays or rollbacks, fortifying against particular attack types.
 #. **User**: The primary storage domain, the User partition accommodates the OS, applications,
   and user-centric data. It's reminiscent of the primary storage drive in larger computing devices.
   Importantly, the User partition has a layered structure. Using the GPT (GUID Partition Table), it
   is further divided into multiple software partitions, which can house diverse datasets or file
   systems.
 The boot concept of CoreOS rely on the presence of an eMMC to implement the following feature:
 - Storage of two copy of the firmware with a way to switch from a copy to another using the eMMC
  boot0 and boot1 hardware partition
 - Storage of keys used by the UEFI Secure Key specification inside the secure RPMB hardware
  partition.
 - Storage of the bootloader, kernel and rootfs inside the user hardware partition using multiple
  software partition in the GPT format.
 Firmware
 ========
 The firmware of the device should implement a subset of the UEFI specification as defined in the
 ARM Base Boot Requirements (EBBR) and should implement the optional UEFI Secure Boot part of the
 EBBR specifications.
 This is done in CoreOS by levering the built-in EBBR and UEFI Secure Boot present into the u-boot
 project.
 The hardware should verify the validity of the firmware using a hardware specific way. Then the
 generic secure boot concept explained here can be used to valide all the following component of
 CoreOS.
 UEFI Key used by UEFI Secure Boot
 =================================
 - **PK (Platform Key)**: This top-tier key shoulders the responsibility of KEK verification and its
  potential revocation. PK holders have the exclusive privilege to configure the KEK and the `db`
  database. It's the gatekeeper ensuring only authorized software can touch the firmware or
  bootloader.
 - **KEK (Key Exchange Key)**: As a medium for data exchange, the KEK is pivotal for signing the `db`
  and `dbx` databases.
 - **db (Allowed Database)**: This is the white list. It houses the keys or hashes of permitted
  firmware and OS loaders. Execution is only granted to software with a signature that resonates
  with the keys/hashes in this database.
 - **dbx (Forbidden Database)**: The black sheep are here. Housing keys or hashes of known
  unauthorized software, it ensures any associated software is prohibited from executing.
 Currently all theses public keys are built-in into u-boot at build time and are read only. In the
 future we will use the OP-TEE support into u-boot to use OP-TEE to manage the keys.
 OP-TEE and RPMB as key manager
 ==============================
 OP-TEE, or Open Portable Trusted Execution Environment, is an open-source implementation of the
 Trusted Execution Environment (TEE) designed for ARM-powered platforms. In essence, a TEE is a
 secure enclave that provides a separated, isolated environment where specific applications and their
 data can run independently from the regular operating system, ensuring they are protected against
 potential tampering or unauthorized access.
 OP-TEE guarantees confidentiality, integrity, and authenticity for critical applications by
 executing them in this secure space. It offers a wide range of security features, including secure
 storage of cryptographic keys, secure boot, and hardware-backed crypto operations.
 In the context of UEFI secure boot, OP-TEE becomes instrumental. UEFI's secure boot mechanism
 ensures that only trusted, signed firmware, OS loaders, and OS kernels are executed during the boot
 process. To enforce this level of trust, UEFI relies on a set of cryptographic keys, including PK
 (Platform Key), KEK (Key Exchange Key), and db/dbx (allowed and forbidden signature databases).
 Safeguarding these keys is paramount to maintain the security and integrity of the boot process.
 By leveraging OP-TEE, these UEFI secure boot keys can be securely stored in the RPMB (Replay
 Protected Memory Block) partition of the eMMC. The RPMB is a write-protected, secure area of the
 eMMC designed to hold sensitive data and protect it against tampering and replay attacks.
 Since OP-TEE manages secure access to the RPMB partition, it ensures that the UEFI secure boot keys
 are not only safely stored but are also accessible only by authorized firmware components.
 eMMC User Partition
 ===================
 The user partition of the eMMC must be structured using the GPT (GUID Partition Table) format.
 Within the GPT-formatted user partition, specific partitions should be established for efficient
 booting and system operation:
 1. **EFI**: This is the Essential Firmware Interface partition. It holds the `efibootguard`
   os-loader binary, responsible for the boot sequence's initial steps and the kernel's selection
   based on its configuration. This binary is signed with a key present in the `dbx` database
 2. **EBG0 - Efibootguard Config 0**: This partition houses the `efibootguard` configuration for the
   first kernel option. Alongside the configuration file, it also contains a Unified Kernel Image
   (UKI), a bundled package comprising the Linux kernel, device trees, and associated boot
   components. The UKI is signed with a key present in the `dbx` database
 3. **EBG1 - Efibootguard Config 1**: Similar to EBG0, this partition carries the `efibootguard`
   configuration for the second kernel option. It too holds a Unified Kernel Image tailored for this
   alternate boot choice.
 4. **rootfs0**: This partition stores the CoreOS root filesystem designed to complement and operate
   with the kernel embedded in the EBG0 partition. It provides the essential system files and 
   structures required for the operating system's functioning when the kernel from EBG0 is booted. 
   Integrety of this rootfs is assured by storing an hash of the rootfs inside the UKI image.
 5. **rootfs1**: Analogous to `rootfs0`, this partition houses the CoreOS root filesystem tailored
   for the kernel within the EBG1 partition. It ensures that, should the system boot from the kernel
   in EBG1, the appropriate file structures and system components are readily available.
 EFIBootGuard Configuration
 ==========================
 Efibootguard, as a part of its design, employs a configuration system to determine the appropriate
 kernel and associated resources to boot from. This configuration is stored in distinct partitions, 
 EBG0 and EBG1, each holding its configuration file.
 The configuration file itself comprises several fields, but most crucially, it contains a revision
 field. This field is a numerical identifier indicating the version or update level of the contained
 kernel and resources. When the system initiates its boot sequence, Efibootguard assesses the
 revision values in both the EBG0 and EBG1 configuration files.
 The selection process is straightforward yet robust: Efibootguard chooses the partition with the
 higher revision value. By doing so, it inherently opts for the most recent or updated kernel version
 available. However, this system also supports failover mechanisms. In case the kernel in the
 partition with the higher revision encounters issues during boot, Efibootguard can revert to the
 other partition, ensuring resilience and continuity in system operations.
 Moreover, the choice isn't rigidly fixed. When the system undergoes updates, the configuration files
 can be rewritten, and the revision values adjusted, allowing for dynamic and flexible booting in
 line with system evolutions and updates. In essence, Efibootguard, with its configuration-based
 approach, ensures a blend of up-to-date system booting and built-in fail-safes for dependable
 operation.
 Unified Kernel Image
 ====================
 After having choosen the right configuration file, Efibootguard takes on the responsibility of
 launching the Unified Kernel Image (UKI) linked with the active configuration. This image bundle
 together essential boot components like the Linux kernel, device trees, and the kernel command
 line. The secure initiation of this image is paramount, and Efibootguard ensures this by leveraging
 UEFI's start_image system call.
 The UEFI start_image system call  verifies the image's signature against the Secure Boot keys
 (PK, KEK, db, and potentially dbx). If the signature matches, indicating that the image is trusted
 and hasn't been tampered with, the image is permitted to execute. If not, the booting halts,
 preventing any unauthorized or potentially malicious code from running.
 Once the UKI has been securely initiated, it undertakes multiple tasks. It first extracts the
 necessary components from the bundled package, identifying and utilizing the appropriate device
 trees based on `compatible` node, by matching with the `compatible` node of the `device-tree` that
 is built into the firmware. These device trees inform the system about the hardware configuration,
 ensuring the kernel interacts correctly with the system's components. 
 The UKI os-launcher also has CoreOS specialized patches, enabling dynamic rootfs switching without
 requiring an initramfs by changing the `root=` part of the kernel command line at run time to
 point to the right rootfs partition.
 RootFS and dm-verity
 ====================
 dm-verity is a Linux kernel feature designed to provide transparent integrity checking of block
 devices, particularly for read-only file systems. Rooted in cryptographic principles, dm-verity
 employs a hash-based approach to ensure and validate the integrity of the root filesystem (rootfs).
 The way dm-verity operates is by building a Merkle tree, a structure where each leaf node contains a
 hash of a block of the underlying data, while each non-leaf node is a hash of its children. The
 topmost node, the root of the Merkle tree, provides a cumulative hash representing the entirety of
 the data. This top hash, known as the root hash, serves as a concise, cryptographic representation
 of the entire filesystem's state.
 When integrating dm-verity with the Unified Kernel Image (UKI), an additional layer of security is
 established. By embedding the root hash into the signed UKI, any tampering or modification in the
 rootfs can be swiftly detected. When the system boots, the UKI, being signed, ensures that the
 embedded root hash is legitimate and untampered. As the OS accesses the rootfs, dm-verity
 recalculates the hash values in real-time and compares them to the values in the original Merkle
 tree, referenced by the embedded root hash.
 If any discrepancies are found – that is, if the recalculated hash doesn't match the stored value –
 it indicates potential tampering, and the OS can halt access or take appropriate measures. 
 .. graphviz::
    digraph SecureBootFlow {
        rankdir=TB;
        node [shape=box, style=filled, fillcolor="#e6f2ff"];
        edge [color="#0099cc", fontsize=12];
        Hardware [label="Hardware\n(ARM32/AARCH64 with eMMC)"];
        Firmware [label="u-boot Firmware\n(UEFI EBRR subset)"];
        eMMCConfig [label="eMMC Configuration\n(GPT with EFI partition)"];
        EFIBootGuard [label="EFIBootGuard\n(A/B Kernel Switching)"];
        UnifiedKernel [label="Unified Kernel Image\n(Kernel, cmd line, DTB)"];
        KernelAndRootFS [label="Kernel & RootFS\n(dm-verity validation)"];
        Hardware -> Firmware [label="Flashed with u-boot\n+ Built-in keys"];
        Firmware -> eMMCConfig [label="eMMC boot"];
        eMMCConfig -> EFIBootGuard [label="Boots from EFI partition"];
        EFIBootGuard -> UnifiedKernel [label="Selects kernel A/B"];
        UnifiedKernel -> KernelAndRootFS [label="Kernel boot\n+ RootFS verification"];
    }
--- a/documentation/components/optional/installer.rst
+++ b/documentation/components/optional/installer.rst
@ -3,33 +3,35 @@
 CoreOS Installer
 ****************
-The CoreOS installer is a set of script running on the target and a
+The CoreOS installer is a set of scripts running on the target and a
 corresponding bitbake image that is used into the bootstrap process of CoreOS.
 coreos-image-installer
 ======================
-The CoreOS installer image is a single binary EFI file that include a kernel,
+The CoreOS image installer results in an image contairing only a single binary
-device tree and an initramfs with all the tools needed to install CoreOS.
+EFI file. This EFI file includes a kernel, a device tree and an initramfs with
 all (and only) the tools needed to install CoreOS.
-An installer image is automatically built in parallel of a normal image.
+The installer image is not automatically built in parallel of a normal image.
-This can be deactivated by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 0.
+This can be changed by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 1 in the
 image file (as it is done for example in coreos-image-all-features.bb).
 The installer image build by default only a single EFI binary named
-coreos-installer-MACHINE.efi. An SDCard image can be generate if
+coreos-installer-MACHINE.efi. An SDCard or USB image can be generated if
 `COREOS_INSTALLER_WKS_FILE` is set to a wks file.
 coreos-installer
 ================
-The coreos-installer recipe installs some script that is used at startup
+The coreos-installer recipe installs scripts that are used at startup to
-to automatically format the internal emmc of the device. It also contains
+automatically format the internal emmc of the device. The recipe also contains
 a swupdate configuration file to setup swupdate correctly for that use case.
 coreos-installer-config
 =======================
 The coreos-installer-config recipe installs device specific configuration file
-used by the coreos-installer. This includes the partitionner config file. Distro
+used by the coreos-installer. This includes the partitioner config file. Distros
-and project based on CoreOS can change the partionning scheme or partition size
+and projects based on CoreOS can change the partioning scheme or partition size
 by installing their own version of this package using a `bbappend file`.
--- a/documentation/index.rst
+++ b/documentation/index.rst
@ -40,6 +40,7 @@ same structures.
   Installation Manual <installation/index>
   Reference Manual <ref-manual/index>
   Testing Manual <testing/index>
   Boot Concepts <boot/index>
   Best Practices <best_practices/index>
--- a/documentation/testing/bats.rst
+++ b/documentation/testing/bats.rst
@ -0,0 +1,354 @@
 .. index:: BATS
 ************************************
 BATS - Bash Automated Testing System
 ************************************
 The CoreOS distribution supports writing tests using shell syntax by providing the `bats` command.
 If you want to use `bats`, you will need the following CoreOS packages:
 - bats
 - bats-file
 - bats-assert
 Overview of BATS
 ================
 A BATS test can be as simple as a single .bats file. For example:
 .. code-block:: bash
    #!/usr/bin/env bats
    bats_load_library bats-support
    bats_load_library bats-assert
    @test "can output to stdout" {
        run echo hello
        assert_output 'hello'
    }
 You can run it using the command `bats <filename>.bats`
 This will give you the following output:
 .. code-block:: bash
    sam@SAVE:~/Projects/tests$ bats <filename>.bats 
    <filename>.bats
    ✓ can output to stdout
    1 test, 0 failures
 The run command
 ================
 In shell tests, you often need to run commands and capture their output, exit
 status, and error messages. The run command provided by `bats` allows you to
 execute commands within your test cases and collect this information for later
 assertion and validation.
 The run command will make the following variables available:
 - `${status}`: exit code of the command run by `run`
 - `${output}`: combined content of `stdout` and `stderr`
 - `${lines[@]}`: array of lines of the output
 - `${BATS_RUN_COMMAND}`: command run by the `run` command
 .. code-block:: bash
    @test "invoking foo with a nonexistent file prints an error" {
        run foo nonexistent_filename
        [ "$status" -eq 1 ]
        [ "$output" = "foo: no such file 'nonexistent_filename'" ]
        [ "$BATS_RUN_COMMAND" = "foo nonexistent_filename" ]
    }
 The `run` command accepts some parameters:
 - `-N`: Expect N as exit status and fail otherwise
 - `-!`: Expect non-zero exit status and fail if the command succeeds.
 - `--keep-empty-lines`: don't remove empty lines from `${lines}`
 - `--separate-stderr`: Use separate variables for stderr `${stderr}` and `${stderr_lines[@]}`
 .. code-block:: bash
    @test "invoking foo without arguments prints usage" {
        run -1 foo
        [ "${lines[0]}" = "usage: foo <filename>" ]
    }
 The bats-assert helper
 ======================
 The `bats-assert` helper provides some functions to create more readable tests.
 These assertions use the variables created by the `run` command and can be used
 as follows:
 .. code-block:: bash
    @test 'assert_output()' {
        run echo 'have'
        assert_output 'want'
    }
 The following functions are provided:
 - `assert` and `refute`: Assert that a given expression evaluates to true or false.
 - `assert_equal`: Assert that two parameters are equal.
 - `assert_not_equal`: Assert that two parameters are not equal.
 - `assert_success` and `assert_failure`: Assert that the exit status is 0 or 1.
 - `assert_output` and `refute_output`: Assert that the output does (or does not) contain the given content.
 - `assert_line` and `refute_line`: Assert that a specific line of the output does (or does not) contain the given content.
 - `assert_regex` and `refute_regex`: Assert that a parameter matches (or does not match) the given pattern.
 The bats-file helper
 ====================
 The `bats-file` helper provides functions to help work with files in tests:
 **Test File Types:**
 - `assert_exists` and `assert_not_exists`: Check if a file or directory exists.
 - `assert_file_exists` and `assert_file_not_exists`: Check if a file exists.
 - `assert_dir_exists` and `assert_dir_not_exists`: Check if a directory exists.
 - `assert_link_exists` and `assert_link_not_exists`: Check if a link exists.
 - `assert_block_exists` and `assert_block_not_exists`: Check if a block special file exists.
 - `assert_character_exists` and `assert_character_not_exists`: Check if a character special file exists.
 - `assert_socket_exists` and `assert_socket_not_exists`: Check if a socket exists.
 - `assert_fifo_exists` and `assert_fifo_not_exists`: Check if a fifo special file exists.
 **Test File Attributes:**
 - `assert_file_executable` and `assert_file_not_executable`
 - `assert_file_owner` and `assert_file_not_owner`
 - `assert_file_permission` and `assert_not_file_permission`
 - `assert_file_size_equals`
 - `assert_size_zero` and `assert_size_not_zero`
 - `assert_file_group_id_set` and `assert_file_not_group_id_set`
 - `assert_file_user_id_set` and `assert_file_not_user_id_set`
 - `assert_sticky_bit` and `assert_no_sticky_bit`
 **Test File Content:**
 - `assert_file_empty` and `assert_file_not_empty`
 - `assert_file_contains` and `assert_file_not_contains`
 - `assert_symlink_to` and `assert_not_symlink_to`
 **Working with a temporary directory:**
 - `temp_make` and `temp_del`
 Pre- and Post-test case hooks
 ==============================
 In some cases, it's useful to have a function that runs before or after each test
 case in a bats file.
 A function named `setup` will run before each test case, and a function
 named `teardown` will run after each test case.
 This example creates a directory in the setup function but lacks a teardown
 that removes the directory. The second time the setup function is run, the
 setup will fail as the directory already exists:
 .. code-block:: bash
    #!/usr/bin/env bats
    bats_load_library bats-support
    bats_load_library bats-assert
    bats_load_library bats-file
    setup() {
        mkdir tmp
        echo 'a' >> ./tmp/test
    }
    @test "test contains a single a I" {
        assert_file_contains ./tmp/test '^a$'
    }
    @test "test contains a single a II" {
        assert_file_contains ./tmp/test '^a$'
    }
 .. code-block:: bash
    sam@SAVE:~/Projects/tests$ bats test.bats 
    test.bats
    ✓ test contains a single a I
    ✗ test contains a single a II
    (from function `setup' in test file test.bats, line 8)
        `mkdir tmp' failed
    mkdir: cannot create directory ‘tmp’: File exists
    2 tests, 1 failure
 This can be easily fixed by adding a teardown function:
 .. code-block:: bash
    #!/usr/bin/env bats
    bats_load_library bats-support
    bats_load_library bats-assert
    bats_load_library bats-file
    setup() {
        mkdir tmp
        echo 'a' >> ./tmp/test
    }
    teardown() {
        rm -rf ./tmp
    }
    @test "test contains a single a I" {
        assert_file_contains ./tmp/test '^a$'
    }
    @test "test contains a single a II" {
        assert_file_contains ./tmp/test '^a$'
    }
 .. code-block:: bash
    sam@SAVE:~/Projects/tests$ bats test.bats 
    test.bats
     ✓ test contains a single a I
     ✓ test contains a single a II
    2 tests, 0 failures
 Pre- and Post-test file hooks
 =============================
 To run some code before executing a test file or after executing it, the
 functions `setup_file` and `teardown_file` can be used.
 The last example could be refactored to only create the tmp directory once:
 .. code-block:: bash
    #!/usr/bin/env bats
    bats_load_library bats-support
    bats_load_library bats-assert
    bats_load_library bats-file
    setup_file() {
        export DIR="./tmp"
        export FILE="${DIR}/test"
        mkdir "${DIR}"
    }
    teardown_file() {
        rm -rf "${DIR}"
    }
    setup() {
        echo 'a' >> "${FILE}"
    }
    teardown() {
        rm "${FILE}"
    }
    @test "test contains a single a I" {
        assert_file_contains "${FILE}" '^a$'
    }
    @test "test contains a single a II" {
        assert_file_contains "${FILE}" '^a$'
    }
 Multiple files
 ==============
 With `bats`, a file is a test suite. If you have multiple `bats` files in a
 directory and you provide the directory in the `bats` command line, `bats`
 will execute all the test suites.
 Example: `bats .` 
 .. code-block:: bash
    sam@SAVE:~/Projects/tests$ bats .
    ./first.bats
    ✓ can run our script
    ✗ second test
    (in test file ./first.bats, line 27)
        `false' failed
    ./second.bats
    ✓ multi file
    ./test.bats
    ✓ test contains a single a I
    ✓ test contains a single a II
    5 tests, 1 failure
 Pre- and Post-suite hooks
 =========================
 If you want to execute the same function before each test suite or after
 each test suite, create a file named `setup_suite.bash`. In this file,
 create a function named `setup_suite()` and another named `teardown_suite()`.
 Exporting the test results
 ==========================
 Test results can be exported using the JUnit XML format. This can then be
 used in other tools and merged with other JUnit XML formats to generate a final
 test report.
 Example:
 .. code-block:: bash
    sam@SAVE:~/Projects/tests$ bats . -F junit
 This will produce the following XML content on stdout:
 .. code-block:: xml
    <?xml version="1.0" encoding="UTF-8"?>
    <testsuites time="0.048">
    <testsuite name="./first.bats" tests="2" failures="1" errors="0" skipped="0" time="0.025" timestamp="2023-08-16T14:22:15" hostname="SAVE">
        <testcase classname="./first.bats" name="can run our script" time="0.013" />
        <testcase classname="./first.bats" name="second test" time="0.012">
            <failure type="failure">(in test file ./first.bats, line 27)
    `false&#39; failed</failure>
        </testcase>
    </testsuite>
    <testsuite name="./second.bats" tests="1" failures="0" errors="0" skipped="0" time="0.008" timestamp="2023-08-16T14:22:15" hostname="SAVE">
        <testcase classname="./second.bats" name="multi file" time="0.008" />
    </testsuite>
    <testsuite name="./test.bats" tests="2" failures="0" errors="0" skipped="0" time="0.015" timestamp="2023-08-16T14:22:15" hostname="SAVE">
        <testcase classname="./test.bats" name="test contains a single a I" time="0.008" />
        <testcase classname="./test.bats" name="test contains a single a II" time="0.007" />
    </testsuite>
    </testsuites>
 Going further
 =============
 `bats` scripts can be checked with shellcheck for common mistakes.
 The `bats-assert` add-on provides many helper functions to perform
 assertions with a more readable syntax than the shell's built-in syntax.
 See https://github.com/bats-core/bats-assert
 The `bats-file` add-on provides helper functions to check for files. See
 https://github.com/bats-core/bats-file/
 You can find a list of projects using `bats` on this page:
 https://github.com/bats-core/bats-core/wiki/Projects-Using-Bats
--- a/documentation/testing/index.rst
+++ b/documentation/testing/index.rst
@ -0,0 +1,15 @@
 ==============================
 Belden CoreOS Testing Manual
 ==============================
 This manual is a work on progress on how to test and how to write test for
 CoreOS or CoreOS based distribution.
 |
 .. toctree::
   :caption: Table of Contents
   :numbered:
   bats
--- a/external-layers/meta-arm
+++ b/external-layers/meta-arm
@ -0,0 +1 @@
 Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446
--- a/external-layers/meta-lts-kernel-mixin
+++ b/external-layers/meta-lts-kernel-mixin
@ -0,0 +1 @@
 Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6
--- a/external-layers/meta-openembedded
+++ b/external-layers/meta-openembedded
@ -1 +1 @@
-Subproject commit bdad2a789e30703a825b876279665720d06d55dc
+Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b
--- a/external-layers/meta-swupdate
+++ b/external-layers/meta-swupdate
@ -1 +1 @@
-Subproject commit d1d4abfaf82d37c31e3cec3602d6d8d56d105185
+Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c
--- a/external-layers/meta-ti
+++ b/external-layers/meta-ti
@ -0,0 +1 @@
 Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720
--- a/external-layers/meta-virtualization
+++ b/external-layers/meta-virtualization
@ -1 +1 @@
-Subproject commit b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d
+Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846
--- a/external-layers/openembedded-core
+++ b/external-layers/openembedded-core
@ -1 +1 @@
-Subproject commit a70209cc6b111957b8dda9190e1291911a52286b
+Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33
--- a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
+++ b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================
-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 # UEFI Secure boot helpers
@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign"
 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "cos-certificates-and-keys-native:do_deploy"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
    """
-        Return the list of pubkey file inside deploy if 
+        Return the list of pubkey file inside deploy if
        COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
        otherwise
    """
@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
 def get_coreos_secureboot_keydir_hash(d):
    """
        Generate a space separate list, with a value for each file inside of 
        keydir. Fromat: <filename>:md5:<md5sum>
    """
    import hashlib
    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
    value = ""
    for keyname in os.listdir(keydir):
        filepath = os.path.join(keydir, keyname)
        if os.path.isfile(filepath): 
            md5 = bb.utils.md5_file(filepath)
            value += f"{keyname}:md5:{md5} "
    return value
 # The build system should detect if someone change one of the key inside
 # COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
 # depends on this directory
 COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
 COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"
--- a/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
+++ b/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
@ -12,7 +12,7 @@ include conf/machine/include/arm/armv7a/tune-cortexa8.inc
 IMAGE_FSTYPES += "wic wic.xz wic.bmap"
 WKS_FILE ?= "beaglebone-sdcard.wks.in"
 COREOS_INSTALLER_WKS_FILE ?= "beaglebone-sdcard-installer.wks"
-MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image"
 do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
 do_image_wic[recrdeptask] += "do_bootimg"
@ -21,10 +21,10 @@ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
 APPEND:append = " console=ttyS0,115200"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 KERNEL_IMAGETYPE = "zImage"
-KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
+DTB_FILES = "ti/omap/am335x-bone.dtb ti/omap/am335x-boneblack.dtb ti/omap/am335x-bonegreen.dtb"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
 PREFERRED_PROVIDER_virtual/bootloader ?= "u-boot"
--- a/layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf
+++ b/layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf
@ -0,0 +1,39 @@
 #@TYPE: Machine
 #@NAME: eagle40-03
 #@DESCRIPTION: Machine support for EAGLE40-03
 #
 require include/coreos-generic-arch/x64.inc
 MACHINE_FEATURES += "pci usbhost x86 serial efi"
 # Kernel configuration
 # ******************************************************************************
 PREFERRED_VERSION_linux-yocto ?= "6.6%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 KERNEL_IMAGETYPE = "bzImage"
 #  getty configuration
 # ******************************************************************************
 SERIAL_CONSOLES = "115200;ttyS0"
 SERIAL_CONSOLES_CHECK = "ttyS0"
 APPEND += "console=ttyS0,115200"
 # Image generation
 # ******************************************************************************
 # Ensure that both flash-image.bin and boot.scr are generated as they are needed
 # for a wic image
 WKS_FILE = "generic-uefi.wks.in"
 COREOS_INSTALLER_WKS_FILE ?= "generic-uefi-usb-installer.wks"
 IMAGE_FSTYPES += "wic.xz wic.bmap"
 MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules"
 # No watchdog available yet
 EFIBOOTGUARD_TIMEOUT ?= "0"
 require conf/machine/include/coreos-generic-features/efi.inc
 require conf/machine/include/coreos-generic-features/partitions.inc
--- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
+++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
@ -1,15 +1,20 @@
-
+# Variables used in WKS file
 # Variable used in WKS file
 WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
-WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
+WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
-WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
+WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
 WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
-WKS_PART_ROOT_SIZE ??= '2G'
+WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
 PART_EFI_SIZE ??= '64M'
 PART_ROOT_SIZE ??= '1G'
 PART_EFIBG_SIZE ??= '128M'
 PART_USERDATA_SIZE ??= '1G'
 # Variables used in SFDISK file
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
 SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
 SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
 SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
-SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
+SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
 SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'
--- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc
+++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc
@ -6,12 +6,12 @@ MACHINE_FEATURES += "wifi efi"
 # Add an override that work for all pc image
 MACHINEOVERRIDES =. "vm:"
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"
-IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk"
+IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk wic.vhdx"
 WKS_FILE ?= "generic-uefi.wks.in"
 do_image_wic[depends] += "gptfdisk-native:do_populate_sysroot"
--- a/layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf
+++ b/layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf
@ -0,0 +1,15 @@
 #@TYPE: Machine
 #@NAME: qemu-generic-arm64
 #@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
 #have working firmware and boot via EFI.
 require conf/machine/qemu-generic-arm64.conf
 MACHINEOVERRIDES =. "qemu-generic-arm64:"
 COREOS_IMAGE_GENERATE_INSTALLER = "0"
 WKS_FILE = "qemu-efi-coreos-generic.wks.in"
 EFIBOOTGUARD_TIMEOUT ?= "0"
 require conf/machine/include/coreos-generic-features/efi.inc
 require conf/machine/include/coreos-generic-features/partitions.inc
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb
@ -1,33 +0,0 @@
 SUMMARY = "A recipe to deploy UEFI public keys update files"
 LICENSE = "CLOSED"
 INHIBIT_DEFAULT_DEPS = "1"
 inherit nopackages
 inherit deploy
 inherit coreos-efi-secureboot
 # Public key needed by firmware very depending on the implementation
 # So we copy all type of public key (*.auth, *.esl, *.crt, *der)
 addtask deploy after do_compile
 do_deploy() {
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
    # !SECURITY WARNING! 
    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
 }
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend
@ -1,11 +0,0 @@
 # Add signature support
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
 do_deploy:append() {
    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
    fi
 }
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc
@ -1,12 +0,0 @@
 # Ensure that file are found event when this file is included in another layer
 # ==============================================================================
 FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
 # Main include file for u-boot to ensure CoreOS compatibility
 # ==============================================================================
 SRC_URI += " \
    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
 "
 require u-boot-coreos-efi.inc
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend
@ -1,2 +0,0 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 require u-boot-coreos.inc
--- a/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk
+++ b/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk
@ -12,8 +12,8 @@ sector-size: 512
 /dev/mmcblk1p1 : start=         256, size=         512, type=4DA6E9DA-C803-4BE4-BAC4-8192717C5EB0, name="mlo", attrs="RequiredPartition"
 /dev/mmcblk1p2 : start=         768, size=        8192, type=5B97345D-B7A1-47D3-A491-ED40F4841639, name="uboot", attrs="RequiredPartition"
-/dev/mmcblk1p3 : start=        8960, size=      131072, ${SFDISK_PART_EFI}
+/dev/mmcblk1p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
-/dev/mmcblk1p4 : start=      140032, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk1p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
-/dev/mmcblk1p5 : start=      402176, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk1p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
-/dev/mmcblk1p6 : start=      664320, size=     3403375, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk1p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
-/dev/mmcblk1p7 : start=     4067695, size=     3403375, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk1p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
--- a/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk
+++ b/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk
@ -0,0 +1,13 @@
 label: gpt
 device: /dev/mmcblk2
 unit: sectors
 first-lba: 34
 last-lba: 7471070
 sector-size: 512
 /dev/mmcblk2p1 : start= 256, size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
 /dev/mmcblk2p2 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
 /dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
 /dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
 /dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
 /dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}
--- a/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend
@ -1,3 +1,4 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"
 SRC_URI:append:beaglebone = " file://beaglebone_1.0.sfdisk"
 SRC_URI:append:eagle40-03 = " file://eagle40-03_1.0.sfdisk"
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg
@ -0,0 +1,2 @@
 CONFIG_F71808E_WDT=y
 CONFIG_WATCHDOG_SYSFS=y
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/hyperv.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/hyperv.cfg
@ -0,0 +1,16 @@
 CONFIG_HYPERVISOR_GUEST=y
 CONFIG_PARAVIRT=y
 CONFIG_PARAVIRT_SPINLOCKS=y
 CONFIG_CONNECTOR=y
 CONFIG_SCSI_FC_ATTRS=y
 CONFIG_HYPERV=y
 CONFIG_HYPERV_UTILS=y
 CONFIG_HYPERV_BALLOON=y
 CONFIG_HYPERV_STORAGE=y
 CONFIG_HYPERV_NET=y
 CONFIG_HYPERV_KEYBOARD=y
 CONFIG_FB_HYPERV=y
 CONFIG_HID_HYPERV_MOUSE=y
 CONFIG_PCI_HYPERV=y
 CONFIG_VSOCKETS=y
 CONFIG_HYPERV_VSOCKETS=y
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
@ -1,23 +0,0 @@
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
 # Ensure EFI STUB is enabled
 KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
 # By default we use a Unified Kernel Image that contain the kernel, the
 # kernel command line and some device tree, so we don't need to sign the output
 # of the kernel recipes
 COREOS_KERNEL_EFI_SIGNED ??= "0"
 # Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
 kernel_do_deploy:append() {
    if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
      deployDir="${DEPLOYDIR}"
      for imageType in ${KERNEL_IMAGETYPES} ; do
        baseName="$imageType-${KERNEL_IMAGE_NAME}"
        coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
      done
    fi
 }
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
@ -1,13 +1,20 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 KMACHINE:vm-x64 ?= "common-pc-64"
 COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
 # Enable some kernel features related to virtualiuzation
 KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
 SRC_URI:append:vm-x64 = " file://hyperv.cfg"
 KMACHINE:eagle40-03 ?= "common-pc-64"
 KBRANCH:eagle40-03 = "v5.15/standard/base"
 SRCREV_machine:eagle40-03 ?= "3baf1c5c0e6084b3f4a1d2d805168d657f872e60"
 COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
 LINUX_VERSION:eagle40-03 = "5.15.134"
 KBRANCH:beaglebone = "v5.15/standard/beaglebone"
 KMACHINE:beaglebone ?= "beaglebone"
 SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
 require linux-yocto-coreos-efi.inc
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend
@ -0,0 +1,14 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 KMACHINE:eagle40-03 ?= "common-pc-64"
 COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
 KMACHINE:beaglebone ?= "beaglebone"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 KMACHINE:vm-x64 ?= "common-pc-64"
 COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
 KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
 SRC_URI:append:vm-x64 = " file://hyperv.cfg"
 SRC_URI += " file://eagle40-03.cfg"
--- a/layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in
@ -13,8 +13,8 @@ part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mm
 # Let's define a 4MiB maximum size for the bootloader
 # 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
 ${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --fixed-size 32M
-${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size 128M
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
-${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size 128M
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
-${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
+${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
-${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
+${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks
+++ b/layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks
@ -0,0 +1,16 @@
 # short-description: Create USB image for Eagle 40-03
 # long-description: Creates a partitioned USB image for Eagle 40-03.
 # offset 1S => 1 sector (1x512 byte)
 # The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
 # MBR disk use only the sector 0, so 1S is free
 # GPT disk use sector 0-33S, so first free slot is 256S
 # Offset are from the BBB default settings
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 # Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 part --offset 256S --source bootimg-partition --part-type=EF00 --ondisk mmcblk0
 part --fixed-size 3G --fstype=vfat --label=image
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
@ -1,10 +1,11 @@
 # short-description: Create an EFI disk image for genericx86*
 # long-description: Creates a partitioned EFI disk image for genericx86* machines
 ${WKS_PART_EFI} --ondisk sda  --align 1024 --size 64M --extra-space 0 --overhead-factor 1
 ${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
-part swap --ondisk sda --size 44 --label swap1 --fstype=swap
+${WKS_PART_EFI} --align 1024 --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
@ -0,0 +1,12 @@
 # short-description: Create an EFI disk image
 # long-description: Creates a partitioned EFI disk image that the user
 # can directly dd to boot media.
 part --source efibootguard-efi --label efi --part-type=EF00 --use-uuid --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
 part / --source rootfs --fstype=ext4 --label rootfs0 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 part --fstype=ext4 --label rootfs1 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_USERDATA} --use-uuid --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb
+++ b/layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb
@ -0,0 +1,8 @@
 DESCRIPTION = "An image that includes k3s-agent"
 require recipes-core/images/coreos-image-all-features.bb
 IMAGE_INSTALL += "k3s-agent"
 # To use this image, please add k3s to DISTRO_FEATURE inside your
 # local.conf config file.
--- a/layers/meta-belden-coreos-demo/recipes-kernel/linux/files/k3s_kernel_adaptions.cfg
+++ b/layers/meta-belden-coreos-demo/recipes-kernel/linux/files/k3s_kernel_adaptions.cfg
@ -0,0 +1,8 @@
 #this file contains the necssary kernel adaption that k3s an containerd require
 #Reference
 #k3s config check: https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/check-config.sh
 #container config check: https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh
 #these scripts are provided by moby and rancher
 CONFIG_OABI_COMPAT=n
 CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
 CONFIG_SECCOMP_FILTER=y
--- a/layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend
+++ b/layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend
@ -0,0 +1 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
--- a/layers/meta-belden-coreos/classes/bats-library.bbclass
+++ b/layers/meta-belden-coreos/classes/bats-library.bbclass
@ -0,0 +1,19 @@
 # Library to share code needed to install most available bats library
 # Bats library are shell scripts, so they are arch independant
 inherit allarch
 RDEPENDS:${PN} += "bats"
 # Bats can find library in this folder by default
 BATS_LIB_PATH ?= "${libdir}/bats"
 # By default the library will have the same name as the recipe
 BATS_INSTALL_DIR ?= "${BATS_LIB_PATH}/${PN}"
 FILES:${PN} += "${BATS_INSTALL_DIR}"
 do_install() {
    install -d ${D}${BATS_INSTALL_DIR}
    cp -r ${S}/src ${D}${BATS_INSTALL_DIR}/
    install ${S}/load.bash ${D}${BATS_INSTALL_DIR}/
 }
--- a/layers/meta-belden-coreos/classes/coreos-image-ci.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-ci.bbclass
@ -3,6 +3,7 @@
 # > COREOS_IMAGE_EXTRACLASSES += "coreos-image-ci"
 # in auto.conf (or local.conf)
 inherit kernel-artifact-names
 def get_coreos_ci_artifacts(d):
    artifacts = []
@ -12,11 +13,11 @@ def get_coreos_ci_artifacts(d):
    # Container handling
    # ==========================================================================
-    
+
    if bb.utils.contains('IMAGE_FSTYPES', 'oci', True, False, d):
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.rootfs-oci.tar')
-        
+
        # Special case for container, we just need the OCI tarball
        return " ".join(artifacts)
@ -25,10 +26,14 @@ def get_coreos_ci_artifacts(d):
    if bb.utils.contains('IMAGE_FSTYPES', 'wic.xz', True, False, d):
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.xz')
-    
+
    if bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d):
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')
    # This is used for qemu-coreos-arm64
    if bb.utils.contains('IMAGE_FSTYPES', 'wic.qcow2', True, False, d):
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.qcow2')
    if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1':
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')
@ -90,5 +95,5 @@ do_deploy_ci() {
    for file in ${COREOS_CI_DEPLOY_ARTIFACTS}; do
        echo $file >> $output
    done
-} 
+}
 addtask deploy_ci after do_image before do_build
--- a/layers/meta-belden-coreos/classes/coreos-image-installer.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-installer.bbclass
@ -0,0 +1,41 @@
 # Class used to generate image based on Belden CoreOS
 export IMAGE_BASENAME = "${MLPREFIX}${PN}"
 IMAGE_NAME_SUFFIX ?= ""
 IMAGE_LINGUAS = ""
 LICENSE = "MIT"
 IMAGE_FSTYPES = "cpio.gz"
 # Support for generating a SDCard or USB installer is optional
 COREOS_INSTALLER_WKS_FILE ??= ""
 WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
 IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
 IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
 COREOS_IMAGE_GENERATE_UKI = "1"
 # IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
 # run during image generation
 COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
 COREOS_IMAGE_GENERATE_SWU = "0"
 # Change generated UKI filename and reset the bundled command line to "APPEND"
 # to ensure that root is not set in the kernel command line
 COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
 COREOS_KERNEL_CMDLINE ?= "${APPEND}"
 inherit coreos-image
 # Only install a reduced set of package and feature to keep image size small
 IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer coreos-installer-unattended util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
 IMAGE_FEATURES = "debug-tweaks swupdate"
 NO_RECOMMENDATIONS = "1"
 IMAGE_ROOTFS_SIZE = "8192"
 INITRAMFS_MAXSIZE = "976562"
 IMAGE_ROOTFS_EXTRA_SPACE = "0"
 # Use the same restriction as initramfs-module-install
 COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'
--- a/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
@ -69,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):
    return text
 # Signature support
 inherit coreos-efi-secureboot
 SWUPDATE_SIGNING = "CMS"
 SWUPDATE_CMS_KEY  = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
 SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
 COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
 inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}
--- a/layers/meta-belden-coreos/classes/coreos-image.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image.bbclass
@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
    packagegroup-coreos-boot \
    packagegroup-coreos-base \
    secure-storage \
    "
 COREOS_IMAGE_EXTRA_INSTALL ?= ""
@ -89,10 +90,12 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
 # Unified kernel image and swupdate support
 # ==============================================================================
-# Support for Unified Kernel Image and Swupdate are optional
+# The CoreOS image installer is disabled by default.
-COREOS_IMAGE_GENERATE_INSTALLER ?= "1"
+COREOS_IMAGE_GENERATE_INSTALLER ?= "0"
-COREOS_IMAGE_GENERATE_UKI ?= "1"
+
-COREOS_IMAGE_GENERATE_SWU ?= "1"
+# Support for Unified Kernel Image and Swupdate are optional.
 COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
 COREOS_IMAGE_GENERATE_SWU ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"
 # Generate the installer image if needed
 do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"
--- a/layers/meta-belden-coreos/classes/coreos-sanity.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-sanity.bbclass
@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
 check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
 python check_coreos_sanity_eventhandler() {
    import datetime
    # Checks related to the distribution configuration files
    # ==========================================================================
@ -29,13 +31,22 @@ python check_coreos_sanity_eventhandler() {
            "systemd is not set as `INIT_MANAGER`. "
            "Using SystemD is mandatory on CoreOS based distribution"
        )
-    
+
    if e.data.getVar("TCLIBC") != "glibc":
        bb.fatal(
            "glibc is not set as `TCLIBC`. "
            "Using glibc is mandatory on CoreOS based distribution"
        )
-    
+
    # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
    first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
    foy_ts = str(int(first_of_year.timestamp()))
    if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
        bb.warn(
            "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
            "Set to current 01. january of the year."
        )
    # Checks related to the machine configuration files
    # ==========================================================================
@ -47,7 +58,7 @@ python check_coreos_sanity_eventhandler() {
                "CoreOS recommands to use compressed wic image, please add "
                "`wic.xz` to your machine `IMAGE_FSTYPES` variables"
            )
-        
+
        if not "wic.bmap":
            bb.warn(
                "wic image should be flashed with bmaptools, but this require "
--- a/layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
+++ b/layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
@ -0,0 +1,8 @@
 require conf/distro/include/belden-coreos-base.inc
 DISTRO = "belden-coreos-base"
 DISTRO_NAME = "Belden CoreOS (Base)"
 MAINTAINER = "Belden CoreOS Team"
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
--- a/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
+++ b/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
@ -1,87 +1,9 @@
 require conf/distro/include/belden-coreos-base.inc
 require conf/distro/include/belden-coreos-extra.inc
 DISTRO = "belden-coreos"
 DISTRO_NAME = "Belden CoreOS"
 MAINTAINER = "Belden CoreOS Team"
 INHERIT += "coreos_metadata_scm"
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
 # Distro features and policies
 # ==============================================================================
 PACKAGE_CLASSES = "package_ipk"
 INIT_MANAGER = "systemd"
 # CoreOS use journald from the systemd package to handle log
 # https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
 # This remove syslog from packagegroup-core-boot
 VIRTUAL-RUNTIME_syslog = ""
 VIRTUAL-RUNTIME_base-utils-syslog = ""
 DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
 DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
 DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
 DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
 # Build configuration
 # ==============================================================================
 TARGET_VENDOR = "-belden"
 # We don't support multiple libc, so we don't need to append the libc name to
 # the tmp directory: ie use build/tmp instead of build/tmp-glibc
 TCLIBCAPPEND = ""
 SANITY_TESTED_DISTROS ?= " \
            debian-11 \n \
            ubuntu-22.04 \n \
            "
 # This variable is used to ensure that any distribution using the CoreOS layer
 # include this file. This is checked by the coreos-sanity class
 SANITY_COREOS_COMPATIBLE ?= "1"
 require conf/distro/include/no-static-libs.inc
 require conf/distro/include/yocto-uninative.inc
 require conf/distro/include/security_flags.inc
 # uninative is need to share the sstates between multiple host distrubtion
 INHERIT += "uninative"
 # Bitbake configuration
 # ==============================================================================
 BB_SIGNATURE_HANDLER ?= "OEBasicHash"
 # SDK Configuration
 # ==============================================================================
 SDK_VENDOR = "-coreossdk"
 SDK_VERSION = "${DISTRO_VERSION}"
 SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
 SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
 SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
 # EFI and Secure boot
 # ==============================================================================
 EFI_PROVIDER = "efibootguard"
 EFIBOOTGUARD_TIMEOUT ??= "60"
 INHERIT += "coreos-efi-secureboot"
 # Virtualization configuration
 # ==============================================================================
 # Use crun insted of runc as a OCI runtime. crun is faster and need less memory
 # than runc so it's a better fit for embedded
 #PREFERRED_PROVIDER_virtual/runc = "crun"
 PACKAGECONFIG:append:pn-podman = " rootless"
 DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"
 # CoreOS specific options
 # ==============================================================================
 # Distro based on CoreOS can provide their own configuration files for the
 # CoreOS installer by overriding this variable
 PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
--- a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
+++ b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
@ -0,0 +1,118 @@
 # This is the base include file for all coreos based distro
 # it should support the most basic distro without optional coreos
 # features
 # Using :coreos override should work on all CoreOS based distro
 # Note that :belden-coreos does not work on CoreOS based distro but will
 # work when build for the belden-coreos distro
 DISTROOVERRIDES = "coreos:${DISTRO}"
 INHERIT += "coreos_metadata_scm"
 # Distro features and policies
 # ==============================================================================
 PACKAGE_CLASSES = "package_ipk"
 INIT_MANAGER = "systemd"
 # CoreOS use journald from the systemd package to handle log
 # https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
 # This remove syslog from packagegroup-core-boot
 VIRTUAL-RUNTIME_syslog = ""
 VIRTUAL-RUNTIME_base-utils-syslog = ""
 DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
 # CoreOS wasn't compatible with older Yocto version, so we should not have any
 # features backfilled. Value are from DISTRO_FEATURES_BACKFILL
 # with the exception of gobject-introspection-data that are backfilled on
 # purpose, this allow to use C library based on gobject in python or javascript
 DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio sysvinit ldconfig"
 DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
 # Build configuration
 # ==============================================================================
 TARGET_VENDOR = "-belden"
 # We don't support multiple libc, so we don't need to append the libc name to
 # the tmp directory: ie use build/tmp instead of build/tmp-glibc
 TCLIBCAPPEND = ""
 SANITY_TESTED_DISTROS ?= " \
            debian-11 \n \
            ubuntu-22.04 \n \
            "
 # This variable is used to ensure that any distribution using the CoreOS layer
 # include this file. This is checked by the coreos-sanity class
 SANITY_COREOS_COMPATIBLE ?= "1"
 require conf/distro/include/no-static-libs.inc
 require conf/distro/include/yocto-uninative.inc
 require conf/distro/include/security_flags.inc
 # uninative is need to share the sstates between multiple host distrubtion
 INHERIT += "uninative"
 # Bitbake configuration
 # ==============================================================================
 BB_SIGNATURE_HANDLER ?= "OEBasicHash"
 # SDK Configuration
 # ==============================================================================
 SDK_VENDOR = "-coreossdk"
 SDK_VERSION = "${DISTRO_VERSION}"
 SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
 SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
 SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
 # EFI and Secure boot
 # ==============================================================================
 EFI_PROVIDER = "efibootguard"
 EFIBOOTGUARD_TIMEOUT ??= "60"
 INHERIT += "coreos-efi-secureboot"
 # PACKAGECONFIG
 # ==============================================================================
 # Reduce the size of some package by disabling some feature by default
 # Distro using coreos can re-enabled a disabled config by changing
 # the COREOS_DISABLED_PACKAGECONFIG variable
 PACKAGECONFIG:pn-systemd ?= " \
    ${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \
    ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
    ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
    ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \
    hostnamed \
    kmod \
    localed \
    logind \
    set-time-epoch \
    sysusers \
    userdb \
    vconsole \
    wheel-group \
    zstd \
 "
 # DNS Configuration
 # CoreOS specific options
 # ==============================================================================
 # Distro based on CoreOS can provide their own configuration files for the
 # CoreOS installer by overriding this variable
 PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
 # This TS represents 01.01.2024 generating it dynamically would cause a lot of
 # things to get re-build, we need a good solution for this or change it every
 # year
 REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"
--- a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
+++ b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
@ -0,0 +1,30 @@
 # This is the include all the CoreOS feature that are optional
 # Virtualization configuration
 # ==============================================================================
 PACKAGECONFIG:append:pn-podman = " rootless"
 DISTRO_FEATURES += "virtualization seccomp"
 # swupdate configuration
 # ==============================================================================
 # Enable the generation of .swu file for images
 DISTRO_FEATURES += "swupdate"
 # Networking configuration
 # ==============================================================================
 # Add networking support to systemd. This allow systemd to handle
 # network/dhcp/dns/time
 PACKAGECONFIG:pn-systemd += " \
    hostnamed \
    idn \
    myhostname \
    nss \
    nss-resolve \
    resolved \
    networkd \
    timedated \
    timesyncd \
 "
--- a/layers/meta-belden-coreos/conf/distro/include/coreos-support.inc
+++ b/layers/meta-belden-coreos/conf/distro/include/coreos-support.inc
@ -0,0 +1,149 @@
 COREOS_RECIPE_MAINTAINER:pn-acl = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-arptables = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-attr = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-autoconf-archive = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-base-files = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-base-passwd = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-bash-completion = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-bash = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-binutils-cross-x86_64 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-boost = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-bridge-utils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-busybox = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-bzip2 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-ca-certificates = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-conntrack-tools = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-coreutils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-cppzmq = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-cracklib = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-cryptsetup = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-curl = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-dbus = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-depmodwrapper-cross = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-e2fsprogs = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-ebtables = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-efibootguard = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-elfutils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-ethtool = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-expat = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-findutils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-flatbuffers = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-flex = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-fmt = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gawk = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gcc-cross-x86_64 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gcc-runtime = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gdbm = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-glib-2.0 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-glibc = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-glibc-locale = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gmp = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gnu-efi = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-gnutls = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-grub-bootconf = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-grub = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-grub-efi = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-icu = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-iproute2 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-iptables = "Team CoreOS"
 #iw should be removed
 COREOS_RECIPE_MAINTAINER:pn-json-c = "Team CoreOS"
 # kbd check if it can be removed
 # kmod check if it can be removed
 COREOS_RECIPE_MAINTAINER:pn-libaio = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libarchive = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libcap = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libcap-ng = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libcheck = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libconfig = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libdevmapper = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libestr = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libfastjson = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libffi = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libgcc = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libgcc-initial = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libgcrypt = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libgpg-error = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libidn2 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-liblogging = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libmnl = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnet = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnetfilter-conntrack = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cthelper = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cttimeout = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnetfilter-log = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnetfilter-queue = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnfnetlink = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnl = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libnsl2 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libpam = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libpcap = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libpcre = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libseccomp = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libsodium = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libsolv = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libssh2 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libssh = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libtirpc = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libtool-cross = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libunistring = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libusb1 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libxcrypt = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-libxml2 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-linux-libc-headers = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-linux-yocto = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-logrotate = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-lrzsz = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-lvm2 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-lzo = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-m4 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-mtools = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-ncurses = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-netbase = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-nettle = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-openssh = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-openssl = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-opkg-arch-config = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-opkg = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-opkg-utils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-os-release = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-packagegroup-base = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-packagegroup-core-boot = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-base = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-boot = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-pciutils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-perl = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-popt = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-python3 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-qemuwrapper-cross = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-readline = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-rsyslog = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-run-postinsts = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-secure-storage = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-setserial = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-sh = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-shared-mime-info = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-spdlog = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-sqlite3 = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-swupdate = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-sysfsutils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-syslinux = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-syslog-ng = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-systemd-bootconf = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-systemd-boot = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-systemd-conf = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-systemd = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-systemd-serialgetty = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-tar = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-tcpdump = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-usbutils = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-util-linux = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-util-linux-libuuid = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-volatile-binds = "Team CoreOS"
 # wpa-supplicant should be removed
 COREOS_RECIPE_MAINTAINER:pn-xz = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-zeromq = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-zip = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-zlib = "Team CoreOS"
 COREOS_RECIPE_MAINTAINER:pn-zstd = "Team CoreOS"
--- a/layers/meta-belden-coreos/conf/layer.conf
+++ b/layers/meta-belden-coreos/conf/layer.conf
@ -15,6 +15,7 @@ LAYERDEPENDS_meta-belden-coreos = "\
    networking-layer \
    virtualization-layer \
    webserver \
    meta-arm \
 "
 LAYERSERIES_COMPAT_meta-belden-coreos = "kirkstone"
--- a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
@ -1,4 +1,22 @@
 # Add CoreOS A/B Switching support
 # ==============================================================================
 FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch"
 # Add signature support
 # ==============================================================================
 DEPENDS:append = " cos-certificates-and-keys-native"
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
 do_deploy:append() {
    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
    fi
 }
--- a/layers/meta-belden-coreos/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/layers/meta-belden-coreos/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@ -1,244 +0,0 @@
 DESCRIPTION = "Trusted Firmware-A"
 LICENSE = "BSD-3-Clause & MIT"
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 inherit deploy
 SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
 UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
 SRCREV_FORMAT = "tfa"
 COMPATIBLE_MACHINE ?= "invalid"
 # Platform must be set for each machine
 TFA_PLATFORM ?= "invalid"
 # Some platforms can have multiple board configurations
 # Leave empty for default behavior
 TFA_BOARD ?= ""
 # Some platforms use SPD (Secure Payload Dispatcher) services
 # Few options are "opteed", "tlkd", "trusty", "tspd", "spmd"...
 # Leave empty to not use SPD
 TFA_SPD ?= ""
 # Variable used when TFA_SPD=spmd
 TFA_SPMD_SPM_AT_SEL2 ?= "1"
 # SP layout file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
 TFA_SP_LAYOUT_FILE ?= ""
 # SPMC manifest file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
 TFA_ARM_SPMC_MANIFEST_DTS ?= ""
 # Build for debug (set TFA_DEBUG to 1 to activate)
 TFA_DEBUG ?= "0"
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 # mbed TLS support (set TFA_MBEDTLS to 1 to activate)
 TFA_MBEDTLS ?= "0"
 # sub-directory in which mbedtls will be downloaded
 TFA_MBEDTLS_DIR ?= "mbedtls"
 # This should be set to MBEDTLS download URL if MBEDTLS is needed
 SRC_URI_MBEDTLS ??= ""
 # This should be set to MBEDTLS LIC FILES checksum
 LIC_FILES_CHKSUM_MBEDTLS ??= ""
 # add MBEDTLS to our sources if activated
 SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}"
 # Update license variables
 LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}"
 LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
 # add mbed TLS to version
 SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
 # U-boot support (set TFA_UBOOT to 1 to activate)
 # When U-Boot support is activated BL33 is activated with u-boot.bin file
 TFA_UBOOT ??= "0"
 # UEFI support (set TFA_UEFI to 1 to activate)
 # When UEFI support is activated BL33 is activated with uefi.bin file
 TFA_UEFI ??= "0"
 # What to build
 # By default we only build bl1, do_deploy will copy
 # everything listed in this variable (by default bl1.bin)
 TFA_BUILD_TARGET ?= "bl1"
 # What to install
 # do_install and do_deploy will install everything listed in this
 # variable. It is set by default to TFA_BUILD_TARGET
 TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
 # Requires CROSS_COMPILE set by hand as there is no configure script
 export CROSS_COMPILE="${TARGET_PREFIX}"
 # Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
 CFLAGS[unexport] = "1"
 LDFLAGS[unexport] = "1"
 AS[unexport] = "1"
 LD[unexport] = "1"
 # No configure
 do_configure[noexec] = "1"
 # Baremetal, just need a compiler
 DEPENDS:remove = "virtual/${TARGET_PREFIX}compilerlibs virtual/libc"
 # We need dtc for dtbs compilation
 # We need openssl for fiptool
 DEPENDS = "dtc-native openssl-native"
 DEPENDS:append:toolchain-clang = " compiler-rt"
 # CC and LD introduce arguments which conflict with those otherwise provided by
 # this recipe. The heads of these variables excluding those arguments
 # are therefore used instead.
 def remove_options_tail (in_string):
    from itertools import takewhile
    return ' '.join(takewhile(lambda x: not x.startswith('-'), in_string.split(' ')))
 EXTRA_OEMAKE += "LD=${@remove_options_tail(d.getVar('LD'))}"
 EXTRA_OEMAKE += "CC=${@remove_options_tail(d.getVar('CC'))}"
 # Verbose builds, no -Werror
 EXTRA_OEMAKE += "V=1 E=0"
 # Add platform parameter
 EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
 # Handle TFA_BOARD parameter
 EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
 # Handle TFA_SPD parameter
 EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
 # If TFA_SPD is spmd, set SPMD_SPM_AT_SEL2
 EXTRA_OEMAKE += "${@'SPMD_SPM_AT_SEL2=${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
 # Handle TFA_DEBUG parameter
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_DEBUG', '1', 'DEBUG=${TFA_DEBUG}', '', d)}"
 # Handle MBEDTLS
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
 # Uboot support
 DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
 do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '', d)}"
 # UEFI support
 DEPENDS += " ${@bb.utils.contains('TFA_UEFI', '1', 'edk2-firmware', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UEFI', '1', 'BL33=${RECIPE_SYSROOT}/firmware/uefi.bin', '', d)}"
 # TFTF test support
 DEPENDS += " ${@bb.utils.contains('TFTF_TESTS', '1', 'tf-a-tests', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('TFTF_TESTS', '1', 'BL33=${RECIPE_SYSROOT}/firmware/tftf.bin', '',d)}"
 # Hafnium support
 SEL2_SPMC = "${@'${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
 DEPENDS += " ${@bb.utils.contains('SEL2_SPMC', '1', 'hafnium', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'CTX_INCLUDE_EL2_REGS=1 ARM_ARCH_MINOR=4 BL32=${RECIPE_SYSROOT}/firmware/hafnium.bin', '', d)}"
 # Add SP layout file and spmc manifest for hafnium
 EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'SP_LAYOUT_FILE=${TFA_SP_LAYOUT_FILE}' if d.getVar('TFA_SP_LAYOUT_FILE') else '', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}"
 # Tell the tools where the native OpenSSL is located
 EXTRA_OEMAKE += "OPENSSL_DIR=${STAGING_DIR_NATIVE}/${prefix_native}"
 # Use the correct native compiler
 EXTRA_OEMAKE += "HOSTCC='${BUILD_CC}'"
 # Runtime variables
 EXTRA_OEMAKE += "RUNTIME_SYSROOT=${STAGING_DIR_HOST}"
 BUILD_DIR = "${B}/${TFA_PLATFORM}"
 BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
 BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
 do_compile() {
    # This is still needed to have the native tools executing properly by
    # setting the RPATH
    sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
    sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
    sed -i '/^LIB/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/cert_create/Makefile
    # Currently there are races if you build all the targets at once in parallel
    for T in ${TFA_BUILD_TARGET}; do
        oe_runmake -C ${S} $T
    done
 }
 do_compile[cleandirs] = "${B}"
 do_install() {
    install -d -m 755 ${D}/firmware
    for atfbin in ${TFA_INSTALL_TARGET}; do
        processed="0"
        if [ "$atfbin" = "all" ]; then
            # Target all is not handled by default
            bberror "all as TFA_INSTALL_TARGET is not handled by do_install"
            bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
            bberror "rewrite or turn off do_install"
            exit 1
        fi
        if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
            echo "Install $atfbin.bin"
            install -m 0644 ${BUILD_DIR}/$atfbin.bin \
                ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
            ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
            processed="1"
        fi
        if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
            echo "Install $atfbin.elf"
            install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
                ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
            ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
            processed="1"
        fi
        if [ -f ${BUILD_DIR}/$atfbin ]; then
            echo "Install $atfbin"
            install -m 0644 ${BUILD_DIR}/$atfbin \
                ${D}/firmware/$atfbin-${TFA_PLATFORM}
            ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
            processed="1"
        fi
        if [ -f ${BUILD_DIR}/fdts/$atfbin.dtb ]; then
            echo "Install $atfbin.dtb"
            install -m 0644 "${BUILD_DIR}/fdts/$atfbin.dtb" \
                "${D}/firmware/$atfbin.dtb"
            processed="1"
        elif [ "$atfbin" = "dtbs" ]; then
            echo "dtbs install, skipped: set dtbs in TFA_INSTALL_TARGET"
        elif [ -f ${B}/tools/$atfbin/$atfbin ]; then
            echo "Tools $atfbin install, skipped"
        elif [ "$processed" = "0" ]; then
            bberror "Unsupported TFA_INSTALL_TARGET target $atfbin"
            exit 1
        fi
    done
 }
 FILES:${PN} = "/firmware"
 SYSROOT_DIRS += "/firmware"
 FILES:${PN}-dbg = "/firmware/*.elf"
 # Skip QA check for relocations in .text of elf binaries
 INSANE_SKIP:${PN}-dbg = "textrel"
 do_deploy() {
    cp -rf ${D}/firmware/* ${DEPLOYDIR}/
 }
 addtask deploy after do_install
 CVE_PRODUCT = "arm:arm-trusted-firmware \
               arm:trusted_firmware-a \
               arm:arm_trusted_firmware \
               arm_trusted_firmware_project:arm_trusted_firmware"
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
@ -1,12 +1,23 @@
 # Ensure that file are found event when this file is included in another layer
 # ==============================================================================
 FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
 # U-Boot CoreOS Distro Settings
 # ==============================================================================
 # Enable more debug option when debug-tweaks is enabled
 SRC_URI += " \
    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
 "
 inherit coreos-efi-secureboot
 # Make sure UEFI and secure boot is enabled for every u-boot build
 SRC_URI += " \
    file://uefi.cfg \
    file://uefi-secureboot.cfg \
 "
 DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
 # Generate a ubootefi.var file inside the build directory
 #
 # This file can be directly linked inside the u-boot binary to provide
@ -15,6 +26,7 @@ DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
 #
 # The efivar.py is taken from u-boot-tools recipes, so that we are sure that he
 # is found and don't depend on the u-boot version being used
 DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native cos-certificates-and-keys-native"
 addtask uboot_generate_efivar after do_configure before do_compile
 do_uboot_generate_efivar() {
    # Settings OPENSSL_MODULES is needed, otherwise efivar.py fail with
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-tools_2022.01.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-tools_2022.01.bbappend
@ -4,4 +4,6 @@
 do_install:append() {
 	install -m 0755 ${S}/tools/efivar.py ${D}${bindir}/uboot-efivar
-}
+}
 FILES:${PN} += "${bindir}/uboot-efivar"
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/debug-tweaks.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/debug-tweaks.cfg
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi.cfg
--- a/layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend
@ -0,0 +1,5 @@
 # Add CoreOS distro settings to u-boot
 UBOOT_COREOS_REQUIRE:coreos ?= "u-boot-coreos.inc"
 UBOOT_COREOS_REQUIRE ?= ""
 require ${UBOOT_COREOS_REQUIRE}
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.10.bb
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.10.bb
@ -4,5 +4,3 @@ require recipes-bsp/u-boot/u-boot.inc
 SRCREV = "4debc57a3da6c3f4d3f89a637e99206f4cea0a96"
 DEPENDS += "bc-native dtc-native python3-setuptools-native"
 LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
 require u-boot-coreos.inc
--- a/layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb
+++ b/layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb
@ -10,3 +10,6 @@ IMAGE_INSTALL:append = "${@bb.utils.contains("IMAGE_FEATURES", "swupdate", " swu
 # development tools
 IMAGE_INSTALL:append = " systemd-analyze"
 # Enable the optional image installer
 COREOS_IMAGE_GENERATE_INSTALLER = "1"
--- a/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb
+++ b/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb
@ -1,50 +1,4 @@
 DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
 # Don't reboot the device at reboot and don't do A/B switching
 BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
 export IMAGE_BASENAME = "${MLPREFIX}${PN}"
 IMAGE_NAME_SUFFIX ?= ""
 IMAGE_LINGUAS = ""
 LICENSE = "MIT"
-IMAGE_FSTYPES = "cpio.gz"
+inherit coreos-image-installer
 # Support for generating a SDCard installer is optional
 COREOS_INSTALLER_WKS_FILE ??= ""
 WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
 IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
 IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
 COREOS_IMAGE_GENERATE_UKI = "1"
 # Avoid dependancy loop, we are already in an installer image, so we don't need
 # to bundle another one
 COREOS_IMAGE_GENERATE_INSTALLER = "0"
 # IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
 # run during image generation
 COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
 COREOS_IMAGE_GENERATE_SWU = "0"
 # Change generated UKI filename and reset the bundled command line to "APPEND"
 # to ensure that root is not set in the kernel command line
 COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
 COREOS_KERNEL_CMDLINE ?= "${APPEND}"
 inherit coreos-image
 # Only install a reduced set of package and feature to keep image size small
 IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer swupdate-www util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
 IMAGE_FEATURES = "debug-tweaks swupdate networkmanager"
 NO_RECOMMENDATIONS = "1"
 IMAGE_ROOTFS_SIZE = "8192"
 INITRAMFS_MAXSIZE = "976562"
 IMAGE_ROOTFS_EXTRA_SPACE = "0"
 # Use the same restriction as initramfs-module-install
 COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'
--- a/layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb
+++ b/layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb
@ -15,7 +15,7 @@ COREOS_IMAGE_EFI_PROVIDER_EXTRA = " \
 "
 RDEPENDS:${PN} = "\
-    packagegroup-base-extended \
+    packagegroup-base \
    os-release \
    ${@bb.utils.contains("MACHINE_FEATURES", "efi", "${COREOS_IMAGE_EFI_PROVIDER_EXTRA}", "", d)} \
 "
--- a/layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog
+++ b/layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog
@ -0,0 +1,2 @@
 [Manager]
 RuntimeWatchdogSec=5
--- a/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend
@ -0,0 +1,15 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/systemd-conf:"
 SRC_URI += " file://system.conf-watchdog"
 do_install:append(){
 	# the creation date/time of this file will be used as initial boot time.
 	# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
 	# More info about the date/time handling here:
 	# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
 	touch ${D}/${base_libdir}/clock-epoch
 	install -D -m0644 ${WORKDIR}/system.conf-watchdog ${D}${systemd_unitdir}/system.conf.d/01-${PN}-watchdog.conf
 }
 FILES:${PN} += "${base_libdir}/clock-epoch"
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh
@ -0,0 +1,23 @@
 #!/usr/bin/env sh
 # catch errors from previous source files
 if [ "$SWUPDATE_EXIT" != "" ]; then
  # Notify the installation status indicator about the failed installation.
  # This can result in the red LED lighting up.
  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
  exit 1
 fi
 # Notify the installation status indicator about the success with partitioning
 # the blockdevice. This can result in the first green LED lighting up.
 dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusPartitioningSuccess
 mount /dev/disk/by-label/image /mnt
 if [ ! -f "/mnt/image.swu" ]; then
  echo "Could not find image.swu on the vfat partition!"
  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
  exit 1
 fi
 SWUPDATE_ARGS="${SWUPDATE_ARGS} -p /usr/lib/swupdate/post-install.sh"
 SWUPDATE_ARGS="${SWUPDATE_ARGS} -i /mnt/image.swu"
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/post-install.sh
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/post-install.sh
@ -0,0 +1,5 @@
 #!/usr/bin/env sh
 # Notify the installation status indicator about the success with flashing the image.
 # This can result in the second green LED lighting up.
 dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusImageFlashingSuccess
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended_1.0.bb
@ -0,0 +1,23 @@
 DESCRIPTION = "CoreOS scripts for unattended installation"
 SECTION = "coreos"
 LICENSE = "CLOSED"
 SRC_URI += "\
    file://99-overwrite.sh \
    file://post-install.sh \
 "
 FILES:${PN} = "\
    ${libdir}/swupdate/conf.d/99-overwrite.sh \
    ${libdir}/swupdate/post-install.sh \
 "
 RDEPENDS:${PN} = "coreos-installer"
 RCONFLICTS:${PN} = "swupdate-www"
 do_install() {
    install -d ${D}${libdir}/swupdate/conf.d
    install -m 755 ${WORKDIR}/post-install.sh ${D}${libdir}/swupdate/
    install -m 755 ${WORKDIR}/99-overwrite.sh ${D}${libdir}/swupdate/conf.d/
 }
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer/25-installer-config.sh
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer/25-installer-config.sh
@ -1,5 +1,8 @@
 #!/usr/bin/env sh
 set -o errtrace
 trap 'echo "An error occured in line $LINENO: $BASH_COMMAND, exiting..."; SWUPDATE_EXIT=1; exit;' ERR
 # Read /etc/hwrevision and turn it into a stripped string
 # with the format ${MACHINE}_${VERSION}
 HWREVISION=$(tr ' ' '_' < /etc/hwrevision | tr -d '[:space:]')
@ -15,6 +18,13 @@ fi
 DISK=$(grep "^device:\s" < "${SFDISK_DUMP_FILE}" | cut -d ' ' -f 2)
 # Remove the partition table signature, if there is already one.
 # This ensures that sfdisk always finds a 'clean' disk to install / recover
 wipefs -a -f ${DISK}
 # Give the kernel some time to reload the partition
 sleep 3
 echo "Flashing ${SFDISK_DUMP_FILE} to ${DISK}"
 cat "${SFDISK_DUMP_FILE}"
 sfdisk "${DISK}" < "${SFDISK_DUMP_FILE}"
@ -48,3 +58,4 @@ umount /mnt/ebg1
 umount /mnt/efi
 SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
 SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer_1.0.bb
@ -1,22 +1,18 @@
 DESCRIPTION = "CoreOS Installer scripts"
 LICENSE = "CLOSED"
 SECTION = "coreos"
 LICENSE = "CLOSED"
-SRC_URI+= " \
+SRC_URI += "file://25-installer-config.sh"
    file://25-installer-config.sh \
 "
-# This package ship an alternate configuration for SWUpade to disable A/B
+FILES:${PN} = "${libdir}/swupdate/conf.d/25-installer-config.sh"
 # switching and always flash A
 RCONFLICTS:${PN}= "swupdate-coreos-config"
 FILES:${PN} = " \
    ${libdir}/swupdate/conf.d/25-installer-config.sh \
 "
 # glibc-utils provide iconv
 # glibc-gconv-utf-16 provide utf-16 support to iconv
-RDEPENDS:${PN} = "coreos-installer-config dosfstools util-linux-lsblk util-linux-sfdisk glibc-utils glibc-gconv-utf-16"
+RDEPENDS:${PN} = "coreos-installer-config dosfstools glibc-gconv-utf-16 glibc-utils util-linux-lsblk util-linux-sfdisk util-linux-wipefs"
 # This package ships an alternate configuration for SWUpdate to disable A/B
 # switching and always flash A
 RCONFLICTS:${PN} = "swupdate-coreos-config"
 do_install() {
    install -d ${D}${libdir}/swupdate/conf.d
--- a/layers/meta-belden-coreos/recipes-kernel/linux/files/secure-storage.cfg
+++ b/layers/meta-belden-coreos/recipes-kernel/linux/files/secure-storage.cfg
@ -0,0 +1,4 @@
 CONFIG_BLK_DEV_DM=y
 CONFIG_KEYS=y
 CONFIG_ENCRYPTED_KEYS=y
 CONFIG_DM_CRYPT=y
--- a/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto-coreos.inc
+++ b/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto-coreos.inc
@ -0,0 +1,8 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 # Secure Storage
 # ==============================================================================
 SRC_URI += "file://secure-storage.cfg"
 # Ensure the Kernel EFI STUB is enabled
 KERNEL_FEATURES += "cfg/efi.scc cfg/efi-ext.scc"
--- a/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto_%.bbappend
@ -0,0 +1,6 @@
 # Add CoreOS distro settings to the linux-yocto recipes
 LINUX_YOCTO_COREOS_REQUIRE ?= ""
 LINUX_YOCTO_COREOS_REQUIRE:coreos = "linux-yocto-coreos.inc"
 require ${LINUX_YOCTO_COREOS_REQUIRE}
--- a/layers/meta-belden-coreos/recipes-security/cos-certificates-and-keys/cos-certificates-and-keys-native_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/cos-certificates-and-keys/cos-certificates-and-keys-native_1.0.bb
@ -0,0 +1,65 @@
 SUMMARY = "Installs CoreOS certificates and keys"
 DESCRIPTION = "Installs CoreOS certificates and keys that are used during the build"
 AUTHOR = "Patrick Vogelaar"
 LICENSE = "CLOSED"
 SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
 SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
 S = "${WORKDIR}/git"
 inherit deploy native
 CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
 #FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
 do_install() {
    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
    install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
    install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
    install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
    install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
    install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
    install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
    install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
    install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
    install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
    install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
    install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
    install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
    install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
    install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
    install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
    install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
    install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
    bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
 }
 # Public key needed by firmware very depending on the implementation
 # So we copy all type of public key (*.auth, *.esl, *.crt, *der)
 addtask deploy after do_compile
 do_deploy() {
    install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
    install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
    install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
    install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
    install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
    install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
    install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
    install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
    install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
    install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
    install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
    install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
    # !SECURITY WARNING!
    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
 }
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
@ -0,0 +1,93 @@
 #!/usr/bin/env sh
 loopdir=/usr/local/data/loopdevices
 loopfile=$loopdir/crypt.loop
 keyfiledir=/usr/local/data/.crypto
 keyfile=$keyfiledir/ss_crypto.keyfile
 #megabytes
 loopsize=16
 #/dev/mapper/xxxxx when open
 cryptmapper=secStorage
 makefilesystem=ext4
 #mountpoint of uncrypted device
 mountpoint=/usr/local/data/secure-storage
 create_keyfile() {
 	# echo "Create key file"
 	systemd-notify --status="Create key file"
 	mkdir -p $keyfiledir
 	dd if=/dev/urandom of=$keyfile bs=1 count=256
 	chown root:root $keyfiledir/*
 	chmod 000 $keyfiledir/*
 }
 error() {
 	echo "Error: $1"
 	exit $?
 }
 #creates a new file
 create_loopback_and_open() {
 	# echo "Creating a file with random bits.. this could take a while..."
 	systemd-notify --status="Creating a file with random bits.. this could take a while..."
 	mkdir -p $loopdir || error "Creating loopdir"
 	mkdir -p $mountpoint || error "Creating mountpoint"
 	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
 	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
 	echo "Selected loop device: $loopdevice"
 	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
 	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
 	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
 	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
 	systemd-notify --ready --status="Sucessfully mounted secure storage"
 }
 #mounts crypted loopback file
 open() {
 	#echo "Open secure-storage"
 	systemd-notify --status="Open secure storage"
 	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
 	echo "Selected loop device: $ld"
 	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
 	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
 	systemd-notify --ready --status="Sucessfully mounted secure storage"
 }
 #unmounts previously mounted loopback file
 close() {
 	echo "Close secure-storage"
 	# get loopdevice
 	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
 	umount $mountpoint
 	cryptsetup close $cryptmapper
 	losetup -d $loopdevice
 }
 if [ $# -eq 1 ]
 then
 	#echo "Parameter detected"
 	$1
 	exit 0
 fi
 if [ -e $keyfile ]
 then
 	#echo "Key file available"
 	if [ -e $loopfile ]
 	then
 		#echo "Loop file available"
 		open
 	else
 		#echo "Loop file not available"
 		create_loopback_and_open
 	fi
 else
 	#echo "Key file not available"
 	create_keyfile
 	create_loopback_and_open
 fi
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
@ -0,0 +1,12 @@
 [Unit]
 Description=Secure Storage Service
 RequiresMountsFor=/usr/local/data
 [Service]
 Type=notify
 ExecStart=/usr/bin/sec-storage-loopback.sh
 TimeoutSec=300
 [Install]
 WantedBy=local-fs.target
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
@ -0,0 +1,34 @@
 SUMMARY = "Provides a Secure Storage"
 DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
 AUTHOR = "Patrick Vogelaar"
 LICENSE = "CLOSED"
 SRC_URI = "\
    file://sec-storage-loopback.sh \
    file://secure-storage.service \
    "
 S = "${WORKDIR}"
 inherit systemd
 FILES:${PN} += "\
    /usr/local/data/ \
    ${systemd_unitdir}/system \
    ${bindir}/sec-storage-loopback.sh \
    ${systemd_unitdir}/system/secure-storage.service \
    "
 do_install() {
    install -d ${D}$/usr/local/data/
    install -d ${D}${bindir}
    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
    install -d ${D}${systemd_unitdir}/system
    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
 }
 SYSTEMD_SERVICE:${PN} = "secure-storage.service"
 SYSTEMD_AUTO_ENABLE = "enable"
 RDEPENDS:${PN} += "cryptsetup util-linux-losetup e2fsprogs-mke2fs"
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
@ -37,3 +37,6 @@ case $ROOT_PARTLABEL in
        exit 1
        ;;
 esac
 echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
 SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
@ -24,3 +24,8 @@ CONFIG_DISKPART=y
 CONFIG_DISKPART_FORMAT=y
 CONFIG_FAT_FILESYSTEM=y
 CONFIG_EXT_FILESYSTEM=y
 CONFIG_SIGNED=y
 CONFIG_SIGNED_IMAGES=y
 CONFIG_SIGALG_RAWRSA=n
 CONFIG_SIGALG_CMS=y
 CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
@ -1,7 +1,12 @@
 inherit features_check
 REQUIRED_DISTRO_FEATURES = "swupdate"
 # File in the swupdate subdirectory of this recipe should overwrite the
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
 DEPENDS += "cos-certificates-and-keys-native"
 SRC_URI += "\
    file://50-webserver-config.sh \
    file://25-sw-collections-config.sh \
@ -9,7 +14,6 @@ SRC_URI += "\
 PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
 # Don't use /www as the web root
 wwwdir = "${datadir}/swupdate-www"
@ -35,9 +39,15 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
 # configuration to be installed
 RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"
 inherit coreos-efi-secureboot
 do_install:append() {
    # Probably replace revision with the value of the device tree
    install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
    install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
    install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
    echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
 }
 # Fix: libgcc_s.so.1 must be installed for pthread_exit to work
 RDEPENDS:${PN} += "libgcc"
--- a/layers/meta-belden-coreos/recipes-test/bats/bats-assert_2.1.0.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats-assert_2.1.0.bb
@ -0,0 +1,15 @@
 SUMMARY = "Common assertions for Bats"
 DESCRIPTION = "bats-assert is a helper library providing common assertions for \
               Bats."
 HOMEPAGE = "https://github.com/bats-core/bats-assert"
 LICENSE = "CC0-1.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
 PV = "2.1.0"
 SRC_URI = "git://github.com/bats-core/bats-assert.git;protocol=https;branch=master"
 SRCREV = "78fa631d1370562d2cd4a1390989e706158e7bf0"
 S = "${WORKDIR}/git"
 inherit bats-library
 RDEPENDS:${PN} += "bats-support"
--- a/layers/meta-belden-coreos/recipes-test/bats/bats-file_git.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats-file_git.bb
@ -0,0 +1,15 @@
 SUMMARY = " Common filesystem assertions for Bats"
 DESCRIPTION = "bats-file is a helper library providing common filesystem \
               related assertions and helpers for Bats."
 HOMEPAGE = "https://github.com/bats-core/bats-file"
 LICENSE = "CC0-1.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
 PV = "0.3.0+${SRCPV}"
 SRC_URI = "git://github.com/bats-core/bats-file.git;protocol=https;branch=master"
 SRCREV = "cb914cdc176da00e321d3bc92f88383698c701d6"
 S = "${WORKDIR}/git"
 inherit bats-library
 RDEPENDS:${PN} += "bats-support"
--- a/layers/meta-belden-coreos/recipes-test/bats/bats-support_0.3.0.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats-support_0.3.0.bb
@ -0,0 +1,13 @@
 SUMMARY = "Supporting library for Bats test helpers"
 DESCRIPTION = "bats-support is a supporting library providing common \
               functions to test helper libraries written for Bats."
 HOMEPAGE = "https://github.com/bats-core/bats-support"
 LICENSE = "CC0-1.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
 PV = "0.3.0"
 SRC_URI = "git://github.com/bats-core/bats-support.git;protocol=https;branch=master"
 SRCREV = "3c8fadc5097c9acfc96d836dced2bb598e48b009"
 S = "${WORKDIR}/git"
 inherit bats-library
--- a/layers/meta-belden-coreos/recipes-test/bats/bats_1.10.0.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats_1.10.0.bb
@ -0,0 +1,35 @@
 # backported from oe-core master 
 SUMMARY = "Bash Automated Testing System"
 DESCRIPTION = "Bats is a TAP-compliant testing framework for Bash. It \
 provides a simple way to verify that the UNIX programs you write behave as expected."
 HOMEPAGE = "https://github.com/bats-core/bats-core"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2970203aedf9e829edb96a137a4fe81b"
 SRC_URI = "\
  git://github.com/bats-core/bats-core.git;branch=master;protocol=https \
  "
 # v1.10.0
 SRCREV = "f7defb94362f2053a3e73d13086a167448ea9133"
 S = "${WORKDIR}/git"
 # Numerous scripts assume ${baselib} == lib, which is not true.
 #
 do_configure:prepend() {
 	for f in ${S}/libexec/bats-core/* ${S}/lib/bats-core/* ; do
 		sed -i 's:\$BATS_ROOT/lib/:\$BATS_ROOT/${baselib}/:g' $f
 	done
 }
 do_install() {
 	# Just a bunch of bash scripts to install
 	${S}/install.sh ${D}${prefix} ${baselib}
 }
 RDEPENDS:${PN} = "bash"
 FILES:${PN} += "${libdir}/bats-core/*"
 PACKAGECONFIG ??= "pretty"
 PACKAGECONFIG[pretty] = ",,,ncurses"
--- a/layers/meta-belden-marvell-bsp/conf/layer.conf
+++ b/layers/meta-belden-marvell-bsp/conf/layer.conf
@ -9,5 +9,5 @@ BBFILE_COLLECTIONS += "meta-belden-marvell-bsp"
 BBFILE_PATTERN_meta-belden-marvell-bsp = "^${LAYERDIR}/"
 BBFILE_PRIORITY_meta-belden-marvell-bsp = "6"
-LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos"
+LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos meta-arm"
 LAYERSERIES_COMPAT_meta-belden-marvell-bsp = "kirkstone"
--- a/layers/meta-belden-marvell-bsp/conf/machine/include/cn913x.inc
+++ b/layers/meta-belden-marvell-bsp/conf/machine/include/cn913x.inc
@ -26,7 +26,7 @@ UBOOT_LOADADDRESS = "0x7000000"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-netmodule"
 PREFERRED_VERSION_linux-netmodule ?= "git-5.15-solidrun"
-PREFERRED_VERSION_trusted_firmware_a ?= "2.3-solidrun"
+PREFERRED_VERSION_trusted_firmware_a = "2.6"
 KERNEL_IMAGETYPE = "Image"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/README.md
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/README.md
@ -1,28 +0,0 @@
 # trusted-firmware-a
 trusted-firmware-a recipes was copied from:
 meta-arm/meta-arm/recipes-bsp/trusted-firmware-a
 Repo:  git://git.yoctoproject.org/meta-arm
 Branch: kirkstone
 Git SHA: 78fce73c3803aba82149a3a03fde1b708f5424fa
 Theses files were copied:
 - trusted-firmware-a.inc
 - files/ssl.patch
 Theses files were created, by doing the same as done in meta-arm/meta-arm-bsp
 but using the same revision and make flags as in https://github.com/SolidRun/cn913x_yocto_meta.git
 - trusted-firmware-a_2.3.bb
 Theses files were copied from https://github.com/SolidRun/cn913x_yocto_meta.git
 - files/mrvl_scp_bl2.img
 - files/000*.patch
 More info about how to use trusted-firmware-a for Marvell can be found at
 https://trustedfirmware-a.readthedocs.io/en/latest/plat/marvell/armada/build.html
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch
@ -1,14 +1,14 @@
-From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
+From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 22 Nov 2021 13:33:25 +0200
-Subject: [PATCH 2/2] ddr spd read failover to defualt config
+Subject: [PATCH] ddr spd read failover to defualt config
 ---
 .../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
 1 file changed, 93 insertions(+), 7 deletions(-)
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 0befadfc6..5de71f095 100644
+index 82ce07b09..bb7814e9b 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
@@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644
 {
 	struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
@@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
- 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
+ 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
 		/* read data from spd */
 -		i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644
 +			set_param_based_on_som_strap();
 	}
 }
 -- 
 2.25.1
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch
@ -1,15 +1,16 @@
-From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001
+From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 6 Dec 2021 18:34:37 +0200
 Subject: [PATCH] som sdp failover using crc verification
 Signed-off-by: Alon Rotman <alon.rotman@solid-run.com>
 ---
 .../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++-------
 1 file changed, 41 insertions(+), 22 deletions(-)
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 5de71f095..d59b8100d 100644
+index bb7814e9b..772774215 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
@@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644
 +	
 	}
 }
 -- 
 2.25.1
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch
@ -1,52 +0,0 @@
 fiptool: respect OPENSSL_DIR
 fiptool links to libcrypto, so as with the other tools it should respect
 OPENSSL_DIR for include/library paths.
 Upstream-Status: Submitted
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 diff --git a/Makefile b/Makefile
 index ec6f88585..2d3b9fc26 100644
 --- a/Makefile
 +++ b/Makefile
@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
 ${FIPTOOL}: FORCE
 ifdef UNIX_MK
 -	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
 +	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
 else
 # Clear the MAKEFLAGS as we do not want
 # to pass the gnumake flags to nmake.
 diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
 index 11d2e7b0b..7c2a08379 100644
 --- a/tools/fiptool/Makefile
 +++ b/tools/fiptool/Makefile
@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
 PROJECT := $(notdir ${FIPTOOL})
 OBJECTS := fiptool.o tbbr_config.o
 V ?= 0
 +OPENSSL_DIR := /usr
 +
 override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
 HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
 else
   HOSTCCFLAGS += -O2
 endif
 -LDLIBS := -lcrypto
 +LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
 ifeq (${V},0)
   Q := @
@@ -28,7 +30,7 @@ else
   Q :=
 endif
 -INCLUDE_PATHS := -I../../include/tools_share
 +INCLUDE_PATHS := -I../../include/tools_share  -I${OPENSSL_DIR}/include
 HOSTCC ?= gcc
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3-solidrun.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3-solidrun.bb
@ -1,9 +1,8 @@
-require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+# CN913x specific TFA support
-PV = "2.3+git${SRCPV}"
+COMPATIBLE_MACHINE = "cn913x"
 SRCREV_tfa = "00ad74c7afe67b2ffaf08300710f18d3dafebb45"
-LIC_FILES_CHKSUM += "file://docs/license.rst;md5=189505435dbcdcc8caa63c46fe93fa89"
+DEPENDS += "mv-ddr-marvell coreutils-native"
 SRC_URI +=  " \
    file://0001-ddr-spd-read-failover-to-defualt-config.patch \
@ -11,10 +10,6 @@ SRC_URI +=  " \
    file://mrvl_scp_bl2.img \
 "
 COMPATIBLE_MACHINE = "cn913x"
 DEPENDS += "mv-ddr-marvell coreutils-native"
 CP_NUM:cn9131-bldn-mbv = "2"
 CP_NUM:cn9130-cf-pro = "1"
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
@ -0,0 +1,8 @@
 # Machine specific TFAs
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 MACHINE_TFA_REQUIRE ?= ""
 MACHINE_TFA_REQUIRE:cn913x = "trusted-firmware-a-cn913x.inc"
 require ${MACHINE_TFA_REQUIRE}
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2019.10-solidrun.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2019.10-solidrun.bb
@ -51,7 +51,6 @@ SRC_URI = "git://git.denx.de/u-boot.git;branch=master \
 S = "${WORKDIR}/git"
 require recipes-bsp/u-boot/u-boot.inc
 require recipes-bsp/u-boot/u-boot-coreos.inc
 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2023.04-marvell.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2023.04-marvell.bb
@ -30,7 +30,6 @@ SRC_URI = "git://source.denx.de/u-boot/custodians/u-boot-marvell.git;branch=mast
 S = "${WORKDIR}/git"
 require recipes-bsp/u-boot/u-boot.inc
 require recipes-bsp/u-boot/u-boot-coreos.inc
 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"
--- a/Show More
+++ b/Show More
		`@ -1 +1 @@`
			`Subproject commit 0c6f86b60cfba67c20733516957c0a654eb2b44c`				`Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607`
		`@ -0,0 +1 @@`
							`Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446`
		`@ -0,0 +1 @@`
							`Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6`
		`@ -1 +1 @@`
			`Subproject commit bdad2a789e30703a825b876279665720d06d55dc`				`Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b`
		`@ -1 +1 @@`
			`Subproject commit d1d4abfaf82d37c31e3cec3602d6d8d56d105185`				`Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c`
		`@ -0,0 +1 @@`
							`Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720`
		`@ -1 +1 @@`
			`Subproject commit b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d`				`Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846`
		`@ -1 +1 @@`
			`Subproject commit a70209cc6b111957b8dda9190e1291911a52286b`				`Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33`
		`@ -1,2 +0,0 @@`
			`FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"`
			`require u-boot-coreos.inc`
		`@ -0,0 +1,2 @@`
							`CONFIG_F71808E_WDT=y`
							`CONFIG_WATCHDOG_SYSFS=y`