Pull request #186 : Various small changes

Merge in ICO/coreos from various_small_changes to master * commit 'a0910ef3ff70a53ea410ba205e36a2f5620481b3': chore(submodules): update third-party submodules feat(coreos-supportd-pkgs): create list of CoreOS supported packages chore(belden-coreos): move the initial timestamp to a generic file fix(swupdate): add libgcc as a dependency to terminate swupdate correctly feat(eagle40-03): strip out unused MACHINE_FEATURES for eagle40-03
chore(submodules): update third-party submodules
2024-04-08 12:39:55 +02:00 · 2024-04-08 11:17:55 +02:00 · 2024-04-08 11:17:55 +02:00 · 2024-04-03 12:10:07 +00:00 · 2024-04-03 12:04:37 +00:00 · 2024-04-03 11:59:53 +00:00
120 changed files with 2197 additions and 6855 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -2,31 +2,35 @@
 	path = bitbake
 	url = ssh://git@bitbucket.gad.local:7999/ico/bitbake.git
 	branch = 2.0
-[submodule "layers/openembedded-core"]
+[submodule "openembedded-core"]
 	path = external-layers/openembedded-core
 	url = ssh://git@bitbucket.gad.local:7999/ico/openembedded-core.git
 	branch = kirkstone
-[submodule "layers/meta-openembedded"]
+[submodule "meta-openembedded"]
 	path = external-layers/meta-openembedded
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-openembedded.git
 	branch = kirkstone
-[submodule "layers/meta-virtualization"]
+[submodule "meta-virtualization"]
 	path = external-layers/meta-virtualization
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
 	branch = kirkstone
-[submodule "layers/meta-efibootguard"]
+[submodule "meta-efibootguard"]
 	path = external-layers/meta-efibootguard
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-efibootguard.git
 	branch = master
-[submodule "layers/meta-swupdate"]
+[submodule "meta-swupdate"]
 	path = external-layers/meta-swupdate
 	url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
 	branch = kirkstone
-[submodule "external-layers/meta-arm"]
+[submodule "meta-arm"]
 	path = external-layers/meta-arm
-	url = git://git.yoctoproject.org/meta-arm
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-arm.git
 	branch = kirkstone
-[submodule "external-layers/meta-ti"]
+[submodule "meta-ti"]
 	path = external-layers/meta-ti
-	url = git://git.yoctoproject.org/meta-ti
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-ti.git
 	branch = kirkstone
+[submodule "meta-lts-kernel-mixin"]
+	path = external-layers/meta-lts-kernel-mixin
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-lts-mixins.git
+	branch = coreos/kirkstone/kernel
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -2,9 +2,9 @@
    "recommendations": [
        "ms-vscode.makefile-tools",
        "timonwong.shellcheck",
-        "eugenwiens.bitbake",
        "kweihmann.oelint-vscode",
        "lextudio.restructuredtext",
-        "trond-snekvik.simple-rst"
+        "trond-snekvik.simple-rst",
+        "yocto-project.yocto-bitbake"
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,12 +1,47 @@
 {
    "files.watcherExclude": {
-        "**/build/cache/**": true,
-        "**/build/downloads/**": true,
-        "**/build/sstate-cache/**": true,
-        "**/build/tmp/**": true,
-        "**/documentation/_build/**": true,
-        "**/build/workspace": true
+        "**/build/**": true,
+        "**/_build/**": true,
    },
+    "search.exclude": {
+        "**/build/**": true,
+        "**/_build/**": true,
+    },
+    "C_Cpp.files.exclude": {
+        "**/build": true,
+        "**/_build": true,
+    },
+    "python.analysis.exclude": [
+        "**/build/**",
+        "**/_build/**",
+    ],
    "python.formatting.provider": "black",
-    "editor.rulers": [80,100,120]
+    "editor.rulers": [80,100,120],
+    "bitbake.pathToBuildFolder": "${workspaceFolder}/build",
+    "bitbake.pathToEnvScript": "${workspaceFolder}/coreos-init-build-env",
+    "bitbake.pathToBitbakeFolder": "${workspaceFolder}/bitbake",
+    "python.autoComplete.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "python.analysis.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "[python]": {
+        "diffEditor.ignoreTrimWhitespace": false,
+        "gitlens.codeLens.symbolScopes": [
+            "!Module"
+        ],
+        "editor.formatOnType": true,
+        "editor.wordBasedSuggestions": "off",
+        "files.trimTrailingWhitespace": false
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "files.trimTrailingWhitespace": false
+    },
+    "bitbake.sdkImage": "coreos-image-minimal",
+    "bitbake.workingDirectory": "${workspaceFolder}",
+    "task.saveBeforeRun": "always",
 }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 0c6f86b60cfba67c20733516957c0a654eb2b44c
+Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607
--- a/8
+++ b/8
@ -87,6 +87,8 @@ coreos-bblayers-envsub COREOS_LAYERSDIR "${COREOS_ROOT}/layers"
 # Add support for ##COREOS_EXTLAYERSDIR## inside of bblayer template
 coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"

-# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything it
-# the directory already exist, so it's safe to call it everytime
-coreos-keygen > /dev/null 2> /dev/null
+# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything
+# if the directory already exist so it's safe to call it everytime
+# stdout is redirected to reduce the amount of output but not stderr
+#
+#Note: if a final build is detected all the dev keys are deleted
--- a/documentation/.vscode/extensions.json
+++ b/documentation/.vscode/extensions.json
@ -0,0 +1,7 @@
+{
+    "recommendations": [
+        "ms-vscode.makefile-tools",
+        "lextudio.restructuredtext",
+        "trond-snekvik.simple-rst"
+    ]
+}
--- a/documentation/.vscode/settings.json
+++ b/documentation/.vscode/settings.json
@ -0,0 +1,12 @@
+{
+    "files.watcherExclude": {
+        "**/_build/**": true,
+    },
+    "python.formatting.provider": "black",
+    "editor.rulers": [
+        80,
+        100,
+        120
+    ],
+    "esbonio.sphinx.confDir": ""
+}
--- a/documentation/boot/index.rst
+++ b/documentation/boot/index.rst
@ -11,3 +11,4 @@ Belden CoreOS Boot Concepts

   overview
   uboot
+   secure-boot
--- a/documentation/boot/secure-boot.rst
+++ b/documentation/boot/secure-boot.rst
@ -0,0 +1,268 @@
+*******************
+Secure Boot Concept
+*******************
+
+Currently CoreOS provide a Proof Of Concept of some of the secure boot element that we want to 
+implement a full secure-boot solution based on UEFI secure boot.
+
+The current proof of concept is structured as follows:
+
+Hardware Requirements
+=====================
+   
+   - The device must have an `eMMC`.
+   - The architecture of the device must be either `ARM32` or `AARCH64`.
+
+
+eMMC Embedded MultiMediaCard
+============================
+
+eMMC, or Embedded MultiMediaCard, represents a prevalent storage format in devices such as 
+smartphones, tablets, and other embedded systems. It encapsulates NAND flash memory and a dedicated
+controller within one package. This structure not only eases integration for device manufacturers
+but also ensures a compact, efficient storage medium.
+
+Within eMMC's architecture, distinct hardware partitions cater to diverse operational demands:
+
+.. graphviz::
+
+    digraph emmcStructure {
+        rankdir=TB;
+        node [shape=box, style=filled, fillcolor="#e6f2ff"];
+        edge [color="#0099cc", fontsize=12];
+
+        compound=true;
+
+        subgraph cluster_eMMC {
+            label="eMMC";
+            color="#0099cc";
+
+            Boot0 [label="Boot0"];
+            Boot1 [label="Boot1"];
+            RPMB [label="RPMB"];
+
+            subgraph cluster_User {
+                label="User";
+                color="#00cc99";
+                GPT [label="GPT Table"];
+
+                subgraph cluster_GPT {
+                    label="Software Partitions (GPT)";
+                    color="#99e6e6";
+
+                    SoftwarePartition1 [label="Partition 1"];
+                    SoftwarePartition2 [label="Partition 2"];
+                    SoftwarePartitionN [label="Partition N"];
+                }
+            }
+        }
+    }
+
+
+#. **Boot0 and Boot1**: The boot partitions cater to device start-up requirements, typically hosting
+   the firmware. Boot0 predominantly initiates the boot-up, while Boot1 stands as a secondary guard 
+   or backup, ensuring booting is resilient and failsafe.
+
+#. **RPMB (Replay Protected Memory Block)**: As a secure partition, RPMB shelters data against
+   potential tampering. It's tailored for sensitive information storage, such as cryptographic keys.
+   Its design counters data replays or rollbacks, fortifying against particular attack types.
+
+#. **User**: The primary storage domain, the User partition accommodates the OS, applications,
+   and user-centric data. It's reminiscent of the primary storage drive in larger computing devices.
+   Importantly, the User partition has a layered structure. Using the GPT (GUID Partition Table), it
+   is further divided into multiple software partitions, which can house diverse datasets or file
+   systems.
+
+The boot concept of CoreOS rely on the presence of an eMMC to implement the following feature:
+
+- Storage of two copy of the firmware with a way to switch from a copy to another using the eMMC
+  boot0 and boot1 hardware partition
+- Storage of keys used by the UEFI Secure Key specification inside the secure RPMB hardware
+  partition.
+- Storage of the bootloader, kernel and rootfs inside the user hardware partition using multiple
+  software partition in the GPT format.
+
+Firmware
+========
+
+The firmware of the device should implement a subset of the UEFI specification as defined in the
+ARM Base Boot Requirements (EBBR) and should implement the optional UEFI Secure Boot part of the
+EBBR specifications.
+
+This is done in CoreOS by levering the built-in EBBR and UEFI Secure Boot present into the u-boot
+project.
+
+The hardware should verify the validity of the firmware using a hardware specific way. Then the
+generic secure boot concept explained here can be used to valide all the following component of
+CoreOS.
+
+UEFI Key used by UEFI Secure Boot
+=================================
+
+
+- **PK (Platform Key)**: This top-tier key shoulders the responsibility of KEK verification and its
+  potential revocation. PK holders have the exclusive privilege to configure the KEK and the `db`
+  database. It's the gatekeeper ensuring only authorized software can touch the firmware or
+  bootloader.
+
+- **KEK (Key Exchange Key)**: As a medium for data exchange, the KEK is pivotal for signing the `db`
+  and `dbx` databases.
+  
+- **db (Allowed Database)**: This is the white list. It houses the keys or hashes of permitted
+  firmware and OS loaders. Execution is only granted to software with a signature that resonates
+  with the keys/hashes in this database.
+  
+- **dbx (Forbidden Database)**: The black sheep are here. Housing keys or hashes of known
+  unauthorized software, it ensures any associated software is prohibited from executing.
+
+Currently all theses public keys are built-in into u-boot at build time and are read only. In the
+future we will use the OP-TEE support into u-boot to use OP-TEE to manage the keys.
+
+OP-TEE and RPMB as key manager
+==============================
+
+OP-TEE, or Open Portable Trusted Execution Environment, is an open-source implementation of the
+Trusted Execution Environment (TEE) designed for ARM-powered platforms. In essence, a TEE is a
+secure enclave that provides a separated, isolated environment where specific applications and their
+data can run independently from the regular operating system, ensuring they are protected against
+potential tampering or unauthorized access.
+
+OP-TEE guarantees confidentiality, integrity, and authenticity for critical applications by
+executing them in this secure space. It offers a wide range of security features, including secure
+storage of cryptographic keys, secure boot, and hardware-backed crypto operations.
+
+In the context of UEFI secure boot, OP-TEE becomes instrumental. UEFI's secure boot mechanism
+ensures that only trusted, signed firmware, OS loaders, and OS kernels are executed during the boot
+process. To enforce this level of trust, UEFI relies on a set of cryptographic keys, including PK
+(Platform Key), KEK (Key Exchange Key), and db/dbx (allowed and forbidden signature databases).
+Safeguarding these keys is paramount to maintain the security and integrity of the boot process.
+
+By leveraging OP-TEE, these UEFI secure boot keys can be securely stored in the RPMB (Replay
+Protected Memory Block) partition of the eMMC. The RPMB is a write-protected, secure area of the
+eMMC designed to hold sensitive data and protect it against tampering and replay attacks.
+Since OP-TEE manages secure access to the RPMB partition, it ensures that the UEFI secure boot keys
+are not only safely stored but are also accessible only by authorized firmware components.
+
+eMMC User Partition
+===================
+
+The user partition of the eMMC must be structured using the GPT (GUID Partition Table) format.
+
+Within the GPT-formatted user partition, specific partitions should be established for efficient
+booting and system operation:
+
+1. **EFI**: This is the Essential Firmware Interface partition. It holds the `efibootguard`
+   os-loader binary, responsible for the boot sequence's initial steps and the kernel's selection
+   based on its configuration. This binary is signed with a key present in the `dbx` database
+
+2. **EBG0 - Efibootguard Config 0**: This partition houses the `efibootguard` configuration for the
+   first kernel option. Alongside the configuration file, it also contains a Unified Kernel Image
+   (UKI), a bundled package comprising the Linux kernel, device trees, and associated boot
+   components. The UKI is signed with a key present in the `dbx` database
+
+3. **EBG1 - Efibootguard Config 1**: Similar to EBG0, this partition carries the `efibootguard`
+   configuration for the second kernel option. It too holds a Unified Kernel Image tailored for this
+   alternate boot choice.
+
+4. **rootfs0**: This partition stores the CoreOS root filesystem designed to complement and operate
+   with the kernel embedded in the EBG0 partition. It provides the essential system files and 
+   structures required for the operating system's functioning when the kernel from EBG0 is booted. 
+   Integrety of this rootfs is assured by storing an hash of the rootfs inside the UKI image.
+
+5. **rootfs1**: Analogous to `rootfs0`, this partition houses the CoreOS root filesystem tailored
+   for the kernel within the EBG1 partition. It ensures that, should the system boot from the kernel
+   in EBG1, the appropriate file structures and system components are readily available.
+
+EFIBootGuard Configuration
+==========================
+
+Efibootguard, as a part of its design, employs a configuration system to determine the appropriate
+kernel and associated resources to boot from. This configuration is stored in distinct partitions, 
+EBG0 and EBG1, each holding its configuration file.
+
+The configuration file itself comprises several fields, but most crucially, it contains a revision
+field. This field is a numerical identifier indicating the version or update level of the contained
+kernel and resources. When the system initiates its boot sequence, Efibootguard assesses the
+revision values in both the EBG0 and EBG1 configuration files.
+
+The selection process is straightforward yet robust: Efibootguard chooses the partition with the
+higher revision value. By doing so, it inherently opts for the most recent or updated kernel version
+available. However, this system also supports failover mechanisms. In case the kernel in the
+partition with the higher revision encounters issues during boot, Efibootguard can revert to the
+other partition, ensuring resilience and continuity in system operations.
+
+Moreover, the choice isn't rigidly fixed. When the system undergoes updates, the configuration files
+can be rewritten, and the revision values adjusted, allowing for dynamic and flexible booting in
+line with system evolutions and updates. In essence, Efibootguard, with its configuration-based
+approach, ensures a blend of up-to-date system booting and built-in fail-safes for dependable
+operation.
+
+Unified Kernel Image
+====================
+
+After having choosen the right configuration file, Efibootguard takes on the responsibility of
+launching the Unified Kernel Image (UKI) linked with the active configuration. This image bundle
+together essential boot components like the Linux kernel, device trees, and the kernel command
+line. The secure initiation of this image is paramount, and Efibootguard ensures this by leveraging
+UEFI's start_image system call.
+
+The UEFI start_image system call  verifies the image's signature against the Secure Boot keys
+(PK, KEK, db, and potentially dbx). If the signature matches, indicating that the image is trusted
+and hasn't been tampered with, the image is permitted to execute. If not, the booting halts,
+preventing any unauthorized or potentially malicious code from running.
+
+Once the UKI has been securely initiated, it undertakes multiple tasks. It first extracts the
+necessary components from the bundled package, identifying and utilizing the appropriate device
+trees based on `compatible` node, by matching with the `compatible` node of the `device-tree` that
+is built into the firmware. These device trees inform the system about the hardware configuration,
+ensuring the kernel interacts correctly with the system's components. 
+
+The UKI os-launcher also has CoreOS specialized patches, enabling dynamic rootfs switching without
+requiring an initramfs by changing the `root=` part of the kernel command line at run time to
+point to the right rootfs partition.
+
+RootFS and dm-verity
+====================
+
+dm-verity is a Linux kernel feature designed to provide transparent integrity checking of block
+devices, particularly for read-only file systems. Rooted in cryptographic principles, dm-verity
+employs a hash-based approach to ensure and validate the integrity of the root filesystem (rootfs).
+
+The way dm-verity operates is by building a Merkle tree, a structure where each leaf node contains a
+hash of a block of the underlying data, while each non-leaf node is a hash of its children. The
+topmost node, the root of the Merkle tree, provides a cumulative hash representing the entirety of
+the data. This top hash, known as the root hash, serves as a concise, cryptographic representation
+of the entire filesystem's state.
+
+When integrating dm-verity with the Unified Kernel Image (UKI), an additional layer of security is
+established. By embedding the root hash into the signed UKI, any tampering or modification in the
+rootfs can be swiftly detected. When the system boots, the UKI, being signed, ensures that the
+embedded root hash is legitimate and untampered. As the OS accesses the rootfs, dm-verity
+recalculates the hash values in real-time and compares them to the values in the original Merkle
+tree, referenced by the embedded root hash.
+
+If any discrepancies are found – that is, if the recalculated hash doesn't match the stored value –
+it indicates potential tampering, and the OS can halt access or take appropriate measures. 
+
+.. graphviz::
+
+    digraph SecureBootFlow {
+        rankdir=TB;
+
+        node [shape=box, style=filled, fillcolor="#e6f2ff"];
+        edge [color="#0099cc", fontsize=12];
+
+        Hardware [label="Hardware\n(ARM32/AARCH64 with eMMC)"];
+        Firmware [label="u-boot Firmware\n(UEFI EBRR subset)"];
+        eMMCConfig [label="eMMC Configuration\n(GPT with EFI partition)"];
+        EFIBootGuard [label="EFIBootGuard\n(A/B Kernel Switching)"];
+        UnifiedKernel [label="Unified Kernel Image\n(Kernel, cmd line, DTB)"];
+        KernelAndRootFS [label="Kernel & RootFS\n(dm-verity validation)"];
+
+        Hardware -> Firmware [label="Flashed with u-boot\n+ Built-in keys"];
+        Firmware -> eMMCConfig [label="eMMC boot"];
+        eMMCConfig -> EFIBootGuard [label="Boots from EFI partition"];
+        EFIBootGuard -> UnifiedKernel [label="Selects kernel A/B"];
+        UnifiedKernel -> KernelAndRootFS [label="Kernel boot\n+ RootFS verification"];
+
+    }
--- a/documentation/components/optional/installer.rst
+++ b/documentation/components/optional/installer.rst
@ -3,33 +3,35 @@
 CoreOS Installer
 ****************

-The CoreOS installer is a set of script running on the target and a
+The CoreOS installer is a set of scripts running on the target and a
 corresponding bitbake image that is used into the bootstrap process of CoreOS.

 coreos-image-installer
 ======================

-The CoreOS installer image is a single binary EFI file that include a kernel,
-device tree and an initramfs with all the tools needed to install CoreOS.
+The CoreOS image installer results in an image contairing only a single binary
+EFI file. This EFI file includes a kernel, a device tree and an initramfs with
+all (and only) the tools needed to install CoreOS.

-An installer image is automatically built in parallel of a normal image.
-This can be deactivated by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 0.
+The installer image is not automatically built in parallel of a normal image.
+This can be changed by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 1 in the
+image file (as it is done for example in coreos-image-all-features.bb).

 The installer image build by default only a single EFI binary named
-coreos-installer-MACHINE.efi. An SDCard image can be generate if
+coreos-installer-MACHINE.efi. An SDCard or USB image can be generated if
 `COREOS_INSTALLER_WKS_FILE` is set to a wks file.

 coreos-installer
 ================

-The coreos-installer recipe installs some script that is used at startup
-to automatically format the internal emmc of the device. It also contains
+The coreos-installer recipe installs scripts that are used at startup to
+automatically format the internal emmc of the device. The recipe also contains
 a swupdate configuration file to setup swupdate correctly for that use case.

 coreos-installer-config
 =======================

 The coreos-installer-config recipe installs device specific configuration file
-used by the coreos-installer. This includes the partitionner config file. Distro
-and project based on CoreOS can change the partionning scheme or partition size
+used by the coreos-installer. This includes the partitioner config file. Distros
+and projects based on CoreOS can change the partioning scheme or partition size
 by installing their own version of this package using a `bbappend file`.
--- a/documentation/index.rst
+++ b/documentation/index.rst
@ -40,6 +40,7 @@ same structures.

   Installation Manual <installation/index>
   Reference Manual <ref-manual/index>
+   Testing Manual <testing/index>
   Boot Concepts <boot/index>
   Best Practices <best_practices/index>

--- a/documentation/testing/bats.rst
+++ b/documentation/testing/bats.rst
@ -0,0 +1,354 @@
+.. index:: BATS
+
+************************************
+BATS - Bash Automated Testing System
+************************************
+
+The CoreOS distribution supports writing tests using shell syntax by providing the `bats` command.
+
+If you want to use `bats`, you will need the following CoreOS packages:
+
+- bats
+- bats-file
+- bats-assert
+
+Overview of BATS
+================
+
+A BATS test can be as simple as a single .bats file. For example:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+   
+    bats_load_library bats-support
+    bats_load_library bats-assert
+
+    @test "can output to stdout" {
+        run echo hello
+        assert_output 'hello'
+    }
+
+You can run it using the command `bats <filename>.bats`
+
+This will give you the following output:
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats <filename>.bats 
+    <filename>.bats
+    ✓ can output to stdout
+
+    1 test, 0 failures
+
+The run command
+================
+
+In shell tests, you often need to run commands and capture their output, exit
+status, and error messages. The run command provided by `bats` allows you to
+execute commands within your test cases and collect this information for later
+assertion and validation.
+
+The run command will make the following variables available:
+
+- `${status}`: exit code of the command run by `run`
+- `${output}`: combined content of `stdout` and `stderr`
+- `${lines[@]}`: array of lines of the output
+- `${BATS_RUN_COMMAND}`: command run by the `run` command
+
+.. code-block:: bash
+
+    @test "invoking foo with a nonexistent file prints an error" {
+        run foo nonexistent_filename
+        [ "$status" -eq 1 ]
+        [ "$output" = "foo: no such file 'nonexistent_filename'" ]
+        [ "$BATS_RUN_COMMAND" = "foo nonexistent_filename" ]
+
+    }
+
+The `run` command accepts some parameters:
+
+- `-N`: Expect N as exit status and fail otherwise
+- `-!`: Expect non-zero exit status and fail if the command succeeds.
+- `--keep-empty-lines`: don't remove empty lines from `${lines}`
+- `--separate-stderr`: Use separate variables for stderr `${stderr}` and `${stderr_lines[@]}`
+
+.. code-block:: bash
+
+    @test "invoking foo without arguments prints usage" {
+        run -1 foo
+        [ "${lines[0]}" = "usage: foo <filename>" ]
+    }
+
+The bats-assert helper
+======================
+
+The `bats-assert` helper provides some functions to create more readable tests.
+These assertions use the variables created by the `run` command and can be used
+as follows:
+
+.. code-block:: bash
+
+    @test 'assert_output()' {
+        run echo 'have'
+        assert_output 'want'
+    }
+
+The following functions are provided:
+
+- `assert` and `refute`: Assert that a given expression evaluates to true or false.
+- `assert_equal`: Assert that two parameters are equal.
+- `assert_not_equal`: Assert that two parameters are not equal.
+- `assert_success` and `assert_failure`: Assert that the exit status is 0 or 1.
+- `assert_output` and `refute_output`: Assert that the output does (or does not) contain the given content.
+- `assert_line` and `refute_line`: Assert that a specific line of the output does (or does not) contain the given content.
+- `assert_regex` and `refute_regex`: Assert that a parameter matches (or does not match) the given pattern.
+
+The bats-file helper
+====================
+
+The `bats-file` helper provides functions to help work with files in tests:
+
+**Test File Types:**
+
+- `assert_exists` and `assert_not_exists`: Check if a file or directory exists.
+- `assert_file_exists` and `assert_file_not_exists`: Check if a file exists.
+- `assert_dir_exists` and `assert_dir_not_exists`: Check if a directory exists.
+- `assert_link_exists` and `assert_link_not_exists`: Check if a link exists.
+- `assert_block_exists` and `assert_block_not_exists`: Check if a block special file exists.
+- `assert_character_exists` and `assert_character_not_exists`: Check if a character special file exists.
+- `assert_socket_exists` and `assert_socket_not_exists`: Check if a socket exists.
+- `assert_fifo_exists` and `assert_fifo_not_exists`: Check if a fifo special file exists.
+
+**Test File Attributes:**
+
+- `assert_file_executable` and `assert_file_not_executable`
+- `assert_file_owner` and `assert_file_not_owner`
+- `assert_file_permission` and `assert_not_file_permission`
+- `assert_file_size_equals`
+- `assert_size_zero` and `assert_size_not_zero`
+- `assert_file_group_id_set` and `assert_file_not_group_id_set`
+- `assert_file_user_id_set` and `assert_file_not_user_id_set`
+- `assert_sticky_bit` and `assert_no_sticky_bit`
+
+**Test File Content:**
+
+- `assert_file_empty` and `assert_file_not_empty`
+- `assert_file_contains` and `assert_file_not_contains`
+- `assert_symlink_to` and `assert_not_symlink_to`
+
+**Working with a temporary directory:**
+
+- `temp_make` and `temp_del`
+
+Pre- and Post-test case hooks
+==============================
+
+In some cases, it's useful to have a function that runs before or after each test
+case in a bats file.
+
+A function named `setup` will run before each test case, and a function
+named `teardown` will run after each test case.
+
+This example creates a directory in the setup function but lacks a teardown
+that removes the directory. The second time the setup function is run, the
+setup will fail as the directory already exists:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+
+    bats_load_library bats-support
+    bats_load_library bats-assert
+    bats_load_library bats-file
+
+    setup() {
+        mkdir tmp
+        echo 'a' >> ./tmp/test
+    }
+
+    @test "test contains a single a I" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+    @test "test contains a single a II" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats test.bats 
+    test.bats
+    ✓ test contains a single a I
+    ✗ test contains a single a II
+    (from function `setup' in test file test.bats, line 8)
+        `mkdir tmp' failed
+    mkdir: cannot create directory ‘tmp’: File exists
+
+    2 tests, 1 failure
+
+This can be easily fixed by adding a teardown function:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+
+    bats_load_library bats-support
+    bats_load_library bats-assert
+    bats_load_library bats-file
+
+    setup() {
+        mkdir tmp
+        echo 'a' >> ./tmp/test
+    }
+
+    teardown() {
+        rm -rf ./tmp
+    }
+
+
+
+    @test "test contains a single a I" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+    @test "test contains a single a II" {
+        assert_file_contains ./tmp/test '^a$'
+    }
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats test.bats 
+    test.bats
+     ✓ test contains a single a I
+     ✓ test contains a single a II
+
+    2 tests, 0 failures
+
+Pre- and Post-test file hooks
+=============================
+
+To run some code before executing a test file or after executing it, the
+functions `setup_file` and `teardown_file` can be used.
+
+The last example could be refactored to only create the tmp directory once:
+
+.. code-block:: bash
+
+    #!/usr/bin/env bats
+
+    bats_load_library bats-support
+    bats_load_library bats-assert
+    bats_load_library bats-file
+
+    setup_file() {
+        export DIR="./tmp"
+        export FILE="${DIR}/test"
+        mkdir "${DIR}"
+    }
+
+    teardown_file() {
+        rm -rf "${DIR}"
+    }
+
+    setup() {
+        echo 'a' >> "${FILE}"
+    }
+
+    teardown() {
+        rm "${FILE}"
+    }
+
+    @test "test contains a single a I" {
+        assert_file_contains "${FILE}" '^a$'
+    }
+
+    @test "test contains a single a II" {
+        assert_file_contains "${FILE}" '^a$'
+    }
+
+Multiple files
+==============
+
+With `bats`, a file is a test suite. If you have multiple `bats` files in a
+directory and you provide the directory in the `bats` command line, `bats`
+will execute all the test suites.
+
+Example: `bats .` 
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats .
+    ./first.bats
+    ✓ can run our script
+    ✗ second test
+    (in test file ./first.bats, line 27)
+        `false' failed
+    ./second.bats
+    ✓ multi file
+    ./test.bats
+    ✓ test contains a single a I
+    ✓ test contains a single a II
+
+    5 tests, 1 failure
+
+Pre- and Post-suite hooks
+=========================
+
+If you want to execute the same function before each test suite or after
+each test suite, create a file named `setup_suite.bash`. In this file,
+create a function named `setup_suite()` and another named `teardown_suite()`.
+
+Exporting the test results
+==========================
+
+Test results can be exported using the JUnit XML format. This can then be
+used in other tools and merged with other JUnit XML formats to generate a final
+test report.
+
+Example:
+
+.. code-block:: bash
+
+    sam@SAVE:~/Projects/tests$ bats . -F junit
+
+This will produce the following XML content on stdout:
+
+.. code-block:: xml
+
+    <?xml version="1.0" encoding="UTF-8"?>
+    <testsuites time="0.048">
+    <testsuite name="./first.bats" tests="2" failures="1" errors="0" skipped="0" time="0.025" timestamp="2023-08-16T14:22:15" hostname="SAVE">
+        <testcase classname="./first.bats" name="can run our script" time="0.013" />
+        <testcase classname="./first.bats" name="second test" time="0.012">
+            <failure type="failure">(in test file ./first.bats, line 27)
+    `false&#39; failed</failure>
+        </testcase>
+
+    </testsuite>
+    <testsuite name="./second.bats" tests="1" failures="0" errors="0" skipped="0" time="0.008" timestamp="2023-08-16T14:22:15" hostname="SAVE">
+        <testcase classname="./second.bats" name="multi file" time="0.008" />
+
+    </testsuite>
+    <testsuite name="./test.bats" tests="2" failures="0" errors="0" skipped="0" time="0.015" timestamp="2023-08-16T14:22:15" hostname="SAVE">
+        <testcase classname="./test.bats" name="test contains a single a I" time="0.008" />
+        <testcase classname="./test.bats" name="test contains a single a II" time="0.007" />
+
+    </testsuite>
+    </testsuites>
+
+Going further
+=============
+
+`bats` scripts can be checked with shellcheck for common mistakes.
+
+The `bats-assert` add-on provides many helper functions to perform
+assertions with a more readable syntax than the shell's built-in syntax.
+
+See https://github.com/bats-core/bats-assert
+
+The `bats-file` add-on provides helper functions to check for files. See
+https://github.com/bats-core/bats-file/
+
+You can find a list of projects using `bats` on this page:
+https://github.com/bats-core/bats-core/wiki/Projects-Using-Bats
--- a/documentation/testing/index.rst
+++ b/documentation/testing/index.rst
@ -0,0 +1,15 @@
+
+==============================
+Belden CoreOS Testing Manual
+==============================
+
+This manual is a work on progress on how to test and how to write test for
+CoreOS or CoreOS based distribution.
+
+|
+
+.. toctree::
+   :caption: Table of Contents
+   :numbered:
+
+   bats
--- a/external-layers/meta-arm
+++ b/external-layers/meta-arm
@ -1 +1 @@
-Subproject commit 96aad3b29aa7a5ee4df5cf617a6336e5218fa9bd
+Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446
--- a/external-layers/meta-lts-kernel-mixin
+++ b/external-layers/meta-lts-kernel-mixin
@ -0,0 +1 @@
+Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6
--- a/external-layers/meta-openembedded
+++ b/external-layers/meta-openembedded
@ -1 +1 @@
-Subproject commit bdad2a789e30703a825b876279665720d06d55dc
+Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b
--- a/external-layers/meta-swupdate
+++ b/external-layers/meta-swupdate
@ -1 +1 @@
-Subproject commit d1d4abfaf82d37c31e3cec3602d6d8d56d105185
+Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c
--- a/external-layers/meta-ti
+++ b/external-layers/meta-ti
@ -1 +1 @@
-Subproject commit 51ce439263e9de02a800c0285f2d9c3c6d259676
+Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720
--- a/external-layers/meta-virtualization
+++ b/external-layers/meta-virtualization
@ -1 +1 @@
-Subproject commit b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d
+Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846
--- a/external-layers/openembedded-core
+++ b/external-layers/openembedded-core
@ -1 +1 @@
-Subproject commit a70209cc6b111957b8dda9190e1291911a52286b
+Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33
--- a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
+++ b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================

-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"

 # UEFI Secure boot helpers
@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign"

 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "cos-certificates-and-keys-native:do_deploy"

 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
    """
-        Return the list of pubkey file inside deploy if 
+        Return the list of pubkey file inside deploy if
        COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
        otherwise
    """
@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):

 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"

-def get_coreos_secureboot_keydir_hash(d):
-    """
-        Generate a space separate list, with a value for each file inside of 
-        keydir. Fromat: <filename>:md5:<md5sum>
-    """
-    import hashlib

-    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
-    value = ""
-    
-    for keyname in os.listdir(keydir):
-        filepath = os.path.join(keydir, keyname)
-        if os.path.isfile(filepath): 
-            md5 = bb.utils.md5_file(filepath)
-            value += f"{keyname}:md5:{md5} "
-
-    return value
-
-# The build system should detect if someone change one of the key inside
-# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
-# depends on this directory
-COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
-COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"
--- a/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
+++ b/layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf
@ -12,7 +12,7 @@ include conf/machine/include/arm/armv7a/tune-cortexa8.inc
 IMAGE_FSTYPES += "wic wic.xz wic.bmap"
 WKS_FILE ?= "beaglebone-sdcard.wks.in"
 COREOS_INSTALLER_WKS_FILE ?= "beaglebone-sdcard-installer.wks"
-MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image"
 do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
 do_image_wic[recrdeptask] += "do_bootimg"

@ -21,10 +21,10 @@ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
 APPEND:append = " console=ttyS0,115200"

 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"

 KERNEL_IMAGETYPE = "zImage"
-KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
+DTB_FILES = "ti/omap/am335x-bone.dtb ti/omap/am335x-boneblack.dtb ti/omap/am335x-bonegreen.dtb"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"

 PREFERRED_PROVIDER_virtual/bootloader ?= "u-boot"
--- a/layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf
+++ b/layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf
@ -0,0 +1,39 @@
+#@TYPE: Machine
+#@NAME: eagle40-03
+#@DESCRIPTION: Machine support for EAGLE40-03
+#
+
+require include/coreos-generic-arch/x64.inc
+
+MACHINE_FEATURES += "pci usbhost x86 serial efi"
+
+# Kernel configuration
+# ******************************************************************************
+
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
+PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+
+KERNEL_IMAGETYPE = "bzImage"
+
+#  getty configuration
+# ******************************************************************************
+
+SERIAL_CONSOLES = "115200;ttyS0"
+SERIAL_CONSOLES_CHECK = "ttyS0"
+APPEND += "console=ttyS0,115200"
+
+# Image generation
+# ******************************************************************************
+
+# Ensure that both flash-image.bin and boot.scr are generated as they are needed
+# for a wic image
+WKS_FILE = "generic-uefi.wks.in"
+COREOS_INSTALLER_WKS_FILE ?= "generic-uefi-usb-installer.wks"
+IMAGE_FSTYPES += "wic.xz wic.bmap"
+
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules"
+
+# No watchdog available yet
+EFIBOOTGUARD_TIMEOUT ?= "0"
+require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/partitions.inc
--- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
+++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
@ -1,15 +1,20 @@
-
-# Variable used in WKS file
-
+# Variables used in WKS file
 WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
-WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
-WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
+WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
+WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
 WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
-WKS_PART_ROOT_SIZE ??= '2G'
+WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'

+PART_EFI_SIZE ??= '64M'
+PART_ROOT_SIZE ??= '1G'
+PART_EFIBG_SIZE ??= '128M'
+PART_USERDATA_SIZE ??= '1G'
+
+# Variables used in SFDISK file
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
 SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
 SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
 SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
-SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
+SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
+SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'
--- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc
+++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc
@ -6,12 +6,12 @@ MACHINE_FEATURES += "wifi efi"
 # Add an override that work for all pc image
 MACHINEOVERRIDES =. "vm:"

-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"

 MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"

-IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk"
+IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk wic.vhdx"

 WKS_FILE ?= "generic-uefi.wks.in"
 do_image_wic[depends] += "gptfdisk-native:do_populate_sysroot"
--- a/layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf
+++ b/layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf
@ -0,0 +1,15 @@
+#@TYPE: Machine
+#@NAME: qemu-generic-arm64
+#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
+#have working firmware and boot via EFI.
+
+require conf/machine/qemu-generic-arm64.conf
+MACHINEOVERRIDES =. "qemu-generic-arm64:"
+
+COREOS_IMAGE_GENERATE_INSTALLER = "0"
+
+WKS_FILE = "qemu-efi-coreos-generic.wks.in"
+
+EFIBOOTGUARD_TIMEOUT ?= "0"
+require conf/machine/include/coreos-generic-features/efi.inc
+require conf/machine/include/coreos-generic-features/partitions.inc
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/efi/efi-secureboot-keys.bb
@ -1,33 +0,0 @@
-SUMMARY = "A recipe to deploy UEFI public keys update files"
-LICENSE = "CLOSED"
-
-
-INHIBIT_DEFAULT_DEPS = "1"
-inherit nopackages
-
-inherit deploy
-inherit coreos-efi-secureboot
-
-# Public key needed by firmware very depending on the implementation
-# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
-addtask deploy after do_compile
-do_deploy() {
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
-    
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
-
-    # !SECURITY WARNING! 
-    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
-}
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/efibootguard/efibootguard_%.bbappend
@ -1,11 +0,0 @@
-# Add signature support
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-do_deploy:append() {
-
-    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
-        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
-    fi
-}
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc
@ -1,12 +0,0 @@
-# Ensure that file are found event when this file is included in another layer
-# ==============================================================================
-FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
-
-# Main include file for u-boot to ensure CoreOS compatibility
-# ==============================================================================
-
-SRC_URI += " \
-    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
-"
-
-require u-boot-coreos-efi.inc
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend
@ -1,2 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
-require u-boot-coreos.inc
--- a/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk
+++ b/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk
@ -12,8 +12,8 @@ sector-size: 512
 /dev/mmcblk1p1 : start=         256, size=         512, type=4DA6E9DA-C803-4BE4-BAC4-8192717C5EB0, name="mlo", attrs="RequiredPartition"
 /dev/mmcblk1p2 : start=         768, size=        8192, type=5B97345D-B7A1-47D3-A491-ED40F4841639, name="uboot", attrs="RequiredPartition"

-/dev/mmcblk1p3 : start=        8960, size=      131072, ${SFDISK_PART_EFI}
-/dev/mmcblk1p4 : start=      140032, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_A}
-/dev/mmcblk1p5 : start=      402176, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_B}
-/dev/mmcblk1p6 : start=      664320, size=     3403375, ${SFDISK_PART_ROOT_A}
-/dev/mmcblk1p7 : start=     4067695, size=     3403375, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk1p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
+/dev/mmcblk1p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk1p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk1p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk1p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
--- a/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk
+++ b/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk
@ -0,0 +1,13 @@
+label: gpt
+device: /dev/mmcblk2
+unit: sectors
+first-lba: 34
+last-lba: 7471070
+sector-size: 512
+
+/dev/mmcblk2p1 : start= 256, size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
+/dev/mmcblk2p2 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}
--- a/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend
@ -1,3 +1,4 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"

 SRC_URI:append:beaglebone = " file://beaglebone_1.0.sfdisk"
+SRC_URI:append:eagle40-03 = " file://eagle40-03_1.0.sfdisk"
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg
@ -0,0 +1,2 @@
+CONFIG_F71808E_WDT=y
+CONFIG_WATCHDOG_SYSFS=y
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/hyperv.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/hyperv.cfg
@ -0,0 +1,16 @@
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_SPINLOCKS=y
+CONFIG_CONNECTOR=y
+CONFIG_SCSI_FC_ATTRS=y
+CONFIG_HYPERV=y
+CONFIG_HYPERV_UTILS=y
+CONFIG_HYPERV_BALLOON=y
+CONFIG_HYPERV_STORAGE=y
+CONFIG_HYPERV_NET=y
+CONFIG_HYPERV_KEYBOARD=y
+CONFIG_FB_HYPERV=y
+CONFIG_HID_HYPERV_MOUSE=y
+CONFIG_PCI_HYPERV=y
+CONFIG_VSOCKETS=y
+CONFIG_HYPERV_VSOCKETS=y
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc
@ -1,23 +0,0 @@
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-# Ensure EFI STUB is enabled
-KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
-
-# By default we use a Unified Kernel Image that contain the kernel, the
-# kernel command line and some device tree, so we don't need to sign the output
-# of the kernel recipes
-COREOS_KERNEL_EFI_SIGNED ??= "0"
-
-# Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
-kernel_do_deploy:append() {
-    if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
-      deployDir="${DEPLOYDIR}"
-      for imageType in ${KERNEL_IMAGETYPES} ; do
-        baseName="$imageType-${KERNEL_IMAGE_NAME}"
-        coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
-      done
-    fi
-}
-
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
@ -1,13 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 KMACHINE:vm-x64 ?= "common-pc-64"
 COMPATIBLE_MACHINE:vm-x64 = "vm-x64"

 # Enable some kernel features related to virtualiuzation
 KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
+
+KMACHINE:eagle40-03 ?= "common-pc-64"
+KBRANCH:eagle40-03 = "v5.15/standard/base"
+SRCREV_machine:eagle40-03 ?= "3baf1c5c0e6084b3f4a1d2d805168d657f872e60"
+COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
+LINUX_VERSION:eagle40-03 = "5.15.134"
+

 KBRANCH:beaglebone = "v5.15/standard/beaglebone"
 KMACHINE:beaglebone ?= "beaglebone"
 SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
-
-require linux-yocto-coreos-efi.inc
--- a/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend
@ -0,0 +1,14 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+KMACHINE:eagle40-03 ?= "common-pc-64"
+COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
+
+KMACHINE:beaglebone ?= "beaglebone"
+COMPATIBLE_MACHINE:beaglebone = "beaglebone"
+
+KMACHINE:vm-x64 ?= "common-pc-64"
+COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
+KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
+
+SRC_URI += " file://eagle40-03.cfg"
--- a/layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in
@ -13,8 +13,8 @@ part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mm
 # Let's define a 4MiB maximum size for the bootloader
 # 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
 ${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --fixed-size 32M
-${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size 128M
-${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size 128M
-${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
-${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
+${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
+${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks
+++ b/layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks
@ -0,0 +1,16 @@
+# short-description: Create USB image for Eagle 40-03
+# long-description: Creates a partitioned USB image for Eagle 40-03.
+
+# offset 1S => 1 sector (1x512 byte)
+# The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
+# MBR disk use only the sector 0, so 1S is free
+# GPT disk use sector 0-33S, so first free slot is 256S
+# Offset are from the BBB default settings
+
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+part --offset 256S --source bootimg-partition --part-type=EF00 --ondisk mmcblk0
+part --fixed-size 3G --fstype=vfat --label=image
+bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
@ -1,9 +1,11 @@
 # short-description: Create an EFI disk image for genericx86*
 # long-description: Creates a partitioned EFI disk image for genericx86* machines
-${WKS_PART_EFI}  --align 1024 --size 64M --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_A} --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_B} --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_A}  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_B}  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+
+${WKS_PART_EFI} --align 1024 --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1

 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
@ -0,0 +1,12 @@
+# short-description: Create an EFI disk image
+# long-description: Creates a partitioned EFI disk image that the user
+# can directly dd to boot media.
+
+part --source efibootguard-efi --label efi --part-type=EF00 --use-uuid --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
+part / --source rootfs --fstype=ext4 --label rootfs0 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part --fstype=ext4 --label rootfs1 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --use-uuid --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
+
+bootloader --ptable gpt
--- a/layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb
+++ b/layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb
@ -0,0 +1,8 @@
+DESCRIPTION = "An image that includes k3s-agent"
+
+require recipes-core/images/coreos-image-all-features.bb
+
+IMAGE_INSTALL += "k3s-agent"
+
+# To use this image, please add k3s to DISTRO_FEATURE inside your
+# local.conf config file.
--- a/layers/meta-belden-coreos-demo/recipes-kernel/linux/files/k3s_kernel_adaptions.cfg
+++ b/layers/meta-belden-coreos-demo/recipes-kernel/linux/files/k3s_kernel_adaptions.cfg
@ -0,0 +1,8 @@
+#this file contains the necssary kernel adaption that k3s an containerd require
+#Reference
+#k3s config check: https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/check-config.sh
+#container config check: https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh
+#these scripts are provided by moby and rancher
+CONFIG_OABI_COMPAT=n
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
--- a/layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend
+++ b/layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend
@ -0,0 +1 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
--- a/layers/meta-belden-coreos/classes/bats-library.bbclass
+++ b/layers/meta-belden-coreos/classes/bats-library.bbclass
@ -0,0 +1,19 @@
+# Library to share code needed to install most available bats library
+
+# Bats library are shell scripts, so they are arch independant
+inherit allarch
+
+RDEPENDS:${PN} += "bats"
+
+# Bats can find library in this folder by default
+BATS_LIB_PATH ?= "${libdir}/bats"
+
+# By default the library will have the same name as the recipe
+BATS_INSTALL_DIR ?= "${BATS_LIB_PATH}/${PN}"
+FILES:${PN} += "${BATS_INSTALL_DIR}"
+
+do_install() {
+    install -d ${D}${BATS_INSTALL_DIR}
+    cp -r ${S}/src ${D}${BATS_INSTALL_DIR}/
+    install ${S}/load.bash ${D}${BATS_INSTALL_DIR}/
+}
--- a/layers/meta-belden-coreos/classes/coreos-image-ci.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-ci.bbclass
@ -3,6 +3,7 @@
 # > COREOS_IMAGE_EXTRACLASSES += "coreos-image-ci"
 # in auto.conf (or local.conf)

+inherit kernel-artifact-names

 def get_coreos_ci_artifacts(d):
    artifacts = []
@ -12,11 +13,11 @@ def get_coreos_ci_artifacts(d):

    # Container handling
    # ==========================================================================
-    
+
    if bb.utils.contains('IMAGE_FSTYPES', 'oci', True, False, d):

        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.rootfs-oci.tar')
-        
+
        # Special case for container, we just need the OCI tarball
        return " ".join(artifacts)

@ -25,10 +26,14 @@ def get_coreos_ci_artifacts(d):

    if bb.utils.contains('IMAGE_FSTYPES', 'wic.xz', True, False, d):
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.xz')
-    
+
    if bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d):
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')

+    # This is used for qemu-coreos-arm64
+    if bb.utils.contains('IMAGE_FSTYPES', 'wic.qcow2', True, False, d):
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.qcow2')
+
    if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1':
        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')

@ -90,5 +95,5 @@ do_deploy_ci() {
    for file in ${COREOS_CI_DEPLOY_ARTIFACTS}; do
        echo $file >> $output
    done
-} 
+}
 addtask deploy_ci after do_image before do_build
--- a/layers/meta-belden-coreos/classes/coreos-image-installer.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-installer.bbclass
@ -0,0 +1,41 @@
+# Class used to generate image based on Belden CoreOS
+
+export IMAGE_BASENAME = "${MLPREFIX}${PN}"
+IMAGE_NAME_SUFFIX ?= ""
+IMAGE_LINGUAS = ""
+
+LICENSE = "MIT"
+
+IMAGE_FSTYPES = "cpio.gz"
+
+# Support for generating a SDCard or USB installer is optional
+COREOS_INSTALLER_WKS_FILE ??= ""
+WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
+IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
+IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
+
+COREOS_IMAGE_GENERATE_UKI = "1"
+
+# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
+# run during image generation
+COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
+COREOS_IMAGE_GENERATE_SWU = "0"
+
+# Change generated UKI filename and reset the bundled command line to "APPEND"
+# to ensure that root is not set in the kernel command line
+COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
+COREOS_KERNEL_CMDLINE ?= "${APPEND}"
+
+inherit coreos-image
+
+# Only install a reduced set of package and feature to keep image size small
+IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer coreos-installer-unattended util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
+IMAGE_FEATURES = "debug-tweaks swupdate"
+NO_RECOMMENDATIONS = "1"
+
+IMAGE_ROOTFS_SIZE = "8192"
+INITRAMFS_MAXSIZE = "976562"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"
+
+# Use the same restriction as initramfs-module-install
+COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'
--- a/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
@ -69,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):

    return text

+# Signature support
+inherit coreos-efi-secureboot
+SWUPDATE_SIGNING = "CMS"
+SWUPDATE_CMS_KEY  = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
+SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
+
 COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
 inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}
--- a/layers/meta-belden-coreos/classes/coreos-image.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image.bbclass
@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
    packagegroup-coreos-boot \
    packagegroup-coreos-base \
+    secure-storage \
    "

 COREOS_IMAGE_EXTRA_INSTALL ?= ""
@ -89,10 +90,12 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
 # Unified kernel image and swupdate support
 # ==============================================================================

-# Support for Unified Kernel Image and Swupdate are optional
-COREOS_IMAGE_GENERATE_INSTALLER ?= "1"
-COREOS_IMAGE_GENERATE_UKI ?= "1"
-COREOS_IMAGE_GENERATE_SWU ?= "1"
+# The CoreOS image installer is disabled by default.
+COREOS_IMAGE_GENERATE_INSTALLER ?= "0"
+
+# Support for Unified Kernel Image and Swupdate are optional.
+COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
+COREOS_IMAGE_GENERATE_SWU ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"

 # Generate the installer image if needed
 do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"
--- a/layers/meta-belden-coreos/classes/coreos-sanity.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-sanity.bbclass
@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
 check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
 python check_coreos_sanity_eventhandler() {

+    import datetime
+
    # Checks related to the distribution configuration files
    # ==========================================================================

@ -29,13 +31,22 @@ python check_coreos_sanity_eventhandler() {
            "systemd is not set as `INIT_MANAGER`. "
            "Using SystemD is mandatory on CoreOS based distribution"
        )
-    
+
    if e.data.getVar("TCLIBC") != "glibc":
        bb.fatal(
            "glibc is not set as `TCLIBC`. "
            "Using glibc is mandatory on CoreOS based distribution"
        )
-    
+
+    # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
+    first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
+    foy_ts = str(int(first_of_year.timestamp()))
+    if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
+        bb.warn(
+            "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
+            "Set to current 01. january of the year."
+        )
+
    # Checks related to the machine configuration files
    # ==========================================================================

@ -47,7 +58,7 @@ python check_coreos_sanity_eventhandler() {
                "CoreOS recommands to use compressed wic image, please add "
                "`wic.xz` to your machine `IMAGE_FSTYPES` variables"
            )
-        
+
        if not "wic.bmap":
            bb.warn(
                "wic image should be flashed with bmaptools, but this require "
--- a/layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
+++ b/layers/meta-belden-coreos/conf/distro/belden-coreos-base.conf
@ -0,0 +1,8 @@
+require conf/distro/include/belden-coreos-base.inc
+
+DISTRO = "belden-coreos-base"
+DISTRO_NAME = "Belden CoreOS (Base)"
+MAINTAINER = "Belden CoreOS Team"
+
+DISTRO_VERSION = "0.0.1"
+DISTRO_CODENAME = "kirkstone"
--- a/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
+++ b/layers/meta-belden-coreos/conf/distro/belden-coreos.conf
@ -1,87 +1,9 @@
+require conf/distro/include/belden-coreos-base.inc
+require conf/distro/include/belden-coreos-extra.inc
+
 DISTRO = "belden-coreos"
 DISTRO_NAME = "Belden CoreOS"
 MAINTAINER = "Belden CoreOS Team"

-INHERIT += "coreos_metadata_scm"
-
 DISTRO_VERSION = "0.0.1"
 DISTRO_CODENAME = "kirkstone"
-
-# Distro features and policies
-# ==============================================================================
-
-PACKAGE_CLASSES = "package_ipk"
-INIT_MANAGER = "systemd"
-
-# CoreOS use journald from the systemd package to handle log
-# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
-# This remove syslog from packagegroup-core-boot
-VIRTUAL-RUNTIME_syslog = ""
-VIRTUAL-RUNTIME_base-utils-syslog = ""
-
-DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
-DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
-DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
-DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
-
-# Build configuration
-# ==============================================================================
-
-TARGET_VENDOR = "-belden"
-
-# We don't support multiple libc, so we don't need to append the libc name to
-# the tmp directory: ie use build/tmp instead of build/tmp-glibc
-TCLIBCAPPEND = ""
-
-SANITY_TESTED_DISTROS ?= " \
-            debian-11 \n \
-            ubuntu-22.04 \n \
-            "
-
-# This variable is used to ensure that any distribution using the CoreOS layer
-# include this file. This is checked by the coreos-sanity class
-SANITY_COREOS_COMPATIBLE ?= "1"
-
-require conf/distro/include/no-static-libs.inc
-require conf/distro/include/yocto-uninative.inc
-require conf/distro/include/security_flags.inc
-
-# uninative is need to share the sstates between multiple host distrubtion
-INHERIT += "uninative"
-
-# Bitbake configuration
-# ==============================================================================
-
-BB_SIGNATURE_HANDLER ?= "OEBasicHash"
-
-# SDK Configuration
-# ==============================================================================
-
-SDK_VENDOR = "-coreossdk"
-SDK_VERSION = "${DISTRO_VERSION}"
-SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
-SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
-SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
-
-# EFI and Secure boot
-# ==============================================================================
-
-EFI_PROVIDER = "efibootguard"
-EFIBOOTGUARD_TIMEOUT ??= "60"
-INHERIT += "coreos-efi-secureboot"
-
-# Virtualization configuration
-# ==============================================================================
-
-# Use crun insted of runc as a OCI runtime. crun is faster and need less memory
-# than runc so it's a better fit for embedded
-#PREFERRED_PROVIDER_virtual/runc = "crun"
-PACKAGECONFIG:append:pn-podman = " rootless"
-DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"
-
-# CoreOS specific options
-# ==============================================================================
-
-# Distro based on CoreOS can provide their own configuration files for the
-# CoreOS installer by overriding this variable
-PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
--- a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
+++ b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc
@ -0,0 +1,118 @@
+# This is the base include file for all coreos based distro
+# it should support the most basic distro without optional coreos
+# features
+
+# Using :coreos override should work on all CoreOS based distro
+# Note that :belden-coreos does not work on CoreOS based distro but will
+# work when build for the belden-coreos distro
+DISTROOVERRIDES = "coreos:${DISTRO}"
+
+INHERIT += "coreos_metadata_scm"
+
+# Distro features and policies
+# ==============================================================================
+
+PACKAGE_CLASSES = "package_ipk"
+INIT_MANAGER = "systemd"
+
+# CoreOS use journald from the systemd package to handle log
+# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
+# This remove syslog from packagegroup-core-boot
+VIRTUAL-RUNTIME_syslog = ""
+VIRTUAL-RUNTIME_base-utils-syslog = ""
+
+DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
+
+# CoreOS wasn't compatible with older Yocto version, so we should not have any
+# features backfilled. Value are from DISTRO_FEATURES_BACKFILL
+# with the exception of gobject-introspection-data that are backfilled on
+# purpose, this allow to use C library based on gobject in python or javascript
+DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio sysvinit ldconfig"
+
+DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
+
+# Build configuration
+# ==============================================================================
+
+TARGET_VENDOR = "-belden"
+
+# We don't support multiple libc, so we don't need to append the libc name to
+# the tmp directory: ie use build/tmp instead of build/tmp-glibc
+TCLIBCAPPEND = ""
+
+SANITY_TESTED_DISTROS ?= " \
+            debian-11 \n \
+            ubuntu-22.04 \n \
+            "
+
+# This variable is used to ensure that any distribution using the CoreOS layer
+# include this file. This is checked by the coreos-sanity class
+SANITY_COREOS_COMPATIBLE ?= "1"
+
+require conf/distro/include/no-static-libs.inc
+require conf/distro/include/yocto-uninative.inc
+require conf/distro/include/security_flags.inc
+
+# uninative is need to share the sstates between multiple host distrubtion
+INHERIT += "uninative"
+
+# Bitbake configuration
+# ==============================================================================
+
+BB_SIGNATURE_HANDLER ?= "OEBasicHash"
+
+# SDK Configuration
+# ==============================================================================
+
+SDK_VENDOR = "-coreossdk"
+SDK_VERSION = "${DISTRO_VERSION}"
+SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
+SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
+SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
+
+# EFI and Secure boot
+# ==============================================================================
+
+EFI_PROVIDER = "efibootguard"
+EFIBOOTGUARD_TIMEOUT ??= "60"
+INHERIT += "coreos-efi-secureboot"
+
+
+# PACKAGECONFIG
+# ==============================================================================
+# Reduce the size of some package by disabling some feature by default
+
+# Distro using coreos can re-enabled a disabled config by changing
+# the COREOS_DISABLED_PACKAGECONFIG variable
+
+PACKAGECONFIG:pn-systemd ?= " \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \
+    hostnamed \
+    kmod \
+    localed \
+    logind \
+    set-time-epoch \
+    sysusers \
+    userdb \
+    vconsole \
+    wheel-group \
+    zstd \
+"
+
+# DNS Configuration
+
+
+# CoreOS specific options
+# ==============================================================================
+
+# Distro based on CoreOS can provide their own configuration files for the
+# CoreOS installer by overriding this variable
+PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
+
+# This TS represents 01.01.2024 generating it dynamically would cause a lot of
+# things to get re-build, we need a good solution for this or change it every
+# year
+REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"
--- a/layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
+++ b/layers/meta-belden-coreos/conf/distro/include/belden-coreos-extra.inc
@ -0,0 +1,30 @@
+# This is the include all the CoreOS feature that are optional
+
+# Virtualization configuration
+# ==============================================================================
+
+PACKAGECONFIG:append:pn-podman = " rootless"
+DISTRO_FEATURES += "virtualization seccomp"
+
+# swupdate configuration
+# ==============================================================================
+
+# Enable the generation of .swu file for images
+DISTRO_FEATURES += "swupdate"
+
+# Networking configuration
+# ==============================================================================
+
+# Add networking support to systemd. This allow systemd to handle
+# network/dhcp/dns/time
+PACKAGECONFIG:pn-systemd += " \
+    hostnamed \
+    idn \
+    myhostname \
+    nss \
+    nss-resolve \
+    resolved \
+    networkd \
+    timedated \
+    timesyncd \
+"
--- a/layers/meta-belden-coreos/conf/distro/include/coreos-support.inc
+++ b/layers/meta-belden-coreos/conf/distro/include/coreos-support.inc
@ -0,0 +1,149 @@
+COREOS_RECIPE_MAINTAINER:pn-acl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-arptables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-attr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-autoconf-archive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-files = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-passwd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash-completion = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-binutils-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-boost = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bridge-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-busybox = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bzip2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ca-certificates = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-conntrack-tools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-coreutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cppzmq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cracklib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cryptsetup = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-curl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-dbus = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-depmodwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-e2fsprogs = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ebtables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-efibootguard = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-elfutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ethtool = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-expat = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-findutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flatbuffers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flex = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-fmt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gawk = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-runtime = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gdbm = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glib-2.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc-locale = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gmp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnu-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnutls = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-icu = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iproute2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iptables = "Team CoreOS"
+#iw should be removed
+COREOS_RECIPE_MAINTAINER:pn-json-c = "Team CoreOS"
+# kbd check if it can be removed
+# kmod check if it can be removed
+COREOS_RECIPE_MAINTAINER:pn-libaio = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libarchive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcheck = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libconfig = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libdevmapper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libestr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libfastjson = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libffi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc-initial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgpg-error = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libidn2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-liblogging = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libmnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnet = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-conntrack = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cthelper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cttimeout = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-log = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-queue = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnfnetlink = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnsl2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpam = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcre = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libseccomp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsodium = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsolv = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtirpc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtool-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libunistring = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libusb1 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxml2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-libc-headers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-yocto = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-logrotate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lrzsz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lvm2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lzo = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-m4 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-mtools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ncurses = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-netbase = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-nettle = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-arch-config = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-os-release = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-core-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-pciutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-perl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-popt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-python3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-qemuwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-readline = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-rsyslog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-run-postinsts = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-secure-storage = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-setserial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-shared-mime-info = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-spdlog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sqlite3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-swupdate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sysfsutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslinux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslog-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-conf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-serialgetty = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tar = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tcpdump = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-usbutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux-libuuid = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-volatile-binds = "Team CoreOS"
+# wpa-supplicant should be removed
+COREOS_RECIPE_MAINTAINER:pn-xz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zeromq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zip = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zlib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zstd = "Team CoreOS"
--- a/layers/meta-belden-coreos/conf/layer.conf
+++ b/layers/meta-belden-coreos/conf/layer.conf
@ -15,6 +15,7 @@ LAYERDEPENDS_meta-belden-coreos = "\
    networking-layer \
    virtualization-layer \
    webserver \
+    meta-arm \
 "

 LAYERSERIES_COMPAT_meta-belden-coreos = "kirkstone"
--- a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
@ -1,4 +1,22 @@
+
+# Add CoreOS A/B Switching support
+# ==============================================================================
+
 FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"

 SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch"

+# Add signature support
+# ==============================================================================
+
+DEPENDS:append = " cos-certificates-and-keys-native"
+
+inherit coreos-efi-sbsign
+require conf/image-uefi.conf
+
+do_deploy:append() {
+
+    if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
+        coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
+    fi
+}
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
@ -1,12 +1,23 @@
+# Ensure that file are found event when this file is included in another layer
+# ==============================================================================
+FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
+
+# U-Boot CoreOS Distro Settings
+# ==============================================================================
+
+# Enable more debug option when debug-tweaks is enabled
+SRC_URI += " \
+    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
+"
+
 inherit coreos-efi-secureboot

+# Make sure UEFI and secure boot is enabled for every u-boot build
 SRC_URI += " \
    file://uefi.cfg \
    file://uefi-secureboot.cfg \
 "

-DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
-
 # Generate a ubootefi.var file inside the build directory
 #
 # This file can be directly linked inside the u-boot binary to provide
@ -15,6 +26,7 @@ DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
 #
 # The efivar.py is taken from u-boot-tools recipes, so that we are sure that he
 # is found and don't depend on the u-boot version being used
+DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native cos-certificates-and-keys-native"
 addtask uboot_generate_efivar after do_configure before do_compile
 do_uboot_generate_efivar() {
    # Settings OPENSSL_MODULES is needed, otherwise efivar.py fail with
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-tools_2022.01.bbappend
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-tools_2022.01.bbappend
@ -4,4 +4,6 @@

 do_install:append() {
 	install -m 0755 ${S}/tools/efivar.py ${D}${bindir}/uboot-efivar
-}
+}
+
+FILES:${PN} += "${bindir}/uboot-efivar"
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/debug-tweaks.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/debug-tweaks.cfg
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi.cfg
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot/uefi.cfg
--- a/layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend
@ -0,0 +1,5 @@
+# Add CoreOS distro settings to u-boot
+UBOOT_COREOS_REQUIRE:coreos ?= "u-boot-coreos.inc"
+UBOOT_COREOS_REQUIRE ?= ""
+
+require ${UBOOT_COREOS_REQUIRE}
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.10.bb
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.10.bb
@ -4,5 +4,3 @@ require recipes-bsp/u-boot/u-boot.inc
 SRCREV = "4debc57a3da6c3f4d3f89a637e99206f4cea0a96"
 DEPENDS += "bc-native dtc-native python3-setuptools-native"
 LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
-
-require u-boot-coreos.inc
--- a/layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb
+++ b/layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb
@ -10,3 +10,6 @@ IMAGE_INSTALL:append = "${@bb.utils.contains("IMAGE_FEATURES", "swupdate", " swu

 # development tools
 IMAGE_INSTALL:append = " systemd-analyze"
+
+# Enable the optional image installer
+COREOS_IMAGE_GENERATE_INSTALLER = "1"
--- a/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb
+++ b/layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb
@ -1,50 +1,4 @@
 DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
-
-
-
-# Don't reboot the device at reboot and don't do A/B switching
-BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
-
-export IMAGE_BASENAME = "${MLPREFIX}${PN}"
-IMAGE_NAME_SUFFIX ?= ""
-IMAGE_LINGUAS = ""
-
 LICENSE = "MIT"

-IMAGE_FSTYPES = "cpio.gz"
-
-# Support for generating a SDCard installer is optional
-COREOS_INSTALLER_WKS_FILE ??= ""
-WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
-IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
-IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
-
-COREOS_IMAGE_GENERATE_UKI = "1"
-
-# Avoid dependancy loop, we are already in an installer image, so we don't need
-# to bundle another one
-COREOS_IMAGE_GENERATE_INSTALLER = "0"
-
-# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
-# run during image generation
-COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
-COREOS_IMAGE_GENERATE_SWU = "0"
-
-# Change generated UKI filename and reset the bundled command line to "APPEND"
-# to ensure that root is not set in the kernel command line
-COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
-COREOS_KERNEL_CMDLINE ?= "${APPEND}"
-
-inherit coreos-image
-
-# Only install a reduced set of package and feature to keep image size small
-IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer swupdate-www util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
-IMAGE_FEATURES = "debug-tweaks swupdate networkmanager"
-NO_RECOMMENDATIONS = "1"
-
-IMAGE_ROOTFS_SIZE = "8192"
-INITRAMFS_MAXSIZE = "976562"
-IMAGE_ROOTFS_EXTRA_SPACE = "0"
-
-# Use the same restriction as initramfs-module-install
-COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'
+inherit coreos-image-installer
--- a/layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb
+++ b/layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb
@ -15,7 +15,7 @@ COREOS_IMAGE_EFI_PROVIDER_EXTRA = " \
 "

 RDEPENDS:${PN} = "\
-    packagegroup-base-extended \
+    packagegroup-base \
    os-release \
    ${@bb.utils.contains("MACHINE_FEATURES", "efi", "${COREOS_IMAGE_EFI_PROVIDER_EXTRA}", "", d)} \
 "
--- a/layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog
+++ b/layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog
@ -0,0 +1,2 @@
+[Manager]
+RuntimeWatchdogSec=5
--- a/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend
@ -0,0 +1,15 @@
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/systemd-conf:"
+
+SRC_URI += " file://system.conf-watchdog"
+
+do_install:append(){
+	# the creation date/time of this file will be used as initial boot time.
+	# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
+	# More info about the date/time handling here:
+	# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
+	touch ${D}/${base_libdir}/clock-epoch
+	install -D -m0644 ${WORKDIR}/system.conf-watchdog ${D}${systemd_unitdir}/system.conf.d/01-${PN}-watchdog.conf
+}
+
+FILES:${PN} += "${base_libdir}/clock-epoch"
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh
@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+# catch errors from previous source files
+if [ "$SWUPDATE_EXIT" != "" ]; then
+  # Notify the installation status indicator about the failed installation.
+  # This can result in the red LED lighting up.
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+# Notify the installation status indicator about the success with partitioning
+# the blockdevice. This can result in the first green LED lighting up.
+dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusPartitioningSuccess
+
+mount /dev/disk/by-label/image /mnt
+if [ ! -f "/mnt/image.swu" ]; then
+  echo "Could not find image.swu on the vfat partition!"
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -p /usr/lib/swupdate/post-install.sh"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -i /mnt/image.swu"
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/post-install.sh
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/post-install.sh
@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+# Notify the installation status indicator about the success with flashing the image.
+# This can result in the second green LED lighting up.
+dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusImageFlashingSuccess
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended_1.0.bb
@ -0,0 +1,23 @@
+DESCRIPTION = "CoreOS scripts for unattended installation"
+SECTION = "coreos"
+LICENSE = "CLOSED"
+
+SRC_URI += "\
+    file://99-overwrite.sh \
+    file://post-install.sh \
+"
+
+FILES:${PN} = "\
+    ${libdir}/swupdate/conf.d/99-overwrite.sh \
+    ${libdir}/swupdate/post-install.sh \
+"
+
+RDEPENDS:${PN} = "coreos-installer"
+
+RCONFLICTS:${PN} = "swupdate-www"
+
+do_install() {
+    install -d ${D}${libdir}/swupdate/conf.d
+    install -m 755 ${WORKDIR}/post-install.sh ${D}${libdir}/swupdate/
+    install -m 755 ${WORKDIR}/99-overwrite.sh ${D}${libdir}/swupdate/conf.d/
+}
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer/25-installer-config.sh
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer/25-installer-config.sh
@ -1,5 +1,8 @@
 #!/usr/bin/env sh

+set -o errtrace
+trap 'echo "An error occured in line $LINENO: $BASH_COMMAND, exiting..."; SWUPDATE_EXIT=1; exit;' ERR
+
 # Read /etc/hwrevision and turn it into a stripped string
 # with the format ${MACHINE}_${VERSION}
 HWREVISION=$(tr ' ' '_' < /etc/hwrevision | tr -d '[:space:]')
@ -15,6 +18,13 @@ fi

 DISK=$(grep "^device:\s" < "${SFDISK_DUMP_FILE}" | cut -d ' ' -f 2)

+# Remove the partition table signature, if there is already one.
+# This ensures that sfdisk always finds a 'clean' disk to install / recover
+wipefs -a -f ${DISK}
+
+# Give the kernel some time to reload the partition
+sleep 3
+
 echo "Flashing ${SFDISK_DUMP_FILE} to ${DISK}"
 cat "${SFDISK_DUMP_FILE}"
 sfdisk "${DISK}" < "${SFDISK_DUMP_FILE}"
@ -48,3 +58,4 @@ umount /mnt/ebg1
 umount /mnt/efi

 SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
--- a/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer_1.0.bb
@ -1,22 +1,18 @@
 DESCRIPTION = "CoreOS Installer scripts"
-LICENSE = "CLOSED"
 SECTION = "coreos"
+LICENSE = "CLOSED"

-SRC_URI+= " \
-    file://25-installer-config.sh \
-"
+SRC_URI += "file://25-installer-config.sh"

-# This package ship an alternate configuration for SWUpade to disable A/B
-# switching and always flash A
-RCONFLICTS:${PN}= "swupdate-coreos-config"
-
-FILES:${PN} = " \
-    ${libdir}/swupdate/conf.d/25-installer-config.sh \
-"
+FILES:${PN} = "${libdir}/swupdate/conf.d/25-installer-config.sh"

 # glibc-utils provide iconv
 # glibc-gconv-utf-16 provide utf-16 support to iconv
-RDEPENDS:${PN} = "coreos-installer-config dosfstools util-linux-lsblk util-linux-sfdisk glibc-utils glibc-gconv-utf-16"
+RDEPENDS:${PN} = "coreos-installer-config dosfstools glibc-gconv-utf-16 glibc-utils util-linux-lsblk util-linux-sfdisk util-linux-wipefs"
+
+# This package ships an alternate configuration for SWUpdate to disable A/B
+# switching and always flash A
+RCONFLICTS:${PN} = "swupdate-coreos-config"

 do_install() {
    install -d ${D}${libdir}/swupdate/conf.d
--- a/layers/meta-belden-coreos/recipes-kernel/linux/files/secure-storage.cfg
+++ b/layers/meta-belden-coreos/recipes-kernel/linux/files/secure-storage.cfg
@ -0,0 +1,4 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_DM_CRYPT=y
--- a/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto-coreos.inc
+++ b/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto-coreos.inc
@ -0,0 +1,8 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+# Secure Storage
+# ==============================================================================
+SRC_URI += "file://secure-storage.cfg"
+
+# Ensure the Kernel EFI STUB is enabled
+KERNEL_FEATURES += "cfg/efi.scc cfg/efi-ext.scc"
--- a/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto_%.bbappend
@ -0,0 +1,6 @@
+# Add CoreOS distro settings to the linux-yocto recipes
+
+LINUX_YOCTO_COREOS_REQUIRE ?= ""
+LINUX_YOCTO_COREOS_REQUIRE:coreos = "linux-yocto-coreos.inc"
+
+require ${LINUX_YOCTO_COREOS_REQUIRE}
--- a/layers/meta-belden-coreos/recipes-security/cos-certificates-and-keys/cos-certificates-and-keys-native_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/cos-certificates-and-keys/cos-certificates-and-keys-native_1.0.bb
@ -0,0 +1,65 @@
+SUMMARY = "Installs CoreOS certificates and keys"
+DESCRIPTION = "Installs CoreOS certificates and keys that are used during the build"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
+SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
+
+S = "${WORKDIR}/git"
+
+inherit deploy native
+
+CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
+
+#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
+
+
+do_install() {
+    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
+    install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
+    install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
+    install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
+    install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
+    install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
+    install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
+    install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
+    install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
+    install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
+    install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
+    install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
+    install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
+    install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
+    install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
+    install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
+    install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
+    install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
+
+    bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
+}
+
+
+# Public key needed by firmware very depending on the implementation
+# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
+
+addtask deploy after do_compile
+do_deploy() {
+    install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
+    install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
+    install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
+
+    install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
+    install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
+    install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
+
+    install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
+    install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
+    install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
+
+    install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
+    install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
+    install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
+
+    # !SECURITY WARNING!
+    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
+}
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+	# echo "Create key file"
+	systemd-notify --status="Create key file"
+	mkdir -p $keyfiledir
+	dd if=/dev/urandom of=$keyfile bs=1 count=256
+	chown root:root $keyfiledir/*
+	chmod 000 $keyfiledir/*
+}
+
+error() {
+	echo "Error: $1"
+	exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+	# echo "Creating a file with random bits.. this could take a while..."
+	systemd-notify --status="Creating a file with random bits.. this could take a while..."
+	mkdir -p $loopdir || error "Creating loopdir"
+	mkdir -p $mountpoint || error "Creating mountpoint"
+	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $loopdevice"
+	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+	#echo "Open secure-storage"
+	systemd-notify --status="Open secure storage"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $ld"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+	echo "Close secure-storage"
+	# get loopdevice
+	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+	umount $mountpoint
+	cryptsetup close $cryptmapper
+	losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+	#echo "Parameter detected"
+	$1
+	exit 0
+fi
+
+if [ -e $keyfile ]
+then
+	#echo "Key file available"
+	if [ -e $loopfile ]
+	then
+		#echo "Loop file available"
+		open
+	else
+		#echo "Loop file not available"
+		create_loopback_and_open
+	fi
+else
+	#echo "Key file not available"
+	create_keyfile
+	create_loopback_and_open
+fi
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+    file://sec-storage-loopback.sh \
+    file://secure-storage.service \
+    "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+    /usr/local/data/ \
+    ${systemd_unitdir}/system \
+    ${bindir}/sec-storage-loopback.sh \
+    ${systemd_unitdir}/system/secure-storage.service \
+    "
+
+do_install() {
+    install -d ${D}$/usr/local/data/
+    install -d ${D}${bindir}
+    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+    install -d ${D}${systemd_unitdir}/system
+    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup util-linux-losetup e2fsprogs-mke2fs"
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
@ -37,3 +37,6 @@ case $ROOT_PARTLABEL in
        exit 1
        ;;
 esac
+
+echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
@ -24,3 +24,8 @@ CONFIG_DISKPART=y
 CONFIG_DISKPART_FORMAT=y
 CONFIG_FAT_FILESYSTEM=y
 CONFIG_EXT_FILESYSTEM=y
+CONFIG_SIGNED=y
+CONFIG_SIGNED_IMAGES=y
+CONFIG_SIGALG_RAWRSA=n
+CONFIG_SIGALG_CMS=y
+CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
@ -1,7 +1,12 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "swupdate"
+
 # File in the swupdate subdirectory of this recipe should overwrite the
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"

+DEPENDS += "cos-certificates-and-keys-native"
+
 SRC_URI += "\
    file://50-webserver-config.sh \
    file://25-sw-collections-config.sh \
@ -9,7 +14,6 @@ SRC_URI += "\

 PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"

-
 # Don't use /www as the web root
 wwwdir = "${datadir}/swupdate-www"

@ -35,9 +39,15 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
 # configuration to be installed
 RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"

+inherit coreos-efi-secureboot
+
 do_install:append() {
    # Probably replace revision with the value of the device tree
    install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
    install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
+    install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
    echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
 }
+
+# Fix: libgcc_s.so.1 must be installed for pthread_exit to work
+RDEPENDS:${PN} += "libgcc"
--- a/layers/meta-belden-coreos/recipes-test/bats/bats-assert_2.1.0.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats-assert_2.1.0.bb
@ -0,0 +1,15 @@
+SUMMARY = "Common assertions for Bats"
+DESCRIPTION = "bats-assert is a helper library providing common assertions for \
+               Bats."
+HOMEPAGE = "https://github.com/bats-core/bats-assert"
+LICENSE = "CC0-1.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
+
+PV = "2.1.0"
+SRC_URI = "git://github.com/bats-core/bats-assert.git;protocol=https;branch=master"
+SRCREV = "78fa631d1370562d2cd4a1390989e706158e7bf0"
+S = "${WORKDIR}/git"
+
+inherit bats-library
+
+RDEPENDS:${PN} += "bats-support"
--- a/layers/meta-belden-coreos/recipes-test/bats/bats-file_git.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats-file_git.bb
@ -0,0 +1,15 @@
+SUMMARY = " Common filesystem assertions for Bats"
+DESCRIPTION = "bats-file is a helper library providing common filesystem \
+               related assertions and helpers for Bats."
+HOMEPAGE = "https://github.com/bats-core/bats-file"
+LICENSE = "CC0-1.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
+
+PV = "0.3.0+${SRCPV}"
+SRC_URI = "git://github.com/bats-core/bats-file.git;protocol=https;branch=master"
+SRCREV = "cb914cdc176da00e321d3bc92f88383698c701d6"
+S = "${WORKDIR}/git"
+
+inherit bats-library
+
+RDEPENDS:${PN} += "bats-support"
--- a/layers/meta-belden-coreos/recipes-test/bats/bats-support_0.3.0.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats-support_0.3.0.bb
@ -0,0 +1,13 @@
+SUMMARY = "Supporting library for Bats test helpers"
+DESCRIPTION = "bats-support is a supporting library providing common \
+               functions to test helper libraries written for Bats."
+HOMEPAGE = "https://github.com/bats-core/bats-support"
+LICENSE = "CC0-1.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
+
+PV = "0.3.0"
+SRC_URI = "git://github.com/bats-core/bats-support.git;protocol=https;branch=master"
+SRCREV = "3c8fadc5097c9acfc96d836dced2bb598e48b009"
+S = "${WORKDIR}/git"
+
+inherit bats-library
--- a/layers/meta-belden-coreos/recipes-test/bats/bats_1.10.0.bb
+++ b/layers/meta-belden-coreos/recipes-test/bats/bats_1.10.0.bb
@ -0,0 +1,35 @@
+# backported from oe-core master 
+SUMMARY = "Bash Automated Testing System"
+DESCRIPTION = "Bats is a TAP-compliant testing framework for Bash. It \
+provides a simple way to verify that the UNIX programs you write behave as expected."
+HOMEPAGE = "https://github.com/bats-core/bats-core"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2970203aedf9e829edb96a137a4fe81b"
+
+SRC_URI = "\
+  git://github.com/bats-core/bats-core.git;branch=master;protocol=https \
+  "
+
+# v1.10.0
+SRCREV = "f7defb94362f2053a3e73d13086a167448ea9133"
+
+S = "${WORKDIR}/git"
+
+# Numerous scripts assume ${baselib} == lib, which is not true.
+#
+do_configure:prepend() {
+	for f in ${S}/libexec/bats-core/* ${S}/lib/bats-core/* ; do
+		sed -i 's:\$BATS_ROOT/lib/:\$BATS_ROOT/${baselib}/:g' $f
+	done
+}
+
+do_install() {
+	# Just a bunch of bash scripts to install
+	${S}/install.sh ${D}${prefix} ${baselib}
+}
+
+RDEPENDS:${PN} = "bash"
+FILES:${PN} += "${libdir}/bats-core/*"
+
+PACKAGECONFIG ??= "pretty"
+PACKAGECONFIG[pretty] = ",,,ncurses"
--- a/layers/meta-belden-marvell-bsp/conf/machine/include/cn913x.inc
+++ b/layers/meta-belden-marvell-bsp/conf/machine/include/cn913x.inc
@ -26,7 +26,7 @@ UBOOT_LOADADDRESS = "0x7000000"

 PREFERRED_PROVIDER_virtual/kernel ?= "linux-netmodule"
 PREFERRED_VERSION_linux-netmodule ?= "git-5.15-solidrun"
-PREFERRED_VERSION_trusted_firmware_a ?= "2.3-solidrun"
+PREFERRED_VERSION_trusted_firmware_a = "2.6"

 KERNEL_IMAGETYPE = "Image"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/README.md
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/README.md
@ -1,28 +0,0 @@
-# trusted-firmware-a
-
-
-trusted-firmware-a recipes was copied from:
-
-meta-arm/meta-arm/recipes-bsp/trusted-firmware-a
-
-Repo:  git://git.yoctoproject.org/meta-arm
-Branch: kirkstone
-Git SHA: 78fce73c3803aba82149a3a03fde1b708f5424fa
-
-Theses files were copied:
-
- trusted-firmware-a.inc
- files/ssl.patch
-
-Theses files were created, by doing the same as done in meta-arm/meta-arm-bsp
-but using the same revision and make flags as in https://github.com/SolidRun/cn913x_yocto_meta.git
-
- trusted-firmware-a_2.3.bb
-
-Theses files were copied from https://github.com/SolidRun/cn913x_yocto_meta.git
-
- files/mrvl_scp_bl2.img
- files/000*.patch
-
-More info about how to use trusted-firmware-a for Marvell can be found at
-https://trustedfirmware-a.readthedocs.io/en/latest/plat/marvell/armada/build.html
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch
@ -1,14 +1,14 @@
-From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
+From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 22 Nov 2021 13:33:25 +0200
-Subject: [PATCH 2/2] ddr spd read failover to defualt config
+Subject: [PATCH] ddr spd read failover to defualt config

 ---
 .../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
 1 file changed, 93 insertions(+), 7 deletions(-)

 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 0befadfc6..5de71f095 100644
+index 82ce07b09..bb7814e9b 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
@@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644
 {
 	struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
@@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
- 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
+ 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
 
 		/* read data from spd */
 -		i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644
 +			set_param_based_on_som_strap();
 	}
 }
-- 
-2.25.1
-
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch
@ -1,15 +1,16 @@
-From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001
+From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 6 Dec 2021 18:34:37 +0200
 Subject: [PATCH] som sdp failover using crc verification

 Signed-off-by: Alon Rotman <alon.rotman@solid-run.com>
+
 ---
 .../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++-------
 1 file changed, 41 insertions(+), 22 deletions(-)

 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 5de71f095..d59b8100d 100644
+index bb7814e9b..772774215 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
@@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644
 +	
 	}
 }
-- 
-2.25.1
-
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch
@ -1,52 +0,0 @@
-fiptool: respect OPENSSL_DIR
-
-fiptool links to libcrypto, so as with the other tools it should respect
-OPENSSL_DIR for include/library paths.
-
-Upstream-Status: Submitted
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-diff --git a/Makefile b/Makefile
-index ec6f88585..2d3b9fc26 100644
--- a/Makefile
-+++ b/Makefile
-@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
- 
- ${FIPTOOL}: FORCE
- ifdef UNIX_MK
-	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
-+	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
- else
- # Clear the MAKEFLAGS as we do not want
- # to pass the gnumake flags to nmake.
-diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
-index 11d2e7b0b..7c2a08379 100644
--- a/tools/fiptool/Makefile
-+++ b/tools/fiptool/Makefile
-@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
- PROJECT := $(notdir ${FIPTOOL})
- OBJECTS := fiptool.o tbbr_config.o
- V ?= 0
-+OPENSSL_DIR := /usr
-+
- 
- override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
- HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
-@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
- else
-   HOSTCCFLAGS += -O2
- endif
-LDLIBS := -lcrypto
-+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
- 
- ifeq (${V},0)
-   Q := @
-@@ -28,7 +30,7 @@ else
-   Q :=
- endif
- 
-INCLUDE_PATHS := -I../../include/tools_share
-+INCLUDE_PATHS := -I../../include/tools_share  -I${OPENSSL_DIR}/include
- 
- HOSTCC ?= gcc
- 
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3-solidrun.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3-solidrun.bb
@ -1,10 +1,8 @@
+# CN913x specific TFA support
+
 COMPATIBLE_MACHINE = "cn913x"
-require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc

-PV = "2.3+git${SRCPV}"
-SRCREV_tfa = "00ad74c7afe67b2ffaf08300710f18d3dafebb45"
-
-LIC_FILES_CHKSUM += "file://docs/license.rst;md5=189505435dbcdcc8caa63c46fe93fa89"
+DEPENDS += "mv-ddr-marvell coreutils-native"

 SRC_URI +=  " \
    file://0001-ddr-spd-read-failover-to-defualt-config.patch \
@ -12,8 +10,6 @@ SRC_URI +=  " \
    file://mrvl_scp_bl2.img \
 "

-DEPENDS += "mv-ddr-marvell coreutils-native"
-
 CP_NUM:cn9131-bldn-mbv = "2"
 CP_NUM:cn9130-cf-pro = "1"

--- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
@ -0,0 +1,8 @@
+# Machine specific TFAs
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+MACHINE_TFA_REQUIRE ?= ""
+MACHINE_TFA_REQUIRE:cn913x = "trusted-firmware-a-cn913x.inc"
+
+require ${MACHINE_TFA_REQUIRE}
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2019.10-solidrun.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2019.10-solidrun.bb
@ -51,7 +51,6 @@ SRC_URI = "git://git.denx.de/u-boot.git;branch=master \
 S = "${WORKDIR}/git"

 require recipes-bsp/u-boot/u-boot.inc
-require recipes-bsp/u-boot/u-boot-coreos.inc

 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"
--- a/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2023.04-marvell.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2023.04-marvell.bb
@ -30,7 +30,6 @@ SRC_URI = "git://source.denx.de/u-boot/custodians/u-boot-marvell.git;branch=mast
 S = "${WORKDIR}/git"

 require recipes-bsp/u-boot/u-boot.inc
-require recipes-bsp/u-boot/u-boot-coreos.inc

 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"
--- a/layers/meta-belden-marvell-bsp/recipes-coreos/coreos-installer/coreos-installer-config/cn9130-cf-pro_1.0.sfdisk
+++ b/layers/meta-belden-marvell-bsp/recipes-coreos/coreos-installer/coreos-installer-config/cn9130-cf-pro_1.0.sfdisk
@ -18,8 +18,8 @@ sector-size: 512
 /dev/mmcblk0p1 : start=        4096, size=        8192, type=71B02716-C000-4F0D-AE03-2F5DC0A114CD, name="fw0", attrs="RequiredPartition"
 /dev/mmcblk0p2 : start=       12288, size=        8192, type=71B02716-C000-4F0D-AE03-2F5DC0A114CD, name="fw1", attrs="RequiredPartition"

-/dev/mmcblk0p3 : start=       20480, size=      131072, ${SFDISK_PART_EFI}
-/dev/mmcblk0p4 : start=      151552, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_A}
-/dev/mmcblk0p5 : start=      413696, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_B}
-/dev/mmcblk0p6 : start=      675840, size=     7294976, ${SFDISK_PART_ROOT_A}
-/dev/mmcblk0p7 : start=     7970816, size=     7294976, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk0p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
+/dev/mmcblk0p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk0p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk0p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk0p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
--- a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/0001-refactor-cn913x-defconfig-cleanup.patch
+++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/0001-refactor-cn913x-defconfig-cleanup.patch
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6`
				`@ -0,0 +1 @@`
				`FILESEXTRAPATHS:prepend := "${THISDIR}/files:"`