Compare commits
92 Commits
kirkstone-
...
HEAD
| Author | SHA1 | Date |
|---|---|---|
|
|
fc389b0543 | |
|
|
a0910ef3ff | |
|
|
f8d02a5ecc | |
|
|
056cad3dc2 | |
|
|
ab82a90113 | |
|
|
81cca5dde2 | |
|
|
6cfbd888e4 | |
|
|
44e5596d4a | |
|
|
706f597d5c | |
|
|
0075255036 | |
|
|
25d363debd | |
|
|
e504af5cbc | |
|
|
396ac98972 | |
|
|
70ed96f8d9 | |
|
|
cc9a93d4a6 | |
|
|
33b5b7d65c | |
|
|
965982dc7b | |
|
|
29de6abb55 | |
|
|
ca18bbaa0c | |
|
|
9cf698f318 | |
|
|
d754d6492d | |
|
|
f0865a1ee7 | |
|
|
689a92ec08 | |
|
|
6a87dab5a8 | |
|
|
5cadfef489 | |
|
|
a4d86aeea8 | |
|
|
dd11a6ccbc | |
|
|
0d7f00dc88 | |
|
|
11a095763c | |
|
|
e87917c9ef | |
|
|
3df46aebac | |
|
|
9ebee57d3b | |
|
|
7f18f3d4b9 | |
|
|
af777ece70 | |
|
|
a2d125458f | |
|
|
fd9b3e0a0f | |
|
|
1929136249 | |
|
|
c2ebce47f1 | |
|
|
e18d9b87a8 | |
|
|
e29f9f33d9 | |
|
|
13a6f17abd | |
|
|
90fb120676 | |
|
|
fab454f422 | |
|
|
8ab4fd47df | |
|
|
cfd63890a7 | |
|
|
d57a9b7a70 | |
|
|
12ba99370a | |
|
|
c7c3793c9e | |
|
|
5b23df1199 | |
|
|
b819d0746d | |
|
|
e4fd830aa8 | |
|
|
ac8f81d4a1 | |
|
|
fd2a0835ac | |
|
|
94c8692f43 | |
|
|
027ffafd72 | |
|
|
d37d5515f5 | |
|
|
414496b7cb | |
|
|
c1eafd4289 | |
|
|
8229cef5bb | |
|
|
5a4fa9e32e | |
|
|
b786afc271 | |
|
|
6cb0182491 | |
|
|
78487d86b6 | |
|
|
e071b04038 | |
|
|
09ece07958 | |
|
|
ecc4ca19f4 | |
|
|
50381ef6ff | |
|
|
f04afe073a | |
|
|
a757360a2d | |
|
|
ea134d867e | |
|
|
3bf28622c1 | |
|
|
3eeedd8412 | |
|
|
9148fc12da | |
|
|
27f3b6657a | |
|
|
00b61e52c6 | |
|
|
5e0d938b9c | |
|
|
c17db5dbd5 | |
|
|
8703fd2efd | |
|
|
afa1a784c1 | |
|
|
f0e6da1c10 | |
|
|
af33b55ec0 | |
|
|
77a25e9c7b | |
|
|
99b84ba10c | |
|
|
e89a0c5195 | |
|
|
db27468370 | |
|
|
9337a5d7d2 | |
|
|
91cff2b07a | |
|
|
53b2d1e3ee | |
|
|
2b3406e5b5 | |
|
|
fdd1f19102 | |
|
|
0d5e631162 | |
|
|
1af92365f1 |
|
|
@ -2,23 +2,35 @@
|
|||
path = bitbake
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/bitbake.git
|
||||
branch = 2.0
|
||||
[submodule "layers/openembedded-core"]
|
||||
[submodule "openembedded-core"]
|
||||
path = external-layers/openembedded-core
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/openembedded-core.git
|
||||
branch = kirkstone
|
||||
[submodule "layers/meta-openembedded"]
|
||||
[submodule "meta-openembedded"]
|
||||
path = external-layers/meta-openembedded
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/meta-openembedded.git
|
||||
branch = kirkstone
|
||||
[submodule "layers/meta-virtualization"]
|
||||
[submodule "meta-virtualization"]
|
||||
path = external-layers/meta-virtualization
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
|
||||
branch = kirkstone
|
||||
[submodule "layers/meta-efibootguard"]
|
||||
[submodule "meta-efibootguard"]
|
||||
path = external-layers/meta-efibootguard
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/meta-efibootguard.git
|
||||
branch = master
|
||||
[submodule "layers/meta-swupdate"]
|
||||
[submodule "meta-swupdate"]
|
||||
path = external-layers/meta-swupdate
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/meta-swupdate.git
|
||||
branch = kirkstone
|
||||
[submodule "meta-arm"]
|
||||
path = external-layers/meta-arm
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/meta-arm.git
|
||||
branch = kirkstone
|
||||
[submodule "meta-ti"]
|
||||
path = external-layers/meta-ti
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/meta-ti.git
|
||||
branch = kirkstone
|
||||
[submodule "meta-lts-kernel-mixin"]
|
||||
path = external-layers/meta-lts-kernel-mixin
|
||||
url = ssh://git@bitbucket.gad.local:7999/ico/meta-lts-mixins.git
|
||||
branch = coreos/kirkstone/kernel
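Review bot: The `[submodule "meta-efibootguard"]` entry tracks `branch = master`, while every other layer in this hunk tracks a release branch (`kirkstone`, `2.0`, `coreos/kirkstone/kernel`). The recorded gitlink still pins the commit for a normal checkout, but `git submodule update --remote` would move this layer to whatever the mirror's master holds at that moment. This is presumably the layer that supplies the efibootguard OS loader described in the secure-boot document on this page. If no release branch exists for it, a comment above the entry would make the exception deliberate, for example `# tracks master on purpose: review every bump of this layer before committing the new gitlink`. The rendered page has lost its +/- markers, so this line may be unchanged context rather than part of the change.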
|
||||
|
|
|
|||
|
|
@ -2,9 +2,9 @@
|
|||
"recommendations": [
|
||||
"ms-vscode.makefile-tools",
|
||||
"timonwong.shellcheck",
|
||||
"eugenwiens.bitbake",
|
||||
"kweihmann.oelint-vscode",
|
||||
"lextudio.restructuredtext",
|
||||
"trond-snekvik.simple-rst"
|
||||
"trond-snekvik.simple-rst",
|
||||
"yocto-project.yocto-bitbake"
|
||||
]
|
||||
}
|
||||
|
|
@ -1,12 +1,47 @@
|
|||
{
|
||||
"files.watcherExclude": {
|
||||
"**/build/cache/**": true,
|
||||
"**/build/downloads/**": true,
|
||||
"**/build/sstate-cache/**": true,
|
||||
"**/build/tmp/**": true,
|
||||
"**/documentation/_build/**": true,
|
||||
"**/build/workspace": true
|
||||
"**/build/**": true,
|
||||
"**/_build/**": true,
|
||||
},
|
||||
"search.exclude": {
|
||||
"**/build/**": true,
|
||||
"**/_build/**": true,
|
||||
},
|
||||
"C_Cpp.files.exclude": {
|
||||
"**/build": true,
|
||||
"**/_build": true,
|
||||
},
|
||||
"python.analysis.exclude": [
|
||||
"**/build/**",
|
||||
"**/_build/**",
|
||||
],
|
||||
"python.formatting.provider": "black",
|
||||
"editor.rulers": [80,100,120]
|
||||
"editor.rulers": [80,100,120],
|
||||
"bitbake.pathToBuildFolder": "${workspaceFolder}/build",
|
||||
"bitbake.pathToEnvScript": "${workspaceFolder}/coreos-init-build-env",
|
||||
"bitbake.pathToBitbakeFolder": "${workspaceFolder}/bitbake",
|
||||
"python.autoComplete.extraPaths": [
|
||||
"${workspaceFolder}/bitbake/lib",
|
||||
"${workspaceFolder}/meta/lib"
|
||||
],
|
||||
"python.analysis.extraPaths": [
|
||||
"${workspaceFolder}/bitbake/lib",
|
||||
"${workspaceFolder}/meta/lib"
|
||||
],
|
||||
"[python]": {
|
||||
"diffEditor.ignoreTrimWhitespace": false,
|
||||
"gitlens.codeLens.symbolScopes": [
|
||||
"!Module"
|
||||
],
|
||||
"editor.formatOnType": true,
|
||||
"editor.wordBasedSuggestions": "off",
|
||||
"files.trimTrailingWhitespace": false
|
||||
},
|
||||
"[shellscript]": {
|
||||
"files.eol": "\n",
|
||||
"files.trimTrailingWhitespace": false
|
||||
},
|
||||
"bitbake.sdkImage": "coreos-image-minimal",
|
||||
"bitbake.workingDirectory": "${workspaceFolder}",
|
||||
"task.saveBeforeRun": "always",
|
||||
}
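Review bot: Several added objects and arrays end with a trailing comma before the closing bracket: `"**/_build/**": true,` in `files.watcherExclude`, `search.exclude` and `python.analysis.exclude`, `"**/_build": true,` in `C_Cpp.files.exclude`, and `"task.saveBeforeRun": "always",` before the final `}`. The editor's JSON-with-comments reader tolerates this as far as I know, but any strict JSON consumer (a formatter, a CI lint step, a script that loads the settings) will reject the file. Dropping the comma on the last member of each container fixes it, for example `"task.saveBeforeRun": "always"`. The new settings file in the later `@ -0,0 +1,12 @` hunk has the same pattern at `"**/_build/**": true,`.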
|
||||
2
bitbake
2
bitbake
|
|
@ -1 +1 @@
|
|||
Subproject commit 907416ee1062f87f5844ab0638b54616abfc1a22
|
||||
Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607
|
||||
|
|
@ -87,10 +87,8 @@ coreos-bblayers-envsub COREOS_LAYERSDIR "${COREOS_ROOT}/layers"
|
|||
# Add support for ##COREOS_EXTLAYERSDIR## inside of bblayer template
|
||||
coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
|
||||
|
||||
# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything it
|
||||
# the directory already exist, so it's safe to call it everytime
|
||||
# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything
|
||||
# if the directory already exist so it's safe to call it everytime
|
||||
# stdout is redirected to reduce the amount of output but not stderr
|
||||
coreos-keygen > /dev/null || {
|
||||
echo "The coreos-keygen script has failed" >&2
|
||||
return 1
|
||||
}
|
||||
#
|
||||
#Note: if a final build is detected all the dev keys are deleted
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
"recommendations": [
|
||||
"ms-vscode.makefile-tools",
|
||||
"lextudio.restructuredtext",
|
||||
"trond-snekvik.simple-rst"
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"files.watcherExclude": {
|
||||
"**/_build/**": true,
|
||||
},
|
||||
"python.formatting.provider": "black",
|
||||
"editor.rulers": [
|
||||
80,
|
||||
100,
|
||||
120
|
||||
],
|
||||
"esbonio.sphinx.confDir": ""
|
||||
}
|
||||
|
|
@ -11,3 +11,4 @@ Belden CoreOS Boot Concepts
|
|||
|
||||
overview
|
||||
uboot
|
||||
secure-boot
|
||||
|
|
|
|||
|
|
@ -0,0 +1,268 @@
|
|||
*******************
|
||||
Secure Boot Concept
|
||||
*******************
|
||||
|
||||
Currently CoreOS provide a Proof Of Concept of some of the secure boot element that we want to
|
||||
implement a full secure-boot solution based on UEFI secure boot.
|
||||
|
||||
The current proof of concept is structured as follows:
|
||||
|
||||
Hardware Requirements
|
||||
=====================
|
||||
|
||||
- The device must have an `eMMC`.
|
||||
- The architecture of the device must be either `ARM32` or `AARCH64`.
|
||||
|
||||
|
||||
eMMC Embedded MultiMediaCard
|
||||
============================
|
||||
|
||||
eMMC, or Embedded MultiMediaCard, represents a prevalent storage format in devices such as
|
||||
smartphones, tablets, and other embedded systems. It encapsulates NAND flash memory and a dedicated
|
||||
controller within one package. This structure not only eases integration for device manufacturers
|
||||
but also ensures a compact, efficient storage medium.
|
||||
|
||||
Within eMMC's architecture, distinct hardware partitions cater to diverse operational demands:
|
||||
|
||||
.. graphviz::
|
||||
|
||||
digraph emmcStructure {
|
||||
rankdir=TB;
|
||||
node [shape=box, style=filled, fillcolor="#e6f2ff"];
|
||||
edge [color="#0099cc", fontsize=12];
|
||||
|
||||
compound=true;
|
||||
|
||||
subgraph cluster_eMMC {
|
||||
label="eMMC";
|
||||
color="#0099cc";
|
||||
|
||||
Boot0 [label="Boot0"];
|
||||
Boot1 [label="Boot1"];
|
||||
RPMB [label="RPMB"];
|
||||
|
||||
subgraph cluster_User {
|
||||
label="User";
|
||||
color="#00cc99";
|
||||
GPT [label="GPT Table"];
|
||||
|
||||
subgraph cluster_GPT {
|
||||
label="Software Partitions (GPT)";
|
||||
color="#99e6e6";
|
||||
|
||||
SoftwarePartition1 [label="Partition 1"];
|
||||
SoftwarePartition2 [label="Partition 2"];
|
||||
SoftwarePartitionN [label="Partition N"];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
#. **Boot0 and Boot1**: The boot partitions cater to device start-up requirements, typically hosting
|
||||
the firmware. Boot0 predominantly initiates the boot-up, while Boot1 stands as a secondary guard
|
||||
or backup, ensuring booting is resilient and failsafe.
|
||||
|
||||
#. **RPMB (Replay Protected Memory Block)**: As a secure partition, RPMB shelters data against
|
||||
potential tampering. It's tailored for sensitive information storage, such as cryptographic keys.
|
||||
Its design counters data replays or rollbacks, fortifying against particular attack types.
|
||||
|
||||
#. **User**: The primary storage domain, the User partition accommodates the OS, applications,
|
||||
and user-centric data. It's reminiscent of the primary storage drive in larger computing devices.
|
||||
Importantly, the User partition has a layered structure. Using the GPT (GUID Partition Table), it
|
||||
is further divided into multiple software partitions, which can house diverse datasets or file
|
||||
systems.
|
||||
|
||||
The boot concept of CoreOS rely on the presence of an eMMC to implement the following feature:
|
||||
|
||||
- Storage of two copy of the firmware with a way to switch from a copy to another using the eMMC
|
||||
boot0 and boot1 hardware partition
|
||||
- Storage of keys used by the UEFI Secure Key specification inside the secure RPMB hardware
|
||||
partition.
|
||||
- Storage of the bootloader, kernel and rootfs inside the user hardware partition using multiple
|
||||
software partition in the GPT format.
|
||||
|
||||
Firmware
|
||||
========
|
||||
|
||||
The firmware of the device should implement a subset of the UEFI specification as defined in the
|
||||
ARM Base Boot Requirements (EBBR) and should implement the optional UEFI Secure Boot part of the
|
||||
EBBR specifications.
|
||||
|
||||
This is done in CoreOS by levering the built-in EBBR and UEFI Secure Boot present into the u-boot
|
||||
project.
|
||||
|
||||
The hardware should verify the validity of the firmware using a hardware specific way. Then the
|
||||
generic secure boot concept explained here can be used to valide all the following component of
|
||||
CoreOS.
|
||||
|
||||
UEFI Key used by UEFI Secure Boot
|
||||
=================================
|
||||
|
||||
|
||||
- **PK (Platform Key)**: This top-tier key shoulders the responsibility of KEK verification and its
|
||||
potential revocation. PK holders have the exclusive privilege to configure the KEK and the `db`
|
||||
database. It's the gatekeeper ensuring only authorized software can touch the firmware or
|
||||
bootloader.
|
||||
|
||||
- **KEK (Key Exchange Key)**: As a medium for data exchange, the KEK is pivotal for signing the `db`
|
||||
and `dbx` databases.
|
||||
|
||||
- **db (Allowed Database)**: This is the white list. It houses the keys or hashes of permitted
|
||||
firmware and OS loaders. Execution is only granted to software with a signature that resonates
|
||||
with the keys/hashes in this database.
|
||||
|
||||
- **dbx (Forbidden Database)**: The black sheep are here. Housing keys or hashes of known
|
||||
unauthorized software, it ensures any associated software is prohibited from executing.
|
||||
|
||||
Currently all theses public keys are built-in into u-boot at build time and are read only. In the
|
||||
future we will use the OP-TEE support into u-boot to use OP-TEE to manage the keys.
|
||||
|
||||
OP-TEE and RPMB as key manager
|
||||
==============================
|
||||
|
||||
OP-TEE, or Open Portable Trusted Execution Environment, is an open-source implementation of the
|
||||
Trusted Execution Environment (TEE) designed for ARM-powered platforms. In essence, a TEE is a
|
||||
secure enclave that provides a separated, isolated environment where specific applications and their
|
||||
data can run independently from the regular operating system, ensuring they are protected against
|
||||
potential tampering or unauthorized access.
|
||||
|
||||
OP-TEE guarantees confidentiality, integrity, and authenticity for critical applications by
|
||||
executing them in this secure space. It offers a wide range of security features, including secure
|
||||
storage of cryptographic keys, secure boot, and hardware-backed crypto operations.
|
||||
|
||||
In the context of UEFI secure boot, OP-TEE becomes instrumental. UEFI's secure boot mechanism
|
||||
ensures that only trusted, signed firmware, OS loaders, and OS kernels are executed during the boot
|
||||
process. To enforce this level of trust, UEFI relies on a set of cryptographic keys, including PK
|
||||
(Platform Key), KEK (Key Exchange Key), and db/dbx (allowed and forbidden signature databases).
|
||||
Safeguarding these keys is paramount to maintain the security and integrity of the boot process.
|
||||
|
||||
By leveraging OP-TEE, these UEFI secure boot keys can be securely stored in the RPMB (Replay
|
||||
Protected Memory Block) partition of the eMMC. The RPMB is a write-protected, secure area of the
|
||||
eMMC designed to hold sensitive data and protect it against tampering and replay attacks.
|
||||
Since OP-TEE manages secure access to the RPMB partition, it ensures that the UEFI secure boot keys
|
||||
are not only safely stored but are also accessible only by authorized firmware components.
|
||||
|
||||
eMMC User Partition
|
||||
===================
|
||||
|
||||
The user partition of the eMMC must be structured using the GPT (GUID Partition Table) format.
|
||||
|
||||
Within the GPT-formatted user partition, specific partitions should be established for efficient
|
||||
booting and system operation:
|
||||
|
||||
1. **EFI**: This is the Essential Firmware Interface partition. It holds the `efibootguard`
|
||||
os-loader binary, responsible for the boot sequence's initial steps and the kernel's selection
|
||||
based on its configuration. This binary is signed with a key present in the `dbx` database
|
||||
|
||||
2. **EBG0 - Efibootguard Config 0**: This partition houses the `efibootguard` configuration for the
|
||||
first kernel option. Alongside the configuration file, it also contains a Unified Kernel Image
|
||||
(UKI), a bundled package comprising the Linux kernel, device trees, and associated boot
|
||||
components. The UKI is signed with a key present in the `dbx` database
|
||||
|
||||
3. **EBG1 - Efibootguard Config 1**: Similar to EBG0, this partition carries the `efibootguard`
|
||||
configuration for the second kernel option. It too holds a Unified Kernel Image tailored for this
|
||||
alternate boot choice.
|
||||
|
||||
4. **rootfs0**: This partition stores the CoreOS root filesystem designed to complement and operate
|
||||
with the kernel embedded in the EBG0 partition. It provides the essential system files and
|
||||
structures required for the operating system's functioning when the kernel from EBG0 is booted.
|
||||
Integrety of this rootfs is assured by storing an hash of the rootfs inside the UKI image.
|
||||
|
||||
5. **rootfs1**: Analogous to `rootfs0`, this partition houses the CoreOS root filesystem tailored
|
||||
for the kernel within the EBG1 partition. It ensures that, should the system boot from the kernel
|
||||
in EBG1, the appropriate file structures and system components are readily available.
|
||||
|
||||
EFIBootGuard Configuration
|
||||
==========================
|
||||
|
||||
Efibootguard, as a part of its design, employs a configuration system to determine the appropriate
|
||||
kernel and associated resources to boot from. This configuration is stored in distinct partitions,
|
||||
EBG0 and EBG1, each holding its configuration file.
|
||||
|
||||
The configuration file itself comprises several fields, but most crucially, it contains a revision
|
||||
field. This field is a numerical identifier indicating the version or update level of the contained
|
||||
kernel and resources. When the system initiates its boot sequence, Efibootguard assesses the
|
||||
revision values in both the EBG0 and EBG1 configuration files.
|
||||
|
||||
The selection process is straightforward yet robust: Efibootguard chooses the partition with the
|
||||
higher revision value. By doing so, it inherently opts for the most recent or updated kernel version
|
||||
available. However, this system also supports failover mechanisms. In case the kernel in the
|
||||
partition with the higher revision encounters issues during boot, Efibootguard can revert to the
|
||||
other partition, ensuring resilience and continuity in system operations.
|
||||
|
||||
Moreover, the choice isn't rigidly fixed. When the system undergoes updates, the configuration files
|
||||
can be rewritten, and the revision values adjusted, allowing for dynamic and flexible booting in
|
||||
line with system evolutions and updates. In essence, Efibootguard, with its configuration-based
|
||||
approach, ensures a blend of up-to-date system booting and built-in fail-safes for dependable
|
||||
operation.
|
||||
|
||||
Unified Kernel Image
|
||||
====================
|
||||
|
||||
After having choosen the right configuration file, Efibootguard takes on the responsibility of
|
||||
launching the Unified Kernel Image (UKI) linked with the active configuration. This image bundle
|
||||
together essential boot components like the Linux kernel, device trees, and the kernel command
|
||||
line. The secure initiation of this image is paramount, and Efibootguard ensures this by leveraging
|
||||
UEFI's start_image system call.
|
||||
|
||||
The UEFI start_image system call verifies the image's signature against the Secure Boot keys
|
||||
(PK, KEK, db, and potentially dbx). If the signature matches, indicating that the image is trusted
|
||||
and hasn't been tampered with, the image is permitted to execute. If not, the booting halts,
|
||||
preventing any unauthorized or potentially malicious code from running.
|
||||
|
||||
Once the UKI has been securely initiated, it undertakes multiple tasks. It first extracts the
|
||||
necessary components from the bundled package, identifying and utilizing the appropriate device
|
||||
trees based on `compatible` node, by matching with the `compatible` node of the `device-tree` that
|
||||
is built into the firmware. These device trees inform the system about the hardware configuration,
|
||||
ensuring the kernel interacts correctly with the system's components.
|
||||
|
||||
The UKI os-launcher also has CoreOS specialized patches, enabling dynamic rootfs switching without
|
||||
requiring an initramfs by changing the `root=` part of the kernel command line at run time to
|
||||
point to the right rootfs partition.
|
||||
|
||||
RootFS and dm-verity
|
||||
====================
|
||||
|
||||
dm-verity is a Linux kernel feature designed to provide transparent integrity checking of block
|
||||
devices, particularly for read-only file systems. Rooted in cryptographic principles, dm-verity
|
||||
employs a hash-based approach to ensure and validate the integrity of the root filesystem (rootfs).
|
||||
|
||||
The way dm-verity operates is by building a Merkle tree, a structure where each leaf node contains a
|
||||
hash of a block of the underlying data, while each non-leaf node is a hash of its children. The
|
||||
topmost node, the root of the Merkle tree, provides a cumulative hash representing the entirety of
|
||||
the data. This top hash, known as the root hash, serves as a concise, cryptographic representation
|
||||
of the entire filesystem's state.
|
||||
|
||||
When integrating dm-verity with the Unified Kernel Image (UKI), an additional layer of security is
|
||||
established. By embedding the root hash into the signed UKI, any tampering or modification in the
|
||||
rootfs can be swiftly detected. When the system boots, the UKI, being signed, ensures that the
|
||||
embedded root hash is legitimate and untampered. As the OS accesses the rootfs, dm-verity
|
||||
recalculates the hash values in real-time and compares them to the values in the original Merkle
|
||||
tree, referenced by the embedded root hash.
|
||||
|
||||
If any discrepancies are found – that is, if the recalculated hash doesn't match the stored value –
|
||||
it indicates potential tampering, and the OS can halt access or take appropriate measures.
|
||||
|
||||
.. graphviz::
|
||||
|
||||
digraph SecureBootFlow {
|
||||
rankdir=TB;
|
||||
|
||||
node [shape=box, style=filled, fillcolor="#e6f2ff"];
|
||||
edge [color="#0099cc", fontsize=12];
|
||||
|
||||
Hardware [label="Hardware\n(ARM32/AARCH64 with eMMC)"];
|
||||
Firmware [label="u-boot Firmware\n(UEFI EBRR subset)"];
|
||||
eMMCConfig [label="eMMC Configuration\n(GPT with EFI partition)"];
|
||||
EFIBootGuard [label="EFIBootGuard\n(A/B Kernel Switching)"];
|
||||
UnifiedKernel [label="Unified Kernel Image\n(Kernel, cmd line, DTB)"];
|
||||
KernelAndRootFS [label="Kernel & RootFS\n(dm-verity validation)"];
|
||||
|
||||
Hardware -> Firmware [label="Flashed with u-boot\n+ Built-in keys"];
|
||||
Firmware -> eMMCConfig [label="eMMC boot"];
|
||||
eMMCConfig -> EFIBootGuard [label="Boots from EFI partition"];
|
||||
EFIBootGuard -> UnifiedKernel [label="Selects kernel A/B"];
|
||||
UnifiedKernel -> KernelAndRootFS [label="Kernel boot\n+ RootFS verification"];
|
||||
|
||||
}
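Review bot: The "eMMC User Partition" list says the efibootguard binary (item 1, EFI) and the UKI (item 2, EBG0) are each "signed with a key present in the `dbx` database". That contradicts this document's own key section, where `dbx` is the forbidden database and `db` is the allowed one. As written it tells the reader that the boot chain is signed by revoked keys, so both sentences should read "signed with a key present in the `db` database". In the same section "Essential Firmware Interface" should be "Extensible Firmware Interface". EBBR stands for Embedded Base Boot Requirements rather than "ARM Base Boot Requirements", and the second graph's label spells it `EBRR`. The "Unified Kernel Image" section also lists PK and KEK among the keys an image signature is checked against, whereas the key section describes them as authorising changes to `db`/`dbx`; it would be clearer to say the image is checked against `db` and `dbx` only.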
|
||||
|
|
@ -3,33 +3,35 @@
|
|||
CoreOS Installer
|
||||
****************
|
||||
|
||||
The CoreOS installer is a set of script running on the target and a
|
||||
The CoreOS installer is a set of scripts running on the target and a
|
||||
corresponding bitbake image that is used into the bootstrap process of CoreOS.
|
||||
|
||||
coreos-image-installer
|
||||
======================
|
||||
|
||||
The CoreOS installer image is a single binary EFI file that include a kernel,
|
||||
device tree and an initramfs with all the tools needed to install CoreOS.
|
||||
The CoreOS image installer results in an image contairing only a single binary
|
||||
EFI file. This EFI file includes a kernel, a device tree and an initramfs with
|
||||
all (and only) the tools needed to install CoreOS.
|
||||
|
||||
An installer image is automatically built in parallel of a normal image.
|
||||
This can be deactivated by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 0.
|
||||
The installer image is not automatically built in parallel of a normal image.
|
||||
This can be changed by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 1 in the
|
||||
image file (as it is done for example in coreos-image-all-features.bb).
|
||||
|
||||
The installer image build by default only a single EFI binary named
|
||||
coreos-installer-MACHINE.efi. An SDCard image can be generate if
|
||||
coreos-installer-MACHINE.efi. An SDCard or USB image can be generated if
|
||||
`COREOS_INSTALLER_WKS_FILE` is set to a wks file.
|
||||
|
||||
coreos-installer
|
||||
================
|
||||
|
||||
The coreos-installer recipe installs some script that is used at startup
|
||||
to automatically format the internal emmc of the device. It also contains
|
||||
The coreos-installer recipe installs scripts that are used at startup to
|
||||
automatically format the internal emmc of the device. The recipe also contains
|
||||
a swupdate configuration file to setup swupdate correctly for that use case.
|
||||
|
||||
coreos-installer-config
|
||||
=======================
|
||||
|
||||
The coreos-installer-config recipe installs device specific configuration file
|
||||
used by the coreos-installer. This includes the partitionner config file. Distro
|
||||
and project based on CoreOS can change the partionning scheme or partition size
|
||||
used by the coreos-installer. This includes the partitioner config file. Distros
|
||||
and projects based on CoreOS can change the partioning scheme or partition size
|
||||
by installing their own version of this package using a `bbappend file`.
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ same structures.
|
|||
|
||||
Installation Manual <installation/index>
|
||||
Reference Manual <ref-manual/index>
|
||||
Testing Manual <testing/index>
|
||||
Boot Concepts <boot/index>
|
||||
Best Practices <best_practices/index>
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,354 @@
|
|||
.. index:: BATS
|
||||
|
||||
************************************
|
||||
BATS - Bash Automated Testing System
|
||||
************************************
|
||||
|
||||
The CoreOS distribution supports writing tests using shell syntax by providing the `bats` command.
|
||||
|
||||
If you want to use `bats`, you will need the following CoreOS packages:
|
||||
|
||||
- bats
|
||||
- bats-file
|
||||
- bats-assert
|
||||
|
||||
Overview of BATS
|
||||
================
|
||||
|
||||
A BATS test can be as simple as a single .bats file. For example:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#!/usr/bin/env bats
|
||||
|
||||
bats_load_library bats-support
|
||||
bats_load_library bats-assert
|
||||
|
||||
@test "can output to stdout" {
|
||||
run echo hello
|
||||
assert_output 'hello'
|
||||
}
|
||||
|
||||
You can run it using the command `bats <filename>.bats`
|
||||
|
||||
This will give you the following output:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sam@SAVE:~/Projects/tests$ bats <filename>.bats
|
||||
<filename>.bats
|
||||
✓ can output to stdout
|
||||
|
||||
1 test, 0 failures
|
||||
|
||||
The run command
|
||||
================
|
||||
|
||||
In shell tests, you often need to run commands and capture their output, exit
|
||||
status, and error messages. The run command provided by `bats` allows you to
|
||||
execute commands within your test cases and collect this information for later
|
||||
assertion and validation.
|
||||
|
||||
The run command will make the following variables available:
|
||||
|
||||
- `${status}`: exit code of the command run by `run`
|
||||
- `${output}`: combined content of `stdout` and `stderr`
|
||||
- `${lines[@]}`: array of lines of the output
|
||||
- `${BATS_RUN_COMMAND}`: command run by the `run` command
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
@test "invoking foo with a nonexistent file prints an error" {
|
||||
run foo nonexistent_filename
|
||||
[ "$status" -eq 1 ]
|
||||
[ "$output" = "foo: no such file 'nonexistent_filename'" ]
|
||||
[ "$BATS_RUN_COMMAND" = "foo nonexistent_filename" ]
|
||||
|
||||
}
|
||||
|
||||
The `run` command accepts some parameters:
|
||||
|
||||
- `-N`: Expect N as exit status and fail otherwise
|
||||
- `-!`: Expect non-zero exit status and fail if the command succeeds.
|
||||
- `--keep-empty-lines`: don't remove empty lines from `${lines}`
|
||||
- `--separate-stderr`: Use separate variables for stderr `${stderr}` and `${stderr_lines[@]}`
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
@test "invoking foo without arguments prints usage" {
|
||||
run -1 foo
|
||||
[ "${lines[0]}" = "usage: foo <filename>" ]
|
||||
}
|
||||
|
||||
The bats-assert helper
|
||||
======================
|
||||
|
||||
The `bats-assert` helper provides some functions to create more readable tests.
|
||||
These assertions use the variables created by the `run` command and can be used
|
||||
as follows:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
@test 'assert_output()' {
|
||||
run echo 'have'
|
||||
assert_output 'want'
|
||||
}
|
||||
|
||||
The following functions are provided:
|
||||
|
||||
- `assert` and `refute`: Assert that a given expression evaluates to true or false.
|
||||
- `assert_equal`: Assert that two parameters are equal.
|
||||
- `assert_not_equal`: Assert that two parameters are not equal.
|
||||
- `assert_success` and `assert_failure`: Assert that the exit status is 0 or 1.
|
||||
- `assert_output` and `refute_output`: Assert that the output does (or does not) contain the given content.
|
||||
- `assert_line` and `refute_line`: Assert that a specific line of the output does (or does not) contain the given content.
|
||||
- `assert_regex` and `refute_regex`: Assert that a parameter matches (or does not match) the given pattern.
|
||||
|
||||
The bats-file helper
|
||||
====================
|
||||
|
||||
The `bats-file` helper provides functions to help work with files in tests:
|
||||
|
||||
**Test File Types:**
|
||||
|
||||
- `assert_exists` and `assert_not_exists`: Check if a file or directory exists.
|
||||
- `assert_file_exists` and `assert_file_not_exists`: Check if a file exists.
|
||||
- `assert_dir_exists` and `assert_dir_not_exists`: Check if a directory exists.
|
||||
- `assert_link_exists` and `assert_link_not_exists`: Check if a link exists.
|
||||
- `assert_block_exists` and `assert_block_not_exists`: Check if a block special file exists.
|
||||
- `assert_character_exists` and `assert_character_not_exists`: Check if a character special file exists.
|
||||
- `assert_socket_exists` and `assert_socket_not_exists`: Check if a socket exists.
|
||||
- `assert_fifo_exists` and `assert_fifo_not_exists`: Check if a fifo special file exists.
|
||||
|
||||
**Test File Attributes:**
|
||||
|
||||
- `assert_file_executable` and `assert_file_not_executable`
|
||||
- `assert_file_owner` and `assert_file_not_owner`
|
||||
- `assert_file_permission` and `assert_not_file_permission`
|
||||
- `assert_file_size_equals`
|
||||
- `assert_size_zero` and `assert_size_not_zero`
|
||||
- `assert_file_group_id_set` and `assert_file_not_group_id_set`
|
||||
- `assert_file_user_id_set` and `assert_file_not_user_id_set`
|
||||
- `assert_sticky_bit` and `assert_no_sticky_bit`
|
||||
|
||||
**Test File Content:**
|
||||
|
||||
- `assert_file_empty` and `assert_file_not_empty`
|
||||
- `assert_file_contains` and `assert_file_not_contains`
|
||||
- `assert_symlink_to` and `assert_not_symlink_to`
|
||||
|
||||
**Working with a temporary directory:**
|
||||
|
||||
- `temp_make` and `temp_del`
|
||||
|
||||
Pre- and Post-test case hooks
|
||||
==============================
|
||||
|
||||
In some cases, it's useful to have a function that runs before or after each test
|
||||
case in a bats file.
|
||||
|
||||
A function named `setup` will run before each test case, and a function
|
||||
named `teardown` will run after each test case.
|
||||
|
||||
This example creates a directory in the setup function but lacks a teardown
|
||||
that removes the directory. The second time the setup function is run, the
|
||||
setup will fail as the directory already exists:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#!/usr/bin/env bats
|
||||
|
||||
bats_load_library bats-support
|
||||
bats_load_library bats-assert
|
||||
bats_load_library bats-file
|
||||
|
||||
setup() {
|
||||
mkdir tmp
|
||||
echo 'a' >> ./tmp/test
|
||||
}
|
||||
|
||||
@test "test contains a single a I" {
|
||||
assert_file_contains ./tmp/test '^a$'
|
||||
}
|
||||
|
||||
@test "test contains a single a II" {
|
||||
assert_file_contains ./tmp/test '^a$'
|
||||
}
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sam@SAVE:~/Projects/tests$ bats test.bats
|
||||
test.bats
|
||||
✓ test contains a single a I
|
||||
✗ test contains a single a II
|
||||
(from function `setup' in test file test.bats, line 8)
|
||||
`mkdir tmp' failed
|
||||
mkdir: cannot create directory ‘tmp’: File exists
|
||||
|
||||
2 tests, 1 failure
|
||||
|
||||
This can be easily fixed by adding a teardown function:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#!/usr/bin/env bats
|
||||
|
||||
bats_load_library bats-support
|
||||
bats_load_library bats-assert
|
||||
bats_load_library bats-file
|
||||
|
||||
setup() {
|
||||
mkdir tmp
|
||||
echo 'a' >> ./tmp/test
|
||||
}
|
||||
|
||||
teardown() {
|
||||
rm -rf ./tmp
|
||||
}
|
||||
|
||||
|
||||
|
||||
@test "test contains a single a I" {
|
||||
assert_file_contains ./tmp/test '^a$'
|
||||
}
|
||||
|
||||
@test "test contains a single a II" {
|
||||
assert_file_contains ./tmp/test '^a$'
|
||||
}
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sam@SAVE:~/Projects/tests$ bats test.bats
|
||||
test.bats
|
||||
✓ test contains a single a I
|
||||
✓ test contains a single a II
|
||||
|
||||
2 tests, 0 failures
|
||||
|
||||
Pre- and Post-test file hooks
|
||||
=============================
|
||||
|
||||
To run some code before executing a test file or after executing it, the
|
||||
functions `setup_file` and `teardown_file` can be used.
|
||||
|
||||
The last example could be refactored to only create the tmp directory once:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
#!/usr/bin/env bats
|
||||
|
||||
bats_load_library bats-support
|
||||
bats_load_library bats-assert
|
||||
bats_load_library bats-file
|
||||
|
||||
setup_file() {
|
||||
export DIR="./tmp"
|
||||
export FILE="${DIR}/test"
|
||||
mkdir "${DIR}"
|
||||
}
|
||||
|
||||
teardown_file() {
|
||||
rm -rf "${DIR}"
|
||||
}
|
||||
|
||||
setup() {
|
||||
echo 'a' >> "${FILE}"
|
||||
}
|
||||
|
||||
teardown() {
|
||||
rm "${FILE}"
|
||||
}
|
||||
|
||||
@test "test contains a single a I" {
|
||||
assert_file_contains "${FILE}" '^a$'
|
||||
}
|
||||
|
||||
@test "test contains a single a II" {
|
||||
assert_file_contains "${FILE}" '^a$'
|
||||
}
|
||||
|
||||
Multiple files
|
||||
==============
|
||||
|
||||
With `bats`, a file is a test suite. If you have multiple `bats` files in a
|
||||
directory and you provide the directory in the `bats` command line, `bats`
|
||||
will execute all the test suites.
|
||||
|
||||
Example: `bats .`
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sam@SAVE:~/Projects/tests$ bats .
|
||||
./first.bats
|
||||
✓ can run our script
|
||||
✗ second test
|
||||
(in test file ./first.bats, line 27)
|
||||
`false' failed
|
||||
./second.bats
|
||||
✓ multi file
|
||||
./test.bats
|
||||
✓ test contains a single a I
|
||||
✓ test contains a single a II
|
||||
|
||||
5 tests, 1 failure
|
||||
|
||||
Pre- and Post-suite hooks
|
||||
=========================
|
||||
|
||||
If you want to execute the same function before each test suite or after
|
||||
each test suite, create a file named `setup_suite.bash`. In this file,
|
||||
create a function named `setup_suite()` and another named `teardown_suite()`.
|
||||
|
||||
Exporting the test results
|
||||
==========================
|
||||
|
||||
Test results can be exported using the JUnit XML format. This can then be
|
||||
used in other tools and merged with other JUnit XML formats to generate a final
|
||||
test report.
|
||||
|
||||
Example:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sam@SAVE:~/Projects/tests$ bats . -F junit
|
||||
|
||||
This will produce the following XML content on stdout:
|
||||
|
||||
.. code-block:: xml
|
||||
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<testsuites time="0.048">
|
||||
<testsuite name="./first.bats" tests="2" failures="1" errors="0" skipped="0" time="0.025" timestamp="2023-08-16T14:22:15" hostname="SAVE">
|
||||
<testcase classname="./first.bats" name="can run our script" time="0.013" />
|
||||
<testcase classname="./first.bats" name="second test" time="0.012">
|
||||
<failure type="failure">(in test file ./first.bats, line 27)
|
||||
`false' failed</failure>
|
||||
</testcase>
|
||||
|
||||
</testsuite>
|
||||
<testsuite name="./second.bats" tests="1" failures="0" errors="0" skipped="0" time="0.008" timestamp="2023-08-16T14:22:15" hostname="SAVE">
|
||||
<testcase classname="./second.bats" name="multi file" time="0.008" />
|
||||
|
||||
</testsuite>
|
||||
<testsuite name="./test.bats" tests="2" failures="0" errors="0" skipped="0" time="0.015" timestamp="2023-08-16T14:22:15" hostname="SAVE">
|
||||
<testcase classname="./test.bats" name="test contains a single a I" time="0.008" />
|
||||
<testcase classname="./test.bats" name="test contains a single a II" time="0.007" />
|
||||
|
||||
</testsuite>
|
||||
</testsuites>
|
||||
|
||||
Going further
|
||||
=============
|
||||
|
||||
`bats` scripts can be checked with shellcheck for common mistakes.
|
||||
|
||||
The `bats-assert` add-on provides many helper functions to perform
|
||||
assertions with a more readable syntax than the shell's built-in syntax.
|
||||
|
||||
See https://github.com/bats-core/bats-assert
|
||||
|
||||
The `bats-file` add-on provides helper functions to check for files. See
|
||||
https://github.com/bats-core/bats-file/
|
||||
|
||||
You can find a list of projects using `bats` on this page:
|
||||
https://github.com/bats-core/bats-core/wiki/Projects-Using-Bats
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
|
||||
==============================
|
||||
Belden CoreOS Testing Manual
|
||||
==============================
|
||||
|
||||
This manual is a work on progress on how to test and how to write test for
|
||||
CoreOS or CoreOS based distribution.
|
||||
|
||||
|
|
||||
|
||||
.. toctree::
|
||||
:caption: Table of Contents
|
||||
:numbered:
|
||||
|
||||
bats
|
||||
|
|
@ -0,0 +1 @@
|
|||
Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446
|
||||
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6
|
||||
|
|
@ -1 +1 @@
|
|||
Subproject commit 346753705e49a2486867dc150181a1c7f4d69377
|
||||
Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b
|
||||
|
|
@ -1 +1 @@
|
|||
Subproject commit eaa4dcbac224c9f5e7da784dcda78b67f117cf63
|
||||
Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c
|
||||
|
|
@ -0,0 +1 @@
|
|||
Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720
|
||||
|
|
@ -1 +1 @@
|
|||
Subproject commit af02908efda1580e77b3fdeed25b124a2b8d9482
|
||||
Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846
|
||||
|
|
@ -1 +1 @@
|
|||
Subproject commit 8ce2b1a3083f61e5a3df3a80c3de7d294bc71bb5
|
||||
Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33
|
||||
|
|
@ -3,7 +3,7 @@
|
|||
# UEFI Secure boot configuration
|
||||
# ==============================================================================
|
||||
|
||||
COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
|
||||
COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
|
||||
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
|
||||
|
||||
# UEFI Secure boot helpers
|
||||
|
|
@ -16,7 +16,7 @@ HOSTTOOLS += "sbsign"
|
|||
|
||||
# Ensure that the public keys are always deployed to the deploy directory
|
||||
# before running wic
|
||||
do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
|
||||
do_image_wic[depends] += "cos-certificates-and-keys-native:do_deploy"
|
||||
|
||||
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
|
||||
def get_coreos_secureboot_efi_boot_files(d):
|
||||
|
|
@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
|
|||
|
||||
IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
|
||||
|
||||
def get_coreos_secureboot_keydir_hash(d):
|
||||
"""
|
||||
Generate a space separate list, with a value for each file inside of
|
||||
keydir. Fromat: <filename>:md5:<md5sum>
|
||||
"""
|
||||
import hashlib
|
||||
|
||||
keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
|
||||
value = ""
|
||||
|
||||
for keyname in os.listdir(keydir):
|
||||
filepath = os.path.join(keydir, keyname)
|
||||
if os.path.isfile(filepath):
|
||||
md5 = bb.utils.md5_file(filepath)
|
||||
value += f"{keyname}:md5:{md5} "
|
||||
|
||||
return value
|
||||
|
||||
# The build system should detect if someone change one of the key inside
|
||||
# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
|
||||
# depends on this directory
|
||||
COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
|
||||
COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"
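Review bot: The first hunk moves the default of `COREOS_EFI_SECUREBOOT_KEYDIR` to `${RECIPE_SYSROOT_NATIVE}/${datadir}/keys`, but this directory also holds private keys: the deleted deploy recipe in this compare notes that the `.key` files there are private, and the swupdate class reads `swupdate.key` from it. If `cos-certificates-and-keys-native` (not shown) installs those private keys into its sysroot, they would normally be captured in sstate archives and in any shared cache or mirror. I would add a comment above the variable such as `# Only public material may be staged via the sysroot; supply private signing keys from outside the build tree`. The third hunk also removes `get_coreos_secureboot_keydir_hash` and the `[vardeps]` entry, so re-signing after a key change now relies on the native recipe's task hashes; it is worth confirming that a `COREOS_EFI_SECUREBOOT_KEYDIR` overridden to an external path still triggers a rebuild. The class starts and ends outside these hunks.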
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ include conf/machine/include/arm/armv7a/tune-cortexa8.inc
|
|||
IMAGE_FSTYPES += "wic wic.xz wic.bmap"
|
||||
WKS_FILE ?= "beaglebone-sdcard.wks.in"
|
||||
COREOS_INSTALLER_WKS_FILE ?= "beaglebone-sdcard-installer.wks"
|
||||
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
|
||||
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image"
|
||||
do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
|
||||
do_image_wic[recrdeptask] += "do_bootimg"
|
||||
|
||||
|
|
@ -21,10 +21,10 @@ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
|
|||
APPEND:append = " console=ttyS0,115200"
|
||||
|
||||
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
|
||||
PREFERRED_VERSION_linux-yocto ?= "5.15%"
|
||||
PREFERRED_VERSION_linux-yocto ?= "6.6%"
|
||||
|
||||
KERNEL_IMAGETYPE = "zImage"
|
||||
KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
|
||||
DTB_FILES = "ti/omap/am335x-bone.dtb ti/omap/am335x-boneblack.dtb ti/omap/am335x-bonegreen.dtb"
|
||||
KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
|
||||
|
||||
PREFERRED_PROVIDER_virtual/bootloader ?= "u-boot"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,39 @@
|
|||
#@TYPE: Machine
|
||||
#@NAME: eagle40-03
|
||||
#@DESCRIPTION: Machine support for EAGLE40-03
|
||||
#
|
||||
|
||||
require include/coreos-generic-arch/x64.inc
|
||||
|
||||
MACHINE_FEATURES += "pci usbhost x86 serial efi"
|
||||
|
||||
# Kernel configuration
|
||||
# ******************************************************************************
|
||||
|
||||
PREFERRED_VERSION_linux-yocto ?= "6.6%"
|
||||
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
|
||||
|
||||
KERNEL_IMAGETYPE = "bzImage"
|
||||
|
||||
# getty configuration
|
||||
# ******************************************************************************
|
||||
|
||||
SERIAL_CONSOLES = "115200;ttyS0"
|
||||
SERIAL_CONSOLES_CHECK = "ttyS0"
|
||||
APPEND += "console=ttyS0,115200"
|
||||
|
||||
# Image generation
|
||||
# ******************************************************************************
|
||||
|
||||
# Ensure that both flash-image.bin and boot.scr are generated as they are needed
|
||||
# for a wic image
|
||||
WKS_FILE = "generic-uefi.wks.in"
|
||||
COREOS_INSTALLER_WKS_FILE ?= "generic-uefi-usb-installer.wks"
|
||||
IMAGE_FSTYPES += "wic.xz wic.bmap"
|
||||
|
||||
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules"
|
||||
|
||||
# No watchdog available yet
|
||||
EFIBOOTGUARD_TIMEOUT ?= "0"
|
||||
require conf/machine/include/coreos-generic-features/efi.inc
|
||||
require conf/machine/include/coreos-generic-features/partitions.inc
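Review bot: The comment above `WKS_FILE` (`Ensure that both flash-image.bin and boot.scr are generated ...`) matches nothing in this machine file, which selects `generic-uefi.wks.in` and names neither artifact. It looks carried over from another machine and could become `# UEFI disk layout shared with the generic machines`. `EFIBOOTGUARD_TIMEOUT ?= "0"` is what partitions.inc passes as `watchdog=` to both efibootguard partitions, while a kernel fragment in this compare enables `CONFIG_F71808E_WDT`. If 0 means the boot watchdog is not armed, a hung boot will not fall back to the other slot, so the `No watchdog available yet` comment should state that consequence and when the value is to be raised.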
|
||||
|
|
@ -1,15 +1,20 @@
|
|||
|
||||
# Variable used in WKS file
|
||||
|
||||
# Variables used in WKS file
|
||||
WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
|
||||
WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
|
||||
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=kernel-${MACHINE}.efi;KERNEL.EFI"'
|
||||
WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
|
||||
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
|
||||
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
|
||||
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
|
||||
WKS_PART_ROOT_SIZE ??= '2G'
|
||||
WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
|
||||
|
||||
PART_EFI_SIZE ??= '64M'
|
||||
PART_ROOT_SIZE ??= '1G'
|
||||
PART_EFIBG_SIZE ??= '128M'
|
||||
PART_USERDATA_SIZE ??= '1G'
|
||||
|
||||
# Variables used in SFDISK file
|
||||
SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
|
||||
SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
|
||||
SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
|
||||
SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
|
||||
SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
|
||||
SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
|
||||
SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'
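Review bot: The wks templates in this compare switch from `${WKS_PART_ROOT_SIZE}` (default `2G` here) to the new `${PART_ROOT_SIZE}` (default `1G`), so a layer that set `WKS_PART_ROOT_SIZE` silently gets a smaller root partition. If the old variable is meant to stay, I would bridge it with `PART_ROOT_SIZE ??= "${WKS_PART_ROOT_SIZE}"`, noting that this keeps the default at `2G`. Otherwise it should be dropped from this file and the rename called out in the release notes. A one-line comment above the `PART_*_SIZE` block would also help, saying that the values feed both the wic and the sfdisk templates and so need a size suffix both tools accept.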
|
||||
|
|
|
|||
|
|
@ -6,12 +6,12 @@ MACHINE_FEATURES += "wifi efi"
|
|||
# Add an override that work for all pc image
|
||||
MACHINEOVERRIDES =. "vm:"
|
||||
|
||||
PREFERRED_VERSION_linux-yocto ?= "5.15%"
|
||||
PREFERRED_VERSION_linux-yocto ?= "6.6%"
|
||||
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
|
||||
|
||||
MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"
|
||||
|
||||
IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk"
|
||||
IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk wic.vhdx"
|
||||
|
||||
WKS_FILE ?= "generic-uefi.wks.in"
|
||||
do_image_wic[depends] += "gptfdisk-native:do_populate_sysroot"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,15 @@
|
|||
#@TYPE: Machine
|
||||
#@NAME: qemu-generic-arm64
|
||||
#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
|
||||
#have working firmware and boot via EFI.
|
||||
|
||||
require conf/machine/qemu-generic-arm64.conf
|
||||
MACHINEOVERRIDES =. "qemu-generic-arm64:"
|
||||
|
||||
COREOS_IMAGE_GENERATE_INSTALLER = "0"
|
||||
|
||||
WKS_FILE = "qemu-efi-coreos-generic.wks.in"
|
||||
|
||||
EFIBOOTGUARD_TIMEOUT ?= "0"
|
||||
require conf/machine/include/coreos-generic-features/efi.inc
|
||||
require conf/machine/include/coreos-generic-features/partitions.inc
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
SUMMARY = "A recipe to deploy UEFI public keys update files"
|
||||
LICENSE = "CLOSED"
|
||||
|
||||
|
||||
INHIBIT_DEFAULT_DEPS = "1"
|
||||
inherit nopackages
|
||||
|
||||
inherit deploy
|
||||
inherit coreos-efi-secureboot
|
||||
|
||||
# Public key needed by firmware very depending on the implementation
|
||||
# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
|
||||
addtask deploy after do_compile
|
||||
do_deploy() {
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
|
||||
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
|
||||
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
|
||||
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
|
||||
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
|
||||
|
||||
# !SECURITY WARNING!
|
||||
# .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
|
||||
}
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
# Add signature support
|
||||
|
||||
inherit coreos-efi-sbsign
|
||||
require conf/image-uefi.conf
|
||||
|
||||
do_deploy:append() {
|
||||
|
||||
if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
|
||||
coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
|
||||
fi
|
||||
}
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
# Ensure that file are found event when this file is included in another layer
|
||||
# ==============================================================================
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
|
||||
|
||||
# Main include file for u-boot to ensure CoreOS compatibility
|
||||
# ==============================================================================
|
||||
|
||||
SRC_URI += " \
|
||||
${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
|
||||
"
|
||||
|
||||
require u-boot-coreos-efi.inc
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
|
||||
require u-boot-coreos.inc
|
||||
|
|
@ -12,8 +12,8 @@ sector-size: 512
|
|||
/dev/mmcblk1p1 : start= 256, size= 512, type=4DA6E9DA-C803-4BE4-BAC4-8192717C5EB0, name="mlo", attrs="RequiredPartition"
|
||||
/dev/mmcblk1p2 : start= 768, size= 8192, type=5B97345D-B7A1-47D3-A491-ED40F4841639, name="uboot", attrs="RequiredPartition"
|
||||
|
||||
/dev/mmcblk1p3 : start= 8960, size= 131072, ${SFDISK_PART_EFI}
|
||||
/dev/mmcblk1p4 : start= 140032, size= 262144, ${SFDISK_PART_EFIBOOTGUARD_A}
|
||||
/dev/mmcblk1p5 : start= 402176, size= 262144, ${SFDISK_PART_EFIBOOTGUARD_B}
|
||||
/dev/mmcblk1p6 : start= 664320, size= 3403375, ${SFDISK_PART_ROOT_A}
|
||||
/dev/mmcblk1p7 : start= 4067695, size= 3403375, ${SFDISK_PART_ROOT_B}
|
||||
/dev/mmcblk1p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
|
||||
/dev/mmcblk1p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
|
||||
/dev/mmcblk1p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
|
||||
/dev/mmcblk1p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
|
||||
/dev/mmcblk1p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
label: gpt
|
||||
device: /dev/mmcblk2
|
||||
unit: sectors
|
||||
first-lba: 34
|
||||
last-lba: 7471070
|
||||
sector-size: 512
|
||||
|
||||
/dev/mmcblk2p1 : start= 256, size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
|
||||
/dev/mmcblk2p2 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
|
||||
/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
|
||||
/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
|
||||
/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
|
||||
/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"
|
||||
|
||||
SRC_URI:append:beaglebone = " file://beaglebone_1.0.sfdisk"
|
||||
SRC_URI:append:eagle40-03 = " file://eagle40-03_1.0.sfdisk"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,2 @@
|
|||
CONFIG_F71808E_WDT=y
|
||||
CONFIG_WATCHDOG_SYSFS=y
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
CONFIG_HYPERVISOR_GUEST=y
|
||||
CONFIG_PARAVIRT=y
|
||||
CONFIG_PARAVIRT_SPINLOCKS=y
|
||||
CONFIG_CONNECTOR=y
|
||||
CONFIG_SCSI_FC_ATTRS=y
|
||||
CONFIG_HYPERV=y
|
||||
CONFIG_HYPERV_UTILS=y
|
||||
CONFIG_HYPERV_BALLOON=y
|
||||
CONFIG_HYPERV_STORAGE=y
|
||||
CONFIG_HYPERV_NET=y
|
||||
CONFIG_HYPERV_KEYBOARD=y
|
||||
CONFIG_FB_HYPERV=y
|
||||
CONFIG_HID_HYPERV_MOUSE=y
|
||||
CONFIG_PCI_HYPERV=y
|
||||
CONFIG_VSOCKETS=y
|
||||
CONFIG_HYPERV_VSOCKETS=y
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
|
||||
inherit coreos-efi-sbsign
|
||||
require conf/image-uefi.conf
|
||||
|
||||
# Ensure EFI STUB is enabled
|
||||
KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
|
||||
|
||||
# By default we use a Unified Kernel Image that contain the kernel, the
|
||||
# kernel command line and some device tree, so we don't need to sign the output
|
||||
# of the kernel recipes
|
||||
COREOS_KERNEL_EFI_SIGNED ??= "0"
|
||||
|
||||
# Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
|
||||
kernel_do_deploy:append() {
|
||||
if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
|
||||
deployDir="${DEPLOYDIR}"
|
||||
for imageType in ${KERNEL_IMAGETYPES} ; do
|
||||
baseName="$imageType-${KERNEL_IMAGE_NAME}"
|
||||
coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
@ -1,13 +1,20 @@
|
|||
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
|
||||
KMACHINE:vm-x64 ?= "common-pc-64"
|
||||
COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
|
||||
|
||||
# Enable some kernel features related to virtualiuzation
|
||||
KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
|
||||
SRC_URI:append:vm-x64 = " file://hyperv.cfg"
|
||||
|
||||
KMACHINE:eagle40-03 ?= "common-pc-64"
|
||||
KBRANCH:eagle40-03 = "v5.15/standard/base"
|
||||
SRCREV_machine:eagle40-03 ?= "3baf1c5c0e6084b3f4a1d2d805168d657f872e60"
|
||||
COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
|
||||
LINUX_VERSION:eagle40-03 = "5.15.134"
|
||||
|
||||
|
||||
KBRANCH:beaglebone = "v5.15/standard/beaglebone"
|
||||
KMACHINE:beaglebone ?= "beaglebone"
|
||||
SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
|
||||
COMPATIBLE_MACHINE:beaglebone = "beaglebone"
|
||||
LINUX_VERSION:beaglebone = "5.15.54"
|
||||
|
||||
require linux-yocto-coreos-efi.inc
|
||||
|
|
|
|||
|
|
@ -0,0 +1,14 @@
|
|||
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
|
||||
|
||||
KMACHINE:eagle40-03 ?= "common-pc-64"
|
||||
COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
|
||||
|
||||
KMACHINE:beaglebone ?= "beaglebone"
|
||||
COMPATIBLE_MACHINE:beaglebone = "beaglebone"
|
||||
|
||||
KMACHINE:vm-x64 ?= "common-pc-64"
|
||||
COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
|
||||
KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
|
||||
SRC_URI:append:vm-x64 = " file://hyperv.cfg"
|
||||
|
||||
SRC_URI += " file://eagle40-03.cfg"
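Review bot: `SRC_URI += " file://eagle40-03.cfg"` on the last line is unconditional, so the fragment is applied to the beaglebone and vm-x64 kernels as well. That fragment is presumably the two-line file in this compare enabling `CONFIG_F71808E_WDT` and `CONFIG_WATCHDOG_SYSFS`. `hyperv.cfg` two lines above is scoped with `:append:vm-x64`, and the same pattern fits here: `SRC_URI:append:eagle40-03 = " file://eagle40-03.cfg"`.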
|
||||
|
|
@ -13,8 +13,8 @@ part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mm
|
|||
# Let's define a 4MiB maximum size for the bootloader
|
||||
# 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
|
||||
${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --fixed-size 32M
|
||||
${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size 128M
|
||||
${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size 128M
|
||||
${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
|
||||
${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
|
||||
${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
|
||||
${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
|
||||
${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
|
||||
${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
|
||||
bootloader --ptable gpt
|
||||
|
|
|
|||
|
|
@ -0,0 +1,16 @@
|
|||
# short-description: Create USB image for Eagle 40-03
|
||||
# long-description: Creates a partitioned USB image for Eagle 40-03.
|
||||
|
||||
# offset 1S => 1 sector (1x512 byte)
|
||||
# The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
|
||||
# MBR disk use only the sector 0, so 1S is free
|
||||
# GPT disk use sector 0-33S, so first free slot is 256S
|
||||
# Offset are from the BBB default settings
|
||||
|
||||
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||
# Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
|
||||
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||
|
||||
part --offset 256S --source bootimg-partition --part-type=EF00 --ondisk mmcblk0
|
||||
part --fixed-size 3G --fstype=vfat --label=image
|
||||
bootloader --ptable gpt
|
||||
|
|
@ -1,10 +1,11 @@
|
|||
# short-description: Create an EFI disk image for genericx86*
|
||||
# long-description: Creates a partitioned EFI disk image for genericx86* machines
|
||||
${WKS_PART_EFI} --ondisk sda --align 1024 --size 64M --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_EFIBOOTGUARD_A} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_EFIBOOTGUARD_B} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||
|
||||
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
|
||||
${WKS_PART_EFI} --align 1024 --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
||||
|
||||
bootloader --ptable gpt
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
# short-description: Create an EFI disk image
|
||||
# long-description: Creates a partitioned EFI disk image that the user
|
||||
# can directly dd to boot media.
|
||||
|
||||
part --source efibootguard-efi --label efi --part-type=EF00 --use-uuid --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
|
||||
part / --source rootfs --fstype=ext4 --label rootfs0 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||
part --fstype=ext4 --label rootfs1 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||
part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||
part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
|
||||
${WKS_PART_USERDATA} --use-uuid --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
||||
|
||||
bootloader --ptable gpt
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
DESCRIPTION = "An image that includes k3s-agent"
|
||||
|
||||
require recipes-core/images/coreos-image-all-features.bb
|
||||
|
||||
IMAGE_INSTALL += "k3s-agent"
|
||||
|
||||
# To use this image, please add k3s to DISTRO_FEATURE inside your
|
||||
# local.conf config file.
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
#this file contains the necssary kernel adaption that k3s an containerd require
|
||||
#Reference
|
||||
#k3s config check: https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/check-config.sh
|
||||
#container config check: https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh
|
||||
#these scripts are provided by moby and rancher
|
||||
CONFIG_OABI_COMPAT=n
|
||||
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
|
||||
CONFIG_SECCOMP_FILTER=y
|
||||
|
|
@ -0,0 +1 @@
|
|||
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# Library to share code needed to install most available bats library
|
||||
|
||||
# Bats library are shell scripts, so they are arch independant
|
||||
inherit allarch
|
||||
|
||||
RDEPENDS:${PN} += "bats"
|
||||
|
||||
# Bats can find library in this folder by default
|
||||
BATS_LIB_PATH ?= "${libdir}/bats"
|
||||
|
||||
# By default the library will have the same name as the recipe
|
||||
BATS_INSTALL_DIR ?= "${BATS_LIB_PATH}/${PN}"
|
||||
FILES:${PN} += "${BATS_INSTALL_DIR}"
|
||||
|
||||
do_install() {
|
||||
install -d ${D}${BATS_INSTALL_DIR}
|
||||
cp -r ${S}/src ${D}${BATS_INSTALL_DIR}/
|
||||
install ${S}/load.bash ${D}${BATS_INSTALL_DIR}/
|
||||
}
|
||||
|
|
@ -3,6 +3,7 @@
|
|||
# > COREOS_IMAGE_EXTRACLASSES += "coreos-image-ci"
|
||||
# in auto.conf (or local.conf)
|
||||
|
||||
inherit kernel-artifact-names
|
||||
|
||||
def get_coreos_ci_artifacts(d):
|
||||
artifacts = []
|
||||
|
|
@ -29,6 +30,10 @@ def get_coreos_ci_artifacts(d):
|
|||
if bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d):
|
||||
artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')
|
||||
|
||||
# This is used for qemu-coreos-arm64
|
||||
if bb.utils.contains('IMAGE_FSTYPES', 'wic.qcow2', True, False, d):
|
||||
artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.qcow2')
|
||||
|
||||
if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1':
|
||||
artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,41 @@
|
|||
# Class used to generate image based on Belden CoreOS
|
||||
|
||||
export IMAGE_BASENAME = "${MLPREFIX}${PN}"
|
||||
IMAGE_NAME_SUFFIX ?= ""
|
||||
IMAGE_LINGUAS = ""
|
||||
|
||||
LICENSE = "MIT"
|
||||
|
||||
IMAGE_FSTYPES = "cpio.gz"
|
||||
|
||||
# Support for generating a SDCard or USB installer is optional
|
||||
COREOS_INSTALLER_WKS_FILE ??= ""
|
||||
WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
|
||||
IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
|
||||
IMAGE_BOOT_FILES = "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
|
||||
|
||||
COREOS_IMAGE_GENERATE_UKI = "1"
|
||||
|
||||
# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
|
||||
# run during image generation
|
||||
COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
|
||||
COREOS_IMAGE_GENERATE_SWU = "0"
|
||||
|
||||
# Change generated UKI filename and reset the bundled command line to "APPEND"
|
||||
# to ensure that root is not set in the kernel command line
|
||||
COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
|
||||
COREOS_KERNEL_CMDLINE ?= "${APPEND}"
|
||||
|
||||
inherit coreos-image
|
||||
|
||||
# Only install a reduced set of package and feature to keep image size small
|
||||
IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer coreos-installer-unattended util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
|
||||
IMAGE_FEATURES = "debug-tweaks swupdate"
|
||||
NO_RECOMMENDATIONS = "1"
|
||||
|
||||
IMAGE_ROOTFS_SIZE = "8192"
|
||||
INITRAMFS_MAXSIZE = "976562"
|
||||
IMAGE_ROOTFS_EXTRA_SPACE = "0"
|
||||
|
||||
# Use the same restriction as initramfs-module-install
|
||||
COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'
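Review bot: `IMAGE_FEATURES = "debug-tweaks swupdate"` hard-assigns `debug-tweaks` for every installer image, which in OpenEmbedded enables an empty root password and passwordless root login. The plain `=` in the class also leaves integrators no way to build a production installer without patching this file. Since the image installs `coreos-installer-unattended` and writes the system to disk, I would default to `IMAGE_FEATURES = "swupdate"` and let development builds opt in through a new weakly-defaulted variable, for example `IMAGE_FEATURES:append = " ${COREOS_INSTALLER_EXTRA_IMAGE_FEATURES}"` with `COREOS_INSTALLER_EXTRA_IMAGE_FEATURES ??= ""`. If the installer depends on the passwordless root login, a comment next to the line should say so.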
|
||||
|
|
@ -69,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):
|
|||
|
||||
return text
|
||||
|
||||
# Signature support
|
||||
inherit coreos-efi-secureboot
|
||||
SWUPDATE_SIGNING = "CMS"
|
||||
SWUPDATE_CMS_KEY = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
|
||||
SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
|
||||
|
||||
COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
|
||||
inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}
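Review bot: The added `SWUPDATE_CMS_KEY` and `SWUPDATE_CMS_CERT` lines fix the update-signing key pair to files inside `${COREOS_EFI_SECUREBOOT_KEYDIR}` with a plain `=`, so a value set in the distro or local configuration is overwritten when the class is parsed. It also ties the update-signing identity to the Secure Boot key directory. I would add a dedicated default, `COREOS_SWUPDATE_KEYDIR ??= "${COREOS_EFI_SECUREBOOT_KEYDIR}"`, and use `SWUPDATE_CMS_KEY ?= "${COREOS_SWUPDATE_KEYDIR}/swupdate.key"` (likewise for the certificate), so the two key sets can be stored and rotated separately. A comment should state that `swupdate.key` is a private key and whether it is expected to be passphrase-protected. `coreos_swupdate_extends` starts outside the hunk.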
|
||||
|
|
|
|||
|
|
@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
|
|||
COREOS_IMAGE_BASE_INSTALL = "\
|
||||
packagegroup-coreos-boot \
|
||||
packagegroup-coreos-base \
|
||||
secure-storage \
|
||||
"
|
||||
|
||||
COREOS_IMAGE_EXTRA_INSTALL ?= ""
|
||||
|
|
@ -89,10 +90,12 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
|
|||
# Unified kernel image and swupdate support
|
||||
# ==============================================================================
|
||||
|
||||
# Support for Unified Kernel Image and Swupdate are optional
|
||||
COREOS_IMAGE_GENERATE_INSTALLER ?= "1"
|
||||
COREOS_IMAGE_GENERATE_UKI ?= "1"
|
||||
COREOS_IMAGE_GENERATE_SWU ?= "1"
|
||||
# The CoreOS image installer is disabled by default.
|
||||
COREOS_IMAGE_GENERATE_INSTALLER ?= "0"
|
||||
|
||||
# Support for Unified Kernel Image and Swupdate are optional.
|
||||
COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
|
||||
COREOS_IMAGE_GENERATE_SWU ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"
|
||||
|
||||
# Generate the installer image if needed
|
||||
do_build[depends] += "${@'coreos-image-installer:do_build' if d.getVar('COREOS_IMAGE_GENERATE_INSTALLER') == '1' else ''}"
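Review bot: The new default for `COREOS_IMAGE_GENERATE_SWU` uses `"efi" in d.getVar('COMBINED_FEATURES')`, which is a substring test on the raw string and raises a TypeError if either variable is unset. The `COREOS_IMAGE_GENERATE_UKI` line directly above it uses `bb.utils.contains`, which matches whole list items. Writing both the same way removes the difference: `COREOS_IMAGE_GENERATE_SWU ?= "${@bb.utils.contains('COMBINED_FEATURES', 'efi', bb.utils.contains('DISTRO_FEATURES', 'swupdate', '1', '0', d), '0', d)}"`. Since the installer, UKI and SWU outputs now switch off by default or by feature, a comment naming which features enable each would save a reader from decoding the expressions.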
|
||||
|
|
|
|||
|
|
@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
|
|||
check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
|
||||
python check_coreos_sanity_eventhandler() {
|
||||
|
||||
import datetime
|
||||
|
||||
# Checks related to the distribution configuration files
|
||||
# ==========================================================================
|
||||
|
||||
|
|
@ -36,6 +38,15 @@ python check_coreos_sanity_eventhandler() {
|
|||
"Using glibc is mandatory on CoreOS based distribution"
|
||||
)
|
||||
|
||||
# Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
|
||||
first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
|
||||
foy_ts = str(int(first_of_year.timestamp()))
|
||||
if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
|
||||
bb.warn(
|
||||
"`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
|
||||
"Set to current 01. january of the year."
|
||||
)
|
||||
|
||||
# Checks related to the machine configuration files
|
||||
# ==========================================================================
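Review bot: The two adjacent string literals passed to `bb.warn` are joined without a separator, so the message prints as `outdated!Set to current ...`; end the first literal with a space (`... outdated! "`). The warning would also be easier to act on if it printed the expected value, for example by appending `foy_ts` to the text. `datetime.date.today()` takes the year from the build host's local clock while the timestamp is built with `tzinfo=datetime.timezone.utc`, so hosts in different time zones can briefly disagree around the new year. The body of `check_coreos_sanity_eventhandler` continues outside this hunk.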
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
require conf/distro/include/belden-coreos-base.inc
|
||||
|
||||
DISTRO = "belden-coreos-base"
|
||||
DISTRO_NAME = "Belden CoreOS (Base)"
|
||||
MAINTAINER = "Belden CoreOS Team"
|
||||
|
||||
DISTRO_VERSION = "0.0.1"
|
||||
DISTRO_CODENAME = "kirkstone"
|
||||
|
|
@ -1,87 +1,9 @@
|
|||
require conf/distro/include/belden-coreos-base.inc
|
||||
require conf/distro/include/belden-coreos-extra.inc
|
||||
|
||||
DISTRO = "belden-coreos"
|
||||
DISTRO_NAME = "Belden CoreOS"
|
||||
MAINTAINER = "Belden CoreOS Team"
|
||||
|
||||
INHERIT += "coreos_metadata_scm"
|
||||
|
||||
DISTRO_VERSION = "0.0.1"
|
||||
DISTRO_CODENAME = "kirkstone"
|
||||
|
||||
# Distro features and policies
|
||||
# ==============================================================================
|
||||
|
||||
PACKAGE_CLASSES = "package_ipk"
|
||||
INIT_MANAGER = "systemd"
|
||||
|
||||
# CoreOS use journald from the systemd package to handle log
|
||||
# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
|
||||
# This remove syslog from packagegroup-core-boot
|
||||
VIRTUAL-RUNTIME_syslog = ""
|
||||
VIRTUAL-RUNTIME_base-utils-syslog = ""
|
||||
|
||||
DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
|
||||
DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
|
||||
DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
|
||||
DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
|
||||
|
||||
# Build configuration
|
||||
# ==============================================================================
|
||||
|
||||
TARGET_VENDOR = "-belden"
|
||||
|
||||
# We don't support multiple libc, so we don't need to append the libc name to
|
||||
# the tmp directory: ie use build/tmp instead of build/tmp-glibc
|
||||
TCLIBCAPPEND = ""
|
||||
|
||||
SANITY_TESTED_DISTROS ?= " \
|
||||
debian-11 \n \
|
||||
ubuntu-22.04 \n \
|
||||
"
|
||||
|
||||
# This variable is used to ensure that any distribution using the CoreOS layer
|
||||
# include this file. This is checked by the coreos-sanity class
|
||||
SANITY_COREOS_COMPATIBLE ?= "1"
|
||||
|
||||
require conf/distro/include/no-static-libs.inc
|
||||
require conf/distro/include/yocto-uninative.inc
|
||||
require conf/distro/include/security_flags.inc
|
||||
|
||||
# uninative is need to share the sstates between multiple host distrubtion
|
||||
INHERIT += "uninative"
|
||||
|
||||
# Bitbake configuration
|
||||
# ==============================================================================
|
||||
|
||||
BB_SIGNATURE_HANDLER ?= "OEBasicHash"
|
||||
|
||||
# SDK Configuration
|
||||
# ==============================================================================
|
||||
|
||||
SDK_VENDOR = "-coreossdk"
|
||||
SDK_VERSION = "${DISTRO_VERSION}"
|
||||
SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
|
||||
SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
|
||||
SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
|
||||
|
||||
# EFI and Secure boot
|
||||
# ==============================================================================
|
||||
|
||||
EFI_PROVIDER = "efibootguard"
|
||||
EFIBOOTGUARD_TIMEOUT ??= "60"
|
||||
INHERIT += "coreos-efi-secureboot"
|
||||
|
||||
# Virtualization configuration
|
||||
# ==============================================================================
|
||||
|
||||
# Use crun insted of runc as a OCI runtime. crun is faster and need less memory
|
||||
# than runc so it's a better fit for embedded
|
||||
#PREFERRED_PROVIDER_virtual/runc = "crun"
|
||||
PACKAGECONFIG:append:pn-podman = " rootless"
|
||||
DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"
|
||||
|
||||
# CoreOS specific options
|
||||
# ==============================================================================
|
||||
|
||||
# Distro based on CoreOS can provide their own configuration files for the
|
||||
# CoreOS installer by overriding this variable
|
||||
PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,118 @@
|
|||
# This is the base include file for all coreos based distro
|
||||
# it should support the most basic distro without optional coreos
|
||||
# features
|
||||
|
||||
# Using :coreos override should work on all CoreOS based distro
|
||||
# Note that :belden-coreos does not work on CoreOS based distro but will
|
||||
# work when build for the belden-coreos distro
|
||||
DISTROOVERRIDES = "coreos:${DISTRO}"
|
||||
|
||||
INHERIT += "coreos_metadata_scm"
|
||||
|
||||
# Distro features and policies
|
||||
# ==============================================================================
|
||||
|
||||
PACKAGE_CLASSES = "package_ipk"
|
||||
INIT_MANAGER = "systemd"
|
||||
|
||||
# CoreOS use journald from the systemd package to handle log
|
||||
# https://docs.yoctoproject.org/singleindex.html#using-systemd-journald-without-a-traditional-syslog-daemon
|
||||
# This remove syslog from packagegroup-core-boot
|
||||
VIRTUAL-RUNTIME_syslog = ""
|
||||
VIRTUAL-RUNTIME_base-utils-syslog = ""
|
||||
|
||||
DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam"
|
||||
|
||||
# CoreOS wasn't compatible with older Yocto version, so we should not have any
|
||||
# features backfilled. Value are from DISTRO_FEATURES_BACKFILL
|
||||
# with the exception of gobject-introspection-data that are backfilled on
|
||||
# purpose, this allow to use C library based on gobject in python or javascript
|
||||
DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio sysvinit ldconfig"
|
||||
|
||||
DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
|
||||
|
||||
# Build configuration
|
||||
# ==============================================================================
|
||||
|
||||
TARGET_VENDOR = "-belden"
|
||||
|
||||
# We don't support multiple libc, so we don't need to append the libc name to
|
||||
# the tmp directory: ie use build/tmp instead of build/tmp-glibc
|
||||
TCLIBCAPPEND = ""
|
||||
|
||||
SANITY_TESTED_DISTROS ?= " \
|
||||
debian-11 \n \
|
||||
ubuntu-22.04 \n \
|
||||
"
|
||||
|
||||
# This variable is used to ensure that any distribution using the CoreOS layer
|
||||
# include this file. This is checked by the coreos-sanity class
|
||||
SANITY_COREOS_COMPATIBLE ?= "1"
|
||||
|
||||
require conf/distro/include/no-static-libs.inc
|
||||
require conf/distro/include/yocto-uninative.inc
|
||||
require conf/distro/include/security_flags.inc
|
||||
|
||||
# uninative is need to share the sstates between multiple host distrubtion
|
||||
INHERIT += "uninative"
|
||||
|
||||
# Bitbake configuration
|
||||
# ==============================================================================
|
||||
|
||||
BB_SIGNATURE_HANDLER ?= "OEBasicHash"
|
||||
|
||||
# SDK Configuration
|
||||
# ==============================================================================
|
||||
|
||||
SDK_VENDOR = "-coreossdk"
|
||||
SDK_VERSION = "${DISTRO_VERSION}"
|
||||
SDK_VERSION[vardepvalue] = "${SDK_VERSION}"
|
||||
SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
|
||||
SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
|
||||
|
||||
# EFI and Secure boot
|
||||
# ==============================================================================
|
||||
|
||||
EFI_PROVIDER = "efibootguard"
|
||||
EFIBOOTGUARD_TIMEOUT ??= "60"
|
||||
INHERIT += "coreos-efi-secureboot"
|
||||
|
||||
|
||||
# PACKAGECONFIG
|
||||
# ==============================================================================
|
||||
# Reduce the size of some package by disabling some feature by default
|
||||
|
||||
# Distro using coreos can re-enabled a disabled config by changing
|
||||
# the COREOS_DISABLED_PACKAGECONFIG variable
|
||||
|
||||
PACKAGECONFIG:pn-systemd ?= " \
|
||||
${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \
|
||||
hostnamed \
|
||||
kmod \
|
||||
localed \
|
||||
logind \
|
||||
set-time-epoch \
|
||||
sysusers \
|
||||
userdb \
|
||||
vconsole \
|
||||
wheel-group \
|
||||
zstd \
|
||||
"
|
||||
|
||||
# DNS Configuration
|
||||
|
||||
|
||||
# CoreOS specific options
|
||||
# ==============================================================================
|
||||
|
||||
# Distro based on CoreOS can provide their own configuration files for the
|
||||
# CoreOS installer by overriding this variable
|
||||
PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
|
||||
|
||||
# This TS represents 01.01.2024 generating it dynamically would cause a lot of
|
||||
# things to get re-build, we need a good solution for this or change it every
|
||||
# year
|
||||
REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"
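Review bot: The base `DISTRO_FEATURES` default has no `seccomp`, and the `PACKAGECONFIG:pn-systemd` default only picks it up through `bb.utils.filter('DISTRO_FEATURES', ...)`. A distro that requires only this base include therefore builds systemd without seccomp support, which, as far as I know, leaves `SystemCallFilter=` sandboxing in unit files unenforced. On this page `seccomp` is only added by the optional-features include. If the base distro is meant to keep that hardening, extend the default: `DISTRO_FEATURES ?= "usbhost pci ipv4 ipv6 wifi multiarch usrmerge efi pam seccomp"`. Separately, the PACKAGECONFIG comment names `COREOS_DISABLED_PACKAGECONFIG`, which this file neither sets nor reads, and the `# DNS Configuration` heading has nothing under it.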
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
# This is the include all the CoreOS feature that are optional
|
||||
|
||||
# Virtualization configuration
|
||||
# ==============================================================================
|
||||
|
||||
PACKAGECONFIG:append:pn-podman = " rootless"
|
||||
DISTRO_FEATURES += "virtualization seccomp"
|
||||
|
||||
# swupdate configuration
|
||||
# ==============================================================================
|
||||
|
||||
# Enable the generation of .swu file for images
|
||||
DISTRO_FEATURES += "swupdate"
|
||||
|
||||
# Networking configuration
|
||||
# ==============================================================================
|
||||
|
||||
# Add networking support to systemd. This allow systemd to handle
|
||||
# network/dhcp/dns/time
|
||||
PACKAGECONFIG:pn-systemd += " \
|
||||
hostnamed \
|
||||
idn \
|
||||
myhostname \
|
||||
nss \
|
||||
nss-resolve \
|
||||
resolved \
|
||||
networkd \
|
||||
timedated \
|
||||
timesyncd \
|
||||
"
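Review bot: The systemd extension uses `PACKAGECONFIG:pn-systemd += "..."`, which only extends the base list because the base include's `?=` has already been parsed. If this file is included on its own or first, `+=` creates the override with just these nine entries and the base include's `?=` default is then skipped. The podman line above already uses the order-independent form, so the same would fit here: `PACKAGECONFIG:append:pn-systemd = " idn myhostname nss nss-resolve resolved networkd timedated timesyncd"`. `hostnamed` is already in the base list and can be dropped. `DISTRO_FEATURES += ...` has the same ordering dependence, and `DISTRO_FEATURES:append = " virtualization seccomp"` would avoid it.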
|
||||
|
|
@ -0,0 +1,149 @@
|
|||
COREOS_RECIPE_MAINTAINER:pn-acl = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-arptables = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-attr = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-autoconf-archive = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-base-files = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-base-passwd = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-bash-completion = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-bash = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-binutils-cross-x86_64 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-boost = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-bridge-utils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-busybox = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-bzip2 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-ca-certificates = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-conntrack-tools = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-coreutils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-cppzmq = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-cracklib = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-cryptsetup = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-curl = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-dbus = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-depmodwrapper-cross = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-e2fsprogs = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-ebtables = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-efibootguard = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-elfutils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-ethtool = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-expat = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-findutils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-flatbuffers = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-flex = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-fmt = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gawk = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gcc-cross-x86_64 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gcc-runtime = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gdbm = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-glib-2.0 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-glibc = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-glibc-locale = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gmp = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gnu-efi = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-gnutls = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-grub-bootconf = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-grub = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-grub-efi = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-icu = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-iproute2 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-iptables = "Team CoreOS"
|
||||
#iw should be removed
|
||||
COREOS_RECIPE_MAINTAINER:pn-json-c = "Team CoreOS"
|
||||
# kbd check if it can be removed
|
||||
# kmod check if it can be removed
|
||||
COREOS_RECIPE_MAINTAINER:pn-libaio = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libarchive = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libcap = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libcap-ng = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libcheck = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libconfig = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libdevmapper = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libestr = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libfastjson = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libffi = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libgcc = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libgcc-initial = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libgcrypt = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libgpg-error = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libidn2 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-liblogging = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libmnl = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnet = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-conntrack = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cthelper = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cttimeout = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-log = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnetfilter-queue = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnfnetlink = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnl = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libnsl2 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libpam = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libpcap = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libpcre = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libseccomp = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libsodium = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libsolv = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libssh2 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libssh = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libtirpc = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libtool-cross = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libunistring = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libusb1 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libxcrypt = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-libxml2 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-linux-libc-headers = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-linux-yocto = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-logrotate = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-lrzsz = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-lvm2 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-lzo = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-m4 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-mtools = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-ncurses = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-netbase = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-nettle = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-openssh = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-openssl = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-opkg-arch-config = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-opkg = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-opkg-utils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-os-release = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-packagegroup-base = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-packagegroup-core-boot = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-base = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-boot = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-pciutils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-perl = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-popt = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-python3 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-qemuwrapper-cross = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-readline = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-rsyslog = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-run-postinsts = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-secure-storage = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-setserial = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-sh = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-shared-mime-info = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-spdlog = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-sqlite3 = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-swupdate = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-sysfsutils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-syslinux = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-syslog-ng = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-systemd-bootconf = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-systemd-boot = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-systemd-conf = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-systemd = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-systemd-serialgetty = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-tar = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-tcpdump = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-usbutils = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-util-linux = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-util-linux-libuuid = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-volatile-binds = "Team CoreOS"
|
||||
# wpa-supplicant should be removed
|
||||
COREOS_RECIPE_MAINTAINER:pn-xz = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-zeromq = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-zip = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-zlib = "Team CoreOS"
|
||||
COREOS_RECIPE_MAINTAINER:pn-zstd = "Team CoreOS"
|
||||
|
|
@ -15,6 +15,7 @@ LAYERDEPENDS_meta-belden-coreos = "\
|
|||
networking-layer \
|
||||
virtualization-layer \
|
||||
webserver \
|
||||
meta-arm \
|
||||
"
|
||||
|
||||
LAYERSERIES_COMPAT_meta-belden-coreos = "kirkstone"
|
||||
|
|
|
|||
|
|
@ -1,4 +1,22 @@
|
|||
|
||||
# Add CoreOS A/B Switching support
|
||||
# ==============================================================================
|
||||
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
|
||||
|
||||
SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.patch"
|
||||
|
||||
# Add signature support
|
||||
# ==============================================================================
|
||||
|
||||
DEPENDS:append = " cos-certificates-and-keys-native"
|
||||
|
||||
inherit coreos-efi-sbsign
|
||||
require conf/image-uefi.conf
|
||||
|
||||
do_deploy:append() {
|
||||
|
||||
if [ -f "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi" ]; then
|
||||
coreos_efi_secureboot_sign_app "${DEPLOYDIR}/efibootguard${EFI_ARCH}.efi"
|
||||
fi
|
||||
}
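Review bot: `do_deploy:append` signs `efibootguard${EFI_ARCH}.efi` only when the file exists and does nothing otherwise, so a renamed or missing binary yields a successful build with an unsigned bootloader that is only noticed when secure boot rejects it on the target. Making the missing case fatal keeps the signing step from being skipped silently, by adding an else branch: `else bbfatal "efibootguard${EFI_ARCH}.efi not found in ${DEPLOYDIR}, nothing was signed"`. A comment above `require conf/image-uefi.conf` saying that it is there to provide `EFI_ARCH` (if that is the reason) would also help.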
|
||||
|
|
|
|||
|
|
@ -1,244 +0,0 @@
|
|||
DESCRIPTION = "Trusted Firmware-A"
|
||||
LICENSE = "BSD-3-Clause & MIT"
|
||||
|
||||
PACKAGE_ARCH = "${MACHINE_ARCH}"
|
||||
|
||||
inherit deploy
|
||||
|
||||
SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
|
||||
|
||||
UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
|
||||
|
||||
SRCREV_FORMAT = "tfa"
|
||||
|
||||
COMPATIBLE_MACHINE ?= "invalid"
|
||||
|
||||
# Platform must be set for each machine
|
||||
TFA_PLATFORM ?= "invalid"
|
||||
|
||||
# Some platforms can have multiple board configurations
|
||||
# Leave empty for default behavior
|
||||
TFA_BOARD ?= ""
|
||||
|
||||
# Some platforms use SPD (Secure Payload Dispatcher) services
|
||||
# Few options are "opteed", "tlkd", "trusty", "tspd", "spmd"...
|
||||
# Leave empty to not use SPD
|
||||
TFA_SPD ?= ""
|
||||
|
||||
# Variable used when TFA_SPD=spmd
|
||||
TFA_SPMD_SPM_AT_SEL2 ?= "1"
|
||||
|
||||
# SP layout file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
|
||||
TFA_SP_LAYOUT_FILE ?= ""
|
||||
|
||||
# SPMC manifest file location. Used when TFA_SPD=spmd and TFA_SPMD_SPM_AT_SEL2=1
|
||||
TFA_ARM_SPMC_MANIFEST_DTS ?= ""
|
||||
|
||||
# Build for debug (set TFA_DEBUG to 1 to activate)
|
||||
TFA_DEBUG ?= "0"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
B = "${WORKDIR}/build"
|
||||
|
||||
# mbed TLS support (set TFA_MBEDTLS to 1 to activate)
|
||||
TFA_MBEDTLS ?= "0"
|
||||
# sub-directory in which mbedtls will be downloaded
|
||||
TFA_MBEDTLS_DIR ?= "mbedtls"
|
||||
# This should be set to MBEDTLS download URL if MBEDTLS is needed
|
||||
SRC_URI_MBEDTLS ??= ""
|
||||
# This should be set to MBEDTLS LIC FILES checksum
|
||||
LIC_FILES_CHKSUM_MBEDTLS ??= ""
|
||||
# add MBEDTLS to our sources if activated
|
||||
SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}"
|
||||
# Update license variables
|
||||
LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}"
|
||||
LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
|
||||
# add mbed TLS to version
|
||||
SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
|
||||
|
||||
# U-boot support (set TFA_UBOOT to 1 to activate)
|
||||
# When U-Boot support is activated BL33 is activated with u-boot.bin file
|
||||
TFA_UBOOT ??= "0"
|
||||
|
||||
# UEFI support (set TFA_UEFI to 1 to activate)
|
||||
# When UEFI support is activated BL33 is activated with uefi.bin file
|
||||
TFA_UEFI ??= "0"
|
||||
|
||||
# What to build
|
||||
# By default we only build bl1, do_deploy will copy
|
||||
# everything listed in this variable (by default bl1.bin)
|
||||
TFA_BUILD_TARGET ?= "bl1"
|
||||
|
||||
# What to install
|
||||
# do_install and do_deploy will install everything listed in this
|
||||
# variable. It is set by default to TFA_BUILD_TARGET
|
||||
TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
|
||||
|
||||
# Requires CROSS_COMPILE set by hand as there is no configure script
|
||||
export CROSS_COMPILE="${TARGET_PREFIX}"
|
||||
|
||||
# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
|
||||
CFLAGS[unexport] = "1"
|
||||
LDFLAGS[unexport] = "1"
|
||||
AS[unexport] = "1"
|
||||
LD[unexport] = "1"
|
||||
|
||||
# No configure
|
||||
do_configure[noexec] = "1"
|
||||
|
||||
# Baremetal, just need a compiler
|
||||
DEPENDS:remove = "virtual/${TARGET_PREFIX}compilerlibs virtual/libc"
|
||||
|
||||
# We need dtc for dtbs compilation
|
||||
# We need openssl for fiptool
|
||||
DEPENDS = "dtc-native openssl-native"
|
||||
DEPENDS:append:toolchain-clang = " compiler-rt"
|
||||
|
||||
# CC and LD introduce arguments which conflict with those otherwise provided by
|
||||
# this recipe. The heads of these variables excluding those arguments
|
||||
# are therefore used instead.
|
||||
def remove_options_tail (in_string):
|
||||
from itertools import takewhile
|
||||
return ' '.join(takewhile(lambda x: not x.startswith('-'), in_string.split(' ')))
|
||||
|
||||
EXTRA_OEMAKE += "LD=${@remove_options_tail(d.getVar('LD'))}"
|
||||
|
||||
EXTRA_OEMAKE += "CC=${@remove_options_tail(d.getVar('CC'))}"
|
||||
|
||||
# Verbose builds, no -Werror
|
||||
EXTRA_OEMAKE += "V=1 E=0"
|
||||
|
||||
# Add platform parameter
|
||||
EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
|
||||
|
||||
# Handle TFA_BOARD parameter
|
||||
EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
|
||||
|
||||
# Handle TFA_SPD parameter
|
||||
EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
|
||||
|
||||
# If TFA_SPD is spmd, set SPMD_SPM_AT_SEL2
|
||||
EXTRA_OEMAKE += "${@'SPMD_SPM_AT_SEL2=${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
|
||||
|
||||
# Handle TFA_DEBUG parameter
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_DEBUG', '1', 'DEBUG=${TFA_DEBUG}', '', d)}"
|
||||
|
||||
# Handle MBEDTLS
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
|
||||
|
||||
# Uboot support
|
||||
DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
|
||||
do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '', d)}"
|
||||
|
||||
# UEFI support
|
||||
DEPENDS += " ${@bb.utils.contains('TFA_UEFI', '1', 'edk2-firmware', '', d)}"
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UEFI', '1', 'BL33=${RECIPE_SYSROOT}/firmware/uefi.bin', '', d)}"
|
||||
|
||||
# TFTF test support
|
||||
DEPENDS += " ${@bb.utils.contains('TFTF_TESTS', '1', 'tf-a-tests', '', d)}"
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('TFTF_TESTS', '1', 'BL33=${RECIPE_SYSROOT}/firmware/tftf.bin', '',d)}"
|
||||
|
||||
# Hafnium support
|
||||
SEL2_SPMC = "${@'${TFA_SPMD_SPM_AT_SEL2}' if d.getVar('TFA_SPD', True) == 'spmd' else ''}"
|
||||
|
||||
DEPENDS += " ${@bb.utils.contains('SEL2_SPMC', '1', 'hafnium', '', d)}"
|
||||
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'CTX_INCLUDE_EL2_REGS=1 ARM_ARCH_MINOR=4 BL32=${RECIPE_SYSROOT}/firmware/hafnium.bin', '', d)}"
|
||||
|
||||
# Add SP layout file and spmc manifest for hafnium
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'SP_LAYOUT_FILE=${TFA_SP_LAYOUT_FILE}' if d.getVar('TFA_SP_LAYOUT_FILE') else '', '', d)}"
|
||||
|
||||
EXTRA_OEMAKE += "${@bb.utils.contains('SEL2_SPMC', '1', 'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}"
|
||||
|
||||
# Tell the tools where the native OpenSSL is located
|
||||
EXTRA_OEMAKE += "OPENSSL_DIR=${STAGING_DIR_NATIVE}/${prefix_native}"
|
||||
# Use the correct native compiler
|
||||
EXTRA_OEMAKE += "HOSTCC='${BUILD_CC}'"
|
||||
|
||||
# Runtime variables
|
||||
EXTRA_OEMAKE += "RUNTIME_SYSROOT=${STAGING_DIR_HOST}"
|
||||
|
||||
BUILD_DIR = "${B}/${TFA_PLATFORM}"
|
||||
BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
|
||||
BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
|
||||
|
||||
do_compile() {
|
||||
# This is still needed to have the native tools executing properly by
|
||||
# setting the RPATH
|
||||
sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
|
||||
sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
|
||||
sed -i '/^LIB/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/cert_create/Makefile
|
||||
|
||||
# Currently there are races if you build all the targets at once in parallel
|
||||
for T in ${TFA_BUILD_TARGET}; do
|
||||
oe_runmake -C ${S} $T
|
||||
done
|
||||
}
|
||||
do_compile[cleandirs] = "${B}"
|
||||
|
||||
do_install() {
|
||||
install -d -m 755 ${D}/firmware
|
||||
for atfbin in ${TFA_INSTALL_TARGET}; do
|
||||
processed="0"
|
||||
if [ "$atfbin" = "all" ]; then
|
||||
# Target all is not handled by default
|
||||
bberror "all as TFA_INSTALL_TARGET is not handled by do_install"
|
||||
bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
|
||||
bberror "rewrite or turn off do_install"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
|
||||
echo "Install $atfbin.bin"
|
||||
install -m 0644 ${BUILD_DIR}/$atfbin.bin \
|
||||
${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
|
||||
ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
|
||||
processed="1"
|
||||
fi
|
||||
if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
|
||||
echo "Install $atfbin.elf"
|
||||
install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
|
||||
${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
|
||||
ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
|
||||
processed="1"
|
||||
fi
|
||||
if [ -f ${BUILD_DIR}/$atfbin ]; then
|
||||
echo "Install $atfbin"
|
||||
install -m 0644 ${BUILD_DIR}/$atfbin \
|
||||
${D}/firmware/$atfbin-${TFA_PLATFORM}
|
||||
ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
|
||||
processed="1"
|
||||
fi
|
||||
if [ -f ${BUILD_DIR}/fdts/$atfbin.dtb ]; then
|
||||
echo "Install $atfbin.dtb"
|
||||
install -m 0644 "${BUILD_DIR}/fdts/$atfbin.dtb" \
|
||||
"${D}/firmware/$atfbin.dtb"
|
||||
processed="1"
|
||||
elif [ "$atfbin" = "dtbs" ]; then
|
||||
echo "dtbs install, skipped: set dtbs in TFA_INSTALL_TARGET"
|
||||
elif [ -f ${B}/tools/$atfbin/$atfbin ]; then
|
||||
echo "Tools $atfbin install, skipped"
|
||||
elif [ "$processed" = "0" ]; then
|
||||
bberror "Unsupported TFA_INSTALL_TARGET target $atfbin"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
FILES:${PN} = "/firmware"
|
||||
SYSROOT_DIRS += "/firmware"
|
||||
|
||||
FILES:${PN}-dbg = "/firmware/*.elf"
|
||||
# Skip QA check for relocations in .text of elf binaries
|
||||
INSANE_SKIP:${PN}-dbg = "textrel"
|
||||
|
||||
do_deploy() {
|
||||
cp -rf ${D}/firmware/* ${DEPLOYDIR}/
|
||||
}
|
||||
addtask deploy after do_install
|
||||
|
||||
CVE_PRODUCT = "arm:arm-trusted-firmware \
|
||||
arm:trusted_firmware-a \
|
||||
arm:arm_trusted_firmware \
|
||||
arm_trusted_firmware_project:arm_trusted_firmware"
|
||||
|
|
@ -1,12 +1,23 @@
|
|||
# Ensure that file are found event when this file is included in another layer
|
||||
# ==============================================================================
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
|
||||
|
||||
# U-Boot CoreOS Distro Settings
|
||||
# ==============================================================================
|
||||
|
||||
# Enable more debug option when debug-tweaks is enabled
|
||||
SRC_URI += " \
|
||||
${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
|
||||
"
|
||||
|
||||
inherit coreos-efi-secureboot
|
||||
|
||||
# Make sure UEFI and secure boot is enabled for every u-boot build
|
||||
SRC_URI += " \
|
||||
file://uefi.cfg \
|
||||
file://uefi-secureboot.cfg \
|
||||
"
|
||||
|
||||
DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
|
||||
|
||||
# Generate a ubootefi.var file inside the build directory
|
||||
#
|
||||
# This file can be directly linked inside the u-boot binary to provide
|
||||
|
|
@ -15,6 +26,7 @@ DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
|
|||
#
|
||||
# The efivar.py is taken from u-boot-tools recipes, so that we are sure that he
|
||||
# is found and don't depend on the u-boot version being used
|
||||
DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native cos-certificates-and-keys-native"
|
||||
addtask uboot_generate_efivar after do_configure before do_compile
|
||||
do_uboot_generate_efivar() {
|
||||
# Settings OPENSSL_MODULES is needed, otherwise efivar.py fail with
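Review bot: The second hunk makes every U-Boot build depend on `cos-certificates-and-keys-native`, which elsewhere on this page is fetched from a `development-keys` repository and only emits a `bbwarn`. Nothing visible here stops a release build from embedding those development Secure Boot variables; the swupdate recipe further down has the same dependency. A hard gate would be safer than a warning, for example a `bbfatal` unless an explicit development-build variable is set, or a key-provider variable that a release configuration must override. The new `DEPENDS:append` also repeats `${PYTHON_PN}-pyopenssl-native u-boot-tools-native` from the earlier `DEPENDS:append`, which appears to remain in the file, so the added line could carry only ` cos-certificates-and-keys-native`. The body of `do_uboot_generate_efivar` continues outside the hunk.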
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# Add CoreOS distro settings to u-boot
|
||||
UBOOT_COREOS_REQUIRE:coreos ?= "u-boot-coreos.inc"
|
||||
UBOOT_COREOS_REQUIRE ?= ""
|
||||
|
||||
require ${UBOOT_COREOS_REQUIRE}
|
||||
|
|
@ -4,5 +4,3 @@ require recipes-bsp/u-boot/u-boot.inc
|
|||
SRCREV = "4debc57a3da6c3f4d3f89a637e99206f4cea0a96"
|
||||
DEPENDS += "bc-native dtc-native python3-setuptools-native"
|
||||
LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
|
||||
|
||||
require u-boot-coreos.inc
|
||||
|
|
@ -10,3 +10,6 @@ IMAGE_INSTALL:append = "${@bb.utils.contains("IMAGE_FEATURES", "swupdate", " swu
|
|||
|
||||
# development tools
|
||||
IMAGE_INSTALL:append = " systemd-analyze"
|
||||
|
||||
# Enable the optional image installer
|
||||
COREOS_IMAGE_GENERATE_INSTALLER = "1"
|
||||
|
|
|
|||
|
|
@ -1,50 +1,4 @@
|
|||
DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
|
||||
|
||||
|
||||
|
||||
# Don't reboot the device at reboot and don't do A/B switching
|
||||
BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
|
||||
|
||||
export IMAGE_BASENAME = "${MLPREFIX}${PN}"
|
||||
IMAGE_NAME_SUFFIX ?= ""
|
||||
IMAGE_LINGUAS = ""
|
||||
|
||||
LICENSE = "MIT"
|
||||
|
||||
IMAGE_FSTYPES = "cpio.gz"
|
||||
|
||||
# Support for generating a SDCard installer is optional
|
||||
COREOS_INSTALLER_WKS_FILE ??= ""
|
||||
WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
|
||||
IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
|
||||
IMAGE_BOOT_FILES = "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
|
||||
|
||||
COREOS_IMAGE_GENERATE_UKI = "1"
|
||||
|
||||
# Avoid dependancy loop, we are already in an installer image, so we don't need
|
||||
# to bundle another one
|
||||
COREOS_IMAGE_GENERATE_INSTALLER = "0"
|
||||
|
||||
# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
|
||||
# run during image generation
|
||||
COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
|
||||
COREOS_IMAGE_GENERATE_SWU = "0"
|
||||
|
||||
# Change generated UKI filename and reset the bundled command line to "APPEND"
|
||||
# to ensure that root is not set in the kernel command line
|
||||
COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
|
||||
COREOS_KERNEL_CMDLINE ?= "${APPEND}"
|
||||
|
||||
inherit coreos-image
|
||||
|
||||
# Only install a reduced set of package and feature to keep image size small
|
||||
IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer swupdate-www util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
|
||||
IMAGE_FEATURES = "debug-tweaks swupdate networkmanager"
|
||||
NO_RECOMMENDATIONS = "1"
|
||||
|
||||
IMAGE_ROOTFS_SIZE = "8192"
|
||||
INITRAMFS_MAXSIZE = "976562"
|
||||
IMAGE_ROOTFS_EXTRA_SPACE = "0"
|
||||
|
||||
# Use the same restriction as initramfs-module-install
|
||||
COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'
|
||||
inherit coreos-image-installer
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ COREOS_IMAGE_EFI_PROVIDER_EXTRA = " \
|
|||
"
|
||||
|
||||
RDEPENDS:${PN} = "\
|
||||
packagegroup-base-extended \
|
||||
packagegroup-base \
|
||||
os-release \
|
||||
${@bb.utils.contains("MACHINE_FEATURES", "efi", "${COREOS_IMAGE_EFI_PROVIDER_EXTRA}", "", d)} \
|
||||
"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,2 @@
|
|||
[Manager]
|
||||
RuntimeWatchdogSec=5
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/systemd-conf:"
|
||||
|
||||
SRC_URI += " file://system.conf-watchdog"
|
||||
|
||||
do_install:append(){
|
||||
# the creation date/time of this file will be used as initial boot time.
|
||||
# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
|
||||
# More info about the date/time handling here:
|
||||
# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
|
||||
touch ${D}/${base_libdir}/clock-epoch
|
||||
install -D -m0644 ${WORKDIR}/system.conf-watchdog ${D}${systemd_unitdir}/system.conf.d/01-${PN}-watchdog.conf
|
||||
}
|
||||
|
||||
FILES:${PN} += "${base_libdir}/clock-epoch"
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
# catch errors from previous source files
|
||||
if [ "$SWUPDATE_EXIT" != "" ]; then
|
||||
# Notify the installation status indicator about the failed installation.
|
||||
# This can result in the red LED lighting up.
|
||||
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Notify the installation status indicator about the success with partitioning
|
||||
# the blockdevice. This can result in the first green LED lighting up.
|
||||
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusPartitioningSuccess
|
||||
|
||||
mount /dev/disk/by-label/image /mnt
|
||||
if [ ! -f "/mnt/image.swu" ]; then
|
||||
echo "Could not find image.swu on the vfat partition!"
|
||||
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -p /usr/lib/swupdate/post-install.sh"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -i /mnt/image.swu"
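Review bot: `mount /dev/disk/by-label/image /mnt` is unchecked and read-write, so a failed mount only shows up as the "Could not find image.swu" message, and any attached volume that carries the label `image` is accepted as the installation source. Mount it read-only and fail explicitly, e.g. `mount -o ro /dev/disk/by-label/image /mnt || { echo "Could not mount the image partition"; exit 1; }`, sending the same failure dbus-send signal the other error paths use. Whether the file is accepted then rests entirely on signature verification. This script does not add `-k` itself, so it appears to rely on another conf.d snippet (the installer config changed on this page adds `-k /usr/lib/swupdate/swupdate.crt`); a comment stating that dependency would help.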
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
# Notify the installation status indicator about the success with flashing the image.
|
||||
# This can result in the second green LED lighting up.
|
||||
dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusImageFlashingSuccess
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
DESCRIPTION = "CoreOS scripts for unattended installation"
|
||||
SECTION = "coreos"
|
||||
LICENSE = "CLOSED"
|
||||
|
||||
SRC_URI += "\
|
||||
file://99-overwrite.sh \
|
||||
file://post-install.sh \
|
||||
"
|
||||
|
||||
FILES:${PN} = "\
|
||||
${libdir}/swupdate/conf.d/99-overwrite.sh \
|
||||
${libdir}/swupdate/post-install.sh \
|
||||
"
|
||||
|
||||
RDEPENDS:${PN} = "coreos-installer"
|
||||
|
||||
RCONFLICTS:${PN} = "swupdate-www"
|
||||
|
||||
do_install() {
|
||||
install -d ${D}${libdir}/swupdate/conf.d
|
||||
install -m 755 ${WORKDIR}/post-install.sh ${D}${libdir}/swupdate/
|
||||
install -m 755 ${WORKDIR}/99-overwrite.sh ${D}${libdir}/swupdate/conf.d/
|
||||
}
|
||||
|
|
@ -1,5 +1,8 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
set -o errtrace
|
||||
trap 'echo "An error occured in line $LINENO: $BASH_COMMAND, exiting..."; SWUPDATE_EXIT=1; exit;' ERR
|
||||
|
||||
# Read /etc/hwrevision and turn it into a stripped string
|
||||
# with the format ${MACHINE}_${VERSION}
|
||||
HWREVISION=$(tr ' ' '_' < /etc/hwrevision | tr -d '[:space:]')
|
||||
|
|
@ -15,6 +18,13 @@ fi
|
|||
|
||||
DISK=$(grep "^device:\s" < "${SFDISK_DUMP_FILE}" | cut -d ' ' -f 2)
|
||||
|
||||
# Remove the partition table signature, if there is already one.
|
||||
# This ensures that sfdisk always finds a 'clean' disk to install / recover
|
||||
wipefs -a -f ${DISK}
|
||||
|
||||
# Give the kernel some time to reload the partition
|
||||
sleep 3
|
||||
|
||||
echo "Flashing ${SFDISK_DUMP_FILE} to ${DISK}"
|
||||
cat "${SFDISK_DUMP_FILE}"
|
||||
sfdisk "${DISK}" < "${SFDISK_DUMP_FILE}"
|
||||
|
|
@ -48,3 +58,4 @@ umount /mnt/ebg1
|
|||
umount /mnt/efi
|
||||
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
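Review bot: `wipefs -a -f ${DISK}` in the second hunk erases signatures on whatever `grep | cut` extracted from the sfdisk dump. The value is unquoted and never checked to be a non-empty block device. A guard before it, `[ -b "${DISK}" ] || { echo "No valid target disk in ${SFDISK_DUMP_FILE}"; exit 1; }`, and quoting `"${DISK}"` would keep a malformed dump from wiping the wrong thing or from being skipped silently. In the first hunk, `set -o errtrace`, `trap ... ERR` and `$BASH_COMMAND` are bash features while the shebang is `sh`; if the shell that runs or sources this file is not bash the trap will not be installed, so that is worth confirming. The fixed `sleep 3` after wipefs is a guess at kernel timing, and it may be possible to replace it with a wait for udev to settle.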
|
||||
|
|
|
|||
|
|
@ -1,22 +1,18 @@
|
|||
DESCRIPTION = "CoreOS Installer scripts"
|
||||
LICENSE = "CLOSED"
|
||||
SECTION = "coreos"
|
||||
LICENSE = "CLOSED"
|
||||
|
||||
SRC_URI+= " \
|
||||
file://25-installer-config.sh \
|
||||
"
|
||||
SRC_URI += "file://25-installer-config.sh"
|
||||
|
||||
# This package ship an alternate configuration for SWUpade to disable A/B
|
||||
# switching and always flash A
|
||||
RCONFLICTS:${PN}= "swupdate-coreos-config"
|
||||
|
||||
FILES:${PN} = " \
|
||||
${libdir}/swupdate/conf.d/25-installer-config.sh \
|
||||
"
|
||||
FILES:${PN} = "${libdir}/swupdate/conf.d/25-installer-config.sh"
|
||||
|
||||
# glibc-utils provide iconv
|
||||
# glibc-gconv-utf-16 provide utf-16 support to iconv
|
||||
RDEPENDS:${PN} = "coreos-installer-config dosfstools util-linux-lsblk util-linux-sfdisk glibc-utils glibc-gconv-utf-16"
|
||||
RDEPENDS:${PN} = "coreos-installer-config dosfstools glibc-gconv-utf-16 glibc-utils util-linux-lsblk util-linux-sfdisk util-linux-wipefs"
|
||||
|
||||
# This package ships an alternate configuration for SWUpdate to disable A/B
|
||||
# switching and always flash A
|
||||
RCONFLICTS:${PN} = "swupdate-coreos-config"
|
||||
|
||||
do_install() {
|
||||
install -d ${D}${libdir}/swupdate/conf.d
|
||||
|
|
|
|||
|
|
@ -0,0 +1,4 @@
|
|||
CONFIG_BLK_DEV_DM=y
|
||||
CONFIG_KEYS=y
|
||||
CONFIG_ENCRYPTED_KEYS=y
|
||||
CONFIG_DM_CRYPT=y
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
|
||||
|
||||
# Secure Storage
|
||||
# ==============================================================================
|
||||
SRC_URI += "file://secure-storage.cfg"
|
||||
|
||||
# Ensure the Kernel EFI STUB is enabled
|
||||
KERNEL_FEATURES += "cfg/efi.scc cfg/efi-ext.scc"
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
# Add CoreOS distro settings to the linux-yocto recipes
|
||||
|
||||
LINUX_YOCTO_COREOS_REQUIRE ?= ""
|
||||
LINUX_YOCTO_COREOS_REQUIRE:coreos = "linux-yocto-coreos.inc"
|
||||
|
||||
require ${LINUX_YOCTO_COREOS_REQUIRE}
|
||||
|
|
@ -0,0 +1,65 @@
|
|||
SUMMARY = "Installs CoreOS certificates and keys"
|
||||
DESCRIPTION = "Installs CoreOS certificates and keys that are used during the build"
|
||||
AUTHOR = "Patrick Vogelaar"
|
||||
LICENSE = "CLOSED"
|
||||
|
||||
SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
|
||||
SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
inherit deploy native
|
||||
|
||||
CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
|
||||
|
||||
#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
|
||||
|
||||
|
||||
do_install() {
|
||||
install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
|
||||
install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
|
||||
install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
|
||||
install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
|
||||
install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
|
||||
install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
|
||||
install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
|
||||
install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
|
||||
install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
|
||||
install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
|
||||
install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
|
||||
install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
|
||||
install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
|
||||
install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
|
||||
install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
|
||||
install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
|
||||
install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
|
||||
install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
|
||||
|
||||
bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
|
||||
}
|
||||
|
||||
|
||||
# Public key needed by firmware very depending on the implementation
|
||||
# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
|
||||
|
||||
addtask deploy after do_compile
|
||||
do_deploy() {
|
||||
install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
|
||||
install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
|
||||
install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
|
||||
|
||||
install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
|
||||
install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
|
||||
install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
|
||||
|
||||
install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
|
||||
install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
|
||||
install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
|
||||
|
||||
install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
|
||||
install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
|
||||
install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
|
||||
|
||||
# !SECURITY WARNING!
|
||||
# .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
|
||||
}
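Review bot: `do_install` installs every file with `-m 755`, including the private `db.key`, `KEK.key`, `PK.key` and `swupdate.key`, so the signing keys end up world-readable and executable in the native sysroot. The public files should be `0644` and the private keys `0600`, as in the fence below; this assumes the signing tasks run as the build user. The `bbwarn` text says the keys are added "into the image", but this is a `native` recipe and `do_deploy` deliberately leaves `*.key` out, so the message should say what is actually exposed. Since the private keys come from a git repository pinned by `SRCREV`, anyone with read access to that repository can sign; the recipe offers no variable to point at a production key source.

```bitbake
do_install() {
    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
    for name in db KEK PK; do
        # public material: readable, not executable
        for ext in auth crt der esl; do
            install -m 0644 ${S}/$name.$ext ${D}/${CERTIFICATES_AND_KEYS_DIR}/$name.$ext
        done
        # private key: owner only
        install -m 0600 ${S}/$name.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/$name.key
    done
    install -m 0644 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
    install -m 0600 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
    # … unchanged: bbwarn about development keys …
}
```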
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
loopdir=/usr/local/data/loopdevices
|
||||
loopfile=$loopdir/crypt.loop
|
||||
|
||||
keyfiledir=/usr/local/data/.crypto
|
||||
keyfile=$keyfiledir/ss_crypto.keyfile
|
||||
|
||||
#megabytes
|
||||
loopsize=16
|
||||
|
||||
#/dev/mapper/xxxxx when open
|
||||
cryptmapper=secStorage
|
||||
|
||||
makefilesystem=ext4
|
||||
|
||||
#mountpoint of uncrypted device
|
||||
mountpoint=/usr/local/data/secure-storage
|
||||
|
||||
create_keyfile() {
|
||||
# echo "Create key file"
|
||||
systemd-notify --status="Create key file"
|
||||
mkdir -p $keyfiledir
|
||||
dd if=/dev/urandom of=$keyfile bs=1 count=256
|
||||
chown root:root $keyfiledir/*
|
||||
chmod 000 $keyfiledir/*
|
||||
}
|
||||
|
||||
error() {
|
||||
echo "Error: $1"
|
||||
exit $?
|
||||
}
|
||||
|
||||
#creates a new file
|
||||
create_loopback_and_open() {
|
||||
# echo "Creating a file with random bits.. this could take a while..."
|
||||
systemd-notify --status="Creating a file with random bits.. this could take a while..."
|
||||
mkdir -p $loopdir || error "Creating loopdir"
|
||||
mkdir -p $mountpoint || error "Creating mountpoint"
|
||||
dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
|
||||
loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
|
||||
echo "Selected loop device: $loopdevice"
|
||||
cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
|
||||
cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
|
||||
mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
|
||||
mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
|
||||
systemd-notify --ready --status="Sucessfully mounted secure storage"
|
||||
}
|
||||
|
||||
#mounts crypted loopback file
|
||||
open() {
|
||||
#echo "Open secure-storage"
|
||||
systemd-notify --status="Open secure storage"
|
||||
loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
|
||||
echo "Selected loop device: $ld"
|
||||
cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
|
||||
mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
|
||||
systemd-notify --ready --status="Sucessfully mounted secure storage"
|
||||
}
|
||||
|
||||
#unmounts previously mounted loopback file
|
||||
close() {
|
||||
echo "Close secure-storage"
|
||||
# get loopdevice
|
||||
loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
|
||||
umount $mountpoint
|
||||
cryptsetup close $cryptmapper
|
||||
losetup -d $loopdevice
|
||||
}
|
||||
|
||||
if [ $# -eq 1 ]
|
||||
then
|
||||
#echo "Parameter detected"
|
||||
$1
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -e $keyfile ]
|
||||
then
|
||||
#echo "Key file available"
|
||||
if [ -e $loopfile ]
|
||||
then
|
||||
#echo "Loop file available"
|
||||
open
|
||||
else
|
||||
#echo "Loop file not available"
|
||||
create_loopback_and_open
|
||||
fi
|
||||
else
|
||||
#echo "Key file not available"
|
||||
create_keyfile
|
||||
create_loopback_and_open
|
||||
fi
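Review bot: The LUKS key is generated and kept in clear at `/usr/local/data/.crypto/ss_crypto.keyfile`, under the same `/usr/local/data` tree as `crypt.loop`, so anyone who can read that storage offline gets the ciphertext and the key together. `chmod 000` does not restrict root or offline access, so the container only protects data at rest if the key is bound to something outside that filesystem, such as a hardware-backed key store where the platform has one. Separately, `error()` ends with `exit $?`, which returns the status of the preceding `echo` (0), so every failure path exits as success. The `$1` dispatch runs any single argument as a command, and `open()` prints the unset `$ld` instead of `$loopdevice`. When the key file is missing but `crypt.loop` exists, the final branch regenerates the key and overwrites the loop file, which discards the old data without a message.

```shell
error() {
    echo "Error: $1" >&2
    exit 1
}

# … unchanged: create_keyfile, create_loopback_and_open, open, close …

if [ $# -eq 1 ]
then
    # only the documented sub-commands may be invoked by name
    case "$1" in
        open|close) "$1" ;;
        *) error "Unknown command: $1" ;;
    esac
    exit 0
fi
```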
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=Secure Storage Service
|
||||
RequiresMountsFor=/usr/local/data
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
ExecStart=/usr/bin/sec-storage-loopback.sh
|
||||
TimeoutSec=300
|
||||
|
||||
[Install]
|
||||
WantedBy=local-fs.target
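Review bot: The unit is `Type=notify`, but readiness is sent by `systemd-notify` run as a child of the shell script, and the script exits as soon as the mount is done. With the default notify access for this type, the manager may not accept a message from a helper process, and once the script exits the service is no longer active even though the mapping stays open. There is also no stop action, so the encrypted mapping is never closed in an orderly way at shutdown. Consider `NotifyAccess=all`, `RemainAfterExit=yes` and `ExecStop=/usr/bin/sec-storage-loopback.sh close`; behaviour on the systemd version in this release should be confirmed.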
|
||||
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
SUMMARY = "Provides a Secure Storage"
|
||||
DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
|
||||
AUTHOR = "Patrick Vogelaar"
|
||||
LICENSE = "CLOSED"
|
||||
|
||||
SRC_URI = "\
|
||||
file://sec-storage-loopback.sh \
|
||||
file://secure-storage.service \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}"
|
||||
|
||||
inherit systemd
|
||||
|
||||
FILES:${PN} += "\
|
||||
/usr/local/data/ \
|
||||
${systemd_unitdir}/system \
|
||||
${bindir}/sec-storage-loopback.sh \
|
||||
${systemd_unitdir}/system/secure-storage.service \
|
||||
"
|
||||
|
||||
do_install() {
|
||||
install -d ${D}$/usr/local/data/
|
||||
install -d ${D}${bindir}
|
||||
install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
|
||||
|
||||
install -d ${D}${systemd_unitdir}/system
|
||||
install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
|
||||
}
|
||||
|
||||
SYSTEMD_SERVICE:${PN} = "secure-storage.service"
|
||||
SYSTEMD_AUTO_ENABLE = "enable"
|
||||
|
||||
RDEPENDS:${PN} += "cryptsetup util-linux-losetup e2fsprogs-mke2fs"
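Review bot: `install -m 0731` gives the root-run `sec-storage-loopback.sh` group write permission without group read, which looks like a typo. A script that the unit starts as root should not be writable by anyone but its owner, so `install -m 0755 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh` is the safer mode. In the first line of `do_install`, `${D}$/usr/local/data/` contains a stray `$`, so the directory is created under a path ending in a literal `$` instead of `${D}/usr/local/data/`. The script calls `systemd-notify`, `dd`, `mount` and `awk`, while `RDEPENDS` only lists cryptsetup, losetup and mke2fs; confirm that the rest is guaranteed by the image.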
|
||||
|
|
@ -37,3 +37,6 @@ case $ROOT_PARTLABEL in
|
|||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
|
||||
SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
|
||||
|
|
|
|||
|
|
@ -24,3 +24,8 @@ CONFIG_DISKPART=y
|
|||
CONFIG_DISKPART_FORMAT=y
|
||||
CONFIG_FAT_FILESYSTEM=y
|
||||
CONFIG_EXT_FILESYSTEM=y
|
||||
CONFIG_SIGNED=y
|
||||
CONFIG_SIGNED_IMAGES=y
|
||||
CONFIG_SIGALG_RAWRSA=n
|
||||
CONFIG_SIGALG_CMS=y
|
||||
CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y
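Review bot: `CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y` relaxes the signature verification that the preceding lines switch on, because it skips the purpose check on the signing certificate. The fragment gives no reason for that. If it is only needed because the development certificate was issued without the expected purpose, the cleaner fix is to issue the signing certificate correctly and drop this option. Otherwise add a comment above it stating why the check is disabled and whether that is meant to hold for release builds, for example `# signer certificate has no matching purpose; purpose check disabled - revisit before release`.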
|
||||
|
|
|
|||
|
|
@ -1,7 +1,12 @@
|
|||
inherit features_check
|
||||
REQUIRED_DISTRO_FEATURES = "swupdate"
|
||||
|
||||
# File in the swupdate subdirectory of this recipe should overwrite the
|
||||
# same file in meta-swupdate
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
|
||||
|
||||
DEPENDS += "cos-certificates-and-keys-native"
|
||||
|
||||
SRC_URI += "\
|
||||
file://50-webserver-config.sh \
|
||||
file://25-sw-collections-config.sh \
|
||||
|
|
@ -9,7 +14,6 @@ SRC_URI += "\
|
|||
|
||||
PACKAGES =+ "${PN}-coreos-config ${PN}-coreos-installer-config"
|
||||
|
||||
|
||||
# Don't use /www as the web root
|
||||
wwwdir = "${datadir}/swupdate-www"
|
||||
|
||||
|
|
@ -35,9 +39,15 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
|
|||
# configuration to be installed
|
||||
RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"
|
||||
|
||||
inherit coreos-efi-secureboot
|
||||
|
||||
do_install:append() {
|
||||
# Probably replace revision with the value of the device tree
|
||||
install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||
install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
|
||||
install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
|
||||
echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
|
||||
}
|
||||
|
||||
# Fix: libgcc_s.so.1 must be installed for pthread_exit to work
|
||||
RDEPENDS:${PN} += "libgcc"
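Review bot: `install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt` installs the update trust anchor with the executable bit set, copying the mode used for the two scripts above it. A certificate is data, so `install -m 0644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/` is the appropriate mode. The certificate is taken from a directory defined by the `coreos-efi-secureboot` class, which is not shown here. A short comment saying which key set it resolves to would make clear to the next reader which signer the image trusts.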
|
||||
|
|
|
|||
|
|
@ -0,0 +1,15 @@
|
|||
SUMMARY = "Common assertions for Bats"
|
||||
DESCRIPTION = "bats-assert is a helper library providing common assertions for \
|
||||
Bats."
|
||||
HOMEPAGE = "https://github.com/bats-core/bats-assert"
|
||||
LICENSE = "CC0-1.0"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
|
||||
|
||||
PV = "2.1.0"
|
||||
SRC_URI = "git://github.com/bats-core/bats-assert.git;protocol=https;branch=master"
|
||||
SRCREV = "78fa631d1370562d2cd4a1390989e706158e7bf0"
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
inherit bats-library
|
||||
|
||||
RDEPENDS:${PN} += "bats-support"
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
SUMMARY = " Common filesystem assertions for Bats"
|
||||
DESCRIPTION = "bats-file is a helper library providing common filesystem \
|
||||
related assertions and helpers for Bats."
|
||||
HOMEPAGE = "https://github.com/bats-core/bats-file"
|
||||
LICENSE = "CC0-1.0"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
|
||||
|
||||
PV = "0.3.0+${SRCPV}"
|
||||
SRC_URI = "git://github.com/bats-core/bats-file.git;protocol=https;branch=master"
|
||||
SRCREV = "cb914cdc176da00e321d3bc92f88383698c701d6"
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
inherit bats-library
|
||||
|
||||
RDEPENDS:${PN} += "bats-support"
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
SUMMARY = "Supporting library for Bats test helpers"
|
||||
DESCRIPTION = "bats-support is a supporting library providing common \
|
||||
functions to test helper libraries written for Bats."
|
||||
HOMEPAGE = "https://github.com/bats-core/bats-support"
|
||||
LICENSE = "CC0-1.0"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=7bae63a234e80ee7c6427dce9fdba6cc"
|
||||
|
||||
PV = "0.3.0"
|
||||
SRC_URI = "git://github.com/bats-core/bats-support.git;protocol=https;branch=master"
|
||||
SRCREV = "3c8fadc5097c9acfc96d836dced2bb598e48b009"
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
inherit bats-library
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
# backported from oe-core master
|
||||
SUMMARY = "Bash Automated Testing System"
|
||||
DESCRIPTION = "Bats is a TAP-compliant testing framework for Bash. It \
|
||||
provides a simple way to verify that the UNIX programs you write behave as expected."
|
||||
HOMEPAGE = "https://github.com/bats-core/bats-core"
|
||||
LICENSE = "MIT"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2970203aedf9e829edb96a137a4fe81b"
|
||||
|
||||
SRC_URI = "\
|
||||
git://github.com/bats-core/bats-core.git;branch=master;protocol=https \
|
||||
"
|
||||
|
||||
# v1.10.0
|
||||
SRCREV = "f7defb94362f2053a3e73d13086a167448ea9133"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
# Numerous scripts assume ${baselib} == lib, which is not true.
|
||||
#
|
||||
do_configure:prepend() {
|
||||
for f in ${S}/libexec/bats-core/* ${S}/lib/bats-core/* ; do
|
||||
sed -i 's:\$BATS_ROOT/lib/:\$BATS_ROOT/${baselib}/:g' $f
|
||||
done
|
||||
}
|
||||
|
||||
do_install() {
|
||||
# Just a bunch of bash scripts to install
|
||||
${S}/install.sh ${D}${prefix} ${baselib}
|
||||
}
|
||||
|
||||
RDEPENDS:${PN} = "bash"
|
||||
FILES:${PN} += "${libdir}/bats-core/*"
|
||||
|
||||
PACKAGECONFIG ??= "pretty"
|
||||
PACKAGECONFIG[pretty] = ",,,ncurses"
|
||||
|
|
@ -9,5 +9,5 @@ BBFILE_COLLECTIONS += "meta-belden-marvell-bsp"
|
|||
BBFILE_PATTERN_meta-belden-marvell-bsp = "^${LAYERDIR}/"
|
||||
BBFILE_PRIORITY_meta-belden-marvell-bsp = "6"
|
||||
|
||||
LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos"
|
||||
LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos meta-arm"
|
||||
LAYERSERIES_COMPAT_meta-belden-marvell-bsp = "kirkstone"
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ UBOOT_LOADADDRESS = "0x7000000"
|
|||
|
||||
PREFERRED_PROVIDER_virtual/kernel ?= "linux-netmodule"
|
||||
PREFERRED_VERSION_linux-netmodule ?= "git-5.15-solidrun"
|
||||
PREFERRED_VERSION_trusted_firmware_a ?= "2.3-solidrun"
|
||||
PREFERRED_VERSION_trusted_firmware_a = "2.6"
|
||||
|
||||
KERNEL_IMAGETYPE = "Image"
|
||||
KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
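Review bot: `PREFERRED_VERSION_trusted_firmware_a = "2.6"` spells the recipe name with underscores, while the files on this page name the recipe `trusted-firmware-a`. If that is the recipe's PN, the assignment selects nothing and the firmware version is whatever the default resolution picks. Assuming the `= "2.6"` line is the new side, `PREFERRED_VERSION_trusted-firmware-a = "2.6"` is probably what was intended. The switch from `?=` to `=` also removes the possibility of overriding the version from a distro or local configuration, which deserves a comment if it is deliberate.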
|
||||
|
|
|
|||
|
|
@ -1,28 +0,0 @@
|
|||
# trusted-firmware-a
|
||||
|
||||
|
||||
trusted-firmware-a recipes was copied from:
|
||||
|
||||
meta-arm/meta-arm/recipes-bsp/trusted-firmware-a
|
||||
|
||||
Repo: git://git.yoctoproject.org/meta-arm
|
||||
Branch: kirkstone
|
||||
Git SHA: 78fce73c3803aba82149a3a03fde1b708f5424fa
|
||||
|
||||
Theses files were copied:
|
||||
|
||||
- trusted-firmware-a.inc
|
||||
- files/ssl.patch
|
||||
|
||||
Theses files were created, by doing the same as done in meta-arm/meta-arm-bsp
|
||||
but using the same revision and make flags as in https://github.com/SolidRun/cn913x_yocto_meta.git
|
||||
|
||||
- trusted-firmware-a_2.3.bb
|
||||
|
||||
Theses files were copied from https://github.com/SolidRun/cn913x_yocto_meta.git
|
||||
|
||||
- files/mrvl_scp_bl2.img
|
||||
- files/000*.patch
|
||||
|
||||
More info about how to use trusted-firmware-a for Marvell can be found at
|
||||
https://trustedfirmware-a.readthedocs.io/en/latest/plat/marvell/armada/build.html
|
||||
|
|
@ -1,14 +1,14 @@
|
|||
From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
|
||||
From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
|
||||
From: Alon Rotman <alon.rotman@solid-run.com>
|
||||
Date: Mon, 22 Nov 2021 13:33:25 +0200
|
||||
Subject: [PATCH 2/2] ddr spd read failover to defualt config
|
||||
Subject: [PATCH] ddr spd read failover to defualt config
|
||||
|
||||
---
|
||||
.../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
|
||||
1 file changed, 93 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
|
||||
index 0befadfc6..5de71f095 100644
|
||||
index 82ce07b09..bb7814e9b 100644
|
||||
--- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
|
||||
+++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
|
||||
@@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
|
||||
|
|
@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644
|
|||
{
|
||||
struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
|
||||
@@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
|
||||
i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
|
||||
i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
|
||||
|
||||
/* read data from spd */
|
||||
- i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
|
||||
|
|
@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644
|
|||
+ set_param_based_on_som_strap();
|
||||
}
|
||||
}
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
|
|||
|
|
@ -1,15 +1,16 @@
|
|||
From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001
|
||||
From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001
|
||||
From: Alon Rotman <alon.rotman@solid-run.com>
|
||||
Date: Mon, 6 Dec 2021 18:34:37 +0200
|
||||
Subject: [PATCH] som sdp failover using crc verification
|
||||
|
||||
Signed-off-by: Alon Rotman <alon.rotman@solid-run.com>
|
||||
|
||||
---
|
||||
.../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++-------
|
||||
1 file changed, 41 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
|
||||
index 5de71f095..d59b8100d 100644
|
||||
index bb7814e9b..772774215 100644
|
||||
--- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
|
||||
+++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
|
||||
@@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
|
||||
|
|
@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644
|
|||
+
|
||||
}
|
||||
}
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
|
|||
|
|
@ -1,52 +0,0 @@
|
|||
fiptool: respect OPENSSL_DIR
|
||||
|
||||
fiptool links to libcrypto, so as with the other tools it should respect
|
||||
OPENSSL_DIR for include/library paths.
|
||||
|
||||
Upstream-Status: Submitted
|
||||
Signed-off-by: Ross Burton <ross.burton@arm.com>
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index ec6f88585..2d3b9fc26 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
|
||||
|
||||
${FIPTOOL}: FORCE
|
||||
ifdef UNIX_MK
|
||||
- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
|
||||
+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
|
||||
else
|
||||
# Clear the MAKEFLAGS as we do not want
|
||||
# to pass the gnumake flags to nmake.
|
||||
diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
|
||||
index 11d2e7b0b..7c2a08379 100644
|
||||
--- a/tools/fiptool/Makefile
|
||||
+++ b/tools/fiptool/Makefile
|
||||
@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
|
||||
PROJECT := $(notdir ${FIPTOOL})
|
||||
OBJECTS := fiptool.o tbbr_config.o
|
||||
V ?= 0
|
||||
+OPENSSL_DIR := /usr
|
||||
+
|
||||
|
||||
override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
|
||||
HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
|
||||
@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
|
||||
else
|
||||
HOSTCCFLAGS += -O2
|
||||
endif
|
||||
-LDLIBS := -lcrypto
|
||||
+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
|
||||
|
||||
ifeq (${V},0)
|
||||
Q := @
|
||||
@@ -28,7 +30,7 @@ else
|
||||
Q :=
|
||||
endif
|
||||
|
||||
-INCLUDE_PATHS := -I../../include/tools_share
|
||||
+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include
|
||||
|
||||
HOSTCC ?= gcc
|
||||
|
||||
|
|
@ -1,9 +1,8 @@
|
|||
require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
|
||||
# CN913x specific TFA support
|
||||
|
||||
PV = "2.3+git${SRCPV}"
|
||||
SRCREV_tfa = "00ad74c7afe67b2ffaf08300710f18d3dafebb45"
|
||||
COMPATIBLE_MACHINE = "cn913x"
|
||||
|
||||
LIC_FILES_CHKSUM += "file://docs/license.rst;md5=189505435dbcdcc8caa63c46fe93fa89"
|
||||
DEPENDS += "mv-ddr-marvell coreutils-native"
|
||||
|
||||
SRC_URI += " \
|
||||
file://0001-ddr-spd-read-failover-to-defualt-config.patch \
|
||||
|
|
@ -11,10 +10,6 @@ SRC_URI += " \
|
|||
file://mrvl_scp_bl2.img \
|
||||
"
|
||||
|
||||
COMPATIBLE_MACHINE = "cn913x"
|
||||
|
||||
DEPENDS += "mv-ddr-marvell coreutils-native"
|
||||
|
||||
CP_NUM:cn9131-bldn-mbv = "2"
|
||||
CP_NUM:cn9130-cf-pro = "1"
|
||||
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
# Machine specific TFAs
|
||||
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
|
||||
|
||||
MACHINE_TFA_REQUIRE ?= ""
|
||||
MACHINE_TFA_REQUIRE:cn913x = "trusted-firmware-a-cn913x.inc"
|
||||
|
||||
require ${MACHINE_TFA_REQUIRE}
|
||||
|
|
@ -51,7 +51,6 @@ SRC_URI = "git://git.denx.de/u-boot.git;branch=master \
|
|||
S = "${WORKDIR}/git"
|
||||
|
||||
require recipes-bsp/u-boot/u-boot.inc
|
||||
require recipes-bsp/u-boot/u-boot-coreos.inc
|
||||
|
||||
# Solidrun patches require to build out-of-the-tree
|
||||
B = "${WORKDIR}/build"
|
||||
|
|
|
|||
|
|
@ -30,7 +30,6 @@ SRC_URI = "git://source.denx.de/u-boot/custodians/u-boot-marvell.git;branch=mast
|
|||
S = "${WORKDIR}/git"
|
||||
|
||||
require recipes-bsp/u-boot/u-boot.inc
|
||||
require recipes-bsp/u-boot/u-boot-coreos.inc
|
||||
|
||||
# Solidrun patches require to build out-of-the-tree
|
||||
B = "${WORKDIR}/build"
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show More