Pull request #186: Various small changes

Merge in ICO/coreos from various_small_changes to master

* commit 'a0910ef3ff70a53ea410ba205e36a2f5620481b3':
  chore(submodules): update third-party submodules
  feat(coreos-supportd-pkgs): create list of CoreOS supported packages
  chore(belden-coreos): move the initial timestamp to a generic file
  fix(swupdate): add libgcc as a dependency to terminate swupdate correctly
  feat(eagle40-03): strip out unused MACHINE_FEATURES for eagle40-03

.gitmodules

@@ -24,5 +24,13 @@
 	branch = kirkstone
 [submodule "meta-arm"]
 	path = external-layers/meta-arm
-	url = git://git.yoctoproject.org/meta-arm
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-arm.git
 	branch = kirkstone
+[submodule "meta-ti"]
+	path = external-layers/meta-ti
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-ti.git
+	branch = kirkstone
+[submodule "meta-lts-kernel-mixin"]
+	path = external-layers/meta-lts-kernel-mixin
+	url = ssh://git@bitbucket.gad.local:7999/ico/meta-lts-mixins.git
+	branch = coreos/kirkstone/kernel

.vscode/extensions.json

@@ -2,9 +2,9 @@
     "recommendations": [
         "ms-vscode.makefile-tools",
         "timonwong.shellcheck",
-        "eugenwiens.bitbake",
         "kweihmann.oelint-vscode",
         "lextudio.restructuredtext",
-        "trond-snekvik.simple-rst"
+        "trond-snekvik.simple-rst",
+        "yocto-project.yocto-bitbake"
     ]
 }

.vscode/settings.json

@@ -1,12 +1,47 @@
 {
     "files.watcherExclude": {
-        "**/build/cache/**": true,
+        "**/build/**": true,
-        "**/build/downloads/**": true,
+        "**/_build/**": true,
-        "**/build/sstate-cache/**": true,
-        "**/build/tmp/**": true,
-        "**/documentation/_build/**": true,
-        "**/build/workspace": true
     },
+    "search.exclude": {
+        "**/build/**": true,
+        "**/_build/**": true,
+    },
+    "C_Cpp.files.exclude": {
+        "**/build": true,
+        "**/_build": true,
+    },
+    "python.analysis.exclude": [
+        "**/build/**",
+        "**/_build/**",
+    ],
     "python.formatting.provider": "black",
-    "editor.rulers": [80,100,120]
+    "editor.rulers": [80,100,120],
+    "bitbake.pathToBuildFolder": "${workspaceFolder}/build",
+    "bitbake.pathToEnvScript": "${workspaceFolder}/coreos-init-build-env",
+    "bitbake.pathToBitbakeFolder": "${workspaceFolder}/bitbake",
+    "python.autoComplete.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "python.analysis.extraPaths": [
+        "${workspaceFolder}/bitbake/lib",
+        "${workspaceFolder}/meta/lib"
+    ],
+    "[python]": {
+        "diffEditor.ignoreTrimWhitespace": false,
+        "gitlens.codeLens.symbolScopes": [
+            "!Module"
+        ],
+        "editor.formatOnType": true,
+        "editor.wordBasedSuggestions": "off",
+        "files.trimTrailingWhitespace": false
+    },
+    "[shellscript]": {
+        "files.eol": "\n",
+        "files.trimTrailingWhitespace": false
+    },
+    "bitbake.sdkImage": "coreos-image-minimal",
+    "bitbake.workingDirectory": "${workspaceFolder}",
+    "task.saveBeforeRun": "always",
 }

bitbake

@@ -1 +1 @@
-Subproject commit 41b6684489d0261753344956042be2cc4adb0159
+Subproject commit 40fd5f4eef7460ca67f32cfce8e229e67e1ff607

coreos-init-build-env

@@ -92,18 +92,3 @@ coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
 # stdout is redirected to reduce the amount of output but not stderr
 #
 #Note: if a final build is detected all the dev keys are deleted
-
-if [ "$CreateFinal" = "true" ]; then
-    echo "\nFinal build detected delete dev keys and dont use or generate them" >&2
-    rm -rf "${BUILDDIR}/keys"
-else
-    echo "\nNo final build detected use development keys" >&2
-    coreos-get-dev-keys > /dev/null || {
-        echo "The coreos-get-dev-keys script has failed" >&2
-    }
-
-    coreos-keygen > /dev/null || {
-        echo "The coreos-keygen script has failed" >&2
-        return 1
-    }
-fi

documentation/components/optional/installer.rst

@@ -3,33 +3,35 @@
 CoreOS Installer
 ****************
 
-The CoreOS installer is a set of script running on the target and a
+The CoreOS installer is a set of scripts running on the target and a
 corresponding bitbake image that is used into the bootstrap process of CoreOS.
 
 coreos-image-installer
 ======================
 
-The CoreOS installer image is a single binary EFI file that include a kernel,
+The CoreOS image installer results in an image contairing only a single binary
-device tree and an initramfs with all the tools needed to install CoreOS.
+EFI file. This EFI file includes a kernel, a device tree and an initramfs with
+all (and only) the tools needed to install CoreOS.
 
-An installer image is automatically built in parallel of a normal image.
+The installer image is not automatically built in parallel of a normal image.
-This can be deactivated by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 0.
+This can be changed by setting `COREOS_IMAGE_GENERATE_INSTALLER` to 1 in the
+image file (as it is done for example in coreos-image-all-features.bb).
 
 The installer image build by default only a single EFI binary named
-coreos-installer-MACHINE.efi. An SDCard image can be generate if
+coreos-installer-MACHINE.efi. An SDCard or USB image can be generated if
 `COREOS_INSTALLER_WKS_FILE` is set to a wks file.
 
 coreos-installer
 ================
 
-The coreos-installer recipe installs some script that is used at startup
+The coreos-installer recipe installs scripts that are used at startup to
-to automatically format the internal emmc of the device. It also contains
+automatically format the internal emmc of the device. The recipe also contains
 a swupdate configuration file to setup swupdate correctly for that use case.
 
 coreos-installer-config
 =======================
 
 The coreos-installer-config recipe installs device specific configuration file
-used by the coreos-installer. This includes the partitionner config file. Distro
+used by the coreos-installer. This includes the partitioner config file. Distros
-and project based on CoreOS can change the partionning scheme or partition size
+and projects based on CoreOS can change the partioning scheme or partition size
 by installing their own version of this package using a `bbappend file`.

external-layers/meta-arm

@@ -1 +1 @@
-Subproject commit b187fb9232ca0a6b5f8f90b4715958546fc41d73
+Subproject commit d7b7b6fb6c7c5545e718e44f38853d1718ce5446

external-layers/meta-lts-kernel-mixin

@@ -0,0 +1 @@
+Subproject commit 09d2f9391813674627ec53cb222da6c7a51221e6

external-layers/meta-openembedded

@@ -1 +1 @@
-Subproject commit 4da92ed9be41734f6ced46b981958e2e868cbff2
+Subproject commit 8bb16533532b6abc2eded7d9961ab2a108fd7a5b

external-layers/meta-swupdate

@@ -1 +1 @@
-Subproject commit eaa4dcbac224c9f5e7da784dcda78b67f117cf63
+Subproject commit 3d12b2788a45d86efcb1ad3e01f209558c54795c

external-layers/meta-ti

@@ -0,0 +1 @@
+Subproject commit bae3658ac0bc1c9adac7a882439cabb385cae720

external-layers/meta-virtualization

@@ -1 +1 @@
-Subproject commit af02908efda1580e77b3fdeed25b124a2b8d9482
+Subproject commit cb2bc17e96552cdfc141d27bd9f4dbd95a872846

external-layers/openembedded-core

@@ -1 +1 @@
-Subproject commit 2b05f5c1608206cf423f6cc34d6718c7532fa025
+Subproject commit 1b5405955c7c2579ed1f52522e2e177d0281fa33

layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass

@@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================
 
-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 
 # UEFI Secure boot helpers
@@ -16,7 +16,7 @@ HOSTTOOLS += "sbsign"
 
 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "cos-certificates-and-keys-native:do_deploy"
 
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
@@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
 
 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
 
-def get_coreos_secureboot_keydir_hash(d):
-    """
-        Generate a space separate list, with a value for each file inside of 
-        keydir. Fromat: <filename>:md5:<md5sum>
-    """
-    import hashlib
 
-    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
-    value = ""
-    
-    for keyname in os.listdir(keydir):
-        filepath = os.path.join(keydir, keyname)
-        if os.path.isfile(filepath): 
-            md5 = bb.utils.md5_file(filepath)
-            value += f"{keyname}:md5:{md5} "
-
-    return value
-
-# The build system should detect if someone change one of the key inside
-# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
-# depends on this directory
-COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
-COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"

layers/meta-belden-coreos-bsp/conf/machine/beaglebone.conf

@@ -12,7 +12,7 @@ include conf/machine/include/arm/armv7a/tune-cortexa8.inc
 IMAGE_FSTYPES += "wic wic.xz wic.bmap"
 WKS_FILE ?= "beaglebone-sdcard.wks.in"
 COREOS_INSTALLER_WKS_FILE ?= "beaglebone-sdcard-installer.wks"
-MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image kernel-devicetree"
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-image"
 do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot gptfdisk-native:do_populate_sysroot virtual/bootloader:do_deploy"
 do_image_wic[recrdeptask] += "do_bootimg"
 
@@ -21,10 +21,10 @@ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
 APPEND:append = " console=ttyS0,115200"
 
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 
 KERNEL_IMAGETYPE = "zImage"
-KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
+DTB_FILES = "ti/omap/am335x-bone.dtb ti/omap/am335x-boneblack.dtb ti/omap/am335x-bonegreen.dtb"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
 
 PREFERRED_PROVIDER_virtual/bootloader ?= "u-boot"

layers/meta-belden-coreos-bsp/conf/machine/eagle40-03.conf

@@ -5,12 +5,12 @@
 
 require include/coreos-generic-arch/x64.inc
 
-MACHINE_FEATURES += "pci usbhost x86 acpi serial efi tpm2 "
+MACHINE_FEATURES += "pci usbhost x86 serial efi"
 
 # Kernel configuration
 # ******************************************************************************
 
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 
 KERNEL_IMAGETYPE = "bzImage"
@@ -28,11 +28,10 @@ APPEND += "console=ttyS0,115200"
 # Ensure that both flash-image.bin and boot.scr are generated as they are needed
 # for a wic image
 WKS_FILE = "generic-uefi.wks.in"
-# COREOS_INSTALLER_WKS_FILE ?= ""  --> TBD
+COREOS_INSTALLER_WKS_FILE ?= "generic-uefi-usb-installer.wks"
 IMAGE_FSTYPES += "wic.xz wic.bmap"
 
 MACHINE_ESSENTIAL_EXTRA_RDEPENDS += " kernel-modules"
-# COREOS_IMAGE_SWUPDATE_EXTRACLASSES += "" --> TBD
 
 # No watchdog available yet
 EFIBOOTGUARD_TIMEOUT ?= "0"

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc

@@ -1,15 +1,20 @@
-
+# Variables used in WKS file
-# Variable used in WKS file
-
 WKS_PART_EFI ??= 'part --source efibootguard-efi --label efi --part-type=EF00'
 WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
 WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
-WKS_PART_ROOT_SIZE ??= '2G'
+WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
 
+PART_EFI_SIZE ??= '64M'
+PART_ROOT_SIZE ??= '1G'
+PART_EFIBG_SIZE ??= '128M'
+PART_USERDATA_SIZE ??= '1G'
+
+# Variables used in SFDISK file
 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
 SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
 SFDISK_PART_EFIBOOTGUARD_B ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"'
 SFDISK_PART_ROOT_A ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
-SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"'
+SFDISK_PART_ROOT_B ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"'
+SFDISK_PART_USERDATA ??= 'type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="userdata"'

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc

@@ -6,7 +6,7 @@ MACHINE_FEATURES += "wifi efi"
 # Add an override that work for all pc image
 MACHINEOVERRIDES =. "vm:"
 
-PREFERRED_VERSION_linux-yocto ?= "5.15%"
+PREFERRED_VERSION_linux-yocto ?= "6.6%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 
 MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"

layers/meta-belden-coreos-bsp/conf/machine/qemu-coreos-arm64.conf

@@ -6,9 +6,9 @@
 require conf/machine/qemu-generic-arm64.conf
 MACHINEOVERRIDES =. "qemu-generic-arm64:"
 
-IMAGE_FSTYPES += "wic.xz wic.bmap"
+COREOS_IMAGE_GENERATE_INSTALLER = "0"
+
 WKS_FILE = "qemu-efi-coreos-generic.wks.in"
-QB_DRIVE_TYPE = "/dev/sd"
 
 EFIBOOTGUARD_TIMEOUT ?= "0"
 require conf/machine/include/coreos-generic-features/efi.inc

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos.inc

@@ -1,12 +0,0 @@
-# Ensure that file are found event when this file is included in another layer
-# ==============================================================================
-FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
-
-# Main include file for u-boot to ensure CoreOS compatibility
-# ==============================================================================
-
-SRC_URI += " \
-    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
-"
-
-require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "u-boot-coreos-efi.inc", "", d)}

layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot_2022.01.bbappend

@@ -1,2 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
-require u-boot-coreos.inc

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/beaglebone_1.0.sfdisk

@@ -12,8 +12,8 @@ sector-size: 512
 /dev/mmcblk1p1 : start=         256, size=         512, type=4DA6E9DA-C803-4BE4-BAC4-8192717C5EB0, name="mlo", attrs="RequiredPartition"
 /dev/mmcblk1p2 : start=         768, size=        8192, type=5B97345D-B7A1-47D3-A491-ED40F4841639, name="uboot", attrs="RequiredPartition"
 
-/dev/mmcblk1p3 : start=        8960, size=      131072, ${SFDISK_PART_EFI}
+/dev/mmcblk1p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
-/dev/mmcblk1p4 : start=      140032, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk1p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
-/dev/mmcblk1p5 : start=      402176, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk1p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
-/dev/mmcblk1p6 : start=      664320, size=     3403375, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk1p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
-/dev/mmcblk1p7 : start=     4067695, size=     3403375, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk1p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/eagle40-03_1.0.sfdisk

@@ -0,0 +1,13 @@
+label: gpt
+device: /dev/mmcblk2
+unit: sectors
+first-lba: 34
+last-lba: 7471070
+sector-size: 512
+
+/dev/mmcblk2p1 : start= 256, size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
+/dev/mmcblk2p2 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk2p3 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk2p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk2p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk2p6 : size= ${PART_USERDATA_SIZE}, ${SFDISK_PART_USERDATA}

layers/meta-belden-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend

@@ -1,3 +1,4 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"
 
 SRC_URI:append:beaglebone = " file://beaglebone_1.0.sfdisk"
+SRC_URI:append:eagle40-03 = " file://eagle40-03_1.0.sfdisk"

layers/meta-belden-coreos-bsp/recipes-kernel/linux/files/eagle40-03.cfg

@@ -0,0 +1,2 @@
+CONFIG_F71808E_WDT=y
+CONFIG_WATCHDOG_SYSFS=y

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto-coreos-efi.inc

@@ -1,23 +0,0 @@
-
-inherit coreos-efi-sbsign
-require conf/image-uefi.conf
-
-# Ensure EFI STUB is enabled
-KERNEL_FEATURES:append = " cfg/efi.scc cfg/efi-ext.scc"
-
-# By default we use a Unified Kernel Image that contain the kernel, the
-# kernel command line and some device tree, so we don't need to sign the output
-# of the kernel recipes
-COREOS_KERNEL_EFI_SIGNED ??= "0"
-
-# Extend the kernel_do_deploy function from kernel.bbclass to sign the kernel
-kernel_do_deploy:append() {
-    if [ "${COREOS_KERNEL_EFI_SIGNED}" == "1" ]; then
-      deployDir="${DEPLOYDIR}"
-      for imageType in ${KERNEL_IMAGETYPES} ; do
-        baseName="$imageType-${KERNEL_IMAGE_NAME}"
-        coreos_efi_secureboot_sign_app "$deployDir/$baseName${KERNEL_IMAGE_BIN_EXT}"
-      done
-    fi
-}
-

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend

@@ -4,7 +4,7 @@ COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
 
 # Enable some kernel features related to virtualiuzation
 KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
-
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
 
 KMACHINE:eagle40-03 ?= "common-pc-64"
 KBRANCH:eagle40-03 = "v5.15/standard/base"
@@ -18,8 +18,3 @@ KMACHINE:beaglebone ?= "beaglebone"
 SRCREV_machine:beaglebone ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"
 COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 LINUX_VERSION:beaglebone = "5.15.54"
-
-require ${@bb.utils.contains("COMBINED_FEATURES", "efi", "linux-yocto-coreos-efi.inc", "", d)}
-
-SRC_URI += " file://k3s_kernel_adaptions.cfg"
-SRC_URI:append:vm-x64 = " file://hyperv.cfg"

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_6.6.bbappend

@@ -0,0 +1,14 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+KMACHINE:eagle40-03 ?= "common-pc-64"
+COMPATIBLE_MACHINE:eagle40-03 = "eagle40-03"
+
+KMACHINE:beaglebone ?= "beaglebone"
+COMPATIBLE_MACHINE:beaglebone = "beaglebone"
+
+KMACHINE:vm-x64 ?= "common-pc-64"
+COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
+KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+SRC_URI:append:vm-x64 = " file://hyperv.cfg"
+
+SRC_URI += " file://eagle40-03.cfg"

layers/meta-belden-coreos-bsp/wic/beaglebone-sdcard.wks.in

@@ -13,8 +13,8 @@ part --offset 768S --source rawcopy --sourceparams="file=u-boot.img" --ondisk mm
 # Let's define a 4MiB maximum size for the bootloader
 # 4MiB => 4*1024*1024/512=8192S | 768S + 8192S => 8960S
 ${WKS_PART_EFI} --ondisk mmcblk0 --offset 8960S --fixed-size 32M
-${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size 128M
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
-${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size 128M
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk0 --fixed-size ${PART_EFIBG_SIZE}
-${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
+${WKS_PART_ROOT_A} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
-${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${WKS_PART_ROOT_SIZE}
+${WKS_PART_ROOT_B} --ondisk mmcblk0 --fixed-size ${PART_ROOT_SIZE}
 bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/generic-uefi-usb-installer.wks

@@ -0,0 +1,16 @@
+# short-description: Create USB image for Eagle 40-03
+# long-description: Creates a partitioned USB image for Eagle 40-03.
+
+# offset 1S => 1 sector (1x512 byte)
+# The bootloader can be at 4 different position in raw mode: 0S, 256S, 512S, 768S
+# MBR disk use only the sector 0, so 1S is free
+# GPT disk use sector 0-33S, so first free slot is 256S
+# Offset are from the BBB default settings
+
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# Don't name partition in the installer disk image, otherwise the installer may not work as it rely on partition label!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+part --offset 256S --source bootimg-partition --part-type=EF00 --ondisk mmcblk0
+part --fixed-size 3G --fstype=vfat --label=image
+bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in

@@ -1,10 +1,11 @@
 # short-description: Create an EFI disk image for genericx86*
 # long-description: Creates a partitioned EFI disk image for genericx86* machines
-${WKS_PART_EFI} --ondisk sda  --align 1024 --size 64M --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 
-part swap --ondisk sda --size 44 --label swap1 --fstype=swap
+${WKS_PART_EFI} --align 1024 --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_A} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_B} --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_A} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_B} --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
+
 bootloader --ptable gpt

layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in

@@ -2,10 +2,11 @@
 # long-description: Creates a partitioned EFI disk image that the user
 # can directly dd to boot media.
 
-part --source efibootguard-efi --label efi --part-type=EF00 --ondisk mmcblk1 --offset 20480S --size 64M --extra-space 0 --overhead-factor 1
+part --source efibootguard-efi --label efi --part-type=EF00 --use-uuid --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
-part / --source rootfs --fstype=ext4 --label rootfs0 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part / --source rootfs --fstype=ext4 --label rootfs0 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-part --fstype=ext4 --label rootfs1 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+part --fstype=ext4 --label rootfs1 --use-uuid --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
-part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --use-uuid --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --use-uuid --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 
 bootloader --ptable gpt

layers/meta-belden-coreos-demo/recipes-core/images/coreos-image-demo-k3s.bb

@@ -4,3 +4,5 @@ require recipes-core/images/coreos-image-all-features.bb
 
 IMAGE_INSTALL += "k3s-agent"
 
+# To use this image, please add k3s to DISTRO_FEATURE inside your
+# local.conf config file.

layers/meta-belden-coreos-demo/recipes-kernel/linux/linux-yocto_%.bbappend

@@ -0,0 +1 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

layers/meta-belden-coreos/classes/coreos-image-ci.bbclass

@@ -3,6 +3,7 @@
 # > COREOS_IMAGE_EXTRACLASSES += "coreos-image-ci"
 # in auto.conf (or local.conf)
 
+inherit kernel-artifact-names
 
 def get_coreos_ci_artifacts(d):
     artifacts = []
@@ -29,6 +30,10 @@ def get_coreos_ci_artifacts(d):
     if bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d):
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')
 
+    # This is used for qemu-coreos-arm64
+    if bb.utils.contains('IMAGE_FSTYPES', 'wic.qcow2', True, False, d):
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.qcow2')
+
     if d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1':
         artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')
 

layers/meta-belden-coreos/classes/coreos-image-installer.bbclass

@@ -0,0 +1,41 @@
+# Class used to generate image based on Belden CoreOS
+
+export IMAGE_BASENAME = "${MLPREFIX}${PN}"
+IMAGE_NAME_SUFFIX ?= ""
+IMAGE_LINGUAS = ""
+
+LICENSE = "MIT"
+
+IMAGE_FSTYPES = "cpio.gz"
+
+# Support for generating a SDCard or USB installer is optional
+COREOS_INSTALLER_WKS_FILE ??= ""
+WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
+IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
+IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
+
+COREOS_IMAGE_GENERATE_UKI = "1"
+
+# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
+# run during image generation
+COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
+COREOS_IMAGE_GENERATE_SWU = "0"
+
+# Change generated UKI filename and reset the bundled command line to "APPEND"
+# to ensure that root is not set in the kernel command line
+COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
+COREOS_KERNEL_CMDLINE ?= "${APPEND}"
+
+inherit coreos-image
+
+# Only install a reduced set of package and feature to keep image size small
+IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer coreos-installer-unattended util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
+IMAGE_FEATURES = "debug-tweaks swupdate"
+NO_RECOMMENDATIONS = "1"
+
+IMAGE_ROOTFS_SIZE = "8192"
+INITRAMFS_MAXSIZE = "976562"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"
+
+# Use the same restriction as initramfs-module-install
+COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
     packagegroup-coreos-boot \
     packagegroup-coreos-base \
+    secure-storage \
     "
 
 COREOS_IMAGE_EXTRA_INSTALL ?= ""
@@ -89,8 +90,10 @@ IMAGE_ROOTFS_EXTRA_SPACE:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'sys
 # Unified kernel image and swupdate support
 # ==============================================================================
 
-# Support for Unified Kernel Image and Swupdate are optional
+# The CoreOS image installer is disabled by default.
-COREOS_IMAGE_GENERATE_INSTALLER ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"
+COREOS_IMAGE_GENERATE_INSTALLER ?= "0"
+
+# Support for Unified Kernel Image and Swupdate are optional.
 COREOS_IMAGE_GENERATE_UKI ?= "${@bb.utils.contains("COMBINED_FEATURES", "efi", "1", "0", d)}"
 COREOS_IMAGE_GENERATE_SWU ?= "${@"1" if "efi" in d.getVar('COMBINED_FEATURES') and "swupdate" in d.getVar("DISTRO_FEATURES") else "0"}"
 

layers/meta-belden-coreos/classes/coreos-sanity.bbclass

@@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler
 check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
 python check_coreos_sanity_eventhandler() {
 
+    import datetime
+
     # Checks related to the distribution configuration files
     # ==========================================================================
 
@@ -36,6 +38,15 @@ python check_coreos_sanity_eventhandler() {
             "Using glibc is mandatory on CoreOS based distribution"
         )
 
+    # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date
+    first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc)
+    foy_ts = str(int(first_of_year.timestamp()))
+    if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts:
+        bb.warn(
+            "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!"
+            "Set to current 01. january of the year."
+        )
+
     # Checks related to the machine configuration files
     # ==========================================================================
 

layers/meta-belden-coreos/conf/distro/include/belden-coreos-base.inc

@@ -2,6 +2,11 @@
 # it should support the most basic distro without optional coreos
 # features
 
+# Using :coreos override should work on all CoreOS based distro
+# Note that :belden-coreos does not work on CoreOS based distro but will
+# work when build for the belden-coreos distro
+DISTROOVERRIDES = "coreos:${DISTRO}"
+
 INHERIT += "coreos_metadata_scm"
 
 # Distro features and policies
@@ -106,3 +111,8 @@ PACKAGECONFIG:pn-systemd ?= " \
 # Distro based on CoreOS can provide their own configuration files for the
 # CoreOS installer by overriding this variable
 PREFERRED_PROVIDER_coreos-installer-config ??= "coreos-installer-config"
+
+# This TS represents 01.01.2024 generating it dynamically would cause a lot of
+# things to get re-build, we need a good solution for this or change it every
+# year
+REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200"

layers/meta-belden-coreos/conf/distro/include/coreos-support.inc

@@ -0,0 +1,149 @@
+COREOS_RECIPE_MAINTAINER:pn-acl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-arptables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-attr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-autoconf-archive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-files = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-base-passwd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash-completion = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bash = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-binutils-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-boost = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bridge-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-busybox = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-bzip2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ca-certificates = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-conntrack-tools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-coreutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cppzmq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cracklib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-cryptsetup = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-curl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-dbus = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-depmodwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-e2fsprogs = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ebtables = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-efibootguard = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-elfutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ethtool = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-expat = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-findutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flatbuffers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-flex = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-fmt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gawk = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-cross-x86_64 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-runtime = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gcc-source-11.4.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gdbm = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glib-2.0 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-glibc-locale = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gmp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnu-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-gnutls = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-grub-efi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-icu = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iproute2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-iptables = "Team CoreOS"
+#iw should be removed
+COREOS_RECIPE_MAINTAINER:pn-json-c = "Team CoreOS"
+# kbd check if it can be removed
+# kmod check if it can be removed
+COREOS_RECIPE_MAINTAINER:pn-libaio = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libarchive = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcap-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libcheck = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libconfig = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libdevmapper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libestr = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libfastjson = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libffi = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcc-initial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libgpg-error = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libidn2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-liblogging = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libmnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnet = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-conntrack = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cthelper = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-cttimeout = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-log = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnetfilter-queue = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnfnetlink = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libnsl2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpam = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcap = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libpcre = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libseccomp = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsodium = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libsolv = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtirpc = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libtool-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libunistring = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libusb1 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxcrypt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-libxml2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-libc-headers = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-linux-yocto = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-logrotate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lrzsz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lvm2 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-lzo = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-m4 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-mtools = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-ncurses = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-netbase = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-nettle = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-openssl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-arch-config = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-opkg-utils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-os-release = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-core-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-base = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-packagegroup-coreos-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-pciutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-perl = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-popt = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-python3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-qemuwrapper-cross = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-readline = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-rsyslog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-run-postinsts = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-secure-storage = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-setserial = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sh = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-shared-mime-info = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-spdlog = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sqlite3 = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-swupdate = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-sysfsutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslinux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-syslog-ng = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-bootconf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-boot = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-conf = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-systemd-serialgetty = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tar = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-tcpdump = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-usbutils = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-util-linux-libuuid = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-volatile-binds = "Team CoreOS"
+# wpa-supplicant should be removed
+COREOS_RECIPE_MAINTAINER:pn-xz = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zeromq = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zip = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zlib = "Team CoreOS"
+COREOS_RECIPE_MAINTAINER:pn-zstd = "Team CoreOS"

layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb

@@ -1,33 +0,0 @@
-SUMMARY = "A recipe to deploy UEFI public keys update files"
-LICENSE = "CLOSED"
-
-
-INHIBIT_DEFAULT_DEPS = "1"
-inherit nopackages
-
-inherit deploy
-inherit coreos-efi-secureboot
-
-# Public key needed by firmware very depending on the implementation
-# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
-addtask deploy after do_compile
-do_deploy() {
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
-    
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
-
-    # !SECURITY WARNING! 
-    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
-}

layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend

@@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat
 # Add signature support
 # ==============================================================================
 
+DEPENDS:append = " cos-certificates-and-keys-native"
+
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf
 

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot-coreos.inc

@@ -1,12 +1,23 @@
+# Ensure that file are found event when this file is included in another layer
+# ==============================================================================
+FILESEXTRAPATHS:prepend := "${THISDIR}/u-boot:"
+
+# U-Boot CoreOS Distro Settings
+# ==============================================================================
+
+# Enable more debug option when debug-tweaks is enabled
+SRC_URI += " \
+    ${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "file://debug-tweaks.cfg", "", d)} \
+"
+
 inherit coreos-efi-secureboot
 
+# Make sure UEFI and secure boot is enabled for every u-boot build
 SRC_URI += " \
     file://uefi.cfg \
     file://uefi-secureboot.cfg \
 "
 
-DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
-
 # Generate a ubootefi.var file inside the build directory
 #
 # This file can be directly linked inside the u-boot binary to provide
@@ -15,6 +26,7 @@ DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
 #
 # The efivar.py is taken from u-boot-tools recipes, so that we are sure that he
 # is found and don't depend on the u-boot version being used
+DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native cos-certificates-and-keys-native"
 addtask uboot_generate_efivar after do_configure before do_compile
 do_uboot_generate_efivar() {
     # Settings OPENSSL_MODULES is needed, otherwise efivar.py fail with

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_%.bbappend

@@ -0,0 +1,5 @@
+# Add CoreOS distro settings to u-boot
+UBOOT_COREOS_REQUIRE:coreos ?= "u-boot-coreos.inc"
+UBOOT_COREOS_REQUIRE ?= ""
+
+require ${UBOOT_COREOS_REQUIRE}

layers/meta-belden-coreos/recipes-bsp/u-boot/u-boot_2022.10.bb

@@ -4,5 +4,3 @@ require recipes-bsp/u-boot/u-boot.inc
 SRCREV = "4debc57a3da6c3f4d3f89a637e99206f4cea0a96"
 DEPENDS += "bc-native dtc-native python3-setuptools-native"
 LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
-
-require u-boot-coreos.inc

layers/meta-belden-coreos/recipes-core/images/coreos-image-all-features.bb

@@ -10,3 +10,6 @@ IMAGE_INSTALL:append = "${@bb.utils.contains("IMAGE_FEATURES", "swupdate", " swu
 
 # development tools
 IMAGE_INSTALL:append = " systemd-analyze"
+
+# Enable the optional image installer
+COREOS_IMAGE_GENERATE_INSTALLER = "1"

layers/meta-belden-coreos/recipes-core/images/coreos-image-installer.bb

@@ -1,50 +1,4 @@
 DESCRIPTION = "Initramfs image with the CoreOS emmc installer"
-
-
-
-# Don't reboot the device at reboot and don't do A/B switching
-BAD_RECOMMENDATIONS = "swupdate-progress swupdate-coreos-config"
-
-export IMAGE_BASENAME = "${MLPREFIX}${PN}"
-IMAGE_NAME_SUFFIX ?= ""
-IMAGE_LINGUAS = ""
-
 LICENSE = "MIT"
 
-IMAGE_FSTYPES = "cpio.gz"
+inherit coreos-image-installer
-
-# Support for generating a SDCard installer is optional
-COREOS_INSTALLER_WKS_FILE ??= ""
-WKS_FILE = "${COREOS_INSTALLER_WKS_FILE}"
-IMAGE_FSTYPES += "${@'wic.xz wic.bmap' if d.getVar('COREOS_INSTALLER_WKS_FILE') else ''}"
-IMAGE_BOOT_FILES =  "${COREOS_KERNEL_FILENAME};EFI/BOOT/${EFI_BOOT_IMAGE}"
-
-COREOS_IMAGE_GENERATE_UKI = "1"
-
-# Avoid dependancy loop, we are already in an installer image, so we don't need
-# to bundle another one
-COREOS_IMAGE_GENERATE_INSTALLER = "0"
-
-# IMGDEPLOYDIR has to be used instead of DEPLOY_DIR_IMAGE here, because it will
-# run during image generation
-COREOS_UKI_PART_INITRAMFS = "${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.cpio.gz"
-COREOS_IMAGE_GENERATE_SWU = "0"
-
-# Change generated UKI filename and reset the bundled command line to "APPEND"
-# to ensure that root is not set in the kernel command line
-COREOS_KERNEL_NAME ?= "coreos-installer-${MACHINE}"
-COREOS_KERNEL_CMDLINE ?= "${APPEND}"
-
-inherit coreos-image
-
-# Only install a reduced set of package and feature to keep image size small
-IMAGE_INSTALL = "packagegroup-coreos-boot coreos-installer swupdate-www util-linux-sfdisk util-linux-fdisk util-linux-cfdisk efibootguard efibootguard-tools"
-IMAGE_FEATURES = "debug-tweaks swupdate networkmanager"
-NO_RECOMMENDATIONS = "1"
-
-IMAGE_ROOTFS_SIZE = "8192"
-INITRAMFS_MAXSIZE = "976562"
-IMAGE_ROOTFS_EXTRA_SPACE = "0"
-
-# Use the same restriction as initramfs-module-install
-COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'

layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-base.bb

@@ -15,7 +15,7 @@ COREOS_IMAGE_EFI_PROVIDER_EXTRA = " \
 "
 
 RDEPENDS:${PN} = "\
-    packagegroup-base-extended \
+    packagegroup-base \
     os-release \
     ${@bb.utils.contains("MACHINE_FEATURES", "efi", "${COREOS_IMAGE_EFI_PROVIDER_EXTRA}", "", d)} \
 "

layers/meta-belden-coreos/recipes-core/systemd/systemd-conf/system.conf-watchdog

@@ -0,0 +1,2 @@
+[Manager]
+RuntimeWatchdogSec=5

layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend

@@ -0,0 +1,15 @@
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/systemd-conf:"
+
+SRC_URI += " file://system.conf-watchdog"
+
+do_install:append(){
+	# the creation date/time of this file will be used as initial boot time.
+	# Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS
+	# More info about the date/time handling here:
+	# https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html
+	touch ${D}/${base_libdir}/clock-epoch
+	install -D -m0644 ${WORKDIR}/system.conf-watchdog ${D}${systemd_unitdir}/system.conf.d/01-${PN}-watchdog.conf
+}
+
+FILES:${PN} += "${base_libdir}/clock-epoch"

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/99-overwrite.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+# catch errors from previous source files
+if [ "$SWUPDATE_EXIT" != "" ]; then
+  # Notify the installation status indicator about the failed installation.
+  # This can result in the red LED lighting up.
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+# Notify the installation status indicator about the success with partitioning
+# the blockdevice. This can result in the first green LED lighting up.
+dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusPartitioningSuccess
+
+mount /dev/disk/by-label/image /mnt
+if [ ! -f "/mnt/image.swu" ]; then
+  echo "Could not find image.swu on the vfat partition!"
+  dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusFailure
+  exit 1
+fi
+
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -p /usr/lib/swupdate/post-install.sh"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -i /mnt/image.swu"

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended/post-install.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+# Notify the installation status indicator about the success with flashing the image.
+# This can result in the second green LED lighting up.
+dbus-send --system /org/belden/CoreOSInstallationStatusIndicator org.belden.CoreOSInstallationStatusIndicator.InstallationStatusImageFlashingSuccess

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer-unattended_1.0.bb

@@ -0,0 +1,23 @@
+DESCRIPTION = "CoreOS scripts for unattended installation"
+SECTION = "coreos"
+LICENSE = "CLOSED"
+
+SRC_URI += "\
+    file://99-overwrite.sh \
+    file://post-install.sh \
+"
+
+FILES:${PN} = "\
+    ${libdir}/swupdate/conf.d/99-overwrite.sh \
+    ${libdir}/swupdate/post-install.sh \
+"
+
+RDEPENDS:${PN} = "coreos-installer"
+
+RCONFLICTS:${PN} = "swupdate-www"
+
+do_install() {
+    install -d ${D}${libdir}/swupdate/conf.d
+    install -m 755 ${WORKDIR}/post-install.sh ${D}${libdir}/swupdate/
+    install -m 755 ${WORKDIR}/99-overwrite.sh ${D}${libdir}/swupdate/conf.d/
+}

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer/25-installer-config.sh

@@ -1,5 +1,8 @@
 #!/usr/bin/env sh
 
+set -o errtrace
+trap 'echo "An error occured in line $LINENO: $BASH_COMMAND, exiting..."; SWUPDATE_EXIT=1; exit;' ERR
+
 # Read /etc/hwrevision and turn it into a stripped string
 # with the format ${MACHINE}_${VERSION}
 HWREVISION=$(tr ' ' '_' < /etc/hwrevision | tr -d '[:space:]')
@@ -15,6 +18,13 @@ fi
 
 DISK=$(grep "^device:\s" < "${SFDISK_DUMP_FILE}" | cut -d ' ' -f 2)
 
+# Remove the partition table signature, if there is already one.
+# This ensures that sfdisk always finds a 'clean' disk to install / recover
+wipefs -a -f ${DISK}
+
+# Give the kernel some time to reload the partition
+sleep 3
+
 echo "Flashing ${SFDISK_DUMP_FILE} to ${DISK}"
 cat "${SFDISK_DUMP_FILE}"
 sfdisk "${DISK}" < "${SFDISK_DUMP_FILE}"
@@ -48,3 +58,4 @@ umount /mnt/ebg1
 umount /mnt/efi
 
 SWUPDATE_ARGS="${SWUPDATE_ARGS} -e stable,copy0"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"

layers/meta-belden-coreos/recipes-coreos/coreos-installer/coreos-installer_1.0.bb

@@ -1,22 +1,18 @@
 DESCRIPTION = "CoreOS Installer scripts"
-LICENSE = "CLOSED"
 SECTION = "coreos"
+LICENSE = "CLOSED"
 
-SRC_URI+= " \
+SRC_URI += "file://25-installer-config.sh"
-    file://25-installer-config.sh \
-"
 
-# This package ship an alternate configuration for SWUpade to disable A/B
+FILES:${PN} = "${libdir}/swupdate/conf.d/25-installer-config.sh"
-# switching and always flash A
-RCONFLICTS:${PN}= "swupdate-coreos-config"
-
-FILES:${PN} = " \
-    ${libdir}/swupdate/conf.d/25-installer-config.sh \
-"
 
 # glibc-utils provide iconv
 # glibc-gconv-utf-16 provide utf-16 support to iconv
-RDEPENDS:${PN} = "coreos-installer-config dosfstools util-linux-lsblk util-linux-sfdisk glibc-utils glibc-gconv-utf-16"
+RDEPENDS:${PN} = "coreos-installer-config dosfstools glibc-gconv-utf-16 glibc-utils util-linux-lsblk util-linux-sfdisk util-linux-wipefs"
+
+# This package ships an alternate configuration for SWUpdate to disable A/B
+# switching and always flash A
+RCONFLICTS:${PN} = "swupdate-coreos-config"
 
 do_install() {
     install -d ${D}${libdir}/swupdate/conf.d

layers/meta-belden-coreos/recipes-kernel/linux/files/secure-storage.cfg

@@ -0,0 +1,4 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_DM_CRYPT=y

layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto-coreos.inc

@@ -0,0 +1,8 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+# Secure Storage
+# ==============================================================================
+SRC_URI += "file://secure-storage.cfg"
+
+# Ensure the Kernel EFI STUB is enabled
+KERNEL_FEATURES += "cfg/efi.scc cfg/efi-ext.scc"

layers/meta-belden-coreos/recipes-kernel/linux/linux-yocto_%.bbappend

@@ -0,0 +1,6 @@
+# Add CoreOS distro settings to the linux-yocto recipes
+
+LINUX_YOCTO_COREOS_REQUIRE ?= ""
+LINUX_YOCTO_COREOS_REQUIRE:coreos = "linux-yocto-coreos.inc"
+
+require ${LINUX_YOCTO_COREOS_REQUIRE}

layers/meta-belden-coreos/recipes-security/cos-certificates-and-keys/cos-certificates-and-keys-native_1.0.bb

@@ -0,0 +1,65 @@
+SUMMARY = "Installs CoreOS certificates and keys"
+DESCRIPTION = "Installs CoreOS certificates and keys that are used during the build"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
+SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
+
+S = "${WORKDIR}/git"
+
+inherit deploy native
+
+CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
+
+#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
+
+
+do_install() {
+    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
+    install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
+    install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
+    install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
+    install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
+    install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
+    install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
+    install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
+    install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
+    install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
+    install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
+    install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
+    install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
+    install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
+    install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
+    install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
+    install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
+    install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
+
+    bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
+}
+
+
+# Public key needed by firmware very depending on the implementation
+# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
+
+addtask deploy after do_compile
+do_deploy() {
+    install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
+    install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
+    install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
+
+    install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
+    install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
+    install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
+
+    install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
+    install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
+    install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
+
+    install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
+    install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
+    install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
+
+    # !SECURITY WARNING!
+    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
+}

layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+	# echo "Create key file"
+	systemd-notify --status="Create key file"
+	mkdir -p $keyfiledir
+	dd if=/dev/urandom of=$keyfile bs=1 count=256
+	chown root:root $keyfiledir/*
+	chmod 000 $keyfiledir/*
+}
+
+error() {
+	echo "Error: $1"
+	exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+	# echo "Creating a file with random bits.. this could take a while..."
+	systemd-notify --status="Creating a file with random bits.. this could take a while..."
+	mkdir -p $loopdir || error "Creating loopdir"
+	mkdir -p $mountpoint || error "Creating mountpoint"
+	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $loopdevice"
+	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+	#echo "Open secure-storage"
+	systemd-notify --status="Open secure storage"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $ld"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+	echo "Close secure-storage"
+	# get loopdevice
+	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+	umount $mountpoint
+	cryptsetup close $cryptmapper
+	losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+	#echo "Parameter detected"
+	$1
+	exit 0
+fi
+
+if [ -e $keyfile ]
+then
+	#echo "Key file available"
+	if [ -e $loopfile ]
+	then
+		#echo "Loop file available"
+		open
+	else
+		#echo "Loop file not available"
+		create_loopback_and_open
+	fi
+else
+	#echo "Key file not available"
+	create_keyfile
+	create_loopback_and_open
+fi

layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+

layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb

@@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+    file://sec-storage-loopback.sh \
+    file://secure-storage.service \
+    "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+    /usr/local/data/ \
+    ${systemd_unitdir}/system \
+    ${bindir}/sec-storage-loopback.sh \
+    ${systemd_unitdir}/system/secure-storage.service \
+    "
+
+do_install() {
+    install -d ${D}$/usr/local/data/
+    install -d ${D}${bindir}
+    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+    install -d ${D}${systemd_unitdir}/system
+    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup util-linux-losetup e2fsprogs-mke2fs"

layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig

@@ -24,6 +24,7 @@ CONFIG_DISKPART=y
 CONFIG_DISKPART_FORMAT=y
 CONFIG_FAT_FILESYSTEM=y
 CONFIG_EXT_FILESYSTEM=y
+CONFIG_SIGNED=y
 CONFIG_SIGNED_IMAGES=y
 CONFIG_SIGALG_RAWRSA=n
 CONFIG_SIGALG_CMS=y

layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend

@@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate"
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
 
+DEPENDS += "cos-certificates-and-keys-native"
+
 SRC_URI += "\
     file://50-webserver-config.sh \
     file://25-sw-collections-config.sh \
@@ -46,3 +48,6 @@ do_install:append() {
     install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
     echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
 }
+
+# Fix: libgcc_s.so.1 must be installed for pthread_exit to work
+RDEPENDS:${PN} += "libgcc"

layers/meta-belden-marvell-bsp/conf/layer.conf

@@ -9,5 +9,5 @@ BBFILE_COLLECTIONS += "meta-belden-marvell-bsp"
 BBFILE_PATTERN_meta-belden-marvell-bsp = "^${LAYERDIR}/"
 BBFILE_PRIORITY_meta-belden-marvell-bsp = "6"
 
-LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos"
+LAYERDEPENDS_meta-belden-marvell-bsp = "core meta-belden-coreos meta-arm"
 LAYERSERIES_COMPAT_meta-belden-marvell-bsp = "kirkstone"

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch

@@ -1,14 +1,14 @@
-From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001
+From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 22 Nov 2021 13:33:25 +0200
-Subject: [PATCH 2/2] ddr spd read failover to defualt config
+Subject: [PATCH] ddr spd read failover to defualt config
 
 ---
  .../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++--
  1 file changed, 93 insertions(+), 7 deletions(-)
 
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 0befadfc6..5de71f095 100644
+index 82ce07b09..bb7814e9b 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 @@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644
  {
  	struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get();
 @@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void)
- 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1);
+ 		i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0);
  
  		/* read data from spd */
 -		i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes,
@@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644
 +			set_param_based_on_som_strap();
  	}
  }
--- 
-2.25.1
-

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch

@@ -1,15 +1,16 @@
-From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001
+From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001
 From: Alon Rotman <alon.rotman@solid-run.com>
 Date: Mon, 6 Dec 2021 18:34:37 +0200
 Subject: [PATCH] som sdp failover using crc verification
 
 Signed-off-by: Alon Rotman <alon.rotman@solid-run.com>
+
 ---
  .../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++-------
  1 file changed, 41 insertions(+), 22 deletions(-)
 
 diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
-index 5de71f095..d59b8100d 100644
+index bb7814e9b..772774215 100644
 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c
 @@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = {
@@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644
 +	
  	}
  }
--- 
-2.25.1
-

layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch

@@ -1,52 +0,0 @@
-fiptool: respect OPENSSL_DIR
-
-fiptool links to libcrypto, so as with the other tools it should respect
-OPENSSL_DIR for include/library paths.
-
-Upstream-Status: Submitted
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-diff --git a/Makefile b/Makefile
-index ec6f88585..2d3b9fc26 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
- 
- ${FIPTOOL}: FORCE
- ifdef UNIX_MK
--	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
-+	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
- else
- # Clear the MAKEFLAGS as we do not want
- # to pass the gnumake flags to nmake.
-diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
-index 11d2e7b0b..7c2a08379 100644
---- a/tools/fiptool/Makefile
-+++ b/tools/fiptool/Makefile
-@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
- PROJECT := $(notdir ${FIPTOOL})
- OBJECTS := fiptool.o tbbr_config.o
- V ?= 0
-+OPENSSL_DIR := /usr
-+
- 
- override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
- HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
-@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
- else
-   HOSTCCFLAGS += -O2
- endif
--LDLIBS := -lcrypto
-+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
- 
- ifeq (${V},0)
-   Q := @
-@@ -28,7 +30,7 @@ else
-   Q :=
- endif
- 
--INCLUDE_PATHS := -I../../include/tools_share
-+INCLUDE_PATHS := -I../../include/tools_share  -I${OPENSSL_DIR}/include
- 
- HOSTCC ?= gcc
- 

layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2019.10-solidrun.bb

@@ -51,7 +51,6 @@ SRC_URI = "git://git.denx.de/u-boot.git;branch=master \
 S = "${WORKDIR}/git"
 
 require recipes-bsp/u-boot/u-boot.inc
-require recipes-bsp/u-boot/u-boot-coreos.inc
 
 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"

layers/meta-belden-marvell-bsp/recipes-bsp/u-boot/u-boot_2023.04-marvell.bb

@@ -30,7 +30,6 @@ SRC_URI = "git://source.denx.de/u-boot/custodians/u-boot-marvell.git;branch=mast
 S = "${WORKDIR}/git"
 
 require recipes-bsp/u-boot/u-boot.inc
-require recipes-bsp/u-boot/u-boot-coreos.inc
 
 # Solidrun patches require to build out-of-the-tree
 B = "${WORKDIR}/build"

layers/meta-belden-marvell-bsp/recipes-coreos/coreos-installer/coreos-installer-config/cn9130-cf-pro_1.0.sfdisk

@@ -18,8 +18,8 @@ sector-size: 512
 /dev/mmcblk0p1 : start=        4096, size=        8192, type=71B02716-C000-4F0D-AE03-2F5DC0A114CD, name="fw0", attrs="RequiredPartition"
 /dev/mmcblk0p2 : start=       12288, size=        8192, type=71B02716-C000-4F0D-AE03-2F5DC0A114CD, name="fw1", attrs="RequiredPartition"
 
-/dev/mmcblk0p3 : start=       20480, size=      131072, ${SFDISK_PART_EFI}
+/dev/mmcblk0p3 : size= ${PART_EFI_SIZE}, ${SFDISK_PART_EFI}
-/dev/mmcblk0p4 : start=      151552, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_A}
+/dev/mmcblk0p4 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_A}
-/dev/mmcblk0p5 : start=      413696, size=      262144, ${SFDISK_PART_EFIBOOTGUARD_B}
+/dev/mmcblk0p5 : size= ${PART_EFIBG_SIZE}, ${SFDISK_PART_EFIBOOTGUARD_B}
-/dev/mmcblk0p6 : start=      675840, size=     7294976, ${SFDISK_PART_ROOT_A}
+/dev/mmcblk0p6 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_A}
-/dev/mmcblk0p7 : start=     7970816, size=     7294976, ${SFDISK_PART_ROOT_B}
+/dev/mmcblk0p7 : size= ${PART_ROOT_SIZE}, ${SFDISK_PART_ROOT_B}

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/cn913x_additions.cfg

@@ -18,11 +18,12 @@ CONFIG_ACPI_CPPC_CPUFREQ=y
 CONFIG_ARM_ARMADA_8K_CPUFREQ=y
 CONFIG_MICROSEMI_PHY=y
 # CONFIG_QRTR_MHI is not set
+# CONFIG_QRTR is not set
 # CONFIG_MHI_BUS is not set
-CONFIG_ATH11K=m
+# CONFIG_ATH11K is not set
-CONFIG_ATH11K_AHB=m
+# CONFIG_ATH11K_AHB is not set
-CONFIG_ATH11K_PCI=m
+# CONFIG_ATH11K_PCI is not set
-CONFIG_ATH11K_DEBUG=y
+# CONFIG_ATH11K_DEBUG is not set
 CONFIG_CRYPTO_MICHAEL_MIC=m
 CONFIG_R8169=y
 CONFIG_MTD=y
@@ -49,25 +50,25 @@ CONFIG_WEXT_CORE=y
 CONFIG_WEXT_PROC=y
 CONFIG_WEXT_SPY=y
 CONFIG_WEXT_PRIV=y
-CONFIG_CFG80211_DEBUGFS=y
+# CONFIG_CFG80211_DEBUGFS is not set
-CONFIG_CFG80211_WEXT=y
+# CONFIG_CFG80211_WEXT is not set
-CONFIG_CFG80211_WEXT_EXPORT=y
+# CONFIG_CFG80211_WEXT_EXPORT is not set
-CONFIG_LIB80211=m
+# CONFIG_LIB80211 is not set
-CONFIG_LIB80211_CRYPT_WEP=m
+# CONFIG_LIB80211_CRYPT_WEP is not set
-CONFIG_LIB80211_CRYPT_CCMP=m
+# CONFIG_LIB80211_CRYPT_CCMP is not set
-CONFIG_LIB80211_CRYPT_TKIP=m
+# CONFIG_LIB80211_CRYPT_TKIP is not set
-CONFIG_LIB80211_DEBUG=y
+# CONFIG_LIB80211_DEBUG is not set
-CONFIG_MAC80211_DEBUGFS=y
+# CONFIG_MAC80211_DEBUGFS is not set
-CONFIG_MAC80211_MESSAGE_TRACING=y
+# CONFIG_MAC80211_MESSAGE_TRACING is not set
-CONFIG_MAC80211_DEBUG_MENU=y
+# CONFIG_MAC80211_DEBUG_MENU is not set
 # CONFIG_MAC80211_NOINLINE is not set
-CONFIG_MAC80211_VERBOSE_DEBUG=y
+# CONFIG_MAC80211_VERBOSE_DEBUG is not set
 # CONFIG_MAC80211_MLME_DEBUG is not set
-CONFIG_MAC80211_STA_DEBUG=y
+# CONFIG_MAC80211_STA_DEBUG is not set
 # CONFIG_MAC80211_HT_DEBUG is not set
 # CONFIG_MAC80211_OCB_DEBUG is not set
 # CONFIG_MAC80211_IBSS_DEBUG is not set
-CONFIG_MAC80211_PS_DEBUG=y
+# CONFIG_MAC80211_PS_DEBUG is not set
 # CONFIG_MAC80211_TDLS_DEBUG is not set
 # CONFIG_MAC80211_DEBUG_COUNTERS is not set
 CONFIG_HOTPLUG_PCI_PCIE=y
@@ -79,38 +80,38 @@ CONFIG_PCI_DEBUG=y
 # CONFIG_ATH10K_TRACING is not set
 # CONFIG_ATH11K_DEBUGFS is not set
 # CONFIG_ATH11K_TRACING is not set
-CONFIG_IPW2100=m
+# CONFIG_IPW2100 is not set
-CONFIG_IPW2100_MONITOR=y
+# CONFIG_IPW2100_MONITOR is not set
-CONFIG_IPW2100_DEBUG=y
+# CONFIG_IPW2100_DEBUG is not set
-CONFIG_IPW2200=m
+# CONFIG_IPW2200 is not set
-CONFIG_IPW2200_MONITOR=y
+# CONFIG_IPW2200_MONITOR is not set
-CONFIG_IPW2200_RADIOTAP=y
+# CONFIG_IPW2200_RADIOTAP is not set
-CONFIG_IPW2200_PROMISCUOUS=y
+# CONFIG_IPW2200_PROMISCUOUS is not set
-CONFIG_IPW2200_QOS=y
+# CONFIG_IPW2200_QOS is not set
-CONFIG_IPW2200_DEBUG=y
+# CONFIG_IPW2200_DEBUG is not set
-CONFIG_LIBIPW=m
+# CONFIG_LIBIPW is not set
-CONFIG_LIBIPW_DEBUG=y
+# CONFIG_LIBIPW_DEBUG is not set
-CONFIG_IWLEGACY=m
+# CONFIG_IWLEGACY is not set
-CONFIG_IWL4965=m
+# CONFIG_IWL4965 is not set
-CONFIG_IWL3945=m
+# CONFIG_IWL3945 is not set
 #
 # iwl3945 / iwl4965 Debugging Options
 #
-CONFIG_IWLEGACY_DEBUG=y
+# CONFIG_IWLEGACY_DEBUG is not set
 # CONFIG_IWLEGACY_DEBUGFS is not set
 # end of iwl3945 / iwl4965 Debugging Options
-CONFIG_IWLWIFI=m
+# CONFIG_IWLWIFI is not set
-CONFIG_IWLWIFI_LEDS=y
+# CONFIG_IWLWIFI_LEDS is not set
-CONFIG_IWLDVM=m
+# CONFIG_IWLDVM is not set
-CONFIG_IWLMVM=m
+# CONFIG_IWLMVM is not set
-CONFIG_IWLWIFI_OPMODE_MODULAR=y
+# CONFIG_IWLWIFI_OPMODE_MODULAR is not set
-CONFIG_IWLWIFI_BCAST_FILTERING=y
+# CONFIG_IWLWIFI_BCAST_FILTERING is not set
 #
 # Debugging Options
 #
-CONFIG_IWLWIFI_DEBUG=y
+# CONFIG_IWLWIFI_DEBUG is not set
 # CONFIG_IWLWIFI_DEBUGFS is not set
-CONFIG_IWLWIFI_DEVICE_TRACING=y
+# CONFIG_IWLWIFI_DEVICE_TRACING is not set
 # end of Debugging Options
 # CONFIG_WLAN_VENDOR_INTERSIL is not set
 # CONFIG_WLAN_VENDOR_RALINK is not set
@@ -165,7 +166,7 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
 # CONFIG_PREEMPTIRQ_DELAY_TEST is not set
-CONFIG_CMA_SIZE_MBYTES=128
+CONFIG_CMA_SIZE_MBYTES=256
 CONFIG_FUNCTION_TRACER
 CONFIG_FUNCTION_GRAPH_TRACER
 CONFIG_STACK_TRACER

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg

@@ -0,0 +1,4 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_DM_CRYPT=y

layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb

@@ -12,6 +12,7 @@ SRC_URI = "git://gitlab.com/netmodule/kernel/linux-netmodule.git;protocol=ssh;us
            file://0001-fix-phy-support-for-falcon-board.patch \
            file://0001-refactor-cn913x-defconfig-cleanup.patch \
            file://cn913x_additions.cfg \
+           file://secure-storage.cfg \
            "
 SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5"
 
@@ -31,4 +32,7 @@ do_configure:append(){
     fi
 }
 
-require recipes-kernel/linux/linux-yocto-coreos-efi.inc
+# linux-yocto-coreos.inc provide some kernel config fragment that we can apply
+# Note that KERNEL_FEATURES are not applied as this recipes doesn't ihnerit
+# the linux-yocto class.
+require recipes-kernel/linux/linux-yocto-coreos.inc

layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in

@@ -11,10 +11,11 @@
 part --offset 4096S --source rawcopy --sourceparams="file=flash-image.bin" --ondisk mmcblk1 --size 4M --extra-space 0 --overhead-factor 1 --part-name fw0
 part --offset 12288S --source rawcopy --sourceparams="file=flash-image.bin" --ondisk mmcblk1 --size 4M --extra-space 0 --overhead-factor 1 --part-name fw1
 
-${WKS_PART_EFI} --ondisk mmcblk1 --offset 20480S --size 64M --extra-space 0 --overhead-factor 1
+${WKS_PART_EFI} --ondisk mmcblk1 --offset 20480S --size ${PART_EFI_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
-${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --size ${PART_EFIBG_SIZE} --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
 
 bootloader --ptable gpt

layers/meta-netmodule-coreos-bsp/README.md

@@ -0,0 +1,26 @@
+# meta-netmodule-coreos-bsp
+
+BSP layer for NetModule board
+
+This layer depends on:
+
+- meta-ti-bsp
+- meta-arm
+
+## SoC Family
+
+This layer contains all CoreOS supported board manufactured by NetModule
+
+## Availables Machines
+
+This layer contains the following machine configuration:
+
+### Based on the Gemini platform
+
+- netmodule-hw34 (Codename for XG900)
+
+**remarks**: Gemini based board use a TI am64xx (k3) family has a separate
+R5 core that use another architecture as the main core, so for each machine you
+will find a companion machine name `${MACHINE}-k3r5`. This config should not be
+used as is, but will be automatically used for some recipes under the hood when
+using `${MACHINE}` using Bitbake multiconfig feature.

layers/meta-netmodule-coreos-bsp/classes/coreos-image-swupdate-am64xx.bbclass

@@ -0,0 +1,46 @@
+
+SWUPDATE_IMAGES += "tiboot3-am64x-gemini-b"
+SWUPDATE_IMAGES += "tispl"
+SWUPDATE_IMAGES += "u-boot-${MACHINE}"
+SWUPDATE_IMAGES_FSTYPES[tiboot3-am64x-gemini-b] = ".bin"
+SWUPDATE_IMAGES_FSTYPES[tispl] = ".bin"
+
+python () {
+    machine = d.getVar('MACHINE')
+    d.setVarFlag("SWUPDATE_IMAGES_FSTYPES", "u-boot-" + machine, ".img")
+}
+COREOS_SWUPDATE_EXTENDS_FOR:append = "am64xx"
+
+def coreos_swupdate_extends_images_for_am64xx(d,s):
+    machine = d.getVar('MACHINE')
+    uboot_filename = "u-boot-" + machine + ".img"
+
+    SECTOR_SIZE = 512
+    OFFSET = [0x0*SECTOR_SIZE, 0x600*SECTOR_SIZE, 0x1600*SECTOR_SIZE]
+
+    return [
+        {
+            "filename" : "tiboot3-am64x-gemini-b.bin",
+            "installed-directly" : "true",
+            "device" : "/dev/mmcblk0boot0",
+            "offset": str(OFFSET[0]),
+            "type" : "raw",
+            "sha256" : swupdate_get_sha256(d, s, "tiboot3-am64x-gemini-b.bin"),
+        },
+        {
+            "filename" : "tispl.bin",
+            "installed-directly" : "true",
+            "device" : "/dev/mmcblk0boot0",
+            "offset": str(OFFSET[1]),
+            "type" : "raw",
+            "sha256" : swupdate_get_sha256(d, s, "tispl.bin"),
+        },
+        {
+            "filename" : uboot_filename,
+            "installed-directly" : "true",
+            "device" : "/dev/mmcblk0boot0",
+            "offset": str(OFFSET[2]),
+            "type" : "raw",
+            "sha256" : swupdate_get_sha256(d, s, uboot_filename),
+        }
+    ]

layers/meta-netmodule-coreos-bsp/conf/layer.conf

@@ -0,0 +1,13 @@
+# Add layer directory to bbpath
+BBPATH .= ":${LAYERDIR}"
+
+# Add recipe directories
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+            ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "netmodule-coreos-bsp-layer"
+BBFILE_PATTERN_netmodule-coreos-bsp-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_netmodule-coreos-bsp-layer = "8"
+
+LAYERSERIES_COMPAT_netmodule-coreos-bsp-layer = "kirkstone"
+LAYERDEPENDS_netmodule-coreos-bsp-layer = "meta-arm meta-ti-bsp"

layers/meta-netmodule-coreos-bsp/conf/machine/include/netmodule-am64xx-common.inc

@@ -0,0 +1,6 @@
+# This file contains the part of the configuration that is common to all
+# board based on the Gemini platform and that are the same for both
+# the Cortex-A53 and Cortex-R5 core (Gemini use a multi-arch SOC)
+
+PREFERRED_PROVIDER_virtual/bootloader = "u-boot-ti-coreos"
+PREFERRED_PROVIDER_u-boot = "u-boot-ti-coreos"

layers/meta-netmodule-coreos-bsp/conf/machine/include/netmodule-am64xx-k3.inc

@@ -0,0 +1,49 @@
+# This file contains the part of the configuration that is common to all
+# board based on the Gemini platform and that are the Cortex-A53 core.
+
+# k3.inc from meta-ti set a default WKS_FILE and add wic to IMAGE_FSTYPE.
+# But we don't need a wic image
+WKS_FILE ?= ""
+
+require conf/machine/include/k3.inc
+require netmodule-am64xx-common.inc
+
+# Workarround to remove wic related settings added to IMAGE_FSTYPE in k3.inc
+# without too much risk of breaking a distro or local config (as remove)
+# are final
+IMAGE_FSTYPES:remove = "${@'wic.xz wic.bmap' if not d.getVar('WKS_FILE') else ''}"
+
+# meta-ti-bsp use the machine override in a lot of recipes, so by adding the
+# name of the machine in meta-ti-bsp to SOC_FAMILY, we ensure that we the
+# device override apply.
+#
+# We don't modify MACHINEOVERRIDES directly as this will not place the string
+# in the same place
+SOC_FAMILY:append = ":am64xx"
+
+# Install u-boot script
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "kernel-devicetree"
+
+PREFERRED_PROVIDER_virtual/kernel = "linux-ti-coreos"
+
+KERNEL_DEFCONFIG ?= "gemini_defconfig"
+KERNEL_IMAGETYPE = "Image"
+
+UBOOT_ENTRYPOINT = "0x82000000"
+UBOOT_LOADADDRESS = "0x82000000"
+UBOOT_DTB_LOADADDRESS = "0x88000000"
+UBOOT_RD_LOADADDRESS = "0x88080000"
+UBOOT_RD_ENTRYPOINT = "0x88080000"
+
+
+TFA_BOARD = "lite"
+OPTEEMACHINE = "k3"
+
+
+
+# No watchdog available yet
+EFIBOOTGUARD_TIMEOUT ?= "0"
+
+COREOS_IMAGE_SWUPDATE_EXTRACLASSES += "coreos-image-swupdate-am64xx"
+
+require conf/machine/include/coreos-generic-features/efi.inc

layers/meta-netmodule-coreos-bsp/conf/machine/include/netmodule-am64xx-k3r5.inc

@@ -0,0 +1,13 @@
+# This file contains the part of the configuration that is common to all
+# board based on the Gemini platform and that are the Cortex-R5 core.
+
+require conf/machine/include/k3r5.inc
+require netmodule-am64xx-common.inc
+
+# A variant
+#SPL_BINARY = "tiboot3-am64x-gemini.${SPL_SUFFIX}"
+# B variant
+SPL_BINARY = "tiboot3-am64x-gemini-b.${SPL_SUFFIX}"
+
+# Sanity checks don't apply for real time cores
+INHERIT:remove = "coreos-sanity"

layers/meta-netmodule-coreos-bsp/conf/machine/netmodule-hw34-k3r5.conf

@@ -0,0 +1,7 @@
+#@TYPE: Machine
+#@NAME: AM64xx EVM (R5F)
+#@DESCRIPTION: Machine configuration for the TI AM64xx EVM (R5F core)
+
+
+require conf/machine/include/netmodule-am64xx-k3r5.inc
+UBOOT_MACHINE = "am64x_netmodule_hw34_r5_defconfig"

layers/meta-netmodule-coreos-bsp/conf/machine/netmodule-hw34.conf

@@ -0,0 +1,17 @@
+require conf/machine/include/netmodule-am64xx-k3.inc
+
+KERNEL_DEVICETREE = " \
+    ti/k3-am642-netmodule-hw34.dtb \
+"
+
+UBOOT_MACHINE = "am64x_netmodule_hw34_a53_defconfig"
+
+KERNEL_CONSOLE = "ttyS2"
+SERIAL_CONSOLES = "115200;ttyS2"
+
+
+APPEND += "console=ttyS2,115200"
+
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS:append = " udev-gemini"
+MACHINE_EXTRA_RDEPENDS:append = " prueth-fw-am65x-sr2 linux-firmware-ath10k linux-firmware-ath11k linux-firmware-qca kernel-modules"
+

layers/meta-netmodule-coreos-bsp/recipes-bsp/u-boot/u-boot-ti-coreos_2023.04.bb

@@ -0,0 +1,23 @@
+require recipes-bsp/u-boot/u-boot-ti.inc
+
+SPL_UART_BINARY = "u-boot-spl.bin"
+SPL_UART_BINARY:netmodule-hw34-k3r5 = "u-boot-spl.bin"
+
+LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
+
+PV = "2023.04"
+
+SRC_URI = "git://bitbucket.gad.local:7999/nm-nsp/netmodule-u-boot.git;protocol=ssh;user=git;branch=gemini/ti/ti-u-boot-2023.04 \
+           "
+SRCREV = "34cf1e583eb263dd6644d0ebf3468b3846fc0925"
+
+PACKAGECONFIG[atf] = "BL31=${STAGING_DIR_HOST}/firmware/bl31.bin,,trusted-firmware-a"
+
+# CoreOS enable EFI by default for all u-boot build, but this machine as a dual architecture u-boot
+# and EFI is not needed on the co-processor. So we enable it only for the main
+# machine
+UBOOT_COREOS_REQUIRE:coreos:netmodule-hw34 ?= "recipes-bsp/u-boot/u-boot-coreos.inc"
+UBOOT_COREOS_REQUIRE ?= ""
+
+require ${UBOOT_COREOS_REQUIRE}
+

layers/meta-netmodule-coreos-bsp/recipes-core/udev/udev-gemini/gemini-can.rules

@@ -0,0 +1,5 @@
+# CAN renaming
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20701000.can", NAME="canfd0"
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20711000.can", NAME="canfd1"
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20110000.spi-cs-0", NAME="canstd0"
+SUBSYSTEM=="net", ACTION=="add", KERNEL=="can*", ENV{ID_PATH}=="platform-20110000.spi-cs-1", NAME="canstd1"

layers/meta-netmodule-coreos-bsp/recipes-core/udev/udev-gemini_1.0.bb

@@ -0,0 +1,18 @@
+SUMMARY = "Extra Gemini specific configuration files"
+DESCRIPTION = "Extra machine specific configuration files for udev that are Gemini related."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = " \
+       file://gemini-can.rules \
+"
+
+S = "${WORKDIR}"
+
+do_install() {
+    install -d ${D}${sysconfdir}/udev/rules.d
+
+    install -m 0644 ${WORKDIR}/gemini-can.rules ${D}${sysconfdir}/udev/rules.d/gemini-can.rules
+}
+
+RDEPENDS:${PN} = "udev"

layers/meta-netmodule-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config/netmodule-hw34_1.0.sfdisk

@@ -0,0 +1,12 @@
+label: gpt
+device: /dev/mmcblk0
+unit: sectors
+first-lba: 34
+last-lba: 15273566
+sector-size: 512
+
+/dev/mmcblk0p1 : start=          34, size=      131072, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"
+/dev/mmcblk0p2 : start=      131106, size=      262144, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"
+/dev/mmcblk0p3 : start=      393250, size=      262144, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg1"
+/dev/mmcblk0p4 : start=      655394, size=     7309086, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs0"
+/dev/mmcblk0p5 : start=     7964480, size=     7309086, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="rootfs1"

layers/meta-netmodule-coreos-bsp/recipes-coreos/coreos-installer/coreos-installer-config_%.bbappend

@@ -0,0 +1,7 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/coreos-installer-config:"
+
+SRC_URI:append:netmodule-hw34 = " file://netmodule-hw34_1.0.sfdisk"
+
+do_install:append:netmodule-hw34() {
+    install -m 755 ${WORKDIR}/netmodule-hw34_1.0.sfdisk ${D}${sysconfdir}/
+}

layers/meta-netmodule-coreos-bsp/recipes-kernel/linux/linux-ti-coreos_git-5.10.bb

@@ -0,0 +1,29 @@
+DESCRIPTION = "Linux kernel for various NetModule hardware"
+COMPATIBLE_MACHINE = "k3"
+
+inherit kernel
+
+SRC_URI = "git://bitbucket.gad.local:7999/ico/ti-linux-kernel.git;protocol=ssh;user=git;branch=coreos/5.10 \
+           "
+SRCREV = "1debdf5926e98255e7c97e3c160a91f3aa094ffc"
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
+
+S = "${WORKDIR}/git"
+
+#If a KERNEL_DEFCONFIG is specified, the defconfig specified in SRC_URI will be overwritten!
+do_configure:append(){
+    if [ "${KERNEL_DEFCONFIG}" != "" ]; then
+        oe_runmake ${KERNEL_DEFCONFIG}
+    fi
+    configs="${@" ".join(find_cfgs(d))}"
+    if [ ! -z "${configs}" ]; then
+        ${S}/scripts/kconfig/merge_config.sh -m -O ${WORKDIR}/build ${WORKDIR}/build/.config ${WORKDIR}/*.cfg
+    fi
+}
+
+# linux-yocto-coreos.inc provide some kernel config fragment that we can apply
+# Note that KERNEL_FEATURES are not applied as this recipes doesn't ihnerit
+# the linux-yocto class.
+require recipes-kernel/linux/linux-yocto-coreos.inc

scripts/coreos-get-dev-keys

@@ -1,88 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will get development keys needed by the UEFI secure boot
-# implementation from the k-stufen web share and put the under $BUILDDIR/keys
-#
-# The reason for every developer to have the same keys is that image/update
-# filest are interchangable.
-# Those developer keys are used for all builds except the ones that are marked
-# as final. Here the official keys will be used.
-#
-# Following keys will be downloaded
-# db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
-# db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
-
-# This script is used every time the build environment of CoreOS is sourced
-# Note: in the build environment stdout is redirected to /dev/null but not
-# stderr.
-
-set -e
-
-# Logging helper
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# Ensure that BUILDDIR is defined
-# ==============================================================================
-# This is usually done inside the coreos-init-build-env script
-
-
-if [ -z "$BUILDDIR" ]; then 
-    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
-    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
-    exit 1
-fi
-
-# We need the KEYDIR directory to exist
-# ==============================================================================
-
-KEYDIR="${BUILDDIR}/keys"
-mkdir -p "${KEYDIR}"
-cd "${KEYDIR}"
-
-# we need wget and tar
-# ==============================================================================
-
-assert_command_in_path() {
-    if command -v "$1" >/dev/null 2>&1; then
-        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
-    else
-        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
-        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
-        exit 1
-    fi
-}
-
-assert_command_in_path wget
-assert_command_in_path tar
-
-
-# Generate all they keys, as needed
-# ==============================================================================
-# Only generate the file if it's missing and don't fail if the file already
-# exist
-
-check_files_exist() {
-    RET=0
-    for file in "$@"; do
-        if [ ! -e "$file" ]; then
-            echo -e "𐄂 File ${RED}${file}${RESET} missing"
-            RET=1
-        else
-            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
-        fi
-    done
-    return $RET
-}
-
-check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \
-                  KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \
-{
-    echo -e "${RED}Incosistent or no keys.${RESET}"
-    echo "Downloading Keys"
-    wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \
-    tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \
-    rm coreos_developer_signing.keys.tar.gz
-}

scripts/coreos-keygen

@@ -1,117 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will generate key needed by the UEFI secure boot implementation
-# under $BUILDDIR/keys
-# db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
-# db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
-
-# This script is used every time the build environment of CoreOS is sourced
-# Note: in the build environment stdout is redirected to /dev/null but not
-# stderr.
-
-set -e
-
-# Logging helper
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# Ensure that BUILDDIR is defined
-# ==============================================================================
-# This is usually done inside the coreos-init-build-env script
-
-
-if [ -z "$BUILDDIR" ]; then 
-    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
-    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
-    exit 1
-fi
-
-# We need the KEYDIR directory to exist
-# ==============================================================================
-
-KEYDIR="${BUILDDIR}/keys"
-mkdir -p "${KEYDIR}"
-cd "${KEYDIR}"
-
-# we need openssl, cert-to-efi-sig-list and sign-efi-sig-list 
-# ==============================================================================
-
-assert_command_in_path() {
-    if command -v "$1" >/dev/null 2>&1; then
-        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
-    else
-        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
-        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
-        exit 1
-    fi
-}
-
-assert_command_in_path openssl
-assert_command_in_path cert-to-efi-sig-list
-assert_command_in_path sign-efi-sig-list
-
-# Generate all they keys, as needed
-# ==============================================================================
-# Only generate the file if it's missing and don't fail if the file already
-# exist
-
-check_files_exist() {
-    RET=0
-    for file in "$@"; do
-        if [ ! -e "$file" ]; then
-            echo -e "𐄂 File ${RED}${file}${RESET} missing"
-            RET=1
-        else
-            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
-        fi
-    done
-    return $RET
-}
-
-echo "Generating private/public keys in .key/.crt format for PK, KEK et db"
-
-check_files_exist PK.key PK.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
-        -keyout PK.key -out PK.crt -nodes -days 365
-
-check_files_exist KEK.key KEK.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \
-        -keyout KEK.key -out KEK.crt -nodes -days 365
-
-check_files_exist db.key db.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \
-		-keyout db.key -out db.crt -nodes -days 365
-
-
-echo "Generatic EFI signature list file with PK, KEK et db public key"
-
-check_files_exist PK.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        PK.crt PK.esl;
-
-check_files_exist KEK.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        KEK.crt KEK.esl
-
-check_files_exist db.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        db.crt db.esl
-
-echo "Generatic EFI AUTH file with PK, KEK et db public key"
-
-check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
-check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
-check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
-
-echo "Generatic DER files with PK, KEK et db public key"
-
-# der certificate are need for OVMF based firmware (virtual machine)
-check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
-check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
-check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
-
-# keys needed to sign and verify SWUpdate
-check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
-    -out swupdate.crt -subj "/O=SWUpdate /CN=target"

scripts/coreos-resign-swu-file.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+#title           :coreos-resign-swu-file.sh
+#description     :This script signs/resigns an already existent swu file with a
+#                 provided private key and a certificate
+#author          :Patrick Vogelaar
+#date            :20240325
+#version         :0.1
+#usage           :coreos-resign-swu-file.sh -i <in>.swu -k <key> -c <cert>
+#                 -o <output_file>
+#notes           :openssl and cpio are required
+#==============================================================================
+
+SW_DESC_FILE_NAME="sw-description"
+SW_DESC_SIG_FILE_NAME="sw-description.sig"
+FIRMWARE_TMP_DIR="firmware_tmp"
+CPIO_ORDER_FILE="cpio_order"
+
+while getopts i:k:c:o flag
+do
+	case "${flag}" in
+		i) swupdate_in_file=${OPTARG};;
+		k) key_file=${OPTARG};;
+		c) certificate=${OPTARG};;
+		o) output_file=${OPTARG};;
+		*);; # TODO: error handling -> unknown flag
+	esac
+done
+
+### Some basic checks
+if [[ -d $FIRMWARE_TMP_DIR ]]; then
+	echo "ERROR: $FIRMWARE_TMP_DIR directory alread exists in this directory"
+	exit 1
+fi
+
+if ! command -v openssl &> /dev/null
+then
+	echo "openssl could not be found"
+	exit 1
+fi
+
+if ! command -v cpio &> /dev/null
+then
+	echo "cpio could not be found"
+	exit 1
+fi
+
+
+mkdir -p $FIRMWARE_TMP_DIR
+cd $FIRMWARE_TMP_DIR || exit 1
+
+# store the exact order in a file
+cpio --quiet --list < "../$swupdate_in_file" > $CPIO_ORDER_FILE
+
+cpio --quiet -id < "../$swupdate_in_file"
+
+# resign
+openssl cms -sign -in $SW_DESC_FILE_NAME -out $SW_DESC_SIG_FILE_NAME -signer\
+        "$certificate" -inkey "$key_file" -outform DER -nosmimecap -binary
+
+# recreate the swu file
+echo "cat < $CPIO_ORDER_FILE | cpio --quiet -ov > $output_file"
+cat < $CPIO_ORDER_FILE | cpio --quiet -ov > "$output_file"

scripts/coreos-supported-pkgs.py

@@ -0,0 +1,164 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2023 Hirschmann Automation and Control GmbH
+#
+# - list all recipes that are supported by the CoreOS team
+
+import sys
+import optparse
+import os
+import re
+
+scripts_path = os.path.abspath(os.path.dirname(os.path.abspath(sys.argv[0])))
+# Add the path if we have own libs
+lib_path = os.path.abspath(scripts_path + '/../lib')
+sys.path = sys.path + [lib_path]
+# Add the OE lib path
+lib_path = os.path.abspath(scripts_path + '/../external-layers/openembedded-core/scripts/lib')
+sys.path = sys.path + [lib_path]
+
+import scriptpath
+
+# For importing the following modules
+bitbakepath = scriptpath.add_bitbake_lib_path()
+if not bitbakepath:
+    sys.stderr.write("Unable to find bitbake by searching parent directory of this script or PATH\n")
+    sys.exit(1)
+
+import bb.cooker
+import bb.providers
+import bb.tinfoil
+from pprint import pprint
+
+def get_fnlist(bbhandler, pkg_pn):
+    ''' Get all recipe file names '''
+    (latest_versions, preferred_versions, required_versions) = bb.providers.findProviders(bbhandler.config_data, bbhandler.cooker.recipecaches[''], pkg_pn)
+
+    fn_list = []
+    for pn in sorted(pkg_pn):
+            # use the preferred version
+            fn_list.append(preferred_versions[pn][1])
+
+    return fn_list
+
+
+def get_recipesdata(bbhandler):
+    ''' Get data of all available recipes '''
+    pkg_pn = bbhandler.cooker.recipecaches[''].pkg_pn
+
+    pkg_dict = {}
+    supported_pkg_dict = {}
+    fn_list = get_fnlist(bbhandler, pkg_pn)
+    size = str(len(fn_list))
+    i = 0
+    for fn in fn_list:
+        print(size + "/" + str(i))
+        i += 1
+        data = bbhandler.parse_recipe_file(fn)
+        maintainer = data.getVar("COREOS_RECIPE_MAINTAINER")
+        pn = data.getVar("PN")
+        packages = data.getVar("PACKAGES")
+        packages += data.getVar("PROVIDES")
+        pkg_dict[pn] = data
+        if maintainer:
+            supported_pkg_dict[pn] = data
+        for pkg in packages.split():
+            pkg_dict[pkg] = data
+            if maintainer:
+                supported_pkg_dict[pkg] = data
+
+    return pkg_dict, supported_pkg_dict
+
+def resolve_dependencies(pkg_dict, supported_pkg_dict):
+    ''' Resolve dependencies and add them to supported packages '''
+    sup_with_dep_dict = {}
+    for pkg in supported_pkg_dict:
+        depends = supported_pkg_dict[pkg].getVar("DEPENDS") or ''
+        rdepends = supported_pkg_dict[pkg].getVar("RDEPENDS") or ''
+        sup_with_dep_dict[pkg] = pkg_dict[pkg]
+
+        for d_pkg in depends.split():
+            if ("virtual/" in d_pkg) or ("native" in d_pkg):
+                continue
+            sup_with_dep_dict[d_pkg] = pkg_dict[d_pkg]
+
+        for r_pkg in rdepends.split():
+            if ("virtual/" in r_pkg) or ("native" in r_pkg):
+                continue
+            sup_with_dep_dict[r_pkg] = pkg_dict[r_pkg]
+
+    return sup_with_dep_dict
+
+
+def display(supported_pkg_dict):
+    ''' Display all pkgs and COREOS_RECIPE_MAINTAINER information '''
+    print(f'{str("RECIPE NAMES:"):40} {str("META-LAYER:"):40} {str("COS-MAINTAINER:"):50}')
+    for pn in supported_pkg_dict:
+        recipe_name = supported_pkg_dict[pn].getVar("P")
+        recipe_path = supported_pkg_dict[pn].getVar("FILE")
+        meta_layer = re.search("(?<=/layers/)(.*)(?=/recipe)", recipe_path).group(0)
+        maintainer = supported_pkg_dict[pn].getVar("COREOS_RECIPE_MAINTAINER") or 'Supported by Dependency'
+
+        print(f'{recipe_name:40} {meta_layer:40} {maintainer:50}')
+
+
+def get_unique_list(supported_pkg_dict):
+    ''' Create a list that only contains one package based on PN '''
+    unique_dict = {}
+    for pkg in supported_pkg_dict:
+        pn = supported_pkg_dict[pkg].getVar("P")
+        unique_dict[pn] = supported_pkg_dict[pkg]
+
+    return unique_dict
+
+def print_to_file(supported_pkg_dict, file):
+    ''' print list to a file '''
+    with open(file, "w") as file:
+        file.write(f'{str("RECIPE NAMES:"):40} {str("META-LAYER:"):40} {str("COS-MAINTAINER:"):50}\n')
+        for pn in supported_pkg_dict:
+            recipe_name = supported_pkg_dict[pn].getVar("P")
+            recipe_path = supported_pkg_dict[pn].getVar("FILE")
+            meta_layer = re.search("(?<=/layers/)(.*)(?=/recipe)", recipe_path).group(0)
+            maintainer = supported_pkg_dict[pn].getVar("COREOS_RECIPE_MAINTAINER") or 'Supported by Dependency'
+
+            file.write(f'{recipe_name:40} {meta_layer:40} {maintainer:50}\n')
+
+def main():
+    parser = optparse.OptionParser(
+        description = "Lists all recipes supported by CoreOS.",
+        usage = """
+    %prog [options]""")
+
+    parser.add_option("-p", "--print",
+            help = "print all recipes that are supported",
+            action="store_const", dest="print", default=True)
+    parser.add_option("-f", "--file",
+            help = "store in file",
+            action="store", dest="file", type="string")
+
+    options, args = parser.parse_args(sys.argv)
+
+    with bb.tinfoil.Tinfoil() as bbhandler:
+        bbhandler.prepare()
+        print("Gathering recipe data...")
+        pkg_dict, supported_pkg_dict = get_recipesdata(bbhandler)
+        new_len = len(supported_pkg_dict)
+        old_len = 0
+
+        while old_len != new_len:
+            supported_pkg_dict = resolve_dependencies(pkg_dict, supported_pkg_dict)
+            old_len = new_len
+            new_len = len(supported_pkg_dict)
+
+        unique_dict = get_unique_list(supported_pkg_dict)
+        supported_pkg_dict = unique_dict
+
+        if options.print:
+            display(supported_pkg_dict)
+
+        if options.file:
+            print_to_file(supported_pkg_dict, options.file)
+
+
+if __name__ == "__main__":
+    main()

templates/bblayers.conf.sample

@@ -11,6 +11,7 @@ BBLAYERS ?= " \
   ##COREOS_LAYERSDIR##/meta-belden-coreos-bsp \
   ##COREOS_LAYERSDIR##/meta-belden-coreos-demo \
   ##COREOS_LAYERSDIR##/meta-belden-marvell-bsp \
+  ##COREOS_LAYERSDIR##/meta-netmodule-coreos-bsp \
   ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-oe \
   ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-networking \
   ##COREOS_EXTLAYERSDIR##/meta-openembedded/meta-filesystems \
@@ -21,4 +22,6 @@ BBLAYERS ?= " \
   ##COREOS_EXTLAYERSDIR##/meta-swupdate \
   ##COREOS_EXTLAYERSDIR##/meta-arm/meta-arm \
   ##COREOS_EXTLAYERSDIR##/meta-arm/meta-arm-toolchain \
+  ##COREOS_EXTLAYERSDIR##/meta-ti/meta-ti-bsp \
+  ##COREOS_EXTLAYERSDIR##/meta-lts-kernel-mixin \
   "