Date   

[isar-cip-core PATCH v2 4/5] wic: Add wks files for A/B Partition update

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add wks for:
- simatic-ipc227e
- qemu-amd64

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas/opt/ebg-swu.yml | 26 ++++++++++++++++++++++++++
wic/ebg-sysparts.inc | 8 ++++++++
wic/qemu-amd64-efibootguard.wks | 5 +++++
wic/simatic-ipc227e-efibootguard.wks | 5 +++++
wic/swupdate-partition.inc | 4 ++++
5 files changed, 48 insertions(+)
create mode 100644 kas/opt/ebg-swu.yml
create mode 100644 wic/ebg-sysparts.inc
create mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 100644 wic/swupdate-partition.inc

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
new file mode 100644
index 0000000..5b39730
--- /dev/null
+++ b/kas/opt/ebg-swu.yml
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate efibootguard"
+ BOOTLOADER = "efibootguard"
+
+ efibootguard: |
+ WDOG_TIMEOUT = "0"
+ WICVARS += "WDOG_TIMEOUT"
+
+ wic: |
+ IMAGE_TYPE = "wic-img"
+ WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks"
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
new file mode 100644
index 0000000..dea99e8
--- /dev/null
+++ b/wic/ebg-sysparts.inc
@@ -0,0 +1,8 @@
+# default partition layout EFI Boot Guard usage
+
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002"
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
new file mode 100644
index 0000000..3cd7360
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -0,0 +1,5 @@
+# short-description: Qemu-amd64 with Efibootguard and SWUpdate
+# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+include swupdate-partition.inc
diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks
new file mode 100644
index 0000000..74446d3
--- /dev/null
+++ b/wic/simatic-ipc227e-efibootguard.wks
@@ -0,0 +1,5 @@
+# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate
+# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+include swupdate-partition.inc
diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc
new file mode 100644
index 0000000..15fbe80
--- /dev/null
+++ b/wic/swupdate-partition.inc
@@ -0,0 +1,4 @@
+part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4
+part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
--
2.20.1


[isar-cip-core PATCH v2 1/5] recipes-bsp: Add efibootguard

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the bootloader efibootguard for A/B partition update
on x86 with EFI.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../efibootguard/efibootguard_0.7-git+isar.bb | 46 +++++
recipes-bsp/efibootguard/files/debian/compat | 1 +
.../efibootguard/files/debian/control.tmpl | 20 +++
.../files/debian/efibootguard-dev.install | 3 +
.../files/debian/efibootguard.install | 2 +
recipes-bsp/efibootguard/files/debian/rules | 21 +++
.../wic/plugins/source/efibootguard-boot.py | 162 ++++++++++++++++++
.../wic/plugins/source/efibootguard-efi.py | 102 +++++++++++
8 files changed, 357 insertions(+)
create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
create mode 100644 recipes-bsp/efibootguard/files/debian/compat
create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install
create mode 100755 recipes-bsp/efibootguard/files/debian/rules
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py

diff --git a/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
new file mode 100644
index 0000000..4bdf76a
--- /dev/null
+++ b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
@@ -0,0 +1,46 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "efibootguard boot loader"
+DESCRIPTION_DEV = "efibootguard development library"
+HOMEPAGE = "https://github.com/siemens/efibootguard"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>"
+
+SRC_URI = "git://github.com/siemens/efibootguard.git;branch=master;protocol=https \
+ file://debian \
+ "
+
+S = "${WORKDIR}/git"
+
+SRCREV = "442e87bafb480ada2b9074f02350a30408d4cf9c"
+
+PROVIDES = "${PN}"
+PROVIDES += "${PN}-dev"
+
+BUILD_DEB_DEPENDS = "gnu-efi,libpci-dev,check,pkg-config,libc6-dev-i386"
+
+inherit dpkg
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "DESCRIPTION_DEV BUILD_DEB_DEPENDS"
+
+do_prepare_build() {
+ cp -R ${WORKDIR}/debian ${S}
+ deb_add_changelog
+}
+
+dpkg_runbuild_append() {
+ install -m 0755 -d ${DEPLOY_DIR_IMAGE}
+ install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
+ install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
+}
diff --git a/recipes-bsp/efibootguard/files/debian/compat b/recipes-bsp/efibootguard/files/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/recipes-bsp/efibootguard/files/debian/control.tmpl b/recipes-bsp/efibootguard/files/debian/control.tmpl
new file mode 100644
index 0000000..54b1994
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/control.tmpl
@@ -0,0 +1,20 @@
+Source: ${PN}
+Section: base
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${BUILD_DEB_DEPENDS}
+Homepage: ${HOMEPAGE}
+Maintainer: ${MAINTAINER}
+
+Package: ${PN}
+Depends: ${shlibs:Depends}
+Section: base
+Architecture: ${DISTRO_ARCH}
+Priority: required
+Description: ${DESCRIPTION}
+
+Package: ${PN}-dev
+Section: base
+Architecture: ${DISTRO_ARCH}
+Priority: optional
+Description: ${DESCRIPTION_DEV}
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
new file mode 100644
index 0000000..7b45bd8
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
@@ -0,0 +1,3 @@
+include/ebgenv.h usr/include/efibootguard
+libebgenv.a usr/lib/x86_64-linux-gnu
+
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
new file mode 100644
index 0000000..8a8d9d3
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
@@ -0,0 +1,2 @@
+bg_setenv usr/bin
+bg_printenv usr/bin
diff --git a/recipes-bsp/efibootguard/files/debian/rules b/recipes-bsp/efibootguard/files/debian/rules
new file mode 100755
index 0000000..82e9e0e
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/rules
@@ -0,0 +1,21 @@
+#!/usr/bin/make -f
+export DH_VERBOSE=1
+export DEB_BUILD_OPTIONS=hardening=-stackprotector
+export DPKG_EXPORT_BUILDFLAGS=1
+include /usr/share/dpkg/default.mk
+
+override_dh_auto_test:
+ # we do not run the tests; that avoids having to pull the fff submodule
+
+override_dh_auto_install:
+ # install using Debian's .install files rather than
+ # make install in order to have a proper package split.
+
+override_dh_installchangelogs:
+ # we're not interested in changelogs
+
+override_dh_installdocs:
+ # we're not interested in docs
+
+%:
+ dh $@ --with autoreconf
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
new file mode 100644
index 0000000..38d2b2e
--- /dev/null
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -0,0 +1,162 @@
+# ex:ts=4:sw=4:sts=4:et
+# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
+#
+# Copyright (c) 2014, Intel Corporation.
+# Copyright (c) 2018, Siemens AG.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# DESCRIPTION
+# This implements the 'efibootguard-boot' source plugin class for 'wic'
+#
+# AUTHORS
+# Tom Zanussi <tom.zanussi (at] linux.intel.com>
+# Claudius Heine <ch (at] denx.de>
+# Andreas Reichel <andreas.reichel.ext (at] siemens.com>
+# Christian Storm <christian.storm (at] siemens.com>
+
+import os
+import fnmatch
+import sys
+import logging
+
+msger = logging.getLogger('wic')
+
+from wic.pluginbase import SourcePlugin
+from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE
+
+class EfibootguardBootPlugin(SourcePlugin):
+ """
+ Create EFI Boot Guard partition hosting the
+ environment file plus Kernel files.
+ """
+
+ name = 'efibootguard-boot'
+
+ @classmethod
+ def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
+ oe_builddir, deploy_dir, kernel_dir,
+ rootfs_dir, native_sysroot):
+ """
+ Called to do the actual content population for a partition, i.e.,
+ populate an EFI Boot Guard environment partition plus Kernel files.
+ """
+
+ kernel_image = get_bitbake_var("KERNEL_IMAGE")
+ if not kernel_image:
+ msger.warning("KERNEL_IMAGE not set. Use default:")
+ kernel_image = "vmlinuz"
+ boot_image = kernel_image
+
+ initrd_image = get_bitbake_var("INITRD_IMAGE")
+ if not initrd_image:
+ msger.warning("INITRD_IMAGE not set\n")
+ initrd_image = "initrd.img"
+ bootloader = creator.ks.bootloader
+
+ deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
+ if not deploy_dir:
+ msger.error("DEPLOY_DIR_IMAGE not set, exiting\n")
+ sys.exit(1)
+ creator.deploy_dir = deploy_dir
+
+ wdog_timeout = get_bitbake_var("WDOG_TIMEOUT")
+ if not wdog_timeout:
+ msger.error("Specify watchdog timeout for \
+ efibootguard in local.conf with WDOG_TIMEOUT=")
+ exit(1)
+
+
+ boot_files = source_params.get("files", "").split(' ')
+ cmdline = bootloader.append
+ root_dev = source_params.get("root", None)
+ if not root_dev:
+ msger.error("Specify root in source params")
+ exit(1)
+ root_dev = root_dev.replace(":", "=")
+
+ cmdline += " root=%s rw" % root_dev
+ boot_files.append(kernel_image)
+ boot_files.append(initrd_image)
+ cmdline += "initrd=%s" % initrd_image if initrd_image else ""
+
+ part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
+ part.label, part.lineno)
+ create_dir_cmd = "install -d %s" % part_rootfs_dir
+ exec_cmd(create_dir_cmd)
+
+ cwd = os.getcwd()
+ os.chdir(part_rootfs_dir)
+ config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
+ % (
+ deploy_dir,
+ part.label.upper(),
+ boot_image,
+ '-a "%s"' % cmdline if cmdline else "",
+ source_params.get("revision", 1),
+ wdog_timeout
+ )
+ exec_cmd(config_cmd, True)
+ os.chdir(cwd)
+
+ boot_files = list(filter(None, boot_files))
+ for boot_file in boot_files:
+ if os.path.isfile("%s/%s" % (kernel_dir, kernel_image)):
+ install_cmd = "install -m 0644 %s/%s %s/%s" % \
+ (kernel_dir, boot_file, part_rootfs_dir, boot_file)
+ exec_cmd(install_cmd)
+ else:
+ msger.error("file %s not found in directory %s",
+ boot_file, kernel_dir)
+ exit(1)
+ cls._create_img(part_rootfs_dir, part, cr_workdir)
+
+ @classmethod
+ def _create_img(cls, part_rootfs_dir, part, cr_workdir):
+ # Write label as utf-16le to EFILABEL file
+ with open("%s/EFILABEL" % part_rootfs_dir, 'wb') as filedescriptor:
+ filedescriptor.write(part.label.upper().encode("utf-16le"))
+
+ du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
+ blocks = int(exec_cmd(du_cmd).split()[0])
+
+ extra_blocks = part.get_extra_block_count(blocks)
+ if extra_blocks < BOOTDD_EXTRA_SPACE:
+ extra_blocks = BOOTDD_EXTRA_SPACE
+
+ blocks += extra_blocks
+ blocks = blocks + (16 - (blocks % 16))
+
+ msger.debug("Added %d extra blocks to %s to get to %d total blocks",
+ extra_blocks, part.mountpoint, blocks)
+
+ # dosfs image, created by mkdosfs
+ bootimg = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno)
+
+ dosfs_cmd = "mkdosfs -F 16 -S 512 -n %s -C %s %d" % \
+ (part.label.upper(), bootimg, blocks)
+ exec_cmd(dosfs_cmd)
+
+ mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % (bootimg, part_rootfs_dir)
+ exec_cmd(mcopy_cmd, True)
+
+ chmod_cmd = "chmod 644 %s" % bootimg
+ exec_cmd(chmod_cmd)
+
+ du_cmd = "du -Lbks %s" % bootimg
+ bootimg_size = int(exec_cmd(du_cmd).split()[0])
+
+ part.size = bootimg_size
+ part.source_file = bootimg
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
new file mode 100644
index 0000000..5ee451f
--- /dev/null
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -0,0 +1,102 @@
+# ex:ts=4:sw=4:sts=4:et
+# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
+#
+# Copyright (c) 2014, Intel Corporation.
+# Copyright (c) 2018, Siemens AG.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# DESCRIPTION
+# This implements the 'efibootguard-efi' source plugin class for 'wic'
+#
+# AUTHORS
+# Tom Zanussi <tom.zanussi (at] linux.intel.com>
+# Claudius Heine <ch (at] denx.de>
+# Andreas Reichel <andreas.reichel.ext (at] siemens.com>
+# Christian Storm <christian.storm (at] siemens.com>
+
+import logging
+import os
+
+msger = logging.getLogger('wic')
+
+from wic.pluginbase import SourcePlugin
+from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE
+
+class EfibootguardEFIPlugin(SourcePlugin):
+ """
+ Create EFI bootloader partition containing the EFI Boot Guard Bootloader.
+ """
+
+ name = 'efibootguard-efi'
+
+ @classmethod
+ def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
+ oe_builddir, deploy_dir, kernel_dir,
+ rootfs_dir, native_sysroot):
+ """
+ Called to do the actual content population for a partition, i.e.,
+ populate an EFI boot partition containing the EFI Boot Guard
+ bootloader binary.
+ """
+ deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
+ creator.deploy_dir = deploy_dir
+ bootloader_files = source_params.get("bootloader")
+ if not bootloader_files:
+ bootloader_files = "bootx64.efi"
+ bootloader_files = bootloader_files.split(' ')
+ part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
+ part.label,
+ part.lineno)
+ create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
+ exec_cmd(create_dir_cmd)
+
+ for bootloader in bootloader_files:
+ cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir,
+ bootloader,
+ part_rootfs_dir,
+ bootloader)
+ exec_cmd(cp_cmd, True)
+ du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
+ blocks = int(exec_cmd(du_cmd).split()[0])
+
+ extra_blocks = part.get_extra_block_count(blocks)
+ if extra_blocks < BOOTDD_EXTRA_SPACE:
+ extra_blocks = BOOTDD_EXTRA_SPACE
+ blocks += extra_blocks
+ blocks = blocks + (16 - (blocks % 16))
+
+ msger.debug("Added %d extra blocks to %s to get to %d total blocks",
+ extra_blocks, part.mountpoint, blocks)
+
+ # dosfs image, created by mkdosfs
+ efi_part_image = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno)
+
+ dosfs_cmd = "mkdosfs -S 512 -n %s -C %s %d" % \
+ (part.label.upper(), efi_part_image, blocks)
+ exec_cmd(dosfs_cmd)
+
+ mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % \
+ (efi_part_image, part_rootfs_dir)
+ exec_cmd(mcopy_cmd, True)
+
+ chmod_cmd = "chmod 644 %s" % efi_part_image
+ exec_cmd(chmod_cmd)
+
+ du_cmd = "du -Lbks %s" % efi_part_image
+ efi_part_image_size = int(exec_cmd(du_cmd).split()[0])
+
+ part.size = efi_part_image_size
+ part.source_file = efi_part_image
--
2.20.1


[isar-cip-core PATCH v2 0/5] A/B Rootfs update with software update

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds efibootguard, swupdate to allow A/B updates in
cip-core. The update mechanism is currently only implemented for x86_64.

Changes V2:
- update efibootguard to v0.7
- add swdescription and kas option to build qemu-amd64 test image
- swupdate set to upstream mirror and no longer use gitsm

Quirin Gylstorff (5):
recipes-bsp: Add efibootguard
patches: add libubootenv
recipes-core: add swupdate
wic: Add wks files for A/B Partition update
swupdate: create swu file from wic image

classes/extract-partition.bbclass | 26 +
classes/kconfig-snippets.bbclass | 90 ++++
classes/swupdate-config.bbclass | 76 +++
classes/swupdate-img.bbclass | 75 +++
classes/wic-swu-img.bbclass | 20 +
.../0001-u-boot-add-libubootenv.patch | 169 +++++++
kas-cip.yml | 4 +
kas/opt/ebg-swu.yml | 26 +
kas/opt/qemu-swupdate.yml | 19 +
.../efibootguard/efibootguard_0.7-git+isar.bb | 46 ++
recipes-bsp/efibootguard/files/debian/compat | 1 +
.../efibootguard/files/debian/control.tmpl | 20 +
.../files/debian/efibootguard-dev.install | 3 +
.../files/debian/efibootguard.install | 2 +
recipes-bsp/efibootguard/files/debian/rules | 21 +
recipes-core/images/cip-core-image.bb | 10 +
recipes-core/images/files/sw-description.tmpl | 29 ++
.../swupdate/files/debian/changelog.tmpl | 6 +
recipes-core/swupdate/files/debian/compat | 1 +
.../swupdate/files/debian/control.tmpl | 15 +
recipes-core/swupdate/files/debian/copyright | 36 ++
recipes-core/swupdate/files/debian/rules.tmpl | 30 ++
.../swupdate/files/debian/swupdate.examples | 2 +
.../swupdate/files/debian/swupdate.install | 2 +
.../swupdate/files/debian/swupdate.manpages | 5 +
.../swupdate/files/debian/swupdate.tmpfile | 2 +
recipes-core/swupdate/files/debian/watch | 12 +
recipes-core/swupdate/files/postinst | 2 +
recipes-core/swupdate/files/swupdate.cfg | 6 +
.../swupdate/files/swupdate.service.example | 11 +
.../swupdate/files/swupdate.socket.example | 11 +
.../swupdate/files/swupdate.socket.tmpl | 13 +
.../swupdate/files/swupdate_defconfig | 83 ++++
.../swupdate_defconfig_efibootguard.snippet | 3 +
.../files/swupdate_defconfig_lua.snippet | 2 +
.../swupdate_defconfig_luahandler.snippet | 4 +
.../files/swupdate_defconfig_mtd.snippet | 1 +
.../files/swupdate_defconfig_u-boot.snippet | 3 +
.../files/swupdate_defconfig_ubi.snippet | 6 +
.../swupdate/files/swupdate_handlers.lua | 453 ++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 54 +++
.../wic/plugins/source/efibootguard-boot.py | 162 +++++++
.../wic/plugins/source/efibootguard-efi.py | 102 ++++
wic/ebg-sysparts.inc | 8 +
wic/qemu-amd64-efibootguard.wks | 5 +
wic/simatic-ipc227e-efibootguard.wks | 5 +
wic/swupdate-partition.inc | 4 +
47 files changed, 1686 insertions(+)
create mode 100644 classes/extract-partition.bbclass
create mode 100644 classes/kconfig-snippets.bbclass
create mode 100644 classes/swupdate-config.bbclass
create mode 100644 classes/swupdate-img.bbclass
create mode 100644 classes/wic-swu-img.bbclass
create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch
create mode 100644 kas/opt/ebg-swu.yml
create mode 100644 kas/opt/qemu-swupdate.yml
create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
create mode 100644 recipes-bsp/efibootguard/files/debian/compat
create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install
create mode 100755 recipes-bsp/efibootguard/files/debian/rules
create mode 100644 recipes-core/images/files/sw-description.tmpl
create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl
create mode 100644 recipes-core/swupdate/files/debian/compat
create mode 100644 recipes-core/swupdate/files/debian/control.tmpl
create mode 100644 recipes-core/swupdate/files/debian/copyright
create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl
create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples
create mode 100644 recipes-core/swupdate/files/debian/swupdate.install
create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages
create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile
create mode 100644 recipes-core/swupdate/files/debian/watch
create mode 100644 recipes-core/swupdate/files/postinst
create mode 100644 recipes-core/swupdate/files/swupdate.cfg
create mode 100644 recipes-core/swupdate/files/swupdate.service.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua
create mode 100644 recipes-core/swupdate/swupdate.bb
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py
create mode 100644 wic/ebg-sysparts.inc
create mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 100644 wic/swupdate-partition.inc

--
2.20.1


[isar-cip-core PATCH v2 2/5] patches: add libubootenv

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

swupdate 2020.04 requires libubootenv as build dependency.

libubootenv is a library that provides a hardware independent
way to access to U-Boot environment. U-Boot has its default environment
compiled board-dependently and this means that tools to access the environment
are also board specific, too.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../0001-u-boot-add-libubootenv.patch | 169 ++++++++++++++++++
kas-cip.yml | 4 +
2 files changed, 173 insertions(+)
create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch

diff --git a/isar-patches/0001-u-boot-add-libubootenv.patch b/isar-patches/0001-u-boot-add-libubootenv.patch
new file mode 100644
index 0000000..10a5b4a
--- /dev/null
+++ b/isar-patches/0001-u-boot-add-libubootenv.patch
@@ -0,0 +1,169 @@
+From 76897e89977f895495e21e37cb76f90392d55ef9 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Fri, 19 Jun 2020 17:00:36 +0200
+Subject: [PATCH v2] u-boot: add libubootenv
+
+Add the new library libubootenv and remove fw_printenv and fw_setenv
+form u-boot-tools as the are now part of the new library.
+
+libubootenv is a library that provides a hardware independent
+way to access to U-Boot environment. U-Boot has its default environment
+compiled board-dependently and this means that tools to access the environment
+are also board specific, too.
+
+libubootenv conflicts with u-boot-tools from Debian 10
+as both try to install fw_printenv and fw_sentenv. This conflict is not
+part of the control file as it breaks the installation of custom u-boot-tools
+from the u-boot-sources.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ meta-isar/conf/machine/de0-nano-soc.conf | 2 +-
+ .../libubootenv/files/debian/compat | 1 +
+ .../libubootenv/files/debian/control.tmpl | 15 +++++++++
+ .../libubootenv/files/debian/rules.tmpl | 24 ++++++++++++++
+ .../libubootenv/libubootenv_0.2.bb | 32 +++++++++++++++++++
+ .../files/debian/u-boot-tools.conffiles | 1 -
+ .../u-boot/files/debian/u-boot-tools.install | 2 --
+ .../u-boot/files/debian/u-boot-tools.links | 1 -
+ 8 files changed, 73 insertions(+), 5 deletions(-)
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/compat
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+ create mode 100644 meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+ delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
+ delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
+
+diff --git a/meta-isar/conf/machine/de0-nano-soc.conf b/meta-isar/conf/machine/de0-nano-soc.conf
+index 3a2c009..6558d90 100644
+--- a/meta-isar/conf/machine/de0-nano-soc.conf
++++ b/meta-isar/conf/machine/de0-nano-soc.conf
+@@ -15,4 +15,4 @@ WKS_FILE ?= "de0-nano-soc.wks.in"
+ IMAGER_INSTALL += "u-boot-de0-nano-soc"
+ IMAGER_BUILD_DEPS += "u-boot-de0-nano-soc"
+
+-IMAGE_INSTALL += "u-boot-tools u-boot-script"
++IMAGE_INSTALL += "u-boot-tools libubootenv u-boot-script"
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/compat b/meta/recipes-bsp/libubootenv/files/debian/compat
+new file mode 100644
+index 0000000..b4de394
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/compat
+@@ -0,0 +1 @@
++11
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/control.tmpl b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+new file mode 100644
+index 0000000..fade69a
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+@@ -0,0 +1,15 @@
++Source: libubootenv
++Section: embedded
++Priority: optional
++Maintainer: Stefano Babic <sbabic@denx.de>
++Build-Depends: ${BUILD_DEB_DEPENDS}
++Standards-Version: 4.2.1
++Homepage: https://sbabic.github.io/libubootenv
++
++Package: libubootenv
++Architecture: any
++Depends: ${DEBIAN_DEPENDS}
++Description: libubootenv is a library that provides a hardware independent
++ way to access to U-Boot environment. U-Boot has its default environment
++ compiled board-dependently and this means that tools to access the environment
++ are also board specific, too.
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+new file mode 100644
+index 0000000..56ccd19
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+@@ -0,0 +1,24 @@
++#!/usr/bin/make -f
++
++ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
++export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
++export CC=$(DEB_HOST_GNU_TYPE)-gcc
++export LD=$(DEB_HOST_GNU_TYPE)-gcc
++endif
++
++export DH_VERBOSE = 1
++
++export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
++
++override_dh_auto_configure:
++ dh_auto_configure --
++
++%:
++ echo $@
++ dh $@
++
++override_dh_installchangelogs:
++ true
++
++override_dh_installdocs:
++ true
+diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+new file mode 100644
+index 0000000..1be058c
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+@@ -0,0 +1,32 @@
++# libubootenv
++#
++# This software is a part of ISAR.
++# Copyright (c) Siemens AG, 2020
++#
++# SPDX-License-Identifier: MIT
++
++DESCRIPTION = "swupdate utility for software updates"
++HOMEPAGE= "https://github.com/sbabic/swupdate"
++LICENSE = "GPL-2.0"
++LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
++SRC_URI = "gitsm://github.com/sbabic/libubootenv.git;branch=master;protocol=https"
++
++SRCREV = "bf6ff631c0e38cede67268ceb8bf1383b5f8848e"
++
++BUILD_DEB_DEPENDS = "cmake, zlib1g-dev"
++
++SRC_URI += "file://debian"
++TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
++TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS"
++
++
++inherit dpkg
++
++S = "${WORKDIR}/git"
++
++do_prepare_build() {
++ DEBDIR=${S}/debian
++ install -d ${DEBDIR}
++ cp -R ${WORKDIR}/debian ${S}
++ deb_add_changelog
++}
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
+deleted file mode 100644
+index d49a8fb..0000000
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
++++ /dev/null
+@@ -1 +0,0 @@
+-/etc/fw_env.config
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
+index d1ae3e0..2893b9a 100644
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
++++ b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
+@@ -1,5 +1,3 @@
+ tools/dumpimage /usr/bin/
+-tools/env/fw_printenv /usr/bin/
+ tools/mkenvimage /usr/bin/
+ tools/mkimage /usr/bin/
+-tools/env/fw_env.config /etc
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
+deleted file mode 100644
+index 92f5a6c..0000000
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
++++ /dev/null
+@@ -1 +0,0 @@
+-/usr/bin/fw_printenv /usr/bin/fw_setenv
+--
+2.20.1
+
diff --git a/kas-cip.yml b/kas-cip.yml
index 019b31e..0da07db 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -22,6 +22,10 @@ repos:
refspec: 351af175bc54a201c6f44307d4e998bd6c0afdb8
layers:
meta:
+ patches:
+ 01-libubootenv:
+ path: isar-patches/0001-u-boot-add-libubootenv.patch
+ repo: cip-core

bblayers_conf_header:
standard: |
--
2.20.1


Re: [isar-cip-core RFC 3/4] recipes-core: add swupdate

Quirin Gylstorff
 

On 6/26/20 3:05 PM, Jan Kiszka wrote:
On 25.06.20 15:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add swupdate for A/B software updates. Currently the Round Robin
handler in lua supports efibootguard as bootloader. The u-boot
implementation is outstanding.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  classes/kconfig-snippets.bbclass              |  90 ++++
  classes/swupdate-config.bbclass               |  76 +++
  classes/swupdate-img.bbclass                  |  75 +++
  .../swupdate/files/debian/changelog.tmpl      |   6 +
  recipes-core/swupdate/files/debian/compat     |   1 +
  .../swupdate/files/debian/control.tmpl        |  15 +
  recipes-core/swupdate/files/debian/copyright  |  36 ++
  recipes-core/swupdate/files/debian/rules.tmpl |  30 ++
  .../swupdate/files/debian/swupdate.examples   |   2 +
  .../swupdate/files/debian/swupdate.install    |   2 +
  .../swupdate/files/debian/swupdate.manpages   |   5 +
  .../swupdate/files/debian/swupdate.tmpfile    |   2 +
  recipes-core/swupdate/files/debian/watch      |  12 +
  recipes-core/swupdate/files/postinst          |   2 +
  recipes-core/swupdate/files/swupdate.cfg      |   6 +
  .../swupdate/files/swupdate.service.example   |  11 +
  .../swupdate/files/swupdate.socket.example    |  11 +
  .../swupdate/files/swupdate.socket.tmpl       |  13 +
  .../swupdate/files/swupdate_defconfig         |  83 ++++
  .../swupdate_defconfig_efibootguard.snippet   |   3 +
  .../files/swupdate_defconfig_lua.snippet      |   2 +
  .../swupdate_defconfig_luahandler.snippet     |   4 +
  .../files/swupdate_defconfig_mtd.snippet      |   1 +
  .../files/swupdate_defconfig_u-boot.snippet   |   3 +
  .../files/swupdate_defconfig_ubi.snippet      |   6 +
  .../swupdate/files/swupdate_handlers.lua      | 449 ++++++++++++++++++
  recipes-core/swupdate/swupdate.bb             |  54 +++
  27 files changed, 1000 insertions(+)
  create mode 100644 classes/kconfig-snippets.bbclass
  create mode 100644 classes/swupdate-config.bbclass
  create mode 100644 classes/swupdate-img.bbclass
  create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl
  create mode 100644 recipes-core/swupdate/files/debian/compat
  create mode 100644 recipes-core/swupdate/files/debian/control.tmpl
  create mode 100644 recipes-core/swupdate/files/debian/copyright
  create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.install
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile
  create mode 100644 recipes-core/swupdate/files/debian/watch
  create mode 100644 recipes-core/swupdate/files/postinst
  create mode 100644 recipes-core/swupdate/files/swupdate.cfg
  create mode 100644 recipes-core/swupdate/files/swupdate.service.example
  create mode 100644 recipes-core/swupdate/files/swupdate.socket.example
  create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua
  create mode 100644 recipes-core/swupdate/swupdate.bb

diff --git a/classes/kconfig-snippets.bbclass b/classes/kconfig-snippets.bbclass
new file mode 100644
index 0000000..d754654
--- /dev/null
+++ b/classes/kconfig-snippets.bbclass
@@ -0,0 +1,90 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+KCONFIG_SNIPPETS = ""
+
+# The following function defines the kconfig snippet system
+# with automatich debian dependency injection
+#
+# To define a feature set, the user has to define the following
+# variable to an empty string:
+#
+# KFEATURE_featurename = ""
+#
+# Then, required additions to the variables can be defined:
+#
+# KFEATURE_featurename[KCONFIG_SNIPPETS] = "file://snippet-file-name.snippet"
+# KFEATURE_featurename[SRC_URI] = "file://required-file.txt"
+# KFEATURE_featurename[DEPENDS] = "deb-pkg1 deb-pkg2 deb-pkg3"
+# KFEATURE_featurename[DEBIAN_DEPENDS] = "deb-pkg1"
+# KFEATURE_featurename[BUILD_DEB_DEPENDS] = "deb-pkg1,deb-pkg2,deb-pkg3"
+
+# The 'KCONFIG_SNIPPETS' flag gives a list of URI entries, where only
+# file:// is supported. These snippets are appended to the DEFCONFIG file.
+#
+# Features can depend on other features via the following mechanism:
+#
+# KFEATURE_DEPS[feature1] = "feature2"
+
+python () {
+    requested_features = d.getVar("KFEATURES", True) or ""
+
+    features = set(requested_features.split())
+    old_features = set()
+    feature_deps = d.getVarFlags("KFEATURE_DEPS") or {}
+    while old_features != features:
+        diff_features = old_features.symmetric_difference(features)
+        old_features = features.copy()
+        for i in diff_features:
+            features.update(feature_deps.get(i, "").split())
+
+    for f in sorted(features):
+        bb.debug(2, "Feature: " + f)
+        varname = "KFEATURE_" + f
+        dummyvar = d.getVar(varname, False)
+        if dummyvar == None:
+            bb.error("Feature var " + f + " must be defined with needed flags.")
+        else:
+            feature_flags = d.getVarFlags(varname)
+            for feature_varname in sorted(feature_flags):
+                if feature_flags.get(feature_varname, "") != "":
+                    sep = " "
+
+                    # Required to add KCONFIG_SNIPPETS to SRC_URI here,
+                    # because 'SRC_URI += "${KCONFIG_SNIPPETS}"' would
+                    # conflict with SRC_APT feature.
+                    if feature_varname == "KCONFIG_SNIPPETS":
+                        d.appendVar('SRC_URI',
+                            " " + feature_flags[feature_varname].strip())
+
+                    # BUILD_DEP_DEPENDS and DEBIAN_DEPENDS is ',' separated
+                    # Only add ',' if there is already something there
+                    if feature_varname in ["BUILD_DEB_DEPENDS",
+                                           "DEBIAN_DEPENDS"]:
+                        sep = "," if d.getVar(feature_varname) else ""
+
+                    d.appendVar(feature_varname,
+                        sep + feature_flags[feature_varname].strip())
+}
+
+# DEFCONFIG must be a predefined bitbake variable and the corresponding file
+# must exist in the WORKDIR.
+# The resulting generated config is the same file suffixed with ".gen"
+
+do_prepare_build_prepend() {
+        sh -x
+        GENCONFIG="${WORKDIR}/${DEFCONFIG}".gen
+        rm -f "$GENCONFIG"
+        cp "${WORKDIR}/${DEFCONFIG}" "$GENCONFIG"
+        for CONFIG_SNIPPET in $(echo "${KCONFIG_SNIPPETS}" | sed 's#file://##g')
+        do
+                cat ${WORKDIR}/$CONFIG_SNIPPET >> "$GENCONFIG"
+        done
+}
diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
new file mode 100644
index 0000000..7ce51c5
--- /dev/null
+++ b/classes/swupdate-config.bbclass
@@ -0,0 +1,76 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+# This class manages the config snippets together with their dependencies
+# to build SWUpdate
+
+inherit kconfig-snippets
+
+BUILD_DEB_DEPENDS = " \
+    zlib1g-dev, debhelper, libconfig-dev, libarchive-dev, \
+    python-sphinx:native, dh-systemd, libsystemd-dev"
+
+KFEATURE_lua = ""
+KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
+KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"
+
+KFEATURE_luahandler = ""
+KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
+KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+
+KFEATURE_DEPS = ""
+KFEATURE_DEPS[luahandler] = "lua"
+
+KFEATURE_efibootguard = ""
+KFEATURE_efibootguard[BUILD_DEB_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEBIAN_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_efibootguard.snippet"
+
+KFEATURE_mtd = ""
+KFEATURE_mtd[BUILD_DEB_DEPENDS] = "libmtd-dev"
+KFEATURE_mtd[DEPENDS] = "mtd-utils"
+KFEATURE_mtd[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_mtd.snippet"
+
+KFEATURE_ubi = ""
+KFEATURE_ubi[BUILD_DEB_DEPENDS] = "libubi-dev"
+KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"
+
+KFEATURE_DEPS[ubi] = "mtd"
+
+KFEATURE_u-boot = ""
+KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "u-boot-${MACHINE}-dev"
+KFEATURE_u-boot[DEBIAN_DEPENDS] = "u-boot-tools"
+KFEATURE_u-boot[DEPENDS] = "${U_BOOT}"
+KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"
+
+SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
+
+def get_bootloader_featureset(d):
+    bootloader = d.getVar("BOOTLOADER", True) or ""
+    if bootloader == "efibootguard":
+        return "efibootguard"
+    if bootloader == "u-boot":
+        return "u-boot"
+    return ""
+
+SWUPDATE_KFEATURES ??= ""
+KFEATURES = "${SWUPDATE_KFEATURES}"
+KFEATURES += "${@get_bootloader_featureset(d)}"
+
+# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# one time before it gets set. So the following must be a task.
+python do_check_bootloader () {
+    bootloader = d.getVar("BOOTLOADER", True) or "None"
+    if not bootloader in ["efibootguard", "u-boot"]:
+        bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+}
+addtask check_bootloader before do_fetch
+
diff --git a/classes/swupdate-img.bbclass b/classes/swupdate-img.bbclass
new file mode 100644
index 0000000..a21d6ec
--- /dev/null
+++ b/classes/swupdate-img.bbclass
@@ -0,0 +1,75 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Christian Storm <christian.storm@siemens.com>
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+SWU_IMAGE_FILE ?= "${PN}-${DISTRO}-${MACHINE}.swu"
+SWU_DESCRIPTION_FILE ?= "sw-description"
+SWU_ADDITIONAL_FILES ?= ""
+SWU_SIGNED ?= ""
+SWU_SIGNATURE_EXT ?= "sig"
+SWU_SIGNATURE_TYPE ?= "rsa"
+
+IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+
+do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
+do_swupdate_image[cleandirs] += "${WORKDIR}/swu"
+do_swupdate_image() {
+    rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+    cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+
+    # Create symlinks for files used in the update image
+    for file in ${SWU_ADDITIONAL_FILES}; do
+        if [ -e "${WORKDIR}/$file" ]; then
+            ln -s "${WORKDIR}/$file" "${WORKDIR}/swu/$file"
+        else
+            ln -s "${DEPLOY_DIR_IMAGE}/$file" "${WORKDIR}/swu/$file"
+        fi
+    done
+
+    # Prepare for signing
+    sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}'
+    if [ -n "$sign" ]; then
+        image_do_mounts
+        cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key'
+        test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt'
+
+        # Fill in file check sums
+        for file in ${SWU_ADDITIONAL_FILES}; do
+            sed -i "s:$file-sha256:$(sha256sum '${WORKDIR}/swu/'$file | cut -f 1 -d ' '):g" \
+                '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+        done
+    fi
+
+    cd "${WORKDIR}/swu"
+    for file in '${SWU_DESCRIPTION_FILE}' ${SWU_ADDITIONAL_FILES}; do
+        echo "$file"
+        if [ -n "$sign" -a \
+             '${SWU_DESCRIPTION_FILE}' = "$file" ]; then
+            if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then
+                sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl dgst \
+                    -sha256 -sign '${PP_WORK}/dev.key' \
+                    '${PP_WORK}/swu/'"$file" \
+                        > '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}'
+            elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then
+                sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl cms \
+                    -sign -in '${PP_WORK}/swu/'"$file" \
+                    -out '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}' \
+                    -signer '${PP_WORK}/dev.crt' \
+                    -inkey '${PP_WORK}/dev.key' \
+                    -outform DER -nosmimecap -binary
+            fi
+            echo "$file".'${SWU_SIGNATURE_EXT}'
+        fi
+    done | cpio -ovL -H crc \
+        > '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+    cd -
+}
+
+addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template
diff --git a/recipes-core/swupdate/files/debian/changelog.tmpl b/recipes-core/swupdate/files/debian/changelog.tmpl
new file mode 100644
index 0000000..81087d3
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/changelog.tmpl
@@ -0,0 +1,6 @@
+swupdate (${PV}) unstable; urgency=medium
+
+  * SWUpdate
+
+ --  Christian Storm <christian.storm@siemens.com>  Thu, 31 Jan 2019 15:23:56 +0100
+
diff --git a/recipes-core/swupdate/files/debian/compat b/recipes-core/swupdate/files/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/recipes-core/swupdate/files/debian/control.tmpl b/recipes-core/swupdate/files/debian/control.tmpl
new file mode 100644
index 0000000..2b92850
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/control.tmpl
@@ -0,0 +1,15 @@
+Source: swupdate
+Section: embedded
+Priority: optional
+Maintainer: Stefano Babic <sbabic@denx.de>
+Build-Depends: ${BUILD_DEB_DEPENDS}
+Standards-Version: 4.2.1
+Homepage: http://sbabic.github.io/swupdate
+
+Package: swupdate
+Architecture: any
+Depends: ${DEBIAN_DEPENDS}
+Description: reliable way to update an embedded system
+ This project is thought to help to update an embedded system from a storage media or from network.
+ However, it should be mainly considered as a framework, where further protocols or installers
+ (in SWUpdate they are called handlers) can be easily added to the application.
diff --git a/recipes-core/swupdate/files/debian/copyright b/recipes-core/swupdate/files/debian/copyright
new file mode 100644
index 0000000..f920942
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/copyright
@@ -0,0 +1,36 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: swupdate
+Maintainer: Stefano Babic <sbabic@denx.de>
+Source: http://github.com/sbabic/swupdate
+
+Files: *
+Copyright: 2014-2017 Stefano Babic <sbabic@denx.de>
+
+License: GPL-2 with OpenSSL exception
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ In addition, as a special exception, the author of this
+ program gives permission to link the code of its
+ release with the OpenSSL project's "OpenSSL" library (or
+ with modified versions of it that use the same license as
+ the "OpenSSL" library), and distribute the linked
+ executables. You must obey the GNU General Public
+ License in all respects for all of the code used other
+ than "OpenSSL".  If you modify this file, you may extend
+ this exception to your version of the file, but you are
+ not obligated to do so.  If you do not wish to do so,
+ delete this exception statement from your version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/recipes-core/swupdate/files/debian/rules.tmpl b/recipes-core/swupdate/files/debian/rules.tmpl
new file mode 100755
index 0000000..54cca57
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/rules.tmpl
@@ -0,0 +1,30 @@
+#!/usr/bin/make -f
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+export CC=$(DEB_HOST_GNU_TYPE)-gcc
+export LD=$(DEB_HOST_GNU_TYPE)-gcc
+endif
+
+export DH_VERBOSE = 1
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
+
+documentation: configure
+    make man
+
+configure:
+    make ${DEFCONFIG}
+
+build: documentation configure
+    dh $@
+
+%:
+    echo $@
+    dh $@
+
+override_dh_installchangelogs:
+    true
+
+override_dh_installdocs:
+    true
diff --git a/recipes-core/swupdate/files/debian/swupdate.examples b/recipes-core/swupdate/files/debian/swupdate.examples
new file mode 100644
index 0000000..c257b75
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.examples
@@ -0,0 +1,2 @@
+examples/configuration
+examples/description
diff --git a/recipes-core/swupdate/files/debian/swupdate.install b/recipes-core/swupdate/files/debian/swupdate.install
new file mode 100644
index 0000000..8957cc6
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.install
@@ -0,0 +1,2 @@
+swupdate usr/bin
+swupdate.cfg /etc
diff --git a/recipes-core/swupdate/files/debian/swupdate.manpages b/recipes-core/swupdate/files/debian/swupdate.manpages
new file mode 100644
index 0000000..c3438e0
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.manpages
@@ -0,0 +1,5 @@
+doc/build/man/swupdate.1
+doc/build/man/client.1
+doc/build/man/sendtohawkbit.1
+doc/build/man/hawkbitcfg.1
+doc/build/man/progress.1
diff --git a/recipes-core/swupdate/files/debian/swupdate.tmpfile b/recipes-core/swupdate/files/debian/swupdate.tmpfile
new file mode 100644
index 0000000..4743672
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.tmpfile
@@ -0,0 +1,2 @@
+X /tmp/datadst
+X /tmp/scripts
diff --git a/recipes-core/swupdate/files/debian/watch b/recipes-core/swupdate/files/debian/watch
new file mode 100644
index 0000000..bc4c53e
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/watch
@@ -0,0 +1,12 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 4 file
+version=4
+
+# GitHub hosted projects
+opts="filenamemangle="s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%<project>-$1.tar.gz%" \
+   https://github.com/<user>/swupdate/tags \
+   (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
diff --git a/recipes-core/swupdate/files/postinst b/recipes-core/swupdate/files/postinst
new file mode 100644
index 0000000..f15ac10
--- /dev/null
+++ b/recipes-core/swupdate/files/postinst
@@ -0,0 +1,2 @@
+#!/bin/sh
+deb-systemd-helper enable swupdate.socket || true
diff --git a/recipes-core/swupdate/files/swupdate.cfg b/recipes-core/swupdate/files/swupdate.cfg
new file mode 100644
index 0000000..e0222f1
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.cfg
@@ -0,0 +1,6 @@
+globals :
+{
+    verbose = true;
+    loglevel = 10;
+    syslog = false;
+};
diff --git a/recipes-core/swupdate/files/swupdate.service.example b/recipes-core/swupdate/files/swupdate.service.example
new file mode 100644
index 0000000..d0b821e
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.service.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate daemon
+Documentation=https://github.com/sbabic/swupdate
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/swupdate -f /etc/swupdate.cfg
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.example b/recipes-core/swupdate/files/swupdate.socket.example
new file mode 100644
index 0000000..2b75671
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.tmpl b/recipes-core/swupdate/files/swupdate.socket.tmpl
new file mode 100644
index 0000000..8e7fc1d
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.tmpl
@@ -0,0 +1,13 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+SocketUser=${SWUPDATE_SOCKET_OWNER}
+SocketGroup=root
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate_defconfig b/recipes-core/swupdate/files/swupdate_defconfig
new file mode 100644
index 0000000..9ae7cb5
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig
@@ -0,0 +1,83 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Swupdate Configuration
+#
+CONFIG_HAVE_DOT_CONFIG=y
+
+#
+# Swupdate Settings
+#
+
+#
+# General Configuration
+#
+# CONFIG_CURL is not set
+# CONFIG_CURL_SSL is not set
+CONFIG_SYSTEMD=y
+CONFIG_SCRIPTS=y
+# CONFIG_HW_COMPATIBILITY is not set
+CONFIG_SW_VERSIONS_FILE="/etc/sw-versions"
+
+#
+# Socket Paths
+#
+CONFIG_SOCKET_CTRL_PATH="/tmp/sockinstctrl"
+CONFIG_SOCKET_PROGRESS_PATH="/tmp/swupdateprog"
+CONFIG_SOCKET_REMOTE_HANDLER_DIRECTORY="/tmp/"
+# CONFIG_MTD is not set
+# CONFIG_LUA is not set
+# CONFIG_LUAPKG is not set
+# CONFIG_FEATURE_SYSLOG is not set
+
+#
+# Build Options
+#
+CONFIG_CROSS_COMPILE=""
+CONFIG_SYSROOT=""
+CONFIG_EXTRA_CFLAGS=""
+CONFIG_EXTRA_LDFLAGS=""
+CONFIG_EXTRA_LDLIBS=""
+
+#
+# Debugging Options
+#
+# CONFIG_DEBUG is not set
+# CONFIG_WERROR is not set
+# CONFIG_NOCLEANUP is not set
+# CONFIG_BOOTLOADER_EBG is not set
+# CONFIG_UBOOT is not set
+# CONFIG_BOOTLOADER_NONE is not set
+# CONFIG_BOOTLOADER_GRUB is not set
+# CONFIG_DOWNLOAD is not set
+# CONFIG_DOWNLOAD_SSL is not set
+# CONFIG_CHANNEL_CURL is not set
+# CONFIG_HASH_VERIFY=y
+# CONFIG_SIGNED_IMAGES is not set
+# CONFIG_ENCRYPTED_IMAGES is not set
+# CONFIG_SURICATTA is not set
+# CONFIG_WEBSERVER is not set
+CONFIG_GUNZIP=y
+
+#
+# Parser Features
+#
+CONFIG_LIBCONFIG=y
+CONFIG_PARSERROOT=""
+# CONFIG_JSON is not set
+# CONFIG_LUAEXTERNAL is not set
+# CONFIG_SETEXTPARSERNAME is not set
+# CONFIG_SETSWDESCRIPTION is not set
+
+#
+# Image Handlers
+#
+CONFIG_RAW=y
+# CONFIG_LUASCRIPTHANDLER is not set
+# CONFIG_SHELLSCRIPTHANDLER is not set
+# CONFIG_HANDLER_IN_LUA is not set
+# CONFIG_EMBEDDED_LUA_HANDLER is not set
+# CONFIG_EMBEDDED_LUA_HANDLER_SOURCE is not set
+CONFIG_ARCHIVE=y
+# CONFIG_REMOTE_HANDLER is not set
+# CONFIG_SWUFORWARDER_HANDLER is not set
+# CONFIG_BOOTLOADERHANDLER is not set
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
new file mode 100644
index 0000000..8e3688c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
@@ -0,0 +1,3 @@
+CONFIG_BOOTLOADER_NONE=n
+CONFIG_BOOTLOADER_EBG=y
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
new file mode 100644
index 0000000..b39f9df
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
@@ -0,0 +1,2 @@
+CONFIG_LUA=y
+CONFIG_LUAPKG="lua53"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
new file mode 100644
index 0000000..b4a2de8
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
@@ -0,0 +1,4 @@
+CONFIG_LUASCRIPTHANDLER=y
+CONFIG_HANDLER_IN_LUA=y
+CONFIG_EMBEDDED_LUA_HANDLER=y
+CONFIG_EMBEDDED_LUA_HANDLER_SOURCE="swupdate_handlers.lua"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
new file mode 100644
index 0000000..eab98dd
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
@@ -0,0 +1 @@
+CONFIG_MTD=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
new file mode 100644
index 0000000..6b5832a
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
@@ -0,0 +1,3 @@
+CONFIG_UBOOT=y
+CONFIG_UBOOT_FWENV="/etc/fw_env.config"
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
new file mode 100644
index 0000000..d1c7732
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
@@ -0,0 +1,6 @@
+CONFIG_UBIVOL=y
+CONFIG_UBIATTACH=y
+CONFIG_UBIBLACKLIST=""
+CONFIG_UBIWHITELIST=""
+CONFIG_UBIVIDOFFSET=0
+CONFIG_CFI=y
diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
new file mode 100644
index 0000000..c9b9962
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -0,0 +1,449 @@
+--[[
+
+    Round-robin Image and File Handler.
+
+    Copyright (C) 2019, Siemens AG
+
+    Author: Christian Storm <christian.storm@siemens.com>
+
+    SPDX-License-Identifier: GPL-2.0-or-later
+
+    An `sw-description` file using these handlers may look like:
+        software =
+        {
+            version = "0.1.0";
+            images: ({
+                filename = "rootfs.ext4";
+                device = "sda4,sda5";
+                type = "roundrobin";
+                compressed = false;
+            });
+            files: ({
+                filename = "vmlinuz";
+                path = "vmlinuz";
+                type = "kernelfile";
+                device = "sda2,sda3";
+                filesystem = "vfat";
+            },
+            {
+                filename = "initrd.img";
+                path = "initrd.img";
+                type = "kernelfile";
+                device = "sda2,sda3";
+                filesystem = "vfat";
+            });
+        }
+
+    The semantics is as follows: Instead of having a fixed target device,
+    the 'roundrobin' image handler calculates the target device by parsing
+    /proc/cmdline, matching the root=<device> kernel parameter against its
+    'device' attribute's list of devices, and sets the actual target
+    device to the next 'device' attribute list entry in a round-robin
+    manner. The actual flashing is done via chain-calling another handler,
+    defaulting to the "raw" handler.
+
+    The 'kernelfile' file handler reuses the 'roundrobin' handler's target
+    device calculation by reading the actual target device from the same
+    index into its 'device' attribute's list of devices. The actual placing
+    of files into this partition is done via chain-calling another handler,
+    defaulting to the "rawfile" handler.
+
+    In the above example, if /dev/sda4 is currently booted according to
+    /proc/cmdline, /dev/sda5 will be flashed and the vmlinuz and initrd.img
+    files will be placed on /dev/sda3. If /dev/sda5 is booted, /dev/sda4
+    will be flashed and the vmlinuz and initrd.img files are placed on
+    /dev/sda2.
+    In addition to "classical" device nodes as in this example, partition
+    UUIDs as reported, e.g., by `blkid -s PARTUUID` are also supported.
+    UBI volumes are supported as well by specifying a CSV list of
+    ubi<number>:<label> items.
+
+    Configuration is done via an INI-style configuration file located at
+    /etc/swupdate.handler.ini or via compiled-in configuration (by
+    embedding the Lua handler script into the SWUpdate binary via using
+    CONFIG_EMBEDDED_LUA_HANDLER), the latter having precedence over the
+    former. See the example configuration below.
+    If uncommenting this example block, it will take precedence over any
+    /etc/swupdate.handler.ini configuration file.
+
+    The chain-called handlers can either be specified in the configuration,
+    i.e., a static run-time setting, or via the 'chainhandler' property of
+    an 'image' or 'file' section in the sw-description, with the latter
+    taking precedence over the former, e.g.,
+        ...
+        images: ({
+                filename = "rootfs.ext4";
+                device = "sda4,sda5";
+                type = "roundrobin";
+                properties: {
+                    chainhandler = "myraw";
+                };
+            });
+        ...
+    Such a sw-description fragment will chain-call the imaginary "myraw"
+    handler regardless of what's been configured in the compiled-in or the
+    configuration file.
+    When chain-calling the "rdiff_image" handler, its 'rdiffbase' property
+    is subject to round-robin as well, i.e., the 'rdiffbase' property is
+    expected to be a CSV list as for the 'device' property, and the actual
+    'rdiffbase' property value is calculated following the same round-robin
+    calculation mechanism stated above prior to chain-calling the actual
+    "rdiff_image" handler, e.g.,
+        images: ({
+                filename = "rootfs.ext4";
+                type = "roundrobin";
+                device = "sda4,sda5";
+                properties: {
+                    chainhandler = "rdiff_image";
+                    rdiffbase="sda1,sda2";
+                };
+            });
+    will set the 'rdiffbase' property to /dev/sda2 (/dev/sda1) if /dev/sda4
+    (/dev/sda5) is the currently booted root file system according to
+    /proc/cmdline parsing.
+
+]]
+
+
+local configuration = [[
+[bootloader]
+# Required: bootloader name, uboot and ebg currently supported.
+name=ebg
+# Required: bootloader-specific key-value pairs, e.g., for ebg:
+kernelname=linux.signed.efi
+# For relying on FAT labels, prefix bootlabels with 'L:', e.g., L:BOOT0.
+# For using custom labels, i.e., relying on the contents of an EFILABEL
+# file within the partition, prefix it with 'C:', e.g., C:BOOT0.
+bootlabel={ "C:BOOT0:", "C:BOOT1:" }
+
+# Optional: handler to chain-call for the 'roundrobin' handler,
+# defaulting to 'raw'
+[roundrobin]
+chainhandler=raw
+
+# Optional: handler to chain-call for the 'kernelfile' handler,
+# defaulting to 'rawfile'
+[kernelfile]
+chainhandler=rawfile
+]]
+
+-- Default configuration file, tried if no compiled-in config is available.
+local cfgfile = "/etc/swupdate.handler.ini"
+
+-- Table holding the configuration.
+local config = {}
+
+-- Mandatory configuration [section] and keys
+local BOOTLOADERCFG = {
+    ebg   = {
+        bootloader = {"name", "bootlabel", "kernelname"}
+    },
+    -- TODO fill with mandatory U-Boot configuration
+    uboot = {
+        bootloader = {"name"}
+    }
+}
+
+-- enum-alikes to make code more readable
+local BOOTLOADER = { EBG = "ebg", UBOOT = "uboot" }
+local PARTTYPE   = { UUID = 1, PLAIN = 2, UBI = 3 }
+
+-- Target table describing the target device the image is to be/has been flashed to.
+local rrtarget = {
+    size = function(self)
+        local _size = 0
+        for index in pairs(self) do _size = _size + 1 end
+        return _size - 1
+    end
+}
+
+-- Helper function parsing CSV fields of a struct img_type such as
+-- the "device" fields or the "rdiffbase" property.
+local get_device_list = function(device_node_csv_list)
+    local device_list = {}
+    for item in device_node_csv_list:gmatch("([^,]+)") do
+        local device_node = item:gsub("/dev/", "")
+        device_list[#device_list+1] = device_node
+        device_list[device_node] = #device_list
+    end
+    return device_list
+end
+
+-- Helper function to determine device node location.
+local get_device_path = function(device_node)
+    if device_node:match("ubi%d+:%S+") then
+        return 0, device_node, PARTTYPE.UBI
+    end
+    local device_path = string.format("/dev/disk/by-partuuid/%s", device_node)
+    local file = io.open(device_path, "rb" )
+    if file then
+        file:close()
+        return 0, device_path, PARTTYPE.UUID
+    end
+    device_path = string.format("/dev/%s", device_node)
+    file = io.open(device_path, "rb" )
+    if file then
+        file:close()
+        return 0, device_path, PARTTYPE.PLAIN
+    end
+    swupdate.error(string.format("Cannot access target device node /dev/{,disk/by-partuuid}/%s", device_node))
+    return 1, nil, nil
+end
+
+-- Helper function parsing the INI-style configuration.
+local get_config = function()
+    -- Return configuration right away if it's already parsed.
+    if config ~= nil and #config > 0 then
+        return config
+    end
+
+    -- Get configuration INI-style string.
+    if not configuration then
+        swupdate.trace(string.format("No compiled-in config found, trying %s", cfgfile))
+        local file = io.open(cfgfile, "r" )
+        if not file then
+            swupdate.error(string.format("Cannot open config file %s", cfgfile))
+            return nil
+        end
+        configuration = file:read("*a")
+        file:close()
+    end
+    if configuration:sub(-1) ~= "\n" then
+        configuration=configuration.."\n"
+    end
+
+    -- Parse INI-style contents into config table.
+    local sec, key, value
+    for line in configuration:gmatch("(.-)\n") do
+        if line:match("^%[([%w%p]+)%][%s]*") then
+            sec = line:match("^%[([%w%p]+)%][%s]*")
+            config[sec] = {}
+        elseif sec then
+            key, value = line:match("^([%w%p]-)=(.*)$")
+            if key and value then
+                if tonumber(value)  then value = tonumber(value) end
+                if value == "true"  then value = true            end
+                if value == "false" then value = false           end
+                if value:sub(1,1) == "{" then
+                    local _value = {}
+                    for _key, _ in value:gmatch("\"(%S+)\"") do
+                        table.insert(_value, _key)
+                    end
+                    value = _value
+                end
+                config[sec][key] = value
+            else
+                if not line:match("^$") and not line:match("^#") then
+                    swupdate.warn(string.format("Syntax error, skipping '%s'", line))
+                end
+            end
+        else
+            swupdate.error(string.format("Syntax error. no [section] encountered."))
+            return nil
+        end
+    end
+
+    -- Check config table for mandatory key existence.
+    if config["bootloader"] == nil or config["bootloader"]["name"] == nil then
+        swupdate.error(string.format("Syntax error. no [bootloader] encountered or name= missing therein."))
+        return nil
+    end
+    local bcfg = BOOTLOADERCFG[config.bootloader.name]
+    if not bcfg then
+        swupdate.error(string.format("Bootloader unsupported, name=uboot|ebg missing in [bootloader]?."))
+        return nil
+    end
+    for sec, _ in pairs(bcfg) do
+        for _, key in pairs(bcfg[sec]) do
+            if config[sec] == nil or config[sec][key] == nil then
+                swupdate.error(string.format("Mandatory config key %s= in [%s] not found.", key, sec))
+            end
+        end
+    end
+
+    return config
+end
+
+-- Round-robin image handler for updating the root partition.
+function handler_roundrobin(image)
+    -- Read configuration.
+    if not get_config() then
+        swupdate.error("Cannot read configuration.")
+        return 1
+    end
+
+    -- Check if we can chain-call the handler.
+    local chained_handler = "raw"
+    if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+        chained_handler = image.properties["chainhandler"]
+    elseif config["roundrobin"] ~= nil and config["roundrobin"]["chainhandler"] ~= nil then
+        chained_handler = config["roundrobin"]["chainhandler"]
+    end
+    if not swupdate.handler[chained_handler] then
+        swupdate.error(string.format("'%s' handler not available in SWUpdate distribution.", chained_handler))
+        return 1
+    end
+
+    -- Get device list for round-robin.
+    local devices = get_device_list(image.device)
+    if #devices < 2 then
+        swupdate.error("Specify at least 2 devices in the device= property for 'roundrobin'.")
+        return 1
+    end
+
+    -- Check that rrtarget is unset, else a reboot may be pending.
+    if rrtarget:size() > 0 then
+        swupdate.warn("The 'roundrobin' handler has been run. Is a reboot pending?")
+    end
+
+    -- Determine current root device.
+    local file = io.open("/proc/cmdline", "r")
+    if not file then
+        swupdate.error("Cannot open /proc/cmdline.")
+        return 1
+    end
+    local cmdline = file:read("*l")
+    file:close()
+
+    local rootparam, rootdevice
+    for item in cmdline:gmatch("%S+") do
+        rootparam, rootdevice = item:match("(root=[%u=]*[/dev/]*(%S+))")
+        if rootparam and rootdevice then break end
+    end
+    if not rootdevice then
+      swupdate.error("Cannot determine current root device.")
+      return 1
+    end
+    swupdate.info(string.format("Current root device is: %s", rootdevice))
+
+    if not devices[rootdevice] then
+        swupdate.error(string.format("Current root device '%s' is not in round-robin root devices list: %s", rootdevice, image.device:gsub("/dev/", "")))
+        return 1
+    end
+
+    -- Perform round-robin calculation for target.
+    local err
+    rrtarget.index = devices[rootdevice] % #devices + 1
+    rrtarget.device_node = devices[rrtarget.index]
+    err, rrtarget.device_path, rrtarget.parttype = get_device_path(devices[rrtarget.index])
+    if err ~= 0 then
+        return 1
+    end
+    swupdate.info(string.format("Using '%s' as 'roundrobin' target via '%s' handler.", rrtarget.device_path, chained_handler))
+
+    -- If the chain-called handler is rdiff_image, adapt the rdiffbase property
+    if chained_handler == "rdiff_image" then
+        if image.properties ~= nil and image.properties["rdiffbase"] ~= nil then
+            local rdiffbase_devices = get_device_list(image.properties["rdiffbase"])
+            if #rdiffbase_devices < 2 then
+                swupdate.error("Specify at least 2 devices in the rdiffbase= property for 'roundrobin'.")
+                return 1
+            end
+            err, image.propierties["rdiffbase"], _ = get_device_path(rdiffbase_devices[rrtarget.index])
+            if err ~= 0 then
+                return 1
+            end
+            swupdate.info(string.format("Using device %s as rdiffbase.", image.properties["rdiffbase"]))
+        else
+            swupdate.error("Property 'rdiffbase' is missing in sw-description.")
+            return 1
+        end
+    end
+
+    -- Actually flash the partition.
+    local msg
+    image.type = chained_handler
+    image.device = rrtarget.device_path
+    err, msg = swupdate.call_handler(chained_handler, image)
+    if err ~= 0 then
+        swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+        return 1
+    end
+
+    if config.bootloader.name == BOOTLOADER.EBG then
+      if rootparam then
+        local value = cmdline:gsub(
+            rootparam:gsub("%-", "%%-"),
+            string.format("root=%s%s",
+                (rrtarget.parttype == PARTTYPE.PLAIN and "") or (rrtarget.parttype == PARTTYPE.UBI and "") or "PARTUUID=",
+                 rrtarget.parttype == PARTTYPE.PLAIN and rrtarget.device_path or devices[rrtarget.index]
+            )
+        )
+        swupdate.info(string.format("Setting EFI Bootguard environment: kernelparams=%s", value))
+        swupdate.set_bootenv("kernelparams", value)
+      end
+    elseif config.bootloader.name == BOOTLOADER.UBOOT then
+        -- Update U-Boot environment.
+        swupdate.info(string.format("Setting U-Boot environment"))
+        local value = rrtarget.index
+        swupdate.set_bootenv("swupdpart", value);
+    end
+
+    return 0
+end
+
+-- File handler for updating kernel files.
+function handler_kernelfile(image)
+    -- Check if we can chain-call the handler.
+    local chained_handler = "rawfile"
+    if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+        chained_handler = image.properties["chainhandler"]
+    elseif config["kernelfile"] ~= nil and config["kernelfile"]["chainhandler"] ~= nil then
+        chained_handler = config["kernelfile"]["chainhandler"]
+    end
+    if not swupdate.handler[chained_handler] then
+        swupdate.error(string.format("'%s' handler not available in SWUpdate distribution."), chained_handler)
+        return 1
+    end
+
+    -- Check that rrtarget is set, else the 'roundrobin' handler hasn't been run.
+    if rrtarget:size() == 0 then
+        swupdate.error("The 'roundrobin' handler hasn't been run.")
+        swupdate.info("Place 'roundrobin' above 'kernelfile' in sw-description.")
+        return 1
+    end
+
+    -- Get device list for round-robin.
+    local devices = get_device_list(image.device)
+    if #devices < 2 then
+        swupdate.error("Specify at least 2 devices in the device= property for 'kernelfile'.")
+        return 1
+    end
+    if rrtarget.index > #devices then
+        swupdate.error("Cannot map kernel partition to root partition.")
+        return 1
+    end
+
+    -- Perform round-robin indexing for target.
+    local err
+    err, image.device, _ = get_device_path(devices[rrtarget.index])
+    if err ~= 0 then
+        return 1
+    end
+    swupdate.info(string.format("Using '%s' as 'kernelfile' target via '%s' handler.", image.device, chained_handler))
+
+    -- Actually copy the 'kernelfile' files.
+    local msg
+    image.type = chained_handler
+    err, msg = swupdate.call_handler(chained_handler, image)
+    if err ~= 0 then
+        swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+        return 1
+    end
+
+    if config.bootloader.name == BOOTLOADER.EBG then
+        -- Update EFI Boot Guard environment: kernelfile
+        local value = string.format("%s%s", config.bootloader.bootlabel[rrtarget.index], config.bootloader.kernelname)
+        swupdate.info(string.format("Setting EFI Bootguard environment: kernelfile=%s", value))
+        swupdate.set_bootenv("kernelfile", value)
+    elseif config.bootloader.name == BOOTLOADER.UBOOT then
+        -- Update U-Boot environment.
+        swupdate.info(string.format("Setting U-Boot environment"))
+        -- TODO
+    end
+
+    return 0
+end
+
+swupdate.register_handler("roundrobin", handler_roundrobin, swupdate.HANDLER_MASK.IMAGE_HANDLER)
+swupdate.register_handler("kernelfile", handler_kernelfile, swupdate.HANDLER_MASK.FILE_HANDLER)
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
new file mode 100644
index 0000000..9c58f7d
--- /dev/null
+++ b/recipes-core/swupdate/swupdate.bb
@@ -0,0 +1,54 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+hDESCRIPTION = "swupdate utility for software updates"
+HOMEPAGE= "https://github.com/sbabic/swupdate"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+SRC_URI = "gitsm://code.siemens.com/mirror/swupdate.git;branch=master;protocol=https"
Internal mirror. You need to go back to upstream.
And do we actually need gitsm? It is not a mature feature of bitbake, thus generally discouraged.
Jan
I will fix that in v2


Re: [isar-cip-core RFC 1/4] recipes-bsp: Add efibootguard

Quirin Gylstorff
 

On 6/26/20 3:37 PM, Jan Kiszka wrote:
On 25.06.20 15:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the bootloader efibootguard for A/B partition update
on x86 with EFI.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  .../efibootguard/efibootguard_0.6-git+isar.bb |  46 +++++
I just released 0.7. Maybe you could update when preparing v2.
Jan
Sure


Re: [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot

Quirin Gylstorff
 

On 6/29/20 10:14 AM, Jan Kiszka wrote:
On 25.06.20 16:10, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  recipes-core/swupdate/files/swupdate_handlers.lua | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
index c9b9962..f2ecc54 100644
--- a/recipes-core/swupdate/files/swupdate_handlers.lua
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -311,8 +311,12 @@ function handler_roundrobin(image)
          if rootparam and rootdevice then break end
      end
      if not rootdevice then
-      swupdate.error("Cannot determine current root device.")
-      return 1
+        -- Use findmnt to get the rootdev
+      rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
+      if not rootdevice then
+        swupdate.error("Cannot determine current root device.")
+        return 1
+      end
      end
      swupdate.info(string.format("Current root device is: %s", rootdevice))
Seems not really specific to secure-boot, rather related to the initramfs-based rootfs selection. But is that one actually using PARTUUID in the end? Or rather device paths?
it uses the partuuid from root. If someone finds a better way to get
the current root without parsing the kernel commandline I would use
that.
Anyway, I'm not against merging this. It should just be correctly labeled. Or maybe even merged into the swupdate patch from the first series.
I move the patch to the a/b update patch.

Jan
--
Quirin


Re: [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot

Jan Kiszka
 

On 25.06.20 16:10, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/swupdate/files/swupdate_handlers.lua | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
index c9b9962..f2ecc54 100644
--- a/recipes-core/swupdate/files/swupdate_handlers.lua
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -311,8 +311,12 @@ function handler_roundrobin(image)
if rootparam and rootdevice then break end
end
if not rootdevice then
- swupdate.error("Cannot determine current root device.")
- return 1
+ -- Use findmnt to get the rootdev
+ rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
+ if not rootdevice then
+ swupdate.error("Cannot determine current root device.")
+ return 1
+ end
end
swupdate.info(string.format("Current root device is: %s", rootdevice))
Seems not really specific to secure-boot, rather related to the initramfs-based rootfs selection. But is that one actually using PARTUUID in the end? Or rather device paths?

Anyway, I'm not against merging this. It should just be correctly labeled. Or maybe even merged into the swupdate patch from the first series.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Re: [cip-kernel-config PATCH] ipc227e: Add missing options to mount fat

Nobuhiro Iwamatsu
 

Hi,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Quirin Gylstorff
Sent: Thursday, June 25, 2020 10:23 PM
To: cip-dev@lists.cip-project.org; Jan.Kiszka@siemens.com
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: [cip-dev] [cip-kernel-config PATCH] ipc227e: Add missing options to mount fat

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

To install a swupdate package into a system with a A/B partition
scheme and EFI it is necessary to access a FAT partition.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
4.19.y-cip/x86/siemens_ipc227e_defconfig | 4 ++++
1 file changed, 4 insertions(+)
Applied, thanks.

Nobuhiro



diff --git a/4.19.y-cip/x86/siemens_ipc227e_defconfig b/4.19.y-cip/x86/siemens_ipc227e_defconfig
index 0bbd649..273d20e 100644
--- a/4.19.y-cip/x86/siemens_ipc227e_defconfig
+++ b/4.19.y-cip/x86/siemens_ipc227e_defconfig
@@ -404,6 +404,10 @@ CONFIG_NFSD=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_ENCRYPTED_KEYS=m
CONFIG_SECURITY_DMESG_RESTRICT=y
--
2.20.1


[ANNOUNCE] Release v4.19.130-cip29

Nobuhiro Iwamatsu
 

Hi,

CIP kernel team has released Linux kernel v4.19.130-cip29.
The linux-4.19.y-cip tree has been updated base version from v4.19.128 to v4.19.130.

You can get this release via the git tree at:

v4.19.130-cip29:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.19.y-cip
commit hash:
4adb19da3f20208071f38c9a7706ba6a4ea0a632
added commits:
CIP: Bump version suffix to -cip29 after merge from stable

Best regards,
Nobuhiro


Re: [isar-cip-core PATCH v2 1/1] kas: Restructure kas files.

Jan Kiszka
 

On 26.06.20 18:56, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Create folder structure
kas -> general configuration
kas/board -> all supported boards
kas/opt -> all kas option files
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.gitlab-ci.yml | 8 ++++----
README.md | 4 ++--
kas.yml => kas-cip.yml | 0
board-bbb.yml => kas/board/bbb.yml | 0
board-iwg20m.yml => kas/board/iwg20m.yml | 0
board-qemu-amd64.yml => kas/board/qemu-amd64.yml | 0
board-rzg2m.yml => kas/board/rzg2m.yml | 0
.../board/simatic-ipc227e.yml | 0
opt-4.4.yml => kas/opt/4.4.yml | 0
opt-rt.yml => kas/opt/rt.yml | 0
opt-stretch.yml => kas/opt/stretch.yml | 0
opt-targz-img.yml => kas/opt/targz-img.yml | 0
12 files changed, 6 insertions(+), 6 deletions(-)
rename kas.yml => kas-cip.yml (100%)
rename board-bbb.yml => kas/board/bbb.yml (100%)
rename board-iwg20m.yml => kas/board/iwg20m.yml (100%)
rename board-qemu-amd64.yml => kas/board/qemu-amd64.yml (100%)
rename board-rzg2m.yml => kas/board/rzg2m.yml (100%)
rename board-simatic-ipc227e.yml => kas/board/simatic-ipc227e.yml (100%)
rename opt-4.4.yml => kas/opt/4.4.yml (100%)
rename opt-rt.yml => kas/opt/rt.yml (100%)
rename opt-stretch.yml => kas/opt/stretch.yml (100%)
rename opt-targz-img.yml => kas/opt/targz-img.yml (100%)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6f1dc91..241b09e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,17 +13,17 @@ all:
- export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
- - kas build kas.yml:board-simatic-ipc227e.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/simatic-ipc227e.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster simatic-ipc227e
- sudo rm -rf build/tmp
- - kas build kas.yml:board-bbb.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/bbb.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster bbb am335x-boneblack.dtb
- sudo rm -rf build/tmp
- - kas build kas.yml:board-iwg20m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/iwg20m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster iwg20m r8a7743-iwg20d-q7-dbcm-ca.dtb
- sudo rm -rf build/tmp
- - kas build kas.yml:board-rzg2m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/rzg2m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster hihope-rzg2m renesas/r8a774a1-hihope-rzg2m-ex.dtb
diff --git a/README.md b/README.md
index bbad1a0..1a7af21 100644
--- a/README.md
+++ b/README.md
@@ -21,11 +21,11 @@ start containers.
To build, e.g., the QEMU AMD64 target inside Docker, invoke kas-docker like
this:
- ./kas-docker --isar build kas.yml:board-qemu-amd64.yml
+ ./kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml
This image can be run using `start-qemu.sh x86`.
-The BeagleBone Black target is selected by `... kas.yml:board-bbb.yml`. In
+The BeagleBone Black target is selected by `... kas-cip.yml:kas/board/bbb.yml`. In
order to build the image with the PREEMPT-RT kernel, append `:opt-rt.yml` to
the above. Append ':opt-4.4.yml' to use the kernel version 4.4 instead of 4.19.
diff --git a/kas.yml b/kas-cip.yml
similarity index 100%
rename from kas.yml
rename to kas-cip.yml
diff --git a/board-bbb.yml b/kas/board/bbb.yml
similarity index 100%
rename from board-bbb.yml
rename to kas/board/bbb.yml
diff --git a/board-iwg20m.yml b/kas/board/iwg20m.yml
similarity index 100%
rename from board-iwg20m.yml
rename to kas/board/iwg20m.yml
diff --git a/board-qemu-amd64.yml b/kas/board/qemu-amd64.yml
similarity index 100%
rename from board-qemu-amd64.yml
rename to kas/board/qemu-amd64.yml
diff --git a/board-rzg2m.yml b/kas/board/rzg2m.yml
similarity index 100%
rename from board-rzg2m.yml
rename to kas/board/rzg2m.yml
diff --git a/board-simatic-ipc227e.yml b/kas/board/simatic-ipc227e.yml
similarity index 100%
rename from board-simatic-ipc227e.yml
rename to kas/board/simatic-ipc227e.yml
diff --git a/opt-4.4.yml b/kas/opt/4.4.yml
similarity index 100%
rename from opt-4.4.yml
rename to kas/opt/4.4.yml
diff --git a/opt-rt.yml b/kas/opt/rt.yml
similarity index 100%
rename from opt-rt.yml
rename to kas/opt/rt.yml
diff --git a/opt-stretch.yml b/kas/opt/stretch.yml
similarity index 100%
rename from opt-stretch.yml
rename to kas/opt/stretch.yml
diff --git a/opt-targz-img.yml b/kas/opt/targz-img.yml
similarity index 100%
rename from opt-targz-img.yml
rename to kas/opt/targz-img.yml
Applied to next, also fixing up the remaining README spots.

Thanks,
Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


[isar-cip-core PATCH v2 0/1] Cleanup

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Move kas related files into folder kas for a cleaner repository root.
Update isar to remove patches folder for now

Changes V2:
- move kas-cip back to repository root
- remove applied Update ISAR patch

Quirin Gylstorff (1):
kas: Restructure kas files.

.gitlab-ci.yml | 8 ++++----
README.md | 4 ++--
kas.yml => kas-cip.yml | 0
board-bbb.yml => kas/board/bbb.yml | 0
board-iwg20m.yml => kas/board/iwg20m.yml | 0
board-qemu-amd64.yml => kas/board/qemu-amd64.yml | 0
board-rzg2m.yml => kas/board/rzg2m.yml | 0
.../board/simatic-ipc227e.yml | 0
opt-4.4.yml => kas/opt/4.4.yml | 0
opt-rt.yml => kas/opt/rt.yml | 0
opt-stretch.yml => kas/opt/stretch.yml | 0
opt-targz-img.yml => kas/opt/targz-img.yml | 0
12 files changed, 6 insertions(+), 6 deletions(-)
rename kas.yml => kas-cip.yml (100%)
rename board-bbb.yml => kas/board/bbb.yml (100%)
rename board-iwg20m.yml => kas/board/iwg20m.yml (100%)
rename board-qemu-amd64.yml => kas/board/qemu-amd64.yml (100%)
rename board-rzg2m.yml => kas/board/rzg2m.yml (100%)
rename board-simatic-ipc227e.yml => kas/board/simatic-ipc227e.yml (100%)
rename opt-4.4.yml => kas/opt/4.4.yml (100%)
rename opt-rt.yml => kas/opt/rt.yml (100%)
rename opt-stretch.yml => kas/opt/stretch.yml (100%)
rename opt-targz-img.yml => kas/opt/targz-img.yml (100%)

--
2.20.1


[isar-cip-core PATCH v2 1/1] kas: Restructure kas files.

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Create folder structure
kas -> general configuration
kas/board -> all supported boards
kas/opt -> all kas option files

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.gitlab-ci.yml | 8 ++++----
README.md | 4 ++--
kas.yml => kas-cip.yml | 0
board-bbb.yml => kas/board/bbb.yml | 0
board-iwg20m.yml => kas/board/iwg20m.yml | 0
board-qemu-amd64.yml => kas/board/qemu-amd64.yml | 0
board-rzg2m.yml => kas/board/rzg2m.yml | 0
.../board/simatic-ipc227e.yml | 0
opt-4.4.yml => kas/opt/4.4.yml | 0
opt-rt.yml => kas/opt/rt.yml | 0
opt-stretch.yml => kas/opt/stretch.yml | 0
opt-targz-img.yml => kas/opt/targz-img.yml | 0
12 files changed, 6 insertions(+), 6 deletions(-)
rename kas.yml => kas-cip.yml (100%)
rename board-bbb.yml => kas/board/bbb.yml (100%)
rename board-iwg20m.yml => kas/board/iwg20m.yml (100%)
rename board-qemu-amd64.yml => kas/board/qemu-amd64.yml (100%)
rename board-rzg2m.yml => kas/board/rzg2m.yml (100%)
rename board-simatic-ipc227e.yml => kas/board/simatic-ipc227e.yml (100%)
rename opt-4.4.yml => kas/opt/4.4.yml (100%)
rename opt-rt.yml => kas/opt/rt.yml (100%)
rename opt-stretch.yml => kas/opt/stretch.yml (100%)
rename opt-targz-img.yml => kas/opt/targz-img.yml (100%)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6f1dc91..241b09e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,17 +13,17 @@ all:
- export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY

- - kas build kas.yml:board-simatic-ipc227e.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/simatic-ipc227e.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster simatic-ipc227e

- sudo rm -rf build/tmp
- - kas build kas.yml:board-bbb.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/bbb.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster bbb am335x-boneblack.dtb

- sudo rm -rf build/tmp
- - kas build kas.yml:board-iwg20m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/iwg20m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster iwg20m r8a7743-iwg20d-q7-dbcm-ca.dtb

- sudo rm -rf build/tmp
- - kas build kas.yml:board-rzg2m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/rzg2m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster hihope-rzg2m renesas/r8a774a1-hihope-rzg2m-ex.dtb
diff --git a/README.md b/README.md
index bbad1a0..1a7af21 100644
--- a/README.md
+++ b/README.md
@@ -21,11 +21,11 @@ start containers.
To build, e.g., the QEMU AMD64 target inside Docker, invoke kas-docker like
this:

- ./kas-docker --isar build kas.yml:board-qemu-amd64.yml
+ ./kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml

This image can be run using `start-qemu.sh x86`.

-The BeagleBone Black target is selected by `... kas.yml:board-bbb.yml`. In
+The BeagleBone Black target is selected by `... kas-cip.yml:kas/board/bbb.yml`. In
order to build the image with the PREEMPT-RT kernel, append `:opt-rt.yml` to
the above. Append ':opt-4.4.yml' to use the kernel version 4.4 instead of 4.19.

diff --git a/kas.yml b/kas-cip.yml
similarity index 100%
rename from kas.yml
rename to kas-cip.yml
diff --git a/board-bbb.yml b/kas/board/bbb.yml
similarity index 100%
rename from board-bbb.yml
rename to kas/board/bbb.yml
diff --git a/board-iwg20m.yml b/kas/board/iwg20m.yml
similarity index 100%
rename from board-iwg20m.yml
rename to kas/board/iwg20m.yml
diff --git a/board-qemu-amd64.yml b/kas/board/qemu-amd64.yml
similarity index 100%
rename from board-qemu-amd64.yml
rename to kas/board/qemu-amd64.yml
diff --git a/board-rzg2m.yml b/kas/board/rzg2m.yml
similarity index 100%
rename from board-rzg2m.yml
rename to kas/board/rzg2m.yml
diff --git a/board-simatic-ipc227e.yml b/kas/board/simatic-ipc227e.yml
similarity index 100%
rename from board-simatic-ipc227e.yml
rename to kas/board/simatic-ipc227e.yml
diff --git a/opt-4.4.yml b/kas/opt/4.4.yml
similarity index 100%
rename from opt-4.4.yml
rename to kas/opt/4.4.yml
diff --git a/opt-rt.yml b/kas/opt/rt.yml
similarity index 100%
rename from opt-rt.yml
rename to kas/opt/rt.yml
diff --git a/opt-stretch.yml b/kas/opt/stretch.yml
similarity index 100%
rename from opt-stretch.yml
rename to kas/opt/stretch.yml
diff --git a/opt-targz-img.yml b/kas/opt/targz-img.yml
similarity index 100%
rename from opt-targz-img.yml
rename to kas/opt/targz-img.yml
--
2.20.1


Re: [isar-cip-core RFC 1/4] recipes-bsp: Add efibootguard

Jan Kiszka
 

On 25.06.20 15:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add the bootloader efibootguard for A/B partition update
on x86 with EFI.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../efibootguard/efibootguard_0.6-git+isar.bb | 46 +++++
I just released 0.7. Maybe you could update when preparing v2.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Re: [isar-cip-core RFC 3/4] recipes-core: add swupdate

Jan Kiszka
 

On 25.06.20 15:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add swupdate for A/B software updates. Currently the Round Robin
handler in lua supports efibootguard as bootloader. The u-boot
implementation is outstanding.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/kconfig-snippets.bbclass | 90 ++++
classes/swupdate-config.bbclass | 76 +++
classes/swupdate-img.bbclass | 75 +++
.../swupdate/files/debian/changelog.tmpl | 6 +
recipes-core/swupdate/files/debian/compat | 1 +
.../swupdate/files/debian/control.tmpl | 15 +
recipes-core/swupdate/files/debian/copyright | 36 ++
recipes-core/swupdate/files/debian/rules.tmpl | 30 ++
.../swupdate/files/debian/swupdate.examples | 2 +
.../swupdate/files/debian/swupdate.install | 2 +
.../swupdate/files/debian/swupdate.manpages | 5 +
.../swupdate/files/debian/swupdate.tmpfile | 2 +
recipes-core/swupdate/files/debian/watch | 12 +
recipes-core/swupdate/files/postinst | 2 +
recipes-core/swupdate/files/swupdate.cfg | 6 +
.../swupdate/files/swupdate.service.example | 11 +
.../swupdate/files/swupdate.socket.example | 11 +
.../swupdate/files/swupdate.socket.tmpl | 13 +
.../swupdate/files/swupdate_defconfig | 83 ++++
.../swupdate_defconfig_efibootguard.snippet | 3 +
.../files/swupdate_defconfig_lua.snippet | 2 +
.../swupdate_defconfig_luahandler.snippet | 4 +
.../files/swupdate_defconfig_mtd.snippet | 1 +
.../files/swupdate_defconfig_u-boot.snippet | 3 +
.../files/swupdate_defconfig_ubi.snippet | 6 +
.../swupdate/files/swupdate_handlers.lua | 449 ++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 54 +++
27 files changed, 1000 insertions(+)
create mode 100644 classes/kconfig-snippets.bbclass
create mode 100644 classes/swupdate-config.bbclass
create mode 100644 classes/swupdate-img.bbclass
create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl
create mode 100644 recipes-core/swupdate/files/debian/compat
create mode 100644 recipes-core/swupdate/files/debian/control.tmpl
create mode 100644 recipes-core/swupdate/files/debian/copyright
create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl
create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples
create mode 100644 recipes-core/swupdate/files/debian/swupdate.install
create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages
create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile
create mode 100644 recipes-core/swupdate/files/debian/watch
create mode 100644 recipes-core/swupdate/files/postinst
create mode 100644 recipes-core/swupdate/files/swupdate.cfg
create mode 100644 recipes-core/swupdate/files/swupdate.service.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua
create mode 100644 recipes-core/swupdate/swupdate.bb
diff --git a/classes/kconfig-snippets.bbclass b/classes/kconfig-snippets.bbclass
new file mode 100644
index 0000000..d754654
--- /dev/null
+++ b/classes/kconfig-snippets.bbclass
@@ -0,0 +1,90 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+KCONFIG_SNIPPETS = ""
+
+# The following function defines the kconfig snippet system
+# with automatich debian dependency injection
+#
+# To define a feature set, the user has to define the following
+# variable to an empty string:
+#
+# KFEATURE_featurename = ""
+#
+# Then, required additions to the variables can be defined:
+#
+# KFEATURE_featurename[KCONFIG_SNIPPETS] = "file://snippet-file-name.snippet"
+# KFEATURE_featurename[SRC_URI] = "file://required-file.txt"
+# KFEATURE_featurename[DEPENDS] = "deb-pkg1 deb-pkg2 deb-pkg3"
+# KFEATURE_featurename[DEBIAN_DEPENDS] = "deb-pkg1"
+# KFEATURE_featurename[BUILD_DEB_DEPENDS] = "deb-pkg1,deb-pkg2,deb-pkg3"
+
+# The 'KCONFIG_SNIPPETS' flag gives a list of URI entries, where only
+# file:// is supported. These snippets are appended to the DEFCONFIG file.
+#
+# Features can depend on other features via the following mechanism:
+#
+# KFEATURE_DEPS[feature1] = "feature2"
+
+python () {
+ requested_features = d.getVar("KFEATURES", True) or ""
+
+ features = set(requested_features.split())
+ old_features = set()
+ feature_deps = d.getVarFlags("KFEATURE_DEPS") or {}
+ while old_features != features:
+ diff_features = old_features.symmetric_difference(features)
+ old_features = features.copy()
+ for i in diff_features:
+ features.update(feature_deps.get(i, "").split())
+
+ for f in sorted(features):
+ bb.debug(2, "Feature: " + f)
+ varname = "KFEATURE_" + f
+ dummyvar = d.getVar(varname, False)
+ if dummyvar == None:
+ bb.error("Feature var " + f + " must be defined with needed flags.")
+ else:
+ feature_flags = d.getVarFlags(varname)
+ for feature_varname in sorted(feature_flags):
+ if feature_flags.get(feature_varname, "") != "":
+ sep = " "
+
+ # Required to add KCONFIG_SNIPPETS to SRC_URI here,
+ # because 'SRC_URI += "${KCONFIG_SNIPPETS}"' would
+ # conflict with SRC_APT feature.
+ if feature_varname == "KCONFIG_SNIPPETS":
+ d.appendVar('SRC_URI',
+ " " + feature_flags[feature_varname].strip())
+
+ # BUILD_DEP_DEPENDS and DEBIAN_DEPENDS is ',' separated
+ # Only add ',' if there is already something there
+ if feature_varname in ["BUILD_DEB_DEPENDS",
+ "DEBIAN_DEPENDS"]:
+ sep = "," if d.getVar(feature_varname) else ""
+
+ d.appendVar(feature_varname,
+ sep + feature_flags[feature_varname].strip())
+}
+
+# DEFCONFIG must be a predefined bitbake variable and the corresponding file
+# must exist in the WORKDIR.
+# The resulting generated config is the same file suffixed with ".gen"
+
+do_prepare_build_prepend() {
+ sh -x
+ GENCONFIG="${WORKDIR}/${DEFCONFIG}".gen
+ rm -f "$GENCONFIG"
+ cp "${WORKDIR}/${DEFCONFIG}" "$GENCONFIG"
+ for CONFIG_SNIPPET in $(echo "${KCONFIG_SNIPPETS}" | sed 's#file://##g')
+ do
+ cat ${WORKDIR}/$CONFIG_SNIPPET >> "$GENCONFIG"
+ done
+}
diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
new file mode 100644
index 0000000..7ce51c5
--- /dev/null
+++ b/classes/swupdate-config.bbclass
@@ -0,0 +1,76 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+# This class manages the config snippets together with their dependencies
+# to build SWUpdate
+
+inherit kconfig-snippets
+
+BUILD_DEB_DEPENDS = " \
+ zlib1g-dev, debhelper, libconfig-dev, libarchive-dev, \
+ python-sphinx:native, dh-systemd, libsystemd-dev"
+
+KFEATURE_lua = ""
+KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
+KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"
+
+KFEATURE_luahandler = ""
+KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
+KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+
+KFEATURE_DEPS = ""
+KFEATURE_DEPS[luahandler] = "lua"
+
+KFEATURE_efibootguard = ""
+KFEATURE_efibootguard[BUILD_DEB_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEBIAN_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_efibootguard.snippet"
+
+KFEATURE_mtd = ""
+KFEATURE_mtd[BUILD_DEB_DEPENDS] = "libmtd-dev"
+KFEATURE_mtd[DEPENDS] = "mtd-utils"
+KFEATURE_mtd[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_mtd.snippet"
+
+KFEATURE_ubi = ""
+KFEATURE_ubi[BUILD_DEB_DEPENDS] = "libubi-dev"
+KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"
+
+KFEATURE_DEPS[ubi] = "mtd"
+
+KFEATURE_u-boot = ""
+KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "u-boot-${MACHINE}-dev"
+KFEATURE_u-boot[DEBIAN_DEPENDS] = "u-boot-tools"
+KFEATURE_u-boot[DEPENDS] = "${U_BOOT}"
+KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"
+
+SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
+
+def get_bootloader_featureset(d):
+ bootloader = d.getVar("BOOTLOADER", True) or ""
+ if bootloader == "efibootguard":
+ return "efibootguard"
+ if bootloader == "u-boot":
+ return "u-boot"
+ return ""
+
+SWUPDATE_KFEATURES ??= ""
+KFEATURES = "${SWUPDATE_KFEATURES}"
+KFEATURES += "${@get_bootloader_featureset(d)}"
+
+# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# one time before it gets set. So the following must be a task.
+python do_check_bootloader () {
+ bootloader = d.getVar("BOOTLOADER", True) or "None"
+ if not bootloader in ["efibootguard", "u-boot"]:
+ bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+}
+addtask check_bootloader before do_fetch
+
diff --git a/classes/swupdate-img.bbclass b/classes/swupdate-img.bbclass
new file mode 100644
index 0000000..a21d6ec
--- /dev/null
+++ b/classes/swupdate-img.bbclass
@@ -0,0 +1,75 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Christian Storm <christian.storm@siemens.com>
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+SWU_IMAGE_FILE ?= "${PN}-${DISTRO}-${MACHINE}.swu"
+SWU_DESCRIPTION_FILE ?= "sw-description"
+SWU_ADDITIONAL_FILES ?= ""
+SWU_SIGNED ?= ""
+SWU_SIGNATURE_EXT ?= "sig"
+SWU_SIGNATURE_TYPE ?= "rsa"
+
+IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+
+do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
+do_swupdate_image[cleandirs] += "${WORKDIR}/swu"
+do_swupdate_image() {
+ rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+ cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+
+ # Create symlinks for files used in the update image
+ for file in ${SWU_ADDITIONAL_FILES}; do
+ if [ -e "${WORKDIR}/$file" ]; then
+ ln -s "${WORKDIR}/$file" "${WORKDIR}/swu/$file"
+ else
+ ln -s "${DEPLOY_DIR_IMAGE}/$file" "${WORKDIR}/swu/$file"
+ fi
+ done
+
+ # Prepare for signing
+ sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}'
+ if [ -n "$sign" ]; then
+ image_do_mounts
+ cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key'
+ test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt'
+
+ # Fill in file check sums
+ for file in ${SWU_ADDITIONAL_FILES}; do
+ sed -i "s:$file-sha256:$(sha256sum '${WORKDIR}/swu/'$file | cut -f 1 -d ' '):g" \
+ '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+ done
+ fi
+
+ cd "${WORKDIR}/swu"
+ for file in '${SWU_DESCRIPTION_FILE}' ${SWU_ADDITIONAL_FILES}; do
+ echo "$file"
+ if [ -n "$sign" -a \
+ '${SWU_DESCRIPTION_FILE}' = "$file" ]; then
+ if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then
+ sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl dgst \
+ -sha256 -sign '${PP_WORK}/dev.key' \
+ '${PP_WORK}/swu/'"$file" \
+ > '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}'
+ elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then
+ sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl cms \
+ -sign -in '${PP_WORK}/swu/'"$file" \
+ -out '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}' \
+ -signer '${PP_WORK}/dev.crt' \
+ -inkey '${PP_WORK}/dev.key' \
+ -outform DER -nosmimecap -binary
+ fi
+ echo "$file".'${SWU_SIGNATURE_EXT}'
+ fi
+ done | cpio -ovL -H crc \
+ > '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+ cd -
+}
+
+addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template
diff --git a/recipes-core/swupdate/files/debian/changelog.tmpl b/recipes-core/swupdate/files/debian/changelog.tmpl
new file mode 100644
index 0000000..81087d3
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/changelog.tmpl
@@ -0,0 +1,6 @@
+swupdate (${PV}) unstable; urgency=medium
+
+ * SWUpdate
+
+ -- Christian Storm <christian.storm@siemens.com> Thu, 31 Jan 2019 15:23:56 +0100
+
diff --git a/recipes-core/swupdate/files/debian/compat b/recipes-core/swupdate/files/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/recipes-core/swupdate/files/debian/control.tmpl b/recipes-core/swupdate/files/debian/control.tmpl
new file mode 100644
index 0000000..2b92850
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/control.tmpl
@@ -0,0 +1,15 @@
+Source: swupdate
+Section: embedded
+Priority: optional
+Maintainer: Stefano Babic <sbabic@denx.de>
+Build-Depends: ${BUILD_DEB_DEPENDS}
+Standards-Version: 4.2.1
+Homepage: http://sbabic.github.io/swupdate
+
+Package: swupdate
+Architecture: any
+Depends: ${DEBIAN_DEPENDS}
+Description: reliable way to update an embedded system
+ This project is thought to help to update an embedded system from a storage media or from network.
+ However, it should be mainly considered as a framework, where further protocols or installers
+ (in SWUpdate they are called handlers) can be easily added to the application.
diff --git a/recipes-core/swupdate/files/debian/copyright b/recipes-core/swupdate/files/debian/copyright
new file mode 100644
index 0000000..f920942
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/copyright
@@ -0,0 +1,36 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: swupdate
+Maintainer: Stefano Babic <sbabic@denx.de>
+Source: http://github.com/sbabic/swupdate
+
+Files: *
+Copyright: 2014-2017 Stefano Babic <sbabic@denx.de>
+
+License: GPL-2 with OpenSSL exception
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ In addition, as a special exception, the author of this
+ program gives permission to link the code of its
+ release with the OpenSSL project's "OpenSSL" library (or
+ with modified versions of it that use the same license as
+ the "OpenSSL" library), and distribute the linked
+ executables. You must obey the GNU General Public
+ License in all respects for all of the code used other
+ than "OpenSSL". If you modify this file, you may extend
+ this exception to your version of the file, but you are
+ not obligated to do so. If you do not wish to do so,
+ delete this exception statement from your version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/recipes-core/swupdate/files/debian/rules.tmpl b/recipes-core/swupdate/files/debian/rules.tmpl
new file mode 100755
index 0000000..54cca57
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/rules.tmpl
@@ -0,0 +1,30 @@
+#!/usr/bin/make -f
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+export CC=$(DEB_HOST_GNU_TYPE)-gcc
+export LD=$(DEB_HOST_GNU_TYPE)-gcc
+endif
+
+export DH_VERBOSE = 1
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
+
+documentation: configure
+ make man
+
+configure:
+ make ${DEFCONFIG}
+
+build: documentation configure
+ dh $@
+
+%:
+ echo $@
+ dh $@
+
+override_dh_installchangelogs:
+ true
+
+override_dh_installdocs:
+ true
diff --git a/recipes-core/swupdate/files/debian/swupdate.examples b/recipes-core/swupdate/files/debian/swupdate.examples
new file mode 100644
index 0000000..c257b75
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.examples
@@ -0,0 +1,2 @@
+examples/configuration
+examples/description
diff --git a/recipes-core/swupdate/files/debian/swupdate.install b/recipes-core/swupdate/files/debian/swupdate.install
new file mode 100644
index 0000000..8957cc6
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.install
@@ -0,0 +1,2 @@
+swupdate usr/bin
+swupdate.cfg /etc
diff --git a/recipes-core/swupdate/files/debian/swupdate.manpages b/recipes-core/swupdate/files/debian/swupdate.manpages
new file mode 100644
index 0000000..c3438e0
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.manpages
@@ -0,0 +1,5 @@
+doc/build/man/swupdate.1
+doc/build/man/client.1
+doc/build/man/sendtohawkbit.1
+doc/build/man/hawkbitcfg.1
+doc/build/man/progress.1
diff --git a/recipes-core/swupdate/files/debian/swupdate.tmpfile b/recipes-core/swupdate/files/debian/swupdate.tmpfile
new file mode 100644
index 0000000..4743672
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.tmpfile
@@ -0,0 +1,2 @@
+X /tmp/datadst
+X /tmp/scripts
diff --git a/recipes-core/swupdate/files/debian/watch b/recipes-core/swupdate/files/debian/watch
new file mode 100644
index 0000000..bc4c53e
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/watch
@@ -0,0 +1,12 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 4 file
+version=4
+
+# GitHub hosted projects
+opts="filenamemangle="s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%<project>-$1.tar.gz%" \
+ https://github.com/<user>/swupdate/tags \
+ (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
diff --git a/recipes-core/swupdate/files/postinst b/recipes-core/swupdate/files/postinst
new file mode 100644
index 0000000..f15ac10
--- /dev/null
+++ b/recipes-core/swupdate/files/postinst
@@ -0,0 +1,2 @@
+#!/bin/sh
+deb-systemd-helper enable swupdate.socket || true
diff --git a/recipes-core/swupdate/files/swupdate.cfg b/recipes-core/swupdate/files/swupdate.cfg
new file mode 100644
index 0000000..e0222f1
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.cfg
@@ -0,0 +1,6 @@
+globals :
+{
+ verbose = true;
+ loglevel = 10;
+ syslog = false;
+};
diff --git a/recipes-core/swupdate/files/swupdate.service.example b/recipes-core/swupdate/files/swupdate.service.example
new file mode 100644
index 0000000..d0b821e
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.service.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate daemon
+Documentation=https://github.com/sbabic/swupdate
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/swupdate -f /etc/swupdate.cfg
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.example b/recipes-core/swupdate/files/swupdate.socket.example
new file mode 100644
index 0000000..2b75671
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.tmpl b/recipes-core/swupdate/files/swupdate.socket.tmpl
new file mode 100644
index 0000000..8e7fc1d
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.tmpl
@@ -0,0 +1,13 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+SocketUser=${SWUPDATE_SOCKET_OWNER}
+SocketGroup=root
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate_defconfig b/recipes-core/swupdate/files/swupdate_defconfig
new file mode 100644
index 0000000..9ae7cb5
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig
@@ -0,0 +1,83 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Swupdate Configuration
+#
+CONFIG_HAVE_DOT_CONFIG=y
+
+#
+# Swupdate Settings
+#
+
+#
+# General Configuration
+#
+# CONFIG_CURL is not set
+# CONFIG_CURL_SSL is not set
+CONFIG_SYSTEMD=y
+CONFIG_SCRIPTS=y
+# CONFIG_HW_COMPATIBILITY is not set
+CONFIG_SW_VERSIONS_FILE="/etc/sw-versions"
+
+#
+# Socket Paths
+#
+CONFIG_SOCKET_CTRL_PATH="/tmp/sockinstctrl"
+CONFIG_SOCKET_PROGRESS_PATH="/tmp/swupdateprog"
+CONFIG_SOCKET_REMOTE_HANDLER_DIRECTORY="/tmp/"
+# CONFIG_MTD is not set
+# CONFIG_LUA is not set
+# CONFIG_LUAPKG is not set
+# CONFIG_FEATURE_SYSLOG is not set
+
+#
+# Build Options
+#
+CONFIG_CROSS_COMPILE=""
+CONFIG_SYSROOT=""
+CONFIG_EXTRA_CFLAGS=""
+CONFIG_EXTRA_LDFLAGS=""
+CONFIG_EXTRA_LDLIBS=""
+
+#
+# Debugging Options
+#
+# CONFIG_DEBUG is not set
+# CONFIG_WERROR is not set
+# CONFIG_NOCLEANUP is not set
+# CONFIG_BOOTLOADER_EBG is not set
+# CONFIG_UBOOT is not set
+# CONFIG_BOOTLOADER_NONE is not set
+# CONFIG_BOOTLOADER_GRUB is not set
+# CONFIG_DOWNLOAD is not set
+# CONFIG_DOWNLOAD_SSL is not set
+# CONFIG_CHANNEL_CURL is not set
+# CONFIG_HASH_VERIFY=y
+# CONFIG_SIGNED_IMAGES is not set
+# CONFIG_ENCRYPTED_IMAGES is not set
+# CONFIG_SURICATTA is not set
+# CONFIG_WEBSERVER is not set
+CONFIG_GUNZIP=y
+
+#
+# Parser Features
+#
+CONFIG_LIBCONFIG=y
+CONFIG_PARSERROOT=""
+# CONFIG_JSON is not set
+# CONFIG_LUAEXTERNAL is not set
+# CONFIG_SETEXTPARSERNAME is not set
+# CONFIG_SETSWDESCRIPTION is not set
+
+#
+# Image Handlers
+#
+CONFIG_RAW=y
+# CONFIG_LUASCRIPTHANDLER is not set
+# CONFIG_SHELLSCRIPTHANDLER is not set
+# CONFIG_HANDLER_IN_LUA is not set
+# CONFIG_EMBEDDED_LUA_HANDLER is not set
+# CONFIG_EMBEDDED_LUA_HANDLER_SOURCE is not set
+CONFIG_ARCHIVE=y
+# CONFIG_REMOTE_HANDLER is not set
+# CONFIG_SWUFORWARDER_HANDLER is not set
+# CONFIG_BOOTLOADERHANDLER is not set
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
new file mode 100644
index 0000000..8e3688c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
@@ -0,0 +1,3 @@
+CONFIG_BOOTLOADER_NONE=n
+CONFIG_BOOTLOADER_EBG=y
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
new file mode 100644
index 0000000..b39f9df
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
@@ -0,0 +1,2 @@
+CONFIG_LUA=y
+CONFIG_LUAPKG="lua53"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
new file mode 100644
index 0000000..b4a2de8
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
@@ -0,0 +1,4 @@
+CONFIG_LUASCRIPTHANDLER=y
+CONFIG_HANDLER_IN_LUA=y
+CONFIG_EMBEDDED_LUA_HANDLER=y
+CONFIG_EMBEDDED_LUA_HANDLER_SOURCE="swupdate_handlers.lua"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
new file mode 100644
index 0000000..eab98dd
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
@@ -0,0 +1 @@
+CONFIG_MTD=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
new file mode 100644
index 0000000..6b5832a
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
@@ -0,0 +1,3 @@
+CONFIG_UBOOT=y
+CONFIG_UBOOT_FWENV="/etc/fw_env.config"
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
new file mode 100644
index 0000000..d1c7732
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
@@ -0,0 +1,6 @@
+CONFIG_UBIVOL=y
+CONFIG_UBIATTACH=y
+CONFIG_UBIBLACKLIST=""
+CONFIG_UBIWHITELIST=""
+CONFIG_UBIVIDOFFSET=0
+CONFIG_CFI=y
diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
new file mode 100644
index 0000000..c9b9962
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -0,0 +1,449 @@
+--[[
+
+ Round-robin Image and File Handler.
+
+ Copyright (C) 2019, Siemens AG
+
+ Author: Christian Storm <christian.storm@siemens.com>
+
+ SPDX-License-Identifier: GPL-2.0-or-later
+
+ An `sw-description` file using these handlers may look like:
+ software =
+ {
+ version = "0.1.0";
+ images: ({
+ filename = "rootfs.ext4";
+ device = "sda4,sda5";
+ type = "roundrobin";
+ compressed = false;
+ });
+ files: ({
+ filename = "vmlinuz";
+ path = "vmlinuz";
+ type = "kernelfile";
+ device = "sda2,sda3";
+ filesystem = "vfat";
+ },
+ {
+ filename = "initrd.img";
+ path = "initrd.img";
+ type = "kernelfile";
+ device = "sda2,sda3";
+ filesystem = "vfat";
+ });
+ }
+
+ The semantics is as follows: Instead of having a fixed target device,
+ the 'roundrobin' image handler calculates the target device by parsing
+ /proc/cmdline, matching the root=<device> kernel parameter against its
+ 'device' attribute's list of devices, and sets the actual target
+ device to the next 'device' attribute list entry in a round-robin
+ manner. The actual flashing is done via chain-calling another handler,
+ defaulting to the "raw" handler.
+
+ The 'kernelfile' file handler reuses the 'roundrobin' handler's target
+ device calculation by reading the actual target device from the same
+ index into its 'device' attribute's list of devices. The actual placing
+ of files into this partition is done via chain-calling another handler,
+ defaulting to the "rawfile" handler.
+
+ In the above example, if /dev/sda4 is currently booted according to
+ /proc/cmdline, /dev/sda5 will be flashed and the vmlinuz and initrd.img
+ files will be placed on /dev/sda3. If /dev/sda5 is booted, /dev/sda4
+ will be flashed and the vmlinuz and initrd.img files are placed on
+ /dev/sda2.
+ In addition to "classical" device nodes as in this example, partition
+ UUIDs as reported, e.g., by `blkid -s PARTUUID` are also supported.
+ UBI volumes are supported as well by specifying a CSV list of
+ ubi<number>:<label> items.
+
+ Configuration is done via an INI-style configuration file located at
+ /etc/swupdate.handler.ini or via compiled-in configuration (by
+ embedding the Lua handler script into the SWUpdate binary via using
+ CONFIG_EMBEDDED_LUA_HANDLER), the latter having precedence over the
+ former. See the example configuration below.
+ If uncommenting this example block, it will take precedence over any
+ /etc/swupdate.handler.ini configuration file.
+
+ The chain-called handlers can either be specified in the configuration,
+ i.e., a static run-time setting, or via the 'chainhandler' property of
+ an 'image' or 'file' section in the sw-description, with the latter
+ taking precedence over the former, e.g.,
+ ...
+ images: ({
+ filename = "rootfs.ext4";
+ device = "sda4,sda5";
+ type = "roundrobin";
+ properties: {
+ chainhandler = "myraw";
+ };
+ });
+ ...
+ Such a sw-description fragment will chain-call the imaginary "myraw"
+ handler regardless of what's been configured in the compiled-in or the
+ configuration file.
+ When chain-calling the "rdiff_image" handler, its 'rdiffbase' property
+ is subject to round-robin as well, i.e., the 'rdiffbase' property is
+ expected to be a CSV list as for the 'device' property, and the actual
+ 'rdiffbase' property value is calculated following the same round-robin
+ calculation mechanism stated above prior to chain-calling the actual
+ "rdiff_image" handler, e.g.,
+ images: ({
+ filename = "rootfs.ext4";
+ type = "roundrobin";
+ device = "sda4,sda5";
+ properties: {
+ chainhandler = "rdiff_image";
+ rdiffbase="sda1,sda2";
+ };
+ });
+ will set the 'rdiffbase' property to /dev/sda2 (/dev/sda1) if /dev/sda4
+ (/dev/sda5) is the currently booted root file system according to
+ /proc/cmdline parsing.
+
+]]
+
+
+local configuration = [[
+[bootloader]
+# Required: bootloader name, uboot and ebg currently supported.
+name=ebg
+# Required: bootloader-specific key-value pairs, e.g., for ebg:
+kernelname=linux.signed.efi
+# For relying on FAT labels, prefix bootlabels with 'L:', e.g., L:BOOT0.
+# For using custom labels, i.e., relying on the contents of an EFILABEL
+# file within the partition, prefix it with 'C:', e.g., C:BOOT0.
+bootlabel={ "C:BOOT0:", "C:BOOT1:" }
+
+# Optional: handler to chain-call for the 'roundrobin' handler,
+# defaulting to 'raw'
+[roundrobin]
+chainhandler=raw
+
+# Optional: handler to chain-call for the 'kernelfile' handler,
+# defaulting to 'rawfile'
+[kernelfile]
+chainhandler=rawfile
+]]
+
+-- Default configuration file, tried if no compiled-in config is available.
+local cfgfile = "/etc/swupdate.handler.ini"
+
+-- Table holding the configuration.
+local config = {}
+
+-- Mandatory configuration [section] and keys
+local BOOTLOADERCFG = {
+ ebg = {
+ bootloader = {"name", "bootlabel", "kernelname"}
+ },
+ -- TODO fill with mandatory U-Boot configuration
+ uboot = {
+ bootloader = {"name"}
+ }
+}
+
+-- enum-alikes to make code more readable
+local BOOTLOADER = { EBG = "ebg", UBOOT = "uboot" }
+local PARTTYPE = { UUID = 1, PLAIN = 2, UBI = 3 }
+
+-- Target table describing the target device the image is to be/has been flashed to.
+local rrtarget = {
+ size = function(self)
+ local _size = 0
+ for index in pairs(self) do _size = _size + 1 end
+ return _size - 1
+ end
+}
+
+-- Helper function parsing CSV fields of a struct img_type such as
+-- the "device" fields or the "rdiffbase" property.
+local get_device_list = function(device_node_csv_list)
+ local device_list = {}
+ for item in device_node_csv_list:gmatch("([^,]+)") do
+ local device_node = item:gsub("/dev/", "")
+ device_list[#device_list+1] = device_node
+ device_list[device_node] = #device_list
+ end
+ return device_list
+end
+
+-- Helper function to determine device node location.
+local get_device_path = function(device_node)
+ if device_node:match("ubi%d+:%S+") then
+ return 0, device_node, PARTTYPE.UBI
+ end
+ local device_path = string.format("/dev/disk/by-partuuid/%s", device_node)
+ local file = io.open(device_path, "rb" )
+ if file then
+ file:close()
+ return 0, device_path, PARTTYPE.UUID
+ end
+ device_path = string.format("/dev/%s", device_node)
+ file = io.open(device_path, "rb" )
+ if file then
+ file:close()
+ return 0, device_path, PARTTYPE.PLAIN
+ end
+ swupdate.error(string.format("Cannot access target device node /dev/{,disk/by-partuuid}/%s", device_node))
+ return 1, nil, nil
+end
+
+-- Helper function parsing the INI-style configuration.
+local get_config = function()
+ -- Return configuration right away if it's already parsed.
+ if config ~= nil and #config > 0 then
+ return config
+ end
+
+ -- Get configuration INI-style string.
+ if not configuration then
+ swupdate.trace(string.format("No compiled-in config found, trying %s", cfgfile))
+ local file = io.open(cfgfile, "r" )
+ if not file then
+ swupdate.error(string.format("Cannot open config file %s", cfgfile))
+ return nil
+ end
+ configuration = file:read("*a")
+ file:close()
+ end
+ if configuration:sub(-1) ~= "\n" then
+ configuration=configuration.."\n"
+ end
+
+ -- Parse INI-style contents into config table.
+ local sec, key, value
+ for line in configuration:gmatch("(.-)\n") do
+ if line:match("^%[([%w%p]+)%][%s]*") then
+ sec = line:match("^%[([%w%p]+)%][%s]*")
+ config[sec] = {}
+ elseif sec then
+ key, value = line:match("^([%w%p]-)=(.*)$")
+ if key and value then
+ if tonumber(value) then value = tonumber(value) end
+ if value == "true" then value = true end
+ if value == "false" then value = false end
+ if value:sub(1,1) == "{" then
+ local _value = {}
+ for _key, _ in value:gmatch("\"(%S+)\"") do
+ table.insert(_value, _key)
+ end
+ value = _value
+ end
+ config[sec][key] = value
+ else
+ if not line:match("^$") and not line:match("^#") then
+ swupdate.warn(string.format("Syntax error, skipping '%s'", line))
+ end
+ end
+ else
+ swupdate.error(string.format("Syntax error. no [section] encountered."))
+ return nil
+ end
+ end
+
+ -- Check config table for mandatory key existence.
+ if config["bootloader"] == nil or config["bootloader"]["name"] == nil then
+ swupdate.error(string.format("Syntax error. no [bootloader] encountered or name= missing therein."))
+ return nil
+ end
+ local bcfg = BOOTLOADERCFG[config.bootloader.name]
+ if not bcfg then
+ swupdate.error(string.format("Bootloader unsupported, name=uboot|ebg missing in [bootloader]?."))
+ return nil
+ end
+ for sec, _ in pairs(bcfg) do
+ for _, key in pairs(bcfg[sec]) do
+ if config[sec] == nil or config[sec][key] == nil then
+ swupdate.error(string.format("Mandatory config key %s= in [%s] not found.", key, sec))
+ end
+ end
+ end
+
+ return config
+end
+
+-- Round-robin image handler for updating the root partition.
+function handler_roundrobin(image)
+ -- Read configuration.
+ if not get_config() then
+ swupdate.error("Cannot read configuration.")
+ return 1
+ end
+
+ -- Check if we can chain-call the handler.
+ local chained_handler = "raw"
+ if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+ chained_handler = image.properties["chainhandler"]
+ elseif config["roundrobin"] ~= nil and config["roundrobin"]["chainhandler"] ~= nil then
+ chained_handler = config["roundrobin"]["chainhandler"]
+ end
+ if not swupdate.handler[chained_handler] then
+ swupdate.error(string.format("'%s' handler not available in SWUpdate distribution.", chained_handler))
+ return 1
+ end
+
+ -- Get device list for round-robin.
+ local devices = get_device_list(image.device)
+ if #devices < 2 then
+ swupdate.error("Specify at least 2 devices in the device= property for 'roundrobin'.")
+ return 1
+ end
+
+ -- Check that rrtarget is unset, else a reboot may be pending.
+ if rrtarget:size() > 0 then
+ swupdate.warn("The 'roundrobin' handler has been run. Is a reboot pending?")
+ end
+
+ -- Determine current root device.
+ local file = io.open("/proc/cmdline", "r")
+ if not file then
+ swupdate.error("Cannot open /proc/cmdline.")
+ return 1
+ end
+ local cmdline = file:read("*l")
+ file:close()
+
+ local rootparam, rootdevice
+ for item in cmdline:gmatch("%S+") do
+ rootparam, rootdevice = item:match("(root=[%u=]*[/dev/]*(%S+))")
+ if rootparam and rootdevice then break end
+ end
+ if not rootdevice then
+ swupdate.error("Cannot determine current root device.")
+ return 1
+ end
+ swupdate.info(string.format("Current root device is: %s", rootdevice))
+
+ if not devices[rootdevice] then
+ swupdate.error(string.format("Current root device '%s' is not in round-robin root devices list: %s", rootdevice, image.device:gsub("/dev/", "")))
+ return 1
+ end
+
+ -- Perform round-robin calculation for target.
+ local err
+ rrtarget.index = devices[rootdevice] % #devices + 1
+ rrtarget.device_node = devices[rrtarget.index]
+ err, rrtarget.device_path, rrtarget.parttype = get_device_path(devices[rrtarget.index])
+ if err ~= 0 then
+ return 1
+ end
+ swupdate.info(string.format("Using '%s' as 'roundrobin' target via '%s' handler.", rrtarget.device_path, chained_handler))
+
+ -- If the chain-called handler is rdiff_image, adapt the rdiffbase property
+ if chained_handler == "rdiff_image" then
+ if image.properties ~= nil and image.properties["rdiffbase"] ~= nil then
+ local rdiffbase_devices = get_device_list(image.properties["rdiffbase"])
+ if #rdiffbase_devices < 2 then
+ swupdate.error("Specify at least 2 devices in the rdiffbase= property for 'roundrobin'.")
+ return 1
+ end
+ err, image.propierties["rdiffbase"], _ = get_device_path(rdiffbase_devices[rrtarget.index])
+ if err ~= 0 then
+ return 1
+ end
+ swupdate.info(string.format("Using device %s as rdiffbase.", image.properties["rdiffbase"]))
+ else
+ swupdate.error("Property 'rdiffbase' is missing in sw-description.")
+ return 1
+ end
+ end
+
+ -- Actually flash the partition.
+ local msg
+ image.type = chained_handler
+ image.device = rrtarget.device_path
+ err, msg = swupdate.call_handler(chained_handler, image)
+ if err ~= 0 then
+ swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+ return 1
+ end
+
+ if config.bootloader.name == BOOTLOADER.EBG then
+ if rootparam then
+ local value = cmdline:gsub(
+ rootparam:gsub("%-", "%%-"),
+ string.format("root=%s%s",
+ (rrtarget.parttype == PARTTYPE.PLAIN and "") or (rrtarget.parttype == PARTTYPE.UBI and "") or "PARTUUID=",
+ rrtarget.parttype == PARTTYPE.PLAIN and rrtarget.device_path or devices[rrtarget.index]
+ )
+ )
+ swupdate.info(string.format("Setting EFI Bootguard environment: kernelparams=%s", value))
+ swupdate.set_bootenv("kernelparams", value)
+ end
+ elseif config.bootloader.name == BOOTLOADER.UBOOT then
+ -- Update U-Boot environment.
+ swupdate.info(string.format("Setting U-Boot environment"))
+ local value = rrtarget.index
+ swupdate.set_bootenv("swupdpart", value);
+ end
+
+ return 0
+end
+
+-- File handler for updating kernel files.
+function handler_kernelfile(image)
+ -- Check if we can chain-call the handler.
+ local chained_handler = "rawfile"
+ if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+ chained_handler = image.properties["chainhandler"]
+ elseif config["kernelfile"] ~= nil and config["kernelfile"]["chainhandler"] ~= nil then
+ chained_handler = config["kernelfile"]["chainhandler"]
+ end
+ if not swupdate.handler[chained_handler] then
+ swupdate.error(string.format("'%s' handler not available in SWUpdate distribution."), chained_handler)
+ return 1
+ end
+
+ -- Check that rrtarget is set, else the 'roundrobin' handler hasn't been run.
+ if rrtarget:size() == 0 then
+ swupdate.error("The 'roundrobin' handler hasn't been run.")
+ swupdate.info("Place 'roundrobin' above 'kernelfile' in sw-description.")
+ return 1
+ end
+
+ -- Get device list for round-robin.
+ local devices = get_device_list(image.device)
+ if #devices < 2 then
+ swupdate.error("Specify at least 2 devices in the device= property for 'kernelfile'.")
+ return 1
+ end
+ if rrtarget.index > #devices then
+ swupdate.error("Cannot map kernel partition to root partition.")
+ return 1
+ end
+
+ -- Perform round-robin indexing for target.
+ local err
+ err, image.device, _ = get_device_path(devices[rrtarget.index])
+ if err ~= 0 then
+ return 1
+ end
+ swupdate.info(string.format("Using '%s' as 'kernelfile' target via '%s' handler.", image.device, chained_handler))
+
+ -- Actually copy the 'kernelfile' files.
+ local msg
+ image.type = chained_handler
+ err, msg = swupdate.call_handler(chained_handler, image)
+ if err ~= 0 then
+ swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+ return 1
+ end
+
+ if config.bootloader.name == BOOTLOADER.EBG then
+ -- Update EFI Boot Guard environment: kernelfile
+ local value = string.format("%s%s", config.bootloader.bootlabel[rrtarget.index], config.bootloader.kernelname)
+ swupdate.info(string.format("Setting EFI Bootguard environment: kernelfile=%s", value))
+ swupdate.set_bootenv("kernelfile", value)
+ elseif config.bootloader.name == BOOTLOADER.UBOOT then
+ -- Update U-Boot environment.
+ swupdate.info(string.format("Setting U-Boot environment"))
+ -- TODO
+ end
+
+ return 0
+end
+
+swupdate.register_handler("roundrobin", handler_roundrobin, swupdate.HANDLER_MASK.IMAGE_HANDLER)
+swupdate.register_handler("kernelfile", handler_kernelfile, swupdate.HANDLER_MASK.FILE_HANDLER)
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
new file mode 100644
index 0000000..9c58f7d
--- /dev/null
+++ b/recipes-core/swupdate/swupdate.bb
@@ -0,0 +1,54 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+hDESCRIPTION = "swupdate utility for software updates"
+HOMEPAGE= "https://github.com/sbabic/swupdate"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+SRC_URI = "gitsm://code.siemens.com/mirror/swupdate.git;branch=master;protocol=https"
Internal mirror. You need to go back to upstream.

And do we actually need gitsm? It is not a mature feature of bitbake, thus generally discouraged.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Re: [isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security

Jan Kiszka
 

On 26.06.20 08:44, venkata wrote:
From: Kazuhiro Hayashi kazuhiro3.hayashi@toshiba.co.jp<mailto:kazuhiro3.hayashi@toshiba.co.jp>
This line seems to have been mangled. It should be in line with the Signed-off-by.

opt-security.yml: Sample settings to install security
packages
Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
---
SECURITY.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
opt-security.yml | 34 +++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
create mode 100644 SECURITY.md
create mode 100644 opt-security.yml
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..a8bccc7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,52 @@
+How to customize images for security features
+=============================================
+
+This is the "temporal" document about how to create and use
+the CIP Core generic profile images for security feature evaluation.
+
+Official manuals
+----------------
+
+* isar-cip-core: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md
+* ISAR User Manual: https://github.com/ilbers/isar/blob/master/doc/user_manual.md
+
+Assumed environment
+-------------------
+
+* isar-cip-core: master branch
+* Host: Debian 10 buster amd64
+ * Installed packages: `docker-ce`, `qemu-system`
+ * Users who does the following actions must be in the groups `docker` and `kvm`
+
+Create kas file
+---------------
+
+Create a kas file named `opt-security.yml` to add security settings.
That file is added by this patch already.

+
+Add security packages to rootfs
+-------------------------------
+
+Set `IMAGE_PREINSTALL` to the list of packages required to enable
+the security features. This variable can be set through the kas file.
+
+Example:
+
+```
+local_conf_header:
+ security: |
+ IMAGE_PREINSTALL = "openssl"
+```
+
+Build images
+------------
+
+Build images for QEMU x86 64bit machine:
+
+ $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml
+
+Run on QEMU
+-----------
+
+Run the generated images on QEMU (x86 64bit).
+
+ $ ./start-qemu.sh amd64
diff --git a/opt-security.yml b/opt-security.yml
new file mode 100644
index 0000000..7c6b39c
--- /dev/null
+++ b/opt-security.yml
@@ -0,0 +1,34 @@
+#
+# KAS configuration for CIP Core generic profile to enable security features
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+# Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+local_conf_header:
+ security: |
+ # TODO: Add sudo or sudo-ldap
+ IMAGE_PREINSTALL = "\
+ openssl libssl1.1 \
+ fail2ban \
+ openssh-server openssh-sftp-server openssh-client \
+ syslog-ng-core syslog-ng-mod-journal \
+ aide aide-common \
+ libnftables0 nftables \
+ libpam-pkcs11 \
+ chrony \
+ tpm2-tools \
+ tpm2-abrmd \
+ libtss2-esys0 libtss2-udev \
+ libpam-cracklib \
+ acl \
+ libauparse0 audispd-plugins auditd \
+ uuid-runtime \
+ "
Shouldn't we target for a security image (recipe) instead?

General question: What is this series targeting? Seems patch 2 and 3 are left-overs from the development. Is this an RFC series only?

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Re: [isar-cip-core PATCH 2/2] kas: Restructure kas files.

Quirin Gylstorff
 

On 6/25/20 4:53 PM, Jan Kiszka wrote:
On 25.06.20 15:12, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Create folder structure
kas -> general configuration
kas/board -> all supported boards
kas/opt -> all kas option files

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  .gitlab-ci.yml                                            | 8 ++++----
  README.md                                                 | 4 ++--
  board-bbb.yml => kas/board/bbb.yml                        | 0
  board-iwg20m.yml => kas/board/iwg20m.yml                  | 0
  board-qemu-amd64.yml => kas/board/qemu-amd64.yml          | 0
  board-rzg2m.yml => kas/board/rzg2m.yml                    | 0
  .../board/simatic-ipc227e.yml                             | 0
  kas.yml => kas/cip.yml                                    | 0
  opt-4.4.yml => kas/opt/4.4.yml                            | 0
  opt-rt.yml => kas/opt/rt.yml                              | 0
  opt-stretch.yml => kas/opt/stretch.yml                    | 0
  opt-targz-img.yml => kas/opt/targz-img.yml                | 0
  12 files changed, 6 insertions(+), 6 deletions(-)
  rename board-bbb.yml => kas/board/bbb.yml (100%)
  rename board-iwg20m.yml => kas/board/iwg20m.yml (100%)
  rename board-qemu-amd64.yml => kas/board/qemu-amd64.yml (100%)
  rename board-rzg2m.yml => kas/board/rzg2m.yml (100%)
  rename board-simatic-ipc227e.yml => kas/board/simatic-ipc227e.yml (100%)
  rename kas.yml => kas/cip.yml (100%)
  rename opt-4.4.yml => kas/opt/4.4.yml (100%)
  rename opt-rt.yml => kas/opt/rt.yml (100%)
  rename opt-stretch.yml => kas/opt/stretch.yml (100%)
  rename opt-targz-img.yml => kas/opt/targz-img.yml (100%)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6f1dc91..564398d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,17 +13,17 @@ all:
      - export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
      - export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
-    - kas build kas.yml:board-simatic-ipc227e.yml:opt-rt.yml:opt-targz-img.yml
+    - kas build kas/cip.yml:kas/board/simatic-ipc227e.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
      - scripts/deploy-cip-core.sh buster simatic-ipc227e
      - sudo rm -rf build/tmp
-    - kas build kas.yml:board-bbb.yml:opt-rt.yml:opt-targz-img.yml
+    - kas build kas/cip.yml:kas/board/bbb.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
      - scripts/deploy-cip-core.sh buster bbb am335x-boneblack.dtb
      - sudo rm -rf build/tmp
-    - kas build kas.yml:board-iwg20m.yml:opt-rt.yml:opt-targz-img.yml
+    - kas build kas/cip.yml:kas/board/iwg20m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
      - scripts/deploy-cip-core.sh buster iwg20m r8a7743-iwg20d-q7-dbcm-ca.dtb
      - sudo rm -rf build/tmp
-    - kas build kas.yml:board-rzg2m.yml:opt-rt.yml:opt-targz-img.yml
+    - kas build kas/cip.yml:kas/board/rzg2m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
      - scripts/deploy-cip-core.sh buster hihope-rzg2m renesas/r8a774a1-hihope-rzg2m-ex.dtb
diff --git a/README.md b/README.md
index bbad1a0..ebbdee4 100644
--- a/README.md
+++ b/README.md
@@ -21,11 +21,11 @@ start containers.
  To build, e.g., the QEMU AMD64 target inside Docker, invoke kas-docker like
  this:
-    ./kas-docker --isar build kas.yml:board-qemu-amd64.yml
+    ./kas-docker --isar build kas/cip.yml:kas/board/qemu-amd64.yml
  This image can be run using `start-qemu.sh x86`.
-The BeagleBone Black target is selected by `... kas.yml:board-bbb.yml`. In
+The BeagleBone Black target is selected by `... kas/cip.yml:kas/board/bbb.yml`. In
  order to build the image with the PREEMPT-RT kernel, append `:opt-rt.yml` to
  the above. Append ':opt-4.4.yml' to use the kernel version 4.4 instead of 4.19.
diff --git a/board-bbb.yml b/kas/board/bbb.yml
similarity index 100%
rename from board-bbb.yml
rename to kas/board/bbb.yml
diff --git a/board-iwg20m.yml b/kas/board/iwg20m.yml
similarity index 100%
rename from board-iwg20m.yml
rename to kas/board/iwg20m.yml
diff --git a/board-qemu-amd64.yml b/kas/board/qemu-amd64.yml
similarity index 100%
rename from board-qemu-amd64.yml
rename to kas/board/qemu-amd64.yml
diff --git a/board-rzg2m.yml b/kas/board/rzg2m.yml
similarity index 100%
rename from board-rzg2m.yml
rename to kas/board/rzg2m.yml
diff --git a/board-simatic-ipc227e.yml b/kas/board/simatic-ipc227e.yml
similarity index 100%
rename from board-simatic-ipc227e.yml
rename to kas/board/simatic-ipc227e.yml
diff --git a/kas.yml b/kas/cip.yml
similarity index 100%
rename from kas.yml
rename to kas/cip.yml
diff --git a/opt-4.4.yml b/kas/opt/4.4.yml
similarity index 100%
rename from opt-4.4.yml
rename to kas/opt/4.4.yml
diff --git a/opt-rt.yml b/kas/opt/rt.yml
similarity index 100%
rename from opt-rt.yml
rename to kas/opt/rt.yml
diff --git a/opt-stretch.yml b/kas/opt/stretch.yml
similarity index 100%
rename from opt-stretch.yml
rename to kas/opt/stretch.yml
diff --git a/opt-targz-img.yml b/kas/opt/targz-img.yml
similarity index 100%
rename from opt-targz-img.yml
rename to kas/opt/targz-img.yml
There is one catch with moving everything into a subdirectory: If a user pulls a tarball of the layer, thus tries to use it with git, kas will not be able to identify the top-level directory, and various things can fail.
Therefore, we are now often using the pattern of keeping the kas-*.yml file at the top level while moving options or boards under kas/. See e.g. https://github.com/siemens/meta-iot2050/.
Jan
Ok I will send a v2 to add a top level kas-cip.yml to address that.

Quirin


[isar-cip-core PATCH 6/6] cip-core-image-security.bb: Add sudo package

Venkata Pyla
 

From: venkata pyla venkata.pyla@...

 

Added sudo package for security feature

 

Signed-off-by: venkata pyla <venkata.pyla@...>

---

recipes-core/images/cip-core-image-security.bb | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

 

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb

index b883414..8253952 100644

--- a/recipes-core/images/cip-core-image-security.bb

+++ b/recipes-core/images/cip-core-image-security.bb

@@ -17,7 +17,6 @@ DESCRIPTION = "CIP Core image including security packages"

IMAGE_INSTALL += "customizations"

 # Debian packages that provide security features

-# TODO: Add sudo or sudo-ldap which conflict each other

IMAGE_PREINSTALL += " \

               openssl libssl1.1 \

               fail2ban \

@@ -34,4 +33,5 @@ IMAGE_PREINSTALL += " \

               acl \

               libauparse0 audispd-plugins auditd \

               uuid-runtime \

+             sudo \

"

--

2.20.1

.


[isar-cip-core PATCH 5/6] cip-core-image-security.bb: append security packages to existing 'IMAGE_PREINSTALL'

Venkata Pyla
 

From: venkata pyla venkata.pyla@...

 

Signed-off-by: venkata pyla <venkata.pyla@...>

---

recipes-core/images/cip-core-image-security.bb | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

 

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb

index 70571f8..b883414 100644

--- a/recipes-core/images/cip-core-image-security.bb

+++ b/recipes-core/images/cip-core-image-security.bb

@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"

 # Debian packages that provide security features

# TODO: Add sudo or sudo-ldap which conflict each other

-IMAGE_PREINSTALL = " \

+IMAGE_PREINSTALL += " \

               openssl libssl1.1 \

               fail2ban \

               openssh-server openssh-sftp-server openssh-client \

--

2.20.1

.


[isar-cip-core PATCH 4/6] Use an image recipe to define installed packages instead of kas option

Venkata Pyla
 

From: Kazuhiro Hayashi kazuhiro3.hayashi@...

 

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@...>

---

SECURITY.md                                   | 23 ++++--------

opt-security.yml                              | 34 -----------------

.../images/cip-core-image-security.bb         | 37 +++++++++++++++++++

3 files changed, 45 insertions(+), 49 deletions(-)

delete mode 100644 opt-security.yml

create mode 100644 recipes-core/images/cip-core-image-security.bb

 

diff --git a/SECURITY.md b/SECURITY.md

index a8bccc7..ddceee5 100644

--- a/SECURITY.md

+++ b/SECURITY.md

@@ -18,31 +18,24 @@ Assumed environment

     * Installed packages: `docker-ce`, `qemu-system`

     * Users who does the following actions must be in the groups `docker` and `kvm`

-Create kas file

----------------

-

-Create a kas file named `opt-security.yml` to add security settings.

-

-Add security packages to rootfs

--------------------------------

+Create image recipe

+-------------------

-Set `IMAGE_PREINSTALL` to the list of packages required to enable

-the security features. This variable can be set through the kas file.

+Create the recipe `recipes-core/images/cip-core-image-security.bb`

+to generate a image including required packages.

+We can install existing Debian packages by setting

+`IMAGE_PREINSTALL` in the image recipe.

 Example:

-```

-local_conf_header:

-  security: |

     IMAGE_PREINSTALL = "openssl"

-```

 Build images

------------

-Build images for QEMU x86 64bit machine:

+Build images for QEMU x86 64bit machine.

-    $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml

+    $ ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml

 Run on QEMU

-----------

diff --git a/opt-security.yml b/opt-security.yml

deleted file mode 100644

index 7c6b39c..0000000

--- a/opt-security.yml

+++ /dev/null

@@ -1,34 +0,0 @@

-#

-# KAS configuration for CIP Core generic profile to enable security features

-#

-# Copyright (c) Toshiba Corporation, 2020

-#

-# Authors:

-#  Kazuhiro Hayashi <kazuhiro3.hayashi@...>

-#

-# SPDX-License-Identifier: MIT

-#

-

-header:

-  version: 8

-

-local_conf_header:

-  security: |

-    # TODO: Add sudo or sudo-ldap

-    IMAGE_PREINSTALL = "\

-      openssl libssl1.1 \

-      fail2ban \

-      openssh-server openssh-sftp-server openssh-client \

-      syslog-ng-core syslog-ng-mod-journal \

-      aide aide-common \

-      libnftables0 nftables \

-      libpam-pkcs11 \

-      chrony \

-      tpm2-tools \

-      tpm2-abrmd \

-      libtss2-esys0 libtss2-udev \

-      libpam-cracklib \

-      acl \

-      libauparse0 audispd-plugins auditd \

-      uuid-runtime \

-    "

\ No newline at end of file

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb

new file mode 100644

index 0000000..70571f8

--- /dev/null

+++ b/recipes-core/images/cip-core-image-security.bb

@@ -0,0 +1,37 @@

+#

+# A reference image which includes security packages

+#

+# Copyright (c) Toshiba Corporation, 2020

+#

+# Authors:

+#  Kazuhiro Hayashi <kazuhiro3.hayashi@...>

+#

+# SPDX-License-Identifier: MIT

+#

+

+inherit image

+

+DESCRIPTION = "CIP Core image including security packages"

+

+# Use the same customizations as cip-core-image

+IMAGE_INSTALL += "customizations"

+

+# Debian packages that provide security features

+# TODO: Add sudo or sudo-ldap which conflict each other

+IMAGE_PREINSTALL = " \

+             openssl libssl1.1 \

+             fail2ban \

+             openssh-server openssh-sftp-server openssh-client \

+             syslog-ng-core syslog-ng-mod-journal \

+             aide aide-common \

+             libnftables0 nftables \

+             libpam-pkcs11 \

+             chrony \

+             tpm2-tools \

+             tpm2-abrmd \

+             libtss2-esys0 libtss2-udev \

+             libpam-cracklib \

+             acl \

+             libauparse0 audispd-plugins auditd \

+             uuid-runtime \

+"

--

2.20.1

 

.

2221 - 2240 of 7074