Date   

[isar-cip-core PATCH v2 4/6] secure-boot: Add secure boot with unified kernel image

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

A unified kernel image contains the os-release, kernel,
kernel commandline, initramfs and efi-stub in one binary.
This binary can be boot by systemd-boot and efibootguard.
It also allows to sign kernel and initramfs as one packages.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas/opt/ebg-secure-boot-base.yml | 17 ++++
recipes-core/images/cip-core-image.bb | 2 +-
recipes-core/images/files/sw-description.tmpl | 6 +-
.../ebg-secure-boot-secrets_0.1.bb | 51 +++++++++++
.../ebg-secure-boot-secrets/files/README.md | 1 +
.../files/control.tmpl | 12 +++
.../files/sign_secure_image.sh.tmpl | 22 +++++
.../initramfs-config/files/postinst.tmpl | 31 -------
...enerate-sb-db-from-existing-certificate.sh | 16 ++++
scripts/generate_secure_boot_keys.sh | 51 +++++++++++
.../wic/plugins/source/efibootguard-boot.py | 87 +++++++++++++++++--
.../wic/plugins/source/efibootguard-efi.py | 40 ++++++++-
scripts/start-efishell.sh | 12 +++
start-qemu.sh | 54 +++++++++---
wic/ebg-signed-bootloader.inc | 2 +
wic/qemu-amd64-efibootguard.wks | 6 +-
16 files changed, 350 insertions(+), 60 deletions(-)
create mode 100644 kas/opt/ebg-secure-boot-base.yml
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
delete mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
create mode 100755 scripts/generate_secure_boot_keys.sh
create mode 100755 scripts/start-efishell.sh
create mode 100644 wic/ebg-signed-bootloader.inc

diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
new file mode 100644
index 0000000..0f9133c
--- /dev/null
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -0,0 +1,17 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+local_conf_header:
+ initramfs: |
+ IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 4dfc983..c781623 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -10,7 +10,7 @@
#

inherit image
-
+inherit image_uuid
ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
DESCRIPTION = "CIP Core image"

diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index bef1984..bce97d0 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -11,12 +11,12 @@
software =
{
version = "0.2";
- name = "ebsy secure boot update"
+ name = "secure boot update"
images: ({
- filename = "${EXTRACTED_PARTITION_NAME}";
+ filename = "${ROOTFS_PARTITION_NAME}";
device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
type = "roundrobin";
- compressed = true;
+ compressed = "true";
filesystem = "ext4";
});
files: ({
diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
new file mode 100644
index 0000000..37b35c9
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \
+ sign an image with the given keys"
+
+# variables
+SB_CERT_PATH = "/usr/share/ebg-secure-boot"
+SB_CERTDB ??= ""
+SB_VERIFY_CERT ??= ""
+SB_KEY_NAME ??= "demoDB"
+
+# used to sign the image
+DEBIAN_DEPENDS = "pesign, sbsigntool"
+
+# this package cannot be install together with:
+DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"
+
+SRC_URI = " \
+ file://sign_secure_image.sh.tmpl \
+ file://control.tmpl"
+SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }"
+SRC_URI_append = " ${@ d.getVar(SB_VERIFY_CERT) or "" }"
+TEMPLATE_FILES = "sign_secure_image.sh.tmpl"
+TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME"
+
+TEMPLATE_FILES += "control.tmpl"
+TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
+
+do_install() {
+ TARGET=${D}${SB_CERT_PATH}
+ install -m 0700 -d ${TARGET}
+ cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}
+ chmod 700 ${TARGET}/${SB_CERTDB}
+ install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT}
+ TARGET=${D}/usr/bin
+ install -d ${TARGET}
+ install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
+
+addtask do_install after do_transform_template
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
new file mode 100644
index 0000000..c739c51
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
@@ -0,0 +1 @@
+For a secure boot image this directory needs to contain the certdb directory and the db.crt file.
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
new file mode 100644
index 0000000..8361a49
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
@@ -0,0 +1,12 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9)
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
+Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
new file mode 100644
index 0000000..e84fd4c
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+set -x
+signee=$1
+signed=$2
+
+usage(){
+ echo "sign with debian snakeoil"
+ echo "$0 signee signed"
+ echo "signee: path to the image to be signed"
+ echo "signed: path to store the signed image"
+}
+
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+ usage
+ exit 1
+fi
+
+pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed
+sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed
+exit 0
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
deleted file mode 100644
index 008f68d..0000000
--- a/recipes-support/initramfs-config/files/postinst.tmpl
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-if [ -d /usr/share/secureboot ]; then
- patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
-fi
-
-INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
-if [ -f ${INITRAMFS_CONF} ]; then
- sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
- sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
- sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
- sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
- sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
- sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
- sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
- if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
- sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
- else
- sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
- fi
-fi
-
-MODULES_LIST_FILE=/etc/initramfs-tools/modules
-if [ -f ${MODULES_LIST_FILE} ]; then
- for modname in ${INITRAMFS_MODULE_LIST}; do
- if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
- echo "$modname" >> "${MODULES_LIST_FILE}"
- fi
- done
-fi
-
-update-initramfs -v -u
diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh
new file mode 100755
index 0000000..035f189
--- /dev/null
+++ b/scripts/generate-sb-db-from-existing-certificate.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+name=${SB_NAME:-snakeoil}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d ${keydir} ]; then
+ mkdir -p ${keydir}
+fi
+inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key}
+incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem}
+nick_name=${IN_NICK:-snakeoil}
+TMP=$(mktemp -d)
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name
+pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
+cp $incert ${keydir}/$(basename $incert)
+rm -rf $TMP
diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh
new file mode 100755
index 0000000..8d3f8c0
--- /dev/null
+++ b/scripts/generate_secure_boot_keys.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+name=${SB_NAME:-demo}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d ${keydir} ]; then
+ mkdir -p ${keydir}
+fi
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \
+ -keyout ${keydir}/${name}PK.key -out ${keydir}/${name}PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \
+ -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \
+ -keyout ${keydir}/${name}DB.key -out ${keydir}/${name}DB.crt -days 3650 -nodes -sha256
+openssl x509 -in ${keydir}/${name}PK.crt -out ${keydir}/${name}PK.cer -outform DER
+openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER
+openssl x509 -in ${keydir}/${name}DB.crt -out ${keydir}/${name}DB.cer -outform DER
+
+openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \
+ -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass:
+
+GUID=$(uuidgen --random)
+echo $GUID > ${keydir}/${name}GUID
+
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt ${keydir}/${name}PK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt ${keydir}/${name}DB.esl
+rm -f ${keydir}/${name}noPK.esl
+touch ${keydir}/${name}noPK.esl
+
+sign-efi-sig-list -g $GUID \
+ -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+ PK ${keydir}/${name}PK.esl ${keydir}/${name}PK.auth
+sign-efi-sig-list -g $GUID \
+ -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+ PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth
+sign-efi-sig-list -g $GUID \
+ -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+ KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth
+sign-efi-sig-list -g $GUID \
+ -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+ DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth
+
+chmod 0600 ${keydir}/${name}*.key
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+
+certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt
+pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12
+certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u
+
+certutil -d ${keydir}/${name}certdb -K
+certutil -d ${keydir}/${name}certdb -L
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 38d2b2e..d291f75 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -80,17 +80,29 @@ class EfibootguardBootPlugin(SourcePlugin):


boot_files = source_params.get("files", "").split(' ')
+ uefi_kernel = source_params.get("unified-kernel")
cmdline = bootloader.append
- root_dev = source_params.get("root", None)
- if not root_dev:
- msger.error("Specify root in source params")
- exit(1)
+ if uefi_kernel:
+ boot_image = cls._create_unified_kernel_image(rootfs_dir,
+ cr_workdir,
+ cmdline,
+ uefi_kernel,
+ deploy_dir,
+ kernel_image,
+ initrd_image,
+ source_params)
+ boot_files.append(boot_image)
+ else:
+ root_dev = source_params.get("root", None)
+ if not root_dev:
+ msger.error("Specify root in source params")
+ exit(1)
root_dev = root_dev.replace(":", "=")

- cmdline += " root=%s rw" % root_dev
- boot_files.append(kernel_image)
- boot_files.append(initrd_image)
- cmdline += "initrd=%s" % initrd_image if initrd_image else ""
+ cmdline += " root=%s rw" % root_dev
+ boot_files.append(kernel_image)
+ boot_files.append(initrd_image)
+ cmdline += "initrd=%s" % initrd_image if initrd_image else ""

part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
part.label, part.lineno)
@@ -160,3 +172,62 @@ class EfibootguardBootPlugin(SourcePlugin):

part.size = bootimg_size
part.source_file = bootimg
+
+ @classmethod
+ def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
+ uefi_kernel, deploy_dir, kernel_image,
+ initrd_image, source_params):
+ rootfs_path = rootfs_dir.get('ROOTFS_DIR')
+ os_release_file = "{root}/etc/os-release".format(root=rootfs_path)
+ efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\
+ .format(rootfs_path=rootfs_path)
+ msger.debug("osrelease path: %s", os_release_file)
+ kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\
+ .format(cr_workdir=cr_workdir)
+ with open(kernel_cmdline_file, "w") as cmd_fd:
+ cmd_fd.write(cmdline)
+ uefi_kernel_name = "linux.efi"
+ uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\
+ .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name)
+ kernel = "{deploy_dir}/{kernel_image}"\
+ .format(deploy_dir=deploy_dir, kernel_image=kernel_image)
+ initrd = "{deploy_dir}/{initrd_image}"\
+ .format(deploy_dir=deploy_dir, initrd_image=initrd_image)
+ objcopy_cmd = 'objcopy \
+ --add-section .osrel={os_release_file} \
+ --change-section-vma .osrel=0x20000 \
+ --add-section .cmdline={kernel_cmdline_file} \
+ --change-section-vma .cmdline=0x30000 \
+ --add-section .linux={kernel} \
+ --change-section-vma .linux=0x2000000 \
+ --add-section .initrd={initrd} \
+ --change-section-vma .initrd=0x3000000 \
+ {efistub} {uefi_kernel_file}'.format(
+ os_release_file=os_release_file,
+ kernel_cmdline_file=kernel_cmdline_file,
+ kernel=kernel,
+ initrd=initrd,
+ efistub=efistub,
+ uefi_kernel_file=uefi_kernel_file)
+ exec_cmd(objcopy_cmd)
+
+ return cls._sign_file(name=uefi_kernel_name,
+ signee=uefi_kernel_file,
+ deploy_dir=deploy_dir,
+ source_params=source_params)
+
+ @classmethod
+ def _sign_file(cls, name, signee, deploy_dir, source_params):
+ sign_script = source_params.get("signwith")
+ if sign_script and os.path.exists(sign_script):
+ msger.info("sign with script %s", sign_script)
+ name = name.replace(".efi", ".signed.efi")
+ sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\
+ .format(sign_script=sign_script, signee=signee,
+ deploy_dir=deploy_dir, name=name)
+ exec_cmd(sign_cmd)
+ elif sign_script and not os.path.exists(sign_script):
+ msger.error("Could not find script %s", sign_script)
+ exit(1)
+
+ return name
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 5ee451f..6647212 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -64,10 +64,17 @@ class EfibootguardEFIPlugin(SourcePlugin):
exec_cmd(create_dir_cmd)

for bootloader in bootloader_files:
- cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir,
- bootloader,
- part_rootfs_dir,
- bootloader)
+ signed_bootloader = cls._sign_file(bootloader,
+ "{}/{}".format(deploy_dir,
+ bootloader
+ ),
+ cr_workdir,
+ source_params)
+ # important the bootloader in deploy_dir is no longer signed
+ cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
+ signed_bootloader,
+ part_rootfs_dir,
+ bootloader)
exec_cmd(cp_cmd, True)
du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
blocks = int(exec_cmd(du_cmd).split()[0])
@@ -100,3 +107,28 @@ class EfibootguardEFIPlugin(SourcePlugin):

part.size = efi_part_image_size
part.source_file = efi_part_image
+
+
+ @classmethod
+ def _sign_file(cls, name, signee, cr_workdir, source_params):
+ sign_script = source_params.get("signwith")
+ if sign_script and os.path.exists(sign_script):
+ work_name = name.replace(".efi", ".signed.efi")
+ sign_cmd = "{sign_script} {signee} \
+ {cr_workdir}/{work_name}".format(sign_script=sign_script,
+ signee=signee,
+ cr_workdir=cr_workdir,
+ work_name=work_name)
+ exec_cmd(sign_cmd)
+ elif sign_script and not os.path.exists(sign_script):
+ msger.error("Could not find script %s", sign_script)
+ exit(1)
+ else:
+ # if we do nothing copy the signee to the work directory
+ work_name = name
+ cp_cmd = "cp {signee} {cr_workdir}/{work_name}".format(
+ signee=signee,
+ cr_workdir=cr_workdir,
+ work_name=work_name)
+ exec_cmd(cp_cmd)
+ return work_name
diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh
new file mode 100755
index 0000000..3c56ebc
--- /dev/null
+++ b/scripts/start-efishell.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+DISK=$1
+qemu-system-x86_64 -enable-kvm -M q35 \
+ -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \
+ -global ICH9-LPC.disable_s3=1 \
+ -global isa-fdc.driveA= \
+ -boot menu=on \
+ -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+ -drive if=pflash,format=raw,file=${ovmf_vars} \
+ -drive file=fat:rw:$DISK
diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..74d1b54 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -15,6 +15,8 @@ usage()
echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]"
echo -e "\nSet QEMU_PATH environment variable to use a locally " \
"built QEMU version"
+ echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \
+ "This environment also needs the variables OVMF_VARS and OVMF_CODE set"
exit 1
}

@@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
fi

+if [ -z "${DISTRO_RELEASE}" ]; then
+ DISTRO_RELEASE="buster"
+fi
+if [ -z "${TARGET_IMAGE}" ];then
+ TARGET_IMAGE="cip-core-image"
+fi
+
case "$1" in
x86|x86_64|amd64)
DISTRO_ARCH=amd64
QEMU=qemu-system-x86_64
QEMU_EXTRA_ARGS=" \
- -cpu host -smp 4 \
- -enable-kvm -machine q35 \
+ -cpu qemu64 \
+ -smp 4 \
+ -machine q35,accel=kvm:tcg \
-device ide-hd,drive=disk \
-device virtio-net-pci,netdev=net"
KERNEL_CMDLINE=" \
- root=/dev/sda vga=0x305 console=ttyS0"
+ root=/dev/sda vga=0x305"
;;
arm64|aarch64)
DISTRO_ARCH=arm64
@@ -71,21 +81,41 @@ case "$1" in
;;
esac

-if [ -z "${DISTRO_RELEASE}" ]; then
- DISTRO_RELEASE="buster"
-fi
-
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
-IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"

if [ -z "${DISPLAY}" ]; then
QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
+ case "$1" in
+ x86|x86_64|amd64)
+ KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0"
+ esac
+fi
+
+
+
+if [ -n "SECURE_BOOT" ]; then
+ ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+ ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+ QEMU_EXTRA_ARGS=" \
+ ${QEMU_EXTRA_ARGS} \
+ -global ICH9-LPC.disable_s3=1 \
+ -global isa-fdc.driveA= \
+ "
+ BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+ -drive if=pflash,format=raw,file=${ovmf_vars} \
+ -drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw"
+else
+ IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+
+ KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)
+ INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)
+
+ BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
+ -initrd ${INITRD_FILE}
fi

shift 1

${QEMU_PATH}${QEMU} \
- -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
-m 1G -serial mon:stdio -netdev user,id=net \
- -kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \
- -initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@"
+ ${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc
new file mode 100644
index 0000000..667e014
--- /dev/null
+++ b/wic/ebg-signed-bootloader.inc
@@ -0,0 +1,2 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
index 3cd7360..9ccf501 100644
--- a/wic/qemu-amd64-efibootguard.wks
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -1,5 +1,9 @@
# short-description: Qemu-amd64 with Efibootguard and SWUpdate
# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
+include ebg-signed-bootloader.inc
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"

-include ebg-sysparts.inc
include swupdate-partition.inc
--
2.20.1


[isar-cip-core PATCH v2 2/6] isar-patch: Add initramfs-config patch

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initramfs generation to set for example the root device
in the initramfs

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++
kas-cip.yml | 3 +
2 files changed, 210 insertions(+)
create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch

diff --git a/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
new file mode 100644
index 0000000..f8fb28e
--- /dev/null
+++ b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
@@ -0,0 +1,207 @@
+From 7c85e2e363fd39e60bf5041d02e14e8bd62c1a68 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Tue, 24 Mar 2020 17:58:08 +0100
+Subject: [PATCH v7 1/3] meta/support: Generate a custom initramfs
+
+This package sets the Parameters for mkinitramfs/update-intramfs
+before it regenerates the initrd.img of debian with a modified version.
+
+Use cases are the remove unnecessary kernel modules to reduce the
+size of the initrd by using the parameters:
+```
+INITRAMFS_MODULES = "list"
+INITRAMFS_MODULE_LIST += "ext4"
+```
+
+Set the boot root during the initrd generation by setting `INITRAMFS_ROOT`.
+
+see also man pages of mkinitramfs and initramfs.conf.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ .../initramfs-config/initramfs-config_0.1.bb | 6 +++
+ .../initramfs-config/files/control.tmpl | 12 +++++
+ .../initramfs-config/files/postinst.tmpl | 50 +++++++++++++++++++
+ .../initramfs-config/files/postrm.tmpl | 41 +++++++++++++++
+ .../initramfs-config/initramfs-config.inc | 32 ++++++++++++
+ 5 files changed, 141 insertions(+)
+ create mode 100644 meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+ create mode 100644 meta/recipes-support/initramfs-config/files/control.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postinst.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postrm.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/initramfs-config.inc
+
+diff --git a/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+new file mode 100644
+index 0000000..c951e8a
+--- /dev/null
++++ b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+@@ -0,0 +1,6 @@
++#
++# Copyright (C) Siemens AG, 2020
++#
++# SPDX-License-Identifier: MIT
++
++require recipes-support/initramfs-config/initramfs-config.inc
+diff --git a/meta/recipes-support/initramfs-config/files/control.tmpl b/meta/recipes-support/initramfs-config/files/control.tmpl
+new file mode 100644
+index 0000000..66984eb
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/control.tmpl
+@@ -0,0 +1,12 @@
++Source: ${PN}
++Section: misc
++Priority: optional
++Standards-Version: 3.9.6
++Maintainer: isar-users <isar-users@googlegroups.com>
++Build-Depends: debhelper (>= 9)
++
++
++Package: ${PN}
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools-core, ${DEBIAN_DEPENDS}
++Description: Configuration files for a custom initramfs
+diff --git a/meta/recipes-support/initramfs-config/files/postinst.tmpl b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+new file mode 100644
+index 0000000..e523906
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+@@ -0,0 +1,50 @@
++#!/bin/sh
++# postinst script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++ configure)
++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++ if [ -f ${INITRAMFS_CONF} ]; then
++ sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
++ if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
++ sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
++ else
++ sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
++ fi
++ fi
++
++ MODULES_LIST_FILE=/etc/initramfs-tools/modules
++ if [ -f ${MODULES_LIST_FILE} ]; then
++ for modname in ${INITRAMFS_MODULE_LIST}; do
++ if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
++ echo "$modname" >> "${MODULES_LIST_FILE}"
++ fi
++ done
++ fi
++
++ update-initramfs -v -u
++
++ ;;
++ abort-upgrade|abort-remove|abort-deconfigure)
++ ;;
++
++ *)
++ echo "postinst called with unknown argument \`$1'" >&2
++ exit 1
++ ;;
++esac
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/files/postrm.tmpl b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+new file mode 100644
+index 0000000..115d9b6
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# postrm script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
++ # back to the debian defaults
++ INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++ sed -i -E 's/(^MODULES=).*/\1most/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^BUSYBOX=).*/\1auto/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^COMPRESS=).*/\1gzip/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^KEYMAP=).*/\1n/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^DEVICE=).*/\1/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^NFSROOT=).*/\1auto/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^RUNSIZE=).*/\110%/' ${INITRAMFS_CONF}
++ sed -i -E 's/(^ROOT=).*//' ${INITRAMFS_CONF}
++
++ # remove the added modules
++ MODULES_LIST_FILE=/etc/initramfs-tools/modules
++ for modname in ${INITRAMFS_MODULE_LIST}; do
++ sed -i -E 's/$modname//'
++ done
++
++ update-initramfs -v -u
++ ;;
++
++ *)
++ echo "postrm called with unknown argument \`$1'" >&2
++ exit 1
++ ;;
++esac
++
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/initramfs-config.inc b/meta/recipes-support/initramfs-config/initramfs-config.inc
+new file mode 100644
+index 0000000..16049a9
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/initramfs-config.inc
+@@ -0,0 +1,32 @@
++# This software is a part of ISAR.
++# Copyright (C) 2020 Siemens AG
++#
++# SPDX-License-Identifier: MIT
++inherit dpkg-raw
++inherit template
++DESCRIPTION = "Recipe to set the initramfs configuration and generate a new ramfs"
++
++FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
++
++SRC_URI = "file://postinst.tmpl \
++ file://postrm.tmpl \
++ file://control.tmpl \
++ "
++
++INITRAMFS_MODULES ?= "most"
++INITRAMFS_BUSYBOX ?= "auto"
++INITRAMFS_COMPRESS ?= "gzip"
++INITRAMFS_KEYMAP ?= "n"
++INITRAMFS_NET_DEVICE ?= ""
++INITRAMFS_NFSROOT ?= "auto"
++INITRAMFS_RUNSIZE ?= "10%"
++INITRAMFS_ROOT ?= ""
++INITRAMFS_MODULE_LIST ?= ""
++CREATE_NEW_INITRAMFS ?= "n"
++KERNEL_PACKAGE = "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}"
++DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}"
++TEMPLATE_FILES = "postinst.tmpl control.tmpl postrm.tmpl"
++TEMPLATE_VARS += "INITRAMFS_MODULES INITRAMFS_BUSYBOX INITRAMFS_COMPRESS \
++ INITRAMFS_KEYMAP INITRAMFS_NET_DEVICE INITRAMFS_NFSROOT \
++ INITRAMFS_RUNSIZE INITRAMFS_ROOT INITRAMFS_MODULE_LIST \
++ CREATE_NEW_INITRAMFS DEBIAN_DEPENDS PN"
+--
+2.20.1
+
diff --git a/kas-cip.yml b/kas-cip.yml
index 0da07db..da99d51 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -26,6 +26,9 @@ repos:
01-libubootenv:
path: isar-patches/0001-u-boot-add-libubootenv.patch
repo: cip-core
+ 02-initramfs:
+ path: isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
+ repo: cip-core

bblayers_conf_header:
standard: |
--
2.20.1


[isar-cip-core PATCH v2 3/6] secure-boot: select boot partition in initramfs

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As the usage of a unified kernel image freeze the kernel commmandline
during build time the rootfs selection for swupdate can no longer be
done with the kernel commandline and must be done later in the boot
process. Read the root filesystem /etc/os-release and check if it contains
the same uuid as stored in the initramfs . If the uuids are the same
boot the root file system.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/image_uuid.bbclass | 29 +++++++
.../files/initramfs.image_uuid.hook | 33 ++++++++
.../files/initramfs.lsblk.hook | 29 +++++++
.../initramfs-config/files/postinst.ext | 3 +
.../initramfs-config/files/postinst.tmpl | 31 ++++++++
.../files/secure-boot-debian-local-patch | 77 +++++++++++++++++++
.../initramfs-abrootfs-secureboot_0.1.bb | 38 +++++++++
7 files changed, 240 insertions(+)
create mode 100644 classes/image_uuid.bbclass
create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
create mode 100644 recipes-support/initramfs-config/files/postinst.ext
create mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
new file mode 100644
index 0000000..64379da
--- /dev/null
+++ b/classes/image_uuid.bbclass
@@ -0,0 +1,29 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+def generate_image_uuid():
+ import uuid
+ return str(uuid.uuid4())
+
+
+IMAGE_UUID ?= "${@generate_image_uuid()}"
+
+do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+do_generate_image_uuid() {
+ sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
+ echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+ sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
+ image_do_mounts
+
+ # update initramfs to add uuid
+ sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
+}
+addtask generate_image_uuid before do_copy_boot_files after do_rootfs_install
diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
new file mode 100644
index 0000000..910ce84
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+set -x
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -e /etc/os-release ]; then
+ echo "Warning: couldn't find /etc/os-release!"
+ exit 0
+fi
+
+IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release)
+echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid"
+
+exit 0
\ No newline at end of file
diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
new file mode 100644
index 0000000..cf32404
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -x /usr/bin/lsblk ]; then
+ echo "Warning: couldn't find /usr/bin/lsblk!"
+ exit 0
+fi
+
+copy_exec /usr/bin/lsblk
diff --git a/recipes-support/initramfs-config/files/postinst.ext b/recipes-support/initramfs-config/files/postinst.ext
new file mode 100644
index 0000000..cdafa74
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.ext
@@ -0,0 +1,3 @@
+if [ -d /usr/share/secureboot ]; then
+ patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
new file mode 100644
index 0000000..008f68d
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.tmpl
@@ -0,0 +1,31 @@
+#!/bin/sh
+if [ -d /usr/share/secureboot ]; then
+ patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
+
+INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
+if [ -f ${INITRAMFS_CONF} ]; then
+ sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
+ sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
+ sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
+ sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
+ sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
+ sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
+ sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
+ if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
+ sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
+ else
+ sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
+ fi
+fi
+
+MODULES_LIST_FILE=/etc/initramfs-tools/modules
+if [ -f ${MODULES_LIST_FILE} ]; then
+ for modname in ${INITRAMFS_MODULE_LIST}; do
+ if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
+ echo "$modname" >> "${MODULES_LIST_FILE}"
+ fi
+ done
+fi
+
+update-initramfs -v -u
diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
new file mode 100644
index 0000000..31d4c40
--- /dev/null
+++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
@@ -0,0 +1,77 @@
+--- local 2020-06-10 14:54:42.148263121 +0200
++++ ../../../../../../../../../../../recipes-support/initramfs-config/files/local 2020-06-10 14:53:03.723314458 +0200
+@@ -1,5 +1,4 @@
+ # Local filesystem mounting -*- shell-script -*-
+-
+ local_top()
+ {
+ if [ "${local_top_used}" != "yes" ]; then
+@@ -155,34 +154,46 @@
+ local_mount_root()
+ {
+ local_top
+- if [ -z "${ROOT}" ]; then
+- panic "No root device specified. Boot arguments must include a root= parameter."
++ if [ ! -e /conf/image_uuid ]; then
++ panic "could not find image_uuid to select correct root file system"
+ fi
+- local_device_setup "${ROOT}" "root file system"
+- ROOT="${DEV}"
++ local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid)
++ local partitions=$(lsblk -nlp -o name)
++ for part in $partitions; do
++ local_device_setup "${part}" "root file system"
++ ROOT="${DEV}"
++
++ # Get the root filesystem type if not set
++ if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
++ FSTYPE=$(get_fstype "${ROOT}")
++ else
++ FSTYPE=${ROOTFSTYPE}
++ fi
+
+- # Get the root filesystem type if not set
+- if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
+- FSTYPE=$(get_fstype "${ROOT}")
+- else
+- FSTYPE=${ROOTFSTYPE}
+- fi
++ local_premount
+
+- local_premount
++ if [ "${readonly?}" = "y" ]; then
++ roflag=-r
++ else
++ roflag=-w
++ fi
+
+- if [ "${readonly?}" = "y" ]; then
+- roflag=-r
+- else
+- roflag=-w
+- fi
++ checkfs "${ROOT}" root "${FSTYPE}"
+
+- checkfs "${ROOT}" root "${FSTYPE}"
++ # Mount root
++ # shellcheck disable=SC2086
++ if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
++ if [ -e "${rootmnt?}"/etc/os-release ]; then
++ image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' )
++ if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then
++ return
++ fi
++ fi
++ umount "${rootmnt?}"
++ fi
++ done
++ panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID"
+
+- # Mount root
+- # shellcheck disable=SC2086
+- if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
+- panic "Failed to mount ${ROOT} as root file system."
+- fi
+ }
+
+ local_mount_fs()
diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
new file mode 100644
index 0000000..0be9871
--- /dev/null
+++ b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
@@ -0,0 +1,38 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-support/initramfs-config/initramfs-config.inc
+
+FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:"
+
+DEBIAN_DEPENDS += ", busybox, patch"
+
+SRC_URI += "file://postinst.ext \
+ file://initramfs.lsblk.hook \
+ file://initramfs.image_uuid.hook \
+ file://secure-boot-debian-local-patch"
+
+INITRAMFS_BUSYBOX = "y"
+
+do_install() {
+ # add patch for local to /usr/share/secure boot
+ TARGET=${D}/usr/share/secureboot
+ install -m 0755 -d ${TARGET}
+ install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch
+ # patch postinst
+ sed -i -e '/configure)/r ${WORKDIR}/postinst.ext' ${WORKDIR}/postinst
+
+ # add hooks for secure boot
+ HOOKS=${D}/etc/initramfs-tools/hooks
+install -m 0755 -d ${HOOKS}
+ install -m 0740 ${WORKDIR}/initramfs.lsblk.hook ${HOOKS}/lsblk.hook
+ install -m 0740 ${WORKDIR}/initramfs.image_uuid.hook ${HOOKS}/image_uuid.hook
+}
+addtask do_install after do_transform_template
--
2.20.1


[isar-cip-core PATCH v2 0/6] secureboot with efibootguard

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds secureboot with efibootguard to cip-core.

The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
process, the previous selection of the root file system with a command-line parameter is no longer
possible. Therefore the selection of the root file-system occurs now in the initramfs.

The image uses an A/B partition layout to update the root file system. The sample implementation to
select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
If a match is found the rootfs is used for the boot.

Changes V2:

- rebase to [1]
- removed luahandler patch as it now part of [1]
- add handling for sw-description

[1]: a/b rootfsupdate with software update

Quirin Gylstorff (6):
kernel: add fat for qemu-amd64
isar-patch: Add initramfs-config patch
secure-boot: select boot partition in initramfs
secure-boot: Add secure boot with unified kernel image
secure-boot: Add Debian snakeoil keys for ease-of-use
doc: Add README for secureboot

classes/image_uuid.bbclass | 29 +++
conf/distro/debian-buster-backports.list | 1 +
conf/distro/preferences.ovmf-snakeoil.conf | 3 +
doc/README.secureboot.md | 188 ++++++++++++++++
...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++
kas-cip.yml | 3 +
kas/opt/ebg-secure-boot-base.yml | 17 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 27 +++
kas/opt/ebg-swu.yml | 2 +-
recipes-core/images/cip-core-image.bb | 2 +-
recipes-core/images/files/sw-description.tmpl | 6 +-
.../ebg-secure-boot-secrets_0.1.bb | 51 +++++
.../ebg-secure-boot-secrets/files/README.md | 1 +
.../files/control.tmpl | 12 +
.../files/sign_secure_image.sh.tmpl | 22 ++
.../ebg-secure-boot-snakeoil_0.1.bb | 35 +++
.../files/control.tmpl | 12 +
.../files/sign_secure_image.sh | 36 +++
.../ovmf-binaries/files/control.tmpl | 11 +
.../ovmf-binaries/ovmf-binaries_0.1.bb | 30 +++
.../linux/files/qemu-amd64_defconfig | 6 +
.../files/initramfs.image_uuid.hook | 33 +++
.../files/initramfs.lsblk.hook | 29 +++
.../initramfs-config/files/postinst.ext | 3 +
.../files/secure-boot-debian-local-patch | 77 +++++++
.../initramfs-abrootfs-secureboot_0.1.bb | 38 ++++
...enerate-sb-db-from-existing-certificate.sh | 16 ++
scripts/generate_secure_boot_keys.sh | 51 +++++
.../wic/plugins/source/efibootguard-boot.py | 87 +++++++-
.../wic/plugins/source/efibootguard-efi.py | 40 +++-
scripts/start-efishell.sh | 12 +
start-qemu.sh | 54 ++++-
wic/ebg-signed-bootloader.inc | 2 +
wic/qemu-amd64-efibootguard.wks | 6 +-
34 files changed, 1119 insertions(+), 30 deletions(-)
create mode 100644 classes/image_uuid.bbclass
create mode 100644 conf/distro/debian-buster-backports.list
create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
create mode 100644 doc/README.secureboot.md
create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
create mode 100644 kas/opt/ebg-secure-boot-base.yml
create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
create mode 100644 recipes-support/initramfs-config/files/postinst.ext
create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
create mode 100755 scripts/generate_secure_boot_keys.sh
create mode 100755 scripts/start-efishell.sh
create mode 100644 wic/ebg-signed-bootloader.inc

--
2.20.1


[isar-cip-core PATCH v2 1/6] kernel: add fat for qemu-amd64

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add a fat configuration to access FAT Partitions on the qemu-amd64
target.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig b/recipes-kernel/linux/files/qemu-amd64_defconfig
index 7487152..5449317 100644
--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
@@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y
# CONFIG_XZ_DEC_ARM is not set
# CONFIG_XZ_DEC_ARMTHUMB is not set
# CONFIG_XZ_DEC_SPARC is not set
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
--
2.20.1


[isar-cip-core PATCH v2 5/5] swupdate: create swu file from wic image

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Create a swu file for swupdate to update devices in the field.
This is done in the same step as the complete image build
to avoid diverging images.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/extract-partition.bbclass | 26 +++++++++++++++++
classes/wic-swu-img.bbclass | 20 +++++++++++++
kas/opt/qemu-swupdate.yml | 19 ++++++++++++
recipes-core/images/cip-core-image.bb | 10 +++++++
recipes-core/images/files/sw-description.tmpl | 29 +++++++++++++++++++
5 files changed, 104 insertions(+)
create mode 100644 classes/extract-partition.bbclass
create mode 100644 classes/wic-swu-img.bbclass
create mode 100644 kas/opt/qemu-swupdate.yml
create mode 100644 recipes-core/images/files/sw-description.tmpl

diff --git a/classes/extract-partition.bbclass b/classes/extract-partition.bbclass
new file mode 100644
index 0000000..e9de8fc
--- /dev/null
+++ b/classes/extract-partition.bbclass
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SOURCE_IMAGE_FILE ?= "${WIC_IMAGE_FILE}"
+EXTRACT_PARTITIONS ?= "img4"
+
+do_extract_partition () {
+ for PARTITION in ${EXTRACT_PARTITIONS}; do
+ rm -f ${DEPLOY_DIR_IMAGE}/${PARTITION}.gz
+ PART_START=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $2 }' )
+ PART_END=$(fdisk -lu ${SOURCE_IMAGE_FILE} | grep ${PARTITION} | awk '{ print $3 }' )
+ PART_COUNT=$(expr ${PART_END} - ${PART_START} + 1 )
+
+ dd if=${SOURCE_IMAGE_FILE} of=${DEPLOY_DIR_IMAGE}/${PARTITION} bs=512 skip=${PART_START} count=${PART_COUNT}
+
+ gzip ${DEPLOY_DIR_IMAGE}/${PARTITION}
+ done
+}
diff --git a/classes/wic-swu-img.bbclass b/classes/wic-swu-img.bbclass
new file mode 100644
index 0000000..c8532ba
--- /dev/null
+++ b/classes/wic-swu-img.bbclass
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+
+inherit wic-img
+inherit extract-partition
+inherit swupdate-img
+
+SOURCE_IMAGE_FILE = "${WIC_IMAGE_FILE}"
+
+addtask do_extract_partition after do_wic_image
+addtask do_swupdate_image after do_extract_partition
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
new file mode 100644
index 0000000..99b4547
--- /dev/null
+++ b/kas/opt/qemu-swupdate.yml
@@ -0,0 +1,19 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+
+header:
+ version: 8
+
+local_conf_header:
+ qemu-wic: |
+ IMAGE_TYPE ?= "wic-swu-img"
+ WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 9ee4b25..4dfc983 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -17,3 +17,13 @@ DESCRIPTION = "CIP Core image"
IMAGE_INSTALL += "customizations"
# for cip-testing
IMAGE_INSTALL += "ltp-full"
+
+# for swupdate
+EXTRACT_PARTITIONS = "img4"
+ROOTFS_PARTITION_NAME="img4.gz"
+
+SRC_URI += "file://sw-description.tmpl"
+TEMPLATE_FILES += "sw-description.tmpl"
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
+
+SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
new file mode 100644
index 0000000..bef1984
--- /dev/null
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -0,0 +1,29 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+software =
+{
+ version = "0.2";
+ name = "ebsy secure boot update"
+ images: ({
+ filename = "${EXTRACTED_PARTITION_NAME}";
+ device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
+ type = "roundrobin";
+ compressed = true;
+ filesystem = "ext4";
+ });
+ files: ({
+ filename = "linux.signed.efi";
+ path = "linux.signed.efi";
+ type = "kernelfile";
+ device = "sda2,sda3";
+ filesystem = "vfat";
+ })
+}
--
2.20.1


[isar-cip-core PATCH v2 3/5] recipes-core: add swupdate

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add swupdate for A/B software updates. Currently the Round Robin
handler in lua supports efibootguard as bootloader. The u-boot
implementation is outstanding.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/kconfig-snippets.bbclass | 90 ++++
classes/swupdate-config.bbclass | 76 +++
classes/swupdate-img.bbclass | 75 +++
.../swupdate/files/debian/changelog.tmpl | 6 +
recipes-core/swupdate/files/debian/compat | 1 +
.../swupdate/files/debian/control.tmpl | 15 +
recipes-core/swupdate/files/debian/copyright | 36 ++
recipes-core/swupdate/files/debian/rules.tmpl | 30 ++
.../swupdate/files/debian/swupdate.examples | 2 +
.../swupdate/files/debian/swupdate.install | 2 +
.../swupdate/files/debian/swupdate.manpages | 5 +
.../swupdate/files/debian/swupdate.tmpfile | 2 +
recipes-core/swupdate/files/debian/watch | 12 +
recipes-core/swupdate/files/postinst | 2 +
recipes-core/swupdate/files/swupdate.cfg | 6 +
.../swupdate/files/swupdate.service.example | 11 +
.../swupdate/files/swupdate.socket.example | 11 +
.../swupdate/files/swupdate.socket.tmpl | 13 +
.../swupdate/files/swupdate_defconfig | 83 ++++
.../swupdate_defconfig_efibootguard.snippet | 3 +
.../files/swupdate_defconfig_lua.snippet | 2 +
.../swupdate_defconfig_luahandler.snippet | 4 +
.../files/swupdate_defconfig_mtd.snippet | 1 +
.../files/swupdate_defconfig_u-boot.snippet | 3 +
.../files/swupdate_defconfig_ubi.snippet | 6 +
.../swupdate/files/swupdate_handlers.lua | 453 ++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 54 +++
27 files changed, 1004 insertions(+)
create mode 100644 classes/kconfig-snippets.bbclass
create mode 100644 classes/swupdate-config.bbclass
create mode 100644 classes/swupdate-img.bbclass
create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl
create mode 100644 recipes-core/swupdate/files/debian/compat
create mode 100644 recipes-core/swupdate/files/debian/control.tmpl
create mode 100644 recipes-core/swupdate/files/debian/copyright
create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl
create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples
create mode 100644 recipes-core/swupdate/files/debian/swupdate.install
create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages
create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile
create mode 100644 recipes-core/swupdate/files/debian/watch
create mode 100644 recipes-core/swupdate/files/postinst
create mode 100644 recipes-core/swupdate/files/swupdate.cfg
create mode 100644 recipes-core/swupdate/files/swupdate.service.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua
create mode 100644 recipes-core/swupdate/swupdate.bb

diff --git a/classes/kconfig-snippets.bbclass b/classes/kconfig-snippets.bbclass
new file mode 100644
index 0000000..d754654
--- /dev/null
+++ b/classes/kconfig-snippets.bbclass
@@ -0,0 +1,90 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+KCONFIG_SNIPPETS = ""
+
+# The following function defines the kconfig snippet system
+# with automatich debian dependency injection
+#
+# To define a feature set, the user has to define the following
+# variable to an empty string:
+#
+# KFEATURE_featurename = ""
+#
+# Then, required additions to the variables can be defined:
+#
+# KFEATURE_featurename[KCONFIG_SNIPPETS] = "file://snippet-file-name.snippet"
+# KFEATURE_featurename[SRC_URI] = "file://required-file.txt"
+# KFEATURE_featurename[DEPENDS] = "deb-pkg1 deb-pkg2 deb-pkg3"
+# KFEATURE_featurename[DEBIAN_DEPENDS] = "deb-pkg1"
+# KFEATURE_featurename[BUILD_DEB_DEPENDS] = "deb-pkg1,deb-pkg2,deb-pkg3"
+
+# The 'KCONFIG_SNIPPETS' flag gives a list of URI entries, where only
+# file:// is supported. These snippets are appended to the DEFCONFIG file.
+#
+# Features can depend on other features via the following mechanism:
+#
+# KFEATURE_DEPS[feature1] = "feature2"
+
+python () {
+ requested_features = d.getVar("KFEATURES", True) or ""
+
+ features = set(requested_features.split())
+ old_features = set()
+ feature_deps = d.getVarFlags("KFEATURE_DEPS") or {}
+ while old_features != features:
+ diff_features = old_features.symmetric_difference(features)
+ old_features = features.copy()
+ for i in diff_features:
+ features.update(feature_deps.get(i, "").split())
+
+ for f in sorted(features):
+ bb.debug(2, "Feature: " + f)
+ varname = "KFEATURE_" + f
+ dummyvar = d.getVar(varname, False)
+ if dummyvar == None:
+ bb.error("Feature var " + f + " must be defined with needed flags.")
+ else:
+ feature_flags = d.getVarFlags(varname)
+ for feature_varname in sorted(feature_flags):
+ if feature_flags.get(feature_varname, "") != "":
+ sep = " "
+
+ # Required to add KCONFIG_SNIPPETS to SRC_URI here,
+ # because 'SRC_URI += "${KCONFIG_SNIPPETS}"' would
+ # conflict with SRC_APT feature.
+ if feature_varname == "KCONFIG_SNIPPETS":
+ d.appendVar('SRC_URI',
+ " " + feature_flags[feature_varname].strip())
+
+ # BUILD_DEP_DEPENDS and DEBIAN_DEPENDS is ',' separated
+ # Only add ',' if there is already something there
+ if feature_varname in ["BUILD_DEB_DEPENDS",
+ "DEBIAN_DEPENDS"]:
+ sep = "," if d.getVar(feature_varname) else ""
+
+ d.appendVar(feature_varname,
+ sep + feature_flags[feature_varname].strip())
+}
+
+# DEFCONFIG must be a predefined bitbake variable and the corresponding file
+# must exist in the WORKDIR.
+# The resulting generated config is the same file suffixed with ".gen"
+
+do_prepare_build_prepend() {
+ sh -x
+ GENCONFIG="${WORKDIR}/${DEFCONFIG}".gen
+ rm -f "$GENCONFIG"
+ cp "${WORKDIR}/${DEFCONFIG}" "$GENCONFIG"
+ for CONFIG_SNIPPET in $(echo "${KCONFIG_SNIPPETS}" | sed 's#file://##g')
+ do
+ cat ${WORKDIR}/$CONFIG_SNIPPET >> "$GENCONFIG"
+ done
+}
diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
new file mode 100644
index 0000000..7ce51c5
--- /dev/null
+++ b/classes/swupdate-config.bbclass
@@ -0,0 +1,76 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+# This class manages the config snippets together with their dependencies
+# to build SWUpdate
+
+inherit kconfig-snippets
+
+BUILD_DEB_DEPENDS = " \
+ zlib1g-dev, debhelper, libconfig-dev, libarchive-dev, \
+ python-sphinx:native, dh-systemd, libsystemd-dev"
+
+KFEATURE_lua = ""
+KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
+KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"
+
+KFEATURE_luahandler = ""
+KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
+KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+
+KFEATURE_DEPS = ""
+KFEATURE_DEPS[luahandler] = "lua"
+
+KFEATURE_efibootguard = ""
+KFEATURE_efibootguard[BUILD_DEB_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEBIAN_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_efibootguard.snippet"
+
+KFEATURE_mtd = ""
+KFEATURE_mtd[BUILD_DEB_DEPENDS] = "libmtd-dev"
+KFEATURE_mtd[DEPENDS] = "mtd-utils"
+KFEATURE_mtd[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_mtd.snippet"
+
+KFEATURE_ubi = ""
+KFEATURE_ubi[BUILD_DEB_DEPENDS] = "libubi-dev"
+KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"
+
+KFEATURE_DEPS[ubi] = "mtd"
+
+KFEATURE_u-boot = ""
+KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "u-boot-${MACHINE}-dev"
+KFEATURE_u-boot[DEBIAN_DEPENDS] = "u-boot-tools"
+KFEATURE_u-boot[DEPENDS] = "${U_BOOT}"
+KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"
+
+SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
+
+def get_bootloader_featureset(d):
+ bootloader = d.getVar("BOOTLOADER", True) or ""
+ if bootloader == "efibootguard":
+ return "efibootguard"
+ if bootloader == "u-boot":
+ return "u-boot"
+ return ""
+
+SWUPDATE_KFEATURES ??= ""
+KFEATURES = "${SWUPDATE_KFEATURES}"
+KFEATURES += "${@get_bootloader_featureset(d)}"
+
+# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# one time before it gets set. So the following must be a task.
+python do_check_bootloader () {
+ bootloader = d.getVar("BOOTLOADER", True) or "None"
+ if not bootloader in ["efibootguard", "u-boot"]:
+ bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+}
+addtask check_bootloader before do_fetch
+
diff --git a/classes/swupdate-img.bbclass b/classes/swupdate-img.bbclass
new file mode 100644
index 0000000..a21d6ec
--- /dev/null
+++ b/classes/swupdate-img.bbclass
@@ -0,0 +1,75 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Christian Storm <christian.storm@siemens.com>
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+SWU_IMAGE_FILE ?= "${PN}-${DISTRO}-${MACHINE}.swu"
+SWU_DESCRIPTION_FILE ?= "sw-description"
+SWU_ADDITIONAL_FILES ?= ""
+SWU_SIGNED ?= ""
+SWU_SIGNATURE_EXT ?= "sig"
+SWU_SIGNATURE_TYPE ?= "rsa"
+
+IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+
+do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
+do_swupdate_image[cleandirs] += "${WORKDIR}/swu"
+do_swupdate_image() {
+ rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+ cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+
+ # Create symlinks for files used in the update image
+ for file in ${SWU_ADDITIONAL_FILES}; do
+ if [ -e "${WORKDIR}/$file" ]; then
+ ln -s "${WORKDIR}/$file" "${WORKDIR}/swu/$file"
+ else
+ ln -s "${DEPLOY_DIR_IMAGE}/$file" "${WORKDIR}/swu/$file"
+ fi
+ done
+
+ # Prepare for signing
+ sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}'
+ if [ -n "$sign" ]; then
+ image_do_mounts
+ cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key'
+ test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt'
+
+ # Fill in file check sums
+ for file in ${SWU_ADDITIONAL_FILES}; do
+ sed -i "s:$file-sha256:$(sha256sum '${WORKDIR}/swu/'$file | cut -f 1 -d ' '):g" \
+ '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+ done
+ fi
+
+ cd "${WORKDIR}/swu"
+ for file in '${SWU_DESCRIPTION_FILE}' ${SWU_ADDITIONAL_FILES}; do
+ echo "$file"
+ if [ -n "$sign" -a \
+ '${SWU_DESCRIPTION_FILE}' = "$file" ]; then
+ if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then
+ sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl dgst \
+ -sha256 -sign '${PP_WORK}/dev.key' \
+ '${PP_WORK}/swu/'"$file" \
+ > '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}'
+ elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then
+ sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl cms \
+ -sign -in '${PP_WORK}/swu/'"$file" \
+ -out '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}' \
+ -signer '${PP_WORK}/dev.crt' \
+ -inkey '${PP_WORK}/dev.key' \
+ -outform DER -nosmimecap -binary
+ fi
+ echo "$file".'${SWU_SIGNATURE_EXT}'
+ fi
+ done | cpio -ovL -H crc \
+ > '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+ cd -
+}
+
+addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template
diff --git a/recipes-core/swupdate/files/debian/changelog.tmpl b/recipes-core/swupdate/files/debian/changelog.tmpl
new file mode 100644
index 0000000..81087d3
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/changelog.tmpl
@@ -0,0 +1,6 @@
+swupdate (${PV}) unstable; urgency=medium
+
+ * SWUpdate
+
+ -- Christian Storm <christian.storm@siemens.com> Thu, 31 Jan 2019 15:23:56 +0100
+
diff --git a/recipes-core/swupdate/files/debian/compat b/recipes-core/swupdate/files/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/recipes-core/swupdate/files/debian/control.tmpl b/recipes-core/swupdate/files/debian/control.tmpl
new file mode 100644
index 0000000..2b92850
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/control.tmpl
@@ -0,0 +1,15 @@
+Source: swupdate
+Section: embedded
+Priority: optional
+Maintainer: Stefano Babic <sbabic@denx.de>
+Build-Depends: ${BUILD_DEB_DEPENDS}
+Standards-Version: 4.2.1
+Homepage: http://sbabic.github.io/swupdate
+
+Package: swupdate
+Architecture: any
+Depends: ${DEBIAN_DEPENDS}
+Description: reliable way to update an embedded system
+ This project is thought to help to update an embedded system from a storage media or from network.
+ However, it should be mainly considered as a framework, where further protocols or installers
+ (in SWUpdate they are called handlers) can be easily added to the application.
diff --git a/recipes-core/swupdate/files/debian/copyright b/recipes-core/swupdate/files/debian/copyright
new file mode 100644
index 0000000..f920942
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/copyright
@@ -0,0 +1,36 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: swupdate
+Maintainer: Stefano Babic <sbabic@denx.de>
+Source: http://github.com/sbabic/swupdate
+
+Files: *
+Copyright: 2014-2017 Stefano Babic <sbabic@denx.de>
+
+License: GPL-2 with OpenSSL exception
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ In addition, as a special exception, the author of this
+ program gives permission to link the code of its
+ release with the OpenSSL project's "OpenSSL" library (or
+ with modified versions of it that use the same license as
+ the "OpenSSL" library), and distribute the linked
+ executables. You must obey the GNU General Public
+ License in all respects for all of the code used other
+ than "OpenSSL". If you modify this file, you may extend
+ this exception to your version of the file, but you are
+ not obligated to do so. If you do not wish to do so,
+ delete this exception statement from your version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/recipes-core/swupdate/files/debian/rules.tmpl b/recipes-core/swupdate/files/debian/rules.tmpl
new file mode 100755
index 0000000..54cca57
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/rules.tmpl
@@ -0,0 +1,30 @@
+#!/usr/bin/make -f
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+export CC=$(DEB_HOST_GNU_TYPE)-gcc
+export LD=$(DEB_HOST_GNU_TYPE)-gcc
+endif
+
+export DH_VERBOSE = 1
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
+
+documentation: configure
+ make man
+
+configure:
+ make ${DEFCONFIG}
+
+build: documentation configure
+ dh $@
+
+%:
+ echo $@
+ dh $@
+
+override_dh_installchangelogs:
+ true
+
+override_dh_installdocs:
+ true
diff --git a/recipes-core/swupdate/files/debian/swupdate.examples b/recipes-core/swupdate/files/debian/swupdate.examples
new file mode 100644
index 0000000..c257b75
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.examples
@@ -0,0 +1,2 @@
+examples/configuration
+examples/description
diff --git a/recipes-core/swupdate/files/debian/swupdate.install b/recipes-core/swupdate/files/debian/swupdate.install
new file mode 100644
index 0000000..8957cc6
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.install
@@ -0,0 +1,2 @@
+swupdate usr/bin
+swupdate.cfg /etc
diff --git a/recipes-core/swupdate/files/debian/swupdate.manpages b/recipes-core/swupdate/files/debian/swupdate.manpages
new file mode 100644
index 0000000..c3438e0
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.manpages
@@ -0,0 +1,5 @@
+doc/build/man/swupdate.1
+doc/build/man/client.1
+doc/build/man/sendtohawkbit.1
+doc/build/man/hawkbitcfg.1
+doc/build/man/progress.1
diff --git a/recipes-core/swupdate/files/debian/swupdate.tmpfile b/recipes-core/swupdate/files/debian/swupdate.tmpfile
new file mode 100644
index 0000000..4743672
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.tmpfile
@@ -0,0 +1,2 @@
+X /tmp/datadst
+X /tmp/scripts
diff --git a/recipes-core/swupdate/files/debian/watch b/recipes-core/swupdate/files/debian/watch
new file mode 100644
index 0000000..bc4c53e
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/watch
@@ -0,0 +1,12 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 4 file
+version=4
+
+# GitHub hosted projects
+opts="filenamemangle="s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%<project>-$1.tar.gz%" \
+ https://github.com/<user>/swupdate/tags \
+ (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
diff --git a/recipes-core/swupdate/files/postinst b/recipes-core/swupdate/files/postinst
new file mode 100644
index 0000000..f15ac10
--- /dev/null
+++ b/recipes-core/swupdate/files/postinst
@@ -0,0 +1,2 @@
+#!/bin/sh
+deb-systemd-helper enable swupdate.socket || true
diff --git a/recipes-core/swupdate/files/swupdate.cfg b/recipes-core/swupdate/files/swupdate.cfg
new file mode 100644
index 0000000..e0222f1
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.cfg
@@ -0,0 +1,6 @@
+globals :
+{
+ verbose = true;
+ loglevel = 10;
+ syslog = false;
+};
diff --git a/recipes-core/swupdate/files/swupdate.service.example b/recipes-core/swupdate/files/swupdate.service.example
new file mode 100644
index 0000000..d0b821e
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.service.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate daemon
+Documentation=https://github.com/sbabic/swupdate
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/swupdate -f /etc/swupdate.cfg
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.example b/recipes-core/swupdate/files/swupdate.socket.example
new file mode 100644
index 0000000..2b75671
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.tmpl b/recipes-core/swupdate/files/swupdate.socket.tmpl
new file mode 100644
index 0000000..8e7fc1d
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.tmpl
@@ -0,0 +1,13 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+SocketUser=${SWUPDATE_SOCKET_OWNER}
+SocketGroup=root
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate_defconfig b/recipes-core/swupdate/files/swupdate_defconfig
new file mode 100644
index 0000000..9ae7cb5
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig
@@ -0,0 +1,83 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Swupdate Configuration
+#
+CONFIG_HAVE_DOT_CONFIG=y
+
+#
+# Swupdate Settings
+#
+
+#
+# General Configuration
+#
+# CONFIG_CURL is not set
+# CONFIG_CURL_SSL is not set
+CONFIG_SYSTEMD=y
+CONFIG_SCRIPTS=y
+# CONFIG_HW_COMPATIBILITY is not set
+CONFIG_SW_VERSIONS_FILE="/etc/sw-versions"
+
+#
+# Socket Paths
+#
+CONFIG_SOCKET_CTRL_PATH="/tmp/sockinstctrl"
+CONFIG_SOCKET_PROGRESS_PATH="/tmp/swupdateprog"
+CONFIG_SOCKET_REMOTE_HANDLER_DIRECTORY="/tmp/"
+# CONFIG_MTD is not set
+# CONFIG_LUA is not set
+# CONFIG_LUAPKG is not set
+# CONFIG_FEATURE_SYSLOG is not set
+
+#
+# Build Options
+#
+CONFIG_CROSS_COMPILE=""
+CONFIG_SYSROOT=""
+CONFIG_EXTRA_CFLAGS=""
+CONFIG_EXTRA_LDFLAGS=""
+CONFIG_EXTRA_LDLIBS=""
+
+#
+# Debugging Options
+#
+# CONFIG_DEBUG is not set
+# CONFIG_WERROR is not set
+# CONFIG_NOCLEANUP is not set
+# CONFIG_BOOTLOADER_EBG is not set
+# CONFIG_UBOOT is not set
+# CONFIG_BOOTLOADER_NONE is not set
+# CONFIG_BOOTLOADER_GRUB is not set
+# CONFIG_DOWNLOAD is not set
+# CONFIG_DOWNLOAD_SSL is not set
+# CONFIG_CHANNEL_CURL is not set
+# CONFIG_HASH_VERIFY=y
+# CONFIG_SIGNED_IMAGES is not set
+# CONFIG_ENCRYPTED_IMAGES is not set
+# CONFIG_SURICATTA is not set
+# CONFIG_WEBSERVER is not set
+CONFIG_GUNZIP=y
+
+#
+# Parser Features
+#
+CONFIG_LIBCONFIG=y
+CONFIG_PARSERROOT=""
+# CONFIG_JSON is not set
+# CONFIG_LUAEXTERNAL is not set
+# CONFIG_SETEXTPARSERNAME is not set
+# CONFIG_SETSWDESCRIPTION is not set
+
+#
+# Image Handlers
+#
+CONFIG_RAW=y
+# CONFIG_LUASCRIPTHANDLER is not set
+# CONFIG_SHELLSCRIPTHANDLER is not set
+# CONFIG_HANDLER_IN_LUA is not set
+# CONFIG_EMBEDDED_LUA_HANDLER is not set
+# CONFIG_EMBEDDED_LUA_HANDLER_SOURCE is not set
+CONFIG_ARCHIVE=y
+# CONFIG_REMOTE_HANDLER is not set
+# CONFIG_SWUFORWARDER_HANDLER is not set
+# CONFIG_BOOTLOADERHANDLER is not set
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
new file mode 100644
index 0000000..8e3688c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
@@ -0,0 +1,3 @@
+CONFIG_BOOTLOADER_NONE=n
+CONFIG_BOOTLOADER_EBG=y
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
new file mode 100644
index 0000000..b39f9df
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
@@ -0,0 +1,2 @@
+CONFIG_LUA=y
+CONFIG_LUAPKG="lua53"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
new file mode 100644
index 0000000..b4a2de8
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
@@ -0,0 +1,4 @@
+CONFIG_LUASCRIPTHANDLER=y
+CONFIG_HANDLER_IN_LUA=y
+CONFIG_EMBEDDED_LUA_HANDLER=y
+CONFIG_EMBEDDED_LUA_HANDLER_SOURCE="swupdate_handlers.lua"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
new file mode 100644
index 0000000..eab98dd
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
@@ -0,0 +1 @@
+CONFIG_MTD=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
new file mode 100644
index 0000000..6b5832a
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
@@ -0,0 +1,3 @@
+CONFIG_UBOOT=y
+CONFIG_UBOOT_FWENV="/etc/fw_env.config"
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
new file mode 100644
index 0000000..d1c7732
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
@@ -0,0 +1,6 @@
+CONFIG_UBIVOL=y
+CONFIG_UBIATTACH=y
+CONFIG_UBIBLACKLIST=""
+CONFIG_UBIWHITELIST=""
+CONFIG_UBIVIDOFFSET=0
+CONFIG_CFI=y
diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
new file mode 100644
index 0000000..f2ecc54
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -0,0 +1,453 @@
+--[[
+
+ Round-robin Image and File Handler.
+
+ Copyright (C) 2019, Siemens AG
+
+ Author: Christian Storm <christian.storm@siemens.com>
+
+ SPDX-License-Identifier: GPL-2.0-or-later
+
+ An `sw-description` file using these handlers may look like:
+ software =
+ {
+ version = "0.1.0";
+ images: ({
+ filename = "rootfs.ext4";
+ device = "sda4,sda5";
+ type = "roundrobin";
+ compressed = false;
+ });
+ files: ({
+ filename = "vmlinuz";
+ path = "vmlinuz";
+ type = "kernelfile";
+ device = "sda2,sda3";
+ filesystem = "vfat";
+ },
+ {
+ filename = "initrd.img";
+ path = "initrd.img";
+ type = "kernelfile";
+ device = "sda2,sda3";
+ filesystem = "vfat";
+ });
+ }
+
+ The semantics is as follows: Instead of having a fixed target device,
+ the 'roundrobin' image handler calculates the target device by parsing
+ /proc/cmdline, matching the root=<device> kernel parameter against its
+ 'device' attribute's list of devices, and sets the actual target
+ device to the next 'device' attribute list entry in a round-robin
+ manner. The actual flashing is done via chain-calling another handler,
+ defaulting to the "raw" handler.
+
+ The 'kernelfile' file handler reuses the 'roundrobin' handler's target
+ device calculation by reading the actual target device from the same
+ index into its 'device' attribute's list of devices. The actual placing
+ of files into this partition is done via chain-calling another handler,
+ defaulting to the "rawfile" handler.
+
+ In the above example, if /dev/sda4 is currently booted according to
+ /proc/cmdline, /dev/sda5 will be flashed and the vmlinuz and initrd.img
+ files will be placed on /dev/sda3. If /dev/sda5 is booted, /dev/sda4
+ will be flashed and the vmlinuz and initrd.img files are placed on
+ /dev/sda2.
+ In addition to "classical" device nodes as in this example, partition
+ UUIDs as reported, e.g., by `blkid -s PARTUUID` are also supported.
+ UBI volumes are supported as well by specifying a CSV list of
+ ubi<number>:<label> items.
+
+ Configuration is done via an INI-style configuration file located at
+ /etc/swupdate.handler.ini or via compiled-in configuration (by
+ embedding the Lua handler script into the SWUpdate binary via using
+ CONFIG_EMBEDDED_LUA_HANDLER), the latter having precedence over the
+ former. See the example configuration below.
+ If uncommenting this example block, it will take precedence over any
+ /etc/swupdate.handler.ini configuration file.
+
+ The chain-called handlers can either be specified in the configuration,
+ i.e., a static run-time setting, or via the 'chainhandler' property of
+ an 'image' or 'file' section in the sw-description, with the latter
+ taking precedence over the former, e.g.,
+ ...
+ images: ({
+ filename = "rootfs.ext4";
+ device = "sda4,sda5";
+ type = "roundrobin";
+ properties: {
+ chainhandler = "myraw";
+ };
+ });
+ ...
+ Such a sw-description fragment will chain-call the imaginary "myraw"
+ handler regardless of what's been configured in the compiled-in or the
+ configuration file.
+ When chain-calling the "rdiff_image" handler, its 'rdiffbase' property
+ is subject to round-robin as well, i.e., the 'rdiffbase' property is
+ expected to be a CSV list as for the 'device' property, and the actual
+ 'rdiffbase' property value is calculated following the same round-robin
+ calculation mechanism stated above prior to chain-calling the actual
+ "rdiff_image" handler, e.g.,
+ images: ({
+ filename = "rootfs.ext4";
+ type = "roundrobin";
+ device = "sda4,sda5";
+ properties: {
+ chainhandler = "rdiff_image";
+ rdiffbase="sda1,sda2";
+ };
+ });
+ will set the 'rdiffbase' property to /dev/sda2 (/dev/sda1) if /dev/sda4
+ (/dev/sda5) is the currently booted root file system according to
+ /proc/cmdline parsing.
+
+]]
+
+
+local configuration = [[
+[bootloader]
+# Required: bootloader name, uboot and ebg currently supported.
+name=ebg
+# Required: bootloader-specific key-value pairs, e.g., for ebg:
+kernelname=linux.signed.efi
+# For relying on FAT labels, prefix bootlabels with 'L:', e.g., L:BOOT0.
+# For using custom labels, i.e., relying on the contents of an EFILABEL
+# file within the partition, prefix it with 'C:', e.g., C:BOOT0.
+bootlabel={ "C:BOOT0:", "C:BOOT1:" }
+
+# Optional: handler to chain-call for the 'roundrobin' handler,
+# defaulting to 'raw'
+[roundrobin]
+chainhandler=raw
+
+# Optional: handler to chain-call for the 'kernelfile' handler,
+# defaulting to 'rawfile'
+[kernelfile]
+chainhandler=rawfile
+]]
+
+-- Default configuration file, tried if no compiled-in config is available.
+local cfgfile = "/etc/swupdate.handler.ini"
+
+-- Table holding the configuration.
+local config = {}
+
+-- Mandatory configuration [section] and keys
+local BOOTLOADERCFG = {
+ ebg = {
+ bootloader = {"name", "bootlabel", "kernelname"}
+ },
+ -- TODO fill with mandatory U-Boot configuration
+ uboot = {
+ bootloader = {"name"}
+ }
+}
+
+-- enum-alikes to make code more readable
+local BOOTLOADER = { EBG = "ebg", UBOOT = "uboot" }
+local PARTTYPE = { UUID = 1, PLAIN = 2, UBI = 3 }
+
+-- Target table describing the target device the image is to be/has been flashed to.
+local rrtarget = {
+ size = function(self)
+ local _size = 0
+ for index in pairs(self) do _size = _size + 1 end
+ return _size - 1
+ end
+}
+
+-- Helper function parsing CSV fields of a struct img_type such as
+-- the "device" fields or the "rdiffbase" property.
+local get_device_list = function(device_node_csv_list)
+ local device_list = {}
+ for item in device_node_csv_list:gmatch("([^,]+)") do
+ local device_node = item:gsub("/dev/", "")
+ device_list[#device_list+1] = device_node
+ device_list[device_node] = #device_list
+ end
+ return device_list
+end
+
+-- Helper function to determine device node location.
+local get_device_path = function(device_node)
+ if device_node:match("ubi%d+:%S+") then
+ return 0, device_node, PARTTYPE.UBI
+ end
+ local device_path = string.format("/dev/disk/by-partuuid/%s", device_node)
+ local file = io.open(device_path, "rb" )
+ if file then
+ file:close()
+ return 0, device_path, PARTTYPE.UUID
+ end
+ device_path = string.format("/dev/%s", device_node)
+ file = io.open(device_path, "rb" )
+ if file then
+ file:close()
+ return 0, device_path, PARTTYPE.PLAIN
+ end
+ swupdate.error(string.format("Cannot access target device node /dev/{,disk/by-partuuid}/%s", device_node))
+ return 1, nil, nil
+end
+
+-- Helper function parsing the INI-style configuration.
+local get_config = function()
+ -- Return configuration right away if it's already parsed.
+ if config ~= nil and #config > 0 then
+ return config
+ end
+
+ -- Get configuration INI-style string.
+ if not configuration then
+ swupdate.trace(string.format("No compiled-in config found, trying %s", cfgfile))
+ local file = io.open(cfgfile, "r" )
+ if not file then
+ swupdate.error(string.format("Cannot open config file %s", cfgfile))
+ return nil
+ end
+ configuration = file:read("*a")
+ file:close()
+ end
+ if configuration:sub(-1) ~= "\n" then
+ configuration=configuration.."\n"
+ end
+
+ -- Parse INI-style contents into config table.
+ local sec, key, value
+ for line in configuration:gmatch("(.-)\n") do
+ if line:match("^%[([%w%p]+)%][%s]*") then
+ sec = line:match("^%[([%w%p]+)%][%s]*")
+ config[sec] = {}
+ elseif sec then
+ key, value = line:match("^([%w%p]-)=(.*)$")
+ if key and value then
+ if tonumber(value) then value = tonumber(value) end
+ if value == "true" then value = true end
+ if value == "false" then value = false end
+ if value:sub(1,1) == "{" then
+ local _value = {}
+ for _key, _ in value:gmatch("\"(%S+)\"") do
+ table.insert(_value, _key)
+ end
+ value = _value
+ end
+ config[sec][key] = value
+ else
+ if not line:match("^$") and not line:match("^#") then
+ swupdate.warn(string.format("Syntax error, skipping '%s'", line))
+ end
+ end
+ else
+ swupdate.error(string.format("Syntax error. no [section] encountered."))
+ return nil
+ end
+ end
+
+ -- Check config table for mandatory key existence.
+ if config["bootloader"] == nil or config["bootloader"]["name"] == nil then
+ swupdate.error(string.format("Syntax error. no [bootloader] encountered or name= missing therein."))
+ return nil
+ end
+ local bcfg = BOOTLOADERCFG[config.bootloader.name]
+ if not bcfg then
+ swupdate.error(string.format("Bootloader unsupported, name=uboot|ebg missing in [bootloader]?."))
+ return nil
+ end
+ for sec, _ in pairs(bcfg) do
+ for _, key in pairs(bcfg[sec]) do
+ if config[sec] == nil or config[sec][key] == nil then
+ swupdate.error(string.format("Mandatory config key %s= in [%s] not found.", key, sec))
+ end
+ end
+ end
+
+ return config
+end
+
+-- Round-robin image handler for updating the root partition.
+function handler_roundrobin(image)
+ -- Read configuration.
+ if not get_config() then
+ swupdate.error("Cannot read configuration.")
+ return 1
+ end
+
+ -- Check if we can chain-call the handler.
+ local chained_handler = "raw"
+ if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+ chained_handler = image.properties["chainhandler"]
+ elseif config["roundrobin"] ~= nil and config["roundrobin"]["chainhandler"] ~= nil then
+ chained_handler = config["roundrobin"]["chainhandler"]
+ end
+ if not swupdate.handler[chained_handler] then
+ swupdate.error(string.format("'%s' handler not available in SWUpdate distribution.", chained_handler))
+ return 1
+ end
+
+ -- Get device list for round-robin.
+ local devices = get_device_list(image.device)
+ if #devices < 2 then
+ swupdate.error("Specify at least 2 devices in the device= property for 'roundrobin'.")
+ return 1
+ end
+
+ -- Check that rrtarget is unset, else a reboot may be pending.
+ if rrtarget:size() > 0 then
+ swupdate.warn("The 'roundrobin' handler has been run. Is a reboot pending?")
+ end
+
+ -- Determine current root device.
+ local file = io.open("/proc/cmdline", "r")
+ if not file then
+ swupdate.error("Cannot open /proc/cmdline.")
+ return 1
+ end
+ local cmdline = file:read("*l")
+ file:close()
+
+ local rootparam, rootdevice
+ for item in cmdline:gmatch("%S+") do
+ rootparam, rootdevice = item:match("(root=[%u=]*[/dev/]*(%S+))")
+ if rootparam and rootdevice then break end
+ end
+ if not rootdevice then
+ -- Use findmnt to get the rootdev
+ rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
+ if not rootdevice then
+ swupdate.error("Cannot determine current root device.")
+ return 1
+ end
+ end
+ swupdate.info(string.format("Current root device is: %s", rootdevice))
+
+ if not devices[rootdevice] then
+ swupdate.error(string.format("Current root device '%s' is not in round-robin root devices list: %s", rootdevice, image.device:gsub("/dev/", "")))
+ return 1
+ end
+
+ -- Perform round-robin calculation for target.
+ local err
+ rrtarget.index = devices[rootdevice] % #devices + 1
+ rrtarget.device_node = devices[rrtarget.index]
+ err, rrtarget.device_path, rrtarget.parttype = get_device_path(devices[rrtarget.index])
+ if err ~= 0 then
+ return 1
+ end
+ swupdate.info(string.format("Using '%s' as 'roundrobin' target via '%s' handler.", rrtarget.device_path, chained_handler))
+
+ -- If the chain-called handler is rdiff_image, adapt the rdiffbase property
+ if chained_handler == "rdiff_image" then
+ if image.properties ~= nil and image.properties["rdiffbase"] ~= nil then
+ local rdiffbase_devices = get_device_list(image.properties["rdiffbase"])
+ if #rdiffbase_devices < 2 then
+ swupdate.error("Specify at least 2 devices in the rdiffbase= property for 'roundrobin'.")
+ return 1
+ end
+ err, image.propierties["rdiffbase"], _ = get_device_path(rdiffbase_devices[rrtarget.index])
+ if err ~= 0 then
+ return 1
+ end
+ swupdate.info(string.format("Using device %s as rdiffbase.", image.properties["rdiffbase"]))
+ else
+ swupdate.error("Property 'rdiffbase' is missing in sw-description.")
+ return 1
+ end
+ end
+
+ -- Actually flash the partition.
+ local msg
+ image.type = chained_handler
+ image.device = rrtarget.device_path
+ err, msg = swupdate.call_handler(chained_handler, image)
+ if err ~= 0 then
+ swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+ return 1
+ end
+
+ if config.bootloader.name == BOOTLOADER.EBG then
+ if rootparam then
+ local value = cmdline:gsub(
+ rootparam:gsub("%-", "%%-"),
+ string.format("root=%s%s",
+ (rrtarget.parttype == PARTTYPE.PLAIN and "") or (rrtarget.parttype == PARTTYPE.UBI and "") or "PARTUUID=",
+ rrtarget.parttype == PARTTYPE.PLAIN and rrtarget.device_path or devices[rrtarget.index]
+ )
+ )
+ swupdate.info(string.format("Setting EFI Bootguard environment: kernelparams=%s", value))
+ swupdate.set_bootenv("kernelparams", value)
+ end
+ elseif config.bootloader.name == BOOTLOADER.UBOOT then
+ -- Update U-Boot environment.
+ swupdate.info(string.format("Setting U-Boot environment"))
+ local value = rrtarget.index
+ swupdate.set_bootenv("swupdpart", value);
+ end
+
+ return 0
+end
+
+-- File handler for updating kernel files.
+function handler_kernelfile(image)
+ -- Check if we can chain-call the handler.
+ local chained_handler = "rawfile"
+ if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+ chained_handler = image.properties["chainhandler"]
+ elseif config["kernelfile"] ~= nil and config["kernelfile"]["chainhandler"] ~= nil then
+ chained_handler = config["kernelfile"]["chainhandler"]
+ end
+ if not swupdate.handler[chained_handler] then
+ swupdate.error(string.format("'%s' handler not available in SWUpdate distribution."), chained_handler)
+ return 1
+ end
+
+ -- Check that rrtarget is set, else the 'roundrobin' handler hasn't been run.
+ if rrtarget:size() == 0 then
+ swupdate.error("The 'roundrobin' handler hasn't been run.")
+ swupdate.info("Place 'roundrobin' above 'kernelfile' in sw-description.")
+ return 1
+ end
+
+ -- Get device list for round-robin.
+ local devices = get_device_list(image.device)
+ if #devices < 2 then
+ swupdate.error("Specify at least 2 devices in the device= property for 'kernelfile'.")
+ return 1
+ end
+ if rrtarget.index > #devices then
+ swupdate.error("Cannot map kernel partition to root partition.")
+ return 1
+ end
+
+ -- Perform round-robin indexing for target.
+ local err
+ err, image.device, _ = get_device_path(devices[rrtarget.index])
+ if err ~= 0 then
+ return 1
+ end
+ swupdate.info(string.format("Using '%s' as 'kernelfile' target via '%s' handler.", image.device, chained_handler))
+
+ -- Actually copy the 'kernelfile' files.
+ local msg
+ image.type = chained_handler
+ err, msg = swupdate.call_handler(chained_handler, image)
+ if err ~= 0 then
+ swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+ return 1
+ end
+
+ if config.bootloader.name == BOOTLOADER.EBG then
+ -- Update EFI Boot Guard environment: kernelfile
+ local value = string.format("%s%s", config.bootloader.bootlabel[rrtarget.index], config.bootloader.kernelname)
+ swupdate.info(string.format("Setting EFI Bootguard environment: kernelfile=%s", value))
+ swupdate.set_bootenv("kernelfile", value)
+ elseif config.bootloader.name == BOOTLOADER.UBOOT then
+ -- Update U-Boot environment.
+ swupdate.info(string.format("Setting U-Boot environment"))
+ -- TODO
+ end
+
+ return 0
+end
+
+swupdate.register_handler("roundrobin", handler_roundrobin, swupdate.HANDLER_MASK.IMAGE_HANDLER)
+swupdate.register_handler("kernelfile", handler_kernelfile, swupdate.HANDLER_MASK.FILE_HANDLER)
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
new file mode 100644
index 0000000..95cf73a
--- /dev/null
+++ b/recipes-core/swupdate/swupdate.bb
@@ -0,0 +1,54 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+hDESCRIPTION = "swupdate utility for software updates"
+HOMEPAGE= "https://github.com/sbabic/swupdate"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+SRC_URI = "git://github.com/sbabic/swupdate.git;branch=master;protocol=https"
+
+SRCREV = "1a6dfbb5a0be978ac1a159758e278ab4d44167e2"
+PV = "2020.4-git+isar"
+
+DEFCONFIG := "swupdate_defconfig"
+
+SRC_URI += "file://debian \
+ file://${DEFCONFIG} \
+ file://${PN}.cfg"
+
+DEPENDS += "libubootenv"
+
+DEBIAN_DEPENDS = "${shlibs:Depends}, ${misc:Depends}"
+
+inherit dpkg
+inherit swupdate-config
+
+KFEATURES += "luahandler"
+
+S = "${WORKDIR}/git"
+
+TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl debian/rules.tmpl"
+TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS"
+
+do_prepare_build() {
+ DEBDIR=${S}/debian
+ cp -R ${WORKDIR}/debian ${S}
+
+ install -m 0644 ${WORKDIR}/${PN}.cfg ${S}/swupdate.cfg
+ install -m 0644 ${WORKDIR}/${DEFCONFIG}.gen ${S}/configs/${DEFCONFIG}
+
+ if ! grep -q "configs/${DEFCONFIG}" ${S}/.gitignore
+ then
+ echo "configs/${DEFCONFIG}" >> ${S}/.gitignore
+ fi
+ # luahandler
+ install -m 0644 ${WORKDIR}/${SWUPDATE_LUASCRIPT} ${S}
+}
--
2.20.1


[isar-cip-core PATCH v2 4/5] wic: Add wks files for A/B Partition update

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add wks for:
- simatic-ipc227e
- qemu-amd64

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas/opt/ebg-swu.yml | 26 ++++++++++++++++++++++++++
wic/ebg-sysparts.inc | 8 ++++++++
wic/qemu-amd64-efibootguard.wks | 5 +++++
wic/simatic-ipc227e-efibootguard.wks | 5 +++++
wic/swupdate-partition.inc | 4 ++++
5 files changed, 48 insertions(+)
create mode 100644 kas/opt/ebg-swu.yml
create mode 100644 wic/ebg-sysparts.inc
create mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 100644 wic/swupdate-partition.inc

diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
new file mode 100644
index 0000000..5b39730
--- /dev/null
+++ b/kas/opt/ebg-swu.yml
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+local_conf_header:
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate efibootguard"
+ BOOTLOADER = "efibootguard"
+
+ efibootguard: |
+ WDOG_TIMEOUT = "0"
+ WICVARS += "WDOG_TIMEOUT"
+
+ wic: |
+ IMAGE_TYPE = "wic-img"
+ WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks"
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
new file mode 100644
index 0000000..dea99e8
--- /dev/null
+++ b/wic/ebg-sysparts.inc
@@ -0,0 +1,8 @@
+# default partition layout EFI Boot Guard usage
+
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000002"
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
new file mode 100644
index 0000000..3cd7360
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -0,0 +1,5 @@
+# short-description: Qemu-amd64 with Efibootguard and SWUpdate
+# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+include swupdate-partition.inc
diff --git a/wic/simatic-ipc227e-efibootguard.wks b/wic/simatic-ipc227e-efibootguard.wks
new file mode 100644
index 0000000..74446d3
--- /dev/null
+++ b/wic/simatic-ipc227e-efibootguard.wks
@@ -0,0 +1,5 @@
+# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate
+# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+include swupdate-partition.inc
diff --git a/wic/swupdate-partition.inc b/wic/swupdate-partition.inc
new file mode 100644
index 0000000..15fbe80
--- /dev/null
+++ b/wic/swupdate-partition.inc
@@ -0,0 +1,4 @@
+part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000001" --size 1000M --extra-space 128M --overhead-factor 1 --label systema --align 1024 --fstype=ext4
+part --source rootfs --uuid "fedcba98-7654-3210-cafe-5e0710000002" --size 1000M --extra-space 128M --overhead-factor 1 --label systemb --align 1024 --fstype=ext4
+
+bootloader --ptable gpt --append="console=tty0 console=ttyS0,115200 rootwait earlyprintk"
--
2.20.1


[isar-cip-core PATCH v2 1/5] recipes-bsp: Add efibootguard

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the bootloader efibootguard for A/B partition update
on x86 with EFI.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../efibootguard/efibootguard_0.7-git+isar.bb | 46 +++++
recipes-bsp/efibootguard/files/debian/compat | 1 +
.../efibootguard/files/debian/control.tmpl | 20 +++
.../files/debian/efibootguard-dev.install | 3 +
.../files/debian/efibootguard.install | 2 +
recipes-bsp/efibootguard/files/debian/rules | 21 +++
.../wic/plugins/source/efibootguard-boot.py | 162 ++++++++++++++++++
.../wic/plugins/source/efibootguard-efi.py | 102 +++++++++++
8 files changed, 357 insertions(+)
create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
create mode 100644 recipes-bsp/efibootguard/files/debian/compat
create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install
create mode 100755 recipes-bsp/efibootguard/files/debian/rules
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py

diff --git a/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
new file mode 100644
index 0000000..4bdf76a
--- /dev/null
+++ b/recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
@@ -0,0 +1,46 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "efibootguard boot loader"
+DESCRIPTION_DEV = "efibootguard development library"
+HOMEPAGE = "https://github.com/siemens/efibootguard"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>"
+
+SRC_URI = "git://github.com/siemens/efibootguard.git;branch=master;protocol=https \
+ file://debian \
+ "
+
+S = "${WORKDIR}/git"
+
+SRCREV = "442e87bafb480ada2b9074f02350a30408d4cf9c"
+
+PROVIDES = "${PN}"
+PROVIDES += "${PN}-dev"
+
+BUILD_DEB_DEPENDS = "gnu-efi,libpci-dev,check,pkg-config,libc6-dev-i386"
+
+inherit dpkg
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "DESCRIPTION_DEV BUILD_DEB_DEPENDS"
+
+do_prepare_build() {
+ cp -R ${WORKDIR}/debian ${S}
+ deb_add_changelog
+}
+
+dpkg_runbuild_append() {
+ install -m 0755 -d ${DEPLOY_DIR_IMAGE}
+ install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
+ install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
+}
diff --git a/recipes-bsp/efibootguard/files/debian/compat b/recipes-bsp/efibootguard/files/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/recipes-bsp/efibootguard/files/debian/control.tmpl b/recipes-bsp/efibootguard/files/debian/control.tmpl
new file mode 100644
index 0000000..54b1994
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/control.tmpl
@@ -0,0 +1,20 @@
+Source: ${PN}
+Section: base
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${BUILD_DEB_DEPENDS}
+Homepage: ${HOMEPAGE}
+Maintainer: ${MAINTAINER}
+
+Package: ${PN}
+Depends: ${shlibs:Depends}
+Section: base
+Architecture: ${DISTRO_ARCH}
+Priority: required
+Description: ${DESCRIPTION}
+
+Package: ${PN}-dev
+Section: base
+Architecture: ${DISTRO_ARCH}
+Priority: optional
+Description: ${DESCRIPTION_DEV}
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
new file mode 100644
index 0000000..7b45bd8
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
@@ -0,0 +1,3 @@
+include/ebgenv.h usr/include/efibootguard
+libebgenv.a usr/lib/x86_64-linux-gnu
+
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
new file mode 100644
index 0000000..8a8d9d3
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
@@ -0,0 +1,2 @@
+bg_setenv usr/bin
+bg_printenv usr/bin
diff --git a/recipes-bsp/efibootguard/files/debian/rules b/recipes-bsp/efibootguard/files/debian/rules
new file mode 100755
index 0000000..82e9e0e
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/rules
@@ -0,0 +1,21 @@
+#!/usr/bin/make -f
+export DH_VERBOSE=1
+export DEB_BUILD_OPTIONS=hardening=-stackprotector
+export DPKG_EXPORT_BUILDFLAGS=1
+include /usr/share/dpkg/default.mk
+
+override_dh_auto_test:
+ # we do not run the tests; that avoids having to pull the fff submodule
+
+override_dh_auto_install:
+ # install using Debian's .install files rather than
+ # make install in order to have a proper package split.
+
+override_dh_installchangelogs:
+ # we're not interested in changelogs
+
+override_dh_installdocs:
+ # we're not interested in docs
+
+%:
+ dh $@ --with autoreconf
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
new file mode 100644
index 0000000..38d2b2e
--- /dev/null
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -0,0 +1,162 @@
+# ex:ts=4:sw=4:sts=4:et
+# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
+#
+# Copyright (c) 2014, Intel Corporation.
+# Copyright (c) 2018, Siemens AG.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# DESCRIPTION
+# This implements the 'efibootguard-boot' source plugin class for 'wic'
+#
+# AUTHORS
+# Tom Zanussi <tom.zanussi (at] linux.intel.com>
+# Claudius Heine <ch (at] denx.de>
+# Andreas Reichel <andreas.reichel.ext (at] siemens.com>
+# Christian Storm <christian.storm (at] siemens.com>
+
+import os
+import fnmatch
+import sys
+import logging
+
+msger = logging.getLogger('wic')
+
+from wic.pluginbase import SourcePlugin
+from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE
+
+class EfibootguardBootPlugin(SourcePlugin):
+ """
+ Create EFI Boot Guard partition hosting the
+ environment file plus Kernel files.
+ """
+
+ name = 'efibootguard-boot'
+
+ @classmethod
+ def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
+ oe_builddir, deploy_dir, kernel_dir,
+ rootfs_dir, native_sysroot):
+ """
+ Called to do the actual content population for a partition, i.e.,
+ populate an EFI Boot Guard environment partition plus Kernel files.
+ """
+
+ kernel_image = get_bitbake_var("KERNEL_IMAGE")
+ if not kernel_image:
+ msger.warning("KERNEL_IMAGE not set. Use default:")
+ kernel_image = "vmlinuz"
+ boot_image = kernel_image
+
+ initrd_image = get_bitbake_var("INITRD_IMAGE")
+ if not initrd_image:
+ msger.warning("INITRD_IMAGE not set\n")
+ initrd_image = "initrd.img"
+ bootloader = creator.ks.bootloader
+
+ deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
+ if not deploy_dir:
+ msger.error("DEPLOY_DIR_IMAGE not set, exiting\n")
+ sys.exit(1)
+ creator.deploy_dir = deploy_dir
+
+ wdog_timeout = get_bitbake_var("WDOG_TIMEOUT")
+ if not wdog_timeout:
+ msger.error("Specify watchdog timeout for \
+ efibootguard in local.conf with WDOG_TIMEOUT=")
+ exit(1)
+
+
+ boot_files = source_params.get("files", "").split(' ')
+ cmdline = bootloader.append
+ root_dev = source_params.get("root", None)
+ if not root_dev:
+ msger.error("Specify root in source params")
+ exit(1)
+ root_dev = root_dev.replace(":", "=")
+
+ cmdline += " root=%s rw" % root_dev
+ boot_files.append(kernel_image)
+ boot_files.append(initrd_image)
+ cmdline += "initrd=%s" % initrd_image if initrd_image else ""
+
+ part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
+ part.label, part.lineno)
+ create_dir_cmd = "install -d %s" % part_rootfs_dir
+ exec_cmd(create_dir_cmd)
+
+ cwd = os.getcwd()
+ os.chdir(part_rootfs_dir)
+ config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
+ % (
+ deploy_dir,
+ part.label.upper(),
+ boot_image,
+ '-a "%s"' % cmdline if cmdline else "",
+ source_params.get("revision", 1),
+ wdog_timeout
+ )
+ exec_cmd(config_cmd, True)
+ os.chdir(cwd)
+
+ boot_files = list(filter(None, boot_files))
+ for boot_file in boot_files:
+ if os.path.isfile("%s/%s" % (kernel_dir, kernel_image)):
+ install_cmd = "install -m 0644 %s/%s %s/%s" % \
+ (kernel_dir, boot_file, part_rootfs_dir, boot_file)
+ exec_cmd(install_cmd)
+ else:
+ msger.error("file %s not found in directory %s",
+ boot_file, kernel_dir)
+ exit(1)
+ cls._create_img(part_rootfs_dir, part, cr_workdir)
+
+ @classmethod
+ def _create_img(cls, part_rootfs_dir, part, cr_workdir):
+ # Write label as utf-16le to EFILABEL file
+ with open("%s/EFILABEL" % part_rootfs_dir, 'wb') as filedescriptor:
+ filedescriptor.write(part.label.upper().encode("utf-16le"))
+
+ du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
+ blocks = int(exec_cmd(du_cmd).split()[0])
+
+ extra_blocks = part.get_extra_block_count(blocks)
+ if extra_blocks < BOOTDD_EXTRA_SPACE:
+ extra_blocks = BOOTDD_EXTRA_SPACE
+
+ blocks += extra_blocks
+ blocks = blocks + (16 - (blocks % 16))
+
+ msger.debug("Added %d extra blocks to %s to get to %d total blocks",
+ extra_blocks, part.mountpoint, blocks)
+
+ # dosfs image, created by mkdosfs
+ bootimg = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno)
+
+ dosfs_cmd = "mkdosfs -F 16 -S 512 -n %s -C %s %d" % \
+ (part.label.upper(), bootimg, blocks)
+ exec_cmd(dosfs_cmd)
+
+ mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % (bootimg, part_rootfs_dir)
+ exec_cmd(mcopy_cmd, True)
+
+ chmod_cmd = "chmod 644 %s" % bootimg
+ exec_cmd(chmod_cmd)
+
+ du_cmd = "du -Lbks %s" % bootimg
+ bootimg_size = int(exec_cmd(du_cmd).split()[0])
+
+ part.size = bootimg_size
+ part.source_file = bootimg
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
new file mode 100644
index 0000000..5ee451f
--- /dev/null
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -0,0 +1,102 @@
+# ex:ts=4:sw=4:sts=4:et
+# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
+#
+# Copyright (c) 2014, Intel Corporation.
+# Copyright (c) 2018, Siemens AG.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# DESCRIPTION
+# This implements the 'efibootguard-efi' source plugin class for 'wic'
+#
+# AUTHORS
+# Tom Zanussi <tom.zanussi (at] linux.intel.com>
+# Claudius Heine <ch (at] denx.de>
+# Andreas Reichel <andreas.reichel.ext (at] siemens.com>
+# Christian Storm <christian.storm (at] siemens.com>
+
+import logging
+import os
+
+msger = logging.getLogger('wic')
+
+from wic.pluginbase import SourcePlugin
+from wic.utils.misc import exec_cmd, get_bitbake_var, BOOTDD_EXTRA_SPACE
+
+class EfibootguardEFIPlugin(SourcePlugin):
+ """
+ Create EFI bootloader partition containing the EFI Boot Guard Bootloader.
+ """
+
+ name = 'efibootguard-efi'
+
+ @classmethod
+ def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
+ oe_builddir, deploy_dir, kernel_dir,
+ rootfs_dir, native_sysroot):
+ """
+ Called to do the actual content population for a partition, i.e.,
+ populate an EFI boot partition containing the EFI Boot Guard
+ bootloader binary.
+ """
+ deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
+ creator.deploy_dir = deploy_dir
+ bootloader_files = source_params.get("bootloader")
+ if not bootloader_files:
+ bootloader_files = "bootx64.efi"
+ bootloader_files = bootloader_files.split(' ')
+ part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
+ part.label,
+ part.lineno)
+ create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
+ exec_cmd(create_dir_cmd)
+
+ for bootloader in bootloader_files:
+ cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir,
+ bootloader,
+ part_rootfs_dir,
+ bootloader)
+ exec_cmd(cp_cmd, True)
+ du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
+ blocks = int(exec_cmd(du_cmd).split()[0])
+
+ extra_blocks = part.get_extra_block_count(blocks)
+ if extra_blocks < BOOTDD_EXTRA_SPACE:
+ extra_blocks = BOOTDD_EXTRA_SPACE
+ blocks += extra_blocks
+ blocks = blocks + (16 - (blocks % 16))
+
+ msger.debug("Added %d extra blocks to %s to get to %d total blocks",
+ extra_blocks, part.mountpoint, blocks)
+
+ # dosfs image, created by mkdosfs
+ efi_part_image = "%s/%s.%s.img" % (cr_workdir, part.label, part.lineno)
+
+ dosfs_cmd = "mkdosfs -S 512 -n %s -C %s %d" % \
+ (part.label.upper(), efi_part_image, blocks)
+ exec_cmd(dosfs_cmd)
+
+ mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % \
+ (efi_part_image, part_rootfs_dir)
+ exec_cmd(mcopy_cmd, True)
+
+ chmod_cmd = "chmod 644 %s" % efi_part_image
+ exec_cmd(chmod_cmd)
+
+ du_cmd = "du -Lbks %s" % efi_part_image
+ efi_part_image_size = int(exec_cmd(du_cmd).split()[0])
+
+ part.size = efi_part_image_size
+ part.source_file = efi_part_image
--
2.20.1


[isar-cip-core PATCH v2 0/5] A/B Rootfs update with software update

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds efibootguard, swupdate to allow A/B updates in
cip-core. The update mechanism is currently only implemented for x86_64.

Changes V2:
- update efibootguard to v0.7
- add swdescription and kas option to build qemu-amd64 test image
- swupdate set to upstream mirror and no longer use gitsm

Quirin Gylstorff (5):
recipes-bsp: Add efibootguard
patches: add libubootenv
recipes-core: add swupdate
wic: Add wks files for A/B Partition update
swupdate: create swu file from wic image

classes/extract-partition.bbclass | 26 +
classes/kconfig-snippets.bbclass | 90 ++++
classes/swupdate-config.bbclass | 76 +++
classes/swupdate-img.bbclass | 75 +++
classes/wic-swu-img.bbclass | 20 +
.../0001-u-boot-add-libubootenv.patch | 169 +++++++
kas-cip.yml | 4 +
kas/opt/ebg-swu.yml | 26 +
kas/opt/qemu-swupdate.yml | 19 +
.../efibootguard/efibootguard_0.7-git+isar.bb | 46 ++
recipes-bsp/efibootguard/files/debian/compat | 1 +
.../efibootguard/files/debian/control.tmpl | 20 +
.../files/debian/efibootguard-dev.install | 3 +
.../files/debian/efibootguard.install | 2 +
recipes-bsp/efibootguard/files/debian/rules | 21 +
recipes-core/images/cip-core-image.bb | 10 +
recipes-core/images/files/sw-description.tmpl | 29 ++
.../swupdate/files/debian/changelog.tmpl | 6 +
recipes-core/swupdate/files/debian/compat | 1 +
.../swupdate/files/debian/control.tmpl | 15 +
recipes-core/swupdate/files/debian/copyright | 36 ++
recipes-core/swupdate/files/debian/rules.tmpl | 30 ++
.../swupdate/files/debian/swupdate.examples | 2 +
.../swupdate/files/debian/swupdate.install | 2 +
.../swupdate/files/debian/swupdate.manpages | 5 +
.../swupdate/files/debian/swupdate.tmpfile | 2 +
recipes-core/swupdate/files/debian/watch | 12 +
recipes-core/swupdate/files/postinst | 2 +
recipes-core/swupdate/files/swupdate.cfg | 6 +
.../swupdate/files/swupdate.service.example | 11 +
.../swupdate/files/swupdate.socket.example | 11 +
.../swupdate/files/swupdate.socket.tmpl | 13 +
.../swupdate/files/swupdate_defconfig | 83 ++++
.../swupdate_defconfig_efibootguard.snippet | 3 +
.../files/swupdate_defconfig_lua.snippet | 2 +
.../swupdate_defconfig_luahandler.snippet | 4 +
.../files/swupdate_defconfig_mtd.snippet | 1 +
.../files/swupdate_defconfig_u-boot.snippet | 3 +
.../files/swupdate_defconfig_ubi.snippet | 6 +
.../swupdate/files/swupdate_handlers.lua | 453 ++++++++++++++++++
recipes-core/swupdate/swupdate.bb | 54 +++
.../wic/plugins/source/efibootguard-boot.py | 162 +++++++
.../wic/plugins/source/efibootguard-efi.py | 102 ++++
wic/ebg-sysparts.inc | 8 +
wic/qemu-amd64-efibootguard.wks | 5 +
wic/simatic-ipc227e-efibootguard.wks | 5 +
wic/swupdate-partition.inc | 4 +
47 files changed, 1686 insertions(+)
create mode 100644 classes/extract-partition.bbclass
create mode 100644 classes/kconfig-snippets.bbclass
create mode 100644 classes/swupdate-config.bbclass
create mode 100644 classes/swupdate-img.bbclass
create mode 100644 classes/wic-swu-img.bbclass
create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch
create mode 100644 kas/opt/ebg-swu.yml
create mode 100644 kas/opt/qemu-swupdate.yml
create mode 100644 recipes-bsp/efibootguard/efibootguard_0.7-git+isar.bb
create mode 100644 recipes-bsp/efibootguard/files/debian/compat
create mode 100644 recipes-bsp/efibootguard/files/debian/control.tmpl
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.install
create mode 100755 recipes-bsp/efibootguard/files/debian/rules
create mode 100644 recipes-core/images/files/sw-description.tmpl
create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl
create mode 100644 recipes-core/swupdate/files/debian/compat
create mode 100644 recipes-core/swupdate/files/debian/control.tmpl
create mode 100644 recipes-core/swupdate/files/debian/copyright
create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl
create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples
create mode 100644 recipes-core/swupdate/files/debian/swupdate.install
create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages
create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile
create mode 100644 recipes-core/swupdate/files/debian/watch
create mode 100644 recipes-core/swupdate/files/postinst
create mode 100644 recipes-core/swupdate/files/swupdate.cfg
create mode 100644 recipes-core/swupdate/files/swupdate.service.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.example
create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua
create mode 100644 recipes-core/swupdate/swupdate.bb
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-boot.py
create mode 100644 scripts/lib/wic/plugins/source/efibootguard-efi.py
create mode 100644 wic/ebg-sysparts.inc
create mode 100644 wic/qemu-amd64-efibootguard.wks
create mode 100644 wic/simatic-ipc227e-efibootguard.wks
create mode 100644 wic/swupdate-partition.inc

--
2.20.1


[isar-cip-core PATCH v2 2/5] patches: add libubootenv

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

swupdate 2020.04 requires libubootenv as build dependency.

libubootenv is a library that provides a hardware independent
way to access to U-Boot environment. U-Boot has its default environment
compiled board-dependently and this means that tools to access the environment
are also board specific, too.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../0001-u-boot-add-libubootenv.patch | 169 ++++++++++++++++++
kas-cip.yml | 4 +
2 files changed, 173 insertions(+)
create mode 100644 isar-patches/0001-u-boot-add-libubootenv.patch

diff --git a/isar-patches/0001-u-boot-add-libubootenv.patch b/isar-patches/0001-u-boot-add-libubootenv.patch
new file mode 100644
index 0000000..10a5b4a
--- /dev/null
+++ b/isar-patches/0001-u-boot-add-libubootenv.patch
@@ -0,0 +1,169 @@
+From 76897e89977f895495e21e37cb76f90392d55ef9 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Fri, 19 Jun 2020 17:00:36 +0200
+Subject: [PATCH v2] u-boot: add libubootenv
+
+Add the new library libubootenv and remove fw_printenv and fw_setenv
+form u-boot-tools as the are now part of the new library.
+
+libubootenv is a library that provides a hardware independent
+way to access to U-Boot environment. U-Boot has its default environment
+compiled board-dependently and this means that tools to access the environment
+are also board specific, too.
+
+libubootenv conflicts with u-boot-tools from Debian 10
+as both try to install fw_printenv and fw_sentenv. This conflict is not
+part of the control file as it breaks the installation of custom u-boot-tools
+from the u-boot-sources.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ meta-isar/conf/machine/de0-nano-soc.conf | 2 +-
+ .../libubootenv/files/debian/compat | 1 +
+ .../libubootenv/files/debian/control.tmpl | 15 +++++++++
+ .../libubootenv/files/debian/rules.tmpl | 24 ++++++++++++++
+ .../libubootenv/libubootenv_0.2.bb | 32 +++++++++++++++++++
+ .../files/debian/u-boot-tools.conffiles | 1 -
+ .../u-boot/files/debian/u-boot-tools.install | 2 --
+ .../u-boot/files/debian/u-boot-tools.links | 1 -
+ 8 files changed, 73 insertions(+), 5 deletions(-)
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/compat
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+ create mode 100644 meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+ create mode 100644 meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+ delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
+ delete mode 100644 meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
+
+diff --git a/meta-isar/conf/machine/de0-nano-soc.conf b/meta-isar/conf/machine/de0-nano-soc.conf
+index 3a2c009..6558d90 100644
+--- a/meta-isar/conf/machine/de0-nano-soc.conf
++++ b/meta-isar/conf/machine/de0-nano-soc.conf
+@@ -15,4 +15,4 @@ WKS_FILE ?= "de0-nano-soc.wks.in"
+ IMAGER_INSTALL += "u-boot-de0-nano-soc"
+ IMAGER_BUILD_DEPS += "u-boot-de0-nano-soc"
+
+-IMAGE_INSTALL += "u-boot-tools u-boot-script"
++IMAGE_INSTALL += "u-boot-tools libubootenv u-boot-script"
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/compat b/meta/recipes-bsp/libubootenv/files/debian/compat
+new file mode 100644
+index 0000000..b4de394
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/compat
+@@ -0,0 +1 @@
++11
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/control.tmpl b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+new file mode 100644
+index 0000000..fade69a
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/control.tmpl
+@@ -0,0 +1,15 @@
++Source: libubootenv
++Section: embedded
++Priority: optional
++Maintainer: Stefano Babic <sbabic@denx.de>
++Build-Depends: ${BUILD_DEB_DEPENDS}
++Standards-Version: 4.2.1
++Homepage: https://sbabic.github.io/libubootenv
++
++Package: libubootenv
++Architecture: any
++Depends: ${DEBIAN_DEPENDS}
++Description: libubootenv is a library that provides a hardware independent
++ way to access to U-Boot environment. U-Boot has its default environment
++ compiled board-dependently and this means that tools to access the environment
++ are also board specific, too.
+diff --git a/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+new file mode 100644
+index 0000000..56ccd19
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/files/debian/rules.tmpl
+@@ -0,0 +1,24 @@
++#!/usr/bin/make -f
++
++ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
++export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
++export CC=$(DEB_HOST_GNU_TYPE)-gcc
++export LD=$(DEB_HOST_GNU_TYPE)-gcc
++endif
++
++export DH_VERBOSE = 1
++
++export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
++
++override_dh_auto_configure:
++ dh_auto_configure --
++
++%:
++ echo $@
++ dh $@
++
++override_dh_installchangelogs:
++ true
++
++override_dh_installdocs:
++ true
+diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+new file mode 100644
+index 0000000..1be058c
+--- /dev/null
++++ b/meta/recipes-bsp/libubootenv/libubootenv_0.2.bb
+@@ -0,0 +1,32 @@
++# libubootenv
++#
++# This software is a part of ISAR.
++# Copyright (c) Siemens AG, 2020
++#
++# SPDX-License-Identifier: MIT
++
++DESCRIPTION = "swupdate utility for software updates"
++HOMEPAGE= "https://github.com/sbabic/swupdate"
++LICENSE = "GPL-2.0"
++LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
++SRC_URI = "gitsm://github.com/sbabic/libubootenv.git;branch=master;protocol=https"
++
++SRCREV = "bf6ff631c0e38cede67268ceb8bf1383b5f8848e"
++
++BUILD_DEB_DEPENDS = "cmake, zlib1g-dev"
++
++SRC_URI += "file://debian"
++TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
++TEMPLATE_VARS += "BUILD_DEB_DEPENDS DEFCONFIG DEBIAN_DEPENDS"
++
++
++inherit dpkg
++
++S = "${WORKDIR}/git"
++
++do_prepare_build() {
++ DEBDIR=${S}/debian
++ install -d ${DEBDIR}
++ cp -R ${WORKDIR}/debian ${S}
++ deb_add_changelog
++}
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
+deleted file mode 100644
+index d49a8fb..0000000
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.conffiles
++++ /dev/null
+@@ -1 +0,0 @@
+-/etc/fw_env.config
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
+index d1ae3e0..2893b9a 100644
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
++++ b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.install
+@@ -1,5 +1,3 @@
+ tools/dumpimage /usr/bin/
+-tools/env/fw_printenv /usr/bin/
+ tools/mkenvimage /usr/bin/
+ tools/mkimage /usr/bin/
+-tools/env/fw_env.config /etc
+diff --git a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links b/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
+deleted file mode 100644
+index 92f5a6c..0000000
+--- a/meta/recipes-bsp/u-boot/files/debian/u-boot-tools.links
++++ /dev/null
+@@ -1 +0,0 @@
+-/usr/bin/fw_printenv /usr/bin/fw_setenv
+--
+2.20.1
+
diff --git a/kas-cip.yml b/kas-cip.yml
index 019b31e..0da07db 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -22,6 +22,10 @@ repos:
refspec: 351af175bc54a201c6f44307d4e998bd6c0afdb8
layers:
meta:
+ patches:
+ 01-libubootenv:
+ path: isar-patches/0001-u-boot-add-libubootenv.patch
+ repo: cip-core

bblayers_conf_header:
standard: |
--
2.20.1


Re: [isar-cip-core RFC 3/4] recipes-core: add swupdate

Quirin Gylstorff
 

On 6/26/20 3:05 PM, Jan Kiszka wrote:
On 25.06.20 15:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add swupdate for A/B software updates. Currently the Round Robin
handler in lua supports efibootguard as bootloader. The u-boot
implementation is outstanding.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  classes/kconfig-snippets.bbclass              |  90 ++++
  classes/swupdate-config.bbclass               |  76 +++
  classes/swupdate-img.bbclass                  |  75 +++
  .../swupdate/files/debian/changelog.tmpl      |   6 +
  recipes-core/swupdate/files/debian/compat     |   1 +
  .../swupdate/files/debian/control.tmpl        |  15 +
  recipes-core/swupdate/files/debian/copyright  |  36 ++
  recipes-core/swupdate/files/debian/rules.tmpl |  30 ++
  .../swupdate/files/debian/swupdate.examples   |   2 +
  .../swupdate/files/debian/swupdate.install    |   2 +
  .../swupdate/files/debian/swupdate.manpages   |   5 +
  .../swupdate/files/debian/swupdate.tmpfile    |   2 +
  recipes-core/swupdate/files/debian/watch      |  12 +
  recipes-core/swupdate/files/postinst          |   2 +
  recipes-core/swupdate/files/swupdate.cfg      |   6 +
  .../swupdate/files/swupdate.service.example   |  11 +
  .../swupdate/files/swupdate.socket.example    |  11 +
  .../swupdate/files/swupdate.socket.tmpl       |  13 +
  .../swupdate/files/swupdate_defconfig         |  83 ++++
  .../swupdate_defconfig_efibootguard.snippet   |   3 +
  .../files/swupdate_defconfig_lua.snippet      |   2 +
  .../swupdate_defconfig_luahandler.snippet     |   4 +
  .../files/swupdate_defconfig_mtd.snippet      |   1 +
  .../files/swupdate_defconfig_u-boot.snippet   |   3 +
  .../files/swupdate_defconfig_ubi.snippet      |   6 +
  .../swupdate/files/swupdate_handlers.lua      | 449 ++++++++++++++++++
  recipes-core/swupdate/swupdate.bb             |  54 +++
  27 files changed, 1000 insertions(+)
  create mode 100644 classes/kconfig-snippets.bbclass
  create mode 100644 classes/swupdate-config.bbclass
  create mode 100644 classes/swupdate-img.bbclass
  create mode 100644 recipes-core/swupdate/files/debian/changelog.tmpl
  create mode 100644 recipes-core/swupdate/files/debian/compat
  create mode 100644 recipes-core/swupdate/files/debian/control.tmpl
  create mode 100644 recipes-core/swupdate/files/debian/copyright
  create mode 100755 recipes-core/swupdate/files/debian/rules.tmpl
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.examples
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.install
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.manpages
  create mode 100644 recipes-core/swupdate/files/debian/swupdate.tmpfile
  create mode 100644 recipes-core/swupdate/files/debian/watch
  create mode 100644 recipes-core/swupdate/files/postinst
  create mode 100644 recipes-core/swupdate/files/swupdate.cfg
  create mode 100644 recipes-core/swupdate/files/swupdate.service.example
  create mode 100644 recipes-core/swupdate/files/swupdate.socket.example
  create mode 100644 recipes-core/swupdate/files/swupdate.socket.tmpl
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
  create mode 100644 recipes-core/swupdate/files/swupdate_handlers.lua
  create mode 100644 recipes-core/swupdate/swupdate.bb

diff --git a/classes/kconfig-snippets.bbclass b/classes/kconfig-snippets.bbclass
new file mode 100644
index 0000000..d754654
--- /dev/null
+++ b/classes/kconfig-snippets.bbclass
@@ -0,0 +1,90 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+KCONFIG_SNIPPETS = ""
+
+# The following function defines the kconfig snippet system
+# with automatich debian dependency injection
+#
+# To define a feature set, the user has to define the following
+# variable to an empty string:
+#
+# KFEATURE_featurename = ""
+#
+# Then, required additions to the variables can be defined:
+#
+# KFEATURE_featurename[KCONFIG_SNIPPETS] = "file://snippet-file-name.snippet"
+# KFEATURE_featurename[SRC_URI] = "file://required-file.txt"
+# KFEATURE_featurename[DEPENDS] = "deb-pkg1 deb-pkg2 deb-pkg3"
+# KFEATURE_featurename[DEBIAN_DEPENDS] = "deb-pkg1"
+# KFEATURE_featurename[BUILD_DEB_DEPENDS] = "deb-pkg1,deb-pkg2,deb-pkg3"
+
+# The 'KCONFIG_SNIPPETS' flag gives a list of URI entries, where only
+# file:// is supported. These snippets are appended to the DEFCONFIG file.
+#
+# Features can depend on other features via the following mechanism:
+#
+# KFEATURE_DEPS[feature1] = "feature2"
+
+python () {
+    requested_features = d.getVar("KFEATURES", True) or ""
+
+    features = set(requested_features.split())
+    old_features = set()
+    feature_deps = d.getVarFlags("KFEATURE_DEPS") or {}
+    while old_features != features:
+        diff_features = old_features.symmetric_difference(features)
+        old_features = features.copy()
+        for i in diff_features:
+            features.update(feature_deps.get(i, "").split())
+
+    for f in sorted(features):
+        bb.debug(2, "Feature: " + f)
+        varname = "KFEATURE_" + f
+        dummyvar = d.getVar(varname, False)
+        if dummyvar == None:
+            bb.error("Feature var " + f + " must be defined with needed flags.")
+        else:
+            feature_flags = d.getVarFlags(varname)
+            for feature_varname in sorted(feature_flags):
+                if feature_flags.get(feature_varname, "") != "":
+                    sep = " "
+
+                    # Required to add KCONFIG_SNIPPETS to SRC_URI here,
+                    # because 'SRC_URI += "${KCONFIG_SNIPPETS}"' would
+                    # conflict with SRC_APT feature.
+                    if feature_varname == "KCONFIG_SNIPPETS":
+                        d.appendVar('SRC_URI',
+                            " " + feature_flags[feature_varname].strip())
+
+                    # BUILD_DEP_DEPENDS and DEBIAN_DEPENDS is ',' separated
+                    # Only add ',' if there is already something there
+                    if feature_varname in ["BUILD_DEB_DEPENDS",
+                                           "DEBIAN_DEPENDS"]:
+                        sep = "," if d.getVar(feature_varname) else ""
+
+                    d.appendVar(feature_varname,
+                        sep + feature_flags[feature_varname].strip())
+}
+
+# DEFCONFIG must be a predefined bitbake variable and the corresponding file
+# must exist in the WORKDIR.
+# The resulting generated config is the same file suffixed with ".gen"
+
+do_prepare_build_prepend() {
+        sh -x
+        GENCONFIG="${WORKDIR}/${DEFCONFIG}".gen
+        rm -f "$GENCONFIG"
+        cp "${WORKDIR}/${DEFCONFIG}" "$GENCONFIG"
+        for CONFIG_SNIPPET in $(echo "${KCONFIG_SNIPPETS}" | sed 's#file://##g')
+        do
+                cat ${WORKDIR}/$CONFIG_SNIPPET >> "$GENCONFIG"
+        done
+}
diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
new file mode 100644
index 0000000..7ce51c5
--- /dev/null
+++ b/classes/swupdate-config.bbclass
@@ -0,0 +1,76 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Christian Storm <christian.storm@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+# This class manages the config snippets together with their dependencies
+# to build SWUpdate
+
+inherit kconfig-snippets
+
+BUILD_DEB_DEPENDS = " \
+    zlib1g-dev, debhelper, libconfig-dev, libarchive-dev, \
+    python-sphinx:native, dh-systemd, libsystemd-dev"
+
+KFEATURE_lua = ""
+KFEATURE_lua[BUILD_DEB_DEPENDS] = "liblua5.3-dev"
+KFEATURE_lua[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_lua.snippet"
+
+KFEATURE_luahandler = ""
+KFEATURE_luahandler[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_luahandler.snippet"
+KFEATURE_luahandler[SRC_URI] = "file://${SWUPDATE_LUASCRIPT}"
+
+KFEATURE_DEPS = ""
+KFEATURE_DEPS[luahandler] = "lua"
+
+KFEATURE_efibootguard = ""
+KFEATURE_efibootguard[BUILD_DEB_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEBIAN_DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[DEPENDS] = "efibootguard-dev"
+KFEATURE_efibootguard[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_efibootguard.snippet"
+
+KFEATURE_mtd = ""
+KFEATURE_mtd[BUILD_DEB_DEPENDS] = "libmtd-dev"
+KFEATURE_mtd[DEPENDS] = "mtd-utils"
+KFEATURE_mtd[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_mtd.snippet"
+
+KFEATURE_ubi = ""
+KFEATURE_ubi[BUILD_DEB_DEPENDS] = "libubi-dev"
+KFEATURE_ubi[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_ubi.snippet"
+
+KFEATURE_DEPS[ubi] = "mtd"
+
+KFEATURE_u-boot = ""
+KFEATURE_u-boot[BUILD_DEB_DEPENDS] = "u-boot-${MACHINE}-dev"
+KFEATURE_u-boot[DEBIAN_DEPENDS] = "u-boot-tools"
+KFEATURE_u-boot[DEPENDS] = "${U_BOOT}"
+KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"
+
+SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"
+
+def get_bootloader_featureset(d):
+    bootloader = d.getVar("BOOTLOADER", True) or ""
+    if bootloader == "efibootguard":
+        return "efibootguard"
+    if bootloader == "u-boot":
+        return "u-boot"
+    return ""
+
+SWUPDATE_KFEATURES ??= ""
+KFEATURES = "${SWUPDATE_KFEATURES}"
+KFEATURES += "${@get_bootloader_featureset(d)}"
+
+# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# one time before it gets set. So the following must be a task.
+python do_check_bootloader () {
+    bootloader = d.getVar("BOOTLOADER", True) or "None"
+    if not bootloader in ["efibootguard", "u-boot"]:
+        bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+}
+addtask check_bootloader before do_fetch
+
diff --git a/classes/swupdate-img.bbclass b/classes/swupdate-img.bbclass
new file mode 100644
index 0000000..a21d6ec
--- /dev/null
+++ b/classes/swupdate-img.bbclass
@@ -0,0 +1,75 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Christian Storm <christian.storm@siemens.com>
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+SWU_IMAGE_FILE ?= "${PN}-${DISTRO}-${MACHINE}.swu"
+SWU_DESCRIPTION_FILE ?= "sw-description"
+SWU_ADDITIONAL_FILES ?= ""
+SWU_SIGNED ?= ""
+SWU_SIGNATURE_EXT ?= "sig"
+SWU_SIGNATURE_TYPE ?= "rsa"
+
+IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+
+do_swupdate_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
+do_swupdate_image[cleandirs] += "${WORKDIR}/swu"
+do_swupdate_image() {
+    rm -f '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+    cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+
+    # Create symlinks for files used in the update image
+    for file in ${SWU_ADDITIONAL_FILES}; do
+        if [ -e "${WORKDIR}/$file" ]; then
+            ln -s "${WORKDIR}/$file" "${WORKDIR}/swu/$file"
+        else
+            ln -s "${DEPLOY_DIR_IMAGE}/$file" "${WORKDIR}/swu/$file"
+        fi
+    done
+
+    # Prepare for signing
+    sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}'
+    if [ -n "$sign" ]; then
+        image_do_mounts
+        cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key'
+        test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt'
+
+        # Fill in file check sums
+        for file in ${SWU_ADDITIONAL_FILES}; do
+            sed -i "s:$file-sha256:$(sha256sum '${WORKDIR}/swu/'$file | cut -f 1 -d ' '):g" \
+                '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}'
+        done
+    fi
+
+    cd "${WORKDIR}/swu"
+    for file in '${SWU_DESCRIPTION_FILE}' ${SWU_ADDITIONAL_FILES}; do
+        echo "$file"
+        if [ -n "$sign" -a \
+             '${SWU_DESCRIPTION_FILE}' = "$file" ]; then
+            if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then
+                sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl dgst \
+                    -sha256 -sign '${PP_WORK}/dev.key' \
+                    '${PP_WORK}/swu/'"$file" \
+                        > '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}'
+            elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then
+                sudo chroot ${BUILDCHROOT_DIR} /usr/bin/openssl cms \
+                    -sign -in '${PP_WORK}/swu/'"$file" \
+                    -out '${WORKDIR}/swu/'"$file".'${SWU_SIGNATURE_EXT}' \
+                    -signer '${PP_WORK}/dev.crt' \
+                    -inkey '${PP_WORK}/dev.key' \
+                    -outform DER -nosmimecap -binary
+            fi
+            echo "$file".'${SWU_SIGNATURE_EXT}'
+        fi
+    done | cpio -ovL -H crc \
+        > '${DEPLOY_DIR_IMAGE}/${SWU_IMAGE_FILE}'
+    cd -
+}
+
+addtask swupdate_image before do_build after do_copy_boot_files do_install_imager_deps do_transform_template
diff --git a/recipes-core/swupdate/files/debian/changelog.tmpl b/recipes-core/swupdate/files/debian/changelog.tmpl
new file mode 100644
index 0000000..81087d3
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/changelog.tmpl
@@ -0,0 +1,6 @@
+swupdate (${PV}) unstable; urgency=medium
+
+  * SWUpdate
+
+ --  Christian Storm <christian.storm@siemens.com>  Thu, 31 Jan 2019 15:23:56 +0100
+
diff --git a/recipes-core/swupdate/files/debian/compat b/recipes-core/swupdate/files/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/recipes-core/swupdate/files/debian/control.tmpl b/recipes-core/swupdate/files/debian/control.tmpl
new file mode 100644
index 0000000..2b92850
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/control.tmpl
@@ -0,0 +1,15 @@
+Source: swupdate
+Section: embedded
+Priority: optional
+Maintainer: Stefano Babic <sbabic@denx.de>
+Build-Depends: ${BUILD_DEB_DEPENDS}
+Standards-Version: 4.2.1
+Homepage: http://sbabic.github.io/swupdate
+
+Package: swupdate
+Architecture: any
+Depends: ${DEBIAN_DEPENDS}
+Description: reliable way to update an embedded system
+ This project is thought to help to update an embedded system from a storage media or from network.
+ However, it should be mainly considered as a framework, where further protocols or installers
+ (in SWUpdate they are called handlers) can be easily added to the application.
diff --git a/recipes-core/swupdate/files/debian/copyright b/recipes-core/swupdate/files/debian/copyright
new file mode 100644
index 0000000..f920942
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/copyright
@@ -0,0 +1,36 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: swupdate
+Maintainer: Stefano Babic <sbabic@denx.de>
+Source: http://github.com/sbabic/swupdate
+
+Files: *
+Copyright: 2014-2017 Stefano Babic <sbabic@denx.de>
+
+License: GPL-2 with OpenSSL exception
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ In addition, as a special exception, the author of this
+ program gives permission to link the code of its
+ release with the OpenSSL project's "OpenSSL" library (or
+ with modified versions of it that use the same license as
+ the "OpenSSL" library), and distribute the linked
+ executables. You must obey the GNU General Public
+ License in all respects for all of the code used other
+ than "OpenSSL".  If you modify this file, you may extend
+ this exception to your version of the file, but you are
+ not obligated to do so.  If you do not wish to do so,
+ delete this exception statement from your version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/recipes-core/swupdate/files/debian/rules.tmpl b/recipes-core/swupdate/files/debian/rules.tmpl
new file mode 100755
index 0000000..54cca57
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/rules.tmpl
@@ -0,0 +1,30 @@
+#!/usr/bin/make -f
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+export CC=$(DEB_HOST_GNU_TYPE)-gcc
+export LD=$(DEB_HOST_GNU_TYPE)-gcc
+endif
+
+export DH_VERBOSE = 1
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
+
+documentation: configure
+    make man
+
+configure:
+    make ${DEFCONFIG}
+
+build: documentation configure
+    dh $@
+
+%:
+    echo $@
+    dh $@
+
+override_dh_installchangelogs:
+    true
+
+override_dh_installdocs:
+    true
diff --git a/recipes-core/swupdate/files/debian/swupdate.examples b/recipes-core/swupdate/files/debian/swupdate.examples
new file mode 100644
index 0000000..c257b75
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.examples
@@ -0,0 +1,2 @@
+examples/configuration
+examples/description
diff --git a/recipes-core/swupdate/files/debian/swupdate.install b/recipes-core/swupdate/files/debian/swupdate.install
new file mode 100644
index 0000000..8957cc6
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.install
@@ -0,0 +1,2 @@
+swupdate usr/bin
+swupdate.cfg /etc
diff --git a/recipes-core/swupdate/files/debian/swupdate.manpages b/recipes-core/swupdate/files/debian/swupdate.manpages
new file mode 100644
index 0000000..c3438e0
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.manpages
@@ -0,0 +1,5 @@
+doc/build/man/swupdate.1
+doc/build/man/client.1
+doc/build/man/sendtohawkbit.1
+doc/build/man/hawkbitcfg.1
+doc/build/man/progress.1
diff --git a/recipes-core/swupdate/files/debian/swupdate.tmpfile b/recipes-core/swupdate/files/debian/swupdate.tmpfile
new file mode 100644
index 0000000..4743672
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/swupdate.tmpfile
@@ -0,0 +1,2 @@
+X /tmp/datadst
+X /tmp/scripts
diff --git a/recipes-core/swupdate/files/debian/watch b/recipes-core/swupdate/files/debian/watch
new file mode 100644
index 0000000..bc4c53e
--- /dev/null
+++ b/recipes-core/swupdate/files/debian/watch
@@ -0,0 +1,12 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 4 file
+version=4
+
+# GitHub hosted projects
+opts="filenamemangle="s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%<project>-$1.tar.gz%" \
+   https://github.com/<user>/swupdate/tags \
+   (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
diff --git a/recipes-core/swupdate/files/postinst b/recipes-core/swupdate/files/postinst
new file mode 100644
index 0000000..f15ac10
--- /dev/null
+++ b/recipes-core/swupdate/files/postinst
@@ -0,0 +1,2 @@
+#!/bin/sh
+deb-systemd-helper enable swupdate.socket || true
diff --git a/recipes-core/swupdate/files/swupdate.cfg b/recipes-core/swupdate/files/swupdate.cfg
new file mode 100644
index 0000000..e0222f1
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.cfg
@@ -0,0 +1,6 @@
+globals :
+{
+    verbose = true;
+    loglevel = 10;
+    syslog = false;
+};
diff --git a/recipes-core/swupdate/files/swupdate.service.example b/recipes-core/swupdate/files/swupdate.service.example
new file mode 100644
index 0000000..d0b821e
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.service.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate daemon
+Documentation=https://github.com/sbabic/swupdate
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/swupdate -f /etc/swupdate.cfg
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.example b/recipes-core/swupdate/files/swupdate.socket.example
new file mode 100644
index 0000000..2b75671
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.example
@@ -0,0 +1,11 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate.socket.tmpl b/recipes-core/swupdate/files/swupdate.socket.tmpl
new file mode 100644
index 0000000..8e7fc1d
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate.socket.tmpl
@@ -0,0 +1,13 @@
+[Unit]
+Description=SWUpdate socket listener
+Documentation=https://github.com/sbabic/swupdate
+Documentation=https://sbabic.github.io/swupdate
+
+[Socket]
+SocketUser=${SWUPDATE_SOCKET_OWNER}
+SocketGroup=root
+ListenStream=/tmp/sockinstctrl
+ListenStream=/tmp/swupdateprog
+
+[Install]
+WantedBy=sockets.target
diff --git a/recipes-core/swupdate/files/swupdate_defconfig b/recipes-core/swupdate/files/swupdate_defconfig
new file mode 100644
index 0000000..9ae7cb5
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig
@@ -0,0 +1,83 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Swupdate Configuration
+#
+CONFIG_HAVE_DOT_CONFIG=y
+
+#
+# Swupdate Settings
+#
+
+#
+# General Configuration
+#
+# CONFIG_CURL is not set
+# CONFIG_CURL_SSL is not set
+CONFIG_SYSTEMD=y
+CONFIG_SCRIPTS=y
+# CONFIG_HW_COMPATIBILITY is not set
+CONFIG_SW_VERSIONS_FILE="/etc/sw-versions"
+
+#
+# Socket Paths
+#
+CONFIG_SOCKET_CTRL_PATH="/tmp/sockinstctrl"
+CONFIG_SOCKET_PROGRESS_PATH="/tmp/swupdateprog"
+CONFIG_SOCKET_REMOTE_HANDLER_DIRECTORY="/tmp/"
+# CONFIG_MTD is not set
+# CONFIG_LUA is not set
+# CONFIG_LUAPKG is not set
+# CONFIG_FEATURE_SYSLOG is not set
+
+#
+# Build Options
+#
+CONFIG_CROSS_COMPILE=""
+CONFIG_SYSROOT=""
+CONFIG_EXTRA_CFLAGS=""
+CONFIG_EXTRA_LDFLAGS=""
+CONFIG_EXTRA_LDLIBS=""
+
+#
+# Debugging Options
+#
+# CONFIG_DEBUG is not set
+# CONFIG_WERROR is not set
+# CONFIG_NOCLEANUP is not set
+# CONFIG_BOOTLOADER_EBG is not set
+# CONFIG_UBOOT is not set
+# CONFIG_BOOTLOADER_NONE is not set
+# CONFIG_BOOTLOADER_GRUB is not set
+# CONFIG_DOWNLOAD is not set
+# CONFIG_DOWNLOAD_SSL is not set
+# CONFIG_CHANNEL_CURL is not set
+# CONFIG_HASH_VERIFY=y
+# CONFIG_SIGNED_IMAGES is not set
+# CONFIG_ENCRYPTED_IMAGES is not set
+# CONFIG_SURICATTA is not set
+# CONFIG_WEBSERVER is not set
+CONFIG_GUNZIP=y
+
+#
+# Parser Features
+#
+CONFIG_LIBCONFIG=y
+CONFIG_PARSERROOT=""
+# CONFIG_JSON is not set
+# CONFIG_LUAEXTERNAL is not set
+# CONFIG_SETEXTPARSERNAME is not set
+# CONFIG_SETSWDESCRIPTION is not set
+
+#
+# Image Handlers
+#
+CONFIG_RAW=y
+# CONFIG_LUASCRIPTHANDLER is not set
+# CONFIG_SHELLSCRIPTHANDLER is not set
+# CONFIG_HANDLER_IN_LUA is not set
+# CONFIG_EMBEDDED_LUA_HANDLER is not set
+# CONFIG_EMBEDDED_LUA_HANDLER_SOURCE is not set
+CONFIG_ARCHIVE=y
+# CONFIG_REMOTE_HANDLER is not set
+# CONFIG_SWUFORWARDER_HANDLER is not set
+# CONFIG_BOOTLOADERHANDLER is not set
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
new file mode 100644
index 0000000..8e3688c
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_efibootguard.snippet
@@ -0,0 +1,3 @@
+CONFIG_BOOTLOADER_NONE=n
+CONFIG_BOOTLOADER_EBG=y
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
new file mode 100644
index 0000000..b39f9df
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_lua.snippet
@@ -0,0 +1,2 @@
+CONFIG_LUA=y
+CONFIG_LUAPKG="lua53"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
new file mode 100644
index 0000000..b4a2de8
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_luahandler.snippet
@@ -0,0 +1,4 @@
+CONFIG_LUASCRIPTHANDLER=y
+CONFIG_HANDLER_IN_LUA=y
+CONFIG_EMBEDDED_LUA_HANDLER=y
+CONFIG_EMBEDDED_LUA_HANDLER_SOURCE="swupdate_handlers.lua"
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
new file mode 100644
index 0000000..eab98dd
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_mtd.snippet
@@ -0,0 +1 @@
+CONFIG_MTD=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
new file mode 100644
index 0000000..6b5832a
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_u-boot.snippet
@@ -0,0 +1,3 @@
+CONFIG_UBOOT=y
+CONFIG_UBOOT_FWENV="/etc/fw_env.config"
+CONFIG_BOOTLOADERHANDLER=y
diff --git a/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
new file mode 100644
index 0000000..d1c7732
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_defconfig_ubi.snippet
@@ -0,0 +1,6 @@
+CONFIG_UBIVOL=y
+CONFIG_UBIATTACH=y
+CONFIG_UBIBLACKLIST=""
+CONFIG_UBIWHITELIST=""
+CONFIG_UBIVIDOFFSET=0
+CONFIG_CFI=y
diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
new file mode 100644
index 0000000..c9b9962
--- /dev/null
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -0,0 +1,449 @@
+--[[
+
+    Round-robin Image and File Handler.
+
+    Copyright (C) 2019, Siemens AG
+
+    Author: Christian Storm <christian.storm@siemens.com>
+
+    SPDX-License-Identifier: GPL-2.0-or-later
+
+    An `sw-description` file using these handlers may look like:
+        software =
+        {
+            version = "0.1.0";
+            images: ({
+                filename = "rootfs.ext4";
+                device = "sda4,sda5";
+                type = "roundrobin";
+                compressed = false;
+            });
+            files: ({
+                filename = "vmlinuz";
+                path = "vmlinuz";
+                type = "kernelfile";
+                device = "sda2,sda3";
+                filesystem = "vfat";
+            },
+            {
+                filename = "initrd.img";
+                path = "initrd.img";
+                type = "kernelfile";
+                device = "sda2,sda3";
+                filesystem = "vfat";
+            });
+        }
+
+    The semantics is as follows: Instead of having a fixed target device,
+    the 'roundrobin' image handler calculates the target device by parsing
+    /proc/cmdline, matching the root=<device> kernel parameter against its
+    'device' attribute's list of devices, and sets the actual target
+    device to the next 'device' attribute list entry in a round-robin
+    manner. The actual flashing is done via chain-calling another handler,
+    defaulting to the "raw" handler.
+
+    The 'kernelfile' file handler reuses the 'roundrobin' handler's target
+    device calculation by reading the actual target device from the same
+    index into its 'device' attribute's list of devices. The actual placing
+    of files into this partition is done via chain-calling another handler,
+    defaulting to the "rawfile" handler.
+
+    In the above example, if /dev/sda4 is currently booted according to
+    /proc/cmdline, /dev/sda5 will be flashed and the vmlinuz and initrd.img
+    files will be placed on /dev/sda3. If /dev/sda5 is booted, /dev/sda4
+    will be flashed and the vmlinuz and initrd.img files are placed on
+    /dev/sda2.
+    In addition to "classical" device nodes as in this example, partition
+    UUIDs as reported, e.g., by `blkid -s PARTUUID` are also supported.
+    UBI volumes are supported as well by specifying a CSV list of
+    ubi<number>:<label> items.
+
+    Configuration is done via an INI-style configuration file located at
+    /etc/swupdate.handler.ini or via compiled-in configuration (by
+    embedding the Lua handler script into the SWUpdate binary via using
+    CONFIG_EMBEDDED_LUA_HANDLER), the latter having precedence over the
+    former. See the example configuration below.
+    If uncommenting this example block, it will take precedence over any
+    /etc/swupdate.handler.ini configuration file.
+
+    The chain-called handlers can either be specified in the configuration,
+    i.e., a static run-time setting, or via the 'chainhandler' property of
+    an 'image' or 'file' section in the sw-description, with the latter
+    taking precedence over the former, e.g.,
+        ...
+        images: ({
+                filename = "rootfs.ext4";
+                device = "sda4,sda5";
+                type = "roundrobin";
+                properties: {
+                    chainhandler = "myraw";
+                };
+            });
+        ...
+    Such a sw-description fragment will chain-call the imaginary "myraw"
+    handler regardless of what's been configured in the compiled-in or the
+    configuration file.
+    When chain-calling the "rdiff_image" handler, its 'rdiffbase' property
+    is subject to round-robin as well, i.e., the 'rdiffbase' property is
+    expected to be a CSV list as for the 'device' property, and the actual
+    'rdiffbase' property value is calculated following the same round-robin
+    calculation mechanism stated above prior to chain-calling the actual
+    "rdiff_image" handler, e.g.,
+        images: ({
+                filename = "rootfs.ext4";
+                type = "roundrobin";
+                device = "sda4,sda5";
+                properties: {
+                    chainhandler = "rdiff_image";
+                    rdiffbase="sda1,sda2";
+                };
+            });
+    will set the 'rdiffbase' property to /dev/sda2 (/dev/sda1) if /dev/sda4
+    (/dev/sda5) is the currently booted root file system according to
+    /proc/cmdline parsing.
+
+]]
+
+
+local configuration = [[
+[bootloader]
+# Required: bootloader name, uboot and ebg currently supported.
+name=ebg
+# Required: bootloader-specific key-value pairs, e.g., for ebg:
+kernelname=linux.signed.efi
+# For relying on FAT labels, prefix bootlabels with 'L:', e.g., L:BOOT0.
+# For using custom labels, i.e., relying on the contents of an EFILABEL
+# file within the partition, prefix it with 'C:', e.g., C:BOOT0.
+bootlabel={ "C:BOOT0:", "C:BOOT1:" }
+
+# Optional: handler to chain-call for the 'roundrobin' handler,
+# defaulting to 'raw'
+[roundrobin]
+chainhandler=raw
+
+# Optional: handler to chain-call for the 'kernelfile' handler,
+# defaulting to 'rawfile'
+[kernelfile]
+chainhandler=rawfile
+]]
+
+-- Default configuration file, tried if no compiled-in config is available.
+local cfgfile = "/etc/swupdate.handler.ini"
+
+-- Table holding the configuration.
+local config = {}
+
+-- Mandatory configuration [section] and keys
+local BOOTLOADERCFG = {
+    ebg   = {
+        bootloader = {"name", "bootlabel", "kernelname"}
+    },
+    -- TODO fill with mandatory U-Boot configuration
+    uboot = {
+        bootloader = {"name"}
+    }
+}
+
+-- enum-alikes to make code more readable
+local BOOTLOADER = { EBG = "ebg", UBOOT = "uboot" }
+local PARTTYPE   = { UUID = 1, PLAIN = 2, UBI = 3 }
+
+-- Target table describing the target device the image is to be/has been flashed to.
+local rrtarget = {
+    size = function(self)
+        local _size = 0
+        for index in pairs(self) do _size = _size + 1 end
+        return _size - 1
+    end
+}
+
+-- Helper function parsing CSV fields of a struct img_type such as
+-- the "device" fields or the "rdiffbase" property.
+local get_device_list = function(device_node_csv_list)
+    local device_list = {}
+    for item in device_node_csv_list:gmatch("([^,]+)") do
+        local device_node = item:gsub("/dev/", "")
+        device_list[#device_list+1] = device_node
+        device_list[device_node] = #device_list
+    end
+    return device_list
+end
+
+-- Helper function to determine device node location.
+local get_device_path = function(device_node)
+    if device_node:match("ubi%d+:%S+") then
+        return 0, device_node, PARTTYPE.UBI
+    end
+    local device_path = string.format("/dev/disk/by-partuuid/%s", device_node)
+    local file = io.open(device_path, "rb" )
+    if file then
+        file:close()
+        return 0, device_path, PARTTYPE.UUID
+    end
+    device_path = string.format("/dev/%s", device_node)
+    file = io.open(device_path, "rb" )
+    if file then
+        file:close()
+        return 0, device_path, PARTTYPE.PLAIN
+    end
+    swupdate.error(string.format("Cannot access target device node /dev/{,disk/by-partuuid}/%s", device_node))
+    return 1, nil, nil
+end
+
+-- Helper function parsing the INI-style configuration.
+local get_config = function()
+    -- Return configuration right away if it's already parsed.
+    if config ~= nil and #config > 0 then
+        return config
+    end
+
+    -- Get configuration INI-style string.
+    if not configuration then
+        swupdate.trace(string.format("No compiled-in config found, trying %s", cfgfile))
+        local file = io.open(cfgfile, "r" )
+        if not file then
+            swupdate.error(string.format("Cannot open config file %s", cfgfile))
+            return nil
+        end
+        configuration = file:read("*a")
+        file:close()
+    end
+    if configuration:sub(-1) ~= "\n" then
+        configuration=configuration.."\n"
+    end
+
+    -- Parse INI-style contents into config table.
+    local sec, key, value
+    for line in configuration:gmatch("(.-)\n") do
+        if line:match("^%[([%w%p]+)%][%s]*") then
+            sec = line:match("^%[([%w%p]+)%][%s]*")
+            config[sec] = {}
+        elseif sec then
+            key, value = line:match("^([%w%p]-)=(.*)$")
+            if key and value then
+                if tonumber(value)  then value = tonumber(value) end
+                if value == "true"  then value = true            end
+                if value == "false" then value = false           end
+                if value:sub(1,1) == "{" then
+                    local _value = {}
+                    for _key, _ in value:gmatch("\"(%S+)\"") do
+                        table.insert(_value, _key)
+                    end
+                    value = _value
+                end
+                config[sec][key] = value
+            else
+                if not line:match("^$") and not line:match("^#") then
+                    swupdate.warn(string.format("Syntax error, skipping '%s'", line))
+                end
+            end
+        else
+            swupdate.error(string.format("Syntax error. no [section] encountered."))
+            return nil
+        end
+    end
+
+    -- Check config table for mandatory key existence.
+    if config["bootloader"] == nil or config["bootloader"]["name"] == nil then
+        swupdate.error(string.format("Syntax error. no [bootloader] encountered or name= missing therein."))
+        return nil
+    end
+    local bcfg = BOOTLOADERCFG[config.bootloader.name]
+    if not bcfg then
+        swupdate.error(string.format("Bootloader unsupported, name=uboot|ebg missing in [bootloader]?."))
+        return nil
+    end
+    for sec, _ in pairs(bcfg) do
+        for _, key in pairs(bcfg[sec]) do
+            if config[sec] == nil or config[sec][key] == nil then
+                swupdate.error(string.format("Mandatory config key %s= in [%s] not found.", key, sec))
+            end
+        end
+    end
+
+    return config
+end
+
+-- Round-robin image handler for updating the root partition.
+function handler_roundrobin(image)
+    -- Read configuration.
+    if not get_config() then
+        swupdate.error("Cannot read configuration.")
+        return 1
+    end
+
+    -- Check if we can chain-call the handler.
+    local chained_handler = "raw"
+    if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+        chained_handler = image.properties["chainhandler"]
+    elseif config["roundrobin"] ~= nil and config["roundrobin"]["chainhandler"] ~= nil then
+        chained_handler = config["roundrobin"]["chainhandler"]
+    end
+    if not swupdate.handler[chained_handler] then
+        swupdate.error(string.format("'%s' handler not available in SWUpdate distribution.", chained_handler))
+        return 1
+    end
+
+    -- Get device list for round-robin.
+    local devices = get_device_list(image.device)
+    if #devices < 2 then
+        swupdate.error("Specify at least 2 devices in the device= property for 'roundrobin'.")
+        return 1
+    end
+
+    -- Check that rrtarget is unset, else a reboot may be pending.
+    if rrtarget:size() > 0 then
+        swupdate.warn("The 'roundrobin' handler has been run. Is a reboot pending?")
+    end
+
+    -- Determine current root device.
+    local file = io.open("/proc/cmdline", "r")
+    if not file then
+        swupdate.error("Cannot open /proc/cmdline.")
+        return 1
+    end
+    local cmdline = file:read("*l")
+    file:close()
+
+    local rootparam, rootdevice
+    for item in cmdline:gmatch("%S+") do
+        rootparam, rootdevice = item:match("(root=[%u=]*[/dev/]*(%S+))")
+        if rootparam and rootdevice then break end
+    end
+    if not rootdevice then
+      swupdate.error("Cannot determine current root device.")
+      return 1
+    end
+    swupdate.info(string.format("Current root device is: %s", rootdevice))
+
+    if not devices[rootdevice] then
+        swupdate.error(string.format("Current root device '%s' is not in round-robin root devices list: %s", rootdevice, image.device:gsub("/dev/", "")))
+        return 1
+    end
+
+    -- Perform round-robin calculation for target.
+    local err
+    rrtarget.index = devices[rootdevice] % #devices + 1
+    rrtarget.device_node = devices[rrtarget.index]
+    err, rrtarget.device_path, rrtarget.parttype = get_device_path(devices[rrtarget.index])
+    if err ~= 0 then
+        return 1
+    end
+    swupdate.info(string.format("Using '%s' as 'roundrobin' target via '%s' handler.", rrtarget.device_path, chained_handler))
+
+    -- If the chain-called handler is rdiff_image, adapt the rdiffbase property
+    if chained_handler == "rdiff_image" then
+        if image.properties ~= nil and image.properties["rdiffbase"] ~= nil then
+            local rdiffbase_devices = get_device_list(image.properties["rdiffbase"])
+            if #rdiffbase_devices < 2 then
+                swupdate.error("Specify at least 2 devices in the rdiffbase= property for 'roundrobin'.")
+                return 1
+            end
+            err, image.propierties["rdiffbase"], _ = get_device_path(rdiffbase_devices[rrtarget.index])
+            if err ~= 0 then
+                return 1
+            end
+            swupdate.info(string.format("Using device %s as rdiffbase.", image.properties["rdiffbase"]))
+        else
+            swupdate.error("Property 'rdiffbase' is missing in sw-description.")
+            return 1
+        end
+    end
+
+    -- Actually flash the partition.
+    local msg
+    image.type = chained_handler
+    image.device = rrtarget.device_path
+    err, msg = swupdate.call_handler(chained_handler, image)
+    if err ~= 0 then
+        swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+        return 1
+    end
+
+    if config.bootloader.name == BOOTLOADER.EBG then
+      if rootparam then
+        local value = cmdline:gsub(
+            rootparam:gsub("%-", "%%-"),
+            string.format("root=%s%s",
+                (rrtarget.parttype == PARTTYPE.PLAIN and "") or (rrtarget.parttype == PARTTYPE.UBI and "") or "PARTUUID=",
+                 rrtarget.parttype == PARTTYPE.PLAIN and rrtarget.device_path or devices[rrtarget.index]
+            )
+        )
+        swupdate.info(string.format("Setting EFI Bootguard environment: kernelparams=%s", value))
+        swupdate.set_bootenv("kernelparams", value)
+      end
+    elseif config.bootloader.name == BOOTLOADER.UBOOT then
+        -- Update U-Boot environment.
+        swupdate.info(string.format("Setting U-Boot environment"))
+        local value = rrtarget.index
+        swupdate.set_bootenv("swupdpart", value);
+    end
+
+    return 0
+end
+
+-- File handler for updating kernel files.
+function handler_kernelfile(image)
+    -- Check if we can chain-call the handler.
+    local chained_handler = "rawfile"
+    if image.properties ~= nil and image.properties["chainhandler"] ~= nil then
+        chained_handler = image.properties["chainhandler"]
+    elseif config["kernelfile"] ~= nil and config["kernelfile"]["chainhandler"] ~= nil then
+        chained_handler = config["kernelfile"]["chainhandler"]
+    end
+    if not swupdate.handler[chained_handler] then
+        swupdate.error(string.format("'%s' handler not available in SWUpdate distribution."), chained_handler)
+        return 1
+    end
+
+    -- Check that rrtarget is set, else the 'roundrobin' handler hasn't been run.
+    if rrtarget:size() == 0 then
+        swupdate.error("The 'roundrobin' handler hasn't been run.")
+        swupdate.info("Place 'roundrobin' above 'kernelfile' in sw-description.")
+        return 1
+    end
+
+    -- Get device list for round-robin.
+    local devices = get_device_list(image.device)
+    if #devices < 2 then
+        swupdate.error("Specify at least 2 devices in the device= property for 'kernelfile'.")
+        return 1
+    end
+    if rrtarget.index > #devices then
+        swupdate.error("Cannot map kernel partition to root partition.")
+        return 1
+    end
+
+    -- Perform round-robin indexing for target.
+    local err
+    err, image.device, _ = get_device_path(devices[rrtarget.index])
+    if err ~= 0 then
+        return 1
+    end
+    swupdate.info(string.format("Using '%s' as 'kernelfile' target via '%s' handler.", image.device, chained_handler))
+
+    -- Actually copy the 'kernelfile' files.
+    local msg
+    image.type = chained_handler
+    err, msg = swupdate.call_handler(chained_handler, image)
+    if err ~= 0 then
+        swupdate.error(string.format("Error chain-calling '%s' handler: %s", chained_handler, (msg or "")))
+        return 1
+    end
+
+    if config.bootloader.name == BOOTLOADER.EBG then
+        -- Update EFI Boot Guard environment: kernelfile
+        local value = string.format("%s%s", config.bootloader.bootlabel[rrtarget.index], config.bootloader.kernelname)
+        swupdate.info(string.format("Setting EFI Bootguard environment: kernelfile=%s", value))
+        swupdate.set_bootenv("kernelfile", value)
+    elseif config.bootloader.name == BOOTLOADER.UBOOT then
+        -- Update U-Boot environment.
+        swupdate.info(string.format("Setting U-Boot environment"))
+        -- TODO
+    end
+
+    return 0
+end
+
+swupdate.register_handler("roundrobin", handler_roundrobin, swupdate.HANDLER_MASK.IMAGE_HANDLER)
+swupdate.register_handler("kernelfile", handler_kernelfile, swupdate.HANDLER_MASK.FILE_HANDLER)
diff --git a/recipes-core/swupdate/swupdate.bb b/recipes-core/swupdate/swupdate.bb
new file mode 100644
index 0000000..9c58f7d
--- /dev/null
+++ b/recipes-core/swupdate/swupdate.bb
@@ -0,0 +1,54 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+hDESCRIPTION = "swupdate utility for software updates"
+HOMEPAGE= "https://github.com/sbabic/swupdate"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_isar}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+SRC_URI = "gitsm://code.siemens.com/mirror/swupdate.git;branch=master;protocol=https"
Internal mirror. You need to go back to upstream.
And do we actually need gitsm? It is not a mature feature of bitbake, thus generally discouraged.
Jan
I will fix that in v2


Re: [isar-cip-core RFC 1/4] recipes-bsp: Add efibootguard

Quirin Gylstorff
 

On 6/26/20 3:37 PM, Jan Kiszka wrote:
On 25.06.20 15:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the bootloader efibootguard for A/B partition update
on x86 with EFI.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  .../efibootguard/efibootguard_0.6-git+isar.bb |  46 +++++
I just released 0.7. Maybe you could update when preparing v2.
Jan
Sure


Re: [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot

Quirin Gylstorff
 

On 6/29/20 10:14 AM, Jan Kiszka wrote:
On 25.06.20 16:10, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
  recipes-core/swupdate/files/swupdate_handlers.lua | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
index c9b9962..f2ecc54 100644
--- a/recipes-core/swupdate/files/swupdate_handlers.lua
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -311,8 +311,12 @@ function handler_roundrobin(image)
          if rootparam and rootdevice then break end
      end
      if not rootdevice then
-      swupdate.error("Cannot determine current root device.")
-      return 1
+        -- Use findmnt to get the rootdev
+      rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
+      if not rootdevice then
+        swupdate.error("Cannot determine current root device.")
+        return 1
+      end
      end
      swupdate.info(string.format("Current root device is: %s", rootdevice))
Seems not really specific to secure-boot, rather related to the initramfs-based rootfs selection. But is that one actually using PARTUUID in the end? Or rather device paths?
it uses the partuuid from root. If someone finds a better way to get
the current root without parsing the kernel commandline I would use
that.
Anyway, I'm not against merging this. It should just be correctly labeled. Or maybe even merged into the swupdate patch from the first series.
I move the patch to the a/b update patch.

Jan
--
Quirin


Re: [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot

Jan Kiszka
 

On 25.06.20 16:10, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/swupdate/files/swupdate_handlers.lua | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
index c9b9962..f2ecc54 100644
--- a/recipes-core/swupdate/files/swupdate_handlers.lua
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -311,8 +311,12 @@ function handler_roundrobin(image)
if rootparam and rootdevice then break end
end
if not rootdevice then
- swupdate.error("Cannot determine current root device.")
- return 1
+ -- Use findmnt to get the rootdev
+ rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
+ if not rootdevice then
+ swupdate.error("Cannot determine current root device.")
+ return 1
+ end
end
swupdate.info(string.format("Current root device is: %s", rootdevice))
Seems not really specific to secure-boot, rather related to the initramfs-based rootfs selection. But is that one actually using PARTUUID in the end? Or rather device paths?

Anyway, I'm not against merging this. It should just be correctly labeled. Or maybe even merged into the swupdate patch from the first series.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Re: [cip-kernel-config PATCH] ipc227e: Add missing options to mount fat

Nobuhiro Iwamatsu
 

Hi,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Quirin Gylstorff
Sent: Thursday, June 25, 2020 10:23 PM
To: cip-dev@lists.cip-project.org; Jan.Kiszka@siemens.com
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: [cip-dev] [cip-kernel-config PATCH] ipc227e: Add missing options to mount fat

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

To install a swupdate package into a system with a A/B partition
scheme and EFI it is necessary to access a FAT partition.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
4.19.y-cip/x86/siemens_ipc227e_defconfig | 4 ++++
1 file changed, 4 insertions(+)
Applied, thanks.

Nobuhiro



diff --git a/4.19.y-cip/x86/siemens_ipc227e_defconfig b/4.19.y-cip/x86/siemens_ipc227e_defconfig
index 0bbd649..273d20e 100644
--- a/4.19.y-cip/x86/siemens_ipc227e_defconfig
+++ b/4.19.y-cip/x86/siemens_ipc227e_defconfig
@@ -404,6 +404,10 @@ CONFIG_NFSD=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_ENCRYPTED_KEYS=m
CONFIG_SECURITY_DMESG_RESTRICT=y
--
2.20.1


[ANNOUNCE] Release v4.19.130-cip29

Nobuhiro Iwamatsu
 

Hi,

CIP kernel team has released Linux kernel v4.19.130-cip29.
The linux-4.19.y-cip tree has been updated base version from v4.19.128 to v4.19.130.

You can get this release via the git tree at:

v4.19.130-cip29:
repository:
https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git
branch:
linux-4.19.y-cip
commit hash:
4adb19da3f20208071f38c9a7706ba6a4ea0a632
added commits:
CIP: Bump version suffix to -cip29 after merge from stable

Best regards,
Nobuhiro


Re: [isar-cip-core PATCH v2 1/1] kas: Restructure kas files.

Jan Kiszka
 

On 26.06.20 18:56, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Create folder structure
kas -> general configuration
kas/board -> all supported boards
kas/opt -> all kas option files
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.gitlab-ci.yml | 8 ++++----
README.md | 4 ++--
kas.yml => kas-cip.yml | 0
board-bbb.yml => kas/board/bbb.yml | 0
board-iwg20m.yml => kas/board/iwg20m.yml | 0
board-qemu-amd64.yml => kas/board/qemu-amd64.yml | 0
board-rzg2m.yml => kas/board/rzg2m.yml | 0
.../board/simatic-ipc227e.yml | 0
opt-4.4.yml => kas/opt/4.4.yml | 0
opt-rt.yml => kas/opt/rt.yml | 0
opt-stretch.yml => kas/opt/stretch.yml | 0
opt-targz-img.yml => kas/opt/targz-img.yml | 0
12 files changed, 6 insertions(+), 6 deletions(-)
rename kas.yml => kas-cip.yml (100%)
rename board-bbb.yml => kas/board/bbb.yml (100%)
rename board-iwg20m.yml => kas/board/iwg20m.yml (100%)
rename board-qemu-amd64.yml => kas/board/qemu-amd64.yml (100%)
rename board-rzg2m.yml => kas/board/rzg2m.yml (100%)
rename board-simatic-ipc227e.yml => kas/board/simatic-ipc227e.yml (100%)
rename opt-4.4.yml => kas/opt/4.4.yml (100%)
rename opt-rt.yml => kas/opt/rt.yml (100%)
rename opt-stretch.yml => kas/opt/stretch.yml (100%)
rename opt-targz-img.yml => kas/opt/targz-img.yml (100%)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6f1dc91..241b09e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,17 +13,17 @@ all:
- export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
- - kas build kas.yml:board-simatic-ipc227e.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/simatic-ipc227e.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster simatic-ipc227e
- sudo rm -rf build/tmp
- - kas build kas.yml:board-bbb.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/bbb.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster bbb am335x-boneblack.dtb
- sudo rm -rf build/tmp
- - kas build kas.yml:board-iwg20m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/iwg20m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster iwg20m r8a7743-iwg20d-q7-dbcm-ca.dtb
- sudo rm -rf build/tmp
- - kas build kas.yml:board-rzg2m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/rzg2m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster hihope-rzg2m renesas/r8a774a1-hihope-rzg2m-ex.dtb
diff --git a/README.md b/README.md
index bbad1a0..1a7af21 100644
--- a/README.md
+++ b/README.md
@@ -21,11 +21,11 @@ start containers.
To build, e.g., the QEMU AMD64 target inside Docker, invoke kas-docker like
this:
- ./kas-docker --isar build kas.yml:board-qemu-amd64.yml
+ ./kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml
This image can be run using `start-qemu.sh x86`.
-The BeagleBone Black target is selected by `... kas.yml:board-bbb.yml`. In
+The BeagleBone Black target is selected by `... kas-cip.yml:kas/board/bbb.yml`. In
order to build the image with the PREEMPT-RT kernel, append `:opt-rt.yml` to
the above. Append ':opt-4.4.yml' to use the kernel version 4.4 instead of 4.19.
diff --git a/kas.yml b/kas-cip.yml
similarity index 100%
rename from kas.yml
rename to kas-cip.yml
diff --git a/board-bbb.yml b/kas/board/bbb.yml
similarity index 100%
rename from board-bbb.yml
rename to kas/board/bbb.yml
diff --git a/board-iwg20m.yml b/kas/board/iwg20m.yml
similarity index 100%
rename from board-iwg20m.yml
rename to kas/board/iwg20m.yml
diff --git a/board-qemu-amd64.yml b/kas/board/qemu-amd64.yml
similarity index 100%
rename from board-qemu-amd64.yml
rename to kas/board/qemu-amd64.yml
diff --git a/board-rzg2m.yml b/kas/board/rzg2m.yml
similarity index 100%
rename from board-rzg2m.yml
rename to kas/board/rzg2m.yml
diff --git a/board-simatic-ipc227e.yml b/kas/board/simatic-ipc227e.yml
similarity index 100%
rename from board-simatic-ipc227e.yml
rename to kas/board/simatic-ipc227e.yml
diff --git a/opt-4.4.yml b/kas/opt/4.4.yml
similarity index 100%
rename from opt-4.4.yml
rename to kas/opt/4.4.yml
diff --git a/opt-rt.yml b/kas/opt/rt.yml
similarity index 100%
rename from opt-rt.yml
rename to kas/opt/rt.yml
diff --git a/opt-stretch.yml b/kas/opt/stretch.yml
similarity index 100%
rename from opt-stretch.yml
rename to kas/opt/stretch.yml
diff --git a/opt-targz-img.yml b/kas/opt/targz-img.yml
similarity index 100%
rename from opt-targz-img.yml
rename to kas/opt/targz-img.yml
Applied to next, also fixing up the remaining README spots.

Thanks,
Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


[isar-cip-core PATCH v2 0/1] Cleanup

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Move kas related files into folder kas for a cleaner repository root.
Update isar to remove patches folder for now

Changes V2:
- move kas-cip back to repository root
- remove applied Update ISAR patch

Quirin Gylstorff (1):
kas: Restructure kas files.

.gitlab-ci.yml | 8 ++++----
README.md | 4 ++--
kas.yml => kas-cip.yml | 0
board-bbb.yml => kas/board/bbb.yml | 0
board-iwg20m.yml => kas/board/iwg20m.yml | 0
board-qemu-amd64.yml => kas/board/qemu-amd64.yml | 0
board-rzg2m.yml => kas/board/rzg2m.yml | 0
.../board/simatic-ipc227e.yml | 0
opt-4.4.yml => kas/opt/4.4.yml | 0
opt-rt.yml => kas/opt/rt.yml | 0
opt-stretch.yml => kas/opt/stretch.yml | 0
opt-targz-img.yml => kas/opt/targz-img.yml | 0
12 files changed, 6 insertions(+), 6 deletions(-)
rename kas.yml => kas-cip.yml (100%)
rename board-bbb.yml => kas/board/bbb.yml (100%)
rename board-iwg20m.yml => kas/board/iwg20m.yml (100%)
rename board-qemu-amd64.yml => kas/board/qemu-amd64.yml (100%)
rename board-rzg2m.yml => kas/board/rzg2m.yml (100%)
rename board-simatic-ipc227e.yml => kas/board/simatic-ipc227e.yml (100%)
rename opt-4.4.yml => kas/opt/4.4.yml (100%)
rename opt-rt.yml => kas/opt/rt.yml (100%)
rename opt-stretch.yml => kas/opt/stretch.yml (100%)
rename opt-targz-img.yml => kas/opt/targz-img.yml (100%)

--
2.20.1


[isar-cip-core PATCH v2 1/1] kas: Restructure kas files.

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Create folder structure
kas -> general configuration
kas/board -> all supported boards
kas/opt -> all kas option files

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.gitlab-ci.yml | 8 ++++----
README.md | 4 ++--
kas.yml => kas-cip.yml | 0
board-bbb.yml => kas/board/bbb.yml | 0
board-iwg20m.yml => kas/board/iwg20m.yml | 0
board-qemu-amd64.yml => kas/board/qemu-amd64.yml | 0
board-rzg2m.yml => kas/board/rzg2m.yml | 0
.../board/simatic-ipc227e.yml | 0
opt-4.4.yml => kas/opt/4.4.yml | 0
opt-rt.yml => kas/opt/rt.yml | 0
opt-stretch.yml => kas/opt/stretch.yml | 0
opt-targz-img.yml => kas/opt/targz-img.yml | 0
12 files changed, 6 insertions(+), 6 deletions(-)
rename kas.yml => kas-cip.yml (100%)
rename board-bbb.yml => kas/board/bbb.yml (100%)
rename board-iwg20m.yml => kas/board/iwg20m.yml (100%)
rename board-qemu-amd64.yml => kas/board/qemu-amd64.yml (100%)
rename board-rzg2m.yml => kas/board/rzg2m.yml (100%)
rename board-simatic-ipc227e.yml => kas/board/simatic-ipc227e.yml (100%)
rename opt-4.4.yml => kas/opt/4.4.yml (100%)
rename opt-rt.yml => kas/opt/rt.yml (100%)
rename opt-stretch.yml => kas/opt/stretch.yml (100%)
rename opt-targz-img.yml => kas/opt/targz-img.yml (100%)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6f1dc91..241b09e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,17 +13,17 @@ all:
- export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY

- - kas build kas.yml:board-simatic-ipc227e.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/simatic-ipc227e.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster simatic-ipc227e

- sudo rm -rf build/tmp
- - kas build kas.yml:board-bbb.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/bbb.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster bbb am335x-boneblack.dtb

- sudo rm -rf build/tmp
- - kas build kas.yml:board-iwg20m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/iwg20m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster iwg20m r8a7743-iwg20d-q7-dbcm-ca.dtb

- sudo rm -rf build/tmp
- - kas build kas.yml:board-rzg2m.yml:opt-rt.yml:opt-targz-img.yml
+ - kas build kas-cip.yml:kas/board/rzg2m.yml:kas/opt/rt.yml:kas/opt/targz-img.yml
- scripts/deploy-cip-core.sh buster hihope-rzg2m renesas/r8a774a1-hihope-rzg2m-ex.dtb
diff --git a/README.md b/README.md
index bbad1a0..1a7af21 100644
--- a/README.md
+++ b/README.md
@@ -21,11 +21,11 @@ start containers.
To build, e.g., the QEMU AMD64 target inside Docker, invoke kas-docker like
this:

- ./kas-docker --isar build kas.yml:board-qemu-amd64.yml
+ ./kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml

This image can be run using `start-qemu.sh x86`.

-The BeagleBone Black target is selected by `... kas.yml:board-bbb.yml`. In
+The BeagleBone Black target is selected by `... kas-cip.yml:kas/board/bbb.yml`. In
order to build the image with the PREEMPT-RT kernel, append `:opt-rt.yml` to
the above. Append ':opt-4.4.yml' to use the kernel version 4.4 instead of 4.19.

diff --git a/kas.yml b/kas-cip.yml
similarity index 100%
rename from kas.yml
rename to kas-cip.yml
diff --git a/board-bbb.yml b/kas/board/bbb.yml
similarity index 100%
rename from board-bbb.yml
rename to kas/board/bbb.yml
diff --git a/board-iwg20m.yml b/kas/board/iwg20m.yml
similarity index 100%
rename from board-iwg20m.yml
rename to kas/board/iwg20m.yml
diff --git a/board-qemu-amd64.yml b/kas/board/qemu-amd64.yml
similarity index 100%
rename from board-qemu-amd64.yml
rename to kas/board/qemu-amd64.yml
diff --git a/board-rzg2m.yml b/kas/board/rzg2m.yml
similarity index 100%
rename from board-rzg2m.yml
rename to kas/board/rzg2m.yml
diff --git a/board-simatic-ipc227e.yml b/kas/board/simatic-ipc227e.yml
similarity index 100%
rename from board-simatic-ipc227e.yml
rename to kas/board/simatic-ipc227e.yml
diff --git a/opt-4.4.yml b/kas/opt/4.4.yml
similarity index 100%
rename from opt-4.4.yml
rename to kas/opt/4.4.yml
diff --git a/opt-rt.yml b/kas/opt/rt.yml
similarity index 100%
rename from opt-rt.yml
rename to kas/opt/rt.yml
diff --git a/opt-stretch.yml b/kas/opt/stretch.yml
similarity index 100%
rename from opt-stretch.yml
rename to kas/opt/stretch.yml
diff --git a/opt-targz-img.yml b/kas/opt/targz-img.yml
similarity index 100%
rename from opt-targz-img.yml
rename to kas/opt/targz-img.yml
--
2.20.1

2201 - 2220 of 7061