Message ID | af4a6b50-c101-bbc2-9287-63ddc6a0fcc3@siemens.com (mailing list archive) |
---|---|
State | Accepted |
Series | [isar-cip-core] Update Isar revision, porting to bitbake 2 | expand |
On Tue, 2023-02-07 at 14:36 +0100, Jan Kiszka wrote: > From: Jan Kiszka <jan.kiszka@siemens.com> > > Lift isar-cip-core over the bitbake 2 barrier in order to update Isar > and benefit for latest upstream fixes. This requires the override and > append/remove conversions but also a few taggings of sudo-tasks. Thanks Jan for the patch. I tested it in an external layer and can confirm that it works with latest ISAR next (36ecd2f). Tested-by Felix Moessbauer <felix.moessbauer@siemens.com> Felix > > Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> > --- > classes/image_uuid.bbclass | 1 + > classes/squashfs.bbclass | 6 +++--- > classes/swupdate.bbclass | 1 + > classes/verity.bbclass | 7 ++++--- > doc/README.secureboot.md | 4 ++-- > doc/README.security-testing.md | 2 +- > kas-cip.yml | 2 +- > kas/opt/ebg-secure-boot-snakeoil.yml | 6 +++--- > kas/opt/ebg-swu.yml | 16 ++++++++------ > -- > kas/opt/kernel-panic.yml | 2 +- > kas/opt/swupdate.yml | 6 +++--- > kas/opt/test.yml | 4 ++-- > recipes-bsp/efibootguard/efibootguard_0.13.bb | 4 ++-- > recipes-bsp/u-boot/u-boot-bbb_2022.07.bb | 2 +- > recipes-bsp/u-boot/u-boot-common.inc | 12 ++++++------ > recipes-core/customizations/common.inc | 2 +- > recipes-core/customizations/customizations.bb | 2 +- > recipes-core/images/cip-core-image-security.bb | 4 ++-- > recipes-core/images/efibootguard.inc | 5 ++--- > recipes-core/images/swupdate.inc | 2 +- > .../kernelci-customizations.bb | 2 +- > .../swupdate/swupdate_2021.11-1+debian-gbp.bb | 4 ++-- > .../secure-boot-secrets/secure-boot-secrets.inc | 6 +++--- > recipes-kernel/linux/linux-cip-common.inc | 4 ++-- > 24 files changed, 54 insertions(+), 52 deletions(-) > > diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass > index 3e2e3dee..2bd530f5 100644 > --- a/classes/image_uuid.bbclass > +++ b/classes/image_uuid.bbclass 
> @@ -45,6 +45,7 @@ TARGET_IMAGE_UUID = "${@read_target_image_uuid(d)}" > do_generate_image_uuid[vardeps] += "IMAGE_UUID" > do_generate_image_uuid[depends] = "buildchroot-target:do_build" > do_generate_image_uuid[dirs] = "${DEPLOY_DIR_IMAGE}" > +do_generate_image_uuid[network] = "${TASK_USE_SUDO}" > do_generate_image_uuid() { > sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' > echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ > diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass > index 99436bcb..a06c5013 100644 > --- a/classes/squashfs.bbclass > +++ b/classes/squashfs.bbclass > @@ -9,7 +9,7 @@ > # SPDX-License-Identifier: MIT > # > > -IMAGER_INSTALL_squashfs += "squashfs-tools" > +IMAGER_INSTALL:squashfs += "squashfs-tools" > > SQUASHFS_EXCLUDE_DIRS ?= "" > SQUASHFS_CONTENT ?= "${PP_ROOTFS}" > @@ -27,8 +27,8 @@ python __anonymous() { > d.appendVar('SQUASHFS_CREATION_ARGS', args) > } > > -IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template" > -IMAGE_CMD_squashfs() { > +IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" > +IMAGE_CMD:squashfs() { > ${SUDO_CHROOT} /bin/mksquashfs \ > '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ > -noappend ${SQUASHFS_CREATION_ARGS} > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > index 451239e0..5eb49364 100644 > --- a/classes/swupdate.bbclass > +++ b/classes/swupdate.bbclass > @@ -23,6 +23,7 @@ IMAGER_INSTALL += "${@'openssl' if > bb.utils.to_boolean(d.getVar('SWU_SIGNED')) e > > do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}" > do_swupdate_binary[cleandirs] += "${WORKDIR}/swu" > +do_swupdate_binary[network] = "${TASK_USE_SUDO}" > do_swupdate_binary() { > rm -f '${SWU_IMAGE_FILE}' > cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' > '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' > diff --git a/classes/verity.bbclass b/classes/verity.bbclass > index b6b06f41..154b9e1e 100644 > --- a/classes/verity.bbclass > +++ b/classes/verity.bbclass 
> @@ -13,8 +13,8 @@ VERITY_IMAGE_TYPE ?= "squashfs" > > inherit ${VERITY_IMAGE_TYPE} > > -IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}" > -IMAGER_INSTALL_verity += "cryptsetup" > +IMAGE_TYPEDEP:verity = "${VERITY_IMAGE_TYPE}" > +IMAGER_INSTALL:verity += "cryptsetup" > > VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}" > VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity" > @@ -53,9 +53,10 @@ python calculate_verity_data_blocks() { > d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) > d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) > } > + > do_image_verity[cleandirs] = "${WORKDIR}/verity" > do_image_verity[prefuncs] = "calculate_verity_data_blocks" > -IMAGE_CMD_verity() { > +IMAGE_CMD:verity() { > rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} > rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} > > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index 7dff37d3..50562e11 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md > @@ -154,9 +154,9 @@ local_conf_header: > IMAGE_CLASSES += "verity" > IMAGE_FSTYPES = "wic" > WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" > - INITRAMFS_INSTALL_append = " initramfs-verity-hook" > + INITRAMFS_INSTALL:append = " initramfs-verity-hook" > # abrootfs cannot be installed together with verity > - INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook" > + INITRAMFS_INSTALL:remove = " initramfs-abrootfs-hook" > > local_conf_header: > secure-boot: | > diff --git a/doc/README.security-testing.md b/doc/README.security- > testing.md > index e3d16023..c9540beb 100644 > --- a/doc/README.security-testing.md > +++ b/doc/README.security-testing.md > @@ -10,7 +10,7 @@ This document explains how to verify basic > implementations of [CIP security requ > ``` > local_conf_header: > security_testing: | > - IMAGE_PREINSTALL_append=" sshpass" > + IMAGE_PREINSTALL:append=" sshpass" > ROOTFS_EXTRA="5120" > ``` > > diff --git a/kas-cip.yml b/kas-cip.yml > index b970f39c..e999fe21 100644 
> --- a/kas-cip.yml > +++ b/kas-cip.yml > @@ -22,7 +22,7 @@ repos: > > isar: > url: https://github.com/ilbers/isar.git > - refspec: fc4f004eb67237d9d09b1ffad0de1a19217fa94a > + refspec: 36ecd2fe9048829347225e90eb52ab0ca767b05a > layers: > meta: > > diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg- > secure-boot-snakeoil.yml > index e92ea5e0..a182a671 100644 > --- a/kas/opt/ebg-secure-boot-snakeoil.yml > +++ b/kas/opt/ebg-secure-boot-snakeoil.yml > @@ -18,11 +18,11 @@ local_conf_header: > secure-boot-image: | > IMAGE_CLASSES += "verity" > IMAGE_FSTYPES = "wic" > - IMAGE_TYPEDEP_wic += "verity" > + IMAGE_TYPEDEP:wic += "verity" > WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" > - INITRAMFS_INSTALL_append = " initramfs-verity-hook" > + INITRAMFS_INSTALL:append = " initramfs-verity-hook" > # abrootfs cannot be installed together with verity > - INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook" > + INITRAMFS_INSTALL:remove = " initramfs-abrootfs-hook" > > secure-boot: | > IMAGER_BUILD_DEPS += "ebg-secure-boot-signer" > diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml > index 6aa411b0..6bc893b3 100644 > --- a/kas/opt/ebg-swu.yml > +++ b/kas/opt/ebg-swu.yml 
> @@ -18,17 +18,17 @@ local_conf_header: > ebg_swu_bootloader: | > WKS_FILE ?= "${MACHINE}-efibootguard.wks.in" > SWUPDATE_BOOTLOADER = "efibootguard" > - IMAGE_INSTALL_remove = "u-boot-script" > + IMAGE_INSTALL:remove = "u-boot-script" > ebg_swu_image_options: | > - CIP_IMAGE_OPTIONS_append = " efibootguard.inc" > + CIP_IMAGE_OPTIONS:append = " efibootguard.inc" > initramfs: | > - INITRAMFS_INSTALL_append = " initramfs-abrootfs-hook" > + INITRAMFS_INSTALL:append = " initramfs-abrootfs-hook" > firmware-binaries: | > # Add ovmf binaries for qemu > - IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries" > + IMAGER_BUILD_DEPS:append:qemu-amd64 = " ovmf-binaries" > # not needed for Debian 11 and later > - DISTRO_APT_SOURCES_append_qemu-amd64_buster = " > conf/distro/debian-buster-backports.list" > - DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " > conf/distro/preferences.ovmf-snakeoil.conf" > + DISTRO_APT_SOURCES:append:qemu-amd64:buster = " > conf/distro/debian-buster-backports.list" > + DISTRO_APT_PREFERENCES:append:qemu-amd64:buster = " > conf/distro/preferences.ovmf-snakeoil.conf" > # Add U-Boot for qemu > - IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64" > - IMAGER_BUILD_DEPS_append_qemu-arm += "u-boot-qemu-arm" > + IMAGER_BUILD_DEPS:append:qemu-arm64 = " u-boot-qemu-arm64" > + IMAGER_BUILD_DEPS:append:qemu-arm = " u-boot-qemu-arm" > diff --git a/kas/opt/kernel-panic.yml b/kas/opt/kernel-panic.yml > index 9aac8b24..fe17982b 100644 > --- a/kas/opt/kernel-panic.yml > +++ b/kas/opt/kernel-panic.yml > @@ -15,4 +15,4 @@ header: > > local_conf_header: > kernel-panic: | > - IMAGE_INSTALL_append = " kernel-panic" > + IMAGE_INSTALL:append = " kernel-panic" > diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml > index 60a4aec3..ae5e3a16 100644 > --- a/kas/opt/swupdate.yml > +++ b/kas/opt/swupdate.yml 
> @@ -16,14 +16,14 @@ header: > > local_conf_header: > image-option-swupdate: | > - CIP_IMAGE_OPTIONS_append = " swupdate.inc" > + CIP_IMAGE_OPTIONS:append = " swupdate.inc" > > wic-swu: | > IMAGE_CLASSES += "squashfs" > - IMAGE_TYPEDEP_wic += "squashfs" > + IMAGE_TYPEDEP:wic += "squashfs" > IMAGE_FSTYPES = "wic" > WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in" > - INITRAMFS_INSTALL_append = " initramfs-squashfs-hook" > + INITRAMFS_INSTALL:append = " initramfs-squashfs-hook" > WIC_DEPLOY_PARTITIONS = "1" > ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001" > ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002" > diff --git a/kas/opt/test.yml b/kas/opt/test.yml > index 411582bd..7dd55364 100644 > --- a/kas/opt/test.yml > +++ b/kas/opt/test.yml > @@ -15,5 +15,5 @@ local_conf_header: > testing: | > IMAGE_INSTALL += "ltp-full" > IMAGE_PREINSTALL += "rt-tests stress-ng" > - DESCRIPTION_append = " with test packages" > - IMAGE_FULLNAME_append = "-test" > + DESCRIPTION:append = " with test packages" > + IMAGE_FULLNAME:append = "-test" > diff --git a/recipes-bsp/efibootguard/efibootguard_0.13.bb b/recipes- > bsp/efibootguard/efibootguard_0.13.bb > index 79f784b0..32798540 100644 > --- a/recipes-bsp/efibootguard/efibootguard_0.13.bb > +++ b/recipes-bsp/efibootguard/efibootguard_0.13.bb > @@ -27,8 +27,8 @@ PROVIDES += "${PN}-dev" > > DEPENDS = "python3-shtab" > BUILD_DEB_DEPENDS = "debhelper,autoconf-archive,check,gnu- > efi,libpci-dev,pkg-config,python3-shtab,zlib1g-dev" > -BUILD_DEB_DEPENDS_append_amd64 = ",libc6-dev-i386" > -BUILD_DEB_DEPENDS_append_i386 = ",libc6-dev-i386" > +BUILD_DEB_DEPENDS:append:amd64 = ",libc6-dev-i386" > +BUILD_DEB_DEPENDS:append:i386 = ",libc6-dev-i386" > > inherit dpkg > > diff --git a/recipes-bsp/u-boot/u-boot-bbb_2022.07.bb b/recipes- > bsp/u-boot/u-boot-bbb_2022.07.bb > index 3be09dc1..6632bb6c 100644 > --- a/recipes-bsp/u-boot/u-boot-bbb_2022.07.bb > +++ b/recipes-bsp/u-boot/u-boot-bbb_2022.07.bb 
> @@ -16,7 +16,7 @@ U_BOOT_BIN = "all" > > EFI_ARCH = "arm" > > -do_prepare_build_append() { > +do_prepare_build:append() { > echo "MLO u-boot.img /usr/lib/u-boot/${MACHINE}" > \ > ${S}/debian/u-boot-${MACHINE}.install > } > diff --git a/recipes-bsp/u-boot/u-boot-common.inc b/recipes-bsp/u- > boot/u-boot-common.inc > index 60f0da36..0486cdaf 100644 > --- a/recipes-bsp/u-boot/u-boot-common.inc > +++ b/recipes-bsp/u-boot/u-boot-common.inc > @@ -16,21 +16,21 @@ SRC_URI += " \ > file://rules.tmpl;subdir=debian" > SRC_URI[sha256sum] = > "92b08eb49c24da14c1adbf70a71ae8f37cc53eeb4230e859ad8b6733d13dcf5e" > > -SRC_URI_append_secureboot = " \ > +SRC_URI:append:secureboot = " \ > file://secure-boot.cfg.tmpl" > > S = "${WORKDIR}/u-boot-${PV}" > > DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl- > dev:${DISTRO_ARCH}" > > -DEBIAN_BUILD_DEPENDS_append_secureboot = ", \ > +DEBIAN_BUILD_DEPENDS:append:secureboot = ", \ > openssl, pesign, secure-boot-secrets, python3-openssl:native" > -DEPENDS_append_secureboot = " secure-boot-secrets" > +DEPENDS:append:secureboot = " secure-boot-secrets" > > -TEMPLATE_FILES_append_secureboot = " secure-boot.cfg.tmpl" > -TEMPLATE_VARS_append_secureboot = " EFI_ARCH" > +TEMPLATE_FILES:append:secureboot = " secure-boot.cfg.tmpl" > +TEMPLATE_VARS:append:secureboot = " EFI_ARCH" > > -do_prepare_build_append_secureboot() { > +do_prepare_build:append:secureboot() { > sed -ni '/### Secure boot config/q;p' > ${S}/configs/${U_BOOT_CONFIG} > cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG} > } > diff --git a/recipes-core/customizations/common.inc b/recipes- > core/customizations/common.inc > index 24c862c3..93f2fbe6 100644 > --- a/recipes-core/customizations/common.inc > +++ b/recipes-core/customizations/common.inc > @@ -11,7 +11,7 @@ > > inherit dpkg-raw > > -FILESPATH_append := ":${FILE_DIRNAME}/files" > +FILESPATH:append := ":${FILE_DIRNAME}/files" > > SRC_URI = " \ > file://postinst \ 
> diff --git a/recipes-core/customizations/customizations.bb b/recipes- > core/customizations/customizations.bb > index c057d576..ad16a906 100644 > --- a/recipes-core/customizations/customizations.bb > +++ b/recipes-core/customizations/customizations.bb > @@ -13,7 +13,7 @@ require common.inc > > DESCRIPTION = "CIP Core image demo & customizations" > > -do_prepare_build_prepend_qemu-riscv64() { > +do_prepare_build:prepend:qemu-riscv64() { > if ! grep -q serial-getty@hvc0.service ${WORKDIR}/postinst; > then > # suppress SBI console - overlaps with serial console > echo >> ${WORKDIR}/postinst > diff --git a/recipes-core/images/cip-core-image-security.bb > b/recipes-core/images/cip-core-image-security.bb > index 58a0f98c..bfd91bd3 100644 > --- a/recipes-core/images/cip-core-image-security.bb > +++ b/recipes-core/images/cip-core-image-security.bb > @@ -41,5 +41,5 @@ IMAGE_PREINSTALL += " \ > " > > # Package names based on the distro version > -IMAGE_PREINSTALL_append_buster = " libtss2-esys0" > -IMAGE_PREINSTALL_append_bullseye = " libtss2-esys-3.0.2-0" > +IMAGE_PREINSTALL:append:buster = " libtss2-esys0" > +IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0" > diff --git a/recipes-core/images/efibootguard.inc b/recipes- > core/images/efibootguard.inc > index eace4fd4..26026dcf 100644 > --- a/recipes-core/images/efibootguard.inc > +++ b/recipes-core/images/efibootguard.inc > @@ -9,10 +9,9 @@ > # SPDX-License-Identifier: MIT > # > > -IMAGE_INSTALL_append = " efibootguard" > +IMAGE_INSTALL:append = " efibootguard" > > -WIC_IMAGER_INSTALL_append = " efibootguard" > +WIC_IMAGER_INSTALL:append = " efibootguard" > WDOG_TIMEOUT ?= "60" > WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE DTB_FILES" > IMAGE_FSTYPES += "wic" > - > diff --git a/recipes-core/images/swupdate.inc b/recipes- > core/images/swupdate.inc > index 9b2aedcf..ee893dd2 100644 > --- a/recipes-core/images/swupdate.inc > +++ b/recipes-core/images/swupdate.inc 
> @@ -18,7 +18,7 @@ IMAGE_INSTALL += " swupdate-handler-roundrobin" > > ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4.gz" > > -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" > +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" > > SRC_URI += "file://sw-description.tmpl" > TEMPLATE_FILES += "sw-description.tmpl" > diff --git a/recipes-core/kernelci-customizations/kernelci- > customizations.bb b/recipes-core/kernelci-customizations/kernelci- > customizations.bb > index 91ad929a..f972be5b 100644 > --- a/recipes-core/kernelci-customizations/kernelci-customizations.bb > +++ b/recipes-core/kernelci-customizations/kernelci-customizations.bb > @@ -17,7 +17,7 @@ DESCRIPTION = "CIP Core KernelCI image > customizations" > > SRC_URI += "file://dmesg.sh" > > -do_install_append() { > +do_install:append() { > install -v -d ${D}/opt/kernelci > install -v -m 744 ${WORKDIR}/dmesg.sh ${D}/opt/kernelci/ > } > diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb > b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb > index eb0a735f..48b5c2d0 100644 > --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb > +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb > @@ -40,11 +40,11 @@ DEB_BUILD_PROFILES += "cross nocheck" > # DEB_BUILD_PROFILES += "pkg.swupdate.embeddedlua" > > # modify for debian buster build > -SRC_URI_append_buster = " > file://0006-debian-prepare-build-for-isar-debian-buster.patch" > +SRC_URI:append:buster = " > file://0006-debian-prepare-build-for-isar-debian-buster.patch" > > # disable create filesystem due to missing symbols in debian buster > # disable webserver due to missing symbols in debian buster > -DEB_BUILD_PROFILES_append_buster = " \ > +DEB_BUILD_PROFILES:append:buster = " \ > pkg.swupdate.bpo \ > pkg.swupdate.nocreatefs \ > pkg.swupdate.nowebserver " 
> diff --git a/recipes-devtools/secure-boot-secrets/secure-boot- > secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot- > secrets.inc > index f53435ac..76233b34 100644 > --- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc > +++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc > @@ -16,8 +16,8 @@ PROVIDES += "secure-boot-secrets" > SB_KEY ??= "" > SB_CERT ??= "" > > -SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEY') if > d.getVar('SB_KEY') else '' }" > -SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERT') if > d.getVar('SB_CERT') else '' }" > +SRC_URI:append = " ${@ "file://"+d.getVar('SB_KEY') if > d.getVar('SB_KEY') else '' }" > +SRC_URI:append = " ${@ "file://"+d.getVar('SB_CERT') if > d.getVar('SB_CERT') else '' }" > > do_install() { > if [ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]; then > @@ -29,6 +29,6 @@ do_install() { > install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem > } > > -do_prepare_build_append() { > +do_prepare_build:append() { > echo "Provides: secure-boot-secrets" >> ${S}/debian/control > } > diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes- > kernel/linux/linux-cip-common.inc > index 9b6cd3b0..7148a985 100644 > --- a/recipes-kernel/linux/linux-cip-common.inc > +++ b/recipes-kernel/linux/linux-cip-common.inc > @@ -9,7 +9,7 @@ > # SPDX-License-Identifier: MIT > # > > -FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:" > +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" > > KERNEL_DEFCONFIG ?= "${MACHINE}_defconfig" 
> > @@ -19,7 +19,7 @@ SRC_URI += " \ > > https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/snapshot/linux-cip-${PV}.tar.gz > \ > " > > -SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip- > kernel-config.git;protocol=https;destsuffix=cip-kernel- > config;name=cip-kernel-config" \ > +SRC_URI:append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip- > kernel-config.git;protocol=https;branch=master;destsuffix=cip-kernel- > config;name=cip-kernel-config" \ > if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \ > }" >
diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass index 3e2e3dee..2bd530f5 100644 --- a/classes/image_uuid.bbclass +++ b/classes/image_uuid.bbclass @@ -45,6 +45,7 @@ TARGET_IMAGE_UUID = "${@read_target_image_uuid(d)}" do_generate_image_uuid[vardeps] += "IMAGE_UUID" do_generate_image_uuid[depends] = "buildchroot-target:do_build" do_generate_image_uuid[dirs] = "${DEPLOY_DIR_IMAGE}" +do_generate_image_uuid[network] = "${TASK_USE_SUDO}" do_generate_image_uuid() { sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release' echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \ diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass index 99436bcb..a06c5013 100644 --- a/classes/squashfs.bbclass +++ b/classes/squashfs.bbclass @@ -9,7 +9,7 @@ # SPDX-License-Identifier: MIT # -IMAGER_INSTALL_squashfs += "squashfs-tools" +IMAGER_INSTALL:squashfs += "squashfs-tools" SQUASHFS_EXCLUDE_DIRS ?= "" SQUASHFS_CONTENT ?= "${PP_ROOTFS}" @@ -27,8 +27,8 @@ python __anonymous() { d.appendVar('SQUASHFS_CREATION_ARGS', args) } -IMAGE_CMD_squashfs[depends] = "${PN}:do_transform_template" -IMAGE_CMD_squashfs() { +IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" +IMAGE_CMD:squashfs() { ${SUDO_CHROOT} /bin/mksquashfs \ '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ -noappend ${SQUASHFS_CREATION_ARGS} diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 451239e0..5eb49364 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass @@ -23,6 +23,7 @@ IMAGER_INSTALL += "${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) e do_swupdate_binary[stamp-extra-info] = "${DISTRO}-${MACHINE}" do_swupdate_binary[cleandirs] += "${WORKDIR}/swu" +do_swupdate_binary[network] = "${TASK_USE_SUDO}" do_swupdate_binary() { rm -f '${SWU_IMAGE_FILE}' cp '${WORKDIR}/${SWU_DESCRIPTION_FILE}' '${WORKDIR}/swu/${SWU_DESCRIPTION_FILE}' diff --git a/classes/verity.bbclass b/classes/verity.bbclass index b6b06f41..154b9e1e 100644 --- a/classes/verity.bbclass 
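Review bot: The two added `[network] = "${TASK_USE_SUDO}"` flags, on `do_generate_image_uuid` in classes/image_uuid.bbclass and on `do_swupdate_binary` in classes/swupdate.bbclass, carry no comment, and a flag named "network" with a value named "sudo" does not explain itself. Going by the commit message these are the "taggings of sudo-tasks" needed for bitbake 2, which presumably exempts the task from bitbake's per-task isolation so that `sudo` keeps working, and as a side effect leaves the task with network access. I would put a line above each flag, e.g. `# uses sudo: opt out of bitbake's task isolation (this also leaves network access enabled)`. For `do_swupdate_binary` no `sudo` call is visible in the hunk and the function body continues outside it, so please confirm that task really needs the tag.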
+++ b/classes/verity.bbclass @@ -13,8 +13,8 @@ VERITY_IMAGE_TYPE ?= "squashfs" inherit ${VERITY_IMAGE_TYPE} -IMAGE_TYPEDEP_verity = "${VERITY_IMAGE_TYPE}" -IMAGER_INSTALL_verity += "cryptsetup" +IMAGE_TYPEDEP:verity = "${VERITY_IMAGE_TYPE}" +IMAGER_INSTALL:verity += "cryptsetup" VERITY_INPUT_IMAGE ?= "${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}" VERITY_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.verity" @@ -53,9 +53,10 @@ python calculate_verity_data_blocks() { d.setVar("VERITY_INPUT_IMAGE_SIZE", str(size)) d.setVar("VERITY_DATA_BLOCKS", str(size // data_block_size)) } + do_image_verity[cleandirs] = "${WORKDIR}/verity" do_image_verity[prefuncs] = "calculate_verity_data_blocks" -IMAGE_CMD_verity() { +IMAGE_CMD:verity() { rm -f ${DEPLOY_DIR_IMAGE}/${VERITY_OUTPUT_IMAGE} rm -f ${WORKDIR}/${VERITY_IMAGE_METADATA} diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 7dff37d3..50562e11 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -154,9 +154,9 @@ local_conf_header: IMAGE_CLASSES += "verity" IMAGE_FSTYPES = "wic" WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" - INITRAMFS_INSTALL_append = " initramfs-verity-hook" + INITRAMFS_INSTALL:append = " initramfs-verity-hook" # abrootfs cannot be installed together with verity - INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook" + INITRAMFS_INSTALL:remove = " initramfs-abrootfs-hook" local_conf_header: secure-boot: | diff --git a/doc/README.security-testing.md b/doc/README.security-testing.md index e3d16023..c9540beb 100644 --- a/doc/README.security-testing.md +++ b/doc/README.security-testing.md @@ -10,7 +10,7 @@ This document explains how to verify basic implementations of [CIP security requ ``` local_conf_header: security_testing: | - IMAGE_PREINSTALL_append=" sshpass" + IMAGE_PREINSTALL:append=" sshpass" ROOTFS_EXTRA="5120" ``` diff --git a/kas-cip.yml b/kas-cip.yml index b970f39c..e999fe21 100644 --- a/kas-cip.yml +++ b/kas-cip.yml 
@@ -22,7 +22,7 @@ repos: isar: url: https://github.com/ilbers/isar.git - refspec: fc4f004eb67237d9d09b1ffad0de1a19217fa94a + refspec: 36ecd2fe9048829347225e90eb52ab0ca767b05a layers: meta: diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml index e92ea5e0..a182a671 100644 --- a/kas/opt/ebg-secure-boot-snakeoil.yml +++ b/kas/opt/ebg-secure-boot-snakeoil.yml @@ -18,11 +18,11 @@ local_conf_header: secure-boot-image: | IMAGE_CLASSES += "verity" IMAGE_FSTYPES = "wic" - IMAGE_TYPEDEP_wic += "verity" + IMAGE_TYPEDEP:wic += "verity" WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" - INITRAMFS_INSTALL_append = " initramfs-verity-hook" + INITRAMFS_INSTALL:append = " initramfs-verity-hook" # abrootfs cannot be installed together with verity - INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook" + INITRAMFS_INSTALL:remove = " initramfs-abrootfs-hook" secure-boot: | IMAGER_BUILD_DEPS += "ebg-secure-boot-signer" diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml index 6aa411b0..6bc893b3 100644 --- a/kas/opt/ebg-swu.yml +++ b/kas/opt/ebg-swu.yml 
@@ -18,17 +18,17 @@ local_conf_header: ebg_swu_bootloader: | WKS_FILE ?= "${MACHINE}-efibootguard.wks.in" SWUPDATE_BOOTLOADER = "efibootguard" - IMAGE_INSTALL_remove = "u-boot-script" + IMAGE_INSTALL:remove = "u-boot-script" ebg_swu_image_options: | - CIP_IMAGE_OPTIONS_append = " efibootguard.inc" + CIP_IMAGE_OPTIONS:append = " efibootguard.inc" initramfs: | - INITRAMFS_INSTALL_append = " initramfs-abrootfs-hook" + INITRAMFS_INSTALL:append = " initramfs-abrootfs-hook" firmware-binaries: | # Add ovmf binaries for qemu - IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries" + IMAGER_BUILD_DEPS:append:qemu-amd64 = " ovmf-binaries" # not needed for Debian 11 and later - DISTRO_APT_SOURCES_append_qemu-amd64_buster = " conf/distro/debian-buster-backports.list" - DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf" + DISTRO_APT_SOURCES:append:qemu-amd64:buster = " conf/distro/debian-buster-backports.list" + DISTRO_APT_PREFERENCES:append:qemu-amd64:buster = " conf/distro/preferences.ovmf-snakeoil.conf" # Add U-Boot for qemu - IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64" - IMAGER_BUILD_DEPS_append_qemu-arm += "u-boot-qemu-arm" + IMAGER_BUILD_DEPS:append:qemu-arm64 = " u-boot-qemu-arm64" + IMAGER_BUILD_DEPS:append:qemu-arm = " u-boot-qemu-arm" diff --git a/kas/opt/kernel-panic.yml b/kas/opt/kernel-panic.yml index 9aac8b24..fe17982b 100644 --- a/kas/opt/kernel-panic.yml +++ b/kas/opt/kernel-panic.yml @@ -15,4 +15,4 @@ header: local_conf_header: kernel-panic: | - IMAGE_INSTALL_append = " kernel-panic" + IMAGE_INSTALL:append = " kernel-panic" diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index 60a4aec3..ae5e3a16 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml 
@@ -16,14 +16,14 @@ header: local_conf_header: image-option-swupdate: | - CIP_IMAGE_OPTIONS_append = " swupdate.inc" + CIP_IMAGE_OPTIONS:append = " swupdate.inc" wic-swu: | IMAGE_CLASSES += "squashfs" - IMAGE_TYPEDEP_wic += "squashfs" + IMAGE_TYPEDEP:wic += "squashfs" IMAGE_FSTYPES = "wic" WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in" - INITRAMFS_INSTALL_append = " initramfs-squashfs-hook" + INITRAMFS_INSTALL:append = " initramfs-squashfs-hook" WIC_DEPLOY_PARTITIONS = "1" ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001" ABROOTFS_PART_UUID_B ?= "fedcba98-7654-3210-cafe-5e0710000002" diff --git a/kas/opt/test.yml b/kas/opt/test.yml index 411582bd..7dd55364 100644 --- a/kas/opt/test.yml +++ b/kas/opt/test.yml @@ -15,5 +15,5 @@ local_conf_header: testing: | IMAGE_INSTALL += "ltp-full" IMAGE_PREINSTALL += "rt-tests stress-ng" - DESCRIPTION_append = " with test packages" - IMAGE_FULLNAME_append = "-test" + DESCRIPTION:append = " with test packages" + IMAGE_FULLNAME:append = "-test" diff --git a/recipes-bsp/efibootguard/efibootguard_0.13.bb b/recipes-bsp/efibootguard/efibootguard_0.13.bb index 79f784b0..32798540 100644 --- a/recipes-bsp/efibootguard/efibootguard_0.13.bb +++ b/recipes-bsp/efibootguard/efibootguard_0.13.bb @@ -27,8 +27,8 @@ PROVIDES += "${PN}-dev" DEPENDS = "python3-shtab" BUILD_DEB_DEPENDS = "debhelper,autoconf-archive,check,gnu-efi,libpci-dev,pkg-config,python3-shtab,zlib1g-dev" -BUILD_DEB_DEPENDS_append_amd64 = ",libc6-dev-i386" -BUILD_DEB_DEPENDS_append_i386 = ",libc6-dev-i386" +BUILD_DEB_DEPENDS:append:amd64 = ",libc6-dev-i386" +BUILD_DEB_DEPENDS:append:i386 = ",libc6-dev-i386" inherit dpkg diff --git a/recipes-bsp/u-boot/u-boot-bbb_2022.07.bb b/recipes-bsp/u-boot/u-boot-bbb_2022.07.bb index 3be09dc1..6632bb6c 100644 --- a/recipes-bsp/u-boot/u-boot-bbb_2022.07.bb +++ b/recipes-bsp/u-boot/u-boot-bbb_2022.07.bb 
@@ -16,7 +16,7 @@ U_BOOT_BIN = "all" EFI_ARCH = "arm" -do_prepare_build_append() { +do_prepare_build:append() { echo "MLO u-boot.img /usr/lib/u-boot/${MACHINE}" > \ ${S}/debian/u-boot-${MACHINE}.install } diff --git a/recipes-bsp/u-boot/u-boot-common.inc b/recipes-bsp/u-boot/u-boot-common.inc index 60f0da36..0486cdaf 100644 --- a/recipes-bsp/u-boot/u-boot-common.inc +++ b/recipes-bsp/u-boot/u-boot-common.inc @@ -16,21 +16,21 @@ SRC_URI += " \ file://rules.tmpl;subdir=debian" SRC_URI[sha256sum] = "92b08eb49c24da14c1adbf70a71ae8f37cc53eeb4230e859ad8b6733d13dcf5e" -SRC_URI_append_secureboot = " \ +SRC_URI:append:secureboot = " \ file://secure-boot.cfg.tmpl" S = "${WORKDIR}/u-boot-${PV}" DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}" -DEBIAN_BUILD_DEPENDS_append_secureboot = ", \ +DEBIAN_BUILD_DEPENDS:append:secureboot = ", \ openssl, pesign, secure-boot-secrets, python3-openssl:native" -DEPENDS_append_secureboot = " secure-boot-secrets" +DEPENDS:append:secureboot = " secure-boot-secrets" -TEMPLATE_FILES_append_secureboot = " secure-boot.cfg.tmpl" -TEMPLATE_VARS_append_secureboot = " EFI_ARCH" +TEMPLATE_FILES:append:secureboot = " secure-boot.cfg.tmpl" +TEMPLATE_VARS:append:secureboot = " EFI_ARCH" -do_prepare_build_append_secureboot() { +do_prepare_build:append:secureboot() { sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG} cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG} } diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc index 24c862c3..93f2fbe6 100644 --- a/recipes-core/customizations/common.inc +++ b/recipes-core/customizations/common.inc @@ -11,7 +11,7 @@ inherit dpkg-raw -FILESPATH_append := ":${FILE_DIRNAME}/files" +FILESPATH:append := ":${FILE_DIRNAME}/files" SRC_URI = " \ file://postinst \ diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb index c057d576..ad16a906 100644 
--- a/recipes-core/customizations/customizations.bb +++ b/recipes-core/customizations/customizations.bb @@ -13,7 +13,7 @@ require common.inc DESCRIPTION = "CIP Core image demo & customizations" -do_prepare_build_prepend_qemu-riscv64() { +do_prepare_build:prepend:qemu-riscv64() { if ! grep -q serial-getty@hvc0.service ${WORKDIR}/postinst; then # suppress SBI console - overlaps with serial console echo >> ${WORKDIR}/postinst diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb index 58a0f98c..bfd91bd3 100644 --- a/recipes-core/images/cip-core-image-security.bb +++ b/recipes-core/images/cip-core-image-security.bb @@ -41,5 +41,5 @@ IMAGE_PREINSTALL += " \ " # Package names based on the distro version -IMAGE_PREINSTALL_append_buster = " libtss2-esys0" -IMAGE_PREINSTALL_append_bullseye = " libtss2-esys-3.0.2-0" +IMAGE_PREINSTALL:append:buster = " libtss2-esys0" +IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0" diff --git a/recipes-core/images/efibootguard.inc b/recipes-core/images/efibootguard.inc index eace4fd4..26026dcf 100644 --- a/recipes-core/images/efibootguard.inc +++ b/recipes-core/images/efibootguard.inc @@ -9,10 +9,9 @@ # SPDX-License-Identifier: MIT # -IMAGE_INSTALL_append = " efibootguard" +IMAGE_INSTALL:append = " efibootguard" -WIC_IMAGER_INSTALL_append = " efibootguard" +WIC_IMAGER_INSTALL:append = " efibootguard" WDOG_TIMEOUT ?= "60" WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE DTB_FILES" IMAGE_FSTYPES += "wic" - diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc index 9b2aedcf..ee893dd2 100644 --- a/recipes-core/images/swupdate.inc +++ b/recipes-core/images/swupdate.inc 
@@ -18,7 +18,7 @@ IMAGE_INSTALL += " swupdate-handler-roundrobin" ROOTFS_PARTITION_NAME = "${IMAGE_FULLNAME}.wic.p4.gz" -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" SRC_URI += "file://sw-description.tmpl" TEMPLATE_FILES += "sw-description.tmpl" diff --git a/recipes-core/kernelci-customizations/kernelci-customizations.bb b/recipes-core/kernelci-customizations/kernelci-customizations.bb index 91ad929a..f972be5b 100644 --- a/recipes-core/kernelci-customizations/kernelci-customizations.bb +++ b/recipes-core/kernelci-customizations/kernelci-customizations.bb @@ -17,7 +17,7 @@ DESCRIPTION = "CIP Core KernelCI image customizations" SRC_URI += "file://dmesg.sh" -do_install_append() { +do_install:append() { install -v -d ${D}/opt/kernelci install -v -m 744 ${WORKDIR}/dmesg.sh ${D}/opt/kernelci/ } diff --git a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb index eb0a735f..48b5c2d0 100644 --- a/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb +++ b/recipes-core/swupdate/swupdate_2021.11-1+debian-gbp.bb @@ -40,11 +40,11 @@ DEB_BUILD_PROFILES += "cross nocheck" # DEB_BUILD_PROFILES += "pkg.swupdate.embeddedlua" # modify for debian buster build -SRC_URI_append_buster = " file://0006-debian-prepare-build-for-isar-debian-buster.patch" +SRC_URI:append:buster = " file://0006-debian-prepare-build-for-isar-debian-buster.patch" # disable create filesystem due to missing symbols in debian buster # disable webserver due to missing symbols in debian buster -DEB_BUILD_PROFILES_append_buster = " \ +DEB_BUILD_PROFILES:append:buster = " \ pkg.swupdate.bpo \ pkg.swupdate.nocreatefs \ pkg.swupdate.nowebserver " diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc index f53435ac..76233b34 100644 --- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc 
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc @@ -16,8 +16,8 @@ PROVIDES += "secure-boot-secrets" SB_KEY ??= "" SB_CERT ??= "" -SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEY') if d.getVar('SB_KEY') else '' }" -SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERT') if d.getVar('SB_CERT') else '' }" +SRC_URI:append = " ${@ "file://"+d.getVar('SB_KEY') if d.getVar('SB_KEY') else '' }" +SRC_URI:append = " ${@ "file://"+d.getVar('SB_CERT') if d.getVar('SB_CERT') else '' }" do_install() { if [ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]; then @@ -29,6 +29,6 @@ do_install() { install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem } -do_prepare_build_append() { +do_prepare_build:append() { echo "Provides: secure-boot-secrets" >> ${S}/debian/control } diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 9b6cd3b0..7148a985 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc @@ -9,7 +9,7 @@ # SPDX-License-Identifier: MIT # -FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:" +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" KERNEL_DEFCONFIG ?= "${MACHINE}_defconfig" @@ -19,7 +19,7 @@ SRC_URI += " \ https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/snapshot/linux-cip-${PV}.tar.gz \ " -SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;destsuffix=cip-kernel-config;name=cip-kernel-config" \ +SRC_URI:append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;branch=master;destsuffix=cip-kernel-config;name=cip-kernel-config" \ if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \ }"
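Review bot: The `branch=master` parameter added to the cip-kernel-config `git://` entry in `SRC_URI:append` (recipes-kernel/linux/linux-cip-common.inc) names a moving branch, and no revision pin for that source is visible in this hunk. Because the entry carries `name=cip-kernel-config`, the fetch should be tied to a fixed commit through the matching named revision variable, which is presumably set elsewhere in the file. Please confirm it holds a full commit hash rather than `${AUTOREV}`, so that the kernel configuration going into the image is reproducible and cannot change with an upstream push. A short comment next to the URI would make this checkable in review, e.g. `# revision pinned via SRCREV_cip-kernel-config`.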