From patchwork Thu May  5 16:43:17 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839788
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B5B59C433F5
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-227.siemens.flowmailer.net
 (mta-64-227.siemens.flowmailer.net [185.136.64.227])
 by mx.groups.io with SMTP id smtpd.web11.13539.1651769014539215601
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:35 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=N5kR9w6k;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227,
 mailfrom:
 fm-294854-202205051643319504194c1e9a1c2905-uft87y@rts-flowmailer.siemens.com)
Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id
 202205051643319504194c1e9a1c2905
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:31 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=B1Gz+TLYxJ3TSprOo31rYjOWc/C9tv3v3IdLIcb3fMc=;
 b=N5kR9w6kf8fxbiWnn31FhUljUaam6dhIgm/QssNWsTfGgzuJ6UwAUZ7MruWwN6yYGfs8VL
 BPVvi69jI3rerlooZTT1Pqjd1Y5MzRtzGLrbTySMYMx3ha9AS7pNcJuYxrJ6dq10wEO9nEnU
 VDErBw91vfXKR/abFrQ/9Uv4Nw4Kw=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 01/13] initramfs-etc-overlay-hook: Improve
 error reporting of script
Date: Thu,  5 May 2022 18:43:17 +0200
Message-Id: 
 <4f88138887963ae36f0c54258801d4d059b37132.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8255

From: Jan Kiszka <jan.kiszka@siemens.com>

Fail loudly in case the overlay cannot be mounted.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-etc-overlay-hook/files/etc-overlay.script       | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script b/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
index a9a3663..6e5aacd 100644
--- a/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
+++ b/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.script
@@ -31,4 +31,6 @@ fi
 
 mkdir -p ${rootmnt}/var/local/etc
 mkdir -p ${rootmnt}/var/local/.atomic
-mount -t overlay -o lowerdir=${rootmnt}/etc,upperdir=${rootmnt}/var/local/etc,workdir=${rootmnt}/var/local/.atomic overlay ${rootmnt}/etc
+if ! mount -t overlay -o lowerdir=${rootmnt}/etc,upperdir=${rootmnt}/var/local/etc,workdir=${rootmnt}/var/local/.atomic overlay ${rootmnt}/etc; then
+	panic "Can't mount overlay!"
+fi

From patchwork Thu May  5 16:43:18 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839786
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B3C04C433EF
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-65-225.siemens.flowmailer.net
 (mta-65-225.siemens.flowmailer.net [185.136.65.225])
 by mx.groups.io with SMTP id smtpd.web11.13541.1651769014822241356
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:35 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=Fr7TRiyO;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225,
 mailfrom:
 fm-294854-202205051643316637f9cd2d42a4bed0-hsxbfp@rts-flowmailer.siemens.com)
Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id
 202205051643316637f9cd2d42a4bed0
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:31 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=yc1tBJMr8NLC7gYRSH6TtnijvCrtxJTLX06pCsbi0s8=;
 b=Fr7TRiyOJjZrwCxUGt5dH5f8iACYqrJQzIuDxqP4ub6f3q8xWkt1XNBQHDgE+ASO6e2NsC
 AkJgpib4jOg6YmOB6DubIldl448wsrEmTYQvedReJqMqwwQr8k56okZ7e7CCdxwfwa0pNesG
 zo9LWtf4AmHcJ00ncq+RLDw7LufUU=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 02/13] initramfs-etc-overlay-hook: Install
 overlay module
Date: Thu,  5 May 2022 18:43:18 +0200
Message-Id: 
 <ff9a89cb20920ddbacebc4c78e57e52537466064.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8256

From: Jan Kiszka <jan.kiszka@siemens.com>

Needed in case overlay support is built as kernel module.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../files/etc-overlay.hook                    | 25 +++++++++++++++++++
 .../initramfs-etc-overlay-hook_0.1.bb         |  3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.hook

diff --git a/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.hook b/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.hook
new file mode 100644
index 0000000..bfaa7b6
--- /dev/null
+++ b/recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.hook
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+manual_add_modules overlay
diff --git a/recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb b/recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb
index 19e9261..37a04ec 100644
--- a/recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-etc-overlay-hook/initramfs-etc-overlay-hook_0.1.bb
@@ -12,6 +12,7 @@
 inherit dpkg-raw
 
 SRC_URI += " \
+    file://etc-overlay.hook \
     file://etc-overlay.script \
     "
 
@@ -22,6 +23,8 @@ do_install[cleandirs] += " \
     ${D}/usr/share/initramfs-tools/scripts/local-bottom"
 
 do_install() {
+    install -m 0755 "${WORKDIR}/etc-overlay.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/etc-overlay"
     install -m 0755 "${WORKDIR}/etc-overlay.script" \
         "${D}/usr/share/initramfs-tools/scripts/local-bottom/etc-overlay"
 }

From patchwork Thu May  5 16:43:19 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839790
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C2B47C4332F
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-227.siemens.flowmailer.net
 (mta-64-227.siemens.flowmailer.net [185.136.64.227])
 by mx.groups.io with SMTP id smtpd.web10.13630.1651769015166942512
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=QGzWTDq1;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227,
 mailfrom:
 fm-294854-202205051643312855fc8dacdd081675-gg8bj7@rts-flowmailer.siemens.com)
Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id
 202205051643312855fc8dacdd081675
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:32 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=H3LAbwPwPAClZiw/dtEOjNGKWWic7d23Z2Eev3QIIss=;
 b=QGzWTDq1rg0Svm+LzdfSI0QrBU8VueoB3xUyN1klUTxXCFeGmrK/Xpc/eTR9XNWOLVsFXr
 xfAHnPU2wOQlHH7wbXuk4bxd4a7zwjhQa5QShvrygvCFJRxaIKrhrMHiANEeQlk1yTKfpoI5
 wCa4rmTkohJNMQeK5byNhAopF7FJI=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 03/13] initramfs-abrootfs-hook: Remove
 obsolete patch
Date: Thu,  5 May 2022 18:43:19 +0200
Message-Id: 
 <ce43aec6418357fbeb6a7489725e2e9153a2d5d2.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8260

From: Jan Kiszka <jan.kiszka@siemens.com>

Forgotten to remove in f1e559498116.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../files/debian-local-patch                  | 103 ------------------
 1 file changed, 103 deletions(-)
 delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch

diff --git a/recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch b/recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
deleted file mode 100644
index cd2d271..0000000
--- a/recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
+++ /dev/null
@@ -1,103 +0,0 @@
---- local.orig	2020-11-18 14:42:43.540055680 +0530
-+++ local	2020-11-18 20:15:48.687164540 +0530
-@@ -1,5 +1,4 @@
- # Local filesystem mounting			-*- shell-script -*-
--
- local_top()
- {
- 	if [ "${local_top_used}" != "yes" ]; then
-@@ -152,36 +151,70 @@
- 	DEV="${real_dev}"
- }
- 
--local_mount_root()
-+local_find_by_uuid()
- {
--	local_top
--	if [ -z "${ROOT}" ]; then
--		panic "No root device specified. Boot arguments must include a root= parameter."
--	fi
--	local_device_setup "${ROOT}" "root file system"
--	ROOT="${DEV}"
-+	partitions="$1"
- 
--	# Get the root filesystem type if not set
--	if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
--		FSTYPE=$(get_fstype "${ROOT}")
--	else
--		FSTYPE=${ROOTFSTYPE}
--	fi
-+	for part in $partitions; do
-+		if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
-+			local_device_setup "${part}" "root file system"
-+			ROOT="${DEV}"
-+
-+			# Get the root filesystem type if not set
-+			if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
-+				FSTYPE=$(get_fstype "${ROOT}")
-+			else
-+				FSTYPE=${ROOTFSTYPE}
-+			fi
- 
--	local_premount
-+			local_premount
- 
--	if [ "${readonly?}" = "y" ]; then
--		roflag=-r
--	else
--		roflag=-w
--	fi
-+			if [ "${readonly?}" = "y" ]; then
-+				roflag=-r
-+			else
-+				roflag=-w
-+			fi
-+			checkfs "${ROOT}" root "${FSTYPE}"
- 
--	checkfs "${ROOT}" root "${FSTYPE}"
-+			# Mount root
-+			# shellcheck disable=SC2086
-+			if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
-+				if [ -e "${rootmnt?}"/etc/os-release ]; then
-+				image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' )
-+					if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then
-+						return 0
-+					fi
-+				fi
-+				umount "${rootmnt?}"
-+			fi
-+		fi
-+	done
-+	return 1
-+}
- 
--	# Mount root
--	# shellcheck disable=SC2086
--	if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
--		panic "Failed to mount ${ROOT} as root file system."
-+local_mount_root()
-+{
-+	local_top
-+	if [ ! -e /conf/image_uuid ]; then
-+		 panic "could not find image_uuid to select correct root file system"
-+	fi
-+	local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid)
-+	local partitions=""
-+	local ret=1
-+	local timeout_uuid=0
-+	while [ "${ret}" != 0 ] && [ "${timeout_uuid}" -le 10 ]; do
-+		wait_for_udev 10
-+		partitions=$(blkid -o device)
-+		local_find_by_uuid "$partitions"
-+		ret=$?
-+		timeout_uuid="$(cat /proc/uptime)"
-+		timeout_uuid="${timeout_uuid%%[. ]*}"
-+		timeout_uuid=$((timeout_uuid - local_top_time))
-+	done
-+	if [ "${ret}" != 0 ]; then
-+		panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID"
-+	else
-+		return $ret
- 	fi
- }
- 

From patchwork Thu May  5 16:43:20 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839797
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DB279C4167E
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-225.siemens.flowmailer.net
 (mta-64-225.siemens.flowmailer.net [185.136.64.225])
 by mx.groups.io with SMTP id smtpd.web09.13556.1651769015245627704
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=Byx0wH3Y;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225,
 mailfrom:
 fm-294854-20220505164332af3cf3312e625e19c9-in9loj@rts-flowmailer.siemens.com)
Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id
 20220505164332af3cf3312e625e19c9
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:32 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=K35Ae1gfsZ0qcjF3h4mikEhOaqCyQ0NbbkjycvX7GVc=;
 b=Byx0wH3YVamoS3+mVzcOK8JDpdtzXbQeyPdZsXmvLq1yYszAhOneErN7HfM+3IVrox7Ecw
 gafNs7Dfwu5j7TlIiXE4WpVWW9vxxG8RNQpwoWpi55FU/vfhkAsjto2yxMxQhZm0HCitrLU8
 JQsko/tIWmKIJjb1UZtW4nvJpUUyI=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 04/13] Rework secure boot key handling and
 signing recipes
Date: Thu,  5 May 2022 18:43:20 +0200
Message-Id: 
 <ec0256be52152975c1a9be42ca875059a222cbbc.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8262

From: Jan Kiszka <jan.kiszka@siemens.com>

Simplify the signing recipe to a single, generic one. Instead, provide
secure-boot-secrets packages that contain the used image key and
certificate at a well-defined location. This allows for easy reuse in
other recipes than ebg-secure-boot-signer. U-Boot will be one.

Rather than using the OVMF package as build-time source for the snakeoil
keys, we import the two artifacts here. This allows to run the required
key removal upfront and simplifies the usage for buster. The certificate
has such a long lifetime that also future Debian should use the same
one, thus the snakeoil artifacts of OVMF should stay in sync with our
copy of key and cert. We may revisit this when discontinuing support for
buster, though.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 doc/README.secureboot.md                      | 22 ++++----
 kas/opt/ebg-secure-boot-snakeoil.yml          |  7 +--
 .../ebg-secure-boot-secrets_0.1.bb            | 51 -------------------
 .../ebg-secure-boot-secrets/files/README.md   |  1 -
 .../files/control.tmpl                        | 12 -----
 .../files/sign_secure_image.sh.tmpl           | 22 --------
 .../ebg-secure-boot-signer_0.1.bb             | 26 ++++++++++
 .../files/sign_secure_image.sh                | 33 ++++++++++++
 .../ebg-secure-boot-snakeoil_0.1.bb           | 34 -------------
 .../files/control.tmpl                        | 12 -----
 .../files/sign_secure_image.sh                | 36 -------------
 .../files/PkKek-1-snakeoil.key                | 27 ++++++++++
 .../files/PkKek-1-snakeoil.pem                | 21 ++++++++
 .../secure-boot-key_0.1.bb                    | 14 +++++
 .../secure-boot-secrets.inc                   | 34 +++++++++++++
 .../secure-boot-snakeoil_0.1.bb               | 17 +++++++
 16 files changed, 186 insertions(+), 183 deletions(-)
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
 delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
 create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
 create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
 create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index b2d7be9..c1a0301 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -43,24 +43,22 @@ executable or script with the following interface:
 Supply the script name and path to wic by adding
 `signwith=<path and name of the script to sign>"` to sourceparams of the partition.
 
-### Existing packages to sign an image
+### Existing key packages for signing an image
 
-#### ebg-secure-boot-snakeoil
+#### secure-boot-snakeoil
 
 This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
-backported from Debian bullseye and signs the image.
+backported from Debian bullseye for signing the image.
 
-#### ebg-secure-boot-secrets
-This package takes a user-generated certificate and adds it to the build system.
+#### secure-boot-key
+
+This package takes a user-generated certificate and key adds them to the build system.
 The following variable and steps are necessary to build a secure boot capable image:
 - Set certification information to sign and verify the image with:
-    - SB_CERTDB: The directory containing the certificate database create with certutil
-    - SB_VERIFY_CERT: The certificate to verify the signing process
-    - SB_KEY_NAME: Name of the key in the certificate database
-- if necessary change the script to select the boot partition after an update
-    - recipes-support/initramfs-config/files/initramfs.selectrootfs.script
+    - SB_CERT: The certificate to verify the signing process
+    - SB_KEY: The private key of for the certificate
 
-The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in  `recipes-devtools/ebg-secure-boot-secrets/files/`
+The files referred by SB_CERT and SB_KEY must be store in `recipes-devtools/secure-boot-secrets/files/`.
 
 ## Running in QEMU
 
@@ -96,7 +94,7 @@ scripts/generate-sb-db-from-existing-certificate.sh
 ```
 This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name.
 
-Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/`
+Copy the used certificate and private key to `recipes-devtools/secure-boot-secrets/files/`
 
 #### Generate keys
 
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index b329f41..7442eb7 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -28,6 +28,7 @@ local_conf_header:
     INITRAMFS_INSTALL_append = " initramfs-verity-hook"
 
   secure-boot: |
-    # Add snakeoil binaries for qemu
-    IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil"
-    IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
+    IMAGER_INSTALL += "ebg-secure-boot-signer"
+    # Use snakeoil keys
+    PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-snakeoil"
diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
deleted file mode 100644
index 0d57910..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit dpkg-raw
-
-DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \
-               sign an image with the given keys"
-
-# variables
-SB_CERT_PATH = "/usr/share/ebg-secure-boot"
-SB_CERTDB ??= ""
-SB_VERIFY_CERT ??= ""
-SB_KEY_NAME ??= "demoDB"
-
-# used to sign the image
-DEBIAN_DEPENDS = "pesign, sbsigntool"
-
-# this package cannot be install together with:
-DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"
-
-SRC_URI = " \
-    file://sign_secure_image.sh.tmpl \
-    file://control.tmpl"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERTDB') if d.getVar('SB_CERTDB') else '' }"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_VERIFY_CERT') if d.getVar('SB_VERIFY_CERT') else '' }"
-TEMPLATE_FILES = "sign_secure_image.sh.tmpl"
-TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME"
-
-TEMPLATE_FILES += "control.tmpl"
-TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
-
-do_install() {
-    TARGET=${D}${SB_CERT_PATH}
-    install -m 0700 -d ${TARGET}
-    cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}
-    chmod 700 ${TARGET}/${SB_CERTDB}
-    install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT}
-    TARGET=${D}/usr/bin
-    install -d ${TARGET}
-    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
-}
-
-addtask do_install after do_transform_template
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
deleted file mode 100644
index c739c51..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/files/README.md
+++ /dev/null
@@ -1 +0,0 @@
-For a secure boot image this directory needs to contain the certdb directory and the db.crt file.
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
deleted file mode 100644
index 8361a49..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
+++ /dev/null
@@ -1,12 +0,0 @@
-Source: ${PN}
-Section: misc
-Priority: optional
-Standards-Version: 3.9.6
-Maintainer: ${MAINTAINER}
-Build-Depends: debhelper (>= 9)
-
-Package: ${PN}
-Architecture: ${DPKG_ARCH}
-Depends: ${DEBIAN_DEPENDS}
-Description: ${DESCRIPTION}
-Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
deleted file mode 100644
index e84fd4c..0000000
--- a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-set -x
-signee=$1
-signed=$2
-
-usage(){
-    echo "sign with debian snakeoil"
-    echo "$0 signee signed"
-    echo "signee: path to the image to be signed"
-    echo "signed: path to store the signed image"
-}
-
-
-if [ -z "$signee" ] || [ -z "$signed" ]; then
-    usage
-    exit 1
-fi
-
-pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed
-sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed
-exit 0
diff --git a/recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb b/recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
new file mode 100644
index 0000000..546fded
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Signing script for EFI Boot Guard setups"
+
+DEPENDS = "secure-boot-secrets"
+DEBIAN_DEPENDS = "sbsigntool, secure-boot-secrets"
+
+SRC_URI = "file://sign_secure_image.sh"
+
+do_install() {
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
diff --git a/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
new file mode 100644
index 0000000..0c9b898
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+set -e
+
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with image keys"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+keydir=/usr/share/secure-boot-secrets
+
+sbsign --key ${keydir}/secure-boot.key --cert ${keydir}/secure-boot.pem --output $signed $signee
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
deleted file mode 100644
index 4975d92..0000000
--- a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit dpkg-raw
-
-DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys"
-# used to sign the image
-DEBIAN_DEPENDS = "pesign,  sbsigntool, ovmf, openssl, libnss3-tools"
-
-
-# this package cannot be install together with:
-DEBIAN_CONFLICTS = "ebg-secure-boot-secrets"
-
-SRC_URI = "file://sign_secure_image.sh \
-           file://control.tmpl"
-
-TEMPLATE_FILES = "control.tmpl"
-TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
-
-do_install() {
-    TARGET=${D}/usr/bin
-    install -d ${TARGET}
-    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
-}
-
-addtask do_install after do_transform_template
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
deleted file mode 100644
index 8361a49..0000000
--- a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
+++ /dev/null
@@ -1,12 +0,0 @@
-Source: ${PN}
-Section: misc
-Priority: optional
-Standards-Version: 3.9.6
-Maintainer: ${MAINTAINER}
-Build-Depends: debhelper (>= 9)
-
-Package: ${PN}
-Architecture: ${DPKG_ARCH}
-Depends: ${DEBIAN_DEPENDS}
-Description: ${DESCRIPTION}
-Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
deleted file mode 100644
index 081dbe9..0000000
--- a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-set -e
-set -x
-signee=$1
-signed=$2
-
-usage(){
-    echo "sign with debian snakeoil"
-    echo "$0 signee signed"
-    echo "signee: path to the image to be signed"
-    echo "signed: path to store the signed image"
-}
-
-
-if [ -z "$signee" ] || [ -z "$signed" ]; then
-    usage
-    exit 1
-fi
-
-name=snakeoil
-keydir=$(mktemp -d)
-inkey=/usr/share/ovmf/PkKek-1-snakeoil.key
-incert=/usr/share/ovmf/PkKek-1-snakeoil.pem
-nick_name=snakeoil
-TMP=$(mktemp -d)
-mkdir -p ${keydir}/${name}certdb
-certutil -N --empty-password -d ${keydir}/${name}certdb
-openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
-pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
-cp $incert ${keydir}/$(basename $incert)
-rm -rf $TMP
-
-pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed
-sbverify --cert $incert $signed
-rm -rf $keydir
-exit 0
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
new file mode 100644
index 0000000..193de62
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyIuuXei5qIw+UvavLxPyyNhx0G6Ijuf9SqxVXOpKcQ+l3ZCc
+KQaCLWCH0pbPQj587zVjgMUd4SHgXdVP6awDz8b0NcLgyzF31pHBmmB3z55nv2Jb
+gI56bix9TEHLpoDs4+cWAb2WZPkW8rV/6YR+xVuE8fi9aAWJ7H4dwUhPzU7RBB1d
+Z1wF6Wv3b8nn1jJa5W8I3zOd+tpWczOsqyRnDnFhMiOulGAiFTtmIXv2VReQf7Tx
+rXdqAAs9dcS3qizzNVgY5XpABtmYu1AjyLwwqXZ+blZ2tmUUJicgw3YdCWtlTAtf
+XZDHf+ZzgCNtTvhb2DzpAVmF/H+A8w8lUJZiBQIDAQABAoIBABET/BRZNj5JOyF7
+im2a6Ej8TazvTMfGr8ZFKLvR4+b+6yQUJYhE2p8colRnrVy5z4/bXw7fOm0qol27
+RaPjlyuBiNhvMQ98tfTa0r7fyjQvDCy7JomrGHf7Z+wvijUys3mw+ynIyF7u62pd
+1HfBZb5OzeKBSTfriNRP5R7JlqooDl+O9JVlnvlJIaFe1rX2sQxZ7F8gVINKIJDv
+n7ZZ0o351uIMjKLqwmliULPTjZ2ZeeJqnkB0pFcWZzEf2wAnrrglYRdnn10oNzhB
+6cXMHJeuEOedXECLZtmynRw1dWZK9+Xku1jEAqTWAoI0OIjrfYYzntwe/kab8w/R
+T7ojFGECgYEA9rGhtmSQiim2h+3iGyXNTEQiEOFFL7E8/1ibfWi3vzDhoLARrnH1
+p45DPgnL664xLHXIUl6/wto79Ij/2qA9mp054nVJ4X4AQgq3xCT/57nL0QHfQLaa
+VdzNIoz4jJT3cO0gYcBAK4Bg+dGGQ6ZUrRRt6VkHG/W6fW0D1e7PnEkCgYEA0Bxj
+Jr4ShNXb7J4YDQ24uSwmc2E1IgX5FjHu/JMKCiyIDWQkrxtVdIL9v6+kmYecyxFJ
+S3Qyr3ZqOHqwN1svYuB/CHyKg6dHrzJyZFTj8cr8h0ZKLDu2xZNFxfBIjn5vitSX
+W9q3477oFG/30Ew12Yee4NhDQkaEuB/Ic9+yv90CgYB2y00rLrwnvDSIunXiSs7U
+xg59gG03rSrJb5rYxj+NkvVj0sWA8qGwASLCUidfo69MUJ+ZgsTnCP5MIFjMp9Ni
+jAne0ko0it+G7fBWRNbyeJb8W+FtIUGqzTv/QlFCKU4KlDW+vLxp9lU8l7gHBabK
+/gZ7kwKIZUlbss5hC7Hv+QKBgQCsQBLBKmlhkTEqs9/sTgMrISPiM/8qXg9BE6tf
+WsTgjuM9UjoaxWEBwroMQnDWsqxQV8p2rYKWQEjC3qmj59Fc4bvDZnGvbnGizPpp
+mOniY8SIouEZo4MwHSmPH8auSnBAVJ3C5VF3K7gj0lknCy03E02phNaGsJ+BVq0v
+W2Qz8QKBgEB5RKiwJhgGQA2o+NJKKUUCDM9iBsO1Yy3QwtDWioKKcdAkxdTg3xR+
+XtJdXq6MkCMWM5em3v6GHPceexn81FZTxGBbIMBYNp0Sp4qs/3lK64ln8m5Qttxe
+70HVtrp9HhG5oFJ3fUuLPcYpE2GMgPM9fIbAWh9GZ4GpTLuPRtWg
+-----END RSA PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
new file mode 100644
index 0000000..dd02a82
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIULTs+L+8XzClMGhAvyFIdsp/PYgUwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCENvbG9yYWRvMRUwEwYDVQQHDAxG
+b3J0IENvbGxpbnMxETAPBgNVBAoMCFNuYWtlT2lsMCAXDTIwMDkwNzE4NDMyMloY
+DzIxMjAwODE0MTg0MzIyWjBKMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh
+ZG8xFTATBgNVBAcMDEZvcnQgQ29sbGluczERMA8GA1UECgwIU25ha2VPaWwwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi65d6LmojD5S9q8vE/LI2HHQ
+boiO5/1KrFVc6kpxD6XdkJwpBoItYIfSls9CPnzvNWOAxR3hIeBd1U/prAPPxvQ1
+wuDLMXfWkcGaYHfPnme/YluAjnpuLH1MQcumgOzj5xYBvZZk+RbytX/phH7FW4Tx
++L1oBYnsfh3BSE/NTtEEHV1nXAXpa/dvyefWMlrlbwjfM5362lZzM6yrJGcOcWEy
+I66UYCIVO2Yhe/ZVF5B/tPGtd2oACz11xLeqLPM1WBjlekAG2Zi7UCPIvDCpdn5u
+Vna2ZRQmJyDDdh0Ja2VMC19dkMd/5nOAI21O+FvYPOkBWYX8f4DzDyVQlmIFAgMB
+AAGjUzBRMB0GA1UdDgQWBBRjuNXuXfh7mi8I3eTboeYGyFTa2zAfBgNVHSMEGDAW
+gBRjuNXuXfh7mi8I3eTboeYGyFTa2zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBW2ckn0APqBnwSiOXCWkMCnvY7K7UOfxAlotEsMFSrkzdEa4IE
+sn0+A3RV/r3HZGqIaE8GMsBqp8UiVIbL5H67dkqvJEke94/7wEUC16JSSOBc0Mac
+HeArDWsL/WIbzKiVcRrmgX+XwJFlsUN5UtR/feTHR08yiy5srSCIJEqli/cTrOxS
+JAgvWPLxcoFhOKf6Mi+nwWdrQEbpXvvv8Jv/qyyz5e/VmTRY0wIVmUjd+Yseu+5M
+3+cpKtlYaawMxVni5RibA0A12fm+i60fGPrkCNhascUrNY+Oppaf/h+QmKOwEM7h
+pqKXyGFQyU6dB6cFBQ/uD5IABUYuEOuL7VFY
+-----END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb b/recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
new file mode 100644
index 0000000..e6ef37c
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
@@ -0,0 +1,14 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require secure-boot-secrets.inc
+
+DEBIAN_CONFLICTS = "secure-boot-snakeoil"
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
new file mode 100644
index 0000000..f53435a
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+PROVIDES += "secure-boot-secrets"
+
+SB_KEY ??= ""
+SB_CERT ??= ""
+
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEY') if d.getVar('SB_KEY') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERT') if d.getVar('SB_CERT') else '' }"
+
+do_install() {
+    if [ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]; then
+        bbfatal "You must set SB_KEY and SB_CERT and provide the required files as artifacts to this recipe"
+    fi
+    TARGET=${D}/usr/share/secure-boot-secrets
+    install -d -m 0700 ${TARGET}
+    install -m 0700 ${WORKDIR}/${SB_KEY} ${TARGET}/secure-boot.key
+    install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem
+}
+
+do_prepare_build_append() {
+    echo "Provides: secure-boot-secrets" >> ${S}/debian/control
+}
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
new file mode 100644
index 0000000..24a5352
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
@@ -0,0 +1,17 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require secure-boot-secrets.inc
+
+SB_KEY = "PkKek-1-snakeoil.key"
+SB_CERT = "PkKek-1-snakeoil.pem"
+
+DEBIAN_CONFLICTS = "secure-boot-key"

From patchwork Thu May  5 16:43:21 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839791
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C32FCC43217
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-228.siemens.flowmailer.net
 (mta-64-228.siemens.flowmailer.net [185.136.64.228])
 by mx.groups.io with SMTP id smtpd.web12.13765.1651769015105679621
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:35 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=lTwOeNbX;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228,
 mailfrom:
 fm-294854-2022050516433231b3cec025bb2ccd15-scuyfj@rts-flowmailer.siemens.com)
Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id
 2022050516433231b3cec025bb2ccd15
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:32 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=G9aKQFx8ntImR9N6X5/xxkPPrbkwco2j7xI9zrOZtR8=;
 b=lTwOeNbXxE+eFb1QqHW978RXSLyHihlVfcWKE/Mz0byPZiCufLWuueZd/+m+eA5fm4lfg2
 IIb3aSNKGZ2dinyXoaSXTI0Zj2j0zTOvQ2CG1tzeyquzp/okbBcdP96rzJVwKodPW/H5F5vF
 NuLodA9KrWn6xyRKGbCoEzDzzAe6s=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 05/13] linux-cip: Update cip-kernel-config
 for QEMU and ipc227e
Date: Thu,  5 May 2022 18:43:21 +0200
Message-Id: 
 <22c861c4d823261c7b37637d1cd9d8578ea0ae98.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8258

From: Jan Kiszka <jan.kiszka@siemens.com>

Needed for iTCO under -rt kernels, swupdate support on arm64 and xattr
for squashfs in swupudate scenarios.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-kernel/linux/linux-cip-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 238e5b0..0e36bd5 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi
 
 SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
 
-SRCREV_cip-kernel-config ?= "0150b63d0e74d64cc0d5baa9b9440cc148abad8b"
+SRCREV_cip-kernel-config ?= "a8d04df6595344091eee2b242c3a0f5e108f966c"
 
 S = "${WORKDIR}/linux-cip-v${PV}"

From patchwork Thu May  5 16:43:22 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839787
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B48C3C433FE
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-227.siemens.flowmailer.net
 (mta-64-227.siemens.flowmailer.net [185.136.64.227])
 by mx.groups.io with SMTP id smtpd.web12.13764.1651769015105523487
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:35 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=Cx0EIKS1;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227,
 mailfrom:
 fm-294854-20220505164333be744d1423d00418cd-ugu5qu@rts-flowmailer.siemens.com)
Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id
 20220505164333be744d1423d00418cd
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:33 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=mXv2P4MwnBJxlCvTGoPqN3icakHbb0rep6WZaUFFgV4=;
 b=Cx0EIKS1R7JsLwNvsikGG/dAgIDHWHcGiZKmamPneg/+ni0Y2kI9hGIfQ9VfVxXRE0JtSE
 OxRf8BWVTVa4Pfm3j7XWkRBStvzY7LF8TkZamCsBZDjZbUkSjc1TVztbSOhuptubR4orPcpA
 2PVLGDc3tJ73dQn0ctPUXei1H9QnA=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 06/13] linux-cip: Update to 4.19.239-cip72
 and 5.10.112-cip6
Date: Thu,  5 May 2022 18:43:22 +0200
Message-Id: 
 <cb388d29742dbff98818c7eb08ce24a39f865b23.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8257

From: Jan Kiszka <jan.kiszka@siemens.com>

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 ...{linux-cip_4.19.235-cip70.bb => linux-cip_4.19.239-cip72.bb} | 2 +-
 .../{linux-cip_5.10.106-cip4.bb => linux-cip_5.10.112-cip6.bb}  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename recipes-kernel/linux/{linux-cip_4.19.235-cip70.bb => linux-cip_4.19.239-cip72.bb} (72%)
 rename recipes-kernel/linux/{linux-cip_5.10.106-cip4.bb => linux-cip_5.10.112-cip6.bb} (72%)

diff --git a/recipes-kernel/linux/linux-cip_4.19.235-cip70.bb b/recipes-kernel/linux/linux-cip_4.19.239-cip72.bb
similarity index 72%
rename from recipes-kernel/linux/linux-cip_4.19.235-cip70.bb
rename to recipes-kernel/linux/linux-cip_4.19.239-cip72.bb
index eaad5e8..718bbfb 100644
--- a/recipes-kernel/linux/linux-cip_4.19.235-cip70.bb
+++ b/recipes-kernel/linux/linux-cip_4.19.239-cip72.bb
@@ -13,4 +13,4 @@ require linux-cip-common.inc
 
 KERNEL_DEFCONFIG_VERSION ?= "4.19.y-cip"
 
-SRC_URI[sha256sum] = "b3bcb1ffd82c2ccdcb96aba55bdc46c72db12b6b5442591f804c8e298ad405c4"
+SRC_URI[sha256sum] = "5f22ea902c89b1cd178706411e48a40613c1db069fa7dc5993b979fd4652c2cd"
diff --git a/recipes-kernel/linux/linux-cip_5.10.106-cip4.bb b/recipes-kernel/linux/linux-cip_5.10.112-cip6.bb
similarity index 72%
rename from recipes-kernel/linux/linux-cip_5.10.106-cip4.bb
rename to recipes-kernel/linux/linux-cip_5.10.112-cip6.bb
index 2f52cdb..b54dcb5 100644
--- a/recipes-kernel/linux/linux-cip_5.10.106-cip4.bb
+++ b/recipes-kernel/linux/linux-cip_5.10.112-cip6.bb
@@ -13,4 +13,4 @@ require linux-cip-common.inc
 
 KERNEL_DEFCONFIG_VERSION ?= "5.10.y-cip"
 
-SRC_URI[sha256sum] = "512787b7f75b25e2c7f64978957bb2e6613e7c9edccc6d677ddd256109244d25"
+SRC_URI[sha256sum] = "aedeaefcb3da02fe6ab36859eb15c2e36844b2a0ea828a902b85037ad145e1ee"

From patchwork Thu May  5 16:43:23 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839799
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D8BBDC4167D
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-65-225.siemens.flowmailer.net
 (mta-65-225.siemens.flowmailer.net [185.136.65.225])
 by mx.groups.io with SMTP id smtpd.web09.13557.1651769015364938526
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=T7BofaHw;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225,
 mailfrom:
 fm-294854-2022050516433373af63d24ec45f1f2f-s9br2h@rts-flowmailer.siemens.com)
Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id
 2022050516433373af63d24ec45f1f2f
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:33 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=UcJxcVMrwFxw2A4GGhDOOvLkCcllYdRh/T10ps9vJrs=;
 b=T7BofaHwxKELgeoWwqZbv4qQb4IytN0PXJAWsSP4xAQN9jIxUwMH72DpgPtnOSHn6vxS1z
 5RtWI7tTYnuUOzJ6rOco2PLPq+/466fsdGI+zNBfAHaUBRSEZv1yOMfsSnMIxV784QpZx7XQ
 N+FPKGZiwAsE3U59XyobAmxanwvro=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 07/13] efibootguard: Update to 0.11 release
Date: Thu,  5 May 2022 18:43:23 +0200
Message-Id: 
 <eb55d9d50c4e562a2c8704b7881539f2d5d7794c.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8261

From: Jan Kiszka <jan.kiszka@siemens.com>

This version bring the new unified kernel stub and script to generate
unified kernel images from that.

That script requires python3, so we need to expand the package
dependencies. As we package all tools into a single deb, and the target
usually requires bg_{print,set}env, python3 is now also pulled onto the
target. If that should be avoided, we will have to split packaging in
future.

One extra patch is needed that missed the release. It fixes building
under buster for arm64.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 ...bootguard_0.10.bb => efibootguard_0.11.bb} |  4 +--
 ...efile-Drop-nostdinc-for-EFI-binaries.patch | 28 +++++++++++++++++++
 .../0001-configure-Fix-aarch64-EFI-arch.patch | 28 -------------------
 .../efibootguard/files/debian/control.tmpl    |  2 +-
 .../files/debian/efibootguard.install         |  3 +-
 5 files changed, 33 insertions(+), 32 deletions(-)
 rename recipes-bsp/efibootguard/{efibootguard_0.10.bb => efibootguard_0.11.bb} (90%)
 create mode 100644 recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
 delete mode 100644 recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch

diff --git a/recipes-bsp/efibootguard/efibootguard_0.10.bb b/recipes-bsp/efibootguard/efibootguard_0.11.bb
similarity index 90%
rename from recipes-bsp/efibootguard/efibootguard_0.10.bb
rename to recipes-bsp/efibootguard/efibootguard_0.11.bb
index bfc0ede..ef6cd9c 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.10.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.11.bb
@@ -19,9 +19,9 @@ MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>"
 SRC_URI = " \
     https://github.com/siemens/efibootguard/archive/refs/tags/v${PV}.tar.gz;downloadfilename=efitbootguard-v${PV}.tar.gz \
     file://debian \
-    file://0001-configure-Fix-aarch64-EFI-arch.patch \
+    file://0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch \
     "
-SRC_URI[sha256sum] = "4d58574a0bb8f1e56056ab0bcc2487d37e49fa147dc991e719c2ec8e20f88dd3"
+SRC_URI[sha256sum] = "12bd84ff63a34bef56e489b48d4f97955aa4d864eeff9ea2dea1d24a286d8ebe"
 
 PROVIDES = "${PN}"
 PROVIDES += "${PN}-dev"
diff --git a/recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch b/recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
new file mode 100644
index 0000000..8cc1654
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
@@ -0,0 +1,28 @@
+From daf4cb61bec56dac628be83b95a7072c184eabcd Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Wed, 4 May 2022 11:52:53 +0200
+Subject: [PATCH] Makefile: Drop -nostdinc for EFI binaries
+
+Not needed, also systemd-boot does not use it, and it actually triggers
+a build failure on Debian 10, possibly on other distros as well.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index f0daa15..7398b85 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -191,7 +191,6 @@ efi_cflags = \
+ 	-Wall \
+ 	-Wextra \
+ 	-std=gnu99 \
+-	-nostdinc \
+ 	-ggdb -O0 \
+ 	-fpic \
+ 	-fshort-wchar \
+-- 
+2.34.1
+
diff --git a/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch b/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
deleted file mode 100644
index ee05e94..0000000
--- a/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 3f11612fbcbd1c17988d634ecdaecf1ec241f6e0 Mon Sep 17 00:00:00 2001
-From: Jan Kiszka <jan.kiszka@siemens.com>
-Date: Mon, 21 Mar 2022 07:02:28 +0100
-Subject: [PATCH] configure: Fix aarch64 EFI arch
-
-It's aa64 here according to the UEFI spec.
-
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index a1a83e9..09d06d7 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -102,7 +102,7 @@ AM_COND_IF(ARCH_X86_64, [
- 	   MACHINE_TYPE_NAME=x64])
- 
- AM_COND_IF(ARCH_AARCH64, [
--	   MACHINE_TYPE_NAME=aarch64])
-+	   MACHINE_TYPE_NAME=aa64])
- 
- AC_SUBST([ARCH])
- AC_SUBST([MACHINE_TYPE_NAME])
--- 
-2.34.1
-
diff --git a/recipes-bsp/efibootguard/files/debian/control.tmpl b/recipes-bsp/efibootguard/files/debian/control.tmpl
index 54b1994..f8bdd8a 100644
--- a/recipes-bsp/efibootguard/files/debian/control.tmpl
+++ b/recipes-bsp/efibootguard/files/debian/control.tmpl
@@ -7,7 +7,7 @@ Homepage: ${HOMEPAGE}
 Maintainer: ${MAINTAINER}
 
 Package: ${PN}
-Depends: ${shlibs:Depends}
+Depends: ${shlibs:Depends}, python3
 Section: base
 Architecture: ${DISTRO_ARCH}
 Priority: required
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
index 910e153..d3ea007 100755
--- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
@@ -1,6 +1,7 @@
 #!/usr/bin/dh-exec
 bg_setenv usr/bin
 bg_printenv usr/bin
-efibootguard*.efi usr/share/efibootguard
+tools/bg_gen_unified_kernel usr/bin
+*.efi usr/share/efibootguard
 completion/bash/bg_printenv.bash => usr/share/bash-completion/completions/bg_printenv
 completion/bash/bg_setenv.bash => usr/share/bash-completion/completions/bg_setenv

From patchwork Thu May  5 16:43:24 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839795
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 042ACC41535
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:39 +0000 (UTC)
Received: from mta-65-227.siemens.flowmailer.net
 (mta-65-227.siemens.flowmailer.net [185.136.65.227])
 by mx.groups.io with SMTP id smtpd.web10.13631.1651769016660078234
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:37 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=SNHHWeXV;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227,
 mailfrom:
 fm-294854-20220505164333fde87e1c517949beec-gc6eky@rts-flowmailer.siemens.com)
Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id
 20220505164333fde87e1c517949beec
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:34 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=GMYuwS6GwjNy1ZPgnPQaz/t4z5Q9duHYsZMC4y68xFk=;
 b=SNHHWeXVf8vdNRXNdWqw4vcGjPDQdI4uEyjy491w07X0aVNdgakzZ7KfJaCLBFZtL6aVYd
 qcCBlU6zgVxk8MnJGfH6iVGWJliz3ZGO6gpnhE0fOqMiTuAqMRBDqiUaP/X0mn5DmcKFS6aG
 DQdd02v+wjawmHd43vLW41hAy2BHc=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 08/13] efibootguard: Fix empty command line
 case
Date: Thu,  5 May 2022 18:43:24 +0200
Message-Id: 
 <9e8df37239f072c7cc8e832cb0beccc8025a1f2d.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:39 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8267

From: Jan Kiszka <jan.kiszka@siemens.com>

We crash in case of an empty command line with non-unified kernel images
right now. Just avoid cmdline==None, will also make upcoming changes
simpler.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 scripts/lib/wic/plugins/source/efibootguard-boot.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 909e629..9267033 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -80,7 +80,7 @@ class EfibootguardBootPlugin(SourcePlugin):
 
         boot_files = source_params.get("files", "").split(' ')
         unified_kernel = source_params.get("unified-kernel") or 'y'
-        cmdline = bootloader.append
+        cmdline = bootloader.append or ''
         if unified_kernel == 'y':
             boot_image = cls._create_unified_kernel_image(rootfs_dir,
                                                           cr_workdir,
@@ -113,7 +113,7 @@ class EfibootguardBootPlugin(SourcePlugin):
             % (
                 part.label.upper(),
                 boot_image,
-                '-a "%s"' % cmdline if cmdline else "",
+                '-a "%s"' % cmdline,
                 source_params.get("revision", 1),
                 wdog_timeout
             )

From patchwork Thu May  5 16:43:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839793
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E80E7C4167B
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-227.siemens.flowmailer.net
 (mta-64-227.siemens.flowmailer.net [185.136.64.227])
 by mx.groups.io with SMTP id smtpd.web11.13542.1651769016786053283
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:37 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=DcrRxyoL;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227,
 mailfrom:
 fm-294854-202205051643347f59f8fd054e1c9528-r1uomi@rts-flowmailer.siemens.com)
Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id
 202205051643347f59f8fd054e1c9528
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:34 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=HT3kh+C44U3cSEYIRuapZjdcINaVRBiHj3Xia/tPa6k=;
 b=DcrRxyoLlIZ+OB1j1el6DYURQBsCGtL/Pvif2VMP8WXWCiBfUCimqPKgNv9sSW0l6bz9m5
 EvbVqg9CeKHUFbUUPt5L/yWFKumRN9uVEYjDO4s7imz9Vagq8E+vBWFI1twEPnE8fqhcuZDl
 r03KAvKUqK3sMd09cog/H8wNJou2c=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 09/13] efibootguard: Use new unified kernel
 image generation
Date: Thu,  5 May 2022 18:43:25 +0200
Message-Id: 
 <05dd963af0588e60dced70d901073a8021cb3ed6.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8265

From: Jan Kiszka <jan.kiszka@siemens.com>

Switch to the unified kernel image and its generator script that EFI
Boot Guard now provides. So far this only simplifies the generation
process. But it will also allow to use the more advanced device tree
embedding of the EBG linux-stub later on.

As the linux-stub uses LINUX_EFI_INITRD_MEDIA_GUID for loading the
initrd, we need to restrict support to CIP kernel 5.10 as this feature
was only introduced with 5.8.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 Kconfig                                       |  2 +-
 .../wic/plugins/source/efibootguard-boot.py   | 27 +++++--------------
 2 files changed, 7 insertions(+), 22 deletions(-)

diff --git a/Kconfig b/Kconfig
index 8032ede..135794d 100644
--- a/Kconfig
+++ b/Kconfig
@@ -127,7 +127,7 @@ config KAS_INCLUDE_TESTING
 	string
 	default "kas/opt/test.yml" if IMAGE_TESTING
 
-if IMAGE_FLASH
+if IMAGE_FLASH && !KERNEL_4_4 && !KERNEL_4_19
 
 config IMAGE_SWUPDATE
 	bool "SWUpdate support for root partition"
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 9267033..47c6884 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -113,7 +113,7 @@ class EfibootguardBootPlugin(SourcePlugin):
             % (
                 part.label.upper(),
                 boot_image,
-                '-a "%s"' % cmdline,
+                '-a "%s"' % cmdline if unified_kernel != 'y' else '',
                 source_params.get("revision", 1),
                 wdog_timeout
             )
@@ -181,15 +181,9 @@ class EfibootguardBootPlugin(SourcePlugin):
             "i386": "ia32"
         }
         rootfs_path = rootfs_dir.get('ROOTFS_DIR')
-        os_release_file = "{root}/etc/os-release".format(root=rootfs_path)
-        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linux{efiarch}.efi.stub"\
+        efistub = "{rootfs_path}/usr/share/efibootguard/kernel-stub{efiarch}.efi"\
             .format(rootfs_path=rootfs_path,
                     efiarch=distro_to_efi_arch[get_bitbake_var("DISTRO_ARCH")])
-        msger.debug("osrelease path: %s", os_release_file)
-        kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\
-            .format(cr_workdir=cr_workdir)
-        with open(kernel_cmdline_file, "w") as cmd_fd:
-            cmd_fd.write(cmdline)
         uefi_kernel_name = "linux.efi"
         uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\
             .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name)
@@ -197,23 +191,14 @@ class EfibootguardBootPlugin(SourcePlugin):
             .format(deploy_dir=deploy_dir, kernel_image=kernel_image)
         initrd = "{deploy_dir}/{initrd_image}"\
             .format(deploy_dir=deploy_dir, initrd_image=initrd_image)
-        objcopy_cmd = 'objcopy \
-            --add-section .osrel={os_release_file} \
-            --change-section-vma .osrel=0x20000 \
-            --add-section .cmdline={kernel_cmdline_file} \
-            --change-section-vma .cmdline=0x30000 \
-            --add-section .linux={kernel} \
-            --change-section-vma .linux=0x2000000 \
-            --add-section .initrd={initrd} \
-            --change-section-vma .initrd=0x3000000 \
-            {efistub} {uefi_kernel_file}'.format(
-                os_release_file=os_release_file,
-                kernel_cmdline_file=kernel_cmdline_file,
+        cmd = 'bg_gen_unified_kernel {efistub} {kernel} {uefi_kernel_file} \
+            -c "{cmdline}" -i {initrd}'.format(
+                cmdline=cmdline,
                 kernel=kernel,
                 initrd=initrd,
                 efistub=efistub,
                 uefi_kernel_file=uefi_kernel_file)
-        exec_cmd(objcopy_cmd)
+        exec_cmd(cmd, as_shell=True)
 
         cls._sign_file(signee=uefi_kernel_file, source_params=source_params)
 

From patchwork Thu May  5 16:43:26 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839796
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E84DCC46467
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-226.siemens.flowmailer.net
 (mta-64-226.siemens.flowmailer.net [185.136.64.226])
 by mx.groups.io with SMTP id smtpd.web08.13669.1651769016803277947
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:37 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=MkiqcZtZ;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226,
 mailfrom:
 fm-294854-2022050516433478614d62ccbd04dbfc-qrglr2@rts-flowmailer.siemens.com)
Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id
 2022050516433478614d62ccbd04dbfc
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:34 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=wXVDAv0typ0gxF2lRe0X9t/Ut+Hf7Wn/k5SjjM1eohc=;
 b=MkiqcZtZdM5Qdw1wrfEvbpEYgOBp9QBP2k2WRzF4c5JohQ9LWFHp2SAuoV5b7DMx7aqgqZ
 3rcUR+aYdIH+xQWrQYVKgadg2WSXiTtr8rcElSyIizi67W+FUc+r9CtzVV9zR5sm2jXz4Mnp
 216Qdps2JUP7h3Dk4yB6kZFvTNA9k=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 10/13] efibootguard: Add support for
 embedding DTBs into unified kernel images
Date: Thu,  5 May 2022 18:43:26 +0200
Message-Id: 
 <c1164c6a3f7ed9fb9aecea8dae695e2cc2345fde.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8264

From: Jan Kiszka <jan.kiszka@siemens.com>

Pick up the DTBs specified via DTB_FILES and embed them into the unified
kernel image that the wic plugin can generate. This does not work for
normal kernels, so bail out if DTB_FILES is set in that mode.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 kas/opt/efibootguard.yml                          |  2 +-
 .../lib/wic/plugins/source/efibootguard-boot.py   | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index 2d84427..c71cdb3 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -23,7 +23,7 @@ local_conf_header:
   efibootguard-wic: |
     WIC_IMAGER_INSTALL_append = " efibootguard"
     WDOG_TIMEOUT ?= "60"
-    WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
+    WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE DTB_FILES"
     IMAGE_FSTYPES ?= "wic-img"
     WKS_FILE ?= "${MACHINE}-efibootguard.wks.in"
 
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 47c6884..4b7fa8d 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -66,10 +66,12 @@ class EfibootguardBootPlugin(SourcePlugin):
             initrd_image = "initrd.img"
         bootloader = creator.ks.bootloader
 
+        dtb_files = (get_bitbake_var("DTB_FILES") or '').split()
+
         deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
         if not deploy_dir:
             msger.error("DEPLOY_DIR_IMAGE not set, exiting\n")
-            sys.exit(1)
+            exit(1)
         creator.deploy_dir = deploy_dir
 
         wdog_timeout = get_bitbake_var("WDOG_TIMEOUT")
@@ -88,9 +90,13 @@ class EfibootguardBootPlugin(SourcePlugin):
                                                           deploy_dir,
                                                           kernel_image,
                                                           initrd_image,
+                                                          dtb_files,
                                                           source_params)
             boot_files.append(boot_image)
         else:
+            if dtb_files:
+                msger.error("DTB_FILES specified while unified kernel is disabled\n")
+                exit(1)
             root_dev = source_params.get("root", None)
             if not root_dev:
                 msger.error("Specify root in source params")
@@ -173,7 +179,7 @@ class EfibootguardBootPlugin(SourcePlugin):
     @classmethod
     def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
                                      deploy_dir, kernel_image, initrd_image,
-                                     source_params):
+                                     dtb_files, source_params):
         # we need to map the distro_arch to uefi values
         distro_to_efi_arch = {
             "amd64": "x64",
@@ -198,6 +204,11 @@ class EfibootguardBootPlugin(SourcePlugin):
                 initrd=initrd,
                 efistub=efistub,
                 uefi_kernel_file=uefi_kernel_file)
+        if dtb_files:
+            for dtb in dtb_files:
+                cmd += ' -d {deploy_dir}/{dtb_file}'.format(
+                    deploy_dir=deploy_dir,
+                    dtb_file=os.path.basename(dtb))
         exec_cmd(cmd, as_shell=True)
 
         cls._sign_file(signee=uefi_kernel_file, source_params=source_params)

From patchwork Thu May  5 16:43:27 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839798
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E94B6C3527C
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-225.siemens.flowmailer.net
 (mta-64-225.siemens.flowmailer.net [185.136.64.225])
 by mx.groups.io with SMTP id smtpd.web09.13559.1651769016922938261
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:37 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=PqI1njk6;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225,
 mailfrom:
 fm-294854-202205051643340ee3dbfefeeb306d4c-knhqrj@rts-flowmailer.siemens.com)
Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id
 202205051643340ee3dbfefeeb306d4c
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:35 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=PU24+oZ5hM49YyftqyoCFn1TOGIsCUT61/HLyZcfWno=;
 b=PqI1njk667PedvujRWxl4GfkjDy4K41rstoYzILmXOU1XuF4N6WdVkMwV+GHa3mDmnQbQ7
 HJo5Xq6XttTrc+8rLjIxj8WNn+tSJvfsU8U6ImLKdRSMTGk4cNnl5nHU3xsQek68MCK/LBiA
 ZrimIyTXysSCY5maMQSA/Ge/jl7P8=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 11/13] u-boot-qemu-arm64: Add recipe for
 customized version based on 2022.04
Date: Thu,  5 May 2022 18:43:27 +0200
Message-Id: 
 <734d389aee1124469573150fd40784aa7d611fda.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8266

From: Jan Kiszka <jan.kiszka@siemens.com>

This will be used for booting via UEFI, both in open and locked-down
secure mode. The secure mode variations can be selected by adding
"secureboot" to OVERRIDES.

One extra patch is needed to add support for long-living certificates.
It is pending upstream.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 ...-rtc_mktime-and-mktime64-Y2038-ready.patch | 107 ++++++++++++++++++
 recipes-bsp/u-boot/files/rules                |  40 +++++++
 recipes-bsp/u-boot/files/secure-boot.cfg      |   6 +
 .../u-boot/u-boot-qemu-arm64_2022.04.bb       |  50 ++++++++
 4 files changed, 203 insertions(+)
 create mode 100644 recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
 create mode 100755 recipes-bsp/u-boot/files/rules
 create mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg
 create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb

diff --git a/recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch b/recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
new file mode 100644
index 0000000..b2ff705
--- /dev/null
+++ b/recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
@@ -0,0 +1,107 @@
+From 8b990a06685678abd8dbc8be86c27bf3e94e3694 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Sun, 24 Apr 2022 11:24:54 +0200
+Subject: [PATCH] lib/date: Make rtc_mktime and mktime64 Y2038-ready
+
+We currently overflow due to wrong types used internally in rtc_mktime,
+on all platforms, and we return a too small type on 32-bit.
+
+One consumer that directly benefits from this is mktime64. Many others
+may still store the result in a wrong type.
+
+While at it, drop the redundant cast of mon in rtc_mktime (obsoleted by
+714209832db1).
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ include/linux/time.h |  3 ---
+ include/rtc.h        |  8 +++++---
+ lib/date.c           | 13 +++++--------
+ 3 files changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/include/linux/time.h b/include/linux/time.h
+index 702dd276aea..14ff5b6f481 100644
+--- a/include/linux/time.h
++++ b/include/linux/time.h
+@@ -152,9 +152,6 @@ _DEFUN (ctime_r, (tim_p, result),
+     return asctime_r (localtime_r (tim_p, &tm), result);
+ }
+ 
+-/* for compatibility with linux code */
+-typedef __s64 time64_t;
+-
+ #ifdef CONFIG_LIB_DATE
+ time64_t mktime64(const unsigned int year, const unsigned int mon,
+ 		  const unsigned int day, const unsigned int hour,
+diff --git a/include/rtc.h b/include/rtc.h
+index 6c7fcadd488..10104e3bf5a 100644
+--- a/include/rtc.h
++++ b/include/rtc.h
+@@ -16,6 +16,8 @@
+ #include <bcd.h>
+ #include <rtc_def.h>
+ 
++typedef int64_t time64_t;
++
+ #ifdef CONFIG_DM_RTC
+ 
+ struct udevice;
+@@ -301,7 +303,7 @@ int rtc_calc_weekday(struct rtc_time *time);
+ void rtc_to_tm(u64 time_t, struct rtc_time *time);
+ 
+ /**
+- * rtc_mktime() - Convert a broken-out time into a time_t value
++ * rtc_mktime() - Convert a broken-out time into a time64_t value
+  *
+  * The following fields need to be valid for this function to work:
+  *	tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year
+@@ -309,9 +311,9 @@ void rtc_to_tm(u64 time_t, struct rtc_time *time);
+  * Note that tm_wday and tm_yday are ignored.
+  *
+  * @time:	Broken-out time to convert
+- * Return: corresponding time_t value, seconds since 1970-01-01 00:00:00
++ * Return: corresponding time64_t value, seconds since 1970-01-01 00:00:00
+  */
+-unsigned long rtc_mktime(const struct rtc_time *time);
++time64_t rtc_mktime(const struct rtc_time *time);
+ 
+ /**
+  * rtc_month_days() - The number of days in the month
+diff --git a/lib/date.c b/lib/date.c
+index c589d9ed3a2..e3d22459cd0 100644
+--- a/lib/date.c
++++ b/lib/date.c
+@@ -71,19 +71,16 @@ int rtc_calc_weekday(struct rtc_time *tm)
+  * -year / 100 + year / 400 terms, and add 10.]
+  *
+  * This algorithm was first published by Gauss (I think).
+- *
+- * WARNING: this function will overflow on 2106-02-07 06:28:16 on
+- * machines where long is 32-bit! (However, as time_t is signed, we
+- * will already get problems at other places on 2038-01-19 03:14:08)
+  */
+-unsigned long rtc_mktime(const struct rtc_time *tm)
++time64_t rtc_mktime(const struct rtc_time *tm)
+ {
+ 	int mon = tm->tm_mon;
+ 	int year = tm->tm_year;
+-	int days, hours;
++	unsigned long days;
++	time64_t hours;
+ 
+ 	mon -= 2;
+-	if (0 >= (int)mon) {	/* 1..12 -> 11, 12, 1..10 */
++	if (0 >= mon) {		/* 1..12 -> 11, 12, 1..10 */
+ 		mon += 12;	/* Puts Feb last since it has leap day */
+ 		year -= 1;
+ 	}
+@@ -109,5 +106,5 @@ time64_t mktime64(const unsigned int year, const unsigned int mon,
+ 	time.tm_min = min;
+ 	time.tm_sec = sec;
+ 
+-	return (time64_t)rtc_mktime((const struct rtc_time *)&time);
++	return rtc_mktime((const struct rtc_time *)&time);
+ }
+-- 
+2.34.1
+
diff --git a/recipes-bsp/u-boot/files/rules b/recipes-bsp/u-boot/files/rules
new file mode 100755
index 0000000..36e1e1b
--- /dev/null
+++ b/recipes-bsp/u-boot/files/rules
@@ -0,0 +1,40 @@
+#!/usr/bin/make -f
+#
+# Copyright (c) Siemens AG, 2018-2022
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+SET_CROSS_BUILD_TOOLS=CROSS_BUILD_TOOLS=y
+endif
+
+override_dh_auto_build:
+	if [ -e /usr/share/secure-boot-secrets/secure-boot.pem ]; then \
+		openssl x509 -in /usr/share/secure-boot-secrets/secure-boot.pem -out secure-boot.der -outform der; \
+		rm -f secure-boot.esl; \
+		efisiglist -a -c secure-boot.der -o secure-boot.esl; \
+		rm -f ubootefi.var; \
+		tools/efivar.py set -i ubootefi.var -n PK -d secure-boot.esl -t file; \
+		tools/efivar.py set -i ubootefi.var -n KEK -d secure-boot.esl -t file; \
+		tools/efivar.py set -i ubootefi.var -n db -d secure-boot.esl -t file; \
+	fi
+	$(MAKE) $(PARALLEL_MAKE) $(U_BOOT_CONFIG)
+	$(MAKE) $(PARALLEL_MAKE) ${U_BOOT_BIN}
+	$(MAKE) -n u-boot-initial-env >/dev/null 2>&1; if [ $$? -ne 2 ]; then \
+		$(MAKE) $(PARALLEL_MAKE) u-boot-initial-env; \
+	else \
+		./scripts/get_default_envs.sh >u-boot-initial-env; \
+	fi
+	$(MAKE) $(PARALLEL_MAKE) $(SET_CROSS_BUILD_TOOLS) NO_SDL=1 tools-only envtools
+
+override_dh_auto_install:
+	mv tools/env/lib.a tools/env/libubootenv.a
+
+override_dh_auto_test:
+
+override_dh_strip:
+	dh_strip -X libubootenv.a
+
+%:
+	dh $@ --parallel
diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg b/recipes-bsp/u-boot/files/secure-boot.cfg
new file mode 100644
index 0000000..a1b9931
--- /dev/null
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg
@@ -0,0 +1,6 @@
+### Secure boot config
+CONFIG_BOOTDELAY=-2
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/bootaa64.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/bootaa64.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_EFI_SECURE_BOOT=y
diff --git a/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb b/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb
new file mode 100644
index 0000000..e462258
--- /dev/null
+++ b/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb
@@ -0,0 +1,50 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require recipes-bsp/u-boot/u-boot-custom.inc
+
+SRC_URI += " \
+    https://ftp.denx.de/pub/u-boot/u-boot-${PV}.tar.bz2 \
+    file://0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch \
+    file://rules"
+SRC_URI[sha256sum] = "68e065413926778e276ec3abd28bb32fa82abaa4a6898d570c1f48fbdb08bcd0"
+
+SRC_URI_append_secureboot = " \
+    file://secure-boot.cfg"
+
+S = "${WORKDIR}/u-boot-${PV}"
+
+DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:arm64"
+
+DEBIAN_BUILD_DEPENDS_append_secureboot = ", \
+    openssl, pesign, secure-boot-secrets, python3-openssl:native"
+DEPENDS_append_secureboot = " secure-boot-secrets"
+
+U_BOOT_CONFIG = "qemu_arm64_defconfig"
+U_BOOT_BIN = "u-boot.bin"
+
+do_prepare_build_append() {
+    cp ${WORKDIR}/rules ${S}/debian/rules
+}
+
+do_prepare_build_append_secureboot() {
+    sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
+    cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
+}
+
+do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
+do_deploy() {
+    dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
+        tar xOf - "./usr/lib/u-boot/${MACHINE}/${U_BOOT_BIN}" \
+        > "${DEPLOY_DIR_IMAGE}/firmware.bin"
+}
+
+addtask deploy after do_dpkg_build before do_deploy_deb

From patchwork Thu May  5 16:43:28 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839789
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D3BB0C4321E
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:38 +0000 (UTC)
Received: from mta-64-227.siemens.flowmailer.net
 (mta-64-227.siemens.flowmailer.net [185.136.64.227])
 by mx.groups.io with SMTP id smtpd.web11.13539.1651769014539215601
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=RsXmk6pN;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227,
 mailfrom:
 fm-294854-20220505164335b0fa7f9fb4df3b398a-7gs7fe@rts-flowmailer.siemens.com)
Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id
 20220505164335b0fa7f9fb4df3b398a
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:35 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=AzHYcEu0j+5gns1JGUX20ciyeMXO2L5ijI5X5XyEWzY=;
 b=RsXmk6pNB3udahRnT+hQAHHBVG99jKIIqgNdwqNKsBbwJQfNKkt+Nn2nsRf3BkEsZzaLYM
 wXBlADCygk5NnJBEyq6nNBYJe4ypi/4Hzu+6lmIWJh1/rIXEbdH69ZelseagGA/uk4f2WQMo
 /iZF9uysy12k+LRqJih09rh6WAWvI=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 12/13] Enable SWUpdate with and w/o secure
 boot for QEMU arm64
Date: Thu,  5 May 2022 18:43:28 +0200
Message-Id: 
 <5d8314f71095cfb1ff736f864f7a04f5467178af.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:38 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8263

From: Jan Kiszka <jan.kiszka@siemens.com>

Hook up the new U-Boot recipe, provide new wks files and disable the
watchdog for EFI Boot Guard - that's all what's need to allow offering
SWUpdate and secure boot for the QEMU arm64 target.

QEMU currently does not provide a watchdog for the virt machine which we
plan to use. A patch to change this has been sent, but for now we will
have to live without one.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 Kconfig                                       |  4 ++--
 conf/machine/qemu-arm64.conf                  |  3 +++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  3 +++
 kas/opt/efibootguard.yml                      |  4 +++-
 wic/qemu-arm64-efibootguard-secureboot.wks.in | 15 +++++++++++++++
 wic/qemu-arm64-efibootguard.wks.in            | 13 +++++++++++++
 6 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 wic/qemu-arm64-efibootguard-secureboot.wks.in
 create mode 100644 wic/qemu-arm64-efibootguard.wks.in

diff --git a/Kconfig b/Kconfig
index 135794d..651a726 100644
--- a/Kconfig
+++ b/Kconfig
@@ -131,11 +131,11 @@ if IMAGE_FLASH && !KERNEL_4_4 && !KERNEL_4_19
 
 config IMAGE_SWUPDATE
 	bool "SWUpdate support for root partition"
-	depends on TARGET_QEMU_AMD64 || TARGET_SIMATIC_IPC227E
+	depends on TARGET_QEMU_AMD64 || TARGET_SIMATIC_IPC227E || TARGET_QEMU_ARM64
 
 config IMAGE_SECURE_BOOT
 	bool "Secure boot support"
-	depends on TARGET_QEMU_AMD64
+	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64
 	select IMAGE_SWUPDATE
 
 config KAS_INCLUDE_SWUPDATE_SECBOOT
diff --git a/conf/machine/qemu-arm64.conf b/conf/machine/qemu-arm64.conf
index 0d21262..4e12cdb 100644
--- a/conf/machine/qemu-arm64.conf
+++ b/conf/machine/qemu-arm64.conf
@@ -11,3 +11,6 @@ DISTRO_ARCH = "arm64"
 IMAGE_FSTYPES ?= "ext4-img"
 USE_CIP_KERNEL_CONFIG = "1"
 KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/qemu_arm64_defconfig"
+
+# for SWUpdate setups: watchdog is configured in U-Boot
+WDOG_TIMEOUT = "0"
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 7442eb7..3f2a794 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -32,3 +32,6 @@ local_conf_header:
     IMAGER_INSTALL += "ebg-secure-boot-signer"
     # Use snakeoil keys
     PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-snakeoil"
+
+  secureboot_override: |
+    OVERRIDES .= ":secureboot"
diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index c71cdb3..d85aed7 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -27,10 +27,12 @@ local_conf_header:
     IMAGE_FSTYPES ?= "wic-img"
     WKS_FILE ?= "${MACHINE}-efibootguard.wks.in"
 
-  ovmf-binaries: |
+  firmware-binaries: |
     # Add ovmf binaries for qemu
     IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries"
     # not needed for Debian 11 and later
     OVERRIDES_append_qemu-amd64 = ":${BASE_DISTRO_CODENAME}"
     DISTRO_APT_SOURCES_append_qemu-amd64_buster = " conf/distro/debian-buster-backports.list"
     DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf"
+    # Add U-Boot for qemu
+    IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64"
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..df6a9a1
--- /dev/null
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -0,0 +1,15 @@
+# EFI partition containing efibootguard bootloader binary
+include ebg-signed-bootloader.inc
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
+part /var  --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var  --fstype=ext4 --label var  --align 1024 --size 2G
+
+bootloader --ptable gpt --append="panic=5"
diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
new file mode 100644
index 0000000..a153205
--- /dev/null
+++ b/wic/qemu-arm64-efibootguard.wks.in
@@ -0,0 +1,13 @@
+# short-description: arm64 with EFI Boot Guard and SWUpdate
+# long-description: Disk image for arm64 machines with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G
+
+bootloader --ptable gpt

From patchwork Thu May  5 16:43:29 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 12839794
Return-Path: <jan.kiszka@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 034CEC3527A
	for <webhook@archiver.kernel.org>; Thu,  5 May 2022 16:43:39 +0000 (UTC)
Received: from mta-65-225.siemens.flowmailer.net
 (mta-65-225.siemens.flowmailer.net [185.136.65.225])
 by mx.groups.io with SMTP id smtpd.web12.13767.1651769017448965932
 for <cip-dev@lists.cip-project.org>;
 Thu, 05 May 2022 09:43:37 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=jan.kiszka@siemens.com header.s=fm1 header.b=a8w7630f;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225,
 mailfrom:
 fm-294854-2022050516433574d52eb1a8be7655e9-zp6qsc@rts-flowmailer.siemens.com)
Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id
 2022050516433574d52eb1a8be7655e9
        for <cip-dev@lists.cip-project.org>;
        Thu, 05 May 2022 18:43:35 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=jan.kiszka@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=rG5xDmnDBa7deYwip/ylz/on0rCvU7M57dqk/4nR6Tk=;
 b=a8w7630f/mTD90wnBxDdZbB+hJwy2iDVWJAyzY9e84wUqBQIvzaK6yyYJnK64jaLcT6bhc
 VMPNe+4YzRp+TwWgUu2ghW2/v4XxQ36+tzTy4IbX2A8sETomuLaP3boGVwTiIgnbmqKgrBgg
 MwdN/sWyNa5wfjpdMAOL1ywYbEth4=;
From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH v2 13/13] start-qemu.sh: Add support for
 SWUpdate and secure boot mode to arm64
Date: Thu,  5 May 2022 18:43:29 +0200
Message-Id: 
 <5f29d6bdde6c55842b4677f3eb54071c4609bf6a.1651769009.git.jan.kiszka@siemens.com>
In-Reply-To: <cover.1651769009.git.jan.kiszka@siemens.com>
References: <cover.1651769009.git.jan.kiszka@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-294854:519-21489:flowmailer
List-Id: <cip-dev.lists.cip-project.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <cip-dev@lists.cip-project.org>; Thu, 05 May 2022 16:43:39 -0000
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8268

From: Jan Kiszka <jan.kiszka@siemens.com>

We just need to pick up the newly deployed firmware.bin as -bios,
analogously to the x86's OVMF, and switch to a disk image. A separate
key storage is not yet used, thus there is no difference between normal
and secure mode for arm64 so far.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 start-qemu.sh | 67 ++++++++++++++++++++++++++++++++-------------------
 1 file changed, 42 insertions(+), 25 deletions(-)

diff --git a/start-qemu.sh b/start-qemu.sh
index fe08ebd..ad4fca5 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -45,7 +45,10 @@ if [ -z "${TARGET_IMAGE}" ];then
 	fi
 fi
 
-case "$1" in
+arch="$1"
+shift 1
+
+case "${arch}" in
 	x86|x86_64|amd64)
 		DISTRO_ARCH=amd64
 		QEMU=qemu-system-x86_64
@@ -98,7 +101,7 @@ case "$1" in
 		usage
 		;;
 	*)
-		echo "Unsupported architecture: $1"
+		echo "Unsupported architecture: ${arch}"
 		exit 1
 		;;
 esac
@@ -107,40 +110,54 @@ IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET
 
 if [ -z "${DISPLAY}" ]; then
 	QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
-	case "$1" in
+	case "${arch}" in
 		x86|x86_64|amd64)
 			KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0"
 	esac
 fi
 
-shift 1
-
 QEMU_COMMON_OPTIONS=" \
 	-m 1G \
 	-serial mon:stdio \
 	-netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \
 	${QEMU_EXTRA_ARGS}"
 
-if [ -n "${SECURE_BOOT}" ]; then
-		ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
-		ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
-
-		${QEMU_PATH}${QEMU} \
-			-global ICH9-LPC.disable_s3=1 \
-			-global isa-fdc.driveA= \
-			-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-			-drive if=pflash,format=raw,file=${ovmf_vars} \
-			-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw \
-			${QEMU_COMMON_OPTIONS} "$@"
-
-elif [ -n "${SWUPDATE_BOOT}" ]; then
-		ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
-
-		${QEMU_PATH}${QEMU} \
-			-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw \
-			-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-			${QEMU_COMMON_OPTIONS} "$@"
-
+if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
+	case "${arch}" in
+		x86|x86_64|amd64)
+			if [ -n "${SECURE_BOOT}" ]; then
+				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
+				ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
+
+				${QEMU_PATH}${QEMU} \
+					-global ICH9-LPC.disable_s3=1 \
+					-global isa-fdc.driveA= \
+					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+					-drive if=pflash,format=raw,file=${ovmf_vars} \
+					-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw \
+					${QEMU_COMMON_OPTIONS} "$@"
+			else
+				ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
+
+				${QEMU_PATH}${QEMU} \
+					-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw \
+					-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+					${QEMU_COMMON_OPTIONS} "$@"
+			fi
+			;;
+		arm64|aarch64)
+			u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-arm64/firmware.bin}
+
+			${QEMU_PATH}${QEMU} \
+				-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw \
+				-bios ${u_boot_bin} \
+				${QEMU_COMMON_OPTIONS} "$@"
+			;;
+		*)
+			echo "Unsupported architecture: ${arch}"
+			exit 1
+			;;
+	esac
 else
 		IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)