1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-18 04:27:08 +00:00

Compare commits

...

22 Commits

Author SHA1 Message Date
Andrew Jeffery 0d4c09cf00 arm/trusted-services: ts-sp-fw: Replace v2.7.0 tag with commit ID
Do so for the usual reason of avoiding network access during recipe
parsing. Occasionally parsing will stall for me as it seems connectivity
to trustedfirmware.org can be flaky.

Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-15 15:49:05 +01:00
Ross Burton 5425d269c1 CI: use canonical git.yoctoproject.org URLs
The canonical repository URLs don't use /git/.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:43 -04:00
Ross Burton 97284c1c3e arm/fvp-base-a-aem: update SRC_URI
developer.arm.com has a reorganisation and whilst most paths have a
redirect in place, the older FVP binaries did not.  Update the URL for
this FVP to the new canonical URLs.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 10:14:07 -04:00
Ross Burton 9c548d16e0 arm-system-ready/arm-systemready-ir-acs: add version to download filename
The download filename wasn't versioned so multiple versions would write
to the same file on disk and conflict, causing repeated downloads and
fetch failures.

Add the PV to the filename on disk to resolve this.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 10:14:02 -04:00
Musa Antike e56a0cd6fe kas: Include unattended Debian test
Add unattended installation yml to Debian  target

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:37:39 -05:00
Musa Antike 61bfbf1601 arm-systemready/oeqa: Add unattended installation testcase
Add test for Debian unattended installation verification

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:37:32 -05:00
Musa Antike 32c4bca3ae arm-systemready/linux-distros: Implement unattended Debian
- Implement unattended installation for Debian
- Upgrade Debian version to 12.8.0

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-15 10:00:18 -05:00
Musa Antike 6d58916259 arm-systemready/linux-distros: Move openSUSE unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-15 10:00:18 -05:00
Musa Antike dfc0187c36 arm-systemready/linux-distros: Move Fedora unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-15 10:00:18 -05:00
Peter Hoyes 0ef5fd9682 arm/lib: Relax "Listening for serial connection" regex
Newer versions of the FVP now contain a full log entry for the
"Listening for serial connection on port" regex of the form:

INFO: FVP_NAME: terminal_uart: Listening for serial connection...

Relax the regex to support this new logging format and change from
re.match to re.search as the regex may not appear at the start of the
line.

This change is backwards-compatible with older versions of the FVP.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-18 06:00:16 -05:00
Hugues KAMBA MPIANA 18bc3f9389 kas: corstone-1000: Pin Yocto layer dependencies for CORSTONE1000-2024.11 release
The SHA of the dependent community layers are set to
the tested SHA from the `styhead` branch of each layer.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 12:00:12 -05:00
Hugues KAMBA MPIANA 2d601b02b7 kas: corstone-1000: Update the SHA of the Yocto layer dependencies for the CORSTONE1000-2024.11 release.
The SHA of the dependent community layers are commented out and set to
the tested SHA from the `styhead` branch of each layer.

The set SHAs are to be uncommented in the `styhead` branch which is
to be used to create the `CORSTONE1000-2024.11` tag.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 12:00:12 -05:00
Hugues KAMBA MPIANA 4c490d2c2b arm-bsp/documentation: corstone1000: Amend documentation for CORSTONE1000-2024.11 release
* Fix typographical error in documentation.
* Add missing instructions.
* Create paragraphs where necessary to improve readability.
* Change `note` box to `important` box

* Remove verification of arm_tstee driver presence:
arm-tstee driver has been integrated in Linux v6.10.14 which is
the one used in the software stack. It is built as part of Linux and
is no longer a loadable module.
The steps to verify the driver presence are no longer applicable.

* Standardise naming of the target platform:
Consistently use the name `Corstone-1000` to refer to the target platform.

* Update Debian OS version from 12.4 to 12.7
Debian version 12.4 has a bug in Shim 15.7.
This bug causes a fatal error when attempting to boot media installer
for Debian,and resets the platform before installation starts.
A patch to skip the Shim was applied to Corstone-1000 to avoid
the error.
Debian version 12.7 no longer has the bug in the Shim thus making
the usage of the patch redundant.
Bump Debian installer to version 12.7 and remove usage of the patch
for the Debian installation test.

* Replace xterm with tmux:
Update the user guide to specify tmux instead of xterm.
Using tmux as opposed to xterm provides a better user experience
when running the commands listed on the user guide.

* Use ACS image for FVP SystemReady test:
Due to fixed timeout values in the meta-arm-systemready the ACS time
test do not complete successfully.
Instead, specify commands to use the pre-built ACS image.

* List Trusted Services as a host component:
Add Trusted Services to the list of components used on the Host processor
of the Corstone-1000. The various BitBake recipes and append files used to
build Trusted Services are listed for the component.

* Update release version to CORSTONE1000-2024.11:
All references to the version of the Corstone-1000 software reference
stack have been updated from CORSTONE1000-2024.06 to CORSTONE1000-2024.11.
Add to the changelog the 2024.11 release information.
Add the 2024.11 release notes.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 12:00:12 -05:00
Bence Balogh d824ee371a arm-bsp/trusted-firmware-m: corstone1000: Fix Secure Debug connection due to token version mismatch
Due to a mismatch between the ADAC dummy token major version and the version
in the secure-debug-manager repository [1]'s submodule [2], the secure debug connection was denied.
Update the ADAC token major and minor versions in TF-M to align with the expected
dummy token.

[1] https://github.com/ARM-software/secure-debug-manager/
[2] https://git.trustedfirmware.org/plugins/gitiles/shared/psa-adac.git/+/refs/heads/master/psa-adac/core/include/psa_adac.h

Fixes: 7e9466 ("arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug")
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-02 06:00:12 -05:00
Jon Mason acafe7c89f CI: remove branch name
The meta-arm styhead branch should be using the styhead branches of
meta-clang, meta-virtualization, and meta-secure-core.  Remove the
master branch specific line to allow for these to be used.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-18 10:34:03 -05:00
Ziad Elhanafy 2a624d2239 arm-systemready/linux-distros: Follow WORKDIR -> UNPACKDIR transition
This adapts to the oe-core rework to enforce a separate directory
for unpacking local sources (UNPACKDIR) instead of polluting WORKDIR
directly.

Follows the guidelines from:
https://lists.openembedded.org/g/openembedded-architecture/message/2007

Signed-off-by: Ziad Elhanafy <ziad.elhanafy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-06 10:08:08 -05:00
Ben 52b2ad14a8 kas: Include unattended openSUSE test
Add unattended installation class to openSUSE target

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-16 07:00:15 -04:00
Ben a987c321b7 arm-systemready/oeqa: Add unattended installation testcase
Add test for openSUSE unattended installation

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-16 07:00:15 -04:00
Ben b2f0014a48 arm-systemready/linux-distros: Implement unattended openSUSE
Implement unattended installation for openSUSE

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-16 07:00:15 -04:00
Jon Mason ca9375b72d CI: Rework qemuarm64-secureboot matrix
qemuarm64-secureboot is using systemd for uefi-secureboot, which has
warnings with musl (and fails to compile with clang and musl).  So,
modify the matrix to keep the coverage of everything else but musl.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:58 -04:00
Javier Tia 691d479ce4 arm/qemuarm64-secureboot: Enable UEFI Secure Boot
Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.

Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries. 

Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.

Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.

Advantages using systemd as Init Manager:

- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.

- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.

- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.

- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.

- Add CI settings to build and test UEFI Secure Boot.

Add one test to verify Secure Boot using OE Testing infraestructure:

$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:44 -04:00
Javier Tia 67a28fc298 arm: Enable Secure Boot in all required recipes
In the target, Secure Boot starts from the firmware (u-boot), adds the
signing keys, and verifies the bootloader (systemd-boot) and kernel
(Linux).

sbsign bbclass is used to sign the binaries. sbsign is the name of the
tool used to sign these binaries. Hence the name of this class to sbsign
and variables with SBSIGN prefix.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:44 -04:00
39 changed files with 1597 additions and 180 deletions
+4
View File
@@ -265,6 +265,10 @@ qemuarm64-secureboot:
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
- TOOLCHAINS: [gcc, clang]
TS: [none, qemuarm64-secureboot-ts]
UEFISB: [none, uefi-secureboot]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
+1 -1
View File
@@ -17,7 +17,7 @@ repos:
meta-arm-toolchain:
poky:
url: https://git.yoctoproject.org/git/poky
url: https://git.yoctoproject.org/poky
layers:
meta:
meta-poky:
-1
View File
@@ -6,7 +6,6 @@ header:
repos:
meta-clang:
url: https://github.com/kraj/meta-clang
branch: master
local_conf_header:
toolchain: |
-1
View File
@@ -6,7 +6,6 @@ header:
repos:
meta-secure-core:
url: https://github.com/Wind-River/meta-secure-core.git
branch: master
layers:
meta-secure-core-common:
meta-signing-key:
-1
View File
@@ -8,4 +8,3 @@ header:
repos:
meta-virtualization:
url: https://git.yoctoproject.org/meta-virtualization
branch: master
+37
View File
@@ -0,0 +1,37 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
# during the boot process.
header:
version: 14
includes:
- ci/meta-openembedded.yml
- ci/meta-secure-core.yml
local_conf_header:
uefi_secureboot: |
SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
# Detected by passing kernel parameter
QB_KERNEL_ROOT = ""
# kernel is in the image, should not be loaded separately
QB_DEFAULT_KERNEL = "none"
WKS_FILE = "efi-disk.wks.in"
KERNEL_IMAGETYPE = "Image"
MACHINE_FEATURES:append = " efi uefi-secureboot"
EFI_PROVIDER = "systemd-boot"
# Use systemd as the init system
INIT_MANAGER = "systemd"
DISTRO_FEATURES:append = " systemd"
DISTRO_FEATURES_NATIVE:append = " systemd"
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
TEST_SUITES:append = " uefi_secureboot"
+2 -2
View File
@@ -20,9 +20,9 @@ def repo_shortname(url):
.replace('*', '.'))
repositories = (
"https://git.yoctoproject.org/git/poky",
"https://git.yoctoproject.org/poky",
"https://git.openembedded.org/meta-openembedded",
"https://git.yoctoproject.org/git/meta-virtualization",
"https://git.yoctoproject.org/meta-virtualization",
"https://github.com/kraj/meta-clang",
)
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-debian
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-opensuse
+4 -4
View File
@@ -5,7 +5,7 @@ distro: poky
defaults:
repos:
branch: master
branch: styhead
repos:
meta-arm:
@@ -16,14 +16,14 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
# commit: 2e9c2a2381105f1306bcbcb54816cbc5d8110eff
commit: 5465094be9a61a1639e1dab6d2b4ebea2bee7440
layers:
meta:
meta-poky:
meta-openembedded:
url: https://git.openembedded.org/meta-openembedded
# commit: 1750c66ae8e4268c472c0b2b94748a59d6ef866d
commit: 461d85a1831318747af5abe86da193bcde3fd9b4
layers:
meta-oe:
meta-python:
@@ -31,7 +31,7 @@ repos:
meta-secure-core:
url: https://github.com/wind-river/meta-secure-core.git
# commit: e29165a1031dcf601edbed1733cedd64826672a5
commit: 59d7e90542947c342098863b9998693ac79352b0
layers:
meta-secure-core-common:
meta-signing-key:
@@ -11,6 +11,69 @@ This document contains a summary of the new features, changes and
fixes in each release of Corstone-1000 software stack.
***************
Version 2024.11
***************
Changes
=======
- Implementation of a replication strategy for FWU metadata in TF-M according to the FWU specification.
- Upgrade to metadata version 2 in TF-M.
- Increase the ITS and PS memory size in Secure Flash for TF-M.
- SW components upgrades.
- Bug fixes.
Corstone-1000 components versions
=================================
+-------------------------------------------+-----------------------------------------------------+
| linux-yocto | 6.10.14 |
+-------------------------------------------+-----------------------------------------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-----------------------------------------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-client | 4.2.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-os | 4.2.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-a | 2.11.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-m | 2.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| libts | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff |
+-------------------------------------------+-----------------------------------------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+------------------------------+
| meta-arm | styhead |
+-------------------------------------------+------------------------------+
| poky | 5465094be9 |
+-------------------------------------------+------------------------------+
| meta-openembedded | 461d85a183 |
+-------------------------------------------+------------------------------+
| meta-secure-core | 59d7e90542 |
+-------------------------------------------+------------------------------+
| busybox | 1.36.1 |
+-------------------------------------------+------------------------------+
| musl | 1.2.5 |
+-------------------------------------------+------------------------------+
| gcc-arm-none-eabi | 13.3.rel1 |
+-------------------------------------------+------------------------------+
| gcc-cross-aarch64 | 14.2.0 |
+-------------------------------------------+------------------------------+
| openssl | 3.3.1 |
+-------------------------------------------+------------------------------+
***************
Version 2024.06
***************
@@ -19,6 +19,12 @@ intended for safety-critical applications. Should Your Software or Your Hardware
prove defective, you assume the entire cost of all necessary servicing, repair
or correction.
***********************
Release notes - 2024.11
***********************
The same notes as the 2024.06 release still apply.
***********************
Release notes - 2024.06
***********************
@@ -4,7 +4,7 @@
# SPDX-License-Identifier: MIT
######################
Software architecture
Software Architecture
######################
@@ -20,7 +20,7 @@ Corstone-1000 software plus hardware reference solution is PSA Level-2 ready
certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_).
More information on the Corstone-1000 subsystem product and design can be
found at:
`Arm corstone1000 Software`_ and `Arm corstone1000 Technical Overview`_.
`Arm Corstone-1000 Software`_ and `Arm Corstone-1000 Technical Overview`_.
This readme explicitly focuses on the software part of the solution and
provides internal details on the software components. The reference
@@ -57,7 +57,7 @@ TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
Secure Enclave follows Firmware Framework for M class
processor (`FF-M`_) specification.
The Host System is based on ARM Cotex-A35 processor with standardized
The Host System is based on ARM Cortex-A35 processor with standardized
peripherals to allow for the booting of a Linux OS. The Cortex-A35 has
the TrustZone technology that allows secure and non-secure security
states in the processor. The software design in the Host System follows
@@ -213,15 +213,18 @@ Image (the initramfs bundle). The new images are accepted in the form of a UEFI
When Firmware update is triggered, U-Boot verifies the capsule by checking the
capsule signature, version number and size. Then it signals the Secure Enclave
that can start writing UEFI capsule into the flash. Once this operation finishes
,Secure Enclave resets the entire system.
that can start writing UEFI capsule into the flash.
Once this operation finishes, Secure Enclave resets the entire system.
The Metadata Block in the flash has the below firmware update state machine.
TF-M runs an OTA service that is responsible for accepting and updating the
images in the flash. The communication between the UEFI Capsule update
subsystem and the OTA service follows the same data path explained above.
The OTA service writes the new images to the passive bank after successful
capsule verification. It changes the state of the system to trial state and
triggers the reset. Boot loaders in Secure Enclave and Host read the Metadata
triggers the reset.
Boot loaders in Secure Enclave and Host read the Metadata
block to get the information on the boot bank. In the successful trial stage,
the acknowledgment from the host moves the state of the system from trial to
regular. Any failure in the trial stage or system hangs leads to a system
@@ -258,17 +261,17 @@ calls are forwarded to the Secure Enclave as explained above.
***************
References
***************
`ARM corstone1000 Search`_
`ARM Corstone-1000 Search`_
`Arm security features`_
--------------
*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
.. _Arm corstone1000 Technical Overview: https://developer.arm.com/documentation/102360/0000
.. _Arm corstone1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _Arm corstone1000 Search: https://developer.arm.com/search#q=corstone-1000
.. _Arm Corstone-1000 Technical Overview: https://developer.arm.com/documentation/102360/0000
.. _Arm Corstone-1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _Arm Corstone-1000 Search: https://developer.arm.com/search#q=corstone-1000
.. _Arm security features: https://www.arm.com/architecture/security-features/platform-security
.. _linux repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
.. _FF-A: https://developer.arm.com/documentation/den0077/latest
@@ -18,16 +18,17 @@ for more information.
Prerequisites
-------------
This guide assumes that your host machine is running Ubuntu 20.04 LTS, with at least
This guide assumes that your host machine is running Ubuntu 20.04 LTS ( with ``sudo`` rights), with at least
32GB of free disk space and 16GB of RAM as minimum requirement.
The following prerequisites must be available on the host system:
- Git 1.8.3.1 or greater
- Git 1.8.3.1 or greater.
- Python 3.8.0 or greater.
- GNU Tar 1.28 or greater
- GNU Tar 1.28 or greater.
- GNU Compiler Collection 8.0 or greater.
- GNU Make 4.0 or greater
- GNU Make 4.0 or greater.
- tmux.
Please follow the steps described in the Yocto mega manual:
@@ -49,7 +50,7 @@ The Corstone-1000 software stack can be run on:
Yocto Stable Branch
-------------------
Corstone-1000 software stack is built on top of Yocto scarthgap release.
Corstone-1000 software stack is built on top of Yocto styhead release.
Software Components
-------------------
@@ -58,7 +59,7 @@ a `BitBake recipe <https://docs.yoctoproject.org/bitbake/2.2/bitbake-user-manual
The recipes specific to the Corstone-1000 BSP are located at:
``$WORKSPACE/meta-arm/meta-arm-bsp/``.
.. note::
.. important::
``$WORKSPACE`` refers to the absolute path to your workspace where the `meta-arm` repository will be cloned.
@@ -83,16 +84,49 @@ Host Processor Components
+----------+-----------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb`` |
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb`` |
+----------+-----------------------------------------------------------------------------------------------------+
`Trusted Services <https://trusted-services.readthedocs.io/en/latest/index.html>`__
====================================================================================
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-crypto-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-iat-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-its-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-ps-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
`OP-TEE <https://git.trustedfirmware.org/OP-TEE/optee_os.git>`__
================================================================
+----------+----------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend`` |
+----------+----------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/optee/optee-os_4.1.0.bb`` |
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/optee/optee-os_4.2.0.bb`` |
+----------+----------------------------------------------------------------------------------------+
`U-Boot <https://github.com/u-boot/u-boot.git>`__
@@ -116,7 +150,7 @@ The provided distribution is based on `BusyBox <https://www.busybox.net/>`__ and
+-----------+----------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend`` |
+-----------+----------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb`` |
| Recipe | ``$WORKSPACE/poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb`` |
+-----------+----------------------------------------------------------------------------------------------+
| defconfig | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig`` |
+-----------+----------------------------------------------------------------------------------------------+
@@ -131,7 +165,7 @@ Secure Enclave Components
+----------+-----------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.0.0.bb`` |
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.1.0.bb`` |
+----------+-----------------------------------------------------------------------------------------------------+
************************************
@@ -182,7 +216,7 @@ Build
.. code-block:: console
cd $WORKSPACE
git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.06
git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.11
#. Build a Corstone-1000 image:
@@ -414,7 +448,7 @@ instructions of the installer to setup the FVP.
.. code-block:: console
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=xterm"
-c "../meta-arm/scripts/runfvp --terminals=tmux"
When the script is executed, three terminal instances will be launched:
@@ -460,14 +494,13 @@ Clean Secure Flash
.. code-block:: console
cd $WORKSPACE
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.11
#. Copy the secure flash cleaning Git patch file to your copy of `meta-arm`.
.. code-block:: console
cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-embedded-a-corstone1000-clean-secure-flash.patch meta-arm
cd meta-arm
#. Apply the Git patch to `meta-arm`.
@@ -481,7 +514,9 @@ Clean Secure Flash
.. code-block:: console
cd $WORKSPACE
kas build meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml
kas shell meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml
bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image
bitbake -c build corstone1000-flash-firmware-image
#. Replace the ``bl1.bin`` file on the SD card with ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3/bl1.bin``.
@@ -495,6 +530,15 @@ Clean Secure Flash
NOW YOU CAN FLASH THE ACTUAL CORSTONE1000 IMAGE
PLEASE REMOVE THE LATEST ERASE SECURE FLASH PATCH AND BUILD THE IMAGE AGAIN
#. Whilst still in the ``kas`` shell, revert the changes the patch introduced by running the following commands:
.. code-block:: console
cd $WORKSPACE/meta-arm
git reset --hard
cd ..
bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image
exit
#. Follow the `instructions <building-the-software-stack_>`__ to build a clean software stack and flash the MPS3 with it.
@@ -561,7 +605,7 @@ MPS3
.. code-block:: console
sudo dd \
if=$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-costickrstone1000-mps3.wic \
if=$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic \
of=/dev/sdb \
iflag=direct oflag=direct status=progress bs=512; sync;
@@ -625,8 +669,6 @@ This sections below describe how to build and run ACS tests on Corstone-1000.
.. _mps3-instructions-for-acs-image:
MPS3
====
#. On your host development machine, clone the `Arm SystemReady ACS repository <https://github.com/ARM-software/arm-systemready/>`_.
@@ -647,6 +689,16 @@ MPS3
and full USB support for Corstone-1000 will be available in the repository with the next
SystemReady release.
#. Decompress the pre-built ACS live image.
.. code-block:: console
cd $WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0
unxz ir-acs-live-image-generic-arm64.wic.xz
MPS3
====
#. Connect a USB drive (other than the one used for the ESP) to the host development machine.
#. Run the following command to discover which device is your USB drive:
@@ -666,7 +718,6 @@ MPS3
.. code-block:: console
cd $WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0
unxz ir-acs-live-image-generic-arm64.wic.xz
sudo dd if=ir-acs-live-image-generic-arm64.wic of=/dev/sdc iflag=direct oflag=direct bs=1M status=progress; sync
#. Plug the USB drive to the MPS3. At this point you should have both the USB drive with the ESP and the USB drive with the ACS image plugged to the MPS3.
@@ -679,29 +730,48 @@ The MPS3 will reset multiple times during the test, and it might take approximat
Unplug the ESP USB drive from the MPS3 if it is preventing GRUB
from finding the bootable partition. Leave only the ACS image USB drive
plugged in to run the ACS tests. The ESP USB drive can be plugged in again after
the platform is booted to Linux at the end of the ACS tests.
plugged in to run the ACS tests.
The ESP USB drive can be plugged in again after
selecting the `Linux Boot` option in the GRUB menu at the end of the ACS tests.
.. warning::
A timeout issue has been observed while booting Linux during the ACS tests, causing the system to boot into emergency mode.
Booting Linux is necessary to run certain tests, such as `dt-validation`.
The following workaround is required to enable Linux to boot properly and perform all Linux-based tests:
#. Press Enter at the Linux prompt.
#. Open the file `/etc/systemd/system.conf` and set `DefaultDeviceTimeoutSec=infinity`.
#. Reboot the platform using the `reboot` command.
#. Select the `Linux Boot` option from the GRUB menu.
#. Allow Linux to boot and run the remaining ACS tests until completion.
.. _fvp-instructions-for-acs-image:
FVP
===
FVP has been integrated in the `meta-arm-systemready Yocto layer <https://git.yoctoproject.org/meta-arm/plain/meta-arm-systemready>`__.
Find more details about the `meta-arm-systemready` Yocto layer from its `README <https://git.yoctoproject.org/meta-arm/plain/meta-arm-systemready/README.md>`__ file.
Run the following command to build the firmware image with the specific kas configuration file for building an image with the ACS tests baked in:
Run the commands below to run the ACS test on FVP using the built firmware image and the pre-built ACS image identified above:
.. code-block:: console
kas build meta-arm/ci/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/arm-systemready-ir-acs.yml
cd $WORKSPACE
tmux
./meta-arm/scripts/runfvp \
--terminals=tmux \
./build/tmp/deploy/images/corstone1000-fvp/corstone1000-flash-firmware-image-corstone1000-fvp.fvpconf \
-- -C board.msd_mmc.p_mmc_file=$WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic
.. note::
The FVP will reset multiple times during the test.
The ACS tests might take up to 1 day to complete when run on FVP.
The message `ACS run is completed` will be displayed on the FVP host terminal when the test runs to completion.
You will be prompted to press the Enter key to access the Linux prompt.
Test Sequence and Results
=========================
@@ -718,8 +788,14 @@ The results can be fetched from the `acs_results` folder in the ``BOOT`` partiti
.. note::
The FVP uses the ``$WORKSPACE/build/tmp-glibc/work/corstone1000_fvp-oe-linux/arm-systemready-ir-acs/2.0.0/deploy-arm-systemready-ir-acs/arm-systemready-ir-acs-corstone1000-fvp.wic``
image if the `meta-arm-systemready` Yocto layer is used. The results can be checked in this image.
Access the `acs_results` folder in FVP by running the following commands:
.. code-block:: console
sudo mkdir /mnt/test
sudo mount -o rw,offset=1048576 \
$WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic \
/mnt/test
#####################################################
@@ -781,10 +857,18 @@ Run the following commands to generate an invalid capsule with a ``fw-version``
--private-key build/tmp/deploy/images/corstone1000-$TARGET/corstone1000_capsule_key.key \
--certificate build/tmp/deploy/images/corstone1000-$TARGET/corstone1000_capsule_cert.crt \
--index 1 \
--guid df1865d1-90fb-4d59-9c38-c9f2c1bba8cc \
--guid $TARGET_GUID \
--fw-version 5 build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-$TARGET_image.nopt \
corstone1000-$TARGET-v5.uefi.capsule
.. important::
``$TARGET_GUID`` is different depending on whether the capsule is built for the ``fvp`` or ``mps3`` ``$TARGET``.
- ``fvp`` ``$TARGET_GUID`` is ``989f3a4e-46e0-4cd0-9877-a25c70c01329``
- ``mps3`` ``$TARGET_GUID`` is ``df1865d1-90fb-4d59-9c38-c9f2c1bba8cc``
The invalid capsule will be located in the ``$WORKSPACE`` directory.
***************************
@@ -889,7 +973,7 @@ Positive Capsule Update Test
.. code-block:: console
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=xterm \
-c "../meta-arm/scripts/runfvp --terminals=tmux \
-- -C board.msd_mmc.p_mmc_file=$ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic"
.. warning::
@@ -911,9 +995,17 @@ Positive Capsule Update Test
#. Run the ``CapsuleApp`` application with the valid capsule file:
.. code-block:: console
- MPS3:
EFI/BOOT/app/CapsuleApp.efi corstone1000-$TARGET-v6.uefi.capsule
.. code-block:: console
EFI/BOOT/app/CapsuleApp.efi EFI/BOOT/corstone1000-mps3-v6.uefi.capsule
- FVP:
.. code-block:: console
EFI/BOOT/app/CapsuleApp.efi corstone1000-fvp-v6.uefi.capsule
The capsule update will be started.
@@ -1013,11 +1105,25 @@ Negative Capsule Update Test
Press ESC in 4 seconds to skip startup.nsh or any other key to continue.
#. Run the ``CapsuleApp`` application with the invalid capsule file:
#. Access the content of the first file system (``File System 0``) where we copied the capsule files by running the following command:
.. code-block:: console
EFI/BOOT/app/CapsuleApp.efi corstone1000-$TARGET-v5.uefi.capsule
FS0:
#. Run the ``CapsuleApp`` application with the invalid capsule file:
- MPS3:
.. code-block:: console
EFI/BOOT/app/CapsuleApp.efi EFI/BOOT/corstone1000-mps3-v5.uefi.capsule
- FVP:
.. code-block:: console
EFI/BOOT/app/CapsuleApp.efi corstone1000-fvp-v5.uefi.capsule
#. TrustedFirmware-M should reject the capsule due to having a lower firmware version and display the following log on the Secure Enclave terminal (``ttyUSB1``):
@@ -1107,83 +1213,6 @@ The Linux distributions to be installed are:
Follow the instructions below to install the Linux distributions to the Corstone-1000 software stack.
***********************************
Apply Patch for Debian Installation
***********************************
.. warning::
**!!Debian ONLY!!**
There is a known issue in `Shim 15.7 <https://salsa.debian.org/efi-team/shim/-/tree/upstream/15.7?ref_type=tags>`__
provided with the Debian installer image.
This bug causes a fatal error when attempting to boot media installer for Debian, and resets the platform before installation starts.
A `patch <debian-skip-shim-patch>`__ to be applied to the Corstone-1000 software stack is provided to skip the Shim.
This patch makes U-Boot automatically bypass the Shim and run GRUB to allow
the user to proceed with a normal installation.
You are encourage to try a new installer if at the moment of reading this document the Shim problem has been solved.
Otherwise, please apply the patch as indicated by the instructions below.
#. Clone the repository containing the patch in your ``$WORKSPACE``:
.. code-block:: console
cd $WORKSPACE
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06
#. Copy the Git patch file to your local copy of `meta-arm` in your workspace:
.. code-block:: console
cp -f systemready-patch/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch meta-arm
#. Change the current working directory to your local copy of the `meta-arm` repository to apply the Git patch:
.. code-block:: console
cd meta-arm
git am 0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch
#. Change the current working directory back to your ``$WORKSPACE``:
.. code-block:: console
cd $WORKSPACE
#. Initialize a kas shell environment using the debug configuration file for your target to:
- remove build artefacts (for ``u-boot``, ``trusted-firmware-a``, and ``corstone1000-flash-firmware-image``)
- reset the state of those recipes
- re-build the ``corstone1000-flash-firmware-image`` recipe from scratch
.. code-block:: console
kas shell meta-arm/kas/corstone1000-$TARGET.yml:meta-arm/ci/debug.yml \
-c="bitbake u-boot trusted-firmware-a corstone1000-flash-firmware-image -c cleansstate; \
bitbake corstone1000-flash-firmware-image"
.. important::
On MPS3, replace the ``cs1000.bin`` on the SD card with the newly generated ``*.wic`` file.
.. warning::
The Corstone-1000 patch for Debian installation must be removed from `meta-arm` before running the software to boot openSUSE or
executing any other tests in this user guide.
Remove the patch and rebuild the ``corstone1000-flash-firmware-image`` recipe by running the following commands:
.. code-block:: console
cd $WORKSPACE/meta-arm
git reset --hard HEAD~1
cd $WORKSPACE
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c="bitbake u-boot -c cleanall; bitbake trusted-firmware-a -c cleanall; \
bitbake corstone1000-flash-firmware-image -c cleanall; \
bitbake corstone1000-flash-firmware-image"
**************************
Prepare Installation Media
**************************
@@ -1194,7 +1223,7 @@ Follow the instructions below to create the installation media.
#. Using your development machine, download one of following Linux distribution images:
- `Debian installer image <https://cdimage.debian.org/mirror/cdimage/archive/12.4.0/arm64/iso-dvd/>`__
- `Debian installer image <https://cdimage.debian.org/mirror/cdimage/archive/12.7.0/arm64/iso-dvd/>`__
- `OpenSUSE Tumbleweed installer image <http://download.opensuse.org/ports/aarch64/tumbleweed/iso/>`__
.. note::
@@ -1246,7 +1275,7 @@ Corstone-1000 on-board non-volatile storage size is insufficient for installing
#. Do not yet connect this blank USB drive to the MPS3. It will be used as the primary drive to boot the distribution.
- FVP:
#. Create an 8GB GUID Partition Table (GPT) formatted MultiMediaCard (MMC) image.
#. Create an 10 GB GUID Partition Table (GPT) formatted MultiMediaCard (MMC) image.
.. code-block:: console
@@ -1295,7 +1324,7 @@ FVP
.. code-block:: console
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=xterm -- \
-c "../meta-arm/scripts/runfvp --terminals=tmux -- \
-C board.msd_mmc.p_mmc_file=$WORKSPACE/fvp_distro_system_drive.img \
-C board.msd_mmc_2.p_mmc_file=$DISTRO_INSTALLER_ISO_PATH"
@@ -1361,8 +1390,8 @@ Boot Distribution
.. code-block:: console
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=xterm -- \
-C board.msd_mmc.p_mmc_file=$WORKSPACE/fvp_distro_system_drive.img.img"
-c "../meta-arm/scripts/runfvp --terminals=tmux -- \
-C board.msd_mmc.p_mmc_file=$WORKSPACE/fvp_distro_system_drive.img"
.. warning::
@@ -1460,7 +1489,7 @@ Generate Keys, Signed Image and Unsigned Image
cd $WORKSPACE
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git \
-b CORSTONE1000-2024.06
-b CORSTONE1000-2024.11
#. Set the current working directory to build directory's subdirectory containing the software stack build images.
@@ -1718,14 +1747,6 @@ The steps below are applicable to both MPS3 and FVP).
#. Start the Corstone-1000 and wait until it boots to Linux on the Host Processor terminal (``ttyUSB2``).
#. Verify that the `arm_tstee` driver is present.
.. code-block:: console
ls /sys/bus/arm_ffa/drivers | grep arm_tstee
``arm_tstee`` should be printed on the terminal to confirm that the driver is present.
#. Run the PSA API tests by running the commands below in the order shown:
.. code-block:: console
@@ -1747,13 +1768,13 @@ External System Processor
The Linux operating system running on the Host Processor starts the ``remoteproc`` framework to manage the External System Processor.
#. Start the External System Processor with the following command:
#. Stop the External System Processor with the following command:
.. code-block:: console
echo stop > /sys/class/remoteproc/remoteproc0/state
#. Stop the External System Processor with the following command:
#. Start the External System Processor with the following command:
.. code-block:: console
@@ -1811,7 +1832,7 @@ The build and integration instructions can be found in its `README <secure-debug
The `secure-debug-manager` repository also contains the private key and chain certificate to be used during the tests.
The private key's public pair is provisioned into the One-Time Programmable memory in TrustedFirmware-M. These are dummy keys that should not be used in production.
A debug probe (DSTREAM family) and an Arm Development Studio 2022.2 and 2022.c (or later) are needed to test the Secure Debug feature.
To test the Secure Debug feature, you'll need a debug probe from the DSTREAM family and Arm Development Studio versions 2022.2, 2022.c, or 2023.a.
#. Clone the `secure-debug-manager` repository to your workspace.
@@ -1821,6 +1842,13 @@ A debug probe (DSTREAM family) and an Arm Development Studio 2022.2 and 2022.c (
cd $WORKSPACE
git clone https://github.com/ARM-software/secure-debug-manager.git
#. Navigate into the repository directory and checkout the specific commit in the listing below.
.. code-block:: console
cd $WORKSPACE/secure-debug-manager
git checkout b30d6496ca749123e86b39b161b9f70ef76106d6
#. Follow the steps in the `secure-debug-manager`'s `README <secure-debug-manager-repo-readme_>`__ for the development machine setup.
#. Rebuild the software stack with Secure Debug.
@@ -1873,8 +1901,8 @@ A debug probe (DSTREAM family) and an Arm Development Studio 2022.2 and 2022.c (
Reports
-------
Various test reports for the `Corstone-1000 software (CORSTONE1000-2024.06) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06>`__
release version are available for reference `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2024.06/embedded-a/corstone1000/CORSTONE1000-2024.06?ref_type=tags>`__.
Various test reports for the `Corstone-1000 software (CORSTONE1000-2024.11) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.11>`__
release version are available for reference `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2024.11/embedded-a/corstone1000/CORSTONE1000-2024.11?ref_type=tags>`__.
--------------
@@ -1882,5 +1910,4 @@ release version are available for reference `here <https://gitlab.arm.com/arm-re
*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
.. _Arm Ecosystem FVPs: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
.. _debian-skip-shim-patch: https://gitlab.arm.com/arm-reference-solutions/systemready-patch/-/blob/CORSTONE1000-2024.06/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch
.. _secure-debug-manager-repo-readme: https://github.com/ARM-software/secure-debug-manager/blob/master/README.md
@@ -14,28 +14,25 @@ certificate/token versions.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Upstream-Status: Inappropriate [Add newer dummy token and cert]
---
psa-adac/core/include/psa_adac.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
psa-adac/core/include/psa_adac.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/psa-adac/core/include/psa_adac.h b/psa-adac/core/include/psa_adac.h
index b190992..b026607 100644
index b190992..6c3feb2 100644
--- a/psa-adac/core/include/psa_adac.h
+++ b/psa-adac/core/include/psa_adac.h
@@ -30,10 +30,10 @@ extern "C" {
@@ -30,8 +30,8 @@ extern "C" {
*
* Current version numbers for certificate and token format.
*/
-#define ADAC_CERT_MAJOR 1u
-#define ADAC_CERT_MINOR 0u
-#define ADAC_TOKEN_MAJOR 1u
-#define ADAC_TOKEN_MINOR 0u
+#define ADAC_CERT_MAJOR 0u
+#define ADAC_CERT_MINOR 1u
+#define ADAC_TOKEN_MAJOR 0u
+#define ADAC_TOKEN_MINOR 1u
#define ADAC_TOKEN_MAJOR 1u
#define ADAC_TOKEN_MINOR 0u
/** \brief Key options
*
--
2.17.1
2.25.1
@@ -0,0 +1,66 @@
from oeqa.runtime.case import OERuntimeTestCase
class SystemReadyDebianUnattendedTest(OERuntimeTestCase):
def setUp(self):
super().setUp()
self.console = self.target.DEFAULT_CONSOLE
def test_debian_unattended(self):
# Turn on the FVP.
self.target.transition('on')
# Timeout value = elapsed time * 2; where elapsed time was collected
# from the elapsed time in the log.do_testimage for each function after
# the build is finished on the development machine.
self.target.expect(self.console,
r'.*Scanning installation',
timeout=(20 * 60))
bb.plain('Installation status: Scanning installation media...')
self.target.expect(self.console,
r'.*Detecting network hardware',
timeout=(35 * 60))
bb.plain('Installation status: Detecting network hardware...')
self.target.expect(self.console,
r'.*Installing the base system',
timeout=(35 * 60))
bb.plain('Installation status: Installing the base system...')
self.target.expect(self.console,
r'.*Installing GRUB',
timeout=(7 * 60 * 60))
bb.plain('Installation status: Installing GRUB...')
# Waiting to respond to the boot loader prompt error message.
self.target.expect(self.console,
r'.*Press enter to continue',
timeout=(15 * 60))
self.target.sendline(self.console, '')
self.target.expect(self.console,
r'.*Press enter to continue',
timeout=(60))
self.target.sendline(self.console, '')
# Waiting to respond continue without bootloader to install
# bootloader with the late script in preseed.cfg at the end.
self.target.expect(self.console,
r'.*Continue without boot loader',
timeout=(2 * 60))
self.target.sendline(self.console, '14')
self.target.expect(self.console,
r'.*Press enter to continue',
timeout=(60))
self.target.sendline(self.console, '')
self.target.expect(self.console,
r'.*Finishing the installation',
timeout=(2 * 60))
bb.plain('Installation status: Finishing the installation...')
# Waiting till the installation is finished.
self.target.expect(self.console, r'.*login:', timeout=(40 * 60))
bb.plain('Installation status: Debian installation finished successfully.')
@@ -0,0 +1,42 @@
from oeqa.runtime.case import OERuntimeTestCase
class SystemReadyOpenSUSEUnattendedTest(OERuntimeTestCase):
def setUp(self):
super().setUp()
self.console = self.target.DEFAULT_CONSOLE
def test_opensuse_unattended(self):
# Turn on the FVP.
self.target.transition('on')
# Timeout value = elapsed time * 2; where elapsed time was collected
# from the elapsed time in the log.do_testimage for each function after
# the build is finished on the development machine.
self.target.expect(self.console,
'Booting `Installation\'',
timeout=(2 * 60))
bb.plain('Installation status: Loading the kernel, initrd and basic drivers...')
self.target.expect(self.console,
'Starting hardware detection...',
timeout=(40 * 60))
bb.plain('Installation status: Starting hardware detection...')
self.target.expect(self.console,
'Loading Installation System',
timeout=(60 * 60))
bb.plain('Installation status: Loading Installation System...')
self.target.expect(self.console,
'Starting Installer',
timeout=(40 * 60))
bb.plain('Installation status: Performing Installation...')
self.target.expect(self.console,
'Finishing Configuration',
timeout=(15 * 60 * 60))
bb.plain('Installation status: Finishing Configuration...')
# Waiting till the installation is finished.
self.target.expect(self.console, r'.*login: ', timeout=(6 * 60 * 60))
bb.plain('Installation status: openSUSE installation finished successfully.')
@@ -49,9 +49,9 @@ PV = "2.0.0"
PV_DATE = "23.03"
FULL_PV = "v${PV_DATE}_${PV}"
ARM_SYSTEMREADY_IR_ACS_BRANCH ?= "main"
IMAGE_FILENAME = "ir-acs-live-image-generic-arm64.wic"
IMAGE_FILENAME = "ir-acs-live-image-generic-arm64-${PV}.wic"
SRC_URI = " \
https://github.com/ARM-software/arm-systemready/raw/${ARM_SYSTEMREADY_IR_ACS_BRANCH}/IR/prebuilt_images/${FULL_PV}/${IMAGE_FILENAME}.xz;name=acs-img \
https://github.com/ARM-software/arm-systemready/raw/${ARM_SYSTEMREADY_IR_ACS_BRANCH}/IR/prebuilt_images/${FULL_PV}/ir-acs-live-image-generic-arm64.wic.xz;name=acs-img;downloadfilename=${IMAGE_FILENAME}.xz \
git://git.gitlab.arm.com/systemready/systemready-ir-template.git;protocol=https;nobranch=1;destsuffix=systemready-ir-template;name=sr-ir-template \
"
SRC_URI[acs-img.sha256sum] = "ea52f84dab44bde97de3e2d2224d883acaae35724dd8e2bdfb125de49040f9b3"
@@ -98,8 +98,35 @@ file://${COMMON_LICENSE_DIR}/OPL-1.0;md5=acdf1e4398bd93dc137e271c50316324 \
file://${COMMON_LICENSE_DIR}/PD;md5=b3597d12946881e13cb3b548d1173851 \
"
PV = "12.4.0"
# netinst, DVD-1
ISO_TYPE = "netinst"
SRC_URI = "https://cdimage.debian.org/mirror/cdimage/archive/${PV}/arm64/iso-cd/debian-${PV}-arm64-${ISO_TYPE}.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
SRC_URI[sha256sum] = "d32d2c63350a932dc0d9d45665985b41413f9e01efc0eacbea981d435f553d3d"
PV = "12.8.0"
SRC_URI = "\
https://cdimage.debian.org/mirror/cdimage/archive/12.8.0/arm64/iso-dvd/debian-12.8.0-arm64-DVD-1.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso;name=debian_iso_image \
file://unattended-boot-conf/Debian/preseed.cfg \
"
SRC_URI[debian_iso_image.sha256sum] = "8891fe48bb5a58ae54176eaa6440059bf852044d6b9ae77219e78f9ef8d65149"
TEST_SUITES = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm_systemready_debian_unattended", "", d)}"
ISO_LABEL = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "debian-12.8.0-arm64-1", "", d)}"
BOOT_CATALOG = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot.catalog", "", d)}"
BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/boot/bootaa64.efi", "", d)}"
EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot/grub/efi.img", "", d)}"
modifyiso() {
UNATTENDED_CONF_DIR="${UNPACKDIR}/unattended-boot-conf/Debian"
# Append the preseed.cfg file to the initrd
gunzip ${EXTRACTED_ISO_TEMP_DIR}/install.a64/initrd.gz
(cd ${UNATTENDED_CONF_DIR} && echo preseed.cfg | cpio -H newc -o -A -F ${EXTRACTED_ISO_TEMP_DIR}/install.a64/initrd)
gzip ${EXTRACTED_ISO_TEMP_DIR}/install.a64/initrd
#GRUB
# Disable timeout
sed -i '/^insmod gzio/ a set timeout=0' ${EXTRACTED_ISO_TEMP_DIR}/boot/grub/grub.cfg
# Update default menu entry to select automated install
sed -i '/^set timeout/ a set default="2>5"' ${EXTRACTED_ISO_TEMP_DIR}/boot/grub/grub.cfg
# Update kernel boot parameters to enable more text based console output
sed -i 's|linux /install.a64/vmlinuz auto=true priority=critical --- quiet|linux /install.a64/vmlinuz auto=true priority=critical DEBIAN_FRONTEND=text --- nomodeset|g' ${EXTRACTED_ISO_TEMP_DIR}/boot/grub/grub.cfg
}
@@ -106,11 +106,14 @@ BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/BOOT/BOOT
EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "images/efiboot.img", "", d)}"
PV = "39.1.5"
SRC_URI = "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/aarch64/iso/Fedora-Server-dvd-aarch64-39-1.5.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
SRC_URI[sha256sum] = "d19dc2a39758155fa53e6fd555d0d173ccc8175b55dea48002d499f39cb30ce0"
SRC_URI = "\
https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/aarch64/iso/Fedora-Server-dvd-aarch64-39-1.5.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso;name=fedora_iso_image \
file://unattended-boot-conf/Fedora/ks.cfg\
"
SRC_URI[fedora_iso_image.sha256sum] = "d19dc2a39758155fa53e6fd555d0d173ccc8175b55dea48002d499f39cb30ce0"
modifyiso() {
UNATTENDED_CONF_DIR="${THISDIR}/unattended-boot-conf/Fedora"
UNATTENDED_CONF_DIR="${UNPACKDIR}/unattended-boot-conf/Fedora"
cp "${UNATTENDED_CONF_DIR}/ks.cfg" ${EXTRACTED_ISO_TEMP_DIR}
sed -i 's/set default="1"/set default="0"/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg"
@@ -70,5 +70,23 @@ PV = "15.5"
# possible value of ISO_TYPE: NET, DVD
ISO_TYPE = "DVD"
BUILD_NO = "491.1"
SRC_URI = "https://download.opensuse.org/distribution/leap/${PV}/iso/openSUSE-Leap-${PV}-${ISO_TYPE}-aarch64-Build${BUILD_NO}-Media.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
SRC_URI[sha256sum] = "456cc4f99b044429d8a89bd302c06e9e382d6ac4dc590139a7096ebb54f5357b"
SRC_URI = "\
https://download.opensuse.org/distribution/leap/${PV}/iso/openSUSE-Leap-${PV}-${ISO_TYPE}-aarch64-Build${BUILD_NO}-Media.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso;name=opensuse_iso_image \
file://unattended-boot-conf/openSUSE/autoinst.xml \
"
SRC_URI[opensuse_iso_image.sha256sum] = "456cc4f99b044429d8a89bd302c06e9e382d6ac4dc590139a7096ebb54f5357b"
TEST_SUITES = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm_systemready_opensuse_unattended", "", d)}"
ISO_LABEL = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "OEMDRV", "", d)}"
BOOT_CATALOG = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot.catalog", "", d)}"
BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/BOOT/bootaa64.efi", "", d)}"
EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot/aarch64/efi", "", d)}"
modifyiso() {
UNATTENDED_CONF_DIR="${UNPACKDIR}/unattended-boot-conf/openSUSE"
#create installation configuration files, remove grub timeout, setup network
cp "${UNATTENDED_CONF_DIR}/autoinst.xml" ${EXTRACTED_ISO_TEMP_DIR}
sed -i 's/timeout=60/timeout=0/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg"
}
@@ -19,7 +19,7 @@ python () {
unpackiso() {
# Unpack the ISO image
bsdtar -xf ${WORKDIR}/${ISO_IMAGE_NAME}.iso -C ${EXTRACTED_ISO_TEMP_DIR}
bsdtar -xf ${UNPACKDIR}/${ISO_IMAGE_NAME}.iso -C ${EXTRACTED_ISO_TEMP_DIR}
chmod -R u+rw ${EXTRACTED_ISO_TEMP_DIR}
}
@@ -34,7 +34,7 @@ repackiso() {
-boot-load-size 4 -boot-info-table -J -R -V ${ISO_LABEL} -eltorito-alt-boot \
-eltorito-boot ${EFI_IMAGE} -no-emul-boot ${EXTRACTED_ISO_TEMP_DIR}
mv -f ${NEW_ISO_TEMP_DIR}/${ISO_IMAGE_NAME}.iso ${WORKDIR}
mv -f ${NEW_ISO_TEMP_DIR}/${ISO_IMAGE_NAME}.iso ${UNPACKDIR}
}
# Write the test data in IMAGE_POSTPROCESS_COMMAND
@@ -0,0 +1,75 @@
# Preconfiguration file for Debian unattended installation
# Enable auto mode
d-i auto-install/enable boolean true
d-i debconf/priority select critical
# Set language, country and locale
d-i debian-installer/language string en
d-i debian-installer/country string GB
d-i debian-installer/locale string en_GB.UTF-8
d-i keyboard-configuration/xkb-keymap select us
# Set clock and timezone
d-i clock-setup/utc boolean true
d-i time/zone select Europe/London
# Skip installing recommended packages
d-i base-installer/install-recommends boolean false
# Set user and password
d-i passwd/root-login boolean false
d-i passwd/user-fullname string user
d-i passwd/username string user
d-i passwd/user-password password unsafe
d-i passwd/user-password-again password unsafe
# Disable CD-ROM and set mirror
d-i apt-setup/cdrom/set-first boolean false
d-i mirror/country string manual NO
d-i mirror/http/proxy string
# Disable mirror selection
d-i apt-setup/no_mirror boolean true
d-i popularity-contest/participate boolean false
# Skip package selection and upgrades
d-i pkgsel/run_tasksel boolean false
d-i pkgsel/upgrade select none
# Ensure the 'dbus' package is installed
d-i pkgsel/include string dbus
# Set host and domain names
d-i netcfg/get_hostname string debtest
d-i netcfg/get_domain string unassigned-domain
# Partitioning
d-i partman-auto/disk string /dev/vda
d-i partman-auto/init_automatically_partition select Guided - use entire disk
d-i partman-auto/choose_recipe select All files in one partition (recommended for new users)
d-i partman-auto/method string regular
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# Install GRUB bootloader
d-i grub-installer/only_debian boolean true
d-i grub-installer/bootdev string /dev/vda
d-i grub-installer/bootloader-id string debian
d-i grub-installer/efi-directory string /boot/efi
# Handle errors automatically
d-i debian-installer/exit-on-error boolean true
# Late command to install GRUB and finalize boot setup
d-i preseed/late_command string \
mount /dev/vda1 /target/boot/efi || true; \
in-target mkdir -p /boot/efi/EFI/boot || true; \
in-target grub-install --target=arm64-efi --efi-directory=/boot/efi --bootloader-id=debian --removable || true; \
in-target update-grub || true; \
umount /target/boot/efi || true
# Reboot after installation
d-i finish-install/reboot_in_progress note
@@ -0,0 +1,935 @@
<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
<bootloader t="map">
<global t="map">
<append>splash=silent preempt=full mitigations=auto quiet security=apparmor</append>
<cpu_mitigations>auto</cpu_mitigations>
<gfxmode>auto</gfxmode>
<hiddenmenu>false</hiddenmenu>
<os_prober>true</os_prober>
<secure_boot>true</secure_boot>
<terminal>gfxterm</terminal>
<timeout t="integer">8</timeout>
<update_nvram>true</update_nvram>
</global>
<loader_type>grub2-efi</loader_type>
</bootloader>
<firewall t="map">
<default_zone>public</default_zone>
<enable_firewall t="boolean">true</enable_firewall>
<log_denied_packets>off</log_denied_packets>
<start_firewall t="boolean">true</start_firewall>
<zones t="list">
<zone t="map">
<description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>block</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Block</short>
<target>%%REJECT%%</target>
</zone>
<zone t="map">
<description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>dmz</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>ssh</service>
</services>
<short>DMZ</short>
<target>default</target>
</zone>
<zone t="map">
<description>All network connections are accepted.</description>
<interfaces t="list">
<interface>docker0</interface>
</interfaces>
<masquerade t="boolean">false</masquerade>
<name>docker</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>docker</short>
<target>ACCEPT</target>
</zone>
<zone t="map">
<description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>drop</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Drop</short>
<target>DROP</target>
</zone>
<zone t="map">
<description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">true</masquerade>
<name>external</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>ssh</service>
</services>
<short>External</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>home</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>mdns</service>
<service>samba-client</service>
<service>ssh</service>
</services>
<short>Home</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>internal</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>mdns</service>
<service>samba-client</service>
<service>ssh</service>
</services>
<short>Internal</short>
<target>default</target>
</zone>
<zone t="map">
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list">
<interface>eth0</interface>
</interfaces>
<masquerade t="boolean">false</masquerade>
<name>public</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>ssh</service>
</services>
<short>Public</short>
<target>default</target>
</zone>
<zone t="map">
<description>All network connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>trusted</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list"/>
<short>Trusted</short>
<target>ACCEPT</target>
</zone>
<zone t="map">
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interfaces t="list"/>
<masquerade t="boolean">false</masquerade>
<name>work</name>
<ports t="list"/>
<protocols t="list"/>
<services t="list">
<service>dhcpv6-client</service>
<service>ssh</service>
</services>
<short>Work</short>
<target>default</target>
</zone>
</zones>
</firewall>
<general t="map">
<mode t="map">
<confirm t="boolean">false</confirm>
</mode>
</general>
<groups t="list">
<group t="map">
<gid>100</gid>
<groupname>users</groupname>
<userlist/>
</group>
<group t="map">
<gid>499</gid>
<groupname>messagebus</groupname>
<userlist/>
</group>
<group t="map">
<gid>1</gid>
<groupname>bin</groupname>
<userlist>daemon</userlist>
</group>
<group t="map">
<gid>488</gid>
<groupname>input</groupname>
<userlist/>
</group>
<group t="map">
<gid>495</gid>
<groupname>kmem</groupname>
<userlist/>
</group>
<group t="map">
<gid>493</gid>
<groupname>utmp</groupname>
<userlist/>
</group>
<group t="map">
<gid>62</gid>
<groupname>man</groupname>
<userlist/>
</group>
<group t="map">
<gid>477</gid>
<groupname>polkitd</groupname>
<userlist/>
</group>
<group t="map">
<gid>479</gid>
<groupname>systemd-timesync</groupname>
<userlist/>
</group>
<group t="map">
<gid>2</gid>
<groupname>daemon</groupname>
<userlist/>
</group>
<group t="map">
<gid>480</gid>
<groupname>systemd-network</groupname>
<userlist/>
</group>
<group t="map">
<gid>71</gid>
<groupname>ntadmin</groupname>
<userlist/>
</group>
<group t="map">
<gid>490</gid>
<groupname>dialout</groupname>
<userlist/>
</group>
<group t="map">
<gid>59</gid>
<groupname>maildrop</groupname>
<userlist>postfix</userlist>
</group>
<group t="map">
<gid>478</gid>
<groupname>nscd</groupname>
<userlist/>
</group>
<group t="map">
<gid>51</gid>
<groupname>postfix</groupname>
<userlist/>
</group>
<group t="map">
<gid>485</gid>
<groupname>tape</groupname>
<userlist/>
</group>
<group t="map">
<gid>487</gid>
<groupname>render</groupname>
<userlist/>
</group>
<group t="map">
<gid>476</gid>
<groupname>sshd</groupname>
<userlist/>
</group>
<group t="map">
<gid>491</gid>
<groupname>cdrom</groupname>
<userlist/>
</group>
<group t="map">
<gid>486</gid>
<groupname>sgx</groupname>
<userlist/>
</group>
<group t="map">
<gid>0</gid>
<groupname>root</groupname>
<userlist/>
</group>
<group t="map">
<gid>489</gid>
<groupname>disk</groupname>
<userlist/>
</group>
<group t="map">
<gid>15</gid>
<groupname>shadow</groupname>
<userlist/>
</group>
<group t="map">
<gid>484</gid>
<groupname>video</groupname>
<userlist/>
</group>
<group t="map">
<gid>496</gid>
<groupname>wheel</groupname>
<userlist/>
</group>
<group t="map">
<gid>483</gid>
<groupname>audit</groupname>
<userlist/>
</group>
<group t="map">
<gid>498</gid>
<groupname>mail</groupname>
<userlist>postfix</userlist>
</group>
<group t="map">
<gid>5</gid>
<groupname>tty</groupname>
<userlist/>
</group>
<group t="map">
<gid>65533</gid>
<groupname>nogroup</groupname>
<userlist/>
</group>
<group t="map">
<gid>65534</gid>
<groupname>nobody</groupname>
<userlist/>
</group>
<group t="map">
<gid>497</gid>
<groupname>lp</groupname>
<userlist/>
</group>
<group t="map">
<gid>482</gid>
<groupname>chrony</groupname>
<userlist/>
</group>
<group t="map">
<gid>492</gid>
<groupname>audio</groupname>
<userlist/>
</group>
<group t="map">
<gid>494</gid>
<groupname>lock</groupname>
<userlist/>
</group>
<group t="map">
<gid>36</gid>
<groupname>kvm</groupname>
<userlist/>
</group>
<group t="map">
<gid>42</gid>
<groupname>trusted</groupname>
<userlist/>
</group>
<group t="map">
<gid>481</gid>
<groupname>systemd-journal</groupname>
<userlist/>
</group>
</groups>
<host t="map">
<hosts t="list">
<hosts_entry t="map">
<host_address>127.0.0.1</host_address>
<names t="list">
<name>localhost</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>::1</host_address>
<names t="list">
<name>localhost ipv6-localhost ipv6-loopback</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>fe00::0</host_address>
<names t="list">
<name>ipv6-localnet</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff00::0</host_address>
<names t="list">
<name>ipv6-mcastprefix</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::1</host_address>
<names t="list">
<name>ipv6-allnodes</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::2</host_address>
<names t="list">
<name>ipv6-allrouters</name>
</names>
</hosts_entry>
<hosts_entry t="map">
<host_address>ff02::3</host_address>
<names t="list">
<name>ipv6-allhosts</name>
</names>
</hosts_entry>
</hosts>
</host>
<language t="map">
<language>en_GB</language>
<languages>en_GB</languages>
</language>
<networking t="map">
<dhcp_options t="map">
<dhclient_client_id/>
<dhclient_hostname_option>AUTO</dhclient_hostname_option>
</dhcp_options>
<dns t="map">
<dhcp_hostname t="boolean">true</dhcp_hostname>
<hostname>localhost</hostname>
<resolv_conf_policy>auto</resolv_conf_policy>
</dns>
<interfaces t="list">
<interface t="map">
<bootproto>dhcp</bootproto>
<name>eth0</name>
<startmode>auto</startmode>
<zone>public</zone>
</interface>
</interfaces>
<ipv6 t="boolean">true</ipv6>
<keep_install_network t="boolean">true</keep_install_network>
<managed t="boolean">false</managed>
<routing t="map">
<ipv4_forward t="boolean">false</ipv4_forward>
<ipv6_forward t="boolean">false</ipv6_forward>
</routing>
</networking>
<ntp-client t="map">
<ntp_policy>auto</ntp_policy>
<ntp_servers t="list"/>
<ntp_sync>systemd</ntp_sync>
</ntp-client>
<partitioning t="list">
<drive t="map">
<device>/dev/vda</device>
<disklabel>gpt</disklabel>
<enable_snapshots t="boolean">false</enable_snapshots>
<partitions t="list">
<partition t="map">
<create t="boolean">true</create>
<filesystem t="symbol">vfat</filesystem>
<format t="boolean">true</format>
<fstopt>utf8</fstopt>
<mount>/boot/efi</mount>
<mountby t="symbol">uuid</mountby>
<partition_id t="integer">259</partition_id>
<partition_nr t="integer">1</partition_nr>
<resize t="boolean">false</resize>
<size>134217728</size>
</partition>
<partition t="map">
<create t="boolean">true</create>
<create_subvolumes t="boolean">true</create_subvolumes>
<filesystem t="symbol">btrfs</filesystem>
<format t="boolean">true</format>
<mount>/</mount>
<mountby t="symbol">uuid</mountby>
<partition_id t="integer">131</partition_id>
<partition_nr t="integer">2</partition_nr>
<quotas t="boolean">false</quotas>
<resize t="boolean">false</resize>
<size>6307167744</size>
<subvolumes t="list">
<subvolume t="map">
<copy_on_write t="boolean">false</copy_on_write>
<path>var</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>usr/local</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>tmp</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>srv</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>root</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>opt</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>home</path>
</subvolume>
<subvolume t="map">
<copy_on_write t="boolean">true</copy_on_write>
<path>boot/grub2/arm64-efi</path>
</subvolume>
</subvolumes>
<subvolumes_prefix>@</subvolumes_prefix>
</partition>
</partitions>
<type t="symbol">CT_DISK</type>
<use>all</use>
</drive>
</partitioning>
<proxy t="map">
<enabled t="boolean">false</enabled>
</proxy>
<services-manager t="map">
<default_target>multi-user</default_target>
<services t="map">
<enable t="list">
<service>YaST2-Firstboot</service>
<service>YaST2-Second-Stage</service>
<service>apparmor</service>
<service>auditd</service>
<service>klog</service>
<service>chronyd</service>
<service>cron</service>
<service>cups</service>
<service>firewalld</service>
<service>wickedd-auto4</service>
<service>wickedd-dhcp4</service>
<service>wickedd-dhcp6</service>
<service>wickedd-nanny</service>
<service>irqbalance</service>
<service>issue-generator</service>
<service>kbdsettings</service>
<service>wicked</service>
<service>nscd</service>
<service>postfix</service>
<service>purge-kernels</service>
<service>rsyslog</service>
<service>smartd</service>
<service>sshd</service>
<service>systemd-pstore</service>
<service>systemd-remount-fs</service>
</enable>
</services>
</services-manager>
<software t="map">
<install_recommended t="boolean">true</install_recommended>
<instsource/>
<packages t="list">
<package>wicked</package>
<package>shim</package>
<package>os-prober</package>
<package>openssh</package>
<package>openSUSE-release</package>
<package>mokutil</package>
<package>kexec-tools</package>
<package>grub2-arm64-efi</package>
<package>glibc</package>
<package>firewalld</package>
<package>e2fsprogs</package>
<package>dosfstools</package>
<package>chrony</package>
<package>btrfsprogs</package>
<package>autoyast2</package>
</packages>
<patterns t="list">
<pattern>apparmor</pattern>
<pattern>base</pattern>
<pattern>documentation</pattern>
<pattern>enhanced_base</pattern>
<pattern>minimal_base</pattern>
<pattern>sw_management</pattern>
<pattern>yast2_basis</pattern>
</patterns>
<products t="list">
<product>Leap</product>
</products>
</software>
<ssh_import t="map">
<copy_config t="boolean">false</copy_config>
<import t="boolean">false</import>
</ssh_import>
<user_defaults t="map">
<expire/>
<group>100</group>
<home>/home</home>
<inactive>-1</inactive>
<shell>/bin/bash</shell>
<umask>022</umask>
</user_defaults>
<users t="list">
<user t="map">
<authorized_keys t="list"/>
<encrypted t="boolean">true</encrypted>
<fullname>user</fullname>
<gid>100</gid>
<home>/home/user</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max>99999</max>
<min>0</min>
<warn>7</warn>
</password_settings>
<shell>/bin/bash</shell>
<uid>1000</uid>
<user_password>$6$WV8CB/c6j0zhAi5S$4euhbt4alH7WNfaatS9IJgPiiKDJ48d5Ru1zCZCA0N9GiyOPuefN2PAUWlyYeTgqAInpyvPh1frdp4fFVjvEn0</user_password>
<username>user</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for nscd</fullname>
<gid>478</gid>
<home>/run/nscd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>478</uid>
<user_password>!</user_password>
<username>nscd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>systemd Network Management</fullname>
<gid>480</gid>
<home>/</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>480</uid>
<user_password>!*</user_password>
<username>systemd-network</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Daemon</fullname>
<gid>2</gid>
<home>/sbin</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>2</uid>
<user_password>!</user_password>
<username>daemon</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>systemd Time Synchronization</fullname>
<gid>479</gid>
<home>/</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>479</uid>
<user_password>!*</user_password>
<username>systemd-timesync</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>user for rpcbind</fullname>
<gid>65534</gid>
<home>/var/lib/empty</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>475</uid>
<user_password>!</user_password>
<username>rpc</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>SSH daemon</fullname>
<gid>476</gid>
<home>/var/lib/sshd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>476</uid>
<user_password>!</user_password>
<username>sshd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Postfix Daemon</fullname>
<gid>51</gid>
<home>/var/spool/postfix</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>51</uid>
<user_password>!</user_password>
<username>postfix</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>NFS statd daemon</fullname>
<gid>65533</gid>
<home>/var/lib/nfs</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/sbin/nologin</shell>
<uid>474</uid>
<user_password>!</user_password>
<username>statd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>bin</fullname>
<gid>1</gid>
<home>/bin</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>1</uid>
<user_password>!</user_password>
<username>bin</username>
</user>
<user t="map">
<authorized_keys t="list"/>
<encrypted t="boolean">true</encrypted>
<fullname>root</fullname>
<gid>0</gid>
<home>/root</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/bin/bash</shell>
<uid>0</uid>
<user_password>$6$zAe5W7gw/kja9aKy$mM.BWtNyjalXrDNig4CUfN3bgfmehUIs8.zvBwWn1XroK104G.rY3lyup3OH8TujieUmgO4J74Df.LktV4A1K1</user_password>
<username>root</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for D-Bus</fullname>
<gid>499</gid>
<home>/run/dbus</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/bin/false</shell>
<uid>499</uid>
<user_password>!</user_password>
<username>messagebus</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Manual pages viewer</fullname>
<gid>62</gid>
<home>/var/lib/empty</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>13</uid>
<user_password>!</user_password>
<username>man</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Printing daemon</fullname>
<gid>497</gid>
<home>/var/spool/lpd</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>497</uid>
<user_password>!</user_password>
<username>lp</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>User for polkitd</fullname>
<gid>477</gid>
<home>/var/lib/polkit</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>477</uid>
<user_password>!</user_password>
<username>polkitd</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Chrony Daemon</fullname>
<gid>482</gid>
<home>/var/lib/chrony</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>496</uid>
<user_password>!</user_password>
<username>chrony</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>nobody</fullname>
<gid>65534</gid>
<home>/var/lib/nobody</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/bin/bash</shell>
<uid>65534</uid>
<user_password>!</user_password>
<username>nobody</username>
</user>
<user t="map">
<encrypted t="boolean">true</encrypted>
<fullname>Mailer daemon</fullname>
<gid>498</gid>
<home>/var/spool/clientmqueue</home>
<home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
<password_settings t="map">
<expire/>
<flag/>
<inact/>
<max/>
<min/>
<warn/>
</password_settings>
<shell>/usr/sbin/nologin</shell>
<uid>498</uid>
<user_password>!</user_password>
<username>mail</username>
</user>
</users>
</profile>
+31
View File
@@ -0,0 +1,31 @@
# Sign binaries for UEFI Secure Boot
#
# Usage in recipes:
#
# Set binary to sign per recipe:
# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
#
# Then call do_sbsign() in correct stage of the build
# do_compile:append() {
# do_sbsign
# }
DEPENDS += 'gen-sbkeys'
DEPENDS += "sbsigntool-native"
SBSIGN_KEY = "${SBSIGN_KEYS_DIR}/db.key"
SBSIGN_CERT = "${SBSIGN_KEYS_DIR}/db.crt"
SBSIGN_TARGET_BINARY ?= "binary_to_sign"
# Not adding as task since recipes may need to sign binaries at different
# stages. Instead they can call this function when needed by calling this function
do_sbsign() {
bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
${STAGING_BINDIR_NATIVE}/sbsign \
--key "${SBSIGN_KEY}" \
--cert "${SBSIGN_CERT}" \
--output "${SBSIGN_TARGET_BINARY}.signed" \
"${SBSIGN_TARGET_BINARY}"
cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
}
+1 -1
View File
@@ -57,7 +57,7 @@ class ConsolePortParser:
while True:
try:
line = next(self._lines).strip().decode(errors='ignore')
m = re.match(r"^(\S+): Listening for serial connection on port (\d+)$", line)
m = re.search(r"(\S+): Listening for serial connection on port (\d+)$", line)
if m:
matched_console = m.group(1)
matched_port = int(m.group(2))
@@ -0,0 +1,29 @@
#
# SPDX-License-Identifier: MIT
#
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.oetimeout import OETimeout
class UEFI_SB_TestSuite(OERuntimeTestCase):
"""
Validate Secure Boot is Enabled
"""
@OETimeout(1300)
def test_uefi_secureboot(self):
# Validate Secure Boot is enabled by checking
# 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
# The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
# identifier for the Secure Boot UEFI variable. By checking the value of
# this variable, specifically
# '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
# whether Secure Boot is enabled or not. This variable is set by the
# UEFI firmware to indicate the current Secure Boot state. If the
# variable is set to a value of '0x1' (or '1'), it indicates that Secure
# Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
# it indicates that Secure Boot is disabled.
cmd = "echo $( od -t u2 -A n -j 4 -N 4 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c )"
status, output = self.target.run(cmd, timeout=120)
self.assertEqual(output, "1", msg="\n".join([cmd, output]))
@@ -0,0 +1,17 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://uefi-secureboot.cfg"
inherit sbsign
DEPENDS += 'python3-pyopenssl-native'
do_compile:prepend() {
export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${SBSIGN_KEYS_DIR}"/PK.esl -t file
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${SBSIGN_KEYS_DIR}"/KEK.esl -t file
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${SBSIGN_KEYS_DIR}"/db.esl -t file
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${SBSIGN_KEYS_DIR}"/dbx.esl -t file
"${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
}
@@ -0,0 +1,10 @@
CONFIG_CMD_BOOTMENU=y
CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="bootmenu"
CONFIG_USE_PREBOOT=y
CONFIG_EFI_VAR_BUF_SIZE=65536
CONFIG_FIT_SIGNATURE=y
CONFIG_EFI_SECURE_BOOT=y
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
CONFIG_PREBOOT_DEFINED=y
@@ -2,3 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg"
SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg"
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-uefi-secureboot.inc', '', d)}
@@ -0,0 +1,7 @@
inherit sbsign
SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
do_compile:append() {
do_sbsign
}
@@ -0,0 +1 @@
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
@@ -0,0 +1 @@
PACKAGECONFIG:append = " efi"
@@ -0,0 +1 @@
require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://license_terms/license_agreement.txt;md5=1a33828e132ba
file://license_terms/third_party_licenses/arm_license_management_utilities/third_party_licenses.txt;md5=abcaafefc7b7a0cdf6664c51f9075c5b"
SRC_URI = "https://developer.arm.com/-/cdn-downloads/permalink/Fixed-Virtual-Platforms/${PV_URL_SHORT}/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}"
SRC_URI = "https://developer.arm.com/-/cdn-downloads/permalink/FVPs-Architecture/${PV_URL_SHORT}/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}"
SRC_URI[fvp-aarch64.sha256sum] = "0a262327073d410146a6689c068162f60e72f45845734650b08a1d45483853ca"
SRC_URI[fvp-x86_64.sha256sum] = "a314f0f8c55492b70ab469fbbe2bb71ab8bb7c7ae4608ed1c432d8de8f4edb27"
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
require ${FFA_TRANSPORT_INCLUDE}
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
@@ -0,0 +1,14 @@
KERNEL_FEATURES += "cfg/efi-ext.scc"
inherit sbsign
# shell variable set inside do_compile task
SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
do_compile:append() {
KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
do_sbsign
}
RRECOMMENDS:${PN} += "kernel-module-efivarfs"
RRECOMMENDS:${PN} += "kernel-module-efivars"
@@ -15,7 +15,7 @@ OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"
# The GPT parser component is needed from TF-A
SRC_URI += "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;name=tfa;protocol=https;branch=master;destsuffix=git/tf-a"
SRCREV_tfa = "v2.7.0"
SRCREV_tfa = "35f4c7295bafeb32c8bcbdfb6a3f2e74a57e732b"
LIC_FILES_CHKSUM = "file://../tf-a/docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
do_apply_local_src_patches:append() {
apply_local_src_patches ${S}/external/tf_a ${WORKDIR}/git/tf-a