Separate A/B kernel partitions for meta-mender.
Probably not very useful by itself, but is a prerequisite for things like encrypting the rootfs.
- Two additional A/B kernel partitions are created after the
/datapartition via themender-corevariableMENDER_EXTRA_PARTS. - On boot, GRUB selects the corresponding kernel partition based on
mender_boot_part. The kernel and/or initramfs are loaded from this partition. - An
ArtifactInstallstate-script updates the kernel partition. - Optional UEFI Secure Boot.
Requires meta-secure-core. See this kas file for more setup details.
There were a few gotchas integrating secure boot
SELoader is not setup to verify anything outside the /efi partition. To workaround this:
- use
SELoaderto verify everything on/efi(config, env, EFI binaries, etc). This is noop and standardmeta-efi-secure-bootoperation. - use
shimto verify theINITRAMFS_IMAGE_BUNDLE- enforce
INITRAMFS_IMAGE_BUNDLE - sign
INITRAMFS_IMAGE_BUNDLEwithsb_signto useMOKkey(s) - use
chainloaderinstead oflinuxgrub command to launchINITRAMFS_IMAGE_BUNDLE
- enforce
This layer depends on:
URI: git://git.openembedded.org/bitbake
URI: git://git.openembedded.org/openembedded-core
layers: meta
branch: master
URI: https://github.com/mendersoftware/meta-mender.git
layers: meta-mender-core
branch: master
URI: https://github.com/coreycothrum/meta-bitbake-variable-substitution.git
layers: meta-bitbake-variable-substitution
branch: master
In order to use this layer, the build system must be aware of it.
Assuming this layer exists at the top-level of the yocto build tree; add the location of this layer to bblayers.conf, along with any additional layers needed:
BBLAYERS ?= " \
/path/to/yocto/meta \
/path/to/yocto/meta-poky \
/path/to/yocto/meta-yocto-bsp \
/path/to/yocto/meta-mender/meta-mender-core \
/path/to/yocto/meta-bitbake-variable-substitution \
/path/to/yocto/meta-mender-kernel \
"
Alternatively, run bitbake-layers to add:
$ bitbake-layers add-layer /path/to/yocto/meta-mender-kernel
The following definitions should be added to local.conf or custom_machine.conf:
require conf/include/mender-kernel.inc
# size (MB) of each kernel partition
# ideally this should be in a custom machine.conf with the rest of the MENDER size params
MENDER/KERNEL_PART_SIZE_MB = "256"
The following should be added to the image recipe (e.g. core-image-minimal.bbappend):
require conf/include/mender-kernel-image.inc
Alternatively, a kas file has been provided to help with setup/config. Include kas/kas.yml from this layer in the top level kas file:
header:
version : 1
includes:
- repo: meta-mender-kernel
file: kas/kas.yml
local_conf_header:
01_meta-mender-kernel: |
# define here, or in a machine.conf file
MENDER/KERNEL_PART_SIZE_MB = "256"
Additional files in kas/ have been provided to selectively turn on some features, such as UEFI Secure Boot.
A standalone reference build kas file has been provided.
Refer to meta-mender-luks for a more detailed build example.
All testing has been done with the Dockerfile located in this repo.
Commands executed from docker image:
# clone repo
cd $YOCTO_WORKDIR && git clone https://github.com/coreycothrum/meta-mender-kernel.git
# build TARGET image
cd $YOCTO_WORKDIR && kas build $YOCTO_WORKDIR/meta-mender-kernel/kas/reference_builds/kas.min.x86-64.yml
# build QEMU image
cd $YOCTO_WORKDIR && kas build $YOCTO_WORKDIR/meta-mender-kernel/kas/reference_builds/kas.min.x86-64.yml:$YOCTO_WORKDIR/meta-mender-kernel/kas/reference_builds/kas.qemu.yml
Please submit any patches against this layer via pull request.
Commits must be signed off.
Use conventional commits.
This layer will remain compatible with the latest YOCTO LTS. This mirrors what meta-mender does.