Preparations for release 3.0

* Rauc updates & install initial implementation * Try build initrd without firmwares and kernel modules * Shellcheck * Use kas for dependency management * Include intel cpu microcode update to initrd * Include vex class * Update dependencies * Split modules sign and secure boot keys * Fix tmp certificates files naming
Enapter · Oct 31, 2024 · f818872 · f818872
1 parent eede08f
commit f818872
Show file tree

Hide file tree

Showing 24 changed files with 1,319 additions and 181 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,4 @@
-repositories/*
+/build
+/poky
+/meta-*/
+!meta-enapter-linux
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -6,6 +6,7 @@ variables:
   DOCKER_BUILDKIT: 1
   COMPOSE_HTTP_TIMEOUT: 600
   BUILD_STORAGE_DIR: /home/gitlab-runner
+  GIT_STRATEGY: clone
 
 Build Image:
   when: manual
@@ -18,7 +19,6 @@ Build Image:
   script:
     - set -o allexport && source configs/versions.env && set +o allexport
     - source ./bin/prepare-environments.sh
-    - ./bin/fetch-repositories.sh configs/repositories.conf
     - docker-compose -f docker-compose-buildagent.yml run --rm intel-x86-64-build
 
 Git Pull:
@@ -27,7 +27,7 @@ Git Pull:
   tags:
   - yocto
   script:
-    - ./bin/fetch-repositories.sh configs/repositories.conf
+    - echo "Done."
 
 Release:
   when: manual

diff --git a/bin/fetch-repositories.sh b/bin/fetch-repositories.sh
diff --git a/bin/git-fetch.sh b/bin/git-fetch.sh
diff --git a/bin/prepare-environments.sh b/bin/prepare-environments.sh
@@ -1,23 +1,30 @@
 # SPDX-FileCopyrightText: 2024 Enapter <[email protected]>
 # SPDX-License-Identifier: Apache-2.0
 
-export BB_ENV_PASSTHROUGH_ADDITIONS="$BB_ENV_PASSTHROUGH_ADDITIONS DISTRO_VERSION DL_DIR SSTATE_DIR TMPDIR SECURE_BOOT_SIGNING_KEY SECURE_BOOT_SIGNING_CERT SECURE_BOOT_SIGNING_CERT_DER"
-
-export SECURE_BOOT_SIGNING_CERT="/home/build/secure_boot_signing/sign.crt"
+export SECURE_BOOT_SIGNING_CERT="/home/build/secure_boot_signing/sign.pem"
 export SECURE_BOOT_SIGNING_KEY="/home/build/secure_boot_signing/sign.key"
-export SECURE_BOOT_SIGNING_CERT_DER="/home/build/secure_boot_signing/sign.cer"
+export SECURE_BOOT_SIGNING_CERT_DER="/home/build/secure_boot_signing/sign.der"
+
+export MODSIGN_SIGNING_CERT="/home/build/modules_signing/sign.pem"
+export MODSIGN_SIGNING_KEY="/home/build/modules_signing/sign.key"
+
+export RAUC_CERT="/home/build/rauc/production.pem"
+export RAUC_KEY="/home/build/rauc/production.key"
+export RAUC_KEYRING="/home/build/rauc/ca.cert.pem"
 
 if [ -z "$CI_COMMIT_TAG" ]; then
   export DISTRO_VERSION="${ENAPTER_LINUX_BASE_VERSION}-dev-${CI_PIPELINE_ID:-${CI_COMMIT_SHORT_SHA:-unknown}}"
 else
-  export DISTRO_VERSION="$CI_COMMIT_TAG"
+  export DISTRO_VERSION="${CI_COMMIT_TAG:-$CI_COMMIT_REF_SLUG}.$CI_PIPELINE_ID"
 fi
 
+export DISTRO="enapter-industrial-linux"
+
 export IMG_ARTIFACT_NAME="enapter-industrial-linux-${DISTRO_VERSION}.zip"
 export IMG_FILE_ARTIFACT_NAME="enapter-industrial-linux-${DISTRO_VERSION}.img"
 export UPDATE_ARTIFACT_NAME="enapter-industrial-linux-update-${DISTRO_VERSION}.zip"
+export RAUC_UPDATE_ARTIFACT_NAME="enapter-industrial-linux-update-${DISTRO_VERSION}.raucb"
 export VMDK_ARTIFACT_NAME="enapter-industrial-linux-${DISTRO_VERSION}.vmdk"
-
-export SSTATE_DIR=/home/build/sstate-cache
-export DL_DIR=/home/build/downloads
-export TMPDIR=/home/build/tmp
+export VEX_ARTIFACT_NAME="enapter-industrial-linux-${DISTRO_VERSION}-vex.json"
+export ROOTFS_SPDX_ARTIFACT_NAME="enapter-industrial-linux-${DISTRO_VERSION}-rootfs-spdx.zip"
+export INITRAMFS_SPDX_ARTIFACT_NAME="enapter-industrial-linux-${DISTRO_VERSION}-initrd-spdx.zip"
diff --git a/bin/upload-artifacts.sh b/bin/upload-artifacts.sh
@@ -35,9 +35,22 @@ release_id=$(echo "$create_release_response" | jq '.id')
 
 cd "$artifacts_dir"
 
-sha256sum -b "$IMG_ARTIFACT_NAME" "$UPDATE_ARTIFACT_NAME" "$VMDK_ARTIFACT_NAME" > "$sha256sums_name"
+sha256sum -b "$IMG_ARTIFACT_NAME" "$UPDATE_ARTIFACT_NAME" "$VMDK_ARTIFACT_NAME" "$RAUC_UPDATE_ARTIFACT_NAME" > "$sha256sums_name"
 
 upload_asset "$release_id" "$IMG_ARTIFACT_NAME" "$IMG_ARTIFACT_NAME"
 upload_asset "$release_id" "$UPDATE_ARTIFACT_NAME" "$UPDATE_ARTIFACT_NAME"
 upload_asset "$release_id" "$VMDK_ARTIFACT_NAME" "$VMDK_ARTIFACT_NAME"
+upload_asset "$release_id" "$RAUC_UPDATE_ARTIFACT_NAME" "$RAUC_UPDATE_ARTIFACT_NAME"
 upload_asset "$release_id" "$sha256sums_name" "$sha256sums_name"
+
+if [ -e "$VEX_ARTIFACT_NAME" ]; then
+  upload_asset "$release_id" "$VEX_ARTIFACT_NAME" "$VEX_ARTIFACT_NAME"
+fi
+
+if [ -e "$ROOTFS_SPDX_ARTIFACT_NAME" ]; then
+  upload_asset "$release_id" "$ROOTFS_SPDX_ARTIFACT_NAME" "$ROOTFS_SPDX_ARTIFACT_NAME"
+fi
+
+if [ -e "$INITRAMFS_SPDX_ARTIFACT_NAME" ]; then
+  upload_asset "$release_id" "$INITRAMFS_SPDX_ARTIFACT_NAME" "$INITRAMFS_SPDX_ARTIFACT_NAME"
+fi
diff --git a/configs/enapter-industrial-linux.yml b/configs/enapter-industrial-linux.yml
@@ -0,0 +1,88 @@
+# SPDX-FileCopyrightText: 2024 Enapter <[email protected]>
+# SPDX-License-Identifier: Apache-2.0
+
+header:
+  version: 17
+
+distro: enapter-industrial-linux
+target: enapter-industrial-linux-image
+machine: intel-corei7-64
+
+env:
+  DISTRO: null
+  DISTRO_VERSION: null
+  DL_DIR: /home/build/downloads
+  IMG_ARTIFACT_NAME: null
+  IMG_FILE_ARTIFACT_NAME: null
+  INITRAMFS_SPDX_ARTIFACT_NAME: null
+  MODSIGN_SIGNING_CERT: null
+  MODSIGN_SIGNING_KEY: null
+  NVDCVE_API_KEY: null
+  RAUC_CERT: null
+  RAUC_KEY: null
+  RAUC_KEYRING: null
+  RAUC_UPDATE_ARTIFACT_NAME: null
+  ROOTFS_SPDX_ARTIFACT_NAME: null
+  SECURE_BOOT_SIGNING_CERT: null
+  SECURE_BOOT_SIGNING_CERT_DER: null
+  SECURE_BOOT_SIGNING_KEY: null
+  SSTATE_DIR: /home/build/sstate-cache
+  TMPDIR: /home/build/tmp
+  UPDATE_ARTIFACT_NAME: null
+  VEX_ARTIFACT_NAME: null
+  VMDK_ARTIFACT_NAME: null
+
+repos:
+  meta-enapter-linux:
+    layers:
+      meta-enapter-linux:
+
+  poky:
+    url: 'git://git.yoctoproject.org/poky.git'
+    tag: 'yocto-5.0.4'
+    patches:
+      patch0:
+        repo: meta-enapter-linux
+        path: configs/patches/0001-Backport-vex.bbclass-and-dependencies.patch
+    layers:
+      meta:
+      meta-poky:
+      meta-yocto-bsp:
+
+  meta-enapter:
+    url: 'https://github.com/enapter/meta-enapter'
+    branch: 'release/3.0'
+    layers:
+      meta-enapter-core:
+
+  meta-intel:
+    url: 'git://git.yoctoproject.org/meta-intel.git'
+    commit: 'c2bc8e27e9cc83654a23e8d89525fd9b1e781eb6'
+
+  meta-openembedded:
+    url: 'git://git.openembedded.org/meta-openembedded'
+    commit: '2e3126c9c16bb3df0560f6b3896d01539a3bfad7'
+    layers:
+      meta-filesystems:
+      meta-initramfs:
+      meta-networking:
+      meta-oe:
+      meta-perl:
+      meta-python:
+      meta-webserver:
+
+  meta-rauc:
+    url: 'https://github.com/rauc/meta-rauc.git'
+    commit: '1e3e6b334defd7fbf95cb43d23975e7b3de4b520'
+
+  meta-virtualization:
+    url: 'git://git.yoctoproject.org/meta-virtualization'
+    commit: '6f3c1d8f90947408a6587be222fec575a1ca5195'
+
+local_conf_header:
+  10-base: |
+    CONF_VERSION = "2"
+    SPDX_PRETTY = "1"
+    IMAGE_FSTYPES = "wic ext4"
+    SKIP_META_VIRT_SANITY_CHECK = "1"
+    INHERIT += "rm_work vex"