* [isar-cip-core][PATCH 0/7] SWUpdate/secure boot for ARM, related recipe updates
@ 2022-07-11 19:40 Jan Kiszka
From: Jan Kiszka @ 2022-07-11 19:40 UTC
To: cip-dev; +Cc: Christian Storm, Quirin Gylstorff
Finally, this also enables 32-bit ARM for UEFI-based SWUpdate and secure
boot, analogously to ARM64. We need to update EFI Boot Guard to 0.12 and
also bump the cip-kernel-config revision for this. U-Boot is updated to
fix a security bug in its hash validation code for signed UEFI binaries.
One special patch is needed for the efibootguard plugin: mcopy from
buster does not work properly with recursive copying, and that breaks
the boot partition setup.
Jan
Jan Kiszka (7):
linux-cip: Update cip-kernel-config revision
efibootguard: Do not rely on mcopy to perform recursive copies
efibootguard: Update to release 0.12
u-boot-qemu-arm64: Update to 2022.07
u-boot-qemu-arm64: Generalize the recipe
Add support for ARM-based swupdate/secure boot image
ci: Add qemu-arm target for secure boot with swupdate
.gitlab-ci.yml | 12 ++
Kconfig | 4 +-
conf/machine/qemu-arm.conf | 5 +
conf/machine/qemu-arm64.conf | 2 +
kas/opt/efibootguard.yml | 1 +
...bootguard_0.11.bb => efibootguard_0.12.bb} | 5 +-
...efile-Drop-nostdinc-for-EFI-binaries.patch | 28 -----
...-rtc_mktime-and-mktime64-Y2038-ready.patch | 107 ------------------
recipes-bsp/u-boot/files/secure-boot.cfg | 6 -
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 6 +
.../u-boot/u-boot-qemu-arm64_2022.07.bb | 16 +++
recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb | 16 +++
...rm64_2022.04.bb => u-boot-qemu-common.inc} | 11 +-
recipes-kernel/linux/linux-cip-common.inc | 2 +-
.../wic/plugins/source/efibootguard-boot.py | 1 +
.../wic/plugins/source/efibootguard-efi.py | 7 +-
start-qemu.sh | 4 +-
wic/qemu-arm-efibootguard-secureboot.wks.in | 1 +
wic/qemu-arm-efibootguard.wks.in | 1 +
19 files changed, 80 insertions(+), 155 deletions(-)
rename recipes-bsp/efibootguard/{efibootguard_0.11.bb => efibootguard_0.12.bb} (85%)
delete mode 100644 recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
delete mode 100644 recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
delete mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg
create mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb
rename recipes-bsp/u-boot/{u-boot-qemu-arm64_2022.04.bb => u-boot-qemu-common.inc} (77%)
create mode 120000 wic/qemu-arm-efibootguard-secureboot.wks.in
create mode 120000 wic/qemu-arm-efibootguard.wks.in
--
2.35.3
* [isar-cip-core][PATCH 1/7] linux-cip: Update cip-kernel-config revision
From: Jan Kiszka <jan.kiszka@siemens.com>
Needed to use qemu-arm with UEFI secure boot / swupdate and also for
qemu-arm on 4.4 kernels.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-kernel/linux/linux-cip-common.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index c12a60f..b612efa 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -25,6 +25,6 @@ SRC_URI_append = " ${@ "git://gitlab.com/cip-project/cip-kernel/cip-kernel-confi
SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
-SRCREV_cip-kernel-config ?= "a8d04df6595344091eee2b242c3a0f5e108f966c"
+SRCREV_cip-kernel-config ?= "6509d11f52b7df71b8b2228c1bccd7913e4a33b8"
S = "${WORKDIR}/linux-cip-${PV}"
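Review bot: the SRCREV bump to 6509d11f cannot be checked from the diff; the commit message says the new cip-kernel-config revision is needed for qemu-arm with UEFI secure boot / swupdate and for qemu-arm on 4.4 kernels, but not which defconfig changes in that revision carry this, so a reviewer has to check out the revision to confirm the pin is sufficient. Naming the relevant upstream cip-kernel-config commits or the changed options in the message would make the bump auditable. Since the assignment stays `?=`, layers that override SRCREV_cip-kernel-config need to pick up at least this revision as well; a short hint to that effect would not hurt.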
--
2.35.3
* [isar-cip-core][PATCH 2/7] efibootguard: Do not rely on mcopy to perform recursive copies
From: Jan Kiszka <jan.kiszka@siemens.com>
This is broken for old buster on ARM (or over qemu-user for ARM).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
scripts/lib/wic/plugins/source/efibootguard-efi.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index e1411cb..140b734 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -98,7 +98,11 @@ class EfibootguardEFIPlugin(SourcePlugin):
(part.label.upper(), efi_part_image, blocks)
exec_cmd(dosfs_cmd)
- mcopy_cmd = "mcopy -v -i %s -s %s/* ::/" % \
+ # mtools for buster have problems with resursive mcopy.
+ # Therefore, create the target dir via mmd first.
+ mmd_cmd = "mmd -i %s ::/EFI ::/EFI/BOOT" % (efi_part_image)
+ exec_cmd(mmd_cmd, True)
+ mcopy_cmd = "mcopy -v -i %s -s %s/EFI/BOOT/* ::/EFI/BOOT" % \
(efi_part_image, part_rootfs_dir)
exec_cmd(mcopy_cmd, True)
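Review bot: the rewritten mcopy copies only `%s/EFI/BOOT/*`, whereas the replaced line copied `%s/*`, so any file the partition rootfs dir holds outside EFI/BOOT is now silently left out of the image instead of failing the build. If EFI/BOOT is by design the only content this plugin places there, state that in the new comment; otherwise iterate over the top-level entries and mmd/mcopy each one. Two small things in the same hunk: `resursive` in the comment should read `recursive`, and `mmd -i %s ::/EFI ::/EFI/BOOT` only succeeds on a freshly formatted image (mmd refuses to create an existing directory), so the call must keep its position directly after `exec_cmd(dosfs_cmd)`.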
--
2.35.3
* [isar-cip-core][PATCH 3/7] efibootguard: Update to release 0.12
From: Jan Kiszka <jan.kiszka@siemens.com>
Allows us to drop our patch. And it's the precondition to add ARM support.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...bootguard_0.11.bb => efibootguard_0.12.bb} | 5 ++--
...efile-Drop-nostdinc-for-EFI-binaries.patch | 28 -------------------
2 files changed, 2 insertions(+), 31 deletions(-)
rename recipes-bsp/efibootguard/{efibootguard_0.11.bb => efibootguard_0.12.bb} (85%)
delete mode 100644 recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
diff --git a/recipes-bsp/efibootguard/efibootguard_0.11.bb b/recipes-bsp/efibootguard/efibootguard_0.12.bb
similarity index 85%
rename from recipes-bsp/efibootguard/efibootguard_0.11.bb
rename to recipes-bsp/efibootguard/efibootguard_0.12.bb
index ef6cd9c..88dc2ed 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.11.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.12.bb
@@ -19,15 +19,14 @@ MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>"
SRC_URI = " \
https://github.com/siemens/efibootguard/archive/refs/tags/v${PV}.tar.gz;downloadfilename=efitbootguard-v${PV}.tar.gz \
file://debian \
- file://0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch \
"
-SRC_URI[sha256sum] = "12bd84ff63a34bef56e489b48d4f97955aa4d864eeff9ea2dea1d24a286d8ebe"
+SRC_URI[sha256sum] = "fd670f7a60a605c68ed411a9ab83ac680fbc9a9b5a8fd7b417c049f6cba5b6dc"
PROVIDES = "${PN}"
PROVIDES += "${PN}-dev"
DEPENDS = "python3-shtab"
-BUILD_DEB_DEPENDS = "dh-exec,gnu-efi,libpci-dev,check,pkg-config,python3-shtab"
+BUILD_DEB_DEPENDS = "dh-exec,autoconf-archive,gnu-efi,libpci-dev,check,pkg-config,python3-shtab"
BUILD_DEB_DEPENDS_append_amd64 = ",libc6-dev-i386"
BUILD_DEB_DEPENDS_append_i386 = ",libc6-dev-i386"
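Review bot: BUILD_DEB_DEPENDS gains `autoconf-archive`, but the commit message only covers dropping the -nostdinc patch; one sentence on why the 0.12 build now needs that package would save the next reader a trip to the upstream tree. Also visible in the context line: `downloadfilename=efitbootguard-v${PV}.tar.gz` carries a typo (`efitbootguard`); the fetcher does not care, but since the SRC_URI block is being touched anyway, this is the moment to fix it. The new sha256sum should be cross-checked against the checksum of the published v0.12 tag archive rather than taken from the patch as-is.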
diff --git a/recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch b/recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
deleted file mode 100644
index 8cc1654..0000000
--- a/recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From daf4cb61bec56dac628be83b95a7072c184eabcd Mon Sep 17 00:00:00 2001
-From: Jan Kiszka <jan.kiszka@siemens.com>
-Date: Wed, 4 May 2022 11:52:53 +0200
-Subject: [PATCH] Makefile: Drop -nostdinc for EFI binaries
-
-Not needed, also systemd-boot does not use it, and it actually triggers
-a build failure on Debian 10, possibly on other distros as well.
-
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
----
- Makefile.am | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index f0daa15..7398b85 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -191,7 +191,6 @@ efi_cflags = \
- -Wall \
- -Wextra \
- -std=gnu99 \
-- -nostdinc \
- -ggdb -O0 \
- -fpic \
- -fshort-wchar \
---
-2.34.1
-
--
2.35.3
* [isar-cip-core][PATCH 4/7] u-boot-qemu-arm64: Update to 2022.07
From: Jan Kiszka <jan.kiszka@siemens.com>
This is required because of a critical fix in that release to actually
validate hashes of UEFI signatures. And it allows us to drop our patch.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...-rtc_mktime-and-mktime64-Y2038-ready.patch | 107 ------------------
...022.04.bb => u-boot-qemu-arm64_2022.07.bb} | 3 +-
2 files changed, 1 insertion(+), 109 deletions(-)
delete mode 100644 recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
rename recipes-bsp/u-boot/{u-boot-qemu-arm64_2022.04.bb => u-boot-qemu-arm64_2022.07.bb} (87%)
diff --git a/recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch b/recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
deleted file mode 100644
index b2ff705..0000000
--- a/recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 8b990a06685678abd8dbc8be86c27bf3e94e3694 Mon Sep 17 00:00:00 2001
-From: Jan Kiszka <jan.kiszka@siemens.com>
-Date: Sun, 24 Apr 2022 11:24:54 +0200
-Subject: [PATCH] lib/date: Make rtc_mktime and mktime64 Y2038-ready
-
-We currently overflow due to wrong types used internally in rtc_mktime,
-on all platforms, and we return a too small type on 32-bit.
-
-One consumer that directly benefits from this is mktime64. Many others
-may still store the result in a wrong type.
-
-While at it, drop the redundant cast of mon in rtc_mktime (obsoleted by
-714209832db1).
-
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
----
- include/linux/time.h | 3 ---
- include/rtc.h | 8 +++++---
- lib/date.c | 13 +++++--------
- 3 files changed, 10 insertions(+), 14 deletions(-)
-
-diff --git a/include/linux/time.h b/include/linux/time.h
-index 702dd276aea..14ff5b6f481 100644
---- a/include/linux/time.h
-+++ b/include/linux/time.h
-@@ -152,9 +152,6 @@ _DEFUN (ctime_r, (tim_p, result),
- return asctime_r (localtime_r (tim_p, &tm), result);
- }
-
--/* for compatibility with linux code */
--typedef __s64 time64_t;
--
- #ifdef CONFIG_LIB_DATE
- time64_t mktime64(const unsigned int year, const unsigned int mon,
- const unsigned int day, const unsigned int hour,
-diff --git a/include/rtc.h b/include/rtc.h
-index 6c7fcadd488..10104e3bf5a 100644
---- a/include/rtc.h
-+++ b/include/rtc.h
-@@ -16,6 +16,8 @@
- #include <bcd.h>
- #include <rtc_def.h>
-
-+typedef int64_t time64_t;
-+
- #ifdef CONFIG_DM_RTC
-
- struct udevice;
-@@ -301,7 +303,7 @@ int rtc_calc_weekday(struct rtc_time *time);
- void rtc_to_tm(u64 time_t, struct rtc_time *time);
-
- /**
-- * rtc_mktime() - Convert a broken-out time into a time_t value
-+ * rtc_mktime() - Convert a broken-out time into a time64_t value
- *
- * The following fields need to be valid for this function to work:
- * tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year
-@@ -309,9 +311,9 @@ void rtc_to_tm(u64 time_t, struct rtc_time *time);
- * Note that tm_wday and tm_yday are ignored.
- *
- * @time: Broken-out time to convert
-- * Return: corresponding time_t value, seconds since 1970-01-01 00:00:00
-+ * Return: corresponding time64_t value, seconds since 1970-01-01 00:00:00
- */
--unsigned long rtc_mktime(const struct rtc_time *time);
-+time64_t rtc_mktime(const struct rtc_time *time);
-
- /**
- * rtc_month_days() - The number of days in the month
-diff --git a/lib/date.c b/lib/date.c
-index c589d9ed3a2..e3d22459cd0 100644
---- a/lib/date.c
-+++ b/lib/date.c
-@@ -71,19 +71,16 @@ int rtc_calc_weekday(struct rtc_time *tm)
- * -year / 100 + year / 400 terms, and add 10.]
- *
- * This algorithm was first published by Gauss (I think).
-- *
-- * WARNING: this function will overflow on 2106-02-07 06:28:16 on
-- * machines where long is 32-bit! (However, as time_t is signed, we
-- * will already get problems at other places on 2038-01-19 03:14:08)
- */
--unsigned long rtc_mktime(const struct rtc_time *tm)
-+time64_t rtc_mktime(const struct rtc_time *tm)
- {
- int mon = tm->tm_mon;
- int year = tm->tm_year;
-- int days, hours;
-+ unsigned long days;
-+ time64_t hours;
-
- mon -= 2;
-- if (0 >= (int)mon) { /* 1..12 -> 11, 12, 1..10 */
-+ if (0 >= mon) { /* 1..12 -> 11, 12, 1..10 */
- mon += 12; /* Puts Feb last since it has leap day */
- year -= 1;
- }
-@@ -109,5 +106,5 @@ time64_t mktime64(const unsigned int year, const unsigned int mon,
- time.tm_min = min;
- time.tm_sec = sec;
-
-- return (time64_t)rtc_mktime((const struct rtc_time *)&time);
-+ return rtc_mktime((const struct rtc_time *)&time);
- }
---
-2.34.1
-
diff --git a/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb b/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
similarity index 87%
rename from recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb
rename to recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
index b026dd6..465be40 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb
+++ b/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
@@ -13,9 +13,8 @@ require recipes-bsp/u-boot/u-boot-custom.inc
SRC_URI += " \
https://ftp.denx.de/pub/u-boot/u-boot-${PV}.tar.bz2 \
- file://0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch \
file://rules.tmpl;subdir=debian"
-SRC_URI[sha256sum] = "68e065413926778e276ec3abd28bb32fa82abaa4a6898d570c1f48fbdb08bcd0"
+SRC_URI[sha256sum] = "92b08eb49c24da14c1adbf70a71ae8f37cc53eeb4230e859ad8b6733d13dcf5e"
SRC_URI_append_secureboot = " \
file://secure-boot.cfg"
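Review bot: the 2022.07 bump drops the Y2038 rtc_mktime patch and swaps the tarball sha256sum, but the commit message justifying it ("critical fix ... to actually validate hashes of UEFI signatures") names neither the upstream U-Boot commit for that fix nor the one that merged the Y2038 change, so neither claim can be verified from the diff. Please reference both in the commit message (commit ids or the release announcement); the signature hash validation fix is the security-relevant part of this series and the thing anyone auditing the secure boot chain of these images will look for. As with the efibootguard bump, the new checksum should be compared with the published u-boot-2022.07.tar.bz2 sum before merging.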
--
2.35.3
* [isar-cip-core][PATCH 5/7] u-boot-qemu-arm64: Generalize the recipe
From: Jan Kiszka <jan.kiszka@siemens.com>
This will allow reusing it for 32-bit ARM.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
conf/machine/qemu-arm64.conf | 2 ++
recipes-bsp/u-boot/files/secure-boot.cfg | 6 ----
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 6 ++++
.../u-boot/u-boot-qemu-arm64_2022.07.bb | 33 ++-----------------
...rm64_2022.07.bb => u-boot-qemu-common.inc} | 8 +++--
5 files changed, 15 insertions(+), 40 deletions(-)
delete mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg
create mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
copy recipes-bsp/u-boot/{u-boot-qemu-arm64_2022.07.bb => u-boot-qemu-common.inc} (84%)
diff --git a/conf/machine/qemu-arm64.conf b/conf/machine/qemu-arm64.conf
index b5c1e1c..7f42369 100644
--- a/conf/machine/qemu-arm64.conf
+++ b/conf/machine/qemu-arm64.conf
@@ -14,3 +14,5 @@ KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/qemu_ar
# for SWUpdate setups: watchdog is configured in U-Boot
WDOG_TIMEOUT = "0"
+
+PREFERRED_PROVIDER_u-boot-${MACHINE} = "u-boot-qemu-arm64"
diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg b/recipes-bsp/u-boot/files/secure-boot.cfg
deleted file mode 100644
index a1b9931..0000000
--- a/recipes-bsp/u-boot/files/secure-boot.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-### Secure boot config
-CONFIG_BOOTDELAY=-2
-CONFIG_USE_BOOTCOMMAND=y
-CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/bootaa64.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/bootaa64.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
-CONFIG_EFI_VARIABLES_PRESEED=y
-CONFIG_EFI_SECURE_BOOT=y
diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
new file mode 100644
index 0000000..956dcbf
--- /dev/null
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -0,0 +1,6 @@
+### Secure boot config
+CONFIG_BOOTDELAY=-2
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_EFI_SECURE_BOOT=y
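Review bot: secure-boot.cfg.tmpl uses `${EFI_ARCH}` for the build-time substitution and `${devtype}`, `${devnum}`, `${distro_bootpart}`, `${kernel_addr_r}` and `${fdtcontroladdr}` as U-Boot runtime variables in the very same `${...}` syntax. That is only safe as long as the template step substitutes exactly the names listed in TEMPLATE_VARS (just `EFI_ARCH` after this series) and leaves unknown names untouched; a comment at the top of the file saying so, or a check that the rendered file still contains `${devtype}`, would stop a later TEMPLATE_VARS addition from silently mangling the boot command of a secure boot image. Worth spelling out in the same comment that `CONFIG_BOOTDELAY=-2` is deliberate: it disables the autoboot abort, so there is no interactive U-Boot shell on these images, and the fallback on failure is `sleep 1000; reset` rather than a prompt.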
diff --git a/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb b/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
index 465be40..29ca0a5 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
+++ b/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
@@ -9,37 +9,8 @@
# SPDX-License-Identifier: MIT
#
-require recipes-bsp/u-boot/u-boot-custom.inc
-
-SRC_URI += " \
- https://ftp.denx.de/pub/u-boot/u-boot-${PV}.tar.bz2 \
- file://rules.tmpl;subdir=debian"
-SRC_URI[sha256sum] = "92b08eb49c24da14c1adbf70a71ae8f37cc53eeb4230e859ad8b6733d13dcf5e"
-
-SRC_URI_append_secureboot = " \
- file://secure-boot.cfg"
-
-S = "${WORKDIR}/u-boot-${PV}"
-
-DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:arm64"
-
-DEBIAN_BUILD_DEPENDS_append_secureboot = ", \
- openssl, pesign, secure-boot-secrets, python3-openssl:native"
-DEPENDS_append_secureboot = " secure-boot-secrets"
+require u-boot-qemu-common.inc
U_BOOT_CONFIG = "qemu_arm64_defconfig"
-U_BOOT_BIN = "u-boot.bin"
-
-do_prepare_build_append_secureboot() {
- sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
- cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
-}
-
-do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
-do_deploy() {
- dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
- tar xOf - "./usr/lib/u-boot/${MACHINE}/${U_BOOT_BIN}" \
- > "${DEPLOY_DIR_IMAGE}/firmware.bin"
-}
-addtask deploy after do_dpkg_build before do_deploy_deb
+EFI_ARCH = "aa64"
diff --git a/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb b/recipes-bsp/u-boot/u-boot-qemu-common.inc
similarity index 84%
copy from recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
copy to recipes-bsp/u-boot/u-boot-qemu-common.inc
index 465be40..2bb9ac0 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-arm64_2022.07.bb
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -17,19 +17,21 @@ SRC_URI += " \
SRC_URI[sha256sum] = "92b08eb49c24da14c1adbf70a71ae8f37cc53eeb4230e859ad8b6733d13dcf5e"
SRC_URI_append_secureboot = " \
- file://secure-boot.cfg"
+ file://secure-boot.cfg.tmpl"
S = "${WORKDIR}/u-boot-${PV}"
-DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:arm64"
+DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}"
DEBIAN_BUILD_DEPENDS_append_secureboot = ", \
openssl, pesign, secure-boot-secrets, python3-openssl:native"
DEPENDS_append_secureboot = " secure-boot-secrets"
-U_BOOT_CONFIG = "qemu_arm64_defconfig"
U_BOOT_BIN = "u-boot.bin"
+TEMPLATE_FILES_append_secureboot = " secure-boot.cfg.tmpl"
+TEMPLATE_VARS_append_secureboot = " EFI_ARCH"
+
do_prepare_build_append_secureboot() {
sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
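Review bot: SRC_URI now fetches `secure-boot.cfg.tmpl`, yet do_prepare_build_append_secureboot still cats `${WORKDIR}/secure-boot.cfg`, so correctness depends on the template step writing the rendered file under the name without `.tmpl` before do_prepare_build runs; a one-line comment above the `cat` would document that dependency for the next person who renames the file. The `sed -ni '/### Secure boot config/q;p'` truncation keeps re-runs idempotent only while the marker line in the template stays exactly `### Secure boot config`; factoring the marker into a variable used in both places would remove that coupling. Replacing the hardcoded `libssl-dev:arm64` with `libssl-dev:${DISTRO_ARCH}` is the right fix for sharing the include.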
--
2.35.3
* [isar-cip-core][PATCH 6/7] Add support for ARM-based swupdate/secure boot image
From: Jan Kiszka <jan.kiszka@siemens.com>
Everything is now lined up so that enabling this is almost trivial,
reusing what is there for qemu-arm64.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
Kconfig | 4 ++--
conf/machine/qemu-arm.conf | 5 +++++
kas/opt/efibootguard.yml | 1 +
recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb | 16 ++++++++++++++++
.../lib/wic/plugins/source/efibootguard-boot.py | 1 +
.../lib/wic/plugins/source/efibootguard-efi.py | 1 +
start-qemu.sh | 4 ++--
wic/qemu-arm-efibootguard-secureboot.wks.in | 1 +
wic/qemu-arm-efibootguard.wks.in | 1 +
9 files changed, 30 insertions(+), 4 deletions(-)
create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb
create mode 120000 wic/qemu-arm-efibootguard-secureboot.wks.in
create mode 120000 wic/qemu-arm-efibootguard.wks.in
diff --git a/Kconfig b/Kconfig
index 9c89008..c63000b 100644
--- a/Kconfig
+++ b/Kconfig
@@ -132,11 +132,11 @@ if IMAGE_FLASH && !KERNEL_4_4 && !KERNEL_4_19
config IMAGE_SWUPDATE
bool "SWUpdate support for root partition"
- depends on TARGET_QEMU_AMD64 || TARGET_SIMATIC_IPC227E || TARGET_QEMU_ARM64
+ depends on TARGET_QEMU_AMD64 || TARGET_SIMATIC_IPC227E || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
config IMAGE_SECURE_BOOT
bool "Secure boot support"
- depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64
+ depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM
select IMAGE_SWUPDATE
config KAS_INCLUDE_SWUPDATE_SECBOOT
diff --git a/conf/machine/qemu-arm.conf b/conf/machine/qemu-arm.conf
index 1937c4c..aa3a6b4 100644
--- a/conf/machine/qemu-arm.conf
+++ b/conf/machine/qemu-arm.conf
@@ -12,3 +12,8 @@ DISTRO_ARCH = "armhf"
IMAGE_FSTYPES ?= "ext4"
USE_CIP_KERNEL_CONFIG = "1"
KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm/qemu_arm_defconfig"
+
+# for SWUpdate setups: watchdog is configured in U-Boot
+WDOG_TIMEOUT = "0"
+
+PREFERRED_PROVIDER_u-boot-${MACHINE} = "u-boot-qemu-arm"
diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index 4282932..cee9c78 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -36,3 +36,4 @@ local_conf_header:
DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf"
# Add U-Boot for qemu
IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64"
+ IMAGER_BUILD_DEPS_append_qemu-arm += "u-boot-qemu-arm"
diff --git a/recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb b/recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb
new file mode 100644
index 0000000..cdad19a
--- /dev/null
+++ b/recipes-bsp/u-boot/u-boot-qemu-arm_2022.07.bb
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require u-boot-qemu-common.inc
+
+U_BOOT_CONFIG = "qemu_arm_defconfig"
+
+EFI_ARCH = "arm"
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 4b7fa8d..f9b232b 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -184,6 +184,7 @@ class EfibootguardBootPlugin(SourcePlugin):
distro_to_efi_arch = {
"amd64": "x64",
"arm64": "aa64",
+ "armhf": "arm",
"i386": "ia32"
}
rootfs_path = rootfs_dir.get('ROOTFS_DIR')
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 140b734..a754ee1 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -55,6 +55,7 @@ class EfibootguardEFIPlugin(SourcePlugin):
distro_to_efi_arch = {
"amd64": "x64",
"arm64": "aa64",
+ "armhf": "arm",
"i386": "ia32"
}
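Review bot: the `distro_to_efi_arch` table is now maintained in two plugins (efibootguard-boot.py and efibootguard-efi.py), and the same mapping is hardcoded a third time as `EFI_ARCH` in the u-boot-qemu-arm and u-boot-qemu-arm64 recipes; having to add `"armhf": "arm"` in two places within one patch already shows the drift risk. A single shared definition (one module imported by both plugins, with the recipes deriving EFI_ARCH from DISTRO_ARCH the same way) would keep the name of the signed bootloader that wic writes and the name U-Boot searches for (`efi/boot/boot${EFI_ARCH}.efi`) from ever disagreeing; on a secure boot image such a mismatch shows up only as a boot failure.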
diff --git a/start-qemu.sh b/start-qemu.sh
index f7ca87f..bcc7a51 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -145,8 +145,8 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_COMMON_OPTIONS} "$@"
fi
;;
- arm64|aarch64)
- u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-arm64/firmware.bin}
+ arm64|aarch64|arm|armhf)
+ u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/firmware.bin}
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
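Review bot: the new firmware path is built from `${QEMU_ARCH}` directly (`qemu-${QEMU_ARCH}/firmware.bin`) while the case arm accepts `arm64|aarch64|arm|armhf`; unless QEMU_ARCH is normalized to `arm64`/`arm` before this case, `aarch64` and `armhf` resolve to `qemu-aarch64/` and `qemu-armhf/` deploy directories that the series never creates, and the previous hardcoded `qemu-arm64` path did handle `aarch64` correctly. Either map the aliases to the machine name inside this arm or restrict the pattern to the canonical names, and let the script fail with a clear message when the firmware file is missing rather than handing QEMU a non-existent `-bios`.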
diff --git a/wic/qemu-arm-efibootguard-secureboot.wks.in b/wic/qemu-arm-efibootguard-secureboot.wks.in
new file mode 120000
index 0000000..c6ac32f
--- /dev/null
+++ b/wic/qemu-arm-efibootguard-secureboot.wks.in
@@ -0,0 +1 @@
+qemu-arm64-efibootguard-secureboot.wks.in
\ No newline at end of file
diff --git a/wic/qemu-arm-efibootguard.wks.in b/wic/qemu-arm-efibootguard.wks.in
new file mode 120000
index 0000000..9cb5f0e
--- /dev/null
+++ b/wic/qemu-arm-efibootguard.wks.in
@@ -0,0 +1 @@
+qemu-arm64-efibootguard.wks.in
\ No newline at end of file
--
2.35.3
* [isar-cip-core][PATCH 7/7] ci: Add qemu-arm target for secure boot with swupdate
From: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.gitlab-ci.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b1a4dc0..3d39d1f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -230,6 +230,18 @@ build:qemu-arm64-secure-boot:
targz: disable
deploy: disable
+# secure boot images arm
+build:qemu-arm-secure-boot:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-arm
+ extension: ebg-secure-boot-snakeoil
+ use_rt: disable
+ wic_targz: disable
+ targz: disable
+ deploy: disable
+
# buster images
build:simatic-ipc227e-buster:
extends:
--
2.35.3