[next] Implement foundational changes for NILRT Device Encryption

conf/machine/x64.conf

@@ -10,6 +10,8 @@ DEFAULTTUNE ?= "core2-64"
 require conf/machine/include/x86/tune-core2.inc
 require conf/machine/include/x86/x86-base.inc
 
+MACHINE_FEATURES:append = " tpm2"
+
 XSERVER = "\
 	${XSERVER_X86_BASE} \
 	${XSERVER_X86_EXT} \

docs/example.bb

@@ -0,0 +1,69 @@
+SUMMARY = "foobar - The example project"
+DESCRIPTION = "\
+foobar is an example project, used when you need to communicate concepts to \
+developers."
+HOMEPAGE = "https://github.com/ni/meta-nilrt"
+SECTION = "test"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+
+# ==============================================================================
+# RECIPE VARIABLES
+# ==============================================================================
+
+# If the recipe sources are entirely within OE, we can set the package version
+# to match the DISTRO_VERSION.
+# PV = "${DISTRO_VERSION}"
+
+
+# ==============================================================================
+# SOURCE VARIABLES
+# ==============================================================================
+
+SRC_URI = "\
+	file://foo-file.1 \
+	file://foo-file.2 \
+	file://foo.initd \
+"
+
+S = "${UNPACKDIR}"
+
+
+# ==============================================================================
+# BBCLASSES
+# ==============================================================================
+
+# UPDATE-RC.D
+inherit update-rc.d
+INITSCRIPT_PARAMS = "default"
+INITSCRIPT = "foo"
+
+
+# ==============================================================================
+# TASKS
+# ==============================================================================
+
+pkglibdir = "${libdir}/${BPN}"
+
+do_install () {
+	install -d ${D}${sysconfdir}/init.d
+	install foo.initd ${D}${sysconfdir}/init.d/foo
+
+	install -d ${D}${pkglibdir}
+	install --mode=0755 foo-file.1 ${D}${pkglibdir}/foo-file.1
+	install --mode=0744 foo-file.2 ${D}${pkglibdir}/foo-file.2
+}
+
+
+# ==============================================================================
+# PACKAGING
+# ==============================================================================
+# FOO
+RDEPENDS:${PN} = "bash"
+
+
+# ==============================================================================
+# CLASS EXTENSIONS
+# ==============================================================================
+# BBCLASSEXTEND = "native"

docs/styleguide.md

@@ -138,61 +138,3 @@ At a minimum, you should add an additional message trailer declaring the [upstre
 #### .patch file names
 
 When bitbake applies `.patch` files to a recipe, it copies all `.patch` files into the recipe's workspace, then applies them in alphanumeric-order. In your PR, be mindful of how your `.patch` file is ordered versus the other files in the recipe. Keep in mind that some `.patch` files might come from other layers.
-
-
-# Example Recipe
-This is an example recipe for a package whose source is contained in the meta-nilrt layer.
-
-`.../foobar/`
-```
-foobar/
-|-  files/
-|   |- foo-file.1
-|   |- foo-file.2
-|   \- foo.initd
-\-  foobar.bb
-```
-----
-`.../foobar/foobar.bb`
-```
-SUMMARY = "foobar - The example project"
-DESCRIPTION = "\
-foobar is an example project, used when you need to communicate concepts to \
-developers."
-HOMEPAGE = "https://github.com/ni/meta-nilrt"
-SECTION = "test"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
-
-
-PV = "1.0"
-
-
-SRC_URI = "\
-	file://foo-file.1 \
-	file://foo-file.2 \
-	file://foo.initd \
-"
-
-S = "${UNPACKDIR}"
-
-
-inherit update-rc.d
-INITSCRIPT_PARAMS = "default"
-INITSCRIPT = "foo"
-
-
-prefix_lib=${libdir}/${BPN}
-
-do_install () {
-	install -d ${D}${sysconfdir}/init.d
-	install foo.initd ${D}${sysconfdir}/init.d/foo
-
-	install -d ${D}${prefix_lib}
-	install --mode=0755 foo-file.1 ${D}${prefix_lib}/foo-file.1
-	install --mode=0744 foo-file.2 ${D}${prefix_lib}/foo-file.2
-}
-
-
-RDEPENDS:${PN} = "bash"
-```

files/group

@@ -6,6 +6,7 @@ ni:x:500:
 openvpn:x:499:
 niwscerts:x:498:
 # free space
+clevis:x:405:
 krill:x:404:
 xrdp:x:403:
 arpwatch:x:402:

files/passwd

@@ -6,6 +6,7 @@ webserv:x:501::::
 lvuser:x:500::::
 openvpn:x:499::::
 # free space
+clevis:x:405::::
 krill:x:404::::
 xrdp:x:403::::
 arpwatch:x:402::::

recipes-bsp/grub/grub-efi_2.%.bbappend

@@ -1,12 +1,37 @@
 require grub-nilrt.inc
 
-GRUB_BUILDIN += "smbios chain multiboot efi_uga font gfxterm gfxmenu terminal \
-                minicmd iorw echo reboot terminfo loopback memdisk tar help serial \
-                ls search_fs_uuid udf btrfs ntfs reiserfs xfs lvm ata \
-                regexp probe"
-
-# Downstream NI-branch code quality is not yet ready to build with -Werror
-CFLAGS:append = " -Wno-error"
+GRUB_BUILDIN:append = " \
+    ata \
+    btrfs \
+    chain \
+    echo \
+    efi_uga \
+    font \
+    gfxmenu \
+    gfxterm \
+    help \
+    iorw \
+    loopback \
+    ls \
+    lvm \
+    memdisk \
+    minicmd \
+    multiboot \
+    ntfs \
+    probe \
+    reboot \
+    regexp \
+    reiserfs \
+    search_fs_uuid \
+    serial \
+    smbios \
+    tar \
+    terminal \
+    terminfo \
+    tpm \
+    udf \
+    xfs \
+"
 
 PACKAGES:prepend = "${PN}-nilrt "
 
@@ -17,10 +42,13 @@ do_install:append:class-target() {
     # unchanged so that we may use it with USB provisioning tool
     # and other removable storage.
     (
-    cd "${B}"
-    grub-mkimage -p /efi/nilrt -d ./grub-core/ \
-                 -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE_PREFIX}nilrt-${GRUB_IMAGE} \
-                 ${GRUB_BUILDIN}
+        cd "${B}"
+        grub-mkimage \
+            --prefix=/efi/nilrt \
+            --directory=./grub-core/ \
+            --format=${GRUB_TARGET}-efi \
+            --output=./${GRUB_IMAGE_PREFIX}nilrt-${GRUB_IMAGE} \
+            ${GRUB_BUILDIN}
     )
 
     # Install NILRT grub image

recipes-bsp/grub/grub-nilrt.inc

@@ -4,7 +4,6 @@ SRC_URI += "\
 	file://cmd-test-Add-bitwise-AND-document-the-feature.patch \
 	file://grub-advertise-NI-NILRT-over-GNU-GRUB.patch \
 	file://add-inbit-command-to-io-module.patch \
-	file://grub.cfg \
 	file://cfg \
 	file://grub.d \
 "

recipes-bsp/grub/grub/grub-runmode-bootimage.cfg

@@ -2,6 +2,7 @@
 
 set consoleparam='console=tty0 console=ttyS0,115200n8'
 set kernel_path='/runmode/bzImage'
+set ramdisk_path='/runmode/ramdisk.xz'
 
 set otherbootargs="rootwait rw usbcore.usbfs_memory_mb=0 consoleblank=0 rcu_nocbs=all ibt=off "
 

recipes-bsp/grub/grub/grub-safemode.cfg

@@ -41,6 +41,7 @@ set sys_reset=false
 set system_manufacturer=""
 set smbios_bootmode=0
 set smbios_tablelen=0
+set measure_on=true
 
 # Set the root variable to NI's bootfs partition
 search --set root --label nibootfs
@@ -125,30 +126,33 @@ function setterminal {
 }
 
 function check_valid_os {
-	#safemode
-	for file in $safemode_files
-	do
-		if [ ! -f /.safe/$file ]; then
-			set valid_safemode=0
-			break
-		fi
-	done
-
-	#runmode
-	for file in $runmode_files
-	do
-		if [ ! -f /runmode/$file ]; then
-			set valid_runmode=0
-			break
-		fi
-	done
+	# Safemode
+	if [ ! -d /.safe ]; then
+		set valid_safemode=0
+	else
+		for file in $safemode_files
+		do
+			if [ ! -f /.safe/$file ]; then
+				set valid_safemode=0
+				break
+			fi
+		done
+	fi
 
-	if [ $valid_safemode = 0 -a $valid_runmode = 0 ]; then
-		set fail_state=1
+	# Runmode
+	if [ ! -d /runmode ]; then
+		set valid_runmode=0
+	else
+		for file in $runmode_files
+		do
+			if [ ! -f /runmode/$file ]; then
+				set valid_runmode=0
+				break
+			fi
+		done
 	fi
 
-	# rootuuid is only generated at system provision - treat missing value as requiring recovery
-	if [ "$rootuuid" = "" ]; then
+	if [ $valid_safemode = 0 -a $valid_runmode = 0 ]; then
 		set fail_state=1
 	fi
 }
@@ -165,7 +169,15 @@ function boot_runmode {
 	setconsoleparam
 	setusbgadgetparam
 
-	linux $kernel_path root=PARTUUID=$rootuuid $otherbootargs $usb_gadget_args $kernellogparam $consoleparam $othbootargs sys_reset=$sys_reset
+	if [ -n "$ramdisk_path" ]; then
+		echo 'Loading Linux ...'
+		linux $kernel_path $otherbootargs $usb_gadget_args $kernellogparam $consoleparam $othbootargs sys_reset=$sys_reset
+		echo 'Loading initial ramdisk ...'
+		initrd $ramdisk_path
+	else
+		echo 'Loading Linux ...'
+		linux $kernel_path root=PARTUUID=$rootuuid $otherbootargs $usb_gadget_args $kernellogparam $consoleparam $othbootargs sys_reset=$sys_reset
+	fi
 }
 
 function boot_safemode {
@@ -180,7 +192,9 @@ function boot_safemode {
 	setconsoleparam
 	setusbgadgetparam
 
+	echo 'Loading Linux ...'
 	linux $kernel_path $rootfs_path $otherbootargs $usb_gadget_args $kernellogparam $consoleparam $othbootargs sys_reset=$sys_reset
+	echo 'Loading safemode ramdisk ...'
 	initrd $ramdisk_path
 }