
Commit cafc6da

committed
refactor: separate debug mode into a new kas configuration file
1 parent 2ca96b6 commit cafc6da

3 files changed

Lines changed: 174 additions & 13 deletions


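--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Please see below on how to check reproducible builds.
 
 To build, run this command on x86-64 Linux from the meta-secluso-os directory:
 ```chatinput
-kas build build-pi-image.yml
+kas build pi-official-image.yml
 ```
 
 The image can be found after building running this from the meta-secluso-os directory: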
Lines changed: 6 additions & 12 deletions
@@ -26,10 +26,6 @@ machine: raspberrypi0-2w-64
2626
# Selects conf/distro/secluso.conf from meta-secluso-os.
2727
distro: secluso
2828

29-
env:
30-
# Set to 1 when invoking kas to enable HDMI console + empty-root-password debug helpers in local.conf.
31-
SECLUSO_DEBUG_IMAGE: "0"
32-
3329
# We want as minimal of an image as possible to build on
3430
# We use 'secluso-image-minimal' to include our own recipes on top of core-image-minimal
3531
# Located in recipes-core/images/secluso-pi-image-minimal.bb
@@ -146,15 +142,13 @@ local_conf_header:
146142
147143
INHERIT += "buildhistory"
148144
149-
150-
# This should ONLY be used for debugging the image. Otherwise, these should be removed.
145+
# This should ONLY be used for debugging the image.
151146
# Allows debugging via HDMI cable with root user with no password.
152-
# These will only be included if SECLUSO_DEBUG_IMAGE environment varibale is 1
153-
APPEND:append = "${@' console=tty1' if d.getVar('SECLUSO_DEBUG_IMAGE') == '1' else ''}"
154-
IMAGE_INSTALL:append = "${@' util-linux' if d.getVar('SECLUSO_DEBUG_IMAGE') == '1' else ''}"
155-
USE_VT = "${@'1' if d.getVar('SECLUSO_DEBUG_IMAGE') == '1' else '0'}"
156-
RPI_EXTRA_CONFIG:append = "${@'hdmi_force_hotplug=1\\n' if d.getVar('SECLUSO_DEBUG_IMAGE') == '1' else ''}"
157-
EXTRA_IMAGE_FEATURES:append = "${@' empty-root-password' if d.getVar('SECLUSO_DEBUG_IMAGE') == '1' else ''}"
147+
APPEND += " console=tty1"
148+
IMAGE_INSTALL:append = " util-linux"
149+
USE_VT = "1"
150+
RPI_EXTRA_CONFIG += "hdmi_force_hotplug=1\n"
151+
EXTRA_IMAGE_FEATURES += "empty-root-password"
158152
159153
# Camera support (https://github.com/agherzan/meta-raspberrypi/blob/b83766291188efb956c475b09c9666c2dfe2cb69/recipes-bsp/bootfiles/rpi-config_git.bb#L223)
160154
# Support the sensors for Camera Module V1 and V2.
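Review bot: With the `SECLUSO_DEBUG_IMAGE` gate removed, every build from this file now gets `empty-root-password`, `console=tty1` and `USE_VT = "1"`, so the only remaining safeguard is which file name is passed to `kas build`. The file's path is not visible in this section; if it keeps the name the README used to document for the normal build, existing scripts would start producing a passwordless-root image with no change on their side. A file name containing "debug" and a header comment such as `# DEBUG ONLY: builds an image with an empty root password; never flash to a deployed device` would make that harder to miss. Separately, three of the new lines switch from `:append` to `+=`, which is applied at parse time in local.conf and can be lost if a later-parsed conf file assigns the variable with `=`; `EXTRA_IMAGE_FEATURES:append = " empty-root-password"` (and likewise for `APPEND` and `RPI_EXTRA_CONFIG`) would keep the previous semantics. The `local_conf_header` block starts and ends outside the hunk.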
Lines changed: 167 additions & 0 deletions
@@ -0,0 +1,167 @@
1+
# SPDX-License-Identifier: GPL-3.0-only
2+
# Copyright (C) 2026 Secluso, Inc.
3+
# Additional terms apply; see the NOTICE file in the repository root.
4+
5+
# Referenced from kas documentation [https://kas.readthedocs.io/en/latest/userguide/project-configuration.html]
6+
7+
# Every file needs to contain a header, that provides kas with information
8+
# about the context of this file.
9+
header:
10+
# The `version` entry in the header describes for which configuration
11+
# format version this file was created for. It is used by kas to figure
12+
# out if it is compatible with this file. The version is an integer that
13+
# is increased on every format change.
14+
version: 2
15+
16+
# Fingerprint obtained from https://wiki.yoctoproject.org/wiki/GPG_sign_notes_%26_git_tags
17+
# "Primary key fingerprint: 2AFB 13F2 8FBB B0D1 B9DA F630 87EB 3D32 FB63 1AD9"
18+
signers:
19+
YoctoBuildandRelease:
20+
fingerprint: 2AFB13F28FBBB0D1B9DAF63087EB3D32FB631AD9
21+
gpg_keyserver: keyserver.ubuntu.com
22+
23+
# The machine as it is written into the `local.conf` of bitbake.
24+
machine: raspberrypi0-2w-64
25+
# The distro name as it is written into the `local.conf` of bitbake.
26+
# Selects conf/distro/secluso.conf from meta-secluso-os.
27+
distro: secluso
28+
29+
# We want as minimal of an image as possible to build on
30+
# We use 'secluso-image-minimal' to include our own recipes on top of core-image-minimal
31+
# Located in recipes-core/images/secluso-pi-image-minimal.bb
32+
target: secluso-pi-image-minimal
33+
repos:
34+
# We create a layer for secluso-os.
35+
# This allows us to use our own wic/ file. Additionally, we have conf/ if we need it.
36+
secluso-os:
37+
layers:
38+
meta-secluso-os:
39+
40+
# We use bitbake, openembedded-core and meta-yocto here now instead of solely "poky"
41+
# https://git.yoctoproject.org/poky/commit/?id=453df63af0c857c24804271da7f55691d0ed27f8
42+
# The poky repository master branch is no longer being updated.
43+
# The monolithic poky source arrangement approach is no longer recommended.
44+
# Thus, the recommended approach is to use indiviudal clones of bitbake, oe-core and meta-yocto (a split approach).
45+
# Thus, we mirror this [https://docs.yoctoproject.org/dev/dev-manual/poky-manual-setup.html] in the kas configuration
46+
#
47+
# We previously also pulled meta-yocto (for meta-poky and meta-yocto-bsp).
48+
# meta-poky provided the "poky" reference distro, which we have replaced with our own conf/distro/secluso.conf.
49+
# meta-yocto-bsp provides reference BSPs (qemu*, genericx86, beaglebone-yocto) that we do not target
50+
# Our Pi BSP comes entirely from meta-raspberrypi.
51+
# So meta-yocto is no longer needed.
52+
bitbake:
53+
url: "https://git.openembedded.org/bitbake"
54+
commit: d6e45bad8e7b5bbae23307243a5e7ade147ba668 # Pinned to immutable (whinlatter) [https://git.openembedded.org/bitbake/tag/?h=yocto-5.3.3]
55+
tag: yocto-5.3.3 # We additionally specify the tag to allow the signature to be verified
56+
signed: true
57+
allowed_signers:
58+
- YoctoBuildandRelease
59+
# The "." here is the root of the repository
60+
# By disabling it, we tell kas we do not want the root added to bblayers.conf.
61+
# Otherwise, kas would treat the repo root itself as a layer.
62+
# We fetch this repo for the BitBake tool itself, not as a Yocto layer.
63+
layers:
64+
.: disabled
65+
66+
openembedded-core:
67+
url: "https://git.openembedded.org/openembedded-core"
68+
commit: d7d1e3068cb1bff9b3fcffb1f696ee7d6cd36ea4 # Pinned to immutable (whinlatter) [https://git.openembedded.org/openembedded-core/tag/?h=yocto-5.3.3]
69+
tag: yocto-5.3.3 # We additionally specify the tag to allow the signature to be verified
70+
signed: true
71+
allowed_signers:
72+
- YoctoBuildandRelease
73+
# 'meta' is the OE-core layer directory within the openembedded-core repository
74+
# It contains the core metadata / recipes that BitBake uses.
75+
# See https://git.openembedded.org/openembedded-core/tree/meta
76+
layers:
77+
meta:
78+
79+
# TODO: meta-openembedded is pinned to an immutable commit, but unlike bitbake / oe-core, this is not signer-verified in kas
80+
# So we have a fixed origin but no signer-verification for source authenticity
81+
# There seems to be no current way to achieve this for this repository.
82+
meta-openembedded:
83+
url: "https://git.openembedded.org/meta-openembedded"
84+
commit: 8bcdb0cc1dab116253b409e78fb868ced7d8397c # Pinned to immutable (whinlatter) [https://git.openembedded.org/meta-openembedded/commit/?h=whinlatter&id=8bcdb0cc1dab116253b409e78fb868ced7d8397c]
85+
layers:
86+
meta-oe:
87+
88+
# meta-networking depends on this
89+
meta-python:
90+
91+
# This is included for Wi-Fi and hotspot support
92+
meta-networking:
93+
94+
# This is included for libcamera recipe
95+
meta-multimedia:
96+
97+
# TODO: meta-raspberrypi is pinned to an immutable commit, but unlike bitbake / oe-core, this is not signer-verified in kas
98+
# So we have a fixed origin but no signer-verification for source authenticity
99+
# There seems to be no current way to achieve this for this repository.
100+
meta-raspberrypi:
101+
url: "https://git.yoctoproject.org/meta-raspberrypi"
102+
commit: 469e232c77d74cb030fe8a9af4ffe9127214a29b # Pinned to immutable (tag: whinlatter) (https://git.yoctoproject.org/meta-raspberrypi/commit/?h=whinlatter&id=469e232c77d74cb030fe8a9af4ffe9127214a29b)
103+
104+
105+
meta-onnxruntime:
106+
url: "https://github.com/NobuoTsukamoto/meta-onnxruntime"
107+
commit: bf1f613ca4cc222955a7535daa221446e4b0668e
108+
109+
110+
# these are added to the head of the local.conf file
111+
local_conf_header:
112+
secluso-os: |
113+
# This is required to download the linux-firmware-rpidistro-bcm43430 for Synaptics WiFi/BT firmware blobs.
114+
# Note that this is actually not in the LICENSE anymore from them. See https://github.com/agherzan/meta-raspberrypi/issues/1453
115+
# We will be able to remove this soon, and there is seemingly no longer a killswitch
116+
LICENSE_FLAGS_ACCEPTED = "synaptics-killswitch"
117+
118+
# meta-raspberrypi sets WKS_FILE with a weak assignment (?=), so we don't need a force override
119+
# wks is a custom configuration script used by the wic tool to define the partitioning layout
120+
# override theirs with our modified version
121+
WKS_FILE:raspberrypi0-2w-64 = "sdcard-raspberrypi.wks"
122+
123+
# Reference: https://wiki.yoctoproject.org/wiki/Reproducible_Builds
124+
# These should be default values. We re-affirm them here to be safe.
125+
BUILD_REPRODUCIBLE_BINARIES = "1"
126+
PYTHONHASHSEED = "0"
127+
PERL_HASH_SEED = "0"
128+
TZ = 'UTC'
129+
SOURCE_DATE_EPOCH = "1520598896"
130+
REPRODUCIBLE_TIMESTAMP_ROOTFS = "1520598896"
131+
132+
# We set this explicitly to 0.5.2 as that's what matches our current fork of rpicam-apps
133+
# Moreover, we have a libcaemra_0.5.2.bbappend in recipes-multimedia that overrides the SRC_URI (and SRCREV) to the Raspberry Pi patched version
134+
# Version taken from https://github.com/raspberrypi/libcamera/releases
135+
PREFERRED_VERSION_libcamera = "1:0.5.2+rpt20250903"
136+
137+
# Generate a CVE report when we create an image
138+
# TODO: Exclude kernel false positives: https://docs.yoctoproject.org/security-manual/vulnerabilities.html#linux-kernel-vulnerabilities
139+
# TODO: See discussion in https://github.com/secluso/os/issues/16
140+
INHERIT += "cve-check"
141+
require conf/distro/include/cve-extra-exclusions.inc
142+
143+
INHERIT += "buildhistory"
144+
145+
# Camera support (https://github.com/agherzan/meta-raspberrypi/blob/b83766291188efb956c475b09c9666c2dfe2cb69/recipes-bsp/bootfiles/rpi-config_git.bb#L223)
146+
# Support the sensors for Camera Module V1 and V2.
147+
# "camera_auto_detect" allows for either overlay (instead of forcing one) to be supported
148+
RPI_EXTRA_CONFIG += "\ncamera_auto_detect=1\n"
149+
VIDEO_CAMERA = "1"
150+
# ENABLE_CAMERA is legacy; not libcamera affiliated
151+
ENABLE_CAMERA = "0"
152+
ENABLE_I2C = "1"
153+
# Ensure the ov5647 & imx219 overlays are built and deployed to /boot/overlays/
154+
KERNEL_DEVICETREE:append:raspberrypi0-2w-64 = " overlays/ov5647.dtbo"
155+
KERNEL_DEVICETREE:append:raspberrypi0-2w-64 = " overlays/imx219.dtbo"
156+
157+
# Ensure the kernel modules are installed into the image. Needed to properly load in the camera into libcamera
158+
# Not all kernel-modules need to be included for proper operation.
159+
# TODO: Remove unnecesary kernel modules
160+
IMAGE_INSTALL:append = " kmod i2c-tools kernel-modules"
161+
162+
# Referenced from https://hub.mender.io/t/how-to-configure-networking-using-systemd-in-yocto-project/1097
163+
# This installs the necessary firmware to connect to WiFi. See LICENSE_FLAGS_ACCEPTED for a relevant discussion.
164+
IMAGE_INSTALL:append = " linux-firmware-rpidistro-bcm43430 "
165+
166+
# Cargo needs this or it fails to fetch dependencies
167+
FETCHCMD_wget = "/usr/bin/env wget -t 2 -T 30 --user-agent='bitbake/2.0'"
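Review bot: This new file appears to repeat the other kas configuration almost line for line (the context lines of the preceding section match it), including the `signers` fingerprint and every `commit:` pin. A later bump or key rotation applied to one file and not the other would leave the two builds on different, differently verified sources. kas supports `header: includes:`, so the debug file could shrink to an include of this one plus its own `local_conf_header` entry carrying the five debug lines. Also, `meta-onnxruntime` is fetched from a third-party GitHub repository with no `signed:` check and, unlike `meta-openembedded` and `meta-raspberrypi`, no comment recording that gap; a line such as `# TODO: pinned to an immutable commit, but not signer-verified in kas` above it would keep the three consistent.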
