22 files changed, 11 insertions, 808 deletions

diff --git a/README b/README
index 8c0ebff..5ae8533 100644
--- a/README
+++ b/README
@@ -16,6 +16,8 @@ This layer depends on:
   layers: meta
   branch: master
 
+This layer also provides the support for the stable branches actively
+maintained by Yocto Project. Please check [this page](https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance) for them.
 
 Patches
 =======
@@ -23,7 +25,7 @@ Patches
 Please submit any patches against the meta-secure-core layer to the
 maintainer:
 
-Maintainer: Jia Zhang <lans.zhang2008@gmail.com>
+Maintainer: Jia Zhang <zhang.jia@linux.alibaba.com>
 
 
 Table of Contents
diff --git a/meta-efi-secure-boot/conf/layer.conf b/meta-efi-secure-boot/conf/layer.conf
index 7d69fea..167ca22 100644
--- a/meta-efi-secure-boot/conf/layer.conf
+++ b/meta-efi-secure-boot/conf/layer.conf
@@ -19,4 +19,4 @@ LAYERDEPENDS_efi-secure-boot = "\
     perl-layer \
 "
 
-LAYERSERIES_COMPAT_efi-secure-boot = "rocko sumo"
+LAYERSERIES_COMPAT_efi-secure-boot = "sumo"
diff --git a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
index 5d5fe2d..40ff582 100644
--- a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
@@ -45,8 +45,6 @@ EXTRA_OEMAKE = "\
     LIB_GCC="`${CC} -print-libgcc-file-name`" \
 "
 
-EXTRA_OEMAKE += "${@bb.utils.contains('LAYERSERIES_CORENAMES', 'rocko', 'GNU_EFI_VERSION=306', '', d)}"
-
 EFI_ARCH_x86 = "ia32"
 EFI_ARCH_x86-64 = "x64"
 
diff --git a/meta-encrypted-storage/conf/layer.conf b/meta-encrypted-storage/conf/layer.conf
index 18fa131..9772e96 100644
--- a/meta-encrypted-storage/conf/layer.conf
+++ b/meta-encrypted-storage/conf/layer.conf
@@ -17,4 +17,4 @@ LAYERDEPENDS_encrypted-storage = "\
     openembedded-layer \
 "
 
-LAYERSERIES_COMPAT_encrypted-storage = "rocko sumo"
+LAYERSERIES_COMPAT_encrypted-storage = "sumo"
diff --git a/meta-ids/conf/layer.conf b/meta-ids/conf/layer.conf
index 50cc3cc..a2f29c9 100644
--- a/meta-ids/conf/layer.conf
+++ b/meta-ids/conf/layer.conf
@@ -16,4 +16,4 @@ LAYERDEPENDS_ids = "\
     networking-layer \
 "
 
-LAYERSERIES_COMPAT_ids = "rocko sumo"
+LAYERSERIES_COMPAT_ids = "sumo"
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index 74961cc..2565080 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -27,4 +27,4 @@ BB_HASHBASE_WHITELIST_append += "\
     RPM_FSK_PATH \
 "
 
-LAYERSERIES_COMPAT_integrity = "rocko sumo"
+LAYERSERIES_COMPAT_integrity = "sumo"
diff --git a/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc b/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
index 172d5a2..1945cc2 100644
--- a/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
+++ b/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
@@ -1,20 +1,5 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/rpm:"
 
-ROCKO_SRC_URI = "\
-    file://0001-Pass-sign-arguments-to-signature-deletion-too.patch \
-    file://0002-Beat-some-sense-into-rpmsign-cli-parsing.patch \
-    file://0003-Fix-thinko-typo-in-file-signing-error-message.patch \
-    file://0004-Bury-get_fskpass-inside-rpmsign-utility.patch \
-    file://0005-Dont-advertise-file-signing-features-if-support-not-.patch \
-    file://0006-Remove-bunch-of-redundant-environ-declarations.patch \
-    file://0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch \
-    file://0008-Move-key-password-helper-variables-to-local-scope.patch \
-    file://0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch \
-    file://0010-Fix-a-number-of-problems-in-get_fskpass.patch \
-    file://0011-Bump-file-digests-to-SHA256-by-default-finally.patch \
-"
-SRC_URI += "${@bb.utils.contains('LAYERSERIES_CORENAMES', 'rocko', '${ROCKO_SRC_URI}', '', d)}"
-
 PACKAGECONFIG = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'imaevm', '', d)}"
 
 # IMA signing support is provided by RPM plugin.
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch b/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch
deleted file mode 100644
index a2c453f..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 23dc36f0d587495f2d29ebefd9e46437069b5a2d Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Mon, 29 May 2017 16:11:55 +0300
-Subject: [PATCH] Pass sign arguments to signature deletion too
-
-Refactor rpmsign and python bindings to be more similar on both
-addsign/delsign operations, and always pass the signing arguments
-along. Deletion doesn't actually (yet) use the arguments for anything
-but makes things more symmetric (I remember having doubts about
-this when adding - reminder to self: if in doubt, add more arguments ;)
-
-Yet another API break, but what the hey... Other than that, behavior is
-not supposed to change here.
----
- python/rpmsmodule.c | 28 ++++++++++++++++------------
- rpmsign.c           | 13 +++++++------
- sign/rpmgensig.c    |  2 +-
- sign/rpmsign.h      |  3 ++-
- 4 files changed, 26 insertions(+), 20 deletions(-)
-
-diff --git a/python/rpmsmodule.c b/python/rpmsmodule.c
-index 0601353b9..72465221d 100644
---- a/python/rpmsmodule.c
-+++ b/python/rpmsmodule.c
-@@ -5,32 +5,36 @@
- static char rpms__doc__[] =
- "";
- 
-+static int parseSignArgs(PyObject * args, PyObject *kwds,
-+                       const char **path, struct rpmSignArgs *sargs)
-+{
-+    char * kwlist[] = { "path", "keyid", "hashalgo", NULL };
-+
-+    memset(sargs, 0, sizeof(*sargs));
-+    return PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist,
-+                                   path, &sargs->keyid, &sargs->hashalgo);
-+}
-+
- static PyObject * addSign(PyObject * self, PyObject * args, PyObject *kwds)
- {
-     const char *path = NULL;
--    char * kwlist[] = { "path", "keyid", "hashalgo", NULL };
--    struct rpmSignArgs sig, *sigp = NULL;
-+    struct rpmSignArgs sargs;
- 
--    memset(&sig, 0, sizeof(sig));
--    if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist,
--                               &path, &sig.keyid, &sig.hashalgo))
-+    if (parseSignArgs(args, kwds, &path, &sargs))
-        return NULL;
- 
--    if (sig.keyid || sig.hashalgo)
--       sigp = &sig;
--
--    return PyBool_FromLong(rpmPkgSign(path, sigp) == 0);
-+    return PyBool_FromLong(rpmPkgSign(path, &sargs) == 0);
- }
- 
- static PyObject * delSign(PyObject * self, PyObject * args, PyObject *kwds)
- {
-     const char *path = NULL;
--    char * kwlist[] = { "path", NULL };
-+    struct rpmSignArgs sargs;
- 
--    if (!PyArg_ParseTupleAndKeywords(args, kwds, "s", kwlist, &path))
-+    if (parseSignArgs(args, kwds, &path, &sargs))
-        return NULL;
- 
--    return PyBool_FromLong(rpmPkgDelSign(path) == 0);
-+    return PyBool_FromLong(rpmPkgDelSign(path, &sargs) == 0);
- }
- 
- /*
-diff --git a/rpmsign.c b/rpmsign.c
-index 3834b505e..0402af556 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -25,6 +25,8 @@ static int signfiles = 0, fskpass = 0;
- static char * fileSigningKey = NULL;
- static char * fileSigningKeyPassword = NULL;
- 
-+static struct rpmSignArgs sargs = {NULL, 0, 0};
-+
- static struct poptOption signOptsTable[] = {
-     { "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
-        N_("sign package(s)"), NULL },
-@@ -54,11 +56,10 @@ static struct poptOption optionsTable[] = {
- };
- 
- /* TODO: permit overriding macro setup on the command line */
--static int doSign(poptContext optCon)
-+static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
- {
-     int rc = EXIT_FAILURE;
-     char * name = rpmExpand("%{?_gpg_name}", NULL);
--    struct rpmSignArgs sig = {NULL, 0, 0};
-     char *key = NULL;
- 
-     if (rstreq(name, "")) {
-@@ -92,13 +93,13 @@ static int doSign(poptContext optCon)
-            free(fileSigningKeyPassword);
-        }
- 
--       sig.signfiles = 1;
-+       sargs->signfiles = 1;
-     }
- 
-     const char *arg;
-     rc = 0;
-     while ((arg = poptGetArg(optCon)) != NULL) {
--       rc += rpmPkgSign(arg, &sig);
-+       rc += rpmPkgSign(arg, sargs);
-     }
- 
- exit:
-@@ -133,12 +134,12 @@ int main(int argc, char *argv[])
-     switch (mode) {
-     case MODE_ADDSIGN:
-     case MODE_RESIGN:
--       ec = doSign(optCon);
-+       ec = doSign(optCon, &sargs);
-        break;
-     case MODE_DELSIGN:
-        ec = 0;
-        while ((arg = poptGetArg(optCon)) != NULL) {
--           ec += rpmPkgDelSign(arg);
-+           ec += rpmPkgDelSign(arg, &sargs);
-        }
-        break;
-     default:
-diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
-index 4f5ff7b59..32bcfb3fb 100644
---- a/sign/rpmgensig.c
-+++ b/sign/rpmgensig.c
-@@ -863,7 +863,7 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args)
-     return rc;
- }
- 
--int rpmPkgDelSign(const char *path)
-+int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
- {
-     return rpmSign(path, 1, 0);
- }
-diff --git a/sign/rpmsign.h b/sign/rpmsign.h
-index b41e3caab..bed8d6245 100644
---- a/sign/rpmsign.h
-+++ b/sign/rpmsign.h
-@@ -31,9 +31,10 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
- /** \ingroup rpmsign
-  * Delete signature(s) from a package
-  * @param path         path to package
-+ * @param args         signing parameters (or NULL for defaults)
-  * @return             0 on success
-  */
--int rpmPkgDelSign(const char *path);
-+int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
- 
- #ifdef __cplusplus
- }
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch b/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch
deleted file mode 100644
index 34f35bc..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 8bcfd98c0545eaf98bbc99e56cc2118c995a8fad Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 12:39:53 +0300
-Subject: [PATCH] Beat some sense into rpmsign cli parsing
-
-Separate missing mode and several modes, print usage in the former
-and mumble about modes only if more than one actually specified.
----
- rpmsign.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 0402af556..de6f79384 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -14,12 +14,13 @@ char ** environ = NULL;
- #endif
- 
- enum modes {
-+    MODE_NONE    = 0,
-     MODE_ADDSIGN = (1 << 0),
-     MODE_RESIGN  = (1 << 1),
-     MODE_DELSIGN = (1 << 2),
- };
- 
--static int mode = 0;
-+static int mode = MODE_NONE;
- 
- static int signfiles = 0, fskpass = 0;
- static char * fileSigningKey = NULL;
-@@ -142,6 +143,9 @@ int main(int argc, char *argv[])
-            ec += rpmPkgDelSign(arg, &sargs);
-        }
-        break;
-+    case MODE_NONE:
-+       printUsage(optCon, stderr, 0);
-+       break;
-     default:
-        argerror(_("only one major mode may be specified"));
-        break;
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch b/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch
deleted file mode 100644
index 5452778..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 26cae3941f68c96e44d8126fea330ef7f0327913 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 12:42:00 +0300
-Subject: [PATCH] Fix %% -> $$ thinko/typo in file signing error message
-
----
- rpmsign.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index de6f79384..66ab8e5eb 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -75,7 +75,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-     if (signfiles) {
-        key = rpmExpand("%{?_file_signing_key}", NULL);
-        if (rstreq(key, "")) {
--           fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
-+           fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
-            goto exit;
-        }
- 
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch b/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch
deleted file mode 100644
index 6906a39..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 5a76125050c2f389cdc1c3017dff5fec4aef7e57 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 16:55:16 +0300
-Subject: [PATCH] Bury get_fskpass() inside rpmsign utility
-
-librpm is not in the business of providing terminal utility functions,
-file signing might well need to ask for passwords but it doesn't
-have to be a non-prefixed function in a shared library. The library
-provides means to *pass* the password and its up to calling applications
-to ask for it if needed.
----
- lib/rpmsignfiles.c | 35 -----------------------------------
- lib/rpmsignfiles.h |  2 --
- rpmsign.c          | 37 ++++++++++++++++++++++++++++++++++++-
- 3 files changed, 36 insertions(+), 38 deletions(-)
-
-diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c
-index 87e4e4265..aacb34647 100644
---- a/lib/rpmsignfiles.c
-+++ b/lib/rpmsignfiles.c
-@@ -7,8 +7,6 @@
- #include "system.h"
- #include "imaevm.h"
- 
--#include <termios.h>
--
- #include <rpm/rpmlog.h>                /* rpmlog */
- #include <rpm/rpmstring.h>     /* rnibble */
- #include <rpm/rpmpgp.h>                /* rpmDigestLength */
-@@ -34,39 +32,6 @@ static const char *hash_algo_name[] = {
- 
- #define ARRAY_SIZE(a)  (sizeof(a) / sizeof(a[0]))
- 
--char *get_fskpass(void)
--{
--    struct termios flags, tmp_flags;
--    char *password, *pwd;
--    int passlen = 64;
--
--    password = malloc(passlen);
--    if (!password) {
--       perror("malloc");
--       return NULL;
--    }
--
--    tcgetattr(fileno(stdin), &flags);
--    tmp_flags = flags;
--    tmp_flags.c_lflag &= ~ECHO;
--    tmp_flags.c_lflag |= ECHONL;
--
--    if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
--       perror("tcsetattr");
--       return NULL;
--    }
--
--    printf("PEM password: ");
--    pwd = fgets(password, passlen, stdin);
--    pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
--
--    if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
--       perror("tcsetattr");
--       return NULL;
--    }
--    return pwd;
--}
--
- static char *signFile(const char *algo, const char *fdigest, int diglen,
- const char *key, char *keypass)
- {
-diff --git a/lib/rpmsignfiles.h b/lib/rpmsignfiles.h
-index 52e2482a9..70ed69412 100644
---- a/lib/rpmsignfiles.h
-+++ b/lib/rpmsignfiles.h
-@@ -14,8 +14,6 @@ extern "C" {
-  */
- rpmRC rpmSignFiles(Header h, const char *key, char *keypass);
- 
--char *get_fskpass(void); /* get file signing key password */
--
- #ifdef _cplusplus
- }
- #endif
-diff --git a/rpmsign.c b/rpmsign.c
-index 66ab8e5eb..6cd63d872 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -1,12 +1,12 @@
- #include "system.h"
- #include <errno.h>
- #include <sys/wait.h>
-+#include <termios.h>
- 
- #include <popt.h>
- #include <rpm/rpmcli.h>
- #include <rpm/rpmsign.h>
- #include "cliutils.h"
--#include "lib/rpmsignfiles.h"
- #include "debug.h"
- 
- #if !defined(__GLIBC__) && !defined(__APPLE__)
-@@ -56,6 +56,41 @@ static struct poptOption optionsTable[] = {
-     POPT_TABLEEND
- };
- 
-+#ifdef WITH_IMAEVM
-+static char *get_fskpass(void)
-+{
-+    struct termios flags, tmp_flags;
-+    char *password, *pwd;
-+    int passlen = 64;
-+
-+    password = malloc(passlen);
-+    if (!password) {
-+       perror("malloc");
-+       return NULL;
-+    }
-+
-+    tcgetattr(fileno(stdin), &flags);
-+    tmp_flags = flags;
-+    tmp_flags.c_lflag &= ~ECHO;
-+    tmp_flags.c_lflag |= ECHONL;
-+
-+    if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
-+       perror("tcsetattr");
-+       return NULL;
-+    }
-+
-+    printf("PEM password: ");
-+    pwd = fgets(password, passlen, stdin);
-+    pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
-+
-+    if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
-+       perror("tcsetattr");
-+       return NULL;
-+    }
-+    return pwd;
-+}
-+#endif
-+
- /* TODO: permit overriding macro setup on the command line */
- static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
- {
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch b/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch
deleted file mode 100644
index a3d0e24..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From a77d2d3476919fdbcba9baf0dd44c98db1620360 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 17:36:28 +0300
-Subject: [PATCH] Dont advertise file signing features if support not built in
-
-ifdef the whole thing out when not enabled, instead of blurting out
-obscure error messages. A few to many ifdefs for my taste but
-that's a topic for another day...
----
- rpmsign.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 6cd63d872..dce342af0 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -22,9 +22,11 @@ enum modes {
- 
- static int mode = MODE_NONE;
- 
-+#ifdef WITH_IMAEVM
- static int signfiles = 0, fskpass = 0;
- static char * fileSigningKey = NULL;
- static char * fileSigningKeyPassword = NULL;
-+#endif
- 
- static struct rpmSignArgs sargs = {NULL, 0, 0};
- 
-@@ -35,6 +37,7 @@ static struct poptOption signOptsTable[] = {
-        N_("sign package(s) (identical to --addsign)"), NULL },
-     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
-        N_("delete package signatures"), NULL },
-+#ifdef WITH_IMAEVM
-     { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
-        N_("sign package(s) files"), NULL},
-     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
-@@ -42,6 +45,7 @@ static struct poptOption signOptsTable[] = {
-        N_("<key>") },
-     { "fskpass", '\0', POPT_ARG_NONE, &fskpass, 0,
-        N_("prompt for file signing key password"), NULL},
-+#endif
-     POPT_TABLEEND
- };
- 
-@@ -103,6 +107,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-        goto exit;
-     }
- 
-+#ifdef WITH_IMAEVM
-     if (fileSigningKey) {
-        rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
-     }
-@@ -115,11 +120,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-        }
- 
-        if (fskpass) {
--#ifndef WITH_IMAEVM
--           argerror(_("--fskpass may only be specified when signing files"));
--#else
-            fileSigningKeyPassword = get_fskpass();
--#endif
-        }
- 
-        rpmPushMacro(NULL, "_file_signing_key_password", NULL,
-@@ -131,6 +132,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
- 
-        sargs->signfiles = 1;
-     }
-+#endif
- 
-     const char *arg;
-     rc = 0;
-@@ -163,9 +165,11 @@ int main(int argc, char *argv[])
-        argerror(_("no arguments given"));
-     }
- 
-+#ifdef WITH_IMAEVM
-     if (fileSigningKey && !signfiles) {
-        argerror(_("--fskpath may only be specified when signing files"));
-     }
-+#endif
- 
-     switch (mode) {
-     case MODE_ADDSIGN:
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch b/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch
deleted file mode 100644
index 8260865..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 8fae14f4dfc655dabd3de11be4d7e9b7c1cb6898 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 11:37:03 +0300
-Subject: [PATCH] Remove bunch of redundant environ declarations
-
-rpmsign.c used to actually use "environ" to pass to execve(), but
-that call moved to librpmsign a long, long time ago. rpmdb.c and
-rpmkeys.c never used it at all but guess it was copy-paste inherited
-from rpmsign.c back in the day (dfbaa77152ccf98524c4f27afe85d32e6f690522)
-
-rpmgensig.c actually refers to environ, but this is a POSIX required
-variable and while Apple has managed to screw it up, it's handled
-in system.h and that must be sufficient for all relevant systems
-as we also refer to environ in rpmfileutil.c open_dso() and there's
-no fake environ definition there. So drop the one in rpmgensig.c too.
----
- rpmdb.c          | 4 ----
- rpmkeys.c        | 4 ----
- rpmsign.c        | 4 ----
- sign/rpmgensig.c | 4 ----
- 4 files changed, 16 deletions(-)
-
-diff --git a/rpmdb.c b/rpmdb.c
-index 67630d00c..25c088da9 100644
---- a/rpmdb.c
-+++ b/rpmdb.c
-@@ -6,10 +6,6 @@
- #include "cliutils.h"
- #include "debug.h"
- 
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
- enum modes {
-     MODE_INITDB                = (1 << 0),
-     MODE_REBUILDDB     = (1 << 1),
-diff --git a/rpmkeys.c b/rpmkeys.c
-index 0ecc65ed1..2b60a729e 100644
---- a/rpmkeys.c
-+++ b/rpmkeys.c
-@@ -5,10 +5,6 @@
- #include "cliutils.h"
- #include "debug.h"
- 
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
- enum modes {
-     MODE_CHECKSIG      = (1 << 0),
-     MODE_IMPORTKEY     = (1 << 1),
-diff --git a/rpmsign.c b/rpmsign.c
-index dce342af0..04738c052 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -9,10 +9,6 @@
- #include "cliutils.h"
- #include "debug.h"
- 
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
- enum modes {
-     MODE_NONE    = 0,
-     MODE_ADDSIGN = (1 << 0),
-diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
-index 141ad1530..5c04e9218 100644
---- a/sign/rpmgensig.c
-+++ b/sign/rpmgensig.c
-@@ -25,10 +25,6 @@
- 
- #include "debug.h"
- 
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
- typedef struct sigTarget_s {
-     FD_t fd;
-     const char *fileName;
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch b/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch
deleted file mode 100644
index cdfc2a0..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5a6acd24a55d31a7c7e68dc4e46149598f1699a4 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:33:23 +0300
-Subject: [PATCH] Dont push NULL-bodied macros (in case of get_fskpass()
- failure)
-
----
- rpmsign.c        | 4 ++--
- sign/rpmgensig.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 04738c052..578079a4d 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -119,9 +119,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-            fileSigningKeyPassword = get_fskpass();
-        }
- 
--       rpmPushMacro(NULL, "_file_signing_key_password", NULL,
--           fileSigningKeyPassword, RMIL_CMDLINE);
-        if (fileSigningKeyPassword) {
-+           rpmPushMacro(NULL, "_file_signing_key_password", NULL,
-+                       fileSigningKeyPassword, RMIL_CMDLINE);
-            memset(fileSigningKeyPassword, 0, strlen(fileSigningKeyPassword));
-            free(fileSigningKeyPassword);
-        }
-diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
-index 5c04e9218..073136364 100644
---- a/sign/rpmgensig.c
-+++ b/sign/rpmgensig.c
-@@ -538,7 +538,7 @@ static rpmRC includeFileSignatures(FD_t fd, const char *rpm,
- 
-     key = rpmExpand("%{?_file_signing_key}", NULL);
- 
--    keypass = rpmExpand("%{_file_signing_key_password}", NULL);
-+    keypass = rpmExpand("%{?_file_signing_key_password}", NULL);
-     if (rstreq(keypass, "")) {
-        free(keypass);
-        keypass = NULL;
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch b/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch
deleted file mode 100644
index 362e0c1..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 46eadbf33d06a0a97be0845afe09873acb44af3c Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:35:43 +0300
-Subject: [PATCH] Move key/password helper variables to local scope
-
----
- rpmsign.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 578079a4d..35c5ee966 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -21,7 +21,6 @@ static int mode = MODE_NONE;
- #ifdef WITH_IMAEVM
- static int signfiles = 0, fskpass = 0;
- static char * fileSigningKey = NULL;
--static char * fileSigningKeyPassword = NULL;
- #endif
- 
- static struct rpmSignArgs sargs = {NULL, 0, 0};
-@@ -96,7 +95,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
- {
-     int rc = EXIT_FAILURE;
-     char * name = rpmExpand("%{?_gpg_name}", NULL);
--    char *key = NULL;
- 
-     if (rstreq(name, "")) {
-        fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
-@@ -109,7 +107,8 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-     }
- 
-     if (signfiles) {
--       key = rpmExpand("%{?_file_signing_key}", NULL);
-+       char *fileSigningKeyPassword = NULL;
-+       char *key = rpmExpand("%{?_file_signing_key}", NULL);
-        if (rstreq(key, "")) {
-            fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
-            goto exit;
-@@ -127,6 +126,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-        }
- 
-        sargs->signfiles = 1;
-+       free(key);
-     }
- #endif
- 
-@@ -137,7 +137,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-     }
- 
- exit:
--    free(key);
-     free(name);
-     return rc;
- }
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch b/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch
deleted file mode 100644
index 4937c46..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 542f41a8bdc385ed849170565ac353956a47683a Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:45:21 +0300
-Subject: [PATCH] Use rpm memory allocator so we dont need to check for return
-
----
- rpmsign.c | 9 ++-------
- 1 file changed, 2 insertions(+), 7 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 35c5ee966..a59f2dc1c 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -59,14 +59,9 @@ static struct poptOption optionsTable[] = {
- static char *get_fskpass(void)
- {
-     struct termios flags, tmp_flags;
--    char *password, *pwd;
-     int passlen = 64;
--
--    password = malloc(passlen);
--    if (!password) {
--       perror("malloc");
--       return NULL;
--    }
-+    char *password = xmalloc(passlen);
-+    char *pwd;
- 
-     tcgetattr(fileno(stdin), &flags);
-     tmp_flags = flags;
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch b/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch
deleted file mode 100644
index 923de03..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 46c7bf438e5349676139dba0655faed3b2230827 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:52:08 +0300
-Subject: [PATCH] Fix a number of problems in get_fskpass()
-
-Fix segfault in case of fgets() failure, fix memleak on password
-buffer on failure.
----
- rpmsign.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index a59f2dc1c..ae86f666d 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -61,7 +61,7 @@ static char *get_fskpass(void)
-     struct termios flags, tmp_flags;
-     int passlen = 64;
-     char *password = xmalloc(passlen);
--    char *pwd;
-+    char *pwd = NULL;
- 
-     tcgetattr(fileno(stdin), &flags);
-     tmp_flags = flags;
-@@ -70,17 +70,23 @@ static char *get_fskpass(void)
- 
-     if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
-        perror("tcsetattr");
--       return NULL;
-+       goto exit;
-     }
- 
-     printf("PEM password: ");
-     pwd = fgets(password, passlen, stdin);
--    pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
- 
-     if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
-        perror("tcsetattr");
--       return NULL;
-+       pwd = NULL;
-+       goto exit;
-     }
-+
-+exit:
-+    if (pwd)
-+       pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
-+    else
-+       free(password);
-     return pwd;
- }
- #endif
--- 
-2.11.0
-
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch b/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch
deleted file mode 100644
index 68d54ad..0000000
--- a/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0cd74ade37d16d282d13e781deb68a219b2c04b9 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Wed, 8 Mar 2017 14:51:45 +0200
-Subject: [PATCH] Bump file digests to SHA256 by default, finally
-
-As a part of modernizing the crypto used by rpm, it's way past time
-to use a stronger algorithm for the file digests. The jump from MD5
-is not entirely smooth but at least Fedora and RHEL did that ages ago
-and survived, others should too. And of course you can always flip
-it back to MD5 if you really need to, for eg building packages for
-ancient distro versions.
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- macros.in | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/macros.in b/macros.in
-index 72d4a51ed..49a3dab04 100644
---- a/macros.in
-+++ b/macros.in
-@@ -355,17 +355,17 @@ package or when debugging this package.\
- 
- #      Algorithm to use for generating file checksum digests on build.
- #      If not specified or 0, MD5 is used.
--#      WARNING: non-MD5 is backwards incompatible, don't enable lightly!
--#      The supported algorithms may depend on NSS version, as of NSS
--#      3.11.99.5 the following are supported:
-+#      WARNING: non-MD5 is backwards incompatible with rpm < 4.6!
-+#      The supported algorithms may depend on the underlying crypto
-+#      implementation but generally at least the following are supported:
- #      1       MD5 (default)
- #      2       SHA1
- #      8       SHA256
- #      9       SHA384
- #      10      SHA512
- #
--#%_source_filedigest_algorithm 1
--#%_binary_filedigest_algorithm 1
-+%_source_filedigest_algorithm  8
-+%_binary_filedigest_algorithm  8
- 
- #      Configurable vendor information, same as Vendor: in a specfile.
- #
--- 
-2.11.0
-
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 67fc8d3..1b735d2 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -13,7 +13,7 @@ BBLAYERS_LAYERINDEX_NAME_signing-key = "meta-signing-key"
 
 LAYERDEPENDS_signing-key = "core"
 
-LAYERSERIES_COMPAT_signing-key = "rocko sumo"
+LAYERSERIES_COMPAT_signing-key = "sumo"
 
 SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 2b2dd3e..2b9964a 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -13,4 +13,4 @@ BBLAYERS_LAYERINDEX_NAME_tpm = "meta-tpm"
 
 LAYERDEPENDS_tpm = "core"
 
-LAYERSERIES_COMPAT_tpm = "rocko sumo"
+LAYERSERIES_COMPAT_tpm = "sumo"
diff --git a/meta-tpm2/conf/layer.conf b/meta-tpm2/conf/layer.conf
index 9957c6e..3842160 100644
--- a/meta-tpm2/conf/layer.conf
+++ b/meta-tpm2/conf/layer.conf
@@ -13,4 +13,4 @@ BBLAYERS_LAYERINDEX_NAME_tpm2 = "meta-tpm2"
 
 LAYERDEPENDS_tpm2 = "core"
 
-LAYERSERIES_COMPAT_tpm2 = "rocko sumo"
+LAYERSERIES_COMPAT_tpm2 = "sumo"
diff --git a/meta/conf/layer.conf b/meta/conf/layer.conf
index 301b017..4caf70c 100644
--- a/meta/conf/layer.conf
+++ b/meta/conf/layer.conf
@@ -15,4 +15,4 @@ LAYERDEPENDS_secure-core = "\
     core \
 "
 
-LAYERSERIES_COMPAT_secure-core = "rocko sumo"
+LAYERSERIES_COMPAT_secure-core = "sumo"