Merge pull request #481 from advancedtelematic/backport/rocko/garage-sign-lock-etc

Backport/rocko/garage sign lock etc

11 files changed, 137 insertions, 232 deletions

diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 4d9e8f6..0b40438 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -13,6 +13,12 @@ Previously, some older branches were also regularly supported, and while they sh
 
 If you are developing with meta-updater, it may be helpful to read the README and other documentation for link:README.adoc[this repo], https://github.com/advancedtelematic/aktualizr[aktualizr], and the https://github.com/advancedtelematic/updater-repo/[updater-repo], particularly the sections about development and debugging.
 
+== Developer Certificate of Origin (DCO)
+
+All commits in pull requests must contain a `Signed-off-by:` line to indicate that the developer has agreed to the terms of the https://developercertificate.org[Developer Certificate of Origin]. A simple way to achieve that is to use the `-s` flag of `git commit`.
+
+New pull requests will automatically be checked by the https://probot.github.io/apps/dco/[probot/dco].
+
 == Contributor checklist
 
 * OTA-enabled build succeeds for at least one platform, the resulting image boots, and an update can be installed. This check is absolutely necessary for every pull request unless it only touches documentation.
diff --git a/README.adoc b/README.adoc
index 32630d7..6ca20d8 100644
--- a/README.adoc
+++ b/README.adoc
@@ -79,6 +79,9 @@ Although we have used U-Boot so far, other boot loaders can be configured work w
 * `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo`
 * `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky".
 * `OSTREE_INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
+* `OSTREE_COMMIT_BODY` - Message attached to OSTree commit. Empty by default.
+* `OSTREE_COMMIT_SUBJECT` - Commit subject used by OSTree. Defaults to `Commit-id: ${IMAGE_NAME}`
+* `OSTREE_UPDATE_SUMMARY` - Set this to '1' to update summary of OSTree repository on each commit. '0' by default.
 * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
 * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
 * `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-ca-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 22ae123..97290ac 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -1,22 +1,19 @@
 # OSTree deployment
 
 do_image_ostree[depends] += "ostree-native:do_populate_sysroot \
-                        openssl-native:do_populate_sysroot \
                         coreutils-native:do_populate_sysroot \
-                        unzip-native:do_populate_sysroot \
                         virtual/kernel:do_deploy \
                         ${OSTREE_INITRAMFS_IMAGE}:do_image_complete"
 do_image_ostree[lockfiles] += "${OSTREE_REPO}/ostree.lock"
 
-export OSTREE_REPO
-export OSTREE_BRANCHNAME
-export GARAGE_TARGET_NAME
-
 RAMDISK_EXT ?= ".${OSTREE_INITRAMFS_FSTYPES}"
 
 OSTREE_KERNEL ??= "${KERNEL_IMAGETYPE}"
+OSTREE_COMMIT_SUBJECT ??= "Commit-id: ${IMAGE_NAME}"
+OSTREE_COMMIT_BODY ??= ""
+OSTREE_UPDATE_SUMMARY ??= "0"
 
-export SYSTEMD_USED = "${@oe.utils.ifelse(d.getVar('VIRTUAL-RUNTIME_init_manager', True) == 'systemd', 'true', '')}"
+SYSTEMD_USED = "${@oe.utils.ifelse(d.getVar('VIRTUAL-RUNTIME_init_manager', True) == 'systemd', 'true', '')}"
 
 IMAGE_CMD_ostree () {
     if [ -z "$OSTREE_REPO" ]; then
@@ -61,7 +58,7 @@ IMAGE_CMD_ostree () {
         fi
     done
 
-    if [ -n "$SYSTEMD_USED" ]; then
+    if [ -n "${SYSTEMD_USED}" ]; then
         mkdir -p usr/etc/tmpfiles.d
         tmpfiles_conf=usr/etc/tmpfiles.d/00ostree-tmpfiles.conf
         echo "d /var/rootdirs 0755 root root -" >>${tmpfiles_conf}
@@ -97,7 +94,7 @@ IMAGE_CMD_ostree () {
                 bbwarn "Data in /$dir directory is not preserved by OSTree. Consider moving it under /usr"
             fi
 
-            if [ -n "$SYSTEMD_USED" ]; then
+            if [ -n "${SYSTEMD_USED}" ]; then
                 echo "d /var/rootdirs/${dir} 0755 root root -" >>${tmpfiles_conf}
             else
                 echo "mkdir -p /var/rootdirs/${dir}; chown 755 /var/rootdirs/${dir}" >>${tmpfiles_conf}
@@ -109,11 +106,10 @@ IMAGE_CMD_ostree () {
 
     if [ -d root ] && [ ! -L root ]; then
         if [ "$(ls -A root)" ]; then
-            bberror "Data in /root directory is not preserved by OSTree."
-            exit 1
+            bbfatal "Data in /root directory is not preserved by OSTree."
         fi
 
-        if [ -n "$SYSTEMD_USED" ]; then
+        if [ -n "${SYSTEMD_USED}" ]; then
             echo "d /var/roothome 0755 root root -" >>${tmpfiles_conf}
         else
             echo "mkdir -p /var/roothome; chown 755 /var/roothome" >>${tmpfiles_conf}
@@ -156,7 +152,12 @@ IMAGE_CMD_ostree () {
            --tree=dir=${OSTREE_ROOTFS} \
            --skip-if-unchanged \
            --branch=${OSTREE_BRANCHNAME} \
-           --subject="Commit-id: ${IMAGE_NAME}"
+           --subject="${OSTREE_COMMIT_SUBJECT}" \
+           --body="${OSTREE_COMMIT_BODY}"
+
+    if [ "${OSTREE_UPDATE_SUMMARY}" = "1" ]; then
+        ostree --repo=${OSTREE_REPO} summary -u
+    fi
 
     rm -rf ${OSTREE_ROOTFS}
 }
@@ -180,7 +181,10 @@ IMAGE_CMD_ostreepush () {
 }
 
 IMAGE_TYPEDEP_garagesign = "ostreepush"
-do_image_garagesign[depends] += "aktualizr-native:do_populate_sysroot"
+do_image_garagesign[depends] += "unzip-native:do_populate_sysroot"
+# This lock solves OTA-1866, which is that removing GARAGE_SIGN_REPO while using
+# garage-sign simultaneously for two images often causes problems.
+do_image_garagesign[lockfiles] += "${DEPLOY_DIR_IMAGE}/garagesign.lock"
 IMAGE_CMD_garagesign () {
     if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
         # if credentials are issued by a server that doesn't support offline signing, exit silently
@@ -188,11 +192,9 @@ IMAGE_CMD_garagesign () {
 
         java_version=$( java -version 2>&1 | awk -F '"' '/version/ {print $2}' )
         if [ "${java_version}" = "" ]; then
-            bberror "Java is required for synchronization with update backend, but is not installed on the host machine"
-            exit 1
+            bbfatal "Java is required for synchronization with update backend, but is not installed on the host machine"
         elif [ "${java_version}" \< "1.8" ]; then
-            bberror "Java version >= 8 is required for synchronization with update backend"
-            exit 1
+            bbfatal "Java version >= 8 is required for synchronization with update backend"
         fi
 
         rm -rf ${GARAGE_SIGN_REPO}
@@ -243,14 +245,12 @@ IMAGE_CMD_garagesign () {
         rm -rf ${GARAGE_SIGN_REPO}
 
         if [ "$push_success" -ne "1" ]; then
-            bberror "Couldn't push to garage repository"
-            exit 1
+            bbfatal "Couldn't push to garage repository"
         fi
     fi
 }
 
-IMAGE_TYPEDEP_garagecheck = "ostreepush garagesign"
-do_image_garagecheck[depends] += "aktualizr-native:do_populate_sysroot"
+IMAGE_TYPEDEP_garagecheck = "garagesign"
 IMAGE_CMD_garagecheck () {
     if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
         # if credentials are issued by a server that doesn't support offline signing, exit silently
diff --git a/classes/image_types_ota.bbclass b/classes/image_types_ota.bbclass
index f677491..88f5b2c 100644
--- a/classes/image_types_ota.bbclass
+++ b/classes/image_types_ota.bbclass
@@ -40,110 +40,103 @@ calculate_size () {
                         return -1
                 fi
         fi
-        
+
         echo "${SIZE}"
 }
 
-export OSTREE_OSNAME
-export OSTREE_BRANCHNAME
-export OSTREE_REPO
-export OSTREE_BOOTLOADER
+IMAGE_CMD_otaimg () {
+        if ${@bb.utils.contains('IMAGE_FSTYPES', 'otaimg', 'false', 'true', d)}; then
+                return
+        fi
+        if [ -z "$OSTREE_REPO" ]; then
+                bbfatal "OSTREE_REPO should be set in your local.conf"
+        fi
 
-export GARAGE_TARGET_NAME
+        if [ -z "$OSTREE_OSNAME" ]; then
+                bbfatal "OSTREE_OSNAME should be set in your local.conf"
+        fi
 
-IMAGE_CMD_otaimg () {
-        if ${@bb.utils.contains('IMAGE_FSTYPES', 'otaimg', 'true', 'false', d)}; then
-                if [ -z "$OSTREE_REPO" ]; then
-                        bbfatal "OSTREE_REPO should be set in your local.conf"
-                fi
+        if [ -z "$OSTREE_BRANCHNAME" ]; then
+                bbfatal "OSTREE_BRANCHNAME should be set in your local.conf"
+        fi
 
-                if [ -z "$OSTREE_OSNAME" ]; then
-                        bbfatal "OSTREE_OSNAME should be set in your local.conf"
-                fi
+        PHYS_SYSROOT=`mktemp -d ${WORKDIR}/ota-sysroot-XXXXX`
 
-                if [ -z "$OSTREE_BRANCHNAME" ]; then
-                        bbfatal "OSTREE_BRANCHNAME should be set in your local.conf"
-                fi
+        ostree admin --sysroot=${PHYS_SYSROOT} init-fs ${PHYS_SYSROOT}
+        ostree admin --sysroot=${PHYS_SYSROOT} os-init ${OSTREE_OSNAME}
 
-                PHYS_SYSROOT=`mktemp -d ${WORKDIR}/ota-sysroot-XXXXX`
-
-                ostree admin --sysroot=${PHYS_SYSROOT} init-fs ${PHYS_SYSROOT}
-                ostree admin --sysroot=${PHYS_SYSROOT} os-init ${OSTREE_OSNAME}
-
-                mkdir -p ${PHYS_SYSROOT}/boot/loader.0
-                ln -s loader.0 ${PHYS_SYSROOT}/boot/loader
-
-                if [ "${OSTREE_BOOTLOADER}" = "grub" ]; then
-                        mkdir -p ${PHYS_SYSROOT}/boot/grub2
-                        ln -s ../loader/grub.cfg ${PHYS_SYSROOT}/boot/grub2/grub.cfg
-                elif [ "${OSTREE_BOOTLOADER}" = "u-boot" ]; then
-                        touch ${PHYS_SYSROOT}/boot/loader/uEnv.txt
-                else
-                        bberror "Invalid bootloader: ${OSTREE_BOOTLOADER}"
-                fi;
-
-                ostree_target_hash=$(cat ${OSTREE_REPO}/refs/heads/${OSTREE_BRANCHNAME})
-
-                ostree --repo=${PHYS_SYSROOT}/ostree/repo pull-local --remote=${OSTREE_OSNAME} ${OSTREE_REPO} ${ostree_target_hash}
-                export OSTREE_BOOT_PARTITION="/boot"
-                kargs_list=""
-                for arg in ${OSTREE_KERNEL_ARGS}; do
-                        kargs_list="${kargs_list} --karg-append=$arg"
-                done
-
-                ostree admin --sysroot=${PHYS_SYSROOT} deploy ${kargs_list} --os=${OSTREE_OSNAME} ${ostree_target_hash}
-
-                # Copy deployment /home and /var/sota to sysroot
-                HOME_TMP=`mktemp -d ${WORKDIR}/home-tmp-XXXXX`
-                tar --xattrs --xattrs-include='*' -C ${HOME_TMP} -xf ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.rootfs.ostree.tar.bz2 ./usr/homedirs ./var/local || true
-
-                cp -a ${IMAGE_ROOTFS}/var/sota ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
-                # Create /var/sota if it doesn't exist yet
-                mkdir -p ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
-                # Ensure the permissions are correctly set
-                chmod 700 ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
-
-                mv ${HOME_TMP}/var/local ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
-                mv ${HOME_TMP}/usr/homedirs/home ${PHYS_SYSROOT}/ || true
-                # Ensure that /var/local exists (AGL symlinks /usr/local to /var/local)
-                install -d ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/local
-                # Set package version for the first deployment
-                target_version=${ostree_target_hash}
-                if [ -n "${GARAGE_TARGET_VERSION}" ]; then
-                        target_version=${GARAGE_TARGET_VERSION}
-                elif [ -e "${STAGING_DATADIR_NATIVE}/target_version" ]; then
-                        target_version=$(cat "${STAGING_DATADIR_NATIVE}/target_version")
-                fi
-                mkdir -p ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import
-                echo "{\"${ostree_target_hash}\":\"${GARAGE_TARGET_NAME}-${target_version}\"}" > ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import/installed_versions
+        mkdir -p ${PHYS_SYSROOT}/boot/loader.0
+        ln -s loader.0 ${PHYS_SYSROOT}/boot/loader
 
-                rm -rf ${HOME_TMP}
+        if [ "${OSTREE_BOOTLOADER}" = "grub" ]; then
+                mkdir -p ${PHYS_SYSROOT}/boot/grub2
+                ln -s ../loader/grub.cfg ${PHYS_SYSROOT}/boot/grub2/grub.cfg
+        elif [ "${OSTREE_BOOTLOADER}" = "u-boot" ]; then
+                touch ${PHYS_SYSROOT}/boot/loader/uEnv.txt
+        else
+                bbfatal "Invalid bootloader: ${OSTREE_BOOTLOADER}"
+        fi
 
-                # Calculate image type
-                OTA_ROOTFS_SIZE=$(calculate_size `du -ks $PHYS_SYSROOT | cut -f 1`  "${IMAGE_OVERHEAD_FACTOR}" "${IMAGE_ROOTFS_SIZE}" "${IMAGE_ROOTFS_MAXSIZE}" `expr ${IMAGE_ROOTFS_EXTRA_SPACE}` "${IMAGE_ROOTFS_ALIGNMENT}")
+        ostree_target_hash=$(cat ${OSTREE_REPO}/refs/heads/${OSTREE_BRANCHNAME})
+
+        ostree --repo=${PHYS_SYSROOT}/ostree/repo pull-local --remote=${OSTREE_OSNAME} ${OSTREE_REPO} ${ostree_target_hash}
+        kargs_list=""
+        for arg in ${OSTREE_KERNEL_ARGS}; do
+                kargs_list="${kargs_list} --karg-append=$arg"
+        done
+
+        ostree admin --sysroot=${PHYS_SYSROOT} deploy ${kargs_list} --os=${OSTREE_OSNAME} ${ostree_target_hash}
+
+        # Copy deployment /home and /var/sota to sysroot
+        HOME_TMP=`mktemp -d ${WORKDIR}/home-tmp-XXXXX`
+        tar --xattrs --xattrs-include='*' -C ${HOME_TMP} -xf ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.rootfs.ostree.tar.bz2 ./usr/homedirs ./var/local || true
+
+        cp -a ${IMAGE_ROOTFS}/var/sota ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
+        # Create /var/sota if it doesn't exist yet
+        mkdir -p ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
+        # Ensure the permissions are correctly set
+        chmod 700 ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
+
+        mv ${HOME_TMP}/var/local ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
+        mv ${HOME_TMP}/usr/homedirs/home ${PHYS_SYSROOT}/ || true
+        # Ensure that /var/local exists (AGL symlinks /usr/local to /var/local)
+        install -d ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/local
+        # Set package version for the first deployment
+        target_version=${ostree_target_hash}
+        if [ -n "${GARAGE_TARGET_VERSION}" ]; then
+                target_version=${GARAGE_TARGET_VERSION}
+        elif [ -e "${STAGING_DATADIR_NATIVE}/target_version" ]; then
+                target_version=$(cat "${STAGING_DATADIR_NATIVE}/target_version")
+        fi
+        mkdir -p ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import
+        echo "{\"${ostree_target_hash}\":\"${GARAGE_TARGET_NAME}-${target_version}\"}" > ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import/installed_versions
 
-                if [ $OTA_ROOTFS_SIZE -lt 0 ]; then
-                        exit -1
-                fi
-                eval local COUNT=\"0\"
-                eval local MIN_COUNT=\"60\"
-                if [ $OTA_ROOTFS_SIZE -lt $MIN_COUNT ]; then
-                        eval COUNT=\"$MIN_COUNT\"
-                fi
+        rm -rf ${HOME_TMP}
+
+        # Calculate image size
+        OTA_ROOTFS_SIZE=$(calculate_size `du -ks $PHYS_SYSROOT | cut -f 1`  "${IMAGE_OVERHEAD_FACTOR}" "${IMAGE_ROOTFS_SIZE}" "${IMAGE_ROOTFS_MAXSIZE}" `expr ${IMAGE_ROOTFS_EXTRA_SPACE}` "${IMAGE_ROOTFS_ALIGNMENT}")
 
-                # create image
-                rm -rf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.otaimg
-                sync
-                dd if=/dev/zero of=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.otaimg seek=$OTA_ROOTFS_SIZE count=$COUNT bs=1024
-                mkfs.ext4 -O ^64bit ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.otaimg -L otaroot -d ${PHYS_SYSROOT}
-                rm -rf ${PHYS_SYSROOT}
-
-                rm -f ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.otaimg
-                ln -s ${IMAGE_NAME}.otaimg ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.otaimg
-                # for forward compatibility
-                rm -f ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.ota-ext4
-                ln -s ${IMAGE_NAME}.otaimg ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.ota-ext4
+        if [ ${OTA_ROOTFS_SIZE} -lt 0 ]; then
+                exit -1
         fi
+        eval local COUNT=\"0\"
+        eval local MIN_COUNT=\"60\"
+        if [ ${OTA_ROOTFS_SIZE} -lt ${MIN_COUNT} ]; then
+                eval COUNT=\"${MIN_COUNT}\"
+        fi
+
+        # create image
+        rm -rf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.otaimg
+        sync
+        dd if=/dev/zero of=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.otaimg seek=${OTA_ROOTFS_SIZE} count=${COUNT} bs=1024
+        mkfs.ext4 -O ^64bit ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.otaimg -L otaroot -d ${PHYS_SYSROOT}
+        rm -rf ${PHYS_SYSROOT}
+
+        rm -f ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.otaimg
+        ln -s ${IMAGE_NAME}.otaimg ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.otaimg
+        # for forward compatibility
+        rm -f ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.ota-ext4
+        ln -s ${IMAGE_NAME}.otaimg ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.ota-ext4
 }
 
 IMAGE_TYPEDEP_otaimg = "ostree"
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index 246865b..1517ceb 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -26,11 +26,13 @@ EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native
 OSTREE_INITRAMFS_FSTYPES ??= "${@oe.utils.ifelse(d.getVar('OSTREE_BOOTLOADER', True) == 'u-boot', 'ext4.gz.u-boot', 'ext4.gz')}"
 
 # Please redefine OSTREE_REPO in order to have a persistent OSTree repo
-OSTREE_REPO ?= "${DEPLOY_DIR_IMAGE}/ostree_repo"
-OSTREE_BRANCHNAME ?= "${SOTA_HARDWARE_ID}"
-OSTREE_OSNAME ?= "poky"
+export OSTREE_REPO ?= "${DEPLOY_DIR_IMAGE}/ostree_repo"
+export OSTREE_BRANCHNAME ?= "${SOTA_HARDWARE_ID}"
+export OSTREE_OSNAME ?= "poky"
+export OSTREE_BOOTLOADER ??= 'u-boot'
+export OSTREE_BOOT_PARTITION ??= "/boot"
+
 OSTREE_INITRAMFS_IMAGE ?= "initramfs-ostree-image"
-OSTREE_BOOTLOADER ??= 'u-boot'
 
 GARAGE_SIGN_REPO ?= "${DEPLOY_DIR_IMAGE}/garage_sign_repo"
 GARAGE_SIGN_KEYNAME ?= "garage-key"
diff --git a/lib/oeqa/selftest/cases/updater.py b/lib/oeqa/selftest/cases/updater.py
index fd37e85..4813b2e 100644
--- a/lib/oeqa/selftest/cases/updater.py
+++ b/lib/oeqa/selftest/cases/updater.py
@@ -655,7 +655,13 @@ def qemu_launch(efi=False, machine=None, imagename=None):
     args.dir = 'tmp/deploy/images'
     args.efi = efi
     args.machine = machine
-    args.kvm = None  # Autodetect
+    qemu_use_kvm = get_bb_var("QEMU_USE_KVM")
+    if qemu_use_kvm and \
+       (qemu_use_kvm == 'True' and 'x86' in machine or \
+        get_bb_var('MACHINE') in qemu_use_kvm.split()):
+        args.kvm = True
+    else:
+        args.kvm = None  # Autodetect
     args.no_gui = True
     args.gdb = False
     args.pcap = None
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
index 41af7c0..7420983 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
@@ -21,11 +21,11 @@ do_install() {
             SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
             SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
             mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-            bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
+            bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
 
             if [ ! -f ${SOTA_CACERT_PATH} ]; then
                 bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-                SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
+                SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
                 openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
                 openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
                 bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
@@ -33,7 +33,7 @@ do_install() {
         fi
 
         if [ -z ${SOTA_CAKEY_PATH} ]; then
-            bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
+            bbfatal "SOTA_CAKEY_PATH should be set when using implicit provisioning"
         fi
 
         install -m 0700 -d ${D}${localstatedir}/sota
diff --git a/recipes-sota/ostree/ostree_git.bb b/recipes-sota/ostree/ostree_git.bb
index 3e3c951..93ae6e7 100644
--- a/recipes-sota/ostree/ostree_git.bb
+++ b/recipes-sota/ostree/ostree_git.bb
@@ -7,9 +7,9 @@ inherit autotools pkgconfig systemd bash-completion gobject-introspection
 
 SRC_URI = "gitsm://github.com/ostreedev/ostree.git;branch=master"
 
-SRCREV="3e96ec9811b5cfc5481f8b6b06c8d34d9a35408e"
+SRCREV = "f3eba6bcec39c163eb831c02c148ffa483292906"
 
-PV = "v2018.7"
+PV = "v2018.9"
 
 S = "${WORKDIR}/git"
 
@@ -61,6 +61,7 @@ FILES_${PN} = "${bindir} \
     ${libdir}/ostree/ostree-remount \
     ${libdir}/girepository-1.0/* \
     ${@bb.utils.contains('DISTRO_FEATURES','systemd','${libdir}/tmpfiles.d', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES','systemd','${systemd_unitdir}/system/*.path', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES','systemd','${systemd_unitdir}/system-generators', '', d)} \
 "
 FILES_${PN}-dev += " ${datadir}/gir-1.0"
diff --git a/recipes-support/libp11/libp11_0.4.9.bb b/recipes-support/libp11/libp11_git.bb
index 6d0165f..e51bcce 100644
--- a/recipes-support/libp11/libp11_0.4.9.bb
+++ b/recipes-support/libp11/libp11_git.bb
@@ -11,7 +11,9 @@ RDEPENDS_${PN} += " opensc"
 
 SRC_URI = "git://github.com/OpenSC/libp11.git \
            file://0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch"
-SRCREV = "e1210903291b1de9eabcad26e740a4b2fbcca692"
+SRCREV = "57ca68ff67efa08e3be1f26dec6d23bf5bb977f2"
+
+PV = "0.4.9+git${SRCPV}"
 
 S = "${WORKDIR}/git"
 
diff --git a/recipes-support/sc-hsm-embedded/files/0001-Cross-compilation-tweaks.patch b/recipes-support/sc-hsm-embedded/files/0001-Cross-compilation-tweaks.patch
deleted file mode 100644
index b3a7622..0000000
--- a/recipes-support/sc-hsm-embedded/files/0001-Cross-compilation-tweaks.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From b6add28acb884b6006216e8422cc18504483c72e Mon Sep 17 00:00:00 2001
-From: Anton Gerasimov <anton@advancedtelematic.com>
-Date: Fri, 8 Sep 2017 15:08:40 +0200
-Subject: [PATCH] Cross-compilation tweaks
-
----
- m4/acx_openssl.m4      | 2 ++
- m4/acx_openssl_ecc.m4  | 3 +++
- m4/acx_openssl_fips.m4 | 2 ++
- m4/acx_openssl_gost.m4 | 2 ++
- 4 files changed, 9 insertions(+)
-
-diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
-index e90c78f..9de6055 100644
---- a/m4/acx_openssl.m4
-+++ b/m4/acx_openssl.m4
-@@ -25,6 +25,7 @@ AC_DEFUN([ACX_OPENSSL],[
-        AC_CHECK_HEADERS([openssl/ssl.h],,[AC_MSG_ERROR([Can't find OpenSSL headers])])
-        AC_CHECK_LIB(crypto, BN_new,,[AC_MSG_ERROR([Can't find OpenSSL library])])
- 
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING([for OpenSSL version])
-        CHECK_OPENSSL_VERSION=m4_format(0x%02x%02x%02x000L, $1, $2, $3)
-        AC_LANG_PUSH([C])
-@@ -51,6 +52,7 @@ AC_DEFUN([ACX_OPENSSL],[
-                AC_MSG_ERROR([OpenSSL library too old ($1.$2.$3 or later required)])
-        ],[])
-        AC_LANG_POP([C])
-+       fi
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-diff --git a/m4/acx_openssl_ecc.m4 b/m4/acx_openssl_ecc.m4
-index 612c505..ba2389d 100644
---- a/m4/acx_openssl_ecc.m4
-+++ b/m4/acx_openssl_ecc.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_ECC],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL ECC support)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -32,6 +33,8 @@ AC_DEFUN([ACX_OPENSSL_ECC],[
-        ],[])
-        AC_LANG_POP([C])
- 
-+       fi
-+
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
- ])
-diff --git a/m4/acx_openssl_fips.m4 b/m4/acx_openssl_fips.m4
-index 0491397..896cdbf 100644
---- a/m4/acx_openssl_fips.m4
-+++ b/m4/acx_openssl_fips.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_FIPS],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL FIPS capable library)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -47,4 +48,5 @@ AC_DEFUN([ACX_OPENSSL_FIPS],[
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-+       fi
- ])
-diff --git a/m4/acx_openssl_gost.m4 b/m4/acx_openssl_gost.m4
-index dca489b..34c39d8 100644
---- a/m4/acx_openssl_gost.m4
-+++ b/m4/acx_openssl_gost.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_GOST],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL GOST support)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -62,4 +63,5 @@ AC_DEFUN([ACX_OPENSSL_GOST],[
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-+       fi
- ])
--- 
-2.7.4
-
diff --git a/recipes-support/sc-hsm-embedded/sc-hsm-embedded_git.bb b/recipes-support/sc-hsm-embedded/sc-hsm-embedded_git.bb
deleted file mode 100644
index 062d514..0000000
--- a/recipes-support/sc-hsm-embedded/sc-hsm-embedded_git.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "Smartcard HSM driver"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=55b854a477953696452f698a3af5de1c"
-
-inherit autotools-brokensep
-
-
-SRC_URI = "git://github.com/CardContact/sc-hsm-embedded.git;branch=master"
-SRCREV="a45155d4249575ebdfb16ff26fdedbc4c4813002"
-
-S = "${WORKDIR}/git"
-
-DEPENDS += " openssl pcsc-lite"
-
-do_configure() {
- autoreconf -fi
- oe_runconf
-}
-
-FILES_${PN} += "${libdir}"
-FILES_SOLIBSDEV = ""
-