Merge branch 'master' of https://github.com/advancedtelematic/meta-updater into backport/thud/garage-sign-lock-etcbackport/thud/garage-sign-lock-etc

22 files changed, 111 insertions, 280 deletions

diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 4d9e8f6..0b40438 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -13,6 +13,12 @@ Previously, some older branches were also regularly supported, and while they sh
 
 If you are developing with meta-updater, it may be helpful to read the README and other documentation for link:README.adoc[this repo], https://github.com/advancedtelematic/aktualizr[aktualizr], and the https://github.com/advancedtelematic/updater-repo/[updater-repo], particularly the sections about development and debugging.
 
+== Developer Certificate of Origin (DCO)
+
+All commits in pull requests must contain a `Signed-off-by:` line to indicate that the developer has agreed to the terms of the https://developercertificate.org[Developer Certificate of Origin]. A simple way to achieve that is to use the `-s` flag of `git commit`.
+
+New pull requests will automatically be checked by the https://probot.github.io/apps/dco/[probot/dco].
+
 == Contributor checklist
 
 * OTA-enabled build succeeds for at least one platform, the resulting image boots, and an update can be installed. This check is absolutely necessary for every pull request unless it only touches documentation.
diff --git a/README.adoc b/README.adoc
index 994ad67..27ecabf 100644
--- a/README.adoc
+++ b/README.adoc
@@ -81,6 +81,7 @@ Although we have used U-Boot so far, other boot loaders can be configured work w
 * `OSTREE_COMMIT_BODY` - Message attached to OSTree commit. Empty by default. 
 * `OSTREE_COMMIT_SUBJECT` - Commit subject used by OSTree. Defaults to `Commit-id: ${IMAGE_NAME}`
 * `OSTREE_UPDATE_SUMMARY` - Set this to '1' to update summary of OSTree repository on each commit. '0' by default.
+* `OSTREE_DEPLOY_DEVICETREE` - Set this to '1' to include devicetree(s) to boot
 * `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
 * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
 * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
@@ -88,6 +89,9 @@ Although we have used U-Boot so far, other boot loaders can be configured work w
 * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).
 * `SOTA_SECONDARY_CONFIG_DIR` - a directory containing JSON configuration files for virtual secondaries on the host. These will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr.
 * `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set.
+* `SOTA_MAIN_DTB` - base device tree to use with the kernel. Used together with FIT images. You can change it, and the device tree will also be changed after the update.
+* `SOTA_DT_OVERLAYS` - whitespace-separated list of used device tree overlays for FIT image. This list is OSTree-updateable as well.
+* `SOTA_EXTRA_CONF_FRAGS` - extra https://lxr.missinglinkelectronics.com/uboot/doc/uImage.FIT/overlay-fdt-boot.txt[configuration fragments] for FIT image.
 
 == Usage
 
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 4095de0..29da78e 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -6,10 +6,11 @@ OSTREE_ROOTFS ??= "${WORKDIR}/ostree-rootfs"
 OSTREE_COMMIT_SUBJECT ??= "Commit-id: ${IMAGE_NAME}"
 OSTREE_COMMIT_BODY ??= ""
 OSTREE_UPDATE_SUMMARY ??= "0"
+OSTREE_DEPLOY_DEVICETREE ??= "0"
 
 BUILD_OSTREE_TARBALL ??= "1"
 
-SYSTEMD_USED = "${@oe.utils.ifelse(d.getVar('VIRTUAL-RUNTIME_init_manager', True) == 'systemd', 'true', '')}"
+SYSTEMD_USED = "${@oe.utils.ifelse(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd', 'true', '')}"
 
 IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
 CONVERSION_CMD_tar = "touch ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}; ${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.tar -C ${OTA_IMAGE_ROOTFS} . || [ $? -eq 1 ]"
@@ -103,18 +104,27 @@ IMAGE_CMD_ostree () {
         ln -sf var/roothome root
     fi
 
-    checksum=`sha256sum ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} | cut -f 1 -d " "`
-
-    cp ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} boot/vmlinuz-${checksum}
-
     if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
         # this is a hack for ostree not to override init= in kernel cmdline -
         # make it think that the initramfs is present (while it is in FIT image)
+        # since initramfs is fake file, it does not need to be included in checksum
+        checksum=$(sha256sum ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} | cut -f 1 -d " ")
         touch boot/initramfs-${checksum}
     else
+        if [ "${OSTREE_DEPLOY_DEVICETREE}" = "1"  ] && [ -n "${KERNEL_DEVICETREE}" ]; then
+            checksum=$(cat ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} ${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES} ${KERNEL_DEVICETREE} | sha256sum | cut -f 1 -d " ")
+            for DTS_FILE in ${KERNEL_DEVICETREE}; do
+                DTS_FILE_BASENAME=$(basename ${DTS_FILE})
+                cp ${DEPLOY_DIR_IMAGE}/${DTS_FILE_BASENAME} boot/devicetree-${DTS_FILE_BASENAME}-${checksum}
+            done
+        else
+            checksum=$(cat ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} ${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES} | sha256sum | cut -f 1 -d " ")
+        fi
         cp ${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES} boot/initramfs-${checksum}
     fi
 
+    cp ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} boot/vmlinuz-${checksum}
+
     # Copy image manifest
     cat ${IMAGE_MANIFEST} | cut -d " " -f1,3 > usr/package.manifest
 }
@@ -160,6 +170,9 @@ IMAGE_CMD_ostreepush () {
 
 IMAGE_TYPEDEP_garagesign = "ostreepush"
 do_image_garagesign[depends] += "unzip-native:do_populate_sysroot"
+# This lock solves OTA-1866, which is that removing GARAGE_SIGN_REPO while using
+# garage-sign simultaneously for two images often causes problems.
+do_image_garagesign[lockfiles] += "${DEPLOY_DIR_IMAGE}/garagesign.lock"
 IMAGE_CMD_garagesign () {
     if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
         # if credentials are issued by a server that doesn't support offline signing, exit silently
diff --git a/classes/image_types_ota.bbclass b/classes/image_types_ota.bbclass
index 9883a68..a31cbd1 100644
--- a/classes/image_types_ota.bbclass
+++ b/classes/image_types_ota.bbclass
@@ -42,8 +42,8 @@ OTA_IMAGE_ROOTFS_task-image-ota = "${OTA_SYSROOT}"
 IMAGE_TYPEDEP_ota = "ostreecommit"
 do_image_ota[dirs] = "${OTA_SYSROOT}"
 do_image_ota[cleandirs] = "${OTA_SYSROOT}"
-do_image_ota[depends] = "${@'grub:do_populate_sysroot' if d.getVar('OSTREE_BOOTLOADER', True) == 'grub' else ''} \
-                         ${@'virtual/bootloader:do_deploy' if d.getVar('OSTREE_BOOTLOADER', True) == 'u-boot' else ''}"
+do_image_ota[depends] = "${@'grub:do_populate_sysroot' if d.getVar('OSTREE_BOOTLOADER') == 'grub' else ''} \
+                         ${@'virtual/bootloader:do_deploy' if d.getVar('OSTREE_BOOTLOADER') == 'u-boot' else ''}"
 IMAGE_CMD_ota () {
         ostree admin --sysroot=${OTA_SYSROOT} init-fs ${OTA_SYSROOT}
         ostree admin --sysroot=${OTA_SYSROOT} os-init ${OSTREE_OSNAME}
@@ -93,7 +93,7 @@ IMAGE_CMD_ota () {
 IMAGE_TYPEDEP_ota-ext4 = "ota"
 do_image_ota_ext4[depends] = "e2fsprogs-native:do_populate_sysroot"
 IMAGE_CMD_ota-ext4 () {
-        # Calculate image type
+        # Calculate image size
         OTA_ROOTFS_SIZE=$(calculate_size `du -ks ${OTA_SYSROOT} | cut -f 1`  "${IMAGE_OVERHEAD_FACTOR}" "${IMAGE_ROOTFS_SIZE}" "${IMAGE_ROOTFS_MAXSIZE}" `expr ${IMAGE_ROOTFS_EXTRA_SPACE}` "${IMAGE_ROOTFS_ALIGNMENT}")
 
         if [ ${OTA_ROOTFS_SIZE} -lt 0 ]; then
@@ -110,4 +110,4 @@ IMAGE_CMD_ota-ext4 () {
         mkfs.ext4 -O ^64bit ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.ota-ext4 -L otaroot -d ${OTA_SYSROOT}
 }
 
-do_image_wic[depends] += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', '%s:do_image_ota_ext4' % d.getVar('IMAGE_BASENAME', True), '', d)}"
+do_image_wic[depends] += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', '%s:do_image_ota_ext4' % d.getVar('IMAGE_BASENAME'), '', d)}"
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index 93f59eb..92b4c43 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -21,7 +21,7 @@ WKS_FILE_sota ?= "sdimage-sota.wks"
 
 EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native"
 
-INITRAMFS_FSTYPES ??= "${@oe.utils.ifelse(d.getVar('OSTREE_BOOTLOADER', True) == 'u-boot', 'cpio.gz.u-boot', 'cpio.gz')}"
+INITRAMFS_FSTYPES ?= "${@oe.utils.ifelse(d.getVar('OSTREE_BOOTLOADER') == 'u-boot', 'cpio.gz.u-boot', 'cpio.gz')}"
 
 # Please redefine OSTREE_REPO in order to have a persistent OSTree repo
 export OSTREE_REPO ?= "${DEPLOY_DIR_IMAGE}/ostree_repo"
diff --git a/classes/sota_raspberrypi.bbclass b/classes/sota_raspberrypi.bbclass
index 600f9e9..e1c0054 100644
--- a/classes/sota_raspberrypi.bbclass
+++ b/classes/sota_raspberrypi.bbclass
@@ -5,6 +5,13 @@ KERNEL_IMAGETYPE_sota = "fitImage"
 INITRAMFS_FSTYPES = "cpio.gz"
 OSTREE_KERNEL = "${KERNEL_IMAGETYPE}-${INITRAMFS_IMAGE}-${MACHINE}-${KERNEL_FIT_LINK_NAME}"
 
+# DTB needs to be relocated to apply overlays
+UBOOT_DTB_LOADADDRESS = "0x05000000"
+UBOOT_DTBO_LOADADDRESS = "0x06000000"
+
+# Deploy config fragment list to OSTree root fs
+IMAGE_INSTALL_append = " fit-conf"
+
 PREFERRED_PROVIDER_virtual/bootloader_sota ?= "u-boot"
 UBOOT_ENTRYPOINT_sota ?= "0x00008000"
 
@@ -18,7 +25,13 @@ IMAGE_BOOT_FILES_sota = "bcm2835-bootfiles/* u-boot.bin;${SDIMG_KERNELIMAGE}"
 KERNEL_DEVICETREE_raspberrypi2_sota ?= " bcm2709-rpi-2-b.dtb "
 KERNEL_DEVICETREE_raspberrypi3_sota ?= " bcm2710-rpi-3-b.dtb overlays/vc4-kms-v3d.dtbo overlays/rpi-ft5406.dtbo"
 
+SOTA_MAIN_DTB_raspberrypi2 ?= "bcm2709-rpi-2-b.dtb"
+SOTA_MAIN_DTB_raspberrypi3 ?= "bcm2710-rpi-3-b.dtb"
+
+SOTA_DT_OVERLAYS_raspberrypi3 ?= "vc4-kms-v3d.dtbo rpi-ft5406.dtbo"
+
 # Kernel args normally provided by RPi's internal bootloader. Non-updateable
-OSTREE_KERNEL_ARGS_sota ?= " 8250.nr_uarts=1 bcm2708_fb.fbwidth=720 bcm2708_fb.fbheight=480 bcm2708_fb.fbswap=1 vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000 dwc_otg.lpm_enable=0 console=ttyS0,115200 usbhid.mousepoll=0 "
+OSTREE_KERNEL_ARGS_sota ?= " 8250.nr_uarts=1 bcm2708_fb.fbwidth=656 bcm2708_fb.fbheight=614 bcm2708_fb.fbswap=1 vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000 dwc_otg.lpm_enable=0 console=ttyS0,115200 usbhid.mousepoll=0 "
 
 SOTA_CLIENT_FEATURES_append = " ubootenv"
+
diff --git a/classes/sota_sanity.bbclass b/classes/sota_sanity.bbclass
index e47de19..8e80acb 100644
--- a/classes/sota_sanity.bbclass
+++ b/classes/sota_sanity.bbclass
@@ -1,17 +1,17 @@
 # Sanity check the sota setup for common misconfigurations
 
 def sota_check_overrides(status, d):
-    for var in (d.getVar('SOTA_OVERRIDES_BLACKLIST', True) or "").split():
-        if var in d.getVar('OVERRIDES', True).split(':'):
+    for var in (d.getVar('SOTA_OVERRIDES_BLACKLIST') or "").split():
+        if var in d.getVar('OVERRIDES').split(':'):
             status.addresult("%s should not be a overrides, because it is a image fstype in updater layer, please check your OVERRIDES setting.\n" % var)
 
 def sota_check_required_variables(status, d):
-    for var in (d.getVar('SOTA_REQUIRED_VARIABLES', True) or "").split():
-        if not d.getVar(var, True):
+    for var in (d.getVar('SOTA_REQUIRED_VARIABLES') or "").split():
+        if not d.getVar(var):
             status.addresult("%s should be set in your local.conf.\n" % var)
 
 def sota_raise_sanity_error(msg, d):
-    if d.getVar("SANITY_USE_EVENTS", True) == "1":
+    if d.getVar("SANITY_USE_EVENTS") == "1":
         bb.event.fire(bb.event.SanityCheckFailed(msg), d)
         return
 
diff --git a/conf/distro/sota.conf.inc b/conf/distro/sota.conf.inc
index 8de9597..f6111bf 100644
--- a/conf/distro/sota.conf.inc
+++ b/conf/distro/sota.conf.inc
@@ -10,4 +10,10 @@ INHERIT += " sota"
 # Prelinking increases the size of downloads and causes build errors
 USER_CLASSES_remove = "image-prelink"
 
+# Enable reproducible builds. Use 0 as mtime, the same as OSTree is using.
+INHERIT += "reproducible_build_simple"
+
+export SOURCE_DATE_EPOCH ?= "0"
+REPRODUCIBLE_TIMESTAMP_ROOTFS ?= "0"
+
 HOSTTOOLS_append = " sync sha256sum"
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
index f506cab..308f552 100644
--- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
@@ -6,7 +6,7 @@ LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
 DEPENDS = "aktualizr-native zip-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
+RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 PV = "1.0"
 PR = "6"
 
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
index 5893ed2..8dcda99 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -10,7 +10,7 @@ LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
 DEPENDS = "aktualizr aktualizr-native openssl-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
+RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
 PV = "1.0"
 PR = "1"
diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
index 7947edd..27aba0f 100644
--- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
@@ -6,7 +6,7 @@ LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
 DEPENDS = "aktualizr aktualizr-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
+RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
 SRC_URI = ""
 PV = "1.0"
diff --git a/recipes-sota/aktualizr/credentials.inc b/recipes-sota/aktualizr/credentials.inc
index 256c8ff..7c44257 100644
--- a/recipes-sota/aktualizr/credentials.inc
+++ b/recipes-sota/aktualizr/credentials.inc
@@ -1 +1 @@
-SRC_URI_append = "${@('file://' + d.getVar('SOTA_PACKED_CREDENTIALS', True)) if d.getVar('SOTA_PACKED_CREDENTIALS', True) else ''}"
+SRC_URI_append = "${@('file://' + d.getVar('SOTA_PACKED_CREDENTIALS')) if d.getVar('SOTA_PACKED_CREDENTIALS') else ''}"
diff --git a/recipes-sota/aktualizr/garage-sign-version.inc b/recipes-sota/aktualizr/garage-sign-version.inc
index 1b89a3d..2cea6c9 100644
--- a/recipes-sota/aktualizr/garage-sign-version.inc
+++ b/recipes-sota/aktualizr/garage-sign-version.inc
@@ -1,11 +1,11 @@
 
 python () {
-    if d.getVar("GARAGE_SIGN_VERSION", True) or not d.getVar("SOTA_PACKED_CREDENTIALS", True):
+    if d.getVar("GARAGE_SIGN_VERSION") or not d.getVar("SOTA_PACKED_CREDENTIALS"):
         return
     import json
     import urllib.request
     import zipfile
-    with zipfile.ZipFile(d.getVar("SOTA_PACKED_CREDENTIALS", True), 'r') as zip_ref:
+    with zipfile.ZipFile(d.getVar("SOTA_PACKED_CREDENTIALS"), 'r') as zip_ref:
         try:
             with zip_ref.open('tufrepo.url', mode='r') as url_file:
                 url = url_file.read().decode().strip(' \t\n') + '/health/version'
diff --git a/recipes-sota/fit-conf/fit-conf.bb b/recipes-sota/fit-conf/fit-conf.bb
new file mode 100644
index 0000000..c6cecec
--- /dev/null
+++ b/recipes-sota/fit-conf/fit-conf.bb
@@ -0,0 +1,22 @@
+SUMMARY = "FIT image configuration for u-boot to use"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+do_install() {
+        mkdir -p ${D}${libdir}
+        echo -n "fit_conf=" >${D}${libdir}/fit_conf
+
+        if [ -n ${SOTA_MAIN_DTB} ]; then
+                echo -n "#conf@${SOTA_MAIN_DTB}" >> ${D}${libdir}/fit_conf
+        fi
+
+        for ovrl in ${SOTA_DT_OVERLAYS}; do
+                echo -n "#conf@overlays_${ovrl}" >> ${D}${libdir}/fit_conf
+        done
+
+        for conf_frag in ${SOTA_EXTRA_CONF_FRAGS}; do
+                echo -n "#${conf_frag}" >> ${D}${libdir}/fit_conf
+        done
+}
+
+FILES_${PN} += "${libdir}/fit_conf"
diff --git a/recipes-sota/ostree/ostree_git.bb b/recipes-sota/ostree/ostree_git.bb
index 3e3c951..93ae6e7 100644
--- a/recipes-sota/ostree/ostree_git.bb
+++ b/recipes-sota/ostree/ostree_git.bb
@@ -7,9 +7,9 @@ inherit autotools pkgconfig systemd bash-completion gobject-introspection
 
 SRC_URI = "gitsm://github.com/ostreedev/ostree.git;branch=master"
 
-SRCREV="3e96ec9811b5cfc5481f8b6b06c8d34d9a35408e"
+SRCREV = "f3eba6bcec39c163eb831c02c148ffa483292906"
 
-PV = "v2018.7"
+PV = "v2018.9"
 
 S = "${WORKDIR}/git"
 
@@ -61,6 +61,7 @@ FILES_${PN} = "${bindir} \
     ${libdir}/ostree/ostree-remount \
     ${libdir}/girepository-1.0/* \
     ${@bb.utils.contains('DISTRO_FEATURES','systemd','${libdir}/tmpfiles.d', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES','systemd','${systemd_unitdir}/system/*.path', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES','systemd','${systemd_unitdir}/system-generators', '', d)} \
 "
 FILES_${PN}-dev += " ${datadir}/gir-1.0"
diff --git a/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch b/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch
deleted file mode 100644
index 55f2ed3..0000000
--- a/recipes-support/libp11/files/0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From ccab5ce63dd5d3dbb4bd02998d21d34407e550f2 Mon Sep 17 00:00:00 2001
-From: Anton Gerasimov <anton.gerasimov@here.com>
-Date: Fri, 19 Jan 2018 12:44:27 +0100
-Subject: [PATCH] Workaround for a buggy version of openssl (1.0.2m)
-
----
- src/p11_pkey.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/p11_pkey.c b/src/p11_pkey.c
-index 45d5ad3..75625e6 100644
---- a/src/p11_pkey.c
-+++ b/src/p11_pkey.c
-@@ -139,8 +139,14 @@ static void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src)
- 
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x100020d0L || defined(LIBRESSL_VERSION_NUMBER)
--static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
-+#if OPENSSL_VERSION_NUMBER < 0x10002110L || defined(LIBRESSL_VERSION_NUMBER)
-+
-+#  if (OPENSSL_VERSION_NUMBER & 0xFFFFFFF0) == 0x100020d0L
-+#    undef EVP_PKEY_meth_get_sign
-+#    undef EVP_PKEY_meth_get_decrypt
-+#  endif
-+
-+void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
-                int (**psign_init) (EVP_PKEY_CTX *ctx),
-                int (**psign) (EVP_PKEY_CTX *ctx,
-                        unsigned char *sig, size_t *siglen,
-@@ -152,7 +158,7 @@ static void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
-                *psign = pmeth->sign;
- }
- 
--static void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
-+void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
-                int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
-                int (**pdecrypt) (EVP_PKEY_CTX *ctx,
-                        unsigned char *out,
--- 
-2.15.1
-
diff --git a/recipes-support/libp11/libp11_0.4.9.bb b/recipes-support/libp11/libp11_git.bb
index 6d0165f..bedcdc8 100644
--- a/recipes-support/libp11/libp11_0.4.9.bb
+++ b/recipes-support/libp11/libp11_git.bb
@@ -9,9 +9,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29"
 DEPENDS = "libtool openssl"
 RDEPENDS_${PN} += " opensc"
 
-SRC_URI = "git://github.com/OpenSC/libp11.git \
-           file://0001-Workaround-for-a-buggy-version-of-openssl-1.0.2m.patch"
-SRCREV = "e1210903291b1de9eabcad26e740a4b2fbcca692"
+SRC_URI = "git://github.com/OpenSC/libp11.git"
+SRCREV = "57ca68ff67efa08e3be1f26dec6d23bf5bb977f2"
+
+PV = "0.4.9+git${SRCPV}"
 
 S = "${WORKDIR}/git"
 
diff --git a/recipes-support/sc-hsm-embedded/files/0001-Cross-compilation-tweaks.patch b/recipes-support/sc-hsm-embedded/files/0001-Cross-compilation-tweaks.patch
deleted file mode 100644
index b3a7622..0000000
--- a/recipes-support/sc-hsm-embedded/files/0001-Cross-compilation-tweaks.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From b6add28acb884b6006216e8422cc18504483c72e Mon Sep 17 00:00:00 2001
-From: Anton Gerasimov <anton@advancedtelematic.com>
-Date: Fri, 8 Sep 2017 15:08:40 +0200
-Subject: [PATCH] Cross-compilation tweaks
-
----
- m4/acx_openssl.m4      | 2 ++
- m4/acx_openssl_ecc.m4  | 3 +++
- m4/acx_openssl_fips.m4 | 2 ++
- m4/acx_openssl_gost.m4 | 2 ++
- 4 files changed, 9 insertions(+)
-
-diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
-index e90c78f..9de6055 100644
---- a/m4/acx_openssl.m4
-+++ b/m4/acx_openssl.m4
-@@ -25,6 +25,7 @@ AC_DEFUN([ACX_OPENSSL],[
-        AC_CHECK_HEADERS([openssl/ssl.h],,[AC_MSG_ERROR([Can't find OpenSSL headers])])
-        AC_CHECK_LIB(crypto, BN_new,,[AC_MSG_ERROR([Can't find OpenSSL library])])
- 
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING([for OpenSSL version])
-        CHECK_OPENSSL_VERSION=m4_format(0x%02x%02x%02x000L, $1, $2, $3)
-        AC_LANG_PUSH([C])
-@@ -51,6 +52,7 @@ AC_DEFUN([ACX_OPENSSL],[
-                AC_MSG_ERROR([OpenSSL library too old ($1.$2.$3 or later required)])
-        ],[])
-        AC_LANG_POP([C])
-+       fi
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-diff --git a/m4/acx_openssl_ecc.m4 b/m4/acx_openssl_ecc.m4
-index 612c505..ba2389d 100644
---- a/m4/acx_openssl_ecc.m4
-+++ b/m4/acx_openssl_ecc.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_ECC],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL ECC support)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -32,6 +33,8 @@ AC_DEFUN([ACX_OPENSSL_ECC],[
-        ],[])
-        AC_LANG_POP([C])
- 
-+       fi
-+
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
- ])
-diff --git a/m4/acx_openssl_fips.m4 b/m4/acx_openssl_fips.m4
-index 0491397..896cdbf 100644
---- a/m4/acx_openssl_fips.m4
-+++ b/m4/acx_openssl_fips.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_FIPS],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL FIPS capable library)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -47,4 +48,5 @@ AC_DEFUN([ACX_OPENSSL_FIPS],[
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-+       fi
- ])
-diff --git a/m4/acx_openssl_gost.m4 b/m4/acx_openssl_gost.m4
-index dca489b..34c39d8 100644
---- a/m4/acx_openssl_gost.m4
-+++ b/m4/acx_openssl_gost.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_GOST],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL GOST support)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -62,4 +63,5 @@ AC_DEFUN([ACX_OPENSSL_GOST],[
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-+       fi
- ])
--- 
-2.7.4
-
diff --git a/recipes-support/sc-hsm-embedded/sc-hsm-embedded_git.bb b/recipes-support/sc-hsm-embedded/sc-hsm-embedded_git.bb
deleted file mode 100644
index 062d514..0000000
--- a/recipes-support/sc-hsm-embedded/sc-hsm-embedded_git.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "Smartcard HSM driver"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=55b854a477953696452f698a3af5de1c"
-
-inherit autotools-brokensep
-
-
-SRC_URI = "git://github.com/CardContact/sc-hsm-embedded.git;branch=master"
-SRCREV="a45155d4249575ebdfb16ff26fdedbc4c4813002"
-
-S = "${WORKDIR}/git"
-
-DEPENDS += " openssl pcsc-lite"
-
-do_configure() {
- autoreconf -fi
- oe_runconf
-}
-
-FILES_${PN} += "${libdir}"
-FILES_SOLIBSDEV = ""
-
diff --git a/recipes-support/softhsm/files/0001-Cross-compilation-tweaks.patch b/recipes-support/softhsm/files/0001-Cross-compilation-tweaks.patch
deleted file mode 100644
index b3a7622..0000000
--- a/recipes-support/softhsm/files/0001-Cross-compilation-tweaks.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From b6add28acb884b6006216e8422cc18504483c72e Mon Sep 17 00:00:00 2001
-From: Anton Gerasimov <anton@advancedtelematic.com>
-Date: Fri, 8 Sep 2017 15:08:40 +0200
-Subject: [PATCH] Cross-compilation tweaks
-
----
- m4/acx_openssl.m4      | 2 ++
- m4/acx_openssl_ecc.m4  | 3 +++
- m4/acx_openssl_fips.m4 | 2 ++
- m4/acx_openssl_gost.m4 | 2 ++
- 4 files changed, 9 insertions(+)
-
-diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
-index e90c78f..9de6055 100644
---- a/m4/acx_openssl.m4
-+++ b/m4/acx_openssl.m4
-@@ -25,6 +25,7 @@ AC_DEFUN([ACX_OPENSSL],[
-        AC_CHECK_HEADERS([openssl/ssl.h],,[AC_MSG_ERROR([Can't find OpenSSL headers])])
-        AC_CHECK_LIB(crypto, BN_new,,[AC_MSG_ERROR([Can't find OpenSSL library])])
- 
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING([for OpenSSL version])
-        CHECK_OPENSSL_VERSION=m4_format(0x%02x%02x%02x000L, $1, $2, $3)
-        AC_LANG_PUSH([C])
-@@ -51,6 +52,7 @@ AC_DEFUN([ACX_OPENSSL],[
-                AC_MSG_ERROR([OpenSSL library too old ($1.$2.$3 or later required)])
-        ],[])
-        AC_LANG_POP([C])
-+       fi
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-diff --git a/m4/acx_openssl_ecc.m4 b/m4/acx_openssl_ecc.m4
-index 612c505..ba2389d 100644
---- a/m4/acx_openssl_ecc.m4
-+++ b/m4/acx_openssl_ecc.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_ECC],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL ECC support)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -32,6 +33,8 @@ AC_DEFUN([ACX_OPENSSL_ECC],[
-        ],[])
-        AC_LANG_POP([C])
- 
-+       fi
-+
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
- ])
-diff --git a/m4/acx_openssl_fips.m4 b/m4/acx_openssl_fips.m4
-index 0491397..896cdbf 100644
---- a/m4/acx_openssl_fips.m4
-+++ b/m4/acx_openssl_fips.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_FIPS],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL FIPS capable library)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -47,4 +48,5 @@ AC_DEFUN([ACX_OPENSSL_FIPS],[
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-+       fi
- ])
-diff --git a/m4/acx_openssl_gost.m4 b/m4/acx_openssl_gost.m4
-index dca489b..34c39d8 100644
---- a/m4/acx_openssl_gost.m4
-+++ b/m4/acx_openssl_gost.m4
-@@ -1,4 +1,5 @@
- AC_DEFUN([ACX_OPENSSL_GOST],[
-+       if test "$cross_compiling" != yes; then
-        AC_MSG_CHECKING(for OpenSSL GOST support)
- 
-        tmp_CPPFLAGS=$CPPFLAGS
-@@ -62,4 +63,5 @@ AC_DEFUN([ACX_OPENSSL_GOST],[
- 
-        CPPFLAGS=$tmp_CPPFLAGS
-        LIBS=$tmp_LIBS
-+       fi
- ])
--- 
-2.7.4
-
diff --git a/recipes-support/softhsm/softhsm_git.bb b/recipes-support/softhsm/softhsm_git.bb
index c26903d..4dcfe7d 100644
--- a/recipes-support/softhsm/softhsm_git.bb
+++ b/recipes-support/softhsm/softhsm_git.bb
@@ -1,27 +1,26 @@
 SUMMARY = "HSM emulator"
-LICENSE = "BSD"
+HOMEPAGE = "https://www.opendnssec.org/softhsm/"
+LICENSE = "BSD-2-Clause & ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
 
-inherit autotools-brokensep
+DEPENDS = "openssl"
 
+SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master"
+SRCREV = "369df0383d101bc8952692c2a368ac8bc887d1b4"
 
-SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master \
-           file://0001-Cross-compilation-tweaks.patch"
-SRCREV="1f7498c0c65b1b1ad5e1bdbd87e9d4b100705745"
+PV = "2.5.0"
 
 S = "${WORKDIR}/git"
 
-DEPENDS += " openssl"
+inherit autotools pkgconfig
 
-EXTRA_OECONF = "--disable-gost --with-openssl=${STAGING_LIBDIR}/.."
+# EdDSA requires OpenSSL >= 1.1.1
+EXTRA_OECONF = "--enable-eddsa --disable-gost"
 
-do_configure() {
- unset docdir
- sh ./autogen.sh
- oe_runconf
+do_configure_prepend() {
+    (
+        cd ${S}
+        unset docdir
+        sh ./autogen.sh
+    )
 }
-
-FILES_${PN} = "${bindir} \
-               ${libdir}/softhsm \
-               ${sysconfdir} \
-               ${localstatedir}/lib/softhsm "
diff --git a/scripts/ci/Jenkinsfile.bleeding-selftest b/scripts/ci/Jenkinsfile.bleeding-selftest
index e50b4b6..8c2d1de 100644
--- a/scripts/ci/Jenkinsfile.bleeding-selftest
+++ b/scripts/ci/Jenkinsfile.bleeding-selftest
@@ -10,7 +10,9 @@ node {
 }
 
 pipeline {
-  agent any
+  agent { 
+    node { label 'bitbake' } 
+        }
   environment {
     TEST_AKTUALIZR_REMOTE = 'aktualizr'
     TEST_AKTUALIZR_DIR = 'aktualizr'