Merge pull request #618 from advancedtelematic/feat/thud/2019.9-backport

Feat/thud/2019.9 backport

29 files changed, 219 insertions, 331 deletions

diff --git a/README.adoc b/README.adoc
index 12e0446..4cccc7b 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,17 +1,18 @@
 = meta-updater
 :toc: macro
 :toc-title:
-:aktualizr-docsroot: https://github.com/advancedtelematic/aktualizr/tree/master/docs/ota-client-guide/modules/ROOT/pages/
+:devguide-docsroot: https://docs.ota.here.com/ota-client/latest/
+:getstarted-docsroot: https://docs.ota.here.com/getstarted/dev/
 
 Meta-updater is a link:https://www.yoctoproject.org/software-overview/layers/[Yocto layer] that enables over-the-air updates (OTA) with https://github.com/ostreedev/ostree[OSTree] and https://github.com/advancedtelematic/aktualizr[Aktualizr] -- the default client for link:https://www.here.com/products/automotive/ota-technology[HERE OTA Connect].
 
 https://github.com/ostreedev/ostree[OSTree] is a tool for atomic full file system upgrades with rollback capability. OSTree has several advantages over traditional dual-bank systems, but the most important one is that it minimizes network bandwidth and data storage footprint by sharing files with the same contents across file system deployments.
 
-https://github.com/advancedtelematic/aktualizr[Aktualizr] (and https://github.com/advancedtelematic/rvi_sota_client[RVI SOTA client]) add authentication and provisioning capabilities to OTA and are integrated with OSTree. You can connect with these open-source applications or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
+https://github.com/advancedtelematic/aktualizr[Aktualizr] implements https://uptane.github.io/uptane-standard/uptane-standard.html[Uptane], supports device authentication and provisioning, and is integrated with OSTree. You can connect aktualizr to your own server solution or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
 
 == Quickstart
 
-If you don't already have a Yocto project that you want to add OTA to, you can use the xref:dev@getstarted::raspberry-pi.adoc[HERE OTA Connect Quickstart] project to rapidly get up and running on a Raspberry Pi. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
+If you don't already have a Yocto project that you want to add OTA to, you can use the xref:{getstarted-docsroot}get-started.html[HERE OTA Connect Quickstart] project to rapidly get up and running on a xref:{getstarted-docsroot}raspberry-pi.html[Raspberry Pi] or with xref:{getstarted-docsroot}qemuvirtualbox.html[QEMU]. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
 
 == Dependencies
 
@@ -30,43 +31,43 @@ sudo apt install ovmf
 [discrete]
 == Table of Contents
 
-The following documentation focuses on tasks that involve the meta-updater layer. If you want to get an idea of the overall developer workflow in OTA Connect, see the link:https://docs.ota.here.com/ota-client/dev/index.html[OTA Connect Developer Guide].
-[NOTE]
-====
-The following links point to files in the aktualizr repository where the source of the developer guide is stored.
-====
+The following documentation focuses on tasks that involve the meta-updater layer. If you want to get an idea of the overall developer workflow in OTA Connect, see the link:{devguide-docsroot}index.html[OTA Connect Developer Guide].
 
-* xref:{aktualizr-docsroot}meta-updater-build.adoc[Build]
+* xref:{devguide-docsroot}supported-boards.html[Supported boards]
 +
-Learn how to use this layer to build a basic disk image and add it to your own Yocto project.
+Find out if your board is supported and learn about the minimum hardware requirements.
 +
-* xref:{aktualizr-docsroot}supported-boards.adoc[Supported boards]
+* xref:{devguide-docsroot}build-agl.html[Build an Automotive Grade Linux image]
 +
-Find out if your board is supported and learn about the minimum hardware requirements.
+Learn how to use this layer as part of AGL.
++
+* xref:{devguide-docsroot}add-ota-functonality-existing-yocto-project.html[Add OTA functionality to an existing Yocto project]
++
+Learn how to add this layer to your own Yocto project.
 +
-* xref:{aktualizr-docsroot}build-configuration.adoc[SOTA-related variables in local.conf]
+* xref:{devguide-docsroot}build-configuration.html[SOTA-related variables in local.conf]
 +
-Learn how to configure OTA-related functionality when building disk images.
+Learn how to configure OTA-related functionality when building images, including how to install custom versions of aktualizr.
 +
-* xref:{aktualizr-docsroot}meta-updater-usage.adoc[Usage]
+* xref:{devguide-docsroot}recommended-clientconfig.html[Recommended configuration]
 +
-Learn about the `garage-push` and `garage-sign` utilities, aktualizr configuration and service resource control, and OSTree.
+Learn how to optimize your build for development or production.
 +
-* xref:{aktualizr-docsroot}meta-updater-dev-config.adoc[Development configuration]
+* xref:{devguide-docsroot}client-provisioning-methods.html[Provisoning methods]
 +
-Learn how to configure logging, install custom versions of aktualizr, and override the version indicator for sofware updates.
+Learn more about the methods for provisioning devices. For more detail, you may also want to read about how to xref:{devguide-docsroot}enable-device-cred-provisioning.html[enable device credential provisioning] or how to xref:{devguide-docsroot}simulate-device-cred-provtest.html[simulate it for testing].
 +
-* xref:{aktualizr-docsroot}meta-updater-testing.adoc#_qa_with_oe_selftest[QA with oe-selftest]
+* xref:{devguide-docsroot}meta-updater-usage.html[Advanced usage]
 +
-Learn how to use the `oe-selftest` framework for quality assurance.
+Learn about the `garage-push` and `garage-sign` utilities, aktualizr configuration recipes, and service resource control.
 +
-* xref:{aktualizr-docsroot}meta-updater-testing.adoc#_aktualizr_test_suite_with_ptest[Aktualizr test suite with ptest]
+* xref:{devguide-docsroot}meta-updater-testing.html[Testing with oe-selftest and ptest]
 +
-Learn how to enable Yocto's package test functionality and run parts of the aktualizr test suite.
+Learn how to use the `oe-selftest` framework for quality assurance and how to run the aktualizr test suite via ptest.
 +
-* xref:{aktualizr-docsroot}meta-updater-provisioning-methods.adoc[Provisoning methods]
+* xref:{devguide-docsroot}troubleshooting.html[Troubleshooting]
 +
-Learn how to enable different methods for provisioning devices.
+Get help on common problems.
 
 == License
 
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 795e01b..7ffe99d 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -168,7 +168,8 @@ IMAGE_CMD_ostreecommit () {
            --skip-if-unchanged \
            --branch=${OSTREE_BRANCHNAME} \
            --subject="${OSTREE_COMMIT_SUBJECT}" \
-           --body="${OSTREE_COMMIT_BODY}"
+           --body="${OSTREE_COMMIT_BODY}" \
+           --bind-ref="${OSTREE_BRANCHNAME}-${IMAGE_BASENAME}"
 
     if [ "${OSTREE_UPDATE_SUMMARY}" = "1" ]; then
         ostree --repo=${OSTREE_REPO} summary -u
diff --git a/classes/sota_raspberrypi.bbclass b/classes/sota_raspberrypi.bbclass
index 69f09fd..c901a70 100644
--- a/classes/sota_raspberrypi.bbclass
+++ b/classes/sota_raspberrypi.bbclass
@@ -16,25 +16,55 @@ DEV_MATCH_DIRECTIVE_pn-networkd-dhcp-conf = "Driver=smsc95xx lan78xx"
 IMAGE_INSTALL_append_sota = " virtual/network-configuration "
 
 PREFERRED_PROVIDER_virtual/bootloader_sota ?= "u-boot"
-UBOOT_ENTRYPOINT_sota ?= "0x00008000"
+UBOOT_ENTRYPOINT_sota ?= "0x00080000"
 
 IMAGE_FSTYPES_remove_sota = "rpi-sdimg"
 OSTREE_BOOTLOADER ?= "u-boot"
 
+def make_dtb_boot_files(d):
+    # Generate IMAGE_BOOT_FILES entries for device tree files listed in
+    # KERNEL_DEVICETREE.
+    #
+    # This function was taken from conf/machine/include/rpi-base.inc in
+    # meta-raspberrypi
+    alldtbs = d.getVar('KERNEL_DEVICETREE')
+    imgtyp = d.getVar('KERNEL_IMAGETYPE')
+
+    def transform(dtb):
+        base = os.path.basename(dtb)
+        if dtb.endswith('dtb'):
+            return base
+        elif dtb.endswith('dtbo'):
+            return '{};{}'.format(base, dtb)
+
+    return ' '.join([transform(dtb) for dtb in alldtbs.split(' ') if dtb])
+
+IMAGE_BOOT_FILES_sota = "bcm2835-bootfiles/* \
+                         u-boot.bin;${SDIMG_KERNELIMAGE} \
+                         "
+
 # OSTree puts its own boot.scr to bcm2835-bootfiles
-IMAGE_BOOT_FILES_sota = "bcm2835-bootfiles/* u-boot.bin;${SDIMG_KERNELIMAGE}"
+# raspberrypi4 needs dtb in /boot partition so that they can be read by the
+# firmware
+IMAGE_BOOT_FILES_append_sota_raspberrypi4 = "${@make_dtb_boot_files(d)}"
 
 # Just the overlays that will be used should be listed
 KERNEL_DEVICETREE_raspberrypi2_sota ?= " bcm2709-rpi-2-b.dtb "
 KERNEL_DEVICETREE_raspberrypi3_sota ?= " bcm2710-rpi-3-b.dtb overlays/vc4-kms-v3d.dtbo overlays/rpi-ft5406.dtbo"
 KERNEL_DEVICETREE_raspberrypi3-64_sota ?= " broadcom/bcm2710-rpi-3-b.dtb overlays/vc4-kms-v3d.dtbo overlays/vc4-fkms-v3d.dtbo overlays/rpi-ft5406.dtbo"
+KERNEL_DEVICETREE_raspberrypi4_sota ?= " bcm2711-rpi-4-b.dtb overlays/vc4-fkms-v3d.dtbo overlays/uart0-rpi4.dtbo"
+KERNEL_DEVICETREE_raspberrypi4-64_sota ?= " broadcom/bcm2711-rpi-4-b.dtb overlays/vc4-fkms-v3d.dtbo overlays/uart0-rpi4.dtbo"
 
 SOTA_MAIN_DTB_raspberrypi2 ?= "bcm2709-rpi-2-b.dtb"
 SOTA_MAIN_DTB_raspberrypi3 ?= "bcm2710-rpi-3-b.dtb"
 SOTA_MAIN_DTB_raspberrypi3-64 ?= "broadcom_bcm2710-rpi-3-b.dtb"
+SOTA_MAIN_DTB_raspberrypi4_sota ?= "bcm2711-rpi-4-b.dtb"
+SOTA_MAIN_DTB_raspberrypi4-64_sota ?= "broadcom_bcm2711-rpi-4-b.dtb"
 
 SOTA_DT_OVERLAYS_raspberrypi3 ?= "vc4-kms-v3d.dtbo rpi-ft5406.dtbo"
 SOTA_DT_OVERLAYS_raspberrypi3-64 ?= "vc4-kms-v3d.dtbo vc4-fkms-v3d.dtbo rpi-ft5406.dtbo"
+SOTA_DT_OVERLAYS_raspberrypi4 ?= "vc4-fkms-v3d.dtbo uart0-rpi4.dtbo"
+SOTA_DT_OVERLAYS_raspberrypi4-64 ?= "vc4-fkms-v3d.dtbo uart0-rpi4.dtbo"
 
 # Kernel args normally provided by RPi's internal bootloader. Non-updateable
 OSTREE_KERNEL_ARGS_sota ?= " 8250.nr_uarts=1 bcm2708_fb.fbwidth=656 bcm2708_fb.fbheight=614 bcm2708_fb.fbswap=1 vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000 dwc_otg.lpm_enable=0 console=ttyS0,115200 usbhid.mousepoll=0 "
diff --git a/conf/include/bblayers/sota_raspberrypi3-64.inc b/conf/include/bblayers/sota_raspberrypi3-64.inc
index ea420ba..03f8f44 100644
--- a/conf/include/bblayers/sota_raspberrypi3-64.inc
+++ b/conf/include/bblayers/sota_raspberrypi3-64.inc
@@ -1,2 +1,3 @@
+BBLAYERS += "${METADIR}/meta-openembedded/meta-python"
 BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
 BBLAYERS += "${METADIR}/meta-raspberrypi"
diff --git a/conf/include/bblayers/sota_raspberrypi4-64.inc b/conf/include/bblayers/sota_raspberrypi4-64.inc
new file mode 100644
index 0000000..7e320af
--- /dev/null
+++ b/conf/include/bblayers/sota_raspberrypi4-64.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
diff --git a/conf/include/bblayers/sota_raspberrypi4.inc b/conf/include/bblayers/sota_raspberrypi4.inc
new file mode 100644
index 0000000..7e320af
--- /dev/null
+++ b/conf/include/bblayers/sota_raspberrypi4.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
diff --git a/conf/layer.conf b/conf/layer.conf
index 627a1b8..39ea749 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -9,5 +9,14 @@ BBFILE_COLLECTIONS += "sota"
 BBFILE_PATTERN_sota = "^${LAYERDIR}/"
 BBFILE_PRIORITY_sota = "7"
 
-LAYERDEPENDS_sota = "filesystems-layer"
+LAYERDEPENDS_sota = "openembedded-layer"
+LAYERDEPENDS_sota += "filesystems-layer"
 LAYERSERIES_COMPAT_sota = "thud"
+
+SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
+  aktualizr-device-prov->aktualizr \
+  aktualizr-device-prov-hsm->aktualizr \
+  aktualizr-shared-prov->aktualizr \
+  aktualizr-shared-prov-creds->aktualizr \
+  aktualizr-uboot-env-rollback->aktualizr \
+"
diff --git a/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb b/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
index b6076cd..394531e 100644
--- a/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
+++ b/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
@@ -4,7 +4,7 @@ interfaces through systemd-networkd"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
-inherit allarch systemd
+inherit systemd
 
 RPROVIDES_${PN} = "virtual/network-configuration"
 
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
deleted file mode 100644
index 6e02a50..0000000
--- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,60 +0,0 @@
-SUMMARY = "Credentials for device provisioning with fleet CA certificate"
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-
-inherit allarch
-
-# WARNING: it is NOT a production solution. The secure way to provision devices
-# is to create certificate request directly on the device (either with HSM/TPM
-# or with software) and then sign it with a CA stored on a disconnected machine.
-
-DEPENDS = "aktualizr aktualizr-native"
-ALLOW_EMPTY_${PN} = "1"
-
-SRC_URI = " \
-            file://ca.cnf \
-            "
-
-require credentials.inc
-
-export SOTA_CACERT_PATH
-export SOTA_CAKEY_PATH
-
-do_install() {
-    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
-        if [ -z ${SOTA_CACERT_PATH} ]; then
-            SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
-            SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
-            mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-            bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
-
-            if [ ! -f ${SOTA_CACERT_PATH} ]; then
-                bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-                SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
-                openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
-                openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
-                bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
-            fi
-        fi
-
-        if [ -z ${SOTA_CAKEY_PATH} ]; then
-            bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
-        fi
-
-        install -m 0700 -d ${D}${localstatedir}/sota
-        aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
-                                --fleet-ca ${SOTA_CACERT_PATH} \
-                                --fleet-ca-key ${SOTA_CAKEY_PATH} \
-                                --root-ca \
-                                --server-url \
-                                --local ${D} \
-                                --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
-    fi
-}
-
-FILES_${PN} = " \
-                ${localstatedir}/sota/*"
-
-# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
index c3cd593..4eadb77 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -7,14 +7,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr aktualizr-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
 
-SRC_URI = ""
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
 PV = "1.0"
 PR = "6"
 
-require credentials.inc
+SRC_URI = ""
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb
index d579532..55f398d 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -7,13 +7,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr aktualizr-native openssl-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
 
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
 PV = "1.0"
 PR = "1"
 
-require credentials.inc
+SRC_URI = ""
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
diff --git a/recipes-sota/aktualizr/aktualizr-hwid.bb b/recipes-sota/aktualizr/aktualizr-hwid.bb
new file mode 100644
index 0000000..fd3e395
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-hwid.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Aktualizr hwid configuration"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+SRC_URI = ""
+
+do_install() {
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    if [ -n "${SOTA_HARDWARE_ID}" ]; then
+        printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml
+    fi
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d \
+                ${libdir}/sota/conf.d/40-hardware-id.toml \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
index 2701c07..9c6f0dd 100644
--- a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
@@ -6,9 +6,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr-native zip-native"
+DEPENDS = "zip-native"
 ALLOW_EMPTY_${PN} = "1"
 
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
+PV = "1.0"
+PR = "1"
+
+SRC_URI = ""
+
 require credentials.inc
 
 do_install() {
diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov.bb b/recipes-sota/aktualizr/aktualizr-shared-prov.bb
index d3d6f16..2ee47a1 100644
--- a/recipes-sota/aktualizr/aktualizr-shared-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-shared-prov.bb
@@ -7,15 +7,18 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr-native zip-native"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
 RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
 PV = "1.0"
 PR = "6"
 
 SRC_URI = ""
 
-require credentials.inc
-
 do_install() {
     if [ -n "${SOTA_AUTOPROVISION_CREDENTIALS}" ]; then
         bbwarn "SOTA_AUTOPROVISION_CREDENTIALS are ignored. Please use SOTA_PACKED_CREDENTIALS"
@@ -31,7 +34,7 @@ do_install() {
     fi
 
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-shared-cred.toml \
+    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-shared-cred.toml \
         ${D}${libdir}/sota/conf.d/20-sota-shared-cred.toml
 }
 
diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
index 860f225..2895e5c 100644
--- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
+++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
@@ -6,14 +6,18 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr-native"
-RDEPENDS_${PN} = "aktualizr"
+DEPENDS = "aktualizr"
+
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
+PV = "1.0"
+PR = "1"
 
 SRC_URI = ""
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
+    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
 }
 
 FILES_${PN} = " \
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 17aa15a..0427c3c 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "SOTA Client application written in C++"
 HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
 SECTION = "base"
 LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=815ca599c9df247a0c7f619bab123dad"
 
 DEPENDS = "boost curl openssl libarchive libsodium sqlite3 asn1c-native"
 DEPENDS_append = "${@bb.utils.contains('PTEST_ENABLED', '1', ' coreutils-native net-tools-native ostree-native aktualizr-native ', '', d)}"
-RDEPENDS_${PN}_class-target = "aktualizr-configs lshw"
+RDEPENDS_${PN}_class-target = "aktualizr-configs aktualizr-hwid lshw"
 RDEPENDS_${PN}-host-tools = "aktualizr aktualizr-cert-provider ${@bb.utils.contains('PACKAGECONFIG', 'sota-tools', 'garage-deploy garage-push', '', d)}"
 
 RDEPENDS_${PN}-ptest += "bash cmake curl python3-misc python3-modules openssl-bin sqlite3 valgrind"
@@ -15,23 +15,22 @@ RDEPENDS_${PN}-ptest += "bash cmake curl python3-misc python3-modules openssl-bi
 PV = "1.0+git${SRCPV}"
 PR = "7"
 
-GARAGE_SIGN_PV = "0.7.0-33-g214dfb1"
+GARAGE_SIGN_PV = "0.7.0-49-g5ffd420"
 
 SRC_URI = " \
-  gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
+  gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH};name=aktualizr \
   file://run-ptest \
   file://aktualizr.service \
   file://aktualizr-secondary.service \
   file://aktualizr-serialcan.service \
   file://10-resource-control.conf \
-  ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
+  ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0;name=garagesign") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
   "
 
-# for garage-sign archive
-SRC_URI[md5sum] = "66ffe8dcd61d4c15646e1c4b7dde7401"
-SRC_URI[sha256sum] = "7a7193ddf7e1a33ea60fbb20f98318a8bd78c325dab391d8c4ebd644a738abdc"
+SRC_URI[garagesign.md5sum] = "de0877ecb693fd48ec11052e51b0ff1a"
+SRC_URI[garagesign.sha256sum] = "cf25759574c9c1206835daeaf6fc345f6db7b5ccdb95fb828c86d7451f78f0aa"
 
-SRCREV = "3bb9fe91b4c614a79373beadc721272fcf7acce2"
+SRCREV = "fa59e33208d3b1dc690a30ce8339b3b4162f8022"
 BRANCH ?= "master"
 
 S = "${WORKDIR}/git"
@@ -46,11 +45,11 @@ SYSTEMD_PACKAGES = "${PN} ${PN}-secondary"
 SYSTEMD_SERVICE_${PN} = "aktualizr.service"
 SYSTEMD_SERVICE_${PN}-secondary = "aktualizr-secondary.service"
 
-EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release -DAKTUALIZR_VERSION=${PV} ${@bb.utils.contains('PTEST_ENABLED', '1', '-DTESTSUITE_VALGRIND=on', '', d)}"
+EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release ${@bb.utils.contains('PTEST_ENABLED', '1', '-DTESTSUITE_VALGRIND=on', '', d)}"
 
 GARAGE_SIGN_OPS = "${@ d.expand('-DGARAGE_SIGN_ARCHIVE=${WORKDIR}/cli-${GARAGE_SIGN_PV}.tgz') if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''}"
 
-PACKAGECONFIG ?= "ostree ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} ${@bb.utils.filter('SOTA_CLIENT_FEATURES', 'hsm serialcan ubootenv', d)}"
+PACKAGECONFIG ?= "ostree ${@bb.utils.filter('SOTA_CLIENT_FEATURES', 'hsm serialcan ubootenv', d)}"
 PACKAGECONFIG_class-native = "sota-tools"
 PACKAGECONFIG[warning-as-error] = "-DWARNING_AS_ERROR=ON,-DWARNING_AS_ERROR=OFF,"
 PACKAGECONFIG[ostree] = "-DBUILD_OSTREE=ON,-DBUILD_OSTREE=OFF,ostree,"
@@ -70,6 +69,14 @@ RESOURCE_CPU_WEIGHT = "100"
 RESOURCE_MEMORY_HIGH = "100M"
 RESOURCE_MEMORY_MAX = "80%"
 
+do_configure_prepend() {
+    # CMake has trouble finding yocto's git when cross-compiling, let's do this step manually
+    cd ${S}
+    if [ ! -f VERSION ]; then
+        ./scripts/get_version.sh > VERSION
+    fi
+}
+
 do_compile_ptest() {
     cmake_runcmake_build --target build_tests "${PARALLEL_MAKE}"
 }
@@ -102,10 +109,6 @@ do_install_append () {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
     install -m 0700 -d ${D}${sysconfdir}/sota/conf.d
 
-    if [ -n "${SOTA_HARDWARE_ID}" ]; then
-        printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml
-    fi
-
     install -m 0755 -d ${D}${systemd_unitdir}/system
     aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)}
     install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service
diff --git a/recipes-sota/config/aktualizr-virtualsec.bb b/recipes-sota/config/aktualizr-virtualsec.bb
new file mode 100644
index 0000000..b7d55aa
--- /dev/null
+++ b/recipes-sota/config/aktualizr-virtualsec.bb
@@ -0,0 +1,27 @@
+SUMMARY = "Example virtual secondary in aktualizr"
+DESCRIPTION = "Creates an example virtual secondary to be used to update an arbitrary file on the primary"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+inherit allarch
+
+SRC_URI = " \
+            file://30-virtualsec.toml \
+            file://virtualsec.json \
+            "
+
+do_install_append () {
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    install -m 0644 ${WORKDIR}/30-virtualsec.toml ${D}${libdir}/sota/conf.d/30-virtualsec.toml
+    install -m 0644 ${WORKDIR}/virtualsec.json ${D}${libdir}/sota/virtualsec.json
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d/30-virtualsec.toml \
+                ${libdir}/sota/virtualsec.json \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
+
diff --git a/recipes-sota/config/files/30-virtualsec.toml b/recipes-sota/config/files/30-virtualsec.toml
new file mode 100644
index 0000000..987f692
--- /dev/null
+++ b/recipes-sota/config/files/30-virtualsec.toml
@@ -0,0 +1,3 @@
+[uptane]
+secondary_config_file = "/usr/lib/sota/virtualsec.json"
+
diff --git a/recipes-sota/config/files/virtualsec.json b/recipes-sota/config/files/virtualsec.json
new file mode 100644
index 0000000..dcdcdba
--- /dev/null
+++ b/recipes-sota/config/files/virtualsec.json
@@ -0,0 +1,14 @@
+{
+    "virtual": [
+        {
+            "partial_verifying": "false",
+            "ecu_hardware_id": "external-config",
+            "full_client_dir": "/var/sota/external-config",
+            "ecu_private_key": "sec.private",
+            "ecu_public_key": "sec.public",
+            "firmware_path": "/var/sota/external-config/config.txt",
+            "target_name_path": "/var/sota/external-config/target_name",
+            "metadata_path": "/var/sota/external-config/metadata"
+        }
+    ]
+}
diff --git a/recipes-test/demo-config/primary-config.bb b/recipes-test/demo-config/primary-config.bb
index 27cb553..b1964e2 100644
--- a/recipes-test/demo-config/primary-config.bb
+++ b/recipes-test/demo-config/primary-config.bb
@@ -4,6 +4,8 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 require shared-conf.inc
 
+inherit allarch
+
 PRIMARY_SECONDARIES ?= "${SECONDARY_IP}:${SECONDARY_PORT}"
 
 SRC_URI = "\
diff --git a/recipes-test/demo-config/secondary-config.bb b/recipes-test/demo-config/secondary-config.bb
index 9411646..ddbed89 100644
--- a/recipes-test/demo-config/secondary-config.bb
+++ b/recipes-test/demo-config/secondary-config.bb
@@ -4,6 +4,9 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 require shared-conf.inc
 
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
 SECONDARY_SERIAL_ID ?= ""
 SOTA_HARDWARE_ID ?= "${MACHINE}-sndry"
 SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}"
@@ -16,18 +19,18 @@ SRC_URI = "\
 
 do_install () {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}/${libdir}/sota/conf.d/30-fake-pacman.toml
+    install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}${libdir}/sota/conf.d/30-fake-pacman.toml
 
-    install -m 0644 ${WORKDIR}/35-network-config.toml ${D}/${libdir}/sota/conf.d/35-network-config.toml
+    install -m 0644 ${WORKDIR}/35-network-config.toml ${D}${libdir}/sota/conf.d/35-network-config.toml
     sed -i -e 's|@PORT@|${SECONDARY_PORT}|g' \
            -e 's|@PRIMARY_IP@|${PRIMARY_IP}|g' \
            -e 's|@PRIMARY_PORT@|${PRIMARY_PORT}|g' \
-           ${D}/${libdir}/sota/conf.d/35-network-config.toml
+           ${D}${libdir}/sota/conf.d/35-network-config.toml
 
-    install -m 0644 ${WORKDIR}/45-id-config.toml ${D}/${libdir}/sota/conf.d/45-id-config.toml
+    install -m 0644 ${WORKDIR}/45-id-config.toml ${D}${libdir}/sota/conf.d/45-id-config.toml
     sed -i -e 's|@SERIAL@|${SECONDARY_SERIAL_ID}|g' \
            -e 's|@HWID@|${SECONDARY_HARDWARE_ID}|g' \
-           ${D}/${libdir}/sota/conf.d/45-id-config.toml
+           ${D}${libdir}/sota/conf.d/45-id-config.toml
 
 }
 
diff --git a/recipes-test/demo-network-config/network-config.inc b/recipes-test/demo-network-config/network-config.inc
index ed623d4..b023f51 100644
--- a/recipes-test/demo-network-config/network-config.inc
+++ b/recipes-test/demo-network-config/network-config.inc
@@ -2,15 +2,18 @@ SRC_URI_append = "\
     file://26-${CONF_TYPE}-client.network \
     "
 
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
 SECONDARY_INTERFACE ?= "${@ 'eth0' if d.getVar('MACHINE') == 'raspberrypi3' else 'enp0s5'}"
 
 do_install_append() {
     bbnote "Network configuration type to be applied: ${CONF_TYPE}"
-    install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}/usr/lib/systemd/network/
+    install -d ${D}${libdir}/systemd/network
+    install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}${libdir}/systemd/network/
     sed -i -e 's|@ADDR@|${IP_ADDR}|g' \
            -e 's|@IFNAME@|${SECONDARY_INTERFACE}|g' \
-           ${D}/usr/lib/systemd/network/26-${CONF_TYPE}-client.network
+           ${D}${libdir}/systemd/network/26-${CONF_TYPE}-client.network
 
 }
 
diff --git a/recipes-test/demo-network-config/primary-network-config.bb b/recipes-test/demo-network-config/primary-network-config.bb
index d840a95..544a5ec 100644
--- a/recipes-test/demo-network-config/primary-network-config.bb
+++ b/recipes-test/demo-network-config/primary-network-config.bb
@@ -2,19 +2,17 @@ DESCRIPTION = "Sample network configuration for an Uptane Primary"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
-inherit allarch
-
 SRC_URI = "\
     file://27-dhcp-client-external.network \
     "
 
-FILES_${PN} = "/usr/lib/systemd/network"
+FILES_${PN} = "${libdir}/systemd/network"
 
 PR = "1"
 
 do_install() {
-    install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
+    install -d ${D}${libdir}/systemd/network
+    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/
 }
 
 PRIMARY_IP ?= "10.0.3.1"
diff --git a/recipes-test/demo-network-config/secondary-network-config.bb b/recipes-test/demo-network-config/secondary-network-config.bb
index b1d70f1..ca83d53 100644
--- a/recipes-test/demo-network-config/secondary-network-config.bb
+++ b/recipes-test/demo-network-config/secondary-network-config.bb
@@ -2,8 +2,6 @@ DESCRIPTION = "Sample network configuration for an Uptane Secondary"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
-inherit allarch
-
 # TODO: It configures the 'user' interface in NAT mode and provides an access to public Inet via it
 # which is not desired for Secondary. It cannot be just removed since we get SSH access to Secondary
 # VM via this interface. So, the task is to configure the interface in such way that it does provide access
@@ -12,13 +10,13 @@ SRC_URI = "\
     file://27-dhcp-client-external.network \
     "
 
-FILES_${PN} = "/usr/lib/systemd/network"
+FILES_${PN} = "${libdir}/systemd/network"
 
 PR = "1"
 
 do_install() {
-    install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
+    install -d ${D}${libdir}/systemd/network
+    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/
 }
 
 SECONDARY_IP ?= "10.0.3.2"
diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb
index 27d1e3f..7db2c68 100644
--- a/recipes-test/images/secondary-image.bb
+++ b/recipes-test/images/secondary-image.bb
@@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \
                         aktualizr-shared-prov \
                         aktualizr-shared-prov-creds \
                         aktualizr-device-prov \
-                        aktualizr-device-prov-creds \
                         aktualizr-device-prov-hsm \
                         aktualizr-uboot-env-rollback \
                         virtual/network-configuration \
diff --git a/scripts/ci/Jenkinsfile.bleeding b/scripts/ci/Jenkinsfile.bleeding
deleted file mode 100644
index 6d340fd..0000000
--- a/scripts/ci/Jenkinsfile.bleeding
+++ /dev/null
@@ -1,87 +0,0 @@
-// This CI setup checks out aktualizr, meta-updater and updater-repo and builds
-// master branches whenever a change is pushed to any of these
-
-// define these for docker image creation
-node {
-  // might cause some problems:
-  // https://stackoverflow.com/questions/44805076/setting-build-args-for-dockerfile-agent-using-a-jenkins-declarative-pipeline
-  JENKINS_UID = sh(returnStdout: true, script: 'id -u').trim()
-  JENKINS_GID = sh(returnStdout: true, script: 'id -g').trim()
-}
-
-pipeline {
-  agent any
-  environment {
-    TEST_AKTUALIZR_REMOTE = 'aktualizr'
-    TEST_AKTUALIZR_DIR = 'aktualizr'
-    TEST_AKTUALIZR_BRANCH = 'master'
-    TEST_BITBAKE_COMMON_DIR = "/opt/jenkins/bitbake-common"
-  }
-  stages {
-    stage('checkout') {
-      steps {
-
-        checkout([$class: 'GitSCM',
-            userRemoteConfigs: [
-              [url: 'https://github.com/advancedtelematic/aktualizr', name: 'aktualizr']
-            ],
-            branches: [[name: 'refs/heads/master']],
-            extensions: [
-              [$class: 'DisableRemotePoll'],
-              [$class: 'PruneStaleBranch'],
-              [$class: 'RelativeTargetDirectory',
-                relativeTargetDir: 'aktualizr'
-              ]
-            ],
-        ])
-
-        checkout([$class: 'RepoScm',
-            manifestRepositoryUrl: 'https://github.com/advancedtelematic/updater-repo',
-            manifestBranch: null,
-            manifestFile: 'master.xml',
-            manifestGroup: null,
-            mirrorDir: null,
-            jobs: 0,
-            depth: 0,
-            localManifest: null,
-            destinationDir: 'updater-repo',
-            repoUrl: null,
-            currentBranch: false,
-            resetFirst: true,
-            quiet: false,
-            trace: false,
-            showAllChanges: false,
-        ])
-
-        // ignore bitbake build directories in docker
-        sh 'echo \'build*\' > .dockerignore'
-
-        // override meta-updater commit with currently tested branch
-        sh '''
-           META_UPDATER_COMMIT=$(git rev-parse HEAD)
-           cd updater-repo/meta-updater
-           git checkout $META_UPDATER_COMMIT
-           '''
-      }
-    }
-    stage('build-core-image-minimal') {
-      agent {
-        dockerfile {
-          filename 'scripts/ci/Dockerfile.bitbake'
-          args '-v /opt/jenkins/bitbake-common:/opt/jenkins/bitbake-common'
-          additionalBuildArgs "--build-arg uid=${JENKINS_UID} --build-arg gid=${JENKINS_GID}"
-          reuseNode true
-        }
-      }
-      environment {
-        TEST_AKTUALIZR_CREDENTIALS = credentials('garage-credentials')
-      }
-      steps {
-        sh 'scripts/ci/configure.sh'
-
-        sh 'scripts/ci/build.sh core-image-minimal'
-      }
-    }
-  }
-}
-// vim: set ft=groovy tabstop=2 shiftwidth=2 expandtab:
diff --git a/scripts/ci/Jenkinsfile.bleeding-selftest b/scripts/ci/Jenkinsfile.bleeding-selftest
deleted file mode 100644
index 8c2d1de..0000000
--- a/scripts/ci/Jenkinsfile.bleeding-selftest
+++ /dev/null
@@ -1,91 +0,0 @@
-// This CI setup checks out aktualizr, meta-updater and updater-repo and builds
-// master branches whenever a change is pushed to any of these
-
-// define these for docker image creation
-node {
-  // might cause some problems:
-  // https://stackoverflow.com/questions/44805076/setting-build-args-for-dockerfile-agent-using-a-jenkins-declarative-pipeline
-  JENKINS_UID = sh(returnStdout: true, script: 'id -u').trim()
-  JENKINS_GID = sh(returnStdout: true, script: 'id -g').trim()
-}
-
-pipeline {
-  agent { 
-    node { label 'bitbake' } 
-        }
-  environment {
-    TEST_AKTUALIZR_REMOTE = 'aktualizr'
-    TEST_AKTUALIZR_DIR = 'aktualizr'
-    TEST_AKTUALIZR_BRANCH = 'master'
-    TEST_BITBAKE_COMMON_DIR = "/opt/jenkins/bitbake-common"
-  }
-  stages {
-    stage('checkout') {
-      steps {
-
-        checkout([$class: 'GitSCM',
-            userRemoteConfigs: [
-              [url: 'https://github.com/advancedtelematic/aktualizr', name: 'aktualizr']
-            ],
-            branches: [[name: 'refs/heads/master']],
-            extensions: [
-              [$class: 'DisableRemotePoll'],
-              [$class: 'PruneStaleBranch'],
-              [$class: 'RelativeTargetDirectory',
-                relativeTargetDir: 'aktualizr'
-              ]
-            ],
-        ])
-
-        checkout([$class: 'RepoScm',
-            manifestRepositoryUrl: 'https://github.com/advancedtelematic/updater-repo',
-            manifestBranch: null,
-            manifestFile: 'master.xml',
-            manifestGroup: null,
-            mirrorDir: null,
-            jobs: 0,
-            depth: 0,
-            localManifest: null,
-            destinationDir: 'updater-repo',
-            repoUrl: null,
-            currentBranch: false,
-            resetFirst: true,
-            quiet: false,
-            trace: false,
-            showAllChanges: false,
-        ])
-
-        // ignore bitbake build directories in docker
-        sh 'echo \'build*\' > .dockerignore'
-
-        // override meta-updater commit with currently tested branch
-        sh '''
-           META_UPDATER_COMMIT=$(git rev-parse HEAD)
-           cd updater-repo/meta-updater
-           git checkout $META_UPDATER_COMMIT
-           '''
-      }
-    }
-    stage('build-core-image-minimal+oe-selftest') {
-      agent {
-        dockerfile {
-          filename 'scripts/ci/Dockerfile.bitbake'
-          args '-v /opt/jenkins/bitbake-common:/opt/jenkins/bitbake-common'
-          additionalBuildArgs "--build-arg uid=${JENKINS_UID} --build-arg gid=${JENKINS_GID}"
-          reuseNode true
-        }
-      }
-      environment {
-        TEST_AKTUALIZR_CREDENTIALS = credentials('garage-credentials')
-      }
-      steps {
-        sh 'scripts/ci/configure.sh'
-
-        sh 'scripts/ci/build.sh core-image-minimal'
-
-        sh 'scripts/ci/oe-selftest.sh'
-      }
-    }
-  }
-}
-// vim: set ft=groovy tabstop=2 shiftwidth=2 expandtab:
diff --git a/scripts/ci/README.adoc b/scripts/ci/README.adoc
deleted file mode 100644
index 222982b..0000000
--- a/scripts/ci/README.adoc
+++ /dev/null
@@ -1,14 +0,0 @@
-= Jenkins setup for running meta-updater CI
-
-As bitbake is quite resource-hungry, there are some special steps that are
-needed to run Jenkins CI tasks:
-
-- docker should be installed and the `jenkins` unix user should belong to
-  the `docker` group
-- `/opt/jenkins` should exist and have `jenkins:jenkins` permissions, it
-  will be mapped as a volume on the same location in the docker build
-  container
-
-Note that for nodes running Jenkins slaves as a docker container, the
-`/opt/jenkins` directory must exist on the host system as well, with
-permissions matching the user and groupd ids in Jenkins' docker
diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh
index 493df80..fcb2f97 100755
--- a/scripts/find_aktualizr_dependencies.sh
+++ b/scripts/find_aktualizr_dependencies.sh
@@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr
 ${parentdir}/find_dependencies.py aktualizr-shared-prov
 ${parentdir}/find_dependencies.py aktualizr-shared-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov
-${parentdir}/find_dependencies.py aktualizr-device-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov-hsm
 ${parentdir}/find_dependencies.py aktualizr-auto-reboot
 ${parentdir}/find_dependencies.py aktualizr-disable-send-ip