Merge pull request #602 from advancedtelematic/backport/thud/2019.7

Backport/thud/2019.7

9 files changed, 129 insertions, 318 deletions

diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 0b40438..24916cc 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -1,17 +1,9 @@
 = Contributing
+:aktualizr-docsroot: https://github.com/advancedtelematic/aktualizr/tree/master/docs/ota-client-guide/modules/ROOT/pages/
 
-We welcome pull requests from anyone. The master branch is the primary branch for development, and if you wish to add new functionality, it probably belongs there. We attempt to maintain recent previous branches and welcome bug fixes and backports for those. Currently, the actively maintained branches are:
+We welcome pull requests from anyone. The master branch is the primary branch for development, and if you wish to add new functionality, it probably belongs there. We attempt to maintain recent release branches and welcome bug fixes and backports for those. Please see the xref:{aktualizr-docsroot}yocto-release-branches.adoc[release branches] documentation for the current list of supported branches.
 
-* thud
-* sumo
-* rocko
-
-Previously, some older branches were also regularly supported, and while they should still be stable, they have not been updated or actively maintained for a while. These branches include:
-
-* pyro
-* morty
-
-If you are developing with meta-updater, it may be helpful to read the README and other documentation for link:README.adoc[this repo], https://github.com/advancedtelematic/aktualizr[aktualizr], and the https://github.com/advancedtelematic/updater-repo/[updater-repo], particularly the sections about development and debugging.
+If you are developing with meta-updater, it may be helpful to read the README and other documentation for xref:README.adoc[this repo], https://github.com/advancedtelematic/aktualizr[aktualizr], and the link:https://github.com/advancedtelematic/updater-repo/[updater-repo], particularly the sections about development and debugging.
 
 == Developer Certificate of Origin (DCO)
 
@@ -23,7 +15,7 @@ New pull requests will automatically be checked by the https://probot.github.io/
 
 * OTA-enabled build succeeds for at least one platform, the resulting image boots, and an update can be installed. This check is absolutely necessary for every pull request unless it only touches documentation.
 * If your change touches platform code (like `classes/sota_<platform>.bbclass`), please check building and updating on this particular platform.
-* oe-selftest succeeds. To test meta-updater, run `oe-selftest -r updater` from a build directory with `MACHINE` set to `qemux86-64`. See the link:README.adoc#qa-with-oe-selftest[relevant section of the README] for more details.
+* oe-selftest succeeds. To test meta-updater, run `oe-selftest -r updater` from a build directory with `MACHINE` set to `qemux86-64`. See the link:{aktualizr-docsroot}meta-updater-testing.adoc#qa-with-oe-selftest[relevant section of the README] for more details.
 * Updates are forwards- and backwards-compatible. You should be able to update an OTA-enabled build before the change is applied to the version with change applied and vice versa. One should pay double attention to the compatibility when bootloader code is affected.
 * The patch/branch should be based on the latest version of the target branch. This may mean that rebasing is necessary if other PRs are merged before yours is approved.
 
diff --git a/README.adoc b/README.adoc
index dd07425..12e0446 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,25 +1,19 @@
 = meta-updater
 :toc: macro
 :toc-title:
+:aktualizr-docsroot: https://github.com/advancedtelematic/aktualizr/tree/master/docs/ota-client-guide/modules/ROOT/pages/
 
-This layer enables over-the-air updates (OTA) with https://github.com/ostreedev/ostree[OSTree] and https://github.com/advancedtelematic/aktualizr[Aktualizr].
+Meta-updater is a link:https://www.yoctoproject.org/software-overview/layers/[Yocto layer] that enables over-the-air updates (OTA) with https://github.com/ostreedev/ostree[OSTree] and https://github.com/advancedtelematic/aktualizr[Aktualizr] -- the default client for link:https://www.here.com/products/automotive/ota-technology[HERE OTA Connect].
 
 https://github.com/ostreedev/ostree[OSTree] is a tool for atomic full file system upgrades with rollback capability. OSTree has several advantages over traditional dual-bank systems, but the most important one is that it minimizes network bandwidth and data storage footprint by sharing files with the same contents across file system deployments.
 
 https://github.com/advancedtelematic/aktualizr[Aktualizr] (and https://github.com/advancedtelematic/rvi_sota_client[RVI SOTA client]) add authentication and provisioning capabilities to OTA and are integrated with OSTree. You can connect with these open-source applications or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
 
-[discrete]
-== Table of Contents
-
-toc::[]
-
-== Build
+== Quickstart
 
-=== Quickstart
+If you don't already have a Yocto project that you want to add OTA to, you can use the xref:dev@getstarted::raspberry-pi.adoc[HERE OTA Connect Quickstart] project to rapidly get up and running on a Raspberry Pi. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
 
-If you don't already have a Yocto project that you want to add OTA to, you can use the https://docs.atsgarage.com/quickstarts/raspberry-pi.html[HERE OTA Connect Quickstart] project to rapidly get up and running on a Raspberry Pi. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
-
-=== Dependencies
+== Dependencies
 
 In addition to the link:https://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#required-packages-for-the-build-host[standard Yocto dependencies], meta-updater generally requires a few additional dependencies, depending on your use case and target platform. To install these additional packages on Debian/Ubuntu, run this:
 
@@ -33,268 +27,46 @@ To build for https://github.com/advancedtelematic/meta-updater-minnowboard[Minno
 sudo apt install ovmf
 ....
 
-=== Adding meta-updater capabilities to your build
-
-If you already have a Yocto-based project and you want to add atomic filesystem updates to it, you just need to do three things:
-
-1.  Clone the `meta-updater` layer and add it to your https://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#structure-build-conf-bblayers.conf[bblayers.conf].
-2.  Clone BSP integration layer (`meta-updater-$\{PLATFORM}`, e.g. https://github.com/advancedtelematic/meta-updater-raspberrypi[meta-updater-raspberrypi]) and add it to your `conf/bblayers.conf`. If your board isn't supported yet, you could write a BSP integration for it yourself. See the <<Adding support for your board>> section for the details.
-3.  Set up your https://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#var-DISTRO[distro]. If you are using "poky", the default distro in Yocto, you can change it in your `conf/local.conf` to "poky-sota". Alternatively, if you are using your own or third party distro configuration, you can add `INHERIT += " sota"` to it, thus combining capabilities of your distro with meta-updater features.
-
-You can then build your image as usual, with bitbake. After building the root file system, bitbake will then create an https://ostree.readthedocs.io/en/latest/manual/adapting-existing/[OSTree-enabled version] of it, commit it to your local OSTree repo and (optionally) push it to a remote server. Additionally, a live disk image will be created (normally named `$\{IMAGE_NAME}.-sdimg-ota` e.g. `core-image-raspberrypi3.rpi-sdimg-ota`). You can control this behaviour through <<sota-related-variables-in-localconf,variables in your local.conf>>.
-
-=== Build in AGL
-
-With AGL you can just add agl-sota feature while configuring your build environment:
-
-....
-source meta-agl/scripts/aglsetup.sh -m porter agl-demo agl-appfw-smack agl-devel agl-sota
-....
-
-You can then run:
-
-....
-bitbake agl-demo-platform
-....
-
-and get as a result an `ostree_repo` folder in your images directory (`tmp/deploy/images/$\{MACHINE}/ostree_repo`). It will contain:
-
-* your OSTree repository, with the rootfs committed as an OSTree deployment,
-* an `ota-ext4` bootstrap image, which is an OSTree physical sysroot as a burnable filesystem image, and optionally
-* some machine-dependent live images (e.g. `.wic` for Raspberry Pi or `.porter-sdimg-ota` for Renesas Porter board).
-
-Although `aglsetup.sh` hooks provide reasonable defaults for SOTA-related variables, you may want to tune some of them.
-
-=== Build problems
-
-Ubuntu users that encounter an error due to missing `Python.h` should install `libpython2.7-dev` on their host machine.
-
-== Supported boards
-
-Currently supported platforms are:
-
-* https://github.com/advancedtelematic/meta-updater-raspberrypi[Raspberry Pi 2 and 3]
-* https://github.com/advancedtelematic/meta-updater-minnowboard[Intel Minnowboard]
-* https://github.com/advancedtelematic/meta-updater-qemux86-64[Native QEMU emulation]
-* Renesas R-Car H3 and M3
-* https://github.com/advancedtelematic/meta-updater-ti/[TI BeagleBone Black] (rocko only, using TI SDK 05.03)
-* https://github.com/advancedtelematic/meta-updater-ti/[TI AM65x industrial development kit] (rocko only, using TI SDK 05.03)
-
-Additionally, there is community support for https://github.com/ricardosalveti/meta-updater-riscv[RISC-V] boards, in particular the Freedom U540.
-
-We also historically supported the https://github.com/advancedtelematic/meta-updater-porter[Renesas Porter] board.
-
-=== Adding support for your board
-
-If your board isn't supported yet, you can add board integration code yourself. The main purpose of this code is to provide a bootloader that will be able to use https://ostree.readthedocs.io/en/latest/manual/atomic-upgrades/[OSTree's boot directory]. In the meta-updater integration layers we have written so far, the basic steps are:
-
-1.  Make the board boot into http://www.denx.de/wiki/U-Boot[U-Boot]
-2.  Make U-boot import variables from /boot/loader/uEnv.txt and load the kernel with initramfs and kernel command line arguments according to what is set in this file.
-
-You may take a look into https://github.com/advancedtelematic/meta-updater-minnowboard[Minnowboard] or https://github.com/advancedtelematic/meta-updater-raspberrypi[Raspberry Pi] integration layers for examples.
-
-Although we have focused on U-Boot and GRUB so far, other bootloaders can be configured to work with OSTree as well.
-
-Your images will also need network connectivity to be able to reach an actual OTA backend. Our 'poky-sota' distribution does not mandate or install a default network manager but our supported platforms use the `virtual/network-configuration` recipe, which can be used as a starting example.
-
-== SOTA-related variables in local.conf
-
-* `OSTREE_BRANCHNAME` - OSTree branch name. Defaults to `${SOTA_HARDWARE_ID}`. Particularly useful for grouping similar images.
-* `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo`
-* `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky".
-* `OSTREE_COMMIT_BODY` - Message attached to OSTree commit. Empty by default.
-* `OSTREE_COMMIT_SUBJECT` - Commit subject used by OSTree. Defaults to `Commit-id: ${IMAGE_NAME}`
-* `OSTREE_UPDATE_SUMMARY` - Set this to '1' to update summary of OSTree repository on each commit. '0' by default.
-* `OSTREE_DEPLOY_DEVICETREE` - Set this to '1' to include devicetree(s) to boot
-* `GARAGE_SIGN_AUTOVERSION` - Set this to '1' to automatically fetch the last version of the garage tools installed by the aktualizr-native. Otherwise use the fixed version specified in the recipe.
-* `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
-* `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
-* `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
-* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are `aktualizr-shared-prov`, `aktualizr-device-prov`, and `aktualizr-device-prov-hsm`. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-shared-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
-* `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).
-* `SOTA_SECONDARY_CONFIG` - a file containing JSON configuration for secondaries. It will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr. See link:https://github.com/advancedtelematic/aktualizr/blob/master/docs/posix-secondaries-bitbaking.adoc[here] for more details.
-* `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set.
-* `SOTA_MAIN_DTB` - base device tree to use with the kernel. Used together with FIT images. You can change it, and the device tree will also be changed after the update.
-* `SOTA_DT_OVERLAYS` - whitespace-separated list of used device tree overlays for FIT image. This list is OSTree-updateable as well.
-* `SOTA_EXTRA_CONF_FRAGS` - extra https://lxr.missinglinkelectronics.com/uboot/doc/uImage.FIT/overlay-fdt-boot.txt[configuration fragments] for FIT image.
-* `RESOURCE_xxx_pn-aktualizr` - controls maximum resource usage of the aktualizr service, when `aktualizr-resource-control` is installed on the image. See <<aktualizr service resource control>> for details.
-* `SOTA_POLLING_SEC` - sets polling interval for aktualizr to check for updates if aktualizr-polling-interval is included in the image.
-
-== Usage
-
-=== OSTree
-
-OSTree used to include a simple HTTP server as part of the ostree binary, but this has been removed in more recent versions. However, OSTree repositories are self-contained directories, and can be trivially served over the network using any HTTP server. For example, you could use Python's SimpleHTTPServer:
-
-....
-cd tmp/deploy/images/qemux86-64/ostree_repo
-python -m SimpleHTTPServer <port> # port defaults to 8000
-....
-
-You can then run ostree from inside your device by adding your repo:
-
-....
-# This behaves like adding a Git remote; you can name it anything
-ostree remote add --no-gpg-verify my-remote http://<your-ip>:<port>
-
-# If OSTREE_BRANCHNAME is set in local.conf, that will be the name of the
-# branch. If not set, it defaults to the value of MACHINE (e.g. qemux86-64).
-ostree pull my-remote <branch>
-
-# poky is the OS name as set in OSTREE_OSNAME
-ostree admin deploy --os=poky my-remote:<branch>
-....
-
-After restarting, you will boot into the newly deployed OS image.
-
-For example, on the raspberry pi you can try this sequence:
-
-....
-# add remote
-ostree remote add --no-gpg-verify agl-snapshot https://download.automotivelinux.org/AGL/snapshots/master/latest/raspberrypi3/deploy/images/raspberrypi3/ostree_repo/ agl-ota
-
-# pull
-ostree pull agl-snapshot agl-ota
-
-# deploy
-ostree admin deploy --os=agl agl-snapshot:agl-ota
-....
-
-=== garage-push
-
-The https://github.com/advancedtelematic/aktualizr[aktualizr repo] contains a tool, garage-push, which lets you push the changes in OSTree repository generated by bitbake process. It communicates with an http server capable of querying files with HEAD requests and uploading them with POST requests. In particular, this can be used with https://connect.ota.here.com/[HERE OTA Connect]. garage-push is used as follows:
-
-....
-garage-push --repo=/path/to/ostree-repo --ref=mybranch --credentials=/path/to/credentials.zip
-....
-
-You can set `SOTA_PACKED_CREDENTIALS` in your `local.conf` to automatically synchronize your build results with a remote server. Credentials are stored in an archive as described in the https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[aktualizr documentation].
-
-=== aktualizr configuration
-
-https://github.com/advancedtelematic/aktualizr[Aktualizr] supports a variety of https://github.com/advancedtelematic/aktualizr/blob/master/docs/configuration.adoc[configuration options via a configuration file and the command line]. There are two primary ways to control aktualizr's configuration from meta-updater.
-
-First, you can set `SOTA_CLIENT_PROV` to control which provisioning recipe is used. Each recipe installs an appropriate `sota.toml` file from aktualizr according to the provisioning needs. See the <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section for more information.
-
-Second, you can write recipes to install additional config files with customized options. A few recipes already exist to address common needs and provide an example:
-
-* link:recipes-sota/config/aktualizr-auto-reboot.bb[aktualizr-auto-reboot.bb] configures aktualizr to automatically reboot after new updates are installed in order to apply the updates immediately. This is only relevant for package managers (such as OSTree) that require a reboot to complete the installation process. If this is not enabled, you will need to reboot the system through other means.
-* link:recipes-sota/config/aktualizr-disable-send-ip.bb[aktualizr-disable-send-ip.bb] disables the reporting of networking information to the server. This is enabled by default and supported by https://connect.ota.here.com/[HERE OTA Connect]. However, if you are using a different server that does not support this feature, you may want to disable it in aktualizr.
-* link:recipes-sota/config/aktualizr-log-debug.bb[aktualizr-log-debug.bb] sets the log level of aktualizr to 0 (trace). The default is 2 (info). This recipe is intended for development and debugging purposes.
-
-To use these recipes, you will need to add them to your image with a line such as `IMAGE_INSTALL_append = " aktualizr-log-debug "` in your `local.conf`.
-
-=== aktualizr service resource control
-
-With systemd based images, it is possible to set resource policies for the aktualizr service. The main use case is to provide a safeguard against resource exhaustion during an unforeseen failure scenario.
-
-To enable it, install `aktualizr-resource-control` on the target image and optionally override the default resource limits set in link:recipes-sota/aktualizr/aktualizr_git.bb[aktualizr_git.bb], from your `local.conf`.
-
-For example:
-
-....
-IMAGE_INSTALL_append += " aktualizr-resource-control "
-RESOURCE_CPU_WEIGHT_pn-aktualizr = "50"
-....
-
-== Development configuration
-
-=== Logging
-
-To troubleshoot problems that you might encounter during development, we recommend that you enable persistent `systemd` logging. This setting is enabled by default for newly configured environments (see link:conf/local.conf.sample.append[]). To enable it manually, put this to your `local.conf`:
-
-....
-IMAGE_INSTALL_append += " systemd-journald-persistent"
-....
-
-It may also be helpful to run with debug logging enabled in aktualizr. To do so, add this to your `local.conf`:
-
-....
-IMAGE_INSTALL_append += " aktualizr-log-debug"
-....
-
-=== Custom aktualizr versions
-
-You can override the version of aktualizr included in your image. This requires that the version you wish to run is pushed to the https://github.com/advancedtelematic/aktualizr[aktualizr github repo]. You can then use these settings in your `local.conf` to simplify the development process:
-
-[options="header"]
-|======================
-| Option                              | Effect
-| `require classes/sota_bleeding.inc` | Build the latest head (by default, using the master branch) of Aktualizr
-| `BRANCH_pn-aktualizr = "mybranch"`
-
-`BRANCH_pn-aktualizr-native = "mybranch"` | Build `mybranch` of Aktualizr. Note that both of these need to be set. This is normally used in conjunction with `require classes/sota_bleeding.inc`
-| `SRCREV_pn-aktualizr = "1004efa3f86cef90c012b34620992b5762b741e3"`
-
-`SRCREV_pn-aktualizr-native = "1004efa3f86cef90c012b34620992b5762b741e3"` | Build the specified revision of Aktualizr. Note that both of these need to be set. This can be used in conjunction with `BRANCH_pn-aktualizr` and `BRANCH_pn-aktualizr-native` but will conflict with `require classes/sota_bleeding.inc`
-| `TOOLCHAIN_HOST_TASK_append = " nativesdk-cmake "` | Use with `bitbake -c populate_sdk core-image-minimal` to build an SDK. See the https://github.com/advancedtelematic/aktualizr#developing-against-an-openembedded-system[aktualizr repo] for more information.
-|======================
-
-=== Overriding target version
-*Warning: overriding target version is a dangerous operation, make sure you understand this section completely before doing it.*
-
-Every time you build an image with `SOTA_PACKED_CREDENTIALS` set, a new entry in your Uptane metadata is created and you can see it in the OTA Garage UI if you're using one. Normally this version will be equal to OSTree hash of your root file system. If you want it to be different though you can override is using one of two methods:
-
-1. Set `GARAGE_TARGET_VERSION` variable in your `local.conf`.
-2. Write a recipe or a bbclass to write the desired version to `${STAGING_DATADIR_NATIVE}/target_version`. An example of such bbclass can be found in `classes/target_version_example.bbclass`.
-
-Please note that [target name, target version] pairs are expected to be unique in the system. If you build a new target with the same target version as a previously built one, the old package will be overwritten on the update server. It can have unpredictable effect on devices that have this version installed, and it is not guaranteed that information will be reported correctly for such devices or that you will be able to update them (we're doing our best though). The easiest way to avoid problems is to make sure that your overriding version is as unique as an OSTree commit hash.
-
-== QA with oe-selftest
+[discrete]
+== Table of Contents
 
-This layer relies on the test framework oe-selftest for quality assurance. Currently, you will need to run this in a build directory with `MACHINE` set to `qemux86-64`. Follow the steps below to run the tests:
+The following documentation focuses on tasks that involve the meta-updater layer. If you want to get an idea of the overall developer workflow in OTA Connect, see the link:https://docs.ota.here.com/ota-client/dev/index.html[OTA Connect Developer Guide].
+[NOTE]
+====
+The following links point to files in the aktualizr repository where the source of the developer guide is stored.
+====
 
-1. Append the line below to `conf/local.conf` to disable the warning about supported operating systems:
+* xref:{aktualizr-docsroot}meta-updater-build.adoc[Build]
 +
-```
-SANITY_TESTED_DISTROS = ""
-```
-
-2. If your image does not already include an ssh daemon such as dropbear or openssh, add this line to `conf/local.conf` as well:
+Learn how to use this layer to build a basic disk image and add it to your own Yocto project.
 +
-```
-IMAGE_INSTALL_append = " dropbear "
-```
-
-3. Some tests require that `SOTA_PACKED_CREDENTIALS` is set in your `conf/local.conf`. See the <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section.
-
-4. To be able to build an image for the GRUB tests, you will need to install the ovmf package as described in the <<Dependencies,dependencies>>.
-
-5. Run oe-selftest:
+* xref:{aktualizr-docsroot}supported-boards.adoc[Supported boards]
 +
-```
-oe-selftest -r updater_native updater_qemux86_64 updater_minnowboard updater_raspberrypi updater_qemux86_64_ptest
-```
-
-For more information about oe-selftest, including details about how to run individual test modules or classes, please refer to the https://wiki.yoctoproject.org/wiki/Oe-selftest[Yocto Project wiki].
-
-== Aktualizr test suite with ptest
-
-The meta-updater layer includes support for running parts of the aktualizr test suite on deployed devices through link:https://wiki.yoctoproject.org/wiki/Ptest[Yocto's ptest functionality]. Since it adds significant build time cost, it is currently disabled by default. To enable it, add the following to your `conf/local.conf`:
-
-```
-PTEST_ENABLED_pn-aktualizr = "1"
-IMAGE_INSTALL_append += " aktualizr-ptest ptest-runner "
-```
-
-Be aware that it will add several hundreds of MB to the generated file system.
-
-The aktualizr tests will now be part of the deployed ptest suite, which can be run by calling `ptest-runner`. Alternatively, the required files and run script can be found in `/usr/lib/aktualizr/ptest`.
-
-== Manual provisoning
-
-As described in <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section you can set `SOTA_DEPLOY_CREDENTIALS` to `0` to prevent deploying credentials to the built `wic` image. In this case you get a generic image that you can use e.g. on a production line to flash a series of devices. The cost of this approach is that this image is half-baked and should be provisioned before it can connect to the backend.
-
-Provisioning procedure depends on your provisioning recipe, i.e. the value of `SOTA_CLIENT_PROV` (equal to `aktualizr-shared-prov` by default):
-
-* For `aktualizr-shared-prov` put your `credentials.zip` to `/var/sota/sota_provisioning_credentials.zip` on the filesystem of a running device. If you have the filesystem of our device mounted to your build machine, prefix all paths with `/ostree/deploy/poky` as in `/ostree/deploy/poky/var/sota/sota_provisioning_credentials.zip`.
-* For `aktualizr-device-prov`
-** put URL to the backend server (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive.
-** put client certificate, private key and root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/client.pem`, `/var/sota/import/pkey.pem` and `/var/sota/import/root.crt` respectively.
-* For  `aktualizr-device-prov-hsm`
-** put URL to the server backend (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive.
-** put root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/root.crt`.
-** put client certificate and private key to slots 1 and 2 of the PKCS#11-compatible device.
+Find out if your board is supported and learn about the minimum hardware requirements.
++
+* xref:{aktualizr-docsroot}build-configuration.adoc[SOTA-related variables in local.conf]
++
+Learn how to configure OTA-related functionality when building disk images.
++
+* xref:{aktualizr-docsroot}meta-updater-usage.adoc[Usage]
++
+Learn about the `garage-push` and `garage-sign` utilities, aktualizr configuration and service resource control, and OSTree.
++
+* xref:{aktualizr-docsroot}meta-updater-dev-config.adoc[Development configuration]
++
+Learn how to configure logging, install custom versions of aktualizr, and override the version indicator for sofware updates.
++
+* xref:{aktualizr-docsroot}meta-updater-testing.adoc#_qa_with_oe_selftest[QA with oe-selftest]
++
+Learn how to use the `oe-selftest` framework for quality assurance.
++
+* xref:{aktualizr-docsroot}meta-updater-testing.adoc#_aktualizr_test_suite_with_ptest[Aktualizr test suite with ptest]
++
+Learn how to enable Yocto's package test functionality and run parts of the aktualizr test suite.
++
+* xref:{aktualizr-docsroot}meta-updater-provisioning-methods.adoc[Provisoning methods]
++
+Learn how to enable different methods for provisioning devices.
 
 == License
 
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 2e8e8f5..795e01b 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -237,10 +237,20 @@ IMAGE_CMD_garagesign () {
         # Push may fail due to race condition when multiple build machines try to push simultaneously
         #   in which case targets.json should be pulled again and the whole procedure repeated
         push_success=0
-        target_url=""
-        if [ -n "${GARAGE_TARGET_URL}" ]; then
-                target_url='--url ${GARAGE_TARGET_URL}'
-        fi
+        target_url=""
+        if [ -n "${GARAGE_TARGET_URL}" ]; then
+            target_url="--url ${GARAGE_TARGET_URL}"
+        fi
+        target_expiry=""
+        if [ -n "${GARAGE_TARGET_EXPIRES}" ] && [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then
+            bbfatal "Both GARAGE_TARGET_EXPIRES and GARAGE_TARGET_EXPIRE_AFTER are set. Only one can be set at a time."
+        elif [ -n "${GARAGE_TARGET_EXPIRES}" ]; then
+            target_expiry="--expires ${GARAGE_TARGET_EXPIRES}"
+        elif [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then
+            target_expiry="--expire-after ${GARAGE_TARGET_EXPIRE_AFTER}"
+        else
+            target_expiry="--expire-after 1M"
+        fi
 
         for push_retries in $( seq 3 ); do
             garage-sign targets pull --repo tufrepo \
@@ -262,6 +272,7 @@ IMAGE_CMD_garagesign () {
             fi
             garage-sign targets sign --repo tufrepo \
                                      --home-dir ${GARAGE_SIGN_REPO} \
+                                     ${target_expiry} \
                                      --key-name=targets
             errcode=0
             garage-sign targets push --repo tufrepo \
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index 5506428..5620b76 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -51,6 +51,8 @@ GARAGE_SIGN_KEYNAME ?= "garage-key"
 GARAGE_TARGET_NAME ?= "${OSTREE_BRANCHNAME}"
 GARAGE_TARGET_VERSION ?= ""
 GARAGE_TARGET_URL ?= ""
+GARAGE_TARGET_EXPIRES ?= ""
+GARAGE_TARGET_EXPIRE_AFTER ?= ""
 GARAGE_CUSTOMIZE_TARGET ?= ""
 
 SOTA_MACHINE ??="none"
diff --git a/lib/oeqa/selftest/cases/updater_qemux86_64.py b/lib/oeqa/selftest/cases/updater_qemux86_64.py
index 24abcff..4506300 100644
--- a/lib/oeqa/selftest/cases/updater_qemux86_64.py
+++ b/lib/oeqa/selftest/cases/updater_qemux86_64.py
@@ -360,17 +360,7 @@ class IpSecondaryTests(OESelftestTestCase):
             self._test_ctx.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
 
         def is_ecu_registered(self, ecu_id):
-            max_number_of_tries = 120
-            try_counter = 0
-
-            # aktualizr-info is not always able to load ECU serials from DB
-            # so, let's run it a few times until it actually succeeds
-            while try_counter < max_number_of_tries:
-                device_status = self.get_info()
-                try_counter += 1
-                if device_status.find("load ECU serials") == -1:
-                    break
-                sleep(1)
+            device_status = self.get_info()
 
             if not ((device_status.find(ecu_id[0]) != -1) and (device_status.find(ecu_id[1]) != -1)):
                 return False
@@ -379,7 +369,7 @@ class IpSecondaryTests(OESelftestTestCase):
             return not_reg_start == -1 or (device_status.find(ecu_id[1], not_reg_start) == -1)
 
         def get_info(self):
-            stdout, stderr, retcode = self.send_command('aktualizr-info')
+            stdout, stderr, retcode = self.send_command('aktualizr-info --wait-until-provisioned', timeout=620)
             self._test_ctx.assertEqual(retcode, 0, 'Unable to run aktualizr-info: {}'.format(stderr))
             return stdout
 
diff --git a/recipes-core/images/initramfs-ostree-image.bb b/recipes-core/images/initramfs-ostree-image.bb
index b21be1c..7e03f3d 100644
--- a/recipes-core/images/initramfs-ostree-image.bb
+++ b/recipes-core/images/initramfs-ostree-image.bb
@@ -29,4 +29,4 @@ IMAGE_OVERHEAD_FACTOR = "1.0"
 
 BAD_RECOMMENDATIONS += "busybox-syslog"
 
-
+IMAGE_PREPROCESS_COMMAND_remove = "buildinfo_manifest;"
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 9adfce8..17aa15a 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -8,14 +8,14 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
 DEPENDS = "boost curl openssl libarchive libsodium sqlite3 asn1c-native"
 DEPENDS_append = "${@bb.utils.contains('PTEST_ENABLED', '1', ' coreutils-native net-tools-native ostree-native aktualizr-native ', '', d)}"
 RDEPENDS_${PN}_class-target = "aktualizr-configs lshw"
-RDEPENDS_${PN}-host-tools = "aktualizr aktualizr-repo aktualizr-cert-provider ${@bb.utils.contains('PACKAGECONFIG', 'sota-tools', 'garage-deploy garage-push', '', d)}"
+RDEPENDS_${PN}-host-tools = "aktualizr aktualizr-cert-provider ${@bb.utils.contains('PACKAGECONFIG', 'sota-tools', 'garage-deploy garage-push', '', d)}"
 
 RDEPENDS_${PN}-ptest += "bash cmake curl python3-misc python3-modules openssl-bin sqlite3 valgrind"
 
 PV = "1.0+git${SRCPV}"
 PR = "7"
 
-GARAGE_SIGN_PV = "0.7.0-19-g89ec974"
+GARAGE_SIGN_PV = "0.7.0-33-g214dfb1"
 
 SRC_URI = " \
   gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
@@ -28,10 +28,10 @@ SRC_URI = " \
   "
 
 # for garage-sign archive
-SRC_URI[md5sum] = "3ed27c1142860cd9b4a2594067312b8b"
-SRC_URI[sha256sum] = "e54eef3863118f373c3ebd9e2877f9de5bab4950ed157a15fb4f4ec575bc2ece"
+SRC_URI[md5sum] = "66ffe8dcd61d4c15646e1c4b7dde7401"
+SRC_URI[sha256sum] = "7a7193ddf7e1a33ea60fbb20f98318a8bd78c325dab391d8c4ebd644a738abdc"
 
-SRCREV = "03778511cc937d07bf53a8092f8b268e65f5d9a6"
+SRCREV = "3bb9fe91b4c614a79373beadc721272fcf7acce2"
 BRANCH ?= "master"
 
 S = "${WORKDIR}/git"
diff --git a/scripts/qemucommand.py b/scripts/qemucommand.py
index a869d4d..9b23c54 100644
--- a/scripts/qemucommand.py
+++ b/scripts/qemucommand.py
@@ -2,6 +2,7 @@ from os.path import exists, isdir, join, realpath, abspath
 from os import listdir
 import random
 import socket
+from shutil import copyfile
 from subprocess import check_output
 
 EXTENSIONS = {
@@ -39,6 +40,8 @@ def random_mac():
 
 class QemuCommand(object):
     def __init__(self, args):
+        self.dry_run = args.dry_run
+        self.overlay = args.overlay
         if args.machine:
             self.machine = args.machine
         else:
@@ -49,21 +52,53 @@ class QemuCommand(object):
                 self.machine = machines[0]
             else:
                 raise ValueError("Could not autodetect machine type. More than one entry in %s. Maybe --machine qemux86-64?" % args.dir)
+
+        # If using an overlay with U-Boot, copy the rom when we create the
+        # overlay so that we can keep it around just in case.
         if args.efi:
             self.bios = 'OVMF.fd'
         else:
-            uboot = abspath(join(args.dir, self.machine, 'u-boot-qemux86-64.rom'))
-            if not exists(uboot):
-                raise ValueError("U-Boot image %s does not exist" % uboot)
-            self.bios = uboot
+            uboot_path = abspath(join(args.dir, self.machine, 'u-boot-qemux86-64.rom'))
+            if self.overlay:
+                new_uboot_path = self.overlay + '.u-boot.rom'
+                if not exists(self.overlay):
+                    if not exists(uboot_path):
+                        raise ValueError("U-Boot image %s does not exist" % uboot_path)
+                    if not exists(new_uboot_path):
+                        if self.dry_run:
+                            print("cp %s %s" % (uboot_path, new_uboot_path))
+                        else:
+                            copyfile(uboot_path, new_uboot_path)
+                uboot_path = new_uboot_path
+            if not exists(uboot_path) and not (self.dry_run and not exists(self.overlay)):
+                raise ValueError("U-Boot image %s does not exist" % uboot_path)
+            self.bios = uboot_path
+
+        # If using an overlay, we need to keep the "backing" image around, as
+        # bitbake will often clean it up, and the overlay silently depends on
+        # the hardcoded path. The easiest solution is to keep the file and use
+        # a relative path to it.
         if exists(args.imagename):
-            image = args.imagename
+            image = realpath(args.imagename)
         else:
             ext = EXTENSIONS.get(self.machine, 'wic')
             image = join(args.dir, self.machine, '%s-%s.%s' % (args.imagename, self.machine, ext))
-        self.image = realpath(image)
-        if not exists(self.image):
+        if self.overlay:
+            new_image_path = self.overlay + '.img'
+            if not exists(self.overlay):
+                if not exists(image):
+                    raise ValueError("OS image %s does not exist" % image)
+                if not exists(new_image_path):
+                    if self.dry_run:
+                        print("cp %s %s" % (image, new_image_path))
+                    else:
+                        copyfile(image, new_image_path)
+            self.image = new_image_path
+        else:
+            self.image = realpath(image)
+        if not exists(self.image) and not (self.dry_run and not exists(self.overlay)):
             raise ValueError("OS image %s does not exist" % self.image)
+
         if args.mac:
             self.mac_address = args.mac
         else:
@@ -86,7 +121,6 @@ class QemuCommand(object):
         self.gui = not args.no_gui
         self.gdb = args.gdb
         self.pcap = args.pcap
-        self.overlay = args.overlay
         self.secondary_network = args.secondary_network
 
     def command_line(self):
diff --git a/scripts/run-qemu-ota b/scripts/run-qemu-ota
index de63297..232ee11 100755
--- a/scripts/run-qemu-ota
+++ b/scripts/run-qemu-ota
@@ -2,7 +2,7 @@
 
 from argparse import ArgumentParser
 from subprocess import Popen
-from os.path import exists
+from os.path import exists, dirname
 import sys
 from qemucommand import QemuCommand
 
@@ -39,27 +39,37 @@ def main():
                              'This can be used to test Uptane Primary/Secondary communication.')
     parser.add_argument('-n', '--dry-run', help='Print qemu command line rather then run it', action='store_true')
     args = parser.parse_args()
+
+    if args.overlay and not exists(args.overlay) and dirname(args.overlay) and not dirname(args.overlay) == '.':
+        print('Error: please provide a file name in the current working directory. ' +
+                'Overlays do not work properly with other directories.')
+        sys.exit(1)
+    if args.overlay and exists(args.overlay) and args.imagename != parser.get_default('imagename'):
+        # qemu-img amend -o <filename> might work, but it has not yet been done
+        # successfully.
+        print('Warning: cannot change backing image of overlay after it has been created.')
+
     try:
         qemu_command = QemuCommand(args)
     except ValueError as e:
         print(e.message)
         sys.exit(1)
 
-    print("Launching %s with mac address %s" % (args.imagename, qemu_command.mac_address))
-    print("To connect via SSH:")
-    print(" ssh -o StrictHostKeyChecking=no root@localhost -p %d" % qemu_command.ssh_port)
-    print("To connect to the serial console:")
-    print(" nc localhost %d" % qemu_command.serial_port)
-
     cmdline = qemu_command.command_line()
     if args.overlay and not exists(args.overlay):
-        print("Image file %s does not yet exist, creating." % args.overlay)
+        print("Overlay file %s does not yet exist, creating." % args.overlay)
         img_cmdline = qemu_command.img_command_line()
         if args.dry_run:
             print(" ".join(img_cmdline))
         else:
             Popen(img_cmdline).wait()
 
+    print("Launching %s with mac address %s" % (args.imagename, qemu_command.mac_address))
+    print("To connect via SSH:")
+    print(" ssh -o StrictHostKeyChecking=no root@localhost -p %d" % qemu_command.ssh_port)
+    print("To connect to the serial console:")
+    print(" nc localhost %d" % qemu_command.serial_port)
+
     if args.dry_run:
         print(" ".join(cmdline))
     else: