Merge pull request #617 from advancedtelematic/feat/warrior/2019.9-backport

Feat/warrior/2019.9 backport

31 files changed, 220 insertions, 331 deletions

diff --git a/README.adoc b/README.adoc
index 12e0446..4cccc7b 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,17 +1,18 @@
 = meta-updater
 :toc: macro
 :toc-title:
-:aktualizr-docsroot: https://github.com/advancedtelematic/aktualizr/tree/master/docs/ota-client-guide/modules/ROOT/pages/
+:devguide-docsroot: https://docs.ota.here.com/ota-client/latest/
+:getstarted-docsroot: https://docs.ota.here.com/getstarted/dev/
 
 Meta-updater is a link:https://www.yoctoproject.org/software-overview/layers/[Yocto layer] that enables over-the-air updates (OTA) with https://github.com/ostreedev/ostree[OSTree] and https://github.com/advancedtelematic/aktualizr[Aktualizr] -- the default client for link:https://www.here.com/products/automotive/ota-technology[HERE OTA Connect].
 
 https://github.com/ostreedev/ostree[OSTree] is a tool for atomic full file system upgrades with rollback capability. OSTree has several advantages over traditional dual-bank systems, but the most important one is that it minimizes network bandwidth and data storage footprint by sharing files with the same contents across file system deployments.
 
-https://github.com/advancedtelematic/aktualizr[Aktualizr] (and https://github.com/advancedtelematic/rvi_sota_client[RVI SOTA client]) add authentication and provisioning capabilities to OTA and are integrated with OSTree. You can connect with these open-source applications or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
+https://github.com/advancedtelematic/aktualizr[Aktualizr] implements https://uptane.github.io/uptane-standard/uptane-standard.html[Uptane], supports device authentication and provisioning, and is integrated with OSTree. You can connect aktualizr to your own server solution or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
 
 == Quickstart
 
-If you don't already have a Yocto project that you want to add OTA to, you can use the xref:dev@getstarted::raspberry-pi.adoc[HERE OTA Connect Quickstart] project to rapidly get up and running on a Raspberry Pi. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
+If you don't already have a Yocto project that you want to add OTA to, you can use the xref:{getstarted-docsroot}get-started.html[HERE OTA Connect Quickstart] project to rapidly get up and running on a xref:{getstarted-docsroot}raspberry-pi.html[Raspberry Pi] or with xref:{getstarted-docsroot}qemuvirtualbox.html[QEMU]. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
 
 == Dependencies
 
@@ -30,43 +31,43 @@ sudo apt install ovmf
 [discrete]
 == Table of Contents
 
-The following documentation focuses on tasks that involve the meta-updater layer. If you want to get an idea of the overall developer workflow in OTA Connect, see the link:https://docs.ota.here.com/ota-client/dev/index.html[OTA Connect Developer Guide].
-[NOTE]
-====
-The following links point to files in the aktualizr repository where the source of the developer guide is stored.
-====
+The following documentation focuses on tasks that involve the meta-updater layer. If you want to get an idea of the overall developer workflow in OTA Connect, see the link:{devguide-docsroot}index.html[OTA Connect Developer Guide].
 
-* xref:{aktualizr-docsroot}meta-updater-build.adoc[Build]
+* xref:{devguide-docsroot}supported-boards.html[Supported boards]
 +
-Learn how to use this layer to build a basic disk image and add it to your own Yocto project.
+Find out if your board is supported and learn about the minimum hardware requirements.
 +
-* xref:{aktualizr-docsroot}supported-boards.adoc[Supported boards]
+* xref:{devguide-docsroot}build-agl.html[Build an Automotive Grade Linux image]
 +
-Find out if your board is supported and learn about the minimum hardware requirements.
+Learn how to use this layer as part of AGL.
++
+* xref:{devguide-docsroot}add-ota-functonality-existing-yocto-project.html[Add OTA functionality to an existing Yocto project]
++
+Learn how to add this layer to your own Yocto project.
 +
-* xref:{aktualizr-docsroot}build-configuration.adoc[SOTA-related variables in local.conf]
+* xref:{devguide-docsroot}build-configuration.html[SOTA-related variables in local.conf]
 +
-Learn how to configure OTA-related functionality when building disk images.
+Learn how to configure OTA-related functionality when building images, including how to install custom versions of aktualizr.
 +
-* xref:{aktualizr-docsroot}meta-updater-usage.adoc[Usage]
+* xref:{devguide-docsroot}recommended-clientconfig.html[Recommended configuration]
 +
-Learn about the `garage-push` and `garage-sign` utilities, aktualizr configuration and service resource control, and OSTree.
+Learn how to optimize your build for development or production.
 +
-* xref:{aktualizr-docsroot}meta-updater-dev-config.adoc[Development configuration]
+* xref:{devguide-docsroot}client-provisioning-methods.html[Provisoning methods]
 +
-Learn how to configure logging, install custom versions of aktualizr, and override the version indicator for sofware updates.
+Learn more about the methods for provisioning devices. For more detail, you may also want to read about how to xref:{devguide-docsroot}enable-device-cred-provisioning.html[enable device credential provisioning] or how to xref:{devguide-docsroot}simulate-device-cred-provtest.html[simulate it for testing].
 +
-* xref:{aktualizr-docsroot}meta-updater-testing.adoc#_qa_with_oe_selftest[QA with oe-selftest]
+* xref:{devguide-docsroot}meta-updater-usage.html[Advanced usage]
 +
-Learn how to use the `oe-selftest` framework for quality assurance.
+Learn about the `garage-push` and `garage-sign` utilities, aktualizr configuration recipes, and service resource control.
 +
-* xref:{aktualizr-docsroot}meta-updater-testing.adoc#_aktualizr_test_suite_with_ptest[Aktualizr test suite with ptest]
+* xref:{devguide-docsroot}meta-updater-testing.html[Testing with oe-selftest and ptest]
 +
-Learn how to enable Yocto's package test functionality and run parts of the aktualizr test suite.
+Learn how to use the `oe-selftest` framework for quality assurance and how to run the aktualizr test suite via ptest.
 +
-* xref:{aktualizr-docsroot}meta-updater-provisioning-methods.adoc[Provisoning methods]
+* xref:{devguide-docsroot}troubleshooting.html[Troubleshooting]
 +
-Learn how to enable different methods for provisioning devices.
+Get help on common problems.
 
 == License
 
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 795e01b..7ffe99d 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -168,7 +168,8 @@ IMAGE_CMD_ostreecommit () {
            --skip-if-unchanged \
            --branch=${OSTREE_BRANCHNAME} \
            --subject="${OSTREE_COMMIT_SUBJECT}" \
-           --body="${OSTREE_COMMIT_BODY}"
+           --body="${OSTREE_COMMIT_BODY}" \
+           --bind-ref="${OSTREE_BRANCHNAME}-${IMAGE_BASENAME}"
 
     if [ "${OSTREE_UPDATE_SUMMARY}" = "1" ]; then
         ostree --repo=${OSTREE_REPO} summary -u
diff --git a/classes/sota_raspberrypi.bbclass b/classes/sota_raspberrypi.bbclass
index 69f09fd..e158651 100644
--- a/classes/sota_raspberrypi.bbclass
+++ b/classes/sota_raspberrypi.bbclass
@@ -12,29 +12,59 @@ UBOOT_DTBO_LOADADDRESS = "0x06000000"
 # Deploy config fragment list to OSTree root fs
 IMAGE_INSTALL_append = " fit-conf"
 
-DEV_MATCH_DIRECTIVE_pn-networkd-dhcp-conf = "Driver=smsc95xx lan78xx"
+DEV_MATCH_DIRECTIVE_pn-networkd-dhcp-conf = "Driver=smsc95xx lan78xx bcmgenet"
 IMAGE_INSTALL_append_sota = " virtual/network-configuration "
 
 PREFERRED_PROVIDER_virtual/bootloader_sota ?= "u-boot"
-UBOOT_ENTRYPOINT_sota ?= "0x00008000"
+UBOOT_ENTRYPOINT_sota ?= "0x00080000"
 
 IMAGE_FSTYPES_remove_sota = "rpi-sdimg"
 OSTREE_BOOTLOADER ?= "u-boot"
 
+def make_dtb_boot_files(d):
+    # Generate IMAGE_BOOT_FILES entries for device tree files listed in
+    # KERNEL_DEVICETREE.
+    #
+    # This function was taken from conf/machine/include/rpi-base.inc in
+    # meta-raspberrypi
+    alldtbs = d.getVar('KERNEL_DEVICETREE')
+    imgtyp = d.getVar('KERNEL_IMAGETYPE')
+
+    def transform(dtb):
+        base = os.path.basename(dtb)
+        if dtb.endswith('dtb'):
+            return base
+        elif dtb.endswith('dtbo'):
+            return '{};{}'.format(base, dtb)
+
+    return ' '.join([transform(dtb) for dtb in alldtbs.split(' ') if dtb])
+
+IMAGE_BOOT_FILES_sota = "bcm2835-bootfiles/* \
+                         u-boot.bin;${SDIMG_KERNELIMAGE} \
+                         "
+
 # OSTree puts its own boot.scr to bcm2835-bootfiles
-IMAGE_BOOT_FILES_sota = "bcm2835-bootfiles/* u-boot.bin;${SDIMG_KERNELIMAGE}"
+# raspberrypi4 needs dtb in /boot partition so that they can be read by the
+# firmware
+IMAGE_BOOT_FILES_append_sota_raspberrypi4 = "${@make_dtb_boot_files(d)}"
 
 # Just the overlays that will be used should be listed
 KERNEL_DEVICETREE_raspberrypi2_sota ?= " bcm2709-rpi-2-b.dtb "
 KERNEL_DEVICETREE_raspberrypi3_sota ?= " bcm2710-rpi-3-b.dtb overlays/vc4-kms-v3d.dtbo overlays/rpi-ft5406.dtbo"
 KERNEL_DEVICETREE_raspberrypi3-64_sota ?= " broadcom/bcm2710-rpi-3-b.dtb overlays/vc4-kms-v3d.dtbo overlays/vc4-fkms-v3d.dtbo overlays/rpi-ft5406.dtbo"
+KERNEL_DEVICETREE_raspberrypi4_sota ?= " bcm2711-rpi-4-b.dtb overlays/vc4-fkms-v3d.dtbo overlays/uart0-rpi4.dtbo"
+KERNEL_DEVICETREE_raspberrypi4-64_sota ?= " broadcom/bcm2711-rpi-4-b.dtb overlays/vc4-fkms-v3d.dtbo overlays/uart0-rpi4.dtbo"
 
 SOTA_MAIN_DTB_raspberrypi2 ?= "bcm2709-rpi-2-b.dtb"
 SOTA_MAIN_DTB_raspberrypi3 ?= "bcm2710-rpi-3-b.dtb"
 SOTA_MAIN_DTB_raspberrypi3-64 ?= "broadcom_bcm2710-rpi-3-b.dtb"
+SOTA_MAIN_DTB_raspberrypi4_sota ?= "bcm2711-rpi-4-b.dtb"
+SOTA_MAIN_DTB_raspberrypi4-64_sota ?= "broadcom_bcm2711-rpi-4-b.dtb"
 
 SOTA_DT_OVERLAYS_raspberrypi3 ?= "vc4-kms-v3d.dtbo rpi-ft5406.dtbo"
 SOTA_DT_OVERLAYS_raspberrypi3-64 ?= "vc4-kms-v3d.dtbo vc4-fkms-v3d.dtbo rpi-ft5406.dtbo"
+SOTA_DT_OVERLAYS_raspberrypi4 ?= "vc4-fkms-v3d.dtbo uart0-rpi4.dtbo"
+SOTA_DT_OVERLAYS_raspberrypi4-64 ?= "vc4-fkms-v3d.dtbo uart0-rpi4.dtbo"
 
 # Kernel args normally provided by RPi's internal bootloader. Non-updateable
 OSTREE_KERNEL_ARGS_sota ?= " 8250.nr_uarts=1 bcm2708_fb.fbwidth=656 bcm2708_fb.fbheight=614 bcm2708_fb.fbswap=1 vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000 dwc_otg.lpm_enable=0 console=ttyS0,115200 usbhid.mousepoll=0 "
diff --git a/conf/include/bblayers/sota_raspberrypi4-64.inc b/conf/include/bblayers/sota_raspberrypi4-64.inc
new file mode 100644
index 0000000..7e320af
--- /dev/null
+++ b/conf/include/bblayers/sota_raspberrypi4-64.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
diff --git a/conf/include/bblayers/sota_raspberrypi4.inc b/conf/include/bblayers/sota_raspberrypi4.inc
new file mode 100644
index 0000000..7e320af
--- /dev/null
+++ b/conf/include/bblayers/sota_raspberrypi4.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
diff --git a/conf/layer.conf b/conf/layer.conf
index ec791bb..035a46b 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -9,5 +9,15 @@ BBFILE_COLLECTIONS += "sota"
 BBFILE_PATTERN_sota = "^${LAYERDIR}/"
 BBFILE_PRIORITY_sota = "7"
 
-LAYERDEPENDS_sota = "filesystems-layer"
+LAYERDEPENDS_sota = "openembedded-layer"
+LAYERDEPENDS_sota += "meta-python"
+LAYERDEPENDS_sota += "filesystems-layer"
 LAYERSERIES_COMPAT_sota = "thud warrior"
+
+SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
+  aktualizr-device-prov->aktualizr \
+  aktualizr-device-prov-hsm->aktualizr \
+  aktualizr-shared-prov->aktualizr \
+  aktualizr-shared-prov-creds->aktualizr \
+  aktualizr-uboot-env-rollback->aktualizr \
+"
diff --git a/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb b/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
index b6076cd..394531e 100644
--- a/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
+++ b/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
@@ -4,7 +4,7 @@ interfaces through systemd-networkd"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
-inherit allarch systemd
+inherit systemd
 
 RPROVIDES_${PN} = "virtual/network-configuration"
 
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
deleted file mode 100644
index 6e02a50..0000000
--- a/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,60 +0,0 @@
-SUMMARY = "Credentials for device provisioning with fleet CA certificate"
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-
-inherit allarch
-
-# WARNING: it is NOT a production solution. The secure way to provision devices
-# is to create certificate request directly on the device (either with HSM/TPM
-# or with software) and then sign it with a CA stored on a disconnected machine.
-
-DEPENDS = "aktualizr aktualizr-native"
-ALLOW_EMPTY_${PN} = "1"
-
-SRC_URI = " \
-            file://ca.cnf \
-            "
-
-require credentials.inc
-
-export SOTA_CACERT_PATH
-export SOTA_CAKEY_PATH
-
-do_install() {
-    if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
-        if [ -z ${SOTA_CACERT_PATH} ]; then
-            SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
-            SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
-            mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-            bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
-
-            if [ ! -f ${SOTA_CACERT_PATH} ]; then
-                bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-                SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
-                openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
-                openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
-                bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
-            fi
-        fi
-
-        if [ -z ${SOTA_CAKEY_PATH} ]; then
-            bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
-        fi
-
-        install -m 0700 -d ${D}${localstatedir}/sota
-        aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
-                                --fleet-ca ${SOTA_CACERT_PATH} \
-                                --fleet-ca-key ${SOTA_CAKEY_PATH} \
-                                --root-ca \
-                                --server-url \
-                                --local ${D} \
-                                --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
-    fi
-}
-
-FILES_${PN} = " \
-                ${localstatedir}/sota/*"
-
-# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
index c3cd593..4eadb77 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -7,14 +7,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr aktualizr-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
 
-SRC_URI = ""
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
 PV = "1.0"
 PR = "6"
 
-require credentials.inc
+SRC_URI = ""
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb
index d579532..55f398d 100644
--- a/recipes-sota/aktualizr/aktualizr-device-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -7,13 +7,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr aktualizr-native openssl-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
 
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
 PV = "1.0"
 PR = "1"
 
-require credentials.inc
+SRC_URI = ""
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
diff --git a/recipes-sota/aktualizr/aktualizr-hwid.bb b/recipes-sota/aktualizr/aktualizr-hwid.bb
new file mode 100644
index 0000000..fd3e395
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-hwid.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Aktualizr hwid configuration"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+SRC_URI = ""
+
+do_install() {
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    if [ -n "${SOTA_HARDWARE_ID}" ]; then
+        printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml
+    fi
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d \
+                ${libdir}/sota/conf.d/40-hardware-id.toml \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
index 2701c07..9c6f0dd 100644
--- a/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
@@ -6,9 +6,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr-native zip-native"
+DEPENDS = "zip-native"
 ALLOW_EMPTY_${PN} = "1"
 
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
+PV = "1.0"
+PR = "1"
+
+SRC_URI = ""
+
 require credentials.inc
 
 do_install() {
diff --git a/recipes-sota/aktualizr/aktualizr-shared-prov.bb b/recipes-sota/aktualizr/aktualizr-shared-prov.bb
index d3d6f16..2ee47a1 100644
--- a/recipes-sota/aktualizr/aktualizr-shared-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-shared-prov.bb
@@ -7,15 +7,18 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr-native zip-native"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
 RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
 PV = "1.0"
 PR = "6"
 
 SRC_URI = ""
 
-require credentials.inc
-
 do_install() {
     if [ -n "${SOTA_AUTOPROVISION_CREDENTIALS}" ]; then
         bbwarn "SOTA_AUTOPROVISION_CREDENTIALS are ignored. Please use SOTA_PACKED_CREDENTIALS"
@@ -31,7 +34,7 @@ do_install() {
     fi
 
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-shared-cred.toml \
+    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-shared-cred.toml \
         ${D}${libdir}/sota/conf.d/20-sota-shared-cred.toml
 }
 
diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
index 860f225..2895e5c 100644
--- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
+++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
@@ -6,14 +6,18 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 inherit allarch
 
-DEPENDS = "aktualizr-native"
-RDEPENDS_${PN} = "aktualizr"
+DEPENDS = "aktualizr"
+
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
+PV = "1.0"
+PR = "1"
 
 SRC_URI = ""
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
+    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
 }
 
 FILES_${PN} = " \
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index d9f50c3..22cba07 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "SOTA Client application written in C++"
 HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
 SECTION = "base"
 LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=815ca599c9df247a0c7f619bab123dad"
 
 DEPENDS = "boost curl openssl libarchive libsodium sqlite3 asn1c-native"
 DEPENDS_append = "${@bb.utils.contains('PTEST_ENABLED', '1', ' coreutils-native net-tools-native ostree-native aktualizr-native ', '', d)}"
-RDEPENDS_${PN}_class-target = "aktualizr-configs lshw"
+RDEPENDS_${PN}_class-target = "aktualizr-configs aktualizr-hwid lshw"
 RDEPENDS_${PN}-host-tools = "aktualizr aktualizr-cert-provider ${@bb.utils.contains('PACKAGECONFIG', 'sota-tools', 'garage-deploy garage-push', '', d)}"
 
 RDEPENDS_${PN}-ptest += "bash cmake curl net-tools python3-core python3-misc python3-modules openssl-bin sqlite3 valgrind"
@@ -15,23 +15,22 @@ RDEPENDS_${PN}-ptest += "bash cmake curl net-tools python3-core python3-misc pyt
 PV = "1.0+git${SRCPV}"
 PR = "7"
 
-GARAGE_SIGN_PV = "0.7.0-33-g214dfb1"
+GARAGE_SIGN_PV = "0.7.0-49-g5ffd420"
 
 SRC_URI = " \
-  gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
+  gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH};name=aktualizr \
   file://run-ptest \
   file://aktualizr.service \
   file://aktualizr-secondary.service \
   file://aktualizr-serialcan.service \
   file://10-resource-control.conf \
-  ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
+  ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0;name=garagesign") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
   "
 
-# for garage-sign archive
-SRC_URI[md5sum] = "66ffe8dcd61d4c15646e1c4b7dde7401"
-SRC_URI[sha256sum] = "7a7193ddf7e1a33ea60fbb20f98318a8bd78c325dab391d8c4ebd644a738abdc"
+SRC_URI[garagesign.md5sum] = "de0877ecb693fd48ec11052e51b0ff1a"
+SRC_URI[garagesign.sha256sum] = "cf25759574c9c1206835daeaf6fc345f6db7b5ccdb95fb828c86d7451f78f0aa"
 
-SRCREV = "3bb9fe91b4c614a79373beadc721272fcf7acce2"
+SRCREV = "fa59e33208d3b1dc690a30ce8339b3b4162f8022"
 BRANCH ?= "master"
 
 S = "${WORKDIR}/git"
@@ -46,11 +45,11 @@ SYSTEMD_PACKAGES = "${PN} ${PN}-secondary"
 SYSTEMD_SERVICE_${PN} = "aktualizr.service"
 SYSTEMD_SERVICE_${PN}-secondary = "aktualizr-secondary.service"
 
-EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release -DAKTUALIZR_VERSION=${PV} ${@bb.utils.contains('PTEST_ENABLED', '1', '-DTESTSUITE_VALGRIND=on', '', d)}"
+EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release ${@bb.utils.contains('PTEST_ENABLED', '1', '-DTESTSUITE_VALGRIND=on', '', d)}"
 
 GARAGE_SIGN_OPS = "${@ d.expand('-DGARAGE_SIGN_ARCHIVE=${WORKDIR}/cli-${GARAGE_SIGN_PV}.tgz') if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''}"
 
-PACKAGECONFIG ?= "ostree ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} ${@bb.utils.filter('SOTA_CLIENT_FEATURES', 'hsm serialcan ubootenv', d)}"
+PACKAGECONFIG ?= "ostree ${@bb.utils.filter('SOTA_CLIENT_FEATURES', 'hsm serialcan ubootenv', d)}"
 PACKAGECONFIG_class-native = "sota-tools"
 PACKAGECONFIG[warning-as-error] = "-DWARNING_AS_ERROR=ON,-DWARNING_AS_ERROR=OFF,"
 PACKAGECONFIG[ostree] = "-DBUILD_OSTREE=ON,-DBUILD_OSTREE=OFF,ostree,"
@@ -70,6 +69,14 @@ RESOURCE_CPU_WEIGHT = "100"
 RESOURCE_MEMORY_HIGH = "100M"
 RESOURCE_MEMORY_MAX = "80%"
 
+do_configure_prepend() {
+    # CMake has trouble finding yocto's git when cross-compiling, let's do this step manually
+    cd ${S}
+    if [ ! -f VERSION ]; then
+        ./scripts/get_version.sh > VERSION
+    fi
+}
+
 do_compile_ptest() {
     cmake_runcmake_build --target build_tests "${PARALLEL_MAKE}"
 }
@@ -102,10 +109,6 @@ do_install_append () {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
     install -m 0700 -d ${D}${sysconfdir}/sota/conf.d
 
-    if [ -n "${SOTA_HARDWARE_ID}" ]; then
-        printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml
-    fi
-
     install -m 0755 -d ${D}${systemd_unitdir}/system
     aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)}
     install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service
diff --git a/recipes-sota/config/aktualizr-virtualsec.bb b/recipes-sota/config/aktualizr-virtualsec.bb
new file mode 100644
index 0000000..b7d55aa
--- /dev/null
+++ b/recipes-sota/config/aktualizr-virtualsec.bb
@@ -0,0 +1,27 @@
+SUMMARY = "Example virtual secondary in aktualizr"
+DESCRIPTION = "Creates an example virtual secondary to be used to update an arbitrary file on the primary"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+inherit allarch
+
+SRC_URI = " \
+            file://30-virtualsec.toml \
+            file://virtualsec.json \
+            "
+
+do_install_append () {
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    install -m 0644 ${WORKDIR}/30-virtualsec.toml ${D}${libdir}/sota/conf.d/30-virtualsec.toml
+    install -m 0644 ${WORKDIR}/virtualsec.json ${D}${libdir}/sota/virtualsec.json
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d/30-virtualsec.toml \
+                ${libdir}/sota/virtualsec.json \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
+
diff --git a/recipes-sota/config/files/30-virtualsec.toml b/recipes-sota/config/files/30-virtualsec.toml
new file mode 100644
index 0000000..987f692
--- /dev/null
+++ b/recipes-sota/config/files/30-virtualsec.toml
@@ -0,0 +1,3 @@
+[uptane]
+secondary_config_file = "/usr/lib/sota/virtualsec.json"
+
diff --git a/recipes-sota/config/files/virtualsec.json b/recipes-sota/config/files/virtualsec.json
new file mode 100644
index 0000000..dcdcdba
--- /dev/null
+++ b/recipes-sota/config/files/virtualsec.json
@@ -0,0 +1,14 @@
+{
+    "virtual": [
+        {
+            "partial_verifying": "false",
+            "ecu_hardware_id": "external-config",
+            "full_client_dir": "/var/sota/external-config",
+            "ecu_private_key": "sec.private",
+            "ecu_public_key": "sec.public",
+            "firmware_path": "/var/sota/external-config/config.txt",
+            "target_name_path": "/var/sota/external-config/target_name",
+            "metadata_path": "/var/sota/external-config/metadata"
+        }
+    ]
+}
diff --git a/recipes-test/demo-config/primary-config.bb b/recipes-test/demo-config/primary-config.bb
index 27cb553..b1964e2 100644
--- a/recipes-test/demo-config/primary-config.bb
+++ b/recipes-test/demo-config/primary-config.bb
@@ -4,6 +4,8 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 require shared-conf.inc
 
+inherit allarch
+
 PRIMARY_SECONDARIES ?= "${SECONDARY_IP}:${SECONDARY_PORT}"
 
 SRC_URI = "\
diff --git a/recipes-test/demo-config/secondary-config.bb b/recipes-test/demo-config/secondary-config.bb
index 9411646..ddbed89 100644
--- a/recipes-test/demo-config/secondary-config.bb
+++ b/recipes-test/demo-config/secondary-config.bb
@@ -4,6 +4,9 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 
 require shared-conf.inc
 
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
 SECONDARY_SERIAL_ID ?= ""
 SOTA_HARDWARE_ID ?= "${MACHINE}-sndry"
 SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}"
@@ -16,18 +19,18 @@ SRC_URI = "\
 
 do_install () {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}/${libdir}/sota/conf.d/30-fake-pacman.toml
+    install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}${libdir}/sota/conf.d/30-fake-pacman.toml
 
-    install -m 0644 ${WORKDIR}/35-network-config.toml ${D}/${libdir}/sota/conf.d/35-network-config.toml
+    install -m 0644 ${WORKDIR}/35-network-config.toml ${D}${libdir}/sota/conf.d/35-network-config.toml
     sed -i -e 's|@PORT@|${SECONDARY_PORT}|g' \
            -e 's|@PRIMARY_IP@|${PRIMARY_IP}|g' \
            -e 's|@PRIMARY_PORT@|${PRIMARY_PORT}|g' \
-           ${D}/${libdir}/sota/conf.d/35-network-config.toml
+           ${D}${libdir}/sota/conf.d/35-network-config.toml
 
-    install -m 0644 ${WORKDIR}/45-id-config.toml ${D}/${libdir}/sota/conf.d/45-id-config.toml
+    install -m 0644 ${WORKDIR}/45-id-config.toml ${D}${libdir}/sota/conf.d/45-id-config.toml
     sed -i -e 's|@SERIAL@|${SECONDARY_SERIAL_ID}|g' \
            -e 's|@HWID@|${SECONDARY_HARDWARE_ID}|g' \
-           ${D}/${libdir}/sota/conf.d/45-id-config.toml
+           ${D}${libdir}/sota/conf.d/45-id-config.toml
 
 }
 
diff --git a/recipes-test/demo-network-config/network-config.inc b/recipes-test/demo-network-config/network-config.inc
index ed623d4..b023f51 100644
--- a/recipes-test/demo-network-config/network-config.inc
+++ b/recipes-test/demo-network-config/network-config.inc
@@ -2,15 +2,18 @@ SRC_URI_append = "\
     file://26-${CONF_TYPE}-client.network \
     "
 
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
 SECONDARY_INTERFACE ?= "${@ 'eth0' if d.getVar('MACHINE') == 'raspberrypi3' else 'enp0s5'}"
 
 do_install_append() {
     bbnote "Network configuration type to be applied: ${CONF_TYPE}"
-    install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}/usr/lib/systemd/network/
+    install -d ${D}${libdir}/systemd/network
+    install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}${libdir}/systemd/network/
     sed -i -e 's|@ADDR@|${IP_ADDR}|g' \
            -e 's|@IFNAME@|${SECONDARY_INTERFACE}|g' \
-           ${D}/usr/lib/systemd/network/26-${CONF_TYPE}-client.network
+           ${D}${libdir}/systemd/network/26-${CONF_TYPE}-client.network
 
 }
 
diff --git a/recipes-test/demo-network-config/primary-network-config.bb b/recipes-test/demo-network-config/primary-network-config.bb
index d840a95..544a5ec 100644
--- a/recipes-test/demo-network-config/primary-network-config.bb
+++ b/recipes-test/demo-network-config/primary-network-config.bb
@@ -2,19 +2,17 @@ DESCRIPTION = "Sample network configuration for an Uptane Primary"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
-inherit allarch
-
 SRC_URI = "\
     file://27-dhcp-client-external.network \
     "
 
-FILES_${PN} = "/usr/lib/systemd/network"
+FILES_${PN} = "${libdir}/systemd/network"
 
 PR = "1"
 
 do_install() {
-    install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
+    install -d ${D}${libdir}/systemd/network
+    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/
 }
 
 PRIMARY_IP ?= "10.0.3.1"
diff --git a/recipes-test/demo-network-config/secondary-network-config.bb b/recipes-test/demo-network-config/secondary-network-config.bb
index b1d70f1..ca83d53 100644
--- a/recipes-test/demo-network-config/secondary-network-config.bb
+++ b/recipes-test/demo-network-config/secondary-network-config.bb
@@ -2,8 +2,6 @@ DESCRIPTION = "Sample network configuration for an Uptane Secondary"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
-inherit allarch
-
 # TODO: It configures the 'user' interface in NAT mode and provides an access to public Inet via it
 # which is not desired for Secondary. It cannot be just removed since we get SSH access to Secondary
 # VM via this interface. So, the task is to configure the interface in such way that it does provide access
@@ -12,13 +10,13 @@ SRC_URI = "\
     file://27-dhcp-client-external.network \
     "
 
-FILES_${PN} = "/usr/lib/systemd/network"
+FILES_${PN} = "${libdir}/systemd/network"
 
 PR = "1"
 
 do_install() {
-    install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
+    install -d ${D}${libdir}/systemd/network
+    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/
 }
 
 SECONDARY_IP ?= "10.0.3.2"
diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb
index 27d1e3f..7db2c68 100644
--- a/recipes-test/images/secondary-image.bb
+++ b/recipes-test/images/secondary-image.bb
@@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \
                         aktualizr-shared-prov \
                         aktualizr-shared-prov-creds \
                         aktualizr-device-prov \
-                        aktualizr-device-prov-creds \
                         aktualizr-device-prov-hsm \
                         aktualizr-uboot-env-rollback \
                         virtual/network-configuration \
diff --git a/scripts/ci/Dockerfile.checkout b/scripts/ci/Dockerfile.checkout
deleted file mode 100644
index 5210c6b..0000000
--- a/scripts/ci/Dockerfile.checkout
+++ /dev/null
@@ -1,13 +0,0 @@
-FROM debian:stretch-slim
-LABEL Description="Image for checking out updater-repo"
-
-RUN sed -i 's#deb http://deb.debian.org/debian stretch main#deb http://deb.debian.org/debian stretch main contrib#g' /etc/apt/sources.list
-RUN sed -i 's#deb http://deb.debian.org/debian stretch-updates main#deb http://deb.debian.org/debian stretch-updates main contrib#g' /etc/apt/sources.list
-RUN apt-get update -q && apt-get install -qy \
-    git \
-    repo \
-    xmlstarlet
-
-# checkout script
-RUN mkdir /scripts
-COPY checkout-oe.sh /scripts/
diff --git a/scripts/ci/checkout-oe.sh b/scripts/ci/checkout-oe.sh
deleted file mode 100755
index fdc0e48..0000000
--- a/scripts/ci/checkout-oe.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-set -x
-
-REMOTE_SOURCE=${REMOTE_SOURCE:-https://github.com/advancedtelematic}
-MANIFEST=${MANIFEST:-master}
-CURRENT_PROJECT=${CURRENT_PROJECT:-}
-
-# list of projects to pin to one version in the format:
-# "project:rev;project2:rev2..."
-PIN_LIST=${PIN_LIST:-}
-
-#CURRENT_REV=$(git rev-parse HEAD)
-LOCAL_REPO=$PWD
-
-mkdir -p updater-repo
-
-cd updater-repo
-
-if [ -d .repo/manifests ]; then
-    git -C .repo/manifests reset --hard
-fi
-
-repo init -m "${MANIFEST}.xml" -u "$REMOTE_SOURCE/updater-repo"
-
-# patch manifest:
-# - add a new "ats" remote that points to "$REMOTE_SOURCE"
-# - change projects that contain "advancedtelematic" to use the ats remote
-MANIFEST_FILE=".repo/manifests/${MANIFEST}.xml"
-xmlstarlet ed --omit-decl -L \
-    -s "/manifest" -t elem -n "remote" -v "" \
-    -i "/manifest/remote[last()]" -t attr -n "name" -v "ats" \
-    -i "/manifest/remote[last()]" -t attr -n "fetch" -v "$REMOTE_SOURCE" \
-    -d "/manifest/project[contains(@name, 'advancedtelematic')]/@remote" \
-    -i "/manifest/project[contains(@name, 'advancedtelematic')]" -t attr -n "remote" -v "ats" \
-    "$MANIFEST_FILE"
-
-# hack: sed on `advancedtelematic/` names, to remove this unwanted prefix
-sed -i 's#name="advancedtelematic/#name="#g' "$MANIFEST_FILE"
-
-# pin projects from the list
-(
-IFS=";"
-for pin in $PIN_LIST; do
-    IFS=":"
-    read -r project rev <<< "$pin"
-    xmlstarlet ed --omit-decl -L \
-        -d "/manifest/project[@name=\"$project\"]/@revision" \
-        -i "/manifest/project[@name=\"$project\"]/@revision" -t attr -n "revision" -v "$rev" \
-        -i "/manifest/project[@name=\"$project\"]" -t attr -n "revision" -v "$rev" \
-        "$MANIFEST_FILE"
-    IFS=";"
-done
-)
-
-# Remove the current project from the manifest if we have it checked out
-if [ -n "$CURRENT_PROJECT" ]; then
-    xmlstarlet ed --omit-decl -L \
-        -d "/manifest/project[@name=\"$CURRENT_PROJECT\"]" \
-        "$MANIFEST_FILE"
-fi
-
-repo manifest
-
-repo forall -c 'git reset --hard ; git clean -fdx'
-
-repo sync -d --force-sync
-
-if [ -n "$CURRENT_PROJECT" ]; then
-    rm -f "$CURRENT_PROJECT"
-    ln -s "$LOCAL_REPO" "$CURRENT_PROJECT"
-fi
-
-repo manifest -r
diff --git a/scripts/ci/docker/setup_kvm.sh b/scripts/ci/docker/setup_kvm.sh
deleted file mode 100755
index 1ffbbf5..0000000
--- a/scripts/ci/docker/setup_kvm.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-# This script makes the gid of the 'kvm' group to match the group
-# owner of '/dev/kvm'
-#
-# These two are not guaranteed to match when a docker image starts
-# with access to '/dev/kvm' that comes from the host
-
-set -euo pipefail
-
-kvm_gid=$(stat -c "%g" /dev/kvm)
-groupmod -g "$kvm_gid" kvm
-usermod -a -G kvm bitbake
-ln -s /bin/true /usr/bin/kvm-ok
diff --git a/scripts/ci/gitlab/checkout.yml b/scripts/ci/gitlab/checkout.yml
deleted file mode 100644
index 28c9177..0000000
--- a/scripts/ci/gitlab/checkout.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-.bb_checkout:
-  # parameters:
-  #   - MANIFEST
-  #   - REMOTE_SOURCE
-  #   - CURRENT_PROJECT (will be symlinked instead of pulled)
-
-  image: $BITBAKE_CHECKOUT_IMAGE
-  cache:
-    paths:
-      - updater-repo
-  artifacts:
-    expire_in: "1 day"
-    paths:
-      - updater-repo
-  script:
-    - /scripts/checkout-oe.sh
diff --git a/scripts/ci/gitlab/docker.yml b/scripts/ci/gitlab/docker.yml
deleted file mode 100644
index ba488c6..0000000
--- a/scripts/ci/gitlab/docker.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-.bb_docker_local:
-  # intended to be run on meta-updater's master branch which contains the
-  # reference docker files
-  # parameters:
-  #   - BITBAKE_IMAGE
-  #   - BITBAKE_CHECKOUT_IMAGE
-  #   - BITBKAE_IMAGE_MASTER
-  #   - BITBAKE_CHECKOUT_IMAGE_MASTER
-  image: docker:18
-  stage: docker
-  services:
-    - docker:18-dind
-  script:
-    - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
-
-    - docker pull "$BITBAKE_IMAGE" || docker pull "$BITBKAE_IMAGE_MASTER" || true
-    - docker build --pull --cache-from "$BITBKAE_IMAGE_MASTER" --cache-from "$BITBAKE_IMAGE" -f ./scripts/ci/Dockerfile.bitbake -t "$BITBAKE_IMAGE" ./scripts/ci
-    - docker push "$BITBAKE_IMAGE"
-
-    - docker pull "$BITBAKE_CHECKOUT_IMAGE" || docker pull "$BITBAKE_CHECKOUT_IMAGE_MASTER" || true
-    - docker build --pull --cache-from "$BITBAKE_CHECKOUT_IMAGE_MASTER" --cache-from "$BITBAKE_CHECKOUT_IMAGE" -f ./scripts/ci/Dockerfile.checkout -t "$BITBAKE_CHECKOUT_IMAGE" ./scripts/ci
-    - docker push "$BITBAKE_CHECKOUT_IMAGE"
-
-.bb_docker_remote:
-  # intended to be run on other branches and repos: just pulls the last master image
-  # parameters:
-  #   - BITBAKE_IMAGE
-  #   - BITBAKE_CHECKOUT_IMAGE
-  image: docker:18
-  stage: docker
-  services:
-    - docker:18-dind
-  script:
-    - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
-
-    - docker pull "$BITBAKE_IMAGE"
-    - docker pull "$BITBAKE_CHECKOUT_IMAGE"
diff --git a/scripts/ci/gitlab/tests.yml b/scripts/ci/gitlab/tests.yml
deleted file mode 100644
index 4175412..0000000
--- a/scripts/ci/gitlab/tests.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-.bitbake:
-  # parameters:
-  #   - TEST_BUILD_DIR
-  #   - TEST_MACHINE (defaults to qemux86-64)
-  #   - BITBAKE_TARGETS
-  image: $BITBAKE_IMAGE
-  dependencies:
-    - Checkout
-  tags:
-    - bitbake
-  script:
-    - /scripts/configure.sh
-    - /scripts/build.sh $BITBAKE_TARGETS
-
-.oe-selftest:
-  # parameters:
-  #   - TEST_BUILD_DIR
-  #   - TEST_MACHINE (defaults to qemux86-64)
-  #   - OE_SELFTESTS
-  image: $BITBAKE_IMAGE
-  dependencies:
-    - Checkout
-  tags:
-    - bitbake
-  variables:
-    TEST_AKTUALIZR_CREDENTIALS: $CI_PROJECT_DIR/credentials.zip
-  script:
-    - aws s3 cp s3://ota-gitlab-ci/hereotaconnect_prod.zip credentials.zip
-    - sudo /usr/local/bin/setup_kvm.sh
-    - |
-      # sg is needed after adding bitbake to the kvm group (see setup_kvm.sh)
-      sg kvm << EOS
-      /scripts/configure.sh
-      /scripts/oe-selftest.sh $OE_SELFTESTS
-      EOS
diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh
index 493df80..fcb2f97 100755
--- a/scripts/find_aktualizr_dependencies.sh
+++ b/scripts/find_aktualizr_dependencies.sh
@@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr
 ${parentdir}/find_dependencies.py aktualizr-shared-prov
 ${parentdir}/find_dependencies.py aktualizr-shared-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov
-${parentdir}/find_dependencies.py aktualizr-device-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-device-prov-hsm
 ${parentdir}/find_dependencies.py aktualizr-auto-reboot
 ${parentdir}/find_dependencies.py aktualizr-disable-send-ip