18 files changed, 175 insertions, 199 deletions

diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index 1cd1eef..0b40438 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -23,7 +23,7 @@ New pull requests will automatically be checked by the https://probot.github.io/
 
 * OTA-enabled build succeeds for at least one platform, the resulting image boots, and an update can be installed. This check is absolutely necessary for every pull request unless it only touches documentation.
 * If your change touches platform code (like `classes/sota_<platform>.bbclass`), please check building and updating on this particular platform.
-* oe-selftest succeeds. To test meta-updater, run `oe-selftest -r updater` from a build directory with `MACHINE` set to `qemux86-64`.
+* oe-selftest succeeds. To test meta-updater, run `oe-selftest -r updater` from a build directory with `MACHINE` set to `qemux86-64`. See the link:README.adoc#qa-with-oe-selftest[relevant section of the README] for more details.
 * Updates are forwards- and backwards-compatible. You should be able to update an OTA-enabled build before the change is applied to the version with change applied and vice versa. One should pay double attention to the compatibility when bootloader code is affected.
 * The patch/branch should be based on the latest version of the target branch. This may mean that rebasing is necessary if other PRs are merged before yours is approved.
 
diff --git a/README.adoc b/README.adoc
index e14d7bd..994ad67 100644
--- a/README.adoc
+++ b/README.adoc
@@ -6,7 +6,7 @@ This layer enables over-the-air updates (OTA) with https://github.com/ostreedev/
 
 https://github.com/ostreedev/ostree[OSTree] is a tool for atomic full file system upgrades with rollback capability. OSTree has several advantages over traditional dual-bank systems, but the most important one is that it minimizes network bandwidth and data storage footprint by sharing files with the same contents across file system deployments.
 
-https://github.com/advancedtelematic/aktualizr[Aktualizr] (and https://github.com/advancedtelematic/rvi_sota_client[RVI SOTA client]) add authentication and provisioning capabilities to OTA and are integrated with OSTree. You can connect with the open-source https://github.com/advancedtelematic/rvi_sota_server[RVI SOTA server] or sign up for a free account at https://app.atsgarage.com[ATS Garage] to get started.
+https://github.com/advancedtelematic/aktualizr[Aktualizr] (and https://github.com/advancedtelematic/rvi_sota_client[RVI SOTA client]) add authentication and provisioning capabilities to OTA and are integrated with OSTree. You can connect with these open-source applications or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
 
 [discrete]
 == Table of Contents
@@ -17,7 +17,7 @@ toc::[]
 
 === Quickstart
 
-If you don't already have a Yocto project that you want to add OTA to, you can use the https://docs.atsgarage.com/quickstarts/raspberry-pi.html[ATS Garage Quickstart] project to rapidly get up and running on a Raspberry Pi. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
+If you don't already have a Yocto project that you want to add OTA to, you can use the https://docs.atsgarage.com/quickstarts/raspberry-pi.html[HERE OTA Connect Quickstart] project to rapidly get up and running on a Raspberry Pi. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
 
 === Adding meta-updater capabilities to your build
 
@@ -86,8 +86,8 @@ Although we have used U-Boot so far, other boot loaders can be configured work w
 * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
 * `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-ca-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
 * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).
-* `SOTA_SECONDARY_ECUS` - a list of paths separated by spaces of JSON configuration files for virtual secondaries on the host. These will be installed into `/var/sota/ecus` on the device.
-* `SOTA_VIRTUAL_SECONDARIES` - a list of paths separated by spaces of JSON configuration files for virtual secondaries installed on the device. If `SOTA_SECONDARY_ECUS` is used to install them, then you can expect them to be installed in `/var/sota/ecus`.
+* `SOTA_SECONDARY_CONFIG_DIR` - a directory containing JSON configuration files for virtual secondaries on the host. These will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr.
+* `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set.
 
 == Usage
 
@@ -131,7 +131,7 @@ ostree admin deploy --os=agl agl-snapshot:agl-ota
 
 === garage-push
 
-The https://github.com/advancedtelematic/aktualizr[aktualizr repo] contains a tool, garage-push, which lets you push the changes in OSTree repository generated by bitbake process. It communicates with an http server capable of querying files with HEAD requests and uploading them with POST requests. In particular, this can be used with http://www.atsgarage.com/[ATS Garage]. garage-push is used as follows:
+The https://github.com/advancedtelematic/aktualizr[aktualizr repo] contains a tool, garage-push, which lets you push the changes in OSTree repository generated by bitbake process. It communicates with an http server capable of querying files with HEAD requests and uploading them with POST requests. In particular, this can be used with https://connect.ota.here.com/[HERE OTA Connect]. garage-push is used as follows:
 
 ....
 garage-push --repo=/path/to/ostree-repo --ref=mybranch --credentials=/path/to/credentials.zip
@@ -147,8 +147,7 @@ First, you can set `SOTA_CLIENT_PROV` to control which provisioning recipe is us
 
 Second, you can write recipes to install additional config files with customized options. A few recipes already exist to address common needs and provide an example:
 
-* link:recipes-sota/config/aktualizr-example-interface.bb[aktualizr-example-interface.bb] will configure aktualizr to connect to an example interface for a legacy flasher. This is intended to be used in conjunction with the `aktualizr-examples` package. See https://github.com/advancedtelematic/aktualizr/blob/master/docs/legacysecondary.adoc[legacysecondary.adoc] in the aktualizr repo for more information.
-* link:recipes-sota/config/aktualizr-disable-send-ip.bb[aktualizr-disable-send-ip.bb] disables the reporting of networking information to the server. This is enabled by default and supported by https://app.atsgarage.com[ATS Garage]. However, if you are using a different server that does not support this feature, you may want to disable it in aktualizr.
+* link:recipes-sota/config/aktualizr-disable-send-ip.bb[aktualizr-disable-send-ip.bb] disables the reporting of networking information to the server. This is enabled by default and supported by https://connect.ota.here.com/[HERE OTA Connect]. However, if you are using a different server that does not support this feature, you may want to disable it in aktualizr.
 * link:recipes-sota/config/aktualizr-log-debug.bb[aktualizr-log-debug.bb] sets the log level of aktualizr to 0 (trace). The default is 2 (info). This recipe is intended for development and debugging purposes.
 
 To use these recipes, you will need to add them to your image with a line such as `IMAGE_INSTALL_append = " aktualizr-log-debug "` in your `local.conf`.
@@ -182,7 +181,7 @@ Please note that [target name, target version] pairs are expected to be unique i
 
 == QA with oe-selftest
 
-This layer relies on the test framework oe-selftest for quality assurance. Follow the steps below to run the tests:
+This layer relies on the test framework oe-selftest for quality assurance. Currently, you will need to run this in a build directory with `MACHINE` set to `qemux86-64`. Follow the steps below to run the tests:
 
 1. Append the line below to `conf/local.conf` to disable the warning about supported operating systems:
 +
diff --git a/classes/image_repo_manifest.bbclass b/classes/image_repo_manifest.bbclass
index 467fd9a..c2e7056 100644
--- a/classes/image_repo_manifest.bbclass
+++ b/classes/image_repo_manifest.bbclass
@@ -12,7 +12,7 @@
 HOSTTOOLS_NONFATAL += " repo "
 
 # Write build information to target filesystem
-buildinfo () {
+buildinfo_manifest () {
   if [ $(which repo) ]; then
     repo manifest --revision-as-HEAD -o ${IMAGE_ROOTFS}${sysconfdir}/manifest.xml || bbwarn "Android repo tool failed to run; manifest not copied"
   else
@@ -20,4 +20,4 @@ buildinfo () {
   fi
 }
 
-IMAGE_PREPROCESS_COMMAND += "buildinfo;"
+IMAGE_PREPROCESS_COMMAND += "buildinfo_manifest;"
diff --git a/classes/image_types_ostree.bbclass b/classes/image_types_ostree.bbclass
index 0db8e50..4095de0 100644
--- a/classes/image_types_ostree.bbclass
+++ b/classes/image_types_ostree.bbclass
@@ -1,42 +1,30 @@
 # OSTree deployment
-
-do_image_ostree[depends] += "ostree-native:do_populate_sysroot \
-                        openssl-native:do_populate_sysroot \
-                        coreutils-native:do_populate_sysroot \
-                        unzip-native:do_populate_sysroot \
-                        virtual/kernel:do_deploy \
-                        ${INITRAMFS_IMAGE}:do_image_complete \
-"
-do_image_ostree[lockfiles] += "${OSTREE_REPO}/ostree.lock"
-
-export OSTREE_REPO
-export OSTREE_BRANCHNAME
-export GARAGE_TARGET_NAME
+inherit distro_features_check
 
 OSTREE_KERNEL ??= "${KERNEL_IMAGETYPE}"
-
+OSTREE_ROOTFS ??= "${WORKDIR}/ostree-rootfs"
 OSTREE_COMMIT_SUBJECT ??= "Commit-id: ${IMAGE_NAME}"
 OSTREE_COMMIT_BODY ??= ""
 OSTREE_UPDATE_SUMMARY ??= "0"
 
-export SYSTEMD_USED = "${@oe.utils.ifelse(d.getVar('VIRTUAL-RUNTIME_init_manager', True) == 'systemd', 'true', '')}"
+BUILD_OSTREE_TARBALL ??= "1"
 
-IMAGE_CMD_ostree () {
-    if [ -z "$OSTREE_REPO" ]; then
-        bbfatal "OSTREE_REPO should be set in your local.conf"
-    fi
+SYSTEMD_USED = "${@oe.utils.ifelse(d.getVar('VIRTUAL-RUNTIME_init_manager', True) == 'systemd', 'true', '')}"
 
-    if [ -z "$OSTREE_BRANCHNAME" ]; then
-        bbfatal "OSTREE_BRANCHNAME should be set in your local.conf"
-    fi
+IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
+CONVERSION_CMD_tar = "touch ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}; ${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.tar -C ${OTA_IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+CONVERSIONTYPES_append = " tar"
 
-    OSTREE_ROOTFS=`mktemp -du ${WORKDIR}/ostree-root-XXXXX`
-    cp -a ${IMAGE_ROOTFS} ${OSTREE_ROOTFS}
+REQUIRED_DISTRO_FEATURES = "usrmerge"
+OTA_IMAGE_ROOTFS_task-image-ostree = "${OSTREE_ROOTFS}"
+do_image_ostree[dirs] = "${OSTREE_ROOTFS}"
+do_image_ostree[cleandirs] = "${OSTREE_ROOTFS}"
+do_image_ostree[depends] = "coreutils-native:do_populate_sysroot virtual/kernel:do_deploy ${INITRAMFS_IMAGE}:do_image_complete"
+IMAGE_CMD_ostree () {
+    cp -a ${IMAGE_ROOTFS}/* ${OSTREE_ROOTFS}
     chmod a+rx ${OSTREE_ROOTFS}
     sync
 
-    cd ${OSTREE_ROOTFS}
-
     for d in var/*; do
       if [ "${d}" != "var/local" ]; then
         rm -rf ${d}
@@ -53,18 +41,8 @@ IMAGE_CMD_ostree () {
     mkdir -p usr/rootdirs
 
     mv etc usr/
-    # Implement UsrMove
-    dirs="bin sbin lib"
-
-    for dir in ${dirs} ; do
-        if [ -d ${dir} ] && [ ! -L ${dir} ] ; then
-            mv ${dir} usr/rootdirs/
-            rm -rf ${dir}
-            ln -sf usr/rootdirs/${dir} ${dir}
-        fi
-    done
 
-    if [ -n "$SYSTEMD_USED" ]; then
+    if [ -n "${SYSTEMD_USED}" ]; then
         mkdir -p usr/etc/tmpfiles.d
         tmpfiles_conf=usr/etc/tmpfiles.d/00ostree-tmpfiles.conf
         echo "d /var/rootdirs 0755 root root -" >>${tmpfiles_conf}
@@ -100,7 +78,7 @@ IMAGE_CMD_ostree () {
                 bbwarn "Data in /$dir directory is not preserved by OSTree. Consider moving it under /usr"
             fi
 
-            if [ -n "$SYSTEMD_USED" ]; then
+            if [ -n "${SYSTEMD_USED}" ]; then
                 echo "d /var/rootdirs/${dir} 0755 root root -" >>${tmpfiles_conf}
             else
                 echo "mkdir -p /var/rootdirs/${dir}; chown 755 /var/rootdirs/${dir}" >>${tmpfiles_conf}
@@ -112,11 +90,10 @@ IMAGE_CMD_ostree () {
 
     if [ -d root ] && [ ! -L root ]; then
         if [ "$(ls -A root)" ]; then
-            bberror "Data in /root directory is not preserved by OSTree."
-            exit 1
+            bbfatal "Data in /root directory is not preserved by OSTree."
         fi
 
-        if [ -n "$SYSTEMD_USED" ]; then
+        if [ -n "${SYSTEMD_USED}" ]; then
             echo "d /var/roothome 0755 root root -" >>${tmpfiles_conf}
         else
             echo "mkdir -p /var/roothome; chown 755 /var/roothome" >>${tmpfiles_conf}
@@ -126,11 +103,6 @@ IMAGE_CMD_ostree () {
         ln -sf var/roothome root
     fi
 
-    if [ -n "${SOTA_SECONDARY_ECUS}" ]; then
-        mkdir -p var/sota/ecus
-        cp ${SOTA_SECONDARY_ECUS} var/sota/ecus
-    fi
-
     checksum=`sha256sum ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} | cut -f 1 -d " "`
 
     cp ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} boot/vmlinuz-${checksum}
@@ -145,17 +117,12 @@ IMAGE_CMD_ostree () {
 
     # Copy image manifest
     cat ${IMAGE_MANIFEST} | cut -d " " -f1,3 > usr/package.manifest
+}
 
-    cd ${WORKDIR}
-
-    # Create a tarball that can be then commited to OSTree repo
-    OSTREE_TAR=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.ostree.tar.bz2
-    tar -C ${OSTREE_ROOTFS} --xattrs --xattrs-include='*' -cjf ${OSTREE_TAR} .
-    sync
-
-    rm -f ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.rootfs.ostree.tar.bz2
-    ln -s ${IMAGE_NAME}.rootfs.ostree.tar.bz2 ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.rootfs.ostree.tar.bz2
-
+IMAGE_TYPEDEP_ostreecommit = "ostree"
+do_image_ostreecommit[depends] += "ostree-native:do_populate_sysroot"
+do_image_ostreecommit[lockfiles] += "${OSTREE_REPO}/ostree.lock"
+IMAGE_CMD_ostreecommit () {
     if ! ostree --repo=${OSTREE_REPO} refs 2>&1 > /dev/null; then
         ostree --repo=${OSTREE_REPO} init --mode=archive-z2
     fi
@@ -171,11 +138,9 @@ IMAGE_CMD_ostree () {
     if [ "${OSTREE_UPDATE_SUMMARY}" = "1" ]; then
         ostree --repo=${OSTREE_REPO} summary -u
     fi
-
-    rm -rf ${OSTREE_ROOTFS}
 }
 
-IMAGE_TYPEDEP_ostreepush = "ostree"
+IMAGE_TYPEDEP_ostreepush = "ostreecommit"
 do_image_ostreepush[depends] += "aktualizr-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
 IMAGE_CMD_ostreepush () {
     # Print warnings if credetials are not set or if the file has not been found.
@@ -194,7 +159,7 @@ IMAGE_CMD_ostreepush () {
 }
 
 IMAGE_TYPEDEP_garagesign = "ostreepush"
-do_image_garagesign[depends] += "aktualizr-native:do_populate_sysroot"
+do_image_garagesign[depends] += "unzip-native:do_populate_sysroot"
 IMAGE_CMD_garagesign () {
     if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
         # if credentials are issued by a server that doesn't support offline signing, exit silently
@@ -202,11 +167,9 @@ IMAGE_CMD_garagesign () {
 
         java_version=$( java -version 2>&1 | awk -F '"' '/version/ {print $2}' )
         if [ "${java_version}" = "" ]; then
-            bberror "Java is required for synchronization with update backend, but is not installed on the host machine"
-            exit 1
+            bbfatal "Java is required for synchronization with update backend, but is not installed on the host machine"
         elif [ "${java_version}" \< "1.8" ]; then
-            bberror "Java version >= 8 is required for synchronization with update backend"
-            exit 1
+            bbfatal "Java version >= 8 is required for synchronization with update backend"
         fi
 
         rm -rf ${GARAGE_SIGN_REPO}
@@ -240,7 +203,7 @@ IMAGE_CMD_garagesign () {
                                     --length 0 \
                                     --url "${GARAGE_TARGET_URL}" \
                                     --sha256 ${ostree_target_hash} \
-                                    --hardwareids ${MACHINE}
+                                    --hardwareids ${SOTA_HARDWARE_ID}
             garage-sign targets sign --repo tufrepo \
                                      --home-dir ${GARAGE_SIGN_REPO} \
                                      --key-name=targets
@@ -257,14 +220,12 @@ IMAGE_CMD_garagesign () {
         rm -rf ${GARAGE_SIGN_REPO}
 
         if [ "$push_success" -ne "1" ]; then
-            bberror "Couldn't push to garage repository"
-            exit 1
+            bbfatal "Couldn't push to garage repository"
         fi
     fi
 }
 
-IMAGE_TYPEDEP_garagecheck = "ostreepush garagesign"
-do_image_garagecheck[depends] += "aktualizr-native:do_populate_sysroot"
+IMAGE_TYPEDEP_garagecheck = "garagesign"
 IMAGE_CMD_garagecheck () {
     if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
         # if credentials are issued by a server that doesn't support offline signing, exit silently
diff --git a/classes/image_types_ota.bbclass b/classes/image_types_ota.bbclass
index 03fe8d8..9883a68 100644
--- a/classes/image_types_ota.bbclass
+++ b/classes/image_types_ota.bbclass
@@ -1,15 +1,9 @@
 # Image to use with u-boot as BIOS and OSTree deployment system
 
-#inherit image_types
-
 # Boot filesystem size in MiB
 # OSTree updates may require some space on boot file system for
 # boot scripts, kernel and initramfs images
 #
-
-
-do_image_ota_ext4[depends] += "e2fsprogs-native:do_populate_sysroot"
-
 calculate_size () {
         BASE=$1
         SCALE=$2
@@ -43,34 +37,14 @@ calculate_size () {
         echo "${SIZE}"
 }
 
-export OSTREE_OSNAME
-export OSTREE_BRANCHNAME
-export OSTREE_REPO
-export OSTREE_BOOTLOADER
-
-export GARAGE_TARGET_NAME
-
-export OTA_SYSROOT="${WORKDIR}/ota-sysroot"
-
-## Common OTA image setup
-fakeroot do_otasetup () {
-        
-        if [ -z "$OSTREE_REPO" ]; then
-                bbfatal "OSTREE_REPO should be set in your local.conf"
-        fi
-
-        if [ -z "$OSTREE_OSNAME" ]; then
-                bbfatal "OSTREE_OSNAME should be set in your local.conf"
-        fi
-
-        if [ -z "$OSTREE_BRANCHNAME" ]; then
-                bbfatal "OSTREE_BRANCHNAME should be set in your local.conf"
-        fi
-
-        # HaX! Since we are using a peristent directory, we need to be sure to clean it on run.
-        mkdir -p ${OTA_SYSROOT}
-        rm -rf ${OTA_SYSROOT}/*
-
+OTA_SYSROOT = "${WORKDIR}/ota-sysroot"
+OTA_IMAGE_ROOTFS_task-image-ota = "${OTA_SYSROOT}"
+IMAGE_TYPEDEP_ota = "ostreecommit"
+do_image_ota[dirs] = "${OTA_SYSROOT}"
+do_image_ota[cleandirs] = "${OTA_SYSROOT}"
+do_image_ota[depends] = "${@'grub:do_populate_sysroot' if d.getVar('OSTREE_BOOTLOADER', True) == 'grub' else ''} \
+                         ${@'virtual/bootloader:do_deploy' if d.getVar('OSTREE_BOOTLOADER', True) == 'u-boot' else ''}"
+IMAGE_CMD_ota () {
         ostree admin --sysroot=${OTA_SYSROOT} init-fs ${OTA_SYSROOT}
         ostree admin --sysroot=${OTA_SYSROOT} os-init ${OSTREE_OSNAME}
         mkdir -p ${OTA_SYSROOT}/boot/loader.0
@@ -82,13 +56,12 @@ fakeroot do_otasetup () {
         elif [ "${OSTREE_BOOTLOADER}" = "u-boot" ]; then
                 touch ${OTA_SYSROOT}/boot/loader/uEnv.txt
         else
-                bberror "Invalid bootloader: ${OSTREE_BOOTLOADER}"
-        fi;
+                bbfatal "Invalid bootloader: ${OSTREE_BOOTLOADER}"
+        fi
 
         ostree_target_hash=$(cat ${OSTREE_REPO}/refs/heads/${OSTREE_BRANCHNAME})
 
         ostree --repo=${OTA_SYSROOT}/ostree/repo pull-local --remote=${OSTREE_OSNAME} ${OSTREE_REPO} ${ostree_target_hash}
-        export OSTREE_BOOT_PARTITION="/boot"
         kargs_list=""
         for arg in ${OSTREE_KERNEL_ARGS}; do
                 kargs_list="${kargs_list} --karg-append=$arg"
@@ -96,19 +69,14 @@ fakeroot do_otasetup () {
 
         ostree admin --sysroot=${OTA_SYSROOT} deploy ${kargs_list} --os=${OSTREE_OSNAME} ${ostree_target_hash}
 
-        # Copy deployment /home and /var/sota to sysroot
-        HOME_TMP=`mktemp -d ${WORKDIR}/home-tmp-XXXXX`
-
-        tar --xattrs --xattrs-include='*' -C ${HOME_TMP} -xf ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.rootfs.ostree.tar.bz2 ./usr/homedirs ./var/local || true
-
         cp -a ${IMAGE_ROOTFS}/var/sota ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
         # Create /var/sota if it doesn't exist yet
         mkdir -p ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
         # Ensure the permissions are correctly set
         chmod 700 ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
 
-        mv ${HOME_TMP}/var/local ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
-        mv ${HOME_TMP}/usr/homedirs/home ${OTA_SYSROOT}/ || true
+        cp -a ${OSTREE_ROOTFS}/var/local ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
+        cp -a ${OSTREE_ROOTFS}/usr/homedirs/home ${OTA_SYSROOT}/ || true
         # Ensure that /var/local exists (AGL symlinks /usr/local to /var/local)
         install -d ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/local
         # Set package version for the first deployment
@@ -120,38 +88,26 @@ fakeroot do_otasetup () {
         fi
         mkdir -p ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import
         echo "{\"${ostree_target_hash}\":\"${GARAGE_TARGET_NAME}-${target_version}\"}" > ${OTA_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import/installed_versions
-        echo "All done. Cleaning up dir: ${HOME_TMP}"
-        rm -rf ${HOME_TMP}
 }
 
+IMAGE_TYPEDEP_ota-ext4 = "ota"
+do_image_ota_ext4[depends] = "e2fsprogs-native:do_populate_sysroot"
 IMAGE_CMD_ota-ext4 () {
         # Calculate image type
-        OTA_ROOTFS_SIZE=$(calculate_size `du -ks $OTA_SYSROOT | cut -f 1`  "${IMAGE_OVERHEAD_FACTOR}" "${IMAGE_ROOTFS_SIZE}" "${IMAGE_ROOTFS_MAXSIZE}" `expr ${IMAGE_ROOTFS_EXTRA_SPACE}` "${IMAGE_ROOTFS_ALIGNMENT}")
+        OTA_ROOTFS_SIZE=$(calculate_size `du -ks ${OTA_SYSROOT} | cut -f 1`  "${IMAGE_OVERHEAD_FACTOR}" "${IMAGE_ROOTFS_SIZE}" "${IMAGE_ROOTFS_MAXSIZE}" `expr ${IMAGE_ROOTFS_EXTRA_SPACE}` "${IMAGE_ROOTFS_ALIGNMENT}")
 
-        if [ $OTA_ROOTFS_SIZE -lt 0 ]; then
+        if [ ${OTA_ROOTFS_SIZE} -lt 0 ]; then
                 bbfatal "create_ota failed to calculate OTA rootfs size!"
         fi
 
         eval local COUNT=\"0\"
         eval local MIN_COUNT=\"60\"
-        if [ $OTA_ROOTFS_SIZE -lt $MIN_COUNT ]; then
-                eval COUNT=\"$MIN_COUNT\"
+        if [ ${OTA_ROOTFS_SIZE} -lt ${MIN_COUNT} ]; then
+                eval COUNT=\"${MIN_COUNT}\"
         fi
 
-        dd if=/dev/zero of=${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.ota-ext4 seek=${OTA_ROOTFS_SIZE} count=$COUNT bs=1024
+        dd if=/dev/zero of=${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.ota-ext4 seek=${OTA_ROOTFS_SIZE} count=${COUNT} bs=1024
         mkfs.ext4 -O ^64bit ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.ota-ext4 -L otaroot -d ${OTA_SYSROOT}
 }
 
-IMAGE_CMD_ota-tar () {
-        tar -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.ota-tar -C ${OTA_SYSROOT} .
-}
-
-do_otasetup[doc] = "Sets up the base ota rootfs used for subsequent image generation"
-do_otasetup[depends] += "virtual/fakeroot-native:do_populate_sysroot \
-                        ${@'grub:do_populate_sysroot' if d.getVar('OSTREE_BOOTLOADER', True) == 'grub' else ''} \
-                        ${@'virtual/bootloader:do_deploy' if d.getVar('OSTREE_BOOTLOADER', True) == 'u-boot' else ''}"
-
-addtask do_otasetup after do_image_ostree before do_image_ota_ext4 do_image_ota_tar
-
-IMAGE_TYPEDEP_ota-ext4 = "ostree"
-IMAGE_TYPEDEP_ota-tar = "ostree"
+do_image_wic[depends] += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', '%s:do_image_ota_ext4' % d.getVar('IMAGE_BASENAME', True), '', d)}"
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index 98cc3de..93f59eb 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -1,9 +1,3 @@
-export BUILD_OTA_TARBALL
-python __anonymous() {
-    if bb.utils.contains('DISTRO_FEATURES', 'sota', True, False, d):
-        d.appendVarFlag("do_image_wic", "depends", " %s:do_image_ota_ext4" % d.getVar("IMAGE_BASENAME", True))
-}
-
 OVERRIDES .= "${@bb.utils.contains('DISTRO_FEATURES', 'sota', ':sota', '', d)}"
 
 HOSTTOOLS_NONFATAL += "java"
@@ -11,12 +5,14 @@ HOSTTOOLS_NONFATAL += "java"
 SOTA_CLIENT ??= "aktualizr"
 SOTA_CLIENT_PROV ??= "aktualizr-auto-prov"
 SOTA_DEPLOY_CREDENTIALS ?= "1"
+SOTA_HARDWARE_ID ??= "${MACHINE}"
 
 IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}"
 IMAGE_CLASSES += " image_types_ostree image_types_ota"
 
 IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush garagesign garagecheck ota-ext4 wic', ' ', d)}"
-IMAGE_FSTYPES += "${@bb.utils.contains('BUILD_OTA_TARBALL', '1', 'ota-tar ota-tar.xz', ' ', d)}"
+IMAGE_FSTYPES += "${@bb.utils.contains('BUILD_OSTREE_TARBALL', '1', 'ostree.tar.bz2', ' ', d)}"
+IMAGE_FSTYPES += "${@bb.utils.contains('BUILD_OTA_TARBALL', '1', 'ota.tar.xz', ' ', d)}"
 
 PACKAGECONFIG_append_pn-curl = " ssl"
 PACKAGECONFIG_remove_pn-curl = "gnutls"
@@ -28,11 +24,13 @@ EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native
 INITRAMFS_FSTYPES ??= "${@oe.utils.ifelse(d.getVar('OSTREE_BOOTLOADER', True) == 'u-boot', 'cpio.gz.u-boot', 'cpio.gz')}"
 
 # Please redefine OSTREE_REPO in order to have a persistent OSTree repo
-OSTREE_REPO ?= "${DEPLOY_DIR_IMAGE}/ostree_repo"
-OSTREE_BRANCHNAME ?= "${MACHINE}"
-OSTREE_OSNAME ?= "poky"
+export OSTREE_REPO ?= "${DEPLOY_DIR_IMAGE}/ostree_repo"
+export OSTREE_BRANCHNAME ?= "${SOTA_HARDWARE_ID}"
+export OSTREE_OSNAME ?= "poky"
+export OSTREE_BOOTLOADER ??= 'u-boot'
+export OSTREE_BOOT_PARTITION ??= "/boot"
+
 INITRAMFS_IMAGE ?= "initramfs-ostree-image"
-OSTREE_BOOTLOADER ??= 'u-boot'
 
 GARAGE_SIGN_REPO ?= "${DEPLOY_DIR_IMAGE}/garage_sign_repo"
 GARAGE_SIGN_KEYNAME ?= "garage-key"
@@ -48,6 +46,7 @@ SOTA_MACHINE_intel-corei7-64 ?= "minnowboard"
 SOTA_MACHINE_qemux86-64 ?= "qemux86-64"
 SOTA_MACHINE_am335x-evm ?= "am335x-evm-wifi"
 
-inherit sota_${SOTA_MACHINE}
+SOTA_OVERRIDES_BLACKLIST = "ostree ota"
+SOTA_REQUIRED_VARIABLES = "OSTREE_REPO OSTREE_BRANCHNAME OSTREE_OSNAME OSTREE_BOOTLOADER OSTREE_BOOT_PARTITION GARAGE_SIGN_REPO GARAGE_TARGET_NAME"
 
-inherit image_repo_manifest
+inherit sota_sanity sota_${SOTA_MACHINE} image_repo_manifest
diff --git a/classes/sota_sanity.bbclass b/classes/sota_sanity.bbclass
new file mode 100644
index 0000000..e47de19
--- /dev/null
+++ b/classes/sota_sanity.bbclass
@@ -0,0 +1,54 @@
+# Sanity check the sota setup for common misconfigurations
+
+def sota_check_overrides(status, d):
+    for var in (d.getVar('SOTA_OVERRIDES_BLACKLIST', True) or "").split():
+        if var in d.getVar('OVERRIDES', True).split(':'):
+            status.addresult("%s should not be a overrides, because it is a image fstype in updater layer, please check your OVERRIDES setting.\n" % var)
+
+def sota_check_required_variables(status, d):
+    for var in (d.getVar('SOTA_REQUIRED_VARIABLES', True) or "").split():
+        if not d.getVar(var, True):
+            status.addresult("%s should be set in your local.conf.\n" % var)
+
+def sota_raise_sanity_error(msg, d):
+    if d.getVar("SANITY_USE_EVENTS", True) == "1":
+        bb.event.fire(bb.event.SanityCheckFailed(msg), d)
+        return
+
+    bb.fatal("Sota's config sanity checker detected a potential misconfiguration.\n"
+             "Please fix the cause of this error then you can continue to build.\n"
+             "Following is the list of potential problems / advisories:\n"
+             "\n%s" % msg)
+
+def sota_check_sanity(sanity_data):
+    class SanityStatus(object):
+        def __init__(self):
+            self.messages = ""
+            self.reparse = False
+
+        def addresult(self, message):
+            if message:
+                self.messages = self.messages + message
+
+    status = SanityStatus()
+
+    sota_check_overrides(status, sanity_data)
+    sota_check_required_variables(status, sanity_data)
+
+    if status.messages != "":
+        sota_raise_sanity_error(sanity_data.expand(status.messages), sanity_data)
+
+addhandler sota_check_sanity_eventhandler
+sota_check_sanity_eventhandler[eventmask] = "bb.event.SanityCheck"
+
+python sota_check_sanity_eventhandler() {
+    if bb.event.getName(e) == "SanityCheck":
+        sanity_data = copy_data(e)
+        if e.generateevents:
+            sanity_data.setVar("SANITY_USE_EVENTS", "1")
+        reparse = sota_check_sanity(sanity_data)
+        e.data.setVar("BB_INVALIDCONF", reparse)
+        bb.event.fire(bb.event.SanityCheckPassed(), e.data)
+
+    return
+}
diff --git a/conf/distro/sota.conf.inc b/conf/distro/sota.conf.inc
index ea1ca95..8de9597 100644
--- a/conf/distro/sota.conf.inc
+++ b/conf/distro/sota.conf.inc
@@ -4,7 +4,7 @@
 #
 # require conf/distro/sota.conf.inc
 
-DISTRO_FEATURES_append = " sota"
+DISTRO_FEATURES_append = " sota usrmerge"
 DISTRO_FEATURES_NATIVE_append = " sota"
 INHERIT += " sota"
 # Prelinking increases the size of downloads and causes build errors
diff --git a/lib/oeqa/selftest/cases/updater.py b/lib/oeqa/selftest/cases/updater.py
index e4b2fa5..92bf6fc 100644
--- a/lib/oeqa/selftest/cases/updater.py
+++ b/lib/oeqa/selftest/cases/updater.py
@@ -36,6 +36,10 @@ class GeneralTests(OESelftestTestCase):
         result = get_bb_var('DISTRO_FEATURES').find('sota')
         self.assertNotEqual(result, -1, 'Feature "sota" not set at DISTRO_FEATURES')
 
+    def test_feature_usrmerge(self):
+        result = get_bb_var('DISTRO_FEATURES').find('usrmerge')
+        self.assertNotEqual(result, -1, 'Feature "sota" not set at DISTRO_FEATURES')
+
     def test_feature_systemd(self):
         result = get_bb_var('DISTRO_FEATURES').find('systemd')
         self.assertNotEqual(result, -1, 'Feature "systemd" not set at DISTRO_FEATURES')
@@ -103,7 +107,7 @@ class AktualizrToolsTests(OESelftestTestCase):
         bitbake('aktualizr-native')
 
     def test_cert_provider_help(self):
-        akt_native_run(self, 'aktualizr_cert_provider --help')
+        akt_native_run(self, 'aktualizr-cert-provider --help')
 
     def test_cert_provider_local_output(self):
         logger = logging.getLogger("selftest")
@@ -115,7 +119,7 @@ class AktualizrToolsTests(OESelftestTestCase):
         bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov')
         config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml'
 
-        akt_native_run(self, 'aktualizr_cert_provider -c {creds} -r -l {temp} -g {config}'
+        akt_native_run(self, 'aktualizr-cert-provider -c {creds} -r -l {temp} -g {config}'
                        .format(creds=creds, temp=temp_dir, config=config))
 
         # Might be nice if these names weren't hardcoded.
@@ -285,9 +289,9 @@ class RpiTests(OESelftestTestCase):
 
     def test_rpi(self):
         logger = logging.getLogger("selftest")
-        logger.info('Running bitbake to build rpi-basic-image')
+        logger.info('Running bitbake to build core-image-minimal')
         self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"')
-        bitbake('rpi-basic-image')
+        bitbake('core-image-minimal')
         credentials = get_bb_var('SOTA_PACKED_CREDENTIALS')
         # Skip the test if the variable SOTA_PACKED_CREDENTIALS is not set.
         if credentials is None:
@@ -295,7 +299,7 @@ class RpiTests(OESelftestTestCase):
         # Check if the file exists.
         self.assertTrue(os.path.isfile(credentials), "File %s does not exist" % credentials)
         deploydir = get_bb_var('DEPLOY_DIR_IMAGE')
-        imagename = get_bb_var('IMAGE_LINK_NAME', 'rpi-basic-image')
+        imagename = get_bb_var('IMAGE_LINK_NAME', 'core-image-minimal')
         # Check if the credentials are included in the output image.
         result = runCmd('tar -jtvf %s/%s.tar.bz2 | grep sota_provisioning_credentials.zip' %
                         (deploydir, imagename), ignore_status=True)
@@ -424,14 +428,14 @@ class ImplProvTests(OESelftestTestCase):
         self.assertIn(b'Fetched metadata: no', stdout,
                       'Device already provisioned!? ' + stderr.decode() + stdout.decode())
 
-        # Run cert_provider.
+        # Run aktualizr-cert-provider.
         bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
         creds = bb_vars['SOTA_PACKED_CREDENTIALS']
         bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov')
         config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml'
 
         print('Provisining at root@localhost:%d' % self.qemu.ssh_port)
-        akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -s -u -r -g {config}'
+        akt_native_run(self, 'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -s -u -r -g {config}'
                        .format(creds=creds, port=self.qemu.ssh_port, config=config))
 
         verifyProvisioned(self, machine)
@@ -509,13 +513,13 @@ class HsmTests(OESelftestTestCase):
         self.assertNotEqual(retcode, 0, 'softhsm2-tool succeeded before initialization: ' +
                         stdout.decode() + stderr.decode())
 
-        # Run cert_provider.
+        # Run aktualizr-cert-provider.
         bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
         creds = bb_vars['SOTA_PACKED_CREDENTIALS']
         bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-hsm-prov')
         config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_hsm_prov.toml'
 
-        akt_native_run(self, 'aktualizr_cert_provider -c {creds} -t root@localhost -p {port} -r -s -u -g {config}'
+        akt_native_run(self, 'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -r -s -u -g {config}'
                        .format(creds=creds, port=self.qemu.ssh_port, config=config))
 
         # Verify that HSM is able to initialize.
@@ -655,7 +659,13 @@ def qemu_launch(efi=False, machine=None, imagename=None):
     args.dir = 'tmp/deploy/images'
     args.efi = efi
     args.machine = machine
-    args.kvm = None  # Autodetect
+    qemu_use_kvm = get_bb_var("QEMU_USE_KVM")
+    if qemu_use_kvm and \
+       (qemu_use_kvm == 'True' and 'x86' in machine or \
+        get_bb_var('MACHINE') in qemu_use_kvm.split()):
+        args.kvm = True
+    else:
+        args.kvm = None  # Autodetect
     args.no_gui = True
     args.gdb = False
     args.pcap = None
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
index 01f21fa..f506cab 100644
--- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
@@ -12,7 +12,6 @@ PR = "6"
 
 SRC_URI = ""
 
-require environment.inc
 require credentials.inc
 
 do_install() {
@@ -30,7 +29,6 @@ do_install() {
     fi
 
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0700 -d ${D}${localstatedir}/sota
     aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)}
 
     install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/${aktualizr_toml} \
@@ -40,8 +38,6 @@ do_install() {
 FILES_${PN} = " \
                 ${libdir}/sota/conf.d \
                 ${libdir}/sota/conf.d/20-${aktualizr_toml} \
-                ${localstatedir}/sota \
-                ${localstatedir}/sota/sota_provisioning_credentials.zip \
                 "
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
index a729e6b..7420983 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
@@ -21,11 +21,11 @@ do_install() {
             SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
             SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
             mkdir -p ${DEPLOY_DIR_IMAGE}/CA
-            bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
+            bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
 
             if [ ! -f ${SOTA_CACERT_PATH} ]; then
                 bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
-                SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
+                SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
                 openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
                 openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
                 bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
@@ -33,13 +33,13 @@ do_install() {
         fi
 
         if [ -z ${SOTA_CAKEY_PATH} ]; then
-            bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
+            bbfatal "SOTA_CAKEY_PATH should be set when using implicit provisioning"
         fi
 
         install -m 0700 -d ${D}${localstatedir}/sota
-        aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
-                                --device-ca ${SOTA_CACERT_PATH} \
-                                --device-ca-key ${SOTA_CAKEY_PATH} \
+        aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
+                                --fleet-ca ${SOTA_CACERT_PATH} \
+                                --fleet-ca-key ${SOTA_CAKEY_PATH} \
                                 --root-ca \
                                 --server-url \
                                 --local ${D} \
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
index 2763185..5893ed2 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -15,7 +15,6 @@ RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOT
 PV = "1.0"
 PR = "1"
 
-require environment.inc
 require credentials.inc
 
 do_install() {
diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
index e915046..7947edd 100644
--- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
@@ -12,7 +12,6 @@ SRC_URI = ""
 PV = "1.0"
 PR = "6"
 
-require environment.inc
 require credentials.inc
 
 do_install() {
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 50a9f16..d49f28c 100755
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -27,7 +27,7 @@ SRC_URI = " \
   file://aktualizr-serialcan.service \
   "
 
-SRCREV = "3c1c77c005fc1f872f1e12080528ed6f8a32bbf3"
+SRCREV = "d00d1a04cc2366d1a5f143b84b9f507f8bd32c44"
 BRANCH ?= "master"
 
 S = "${WORKDIR}/git"
@@ -69,6 +69,21 @@ do_install_append () {
     install -m 0644 ${WORKDIR}/aktualizr-secondary.service ${D}${systemd_unitdir}/system/aktualizr-secondary.service
     install -m 0700 -d ${D}${libdir}/sota/conf.d
     install -m 0700 -d ${D}${sysconfdir}/sota/conf.d
+
+    if [ -n "${SOTA_HARDWARE_ID}" ]; then
+        echo "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml
+    fi
+
+    if [ -n "${SOTA_SECONDARY_CONFIG_DIR}" ]; then
+        if [ -d "${SOTA_SECONDARY_CONFIG_DIR}" ]; then
+            install -m 0700 -d ${D}${sysconfdir}/sota/ecus
+            install -m 0644 "${SOTA_SECONDARY_CONFIG_DIR}"/* ${D}${sysconfdir}/sota/ecus/
+            echo "[uptane]\nsecondary_configs_dir = /etc/sota/ecus/\n" > ${D}${libdir}/sota/conf.d/30-secondary-configs-dir.toml
+        else
+            bbwarn "SOTA_SECONDARY_CONFIG_DIR is set to an invalid directory (${SOTA_SECONDARY_CONFIG_DIR})"
+        fi
+    fi
+
 }
 
 do_install_append_class-target () {
@@ -91,15 +106,16 @@ FILES_${PN} = " \
                 ${systemd_unitdir}/system/aktualizr.service \
                 ${libdir}/sota/conf.d \
                 ${sysconfdir}/sota/conf.d \
+                ${sysconfdir}/sota/ecus/* \
                 "
 
 FILES_${PN}-examples = " \
-                ${bindir}/hmi_stub \
+                ${bindir}/hmi-stub \
                 "
 
 FILES_${PN}-host-tools = " \
                 ${bindir}/aktualizr-repo \
-                ${bindir}/aktualizr_cert_provider \
+                ${bindir}/aktualizr-cert-provider \
                 ${bindir}/garage-deploy \
                 ${bindir}/garage-push \
                 ${libdir}/sota/sota_autoprov.toml \
diff --git a/recipes-sota/aktualizr/environment.inc b/recipes-sota/aktualizr/environment.inc
deleted file mode 100644
index 16e789e..0000000
--- a/recipes-sota/aktualizr/environment.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-export SOTA_VIRTUAL_SECONDARIES
-
-do_install_append() {
-  for sec in ${SOTA_VIRTUAL_SECONDARIES}; do
-    AKTUALIZR_PARAMETERS_VIRTUALSECS="${AKTUALIZR_PARAMETERS_VIRTUALSECS} --secondary-config $sec"
-  done
-
-  echo "AKTUALIZR_CMDLINE_PARAMETERS=${AKTUALIZR_PARAMETERS_VIRTUALSECS}" > ${D}${libdir}/sota/sota.env
-}
-
-FILES_${PN}_append = " ${libdir}/sota/sota.env"
diff --git a/recipes-sota/aktualizr/files/aktualizr-secondary.service b/recipes-sota/aktualizr/files/aktualizr-secondary.service
index a1e0e1b..9628ee3 100644
--- a/recipes-sota/aktualizr/files/aktualizr-secondary.service
+++ b/recipes-sota/aktualizr/files/aktualizr-secondary.service
@@ -4,6 +4,5 @@ Description=Aktualizr SOTA Client (UPTANE Secondary)
 [Service]
 RestartSec=10
 Restart=always
-EnvironmentFile=-/etc/sota/sota.env
 ExecStart=/usr/bin/aktualizr-secondary --config /usr/lib/sota/sota_secondary.toml
 
diff --git a/recipes-sota/aktualizr/files/aktualizr.service b/recipes-sota/aktualizr/files/aktualizr.service
index 6de4474..726809e 100644
--- a/recipes-sota/aktualizr/files/aktualizr.service
+++ b/recipes-sota/aktualizr/files/aktualizr.service
@@ -5,8 +5,6 @@ After=network.target
 [Service]
 RestartSec=10
 Restart=always
-EnvironmentFile=/usr/lib/sota/sota.env
-EnvironmentFile=-/etc/sota/sota.env
 ExecStart=/usr/bin/aktualizr $AKTUALIZR_CMDLINE_PARAMETERS
 
 [Install]
diff --git a/scripts/find_aktualizr_dependencies.sh b/scripts/find_aktualizr_dependencies.sh
index 786d8a9..986b541 100755
--- a/scripts/find_aktualizr_dependencies.sh
+++ b/scripts/find_aktualizr_dependencies.sh
@@ -11,11 +11,12 @@ parentdir="$(dirname "$0")"
 # those are common dependencies not enabled by default.
 ${parentdir}/find_dependencies.py aktualizr
 ${parentdir}/find_dependencies.py aktualizr-auto-prov
-${parentdir}/find_dependencies.py aktualizr-implicit-prov
+${parentdir}/find_dependencies.py aktualizr-auto-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-ca-implicit-prov
+${parentdir}/find_dependencies.py aktualizr-ca-implicit-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-hsm-prov
+${parentdir}/find_dependencies.py aktualizr-hsm-prov-creds
 ${parentdir}/find_dependencies.py aktualizr-disable-send-ip
-${parentdir}/find_dependencies.py aktualizr-example-interface
 ${parentdir}/find_dependencies.py aktualizr-log-debug
 ${parentdir}/find_dependencies.py libp11
 ${parentdir}/find_dependencies.py dpkg