35 files changed, 478 insertions, 188 deletions

diff --git a/README.adoc b/README.adoc
index 01f1c85..5c4e5bc 100644
--- a/README.adoc
+++ b/README.adoc
@@ -87,11 +87,12 @@ Your images will also need network connectivity to be able to reach an actual OT
 * `GARAGE_SIGN_AUTOVERSION` - Set this to '1' to automatically fetch the last version of the garage tools installed by the aktualizr-native. Otherwise use the fixed version specified in the recipe.
 * `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
 * `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
-* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are https://github.com/advancedtelematic/aktualizr/blob/master/docs/automatic-provisioning.adoc[`aktualizr-auto-prov`], https://github.com/advancedtelematic/aktualizr/blob/master/docs/implicit-provisioning.adoc[`aktualizr-ca-implicit-prov`], and https://github.com/advancedtelematic/aktualizr/blob/master/docs/hsm-provisioning.adoc[`aktualizr-hsm-prov`]. The default is `aktualizr-auto-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
+* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are `aktualizr-shared-prov`, `aktualizr-device-prov`, and `aktualizr-device-prov-hsm`. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-shared-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
 * `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).
 * `SOTA_SECONDARY_CONFIG_DIR` - a directory containing JSON configuration files for virtual secondaries on the host. These will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr.
 * `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set.
 * `RESOURCE_xxx_pn-aktualizr` - controls maximum resource usage of the aktualizr service, when `aktualizr-resource-control` is installed on the image. See <<aktualizr service resource control>> for details.
+* `SOTA_POLLING_SEC` - sets polling interval for aktualizr to check for updates if aktualizr-polling-sec is included in the image.
 
 == Usage
 
@@ -248,13 +249,13 @@ The aktualizr ptests can be run via oe-selftest with `oe-selftest -r updater_qem
 
 As described in <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section you can set `SOTA_DEPLOY_CREDENTIALS` to `0` to prevent deploying credentials to the built `wic` image. In this case you get a generic image that you can use e.g. on a production line to flash a series of devices. The cost of this approach is that this image is half-baked and should be provisioned before it can connect to the backend.
 
-Provisioning procedure depends on your provisioning recipe, i.e. the value of `SOTA_CLIENT_PROV` (equal to `aktualizr-auto-prov` by default):
+Provisioning procedure depends on your provisioning recipe, i.e. the value of `SOTA_CLIENT_PROV` (equal to `aktualizr-shared-prov` by default):
 
-* For `aktualizr-auto-prov` put your `credentials.zip` to `/var/sota/sota_provisioning_credentials.zip` on the filesystem of a running device. If you have the filesystem of our device mounted to your build machine, prefix all paths with `/ostree/deploy/poky` as in `/ostree/deploy/poky/var/sota/sota_provisioning_credentials.zip`.
-* For `aktualizr-ca-implicit-prov`
+* For `aktualizr-shared-prov` put your `credentials.zip` to `/var/sota/sota_provisioning_credentials.zip` on the filesystem of a running device. If you have the filesystem of our device mounted to your build machine, prefix all paths with `/ostree/deploy/poky` as in `/ostree/deploy/poky/var/sota/sota_provisioning_credentials.zip`.
+* For `aktualizr-device-prov`
 ** put URL to the backend server (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive.
 ** put client certificate, private key and root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/client.pem`, `/var/sota/import/pkey.pem` and `/var/sota/import/root.crt` respectively.
-* For  `aktualizr-hsm-prov`
+* For  `aktualizr-device-prov-hsm`
 ** put URL to the server backend (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive.
 ** put root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/root.crt`.
 ** put client certificate and private key to slots 1 and 2 of the PKCS#11-compatible device.
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index cb00a80..82278b2 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -3,15 +3,29 @@ python __anonymous() {
         d.appendVarFlag("do_image_wic", "depends", " %s:do_image_otaimg" % d.getVar("IMAGE_BASENAME", True))
 }
 
-OVERRIDES .= "${@bb.utils.contains('DISTRO_FEATURES', 'sota', ':sota', '', d)}"
+DISTROOVERRIDES .= "${@bb.utils.contains('DISTRO_FEATURES', 'sota', ':sota', '', d)}"
 
 HOSTTOOLS_NONFATAL += "java"
 
 SOTA_CLIENT ??= "aktualizr"
-SOTA_CLIENT_PROV ??= "aktualizr-auto-prov"
+SOTA_CLIENT_PROV ??= "aktualizr-shared-prov"
 SOTA_DEPLOY_CREDENTIALS ?= "1"
 SOTA_HARDWARE_ID ??= "${MACHINE}"
 
+# Translate old provisioning recipe names into the new versions.
+python () {
+    prov = d.getVar("SOTA_CLIENT_PROV")
+    if prov == "aktualizr-auto-prov":
+        bb.warn('aktualizr-auto-prov is deprecated. Please use aktualizr-shared-prov instead.')
+        d.setVar("SOTA_CLIENT_PROV", "aktualizr-shared-prov")
+    elif prov == "aktualizr-ca-implicit-prov":
+        bb.warn('aktualizr-ca-implicit-prov is deprecated. Please use aktualizr-device-prov instead.')
+        d.setVar("SOTA_CLIENT_PROV", "aktualizr-device-prov")
+    elif prov == "aktualizr-hsm-prov":
+        bb.warn('aktualizr-hsm-prov is deprecated. Please use aktualizr-device-prov-hsm instead.')
+        d.setVar("SOTA_CLIENT_PROV", "aktualizr-device-prov-hsm")
+}
+
 IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}"
 IMAGE_CLASSES += " image_types_ostree image_types_ota"
 IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush garagesign garagecheck otaimg wic', ' ', d)}"
diff --git a/lib/oeqa/selftest/cases/testutils.py b/lib/oeqa/selftest/cases/testutils.py
index 2ad99ad..f8b1904 100644
--- a/lib/oeqa/selftest/cases/testutils.py
+++ b/lib/oeqa/selftest/cases/testutils.py
@@ -7,49 +7,57 @@ from time import sleep
 from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
 from qemucommand import QemuCommand
 
+logger = logging.getLogger("selftest")
 
-def qemu_launch(efi=False, machine=None, imagename=None):
-    logger = logging.getLogger("selftest")
-    if imagename is None:
-        imagename = 'core-image-minimal'
-    logger.info('Running bitbake to build {}'.format(imagename))
-    bitbake(imagename)
+
+def qemu_launch(efi=False, machine=None, imagename='core-image-minimal', **kwargs):
+    qemu_bake_image(imagename)
+    return qemu_boot_image(efi=efi, machine=machine, imagename=imagename, **kwargs)
+
+
+def qemu_terminate(s):
+    try:
+        s.terminate()
+        s.wait(timeout=10)
+    except KeyboardInterrupt:
+        pass
+
+
+def qemu_boot_image(imagename, **kwargs):
     # Create empty object.
     args = type('', (), {})()
     args.imagename = imagename
-    args.mac = None
+    args.mac = kwargs.get('mac', None)
     # Could use DEPLOY_DIR_IMAGE here but it's already in the machine
     # subdirectory.
     args.dir = 'tmp/deploy/images'
-    args.efi = efi
-    args.machine = machine
+    args.efi = kwargs.get('efi', False)
+    args.machine = kwargs.get('machine', None)
     qemu_use_kvm = get_bb_var("QEMU_USE_KVM")
     if qemu_use_kvm and \
-            (qemu_use_kvm == 'True' and 'x86' in machine or
+            (qemu_use_kvm == 'True' and 'x86' in args.machine or
              get_bb_var('MACHINE') in qemu_use_kvm.split()):
         args.kvm = True
     else:
         args.kvm = None  # Autodetect
-    args.no_gui = True
-    args.gdb = False
-    args.pcap = None
-    args.overlay = None
-    args.dry_run = False
-    args.secondary_network = False
+    args.no_gui = kwargs.get('no_gui', True)
+    args.gdb = kwargs.get('gdb', False)
+    args.pcap = kwargs.get('pcap', None)
+    args.overlay = kwargs.get('overlay', None)
+    args.dry_run = kwargs.get('dry_run', False)
+    args.secondary_network = kwargs.get('secondary_network', False)
 
     qemu = QemuCommand(args)
     cmdline = qemu.command_line()
     print('Booting image with run-qemu-ota...')
     s = subprocess.Popen(cmdline)
-    sleep(10)
+    sleep(kwargs.get('wait_for_boot_time', 10))
     return qemu, s
 
 
-def qemu_terminate(s):
-    try:
-        s.terminate()
-    except KeyboardInterrupt:
-        pass
+def qemu_bake_image(imagename):
+    logger.info('Running bitbake to build {}'.format(imagename))
+    bitbake(imagename)
 
 
 def qemu_send_command(port, command, timeout=60):
@@ -122,7 +130,6 @@ def verifyProvisioned(testInst, machine):
     m = p.search(stdout.decode())
     testInst.assertTrue(m, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
     testInst.assertGreater(m.lastindex, 0, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
-    logger = logging.getLogger("selftest")
     logger.info('Device successfully provisioned with ID: ' + m.group(1))
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/lib/oeqa/selftest/cases/updater_minnowboard.py b/lib/oeqa/selftest/cases/updater_minnowboard.py
index f5df584..267445b 100644
--- a/lib/oeqa/selftest/cases/updater_minnowboard.py
+++ b/lib/oeqa/selftest/cases/updater_minnowboard.py
@@ -29,7 +29,7 @@ class MinnowTests(OESelftestTestCase):
             self.meta_minnow = None
         self.append_config('MACHINE = "intel-corei7-64"')
         self.append_config('OSTREE_BOOTLOADER = "grub"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
         self.qemu, self.s = qemu_launch(efi=True, machine='intel-corei7-64')
 
     def tearDownLocal(self):
diff --git a/lib/oeqa/selftest/cases/updater_qemux86_64.py b/lib/oeqa/selftest/cases/updater_qemux86_64.py
index bad7a87..218d361 100644
--- a/lib/oeqa/selftest/cases/updater_qemux86_64.py
+++ b/lib/oeqa/selftest/cases/updater_qemux86_64.py
@@ -4,18 +4,19 @@ import logging
 import re
 import unittest
 from time import sleep
+from uuid import uuid4
 
 from oeqa.selftest.case import OESelftestTestCase
 from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
 from testutils import qemu_launch, qemu_send_command, qemu_terminate, \
-    akt_native_run, verifyNotProvisioned, verifyProvisioned
+    akt_native_run, verifyNotProvisioned, verifyProvisioned, qemu_bake_image, qemu_boot_image
 
 
 class GeneralTests(OESelftestTestCase):
     def test_credentials(self):
         logger = logging.getLogger("selftest")
         logger.info('Running bitbake to build core-image-minimal')
-        self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"')
+        self.append_config('SOTA_CLIENT_PROV = "aktualizr-shared-prov"')
         bitbake('core-image-minimal')
         credentials = get_bb_var('SOTA_PACKED_CREDENTIALS')
         # skip the test if the variable SOTA_PACKED_CREDENTIALS is not set
@@ -45,13 +46,13 @@ class AktualizrToolsTests(OESelftestTestCase):
 
     def test_cert_provider_local_output(self):
         logger = logging.getLogger("selftest")
-        logger.info('Running bitbake to build aktualizr-ca-implicit-prov')
-        bitbake('aktualizr-ca-implicit-prov')
+        logger.info('Running bitbake to build aktualizr-device-prov')
+        bitbake('aktualizr-device-prov')
         bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'], 'aktualizr-native')
         creds = bb_vars['SOTA_PACKED_CREDENTIALS']
         temp_dir = bb_vars['T']
-        bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov')
-        config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml'
+        bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-device-prov')
+        config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota-device-cred.toml'
 
         akt_native_run(self, 'aktualizr-cert-provider -c {creds} -r -l {temp} -g {config}'
                        .format(creds=creds, temp=temp_dir, config=config))
@@ -68,7 +69,7 @@ class AktualizrToolsTests(OESelftestTestCase):
         self.assertTrue(os.path.getsize(ca_path) > 0, "Client certificate at %s is empty." % ca_path)
 
 
-class AutoProvTests(OESelftestTestCase):
+class SharedCredProvTests(OESelftestTestCase):
 
     def setUpLocal(self):
         layer = "meta-updater-qemux86-64"
@@ -84,7 +85,7 @@ class AutoProvTests(OESelftestTestCase):
         else:
             self.meta_qemu = None
         self.append_config('MACHINE = "qemux86-64"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
         self.qemu, self.s = qemu_launch(machine='qemux86-64')
 
     def tearDownLocal(self):
@@ -126,7 +127,7 @@ class ManualControlTests(OESelftestTestCase):
         else:
             self.meta_qemu = None
         self.append_config('MACHINE = "qemux86-64"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
         self.append_config('SYSTEMD_AUTO_ENABLE_aktualizr = "disable"')
         self.qemu, self.s = qemu_launch(machine='qemux86-64')
 
@@ -154,7 +155,7 @@ class ManualControlTests(OESelftestTestCase):
                       'Aktualizr should have run' + stderr.decode() + stdout.decode())
 
 
-class ImplProvTests(OESelftestTestCase):
+class DeviceCredProvTests(OESelftestTestCase):
 
     def setUpLocal(self):
         layer = "meta-updater-qemux86-64"
@@ -170,9 +171,9 @@ class ImplProvTests(OESelftestTestCase):
         else:
             self.meta_qemu = None
         self.append_config('MACHINE = "qemux86-64"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-ca-implicit-prov "')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-device-prov "')
         self.append_config('SOTA_DEPLOY_CREDENTIALS = "0"')
-        runCmd('bitbake -c cleanall aktualizr aktualizr-ca-implicit-prov')
+        runCmd('bitbake -c cleanall aktualizr aktualizr-device-prov')
         self.qemu, self.s = qemu_launch(machine='qemux86-64')
 
     def tearDownLocal(self):
@@ -200,8 +201,8 @@ class ImplProvTests(OESelftestTestCase):
         # Run aktualizr-cert-provider.
         bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
         creds = bb_vars['SOTA_PACKED_CREDENTIALS']
-        bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-ca-implicit-prov')
-        config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota_implicit_prov_ca.toml'
+        bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'], 'aktualizr-device-prov')
+        config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov['libdir'] + '/sota/sota-device-cred.toml'
 
         print('Provisining at root@localhost:%d' % self.qemu.ssh_port)
         akt_native_run(self, 'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -s -u -r -g {config}'
@@ -210,7 +211,7 @@ class ImplProvTests(OESelftestTestCase):
         verifyProvisioned(self, machine)
 
 
-class HsmTests(OESelftestTestCase):
+class DeviceCredProvHsmTests(OESelftestTestCase):
 
     def setUpLocal(self):
         layer = "meta-updater-qemux86-64"
@@ -226,11 +227,11 @@ class HsmTests(OESelftestTestCase):
         else:
             self.meta_qemu = None
         self.append_config('MACHINE = "qemux86-64"')
-        self.append_config('SOTA_CLIENT_PROV = "aktualizr-hsm-prov"')
+        self.append_config('SOTA_CLIENT_PROV = "aktualizr-device-prov-hsm"')
         self.append_config('SOTA_DEPLOY_CREDENTIALS = "0"')
         self.append_config('SOTA_CLIENT_FEATURES = "hsm"')
         self.append_config('IMAGE_INSTALL_append = " softhsm-testtoken"')
-        runCmd('bitbake -c cleanall aktualizr aktualizr-hsm-prov')
+        runCmd('bitbake -c cleanall aktualizr aktualizr-device-prov-hsm')
         self.qemu, self.s = qemu_launch(machine='qemux86-64')
 
     def tearDownLocal(self):
@@ -268,8 +269,8 @@ class HsmTests(OESelftestTestCase):
         # Run aktualizr-cert-provider.
         bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
         creds = bb_vars['SOTA_PACKED_CREDENTIALS']
-        bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-hsm-prov')
-        config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota_hsm_prov.toml'
+        bb_vars_prov = get_bb_vars(['STAGING_DIR_NATIVE', 'libdir'], 'aktualizr-device-prov-hsm')
+        config = bb_vars_prov['STAGING_DIR_NATIVE'] + bb_vars_prov['libdir'] + '/sota/sota-device-cred-hsm.toml'
 
         akt_native_run(self, 'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -r -s -u -g {config}'
                        .format(creds=creds, port=self.qemu.ssh_port, config=config))
@@ -309,7 +310,91 @@ class HsmTests(OESelftestTestCase):
         verifyProvisioned(self, machine)
 
 
-class SecondaryTests(OESelftestTestCase):
+class IpSecondaryTests(OESelftestTestCase):
+
+    class Image:
+        def __init__(self, imagename, binaryname, machine='qemux86-64', bake=True, **kwargs):
+            self.machine = machine
+            self.imagename = imagename
+            self.boot_kwargs = kwargs
+            self.binaryname = binaryname
+            self.stdout = ''
+            self.stderr = ''
+            self.retcode = 0
+            if bake:
+                self.bake()
+
+        def bake(self):
+            self.configure()
+            qemu_bake_image(self.imagename)
+
+        def send_command(self, cmd):
+            stdout, stderr, retcode = qemu_send_command(self.qemu.ssh_port, cmd, timeout=60)
+            return str(stdout), str(stderr), retcode
+
+        def __enter__(self):
+            self.qemu, self.process = qemu_boot_image(machine=self.machine, imagename=self.imagename,
+                                                      wait_for_boot_time=1, **self.boot_kwargs)
+            # wait until the VM is booted and is SSHable
+            self.wait_till_sshable()
+
+        def __exit__(self, exc_type, exc_val, exc_tb):
+            qemu_terminate(self.process)
+
+        def wait_till_sshable(self):
+            # qemu_send_command tries to ssh into the qemu VM and blocks until it gets there or timeout happens
+            # so it helps us to block q control flow until the VM is booted and a target binary/daemon is running there
+            self.stdout, self.stderr, self.retcode = self.send_command(self.binaryname + ' --help')
+
+        def was_successfully_booted(self):
+            return self.retcode == 0
+
+    class Secondary(Image):
+        def __init__(self, test_ctx):
+            self._test_ctx = test_ctx
+            self.sndry_serial = str(uuid4())
+            self.sndry_hw_id = 'qemux86-64-oeselftest-sndry'
+            self.id = (self.sndry_hw_id, self.sndry_serial)
+            super(IpSecondaryTests.Secondary, self).__init__('secondary-image', 'aktualizr-secondary',
+                                                             secondary_network=True)
+
+        def configure(self):
+            self._test_ctx.append_config('SECONDARY_SERIAL_ID = "{}"'.format(self.sndry_serial))
+            self._test_ctx.append_config('SECONDARY_HARDWARE_ID = "{}"'.format(self.sndry_hw_id))
+
+    class Primary(Image):
+        def __init__(self, test_ctx):
+            self._test_ctx = test_ctx
+            super(IpSecondaryTests.Primary, self).__init__('primary-image', 'aktualizr', secondary_network=True)
+
+        def configure(self):
+            self._test_ctx.append_config('MACHINE = "qemux86-64"')
+            self._test_ctx.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
+
+        def is_ecu_registered(self, ecu_id):
+            max_number_of_tries = 20
+            try_counter = 0
+
+            # aktualizr-info is not always able to load ECU serials from DB
+            # so, let's run it a few times until it actually succeeds
+            while try_counter < max_number_of_tries:
+                device_status = self.get_info()
+                try_counter += 1
+                if device_status.find("load ECU serials") == -1:
+                    break
+                sleep(1)
+
+            if not ((device_status.find(ecu_id[0]) != -1) and (device_status.find(ecu_id[1]) != -1)):
+                return False
+            not_registered_field = "Removed or not registered ecus:"
+            not_reg_start = device_status.find(not_registered_field)
+            return not_reg_start == -1 or (device_status.find(ecu_id[1], not_reg_start) == -1)
+
+        def get_info(self):
+            stdout, stderr, retcode = self.send_command('aktualizr-info')
+            self._test_ctx.assertEqual(retcode, 0, 'Unable to run aktualizr-info: {}'.format(stderr))
+            return stdout
+
     def setUpLocal(self):
         layer = "meta-updater-qemux86-64"
         result = runCmd('bitbake-layers show-layers')
@@ -323,57 +408,37 @@ class SecondaryTests(OESelftestTestCase):
             runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu)
         else:
             self.meta_qemu = None
-        self.append_config('MACHINE = "qemux86-64"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
-        self.qemu, self.s = qemu_launch(machine='qemux86-64', imagename='secondary-image')
+
+        self.primary = IpSecondaryTests.Primary(self)
+        self.secondary = IpSecondaryTests.Secondary(self)
 
     def tearDownLocal(self):
-        qemu_terminate(self.s)
         if self.meta_qemu:
             runCmd('bitbake-layers remove-layer "%s"' % self.meta_qemu, ignore_status=True)
 
-    def qemu_command(self, command):
-        return qemu_send_command(self.qemu.ssh_port, command)
+    def test_ip_secondary_registration_if_secondary_starts_first(self):
+        with self.secondary:
+            self.assertTrue(self.secondary.was_successfully_booted(),
+                            'The secondary failed to boot: {}'.format(self.secondary.stderr))
 
-    def test_secondary_present(self):
-        print('Checking aktualizr-secondary is present')
-        stdout, stderr, retcode = self.qemu_command('aktualizr-secondary --help')
-        self.assertEqual(retcode, 0, "Unable to run aktualizr-secondary --help")
-        self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
+            with self.primary:
+                self.assertTrue(self.primary.was_successfully_booted(),
+                                'The primary failed to boot: {}'.format(self.primary.stderr))
 
+                self.assertTrue(self.primary.is_ecu_registered(self.secondary.id),
+                                "The secondary wasn't registered at the primary: {}".format(self.primary.get_info()))
 
-class PrimaryTests(OESelftestTestCase):
-    def setUpLocal(self):
-        layer = "meta-updater-qemux86-64"
-        result = runCmd('bitbake-layers show-layers')
-        if re.search(layer, result.output) is None:
-            # Assume the directory layout for finding other layers. We could also
-            # make assumptions by using 'show-layers', but either way, if the
-            # layers we need aren't where we expect them, we are out of luck.
-            path = os.path.abspath(os.path.dirname(__file__))
-            metadir = path + "/../../../../../"
-            self.meta_qemu = metadir + layer
-            runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu)
-        else:
-            self.meta_qemu = None
-        self.append_config('MACHINE = "qemux86-64"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
-        self.append_config('SOTA_CLIENT_FEATURES = "secondary-network"')
-        self.qemu, self.s = qemu_launch(machine='qemux86-64', imagename='primary-image')
-
-    def tearDownLocal(self):
-        qemu_terminate(self.s)
-        if self.meta_qemu:
-            runCmd('bitbake-layers remove-layer "%s"' % self.meta_qemu, ignore_status=True)
+    def test_ip_secondary_registration_if_primary_starts_first(self):
+        with self.primary:
+            self.assertTrue(self.primary.was_successfully_booted(),
+                            'The primary failed to boot: {}'.format(self.primary.stderr))
 
-    def qemu_command(self, command):
-        return qemu_send_command(self.qemu.ssh_port, command)
+            with self.secondary:
+                self.assertTrue(self.secondary.was_successfully_booted(),
+                                'The secondary failed to boot: {}'.format(self.secondary.stderr))
 
-    def test_aktualizr_present(self):
-        print('Checking aktualizr is present')
-        stdout, stderr, retcode = self.qemu_command('aktualizr --help')
-        self.assertEqual(retcode, 0, "Unable to run aktualizr --help")
-        self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
+                self.assertTrue(self.primary.is_ecu_registered(self.secondary.id),
+                                "The secondary wasn't registered at the primary: {}".format(self.primary.get_info()))
 
 
 class ResourceControlTests(OESelftestTestCase):
@@ -391,7 +456,7 @@ class ResourceControlTests(OESelftestTestCase):
         else:
             self.meta_qemu = None
         self.append_config('MACHINE = "qemux86-64"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
         self.append_config('IMAGE_INSTALL_append += " aktualizr-resource-control "')
         self.append_config('RESOURCE_CPU_WEIGHT_pn-aktualizr = "1000"')
         self.append_config('RESOURCE_MEMORY_HIGH_pn-aktualizr = "50M"')
diff --git a/lib/oeqa/selftest/cases/updater_raspberrypi.py b/lib/oeqa/selftest/cases/updater_raspberrypi.py
index 1cab2b8..6b71a03 100644
--- a/lib/oeqa/selftest/cases/updater_raspberrypi.py
+++ b/lib/oeqa/selftest/cases/updater_raspberrypi.py
@@ -53,7 +53,7 @@ class RpiTests(OESelftestTestCase):
             self.meta_qemu = None
 
         self.append_config('MACHINE = "raspberrypi3"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
 
     def tearDownLocal(self):
         if self.meta_qemu:
@@ -68,7 +68,6 @@ class RpiTests(OESelftestTestCase):
     def test_build(self):
         logger = logging.getLogger("selftest")
         logger.info('Running bitbake to build rpi-basic-image')
-        self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"')
         bitbake('rpi-basic-image')
         credentials = get_bb_var('SOTA_PACKED_CREDENTIALS')
         # Skip the test if the variable SOTA_PACKED_CREDENTIALS is not set.
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
deleted file mode 100644
index 0d1c860..0000000
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "Aktualizr configuration for implicit provisioning with CA"
-DESCRIPTION = "Configuration for implicitly provisioning Aktualizr using externally provided or generated CA"
-
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-
-inherit allarch
-
-DEPENDS = "aktualizr aktualizr-native openssl-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
-
-PV = "1.0"
-PR = "1"
-
-require credentials.inc
-
-do_install() {
-    install -m 0700 -d ${D}${libdir}/sota/conf.d
-
-    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \
-        ${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml
-}
-
-FILES_${PN} = " \
-                ${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \
-                "
-
-# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
index da17d77..6e02a50 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
@@ -1,4 +1,5 @@
-SUMMARY = "Credentials for implicit provisioning with CA certificate"
+SUMMARY = "Credentials for device provisioning with fleet CA certificate"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
 SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
@@ -13,8 +14,8 @@ DEPENDS = "aktualizr aktualizr-native"
 ALLOW_EMPTY_${PN} = "1"
 
 SRC_URI = " \
-  file://ca.cnf \
-  "
+            file://ca.cnf \
+            "
 
 require credentials.inc
 
@@ -39,7 +40,7 @@ do_install() {
         fi
 
         if [ -z ${SOTA_CAKEY_PATH} ]; then
-            bbfatal "SOTA_CAKEY_PATH should be set when using implicit provisioning"
+            bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
         fi
 
         install -m 0700 -d ${D}${localstatedir}/sota
@@ -49,9 +50,11 @@ do_install() {
                                 --root-ca \
                                 --server-url \
                                 --local ${D} \
-                                --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml
+                                --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
     fi
 }
 
 FILES_${PN} = " \
                 ${localstatedir}/sota/*"
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
index f738f3e..83840e5 100644
--- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -1,5 +1,5 @@
-SUMMARY = "Aktualizr configuration with HSM support"
-DESCRIPTION = "Configuration for HSM provisioning with Aktualizr, the SOTA Client application written in C++"
+SUMMARY = "Aktualizr configuration for device credential provisioning with HSM support"
+DESCRIPTION = "Configuration for provisioning Aktualizr with device credentials using externally provided or generated CA with HSM support"
 HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
 SECTION = "base"
 LICENSE = "MPL-2.0"
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 inherit allarch
 
 DEPENDS = "aktualizr aktualizr-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
+RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
 
 SRC_URI = ""
 PV = "1.0"
@@ -18,13 +18,13 @@ require credentials.inc
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${STAGING_DIR_NATIVE}${libdir_native}/sota/sota_hsm_prov.toml \
-        ${D}${libdir}/sota/conf.d/20-sota_hsm_prov.toml
+    install -m 0644 ${STAGING_DIR_NATIVE}${libdir_native}/sota/sota-device-cred-hsm.toml \
+        ${D}${libdir}/sota/conf.d/20-sota-device-cred-hsm.toml
 }
 
 FILES_${PN} = " \
                 ${libdir}/sota/conf.d \
-                ${libdir}/sota/conf.d/20-sota_hsm_prov.toml \
+                ${libdir}/sota/conf.d/20-sota-device-cred-hsm.toml \
                 "
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-device-prov.bb b/recipes-sota/aktualizr/aktualizr-device-prov.bb
new file mode 100644
index 0000000..be0f5c8
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -0,0 +1,29 @@
+SUMMARY = "Aktualizr configuration for device credential provisioning"
+DESCRIPTION = "Configuration for provisioning Aktualizr with device credentials using externally provided or generated CA"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+inherit allarch
+
+DEPENDS = "aktualizr aktualizr-native openssl-native"
+RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
+
+PV = "1.0"
+PR = "1"
+
+require credentials.inc
+
+do_install() {
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    install -m 0644 ${STAGING_DIR_NATIVE}${libdir_native}/sota/sota-device-cred.toml \
+        ${D}${libdir}/sota/conf.d/20-sota-device-cred.toml
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d \
+                ${libdir}/sota/conf.d/20-sota-device-cred.toml \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
index 6b2dd27..dbb5fde 100644
--- a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
@@ -1,4 +1,5 @@
-SUMMARY = "Credentials for autoprovisioning scenario"
+SUMMARY = "Credentials for shared provisioning"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
 SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-shared-prov.bb
index 3e4c208..c42546c 100644
--- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-shared-prov.bb
@@ -1,5 +1,5 @@
-SUMMARY = "Aktualizr configuration for autoprovisioning"
-DESCRIPTION = "Configuration for automatically provisioning Aktualizr, the SOTA Client application written in C++"
+SUMMARY = "Aktualizr configuration for shared credential provisioning"
+DESCRIPTION = "Configuration for provisioning Aktualizr with shared credentials"
 HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
 SECTION = "base"
 LICENSE = "MPL-2.0"
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
 inherit allarch
 
 DEPENDS = "aktualizr-native zip-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
+RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS', True) == '1' else ''}"
 PV = "1.0"
 PR = "6"
 
@@ -31,15 +31,13 @@ do_install() {
     fi
 
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    aktualizr_toml=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-network', 'sota_autoprov_primary.toml', 'sota_autoprov.toml', d)}
-
-    install -m 0644 ${STAGING_DIR_NATIVE}${libdir_native}/sota/${aktualizr_toml} \
-        ${D}${libdir}/sota/conf.d/20-${aktualizr_toml}
+    install -m 0644 ${STAGING_DIR_NATIVE}${libdir_native}/sota/sota-shared-cred.toml \
+        ${D}${libdir}/sota/conf.d/20-sota-shared-cred.toml
 }
 
 FILES_${PN} = " \
                 ${libdir}/sota/conf.d \
-                ${libdir}/sota/conf.d/20-${aktualizr_toml} \
+                ${libdir}/sota/conf.d/20-sota-shared-cred.toml \
                 "
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
index ed1e3a8..2bc2e3f 100644
--- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
+++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
@@ -11,7 +11,7 @@ RDEPENDS_${PN} = "aktualizr"
 
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
-    install -m 0644 ${STAGING_DIR_NATIVE}${libdir_native}/sota/sota_uboot_env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
+    install -m 0644 ${STAGING_DIR_NATIVE}${libdir_native}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
 }
 
 FILES_${PN} = " \
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index a49095a..4dbfb06 100755..100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -15,24 +15,23 @@ RDEPENDS_${PN}-ptest += "bash cmake curl python3-misc python3-modules sqlite3 va
 PV = "1.0+git${SRCPV}"
 PR = "7"
 
-GARAGE_SIGN_PV = "0.6.0-18-g5b8b259"
+GARAGE_SIGN_PV = "0.7.0-3-gf5ba640"
 
 SRC_URI = " \
   gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
   file://run-ptest \
   file://aktualizr.service \
   file://aktualizr-secondary.service \
-  file://aktualizr-secondary.socket \
   file://aktualizr-serialcan.service \
   file://10-resource-control.conf \
   ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
   "
 
 # for garage-sign archive
-SRC_URI[md5sum] = "c5e9968dfe78a7264ab9a8338c11725d"
-SRC_URI[sha256sum] = "3a19258d7a1825a308aca0da82f7a337985bec05e8951355c4c95f0fcf2444f4"
+SRC_URI[md5sum] = "e104ccd4f32e52571a5fc0e5042db050"
+SRC_URI[sha256sum] = "c590be1a57523bfe097af82279eda5c97cf40ae47fb27162cf33c469702c8a9b"
 
-SRCREV = "c50feb37034eceb1254429d3e3ed38e5b8a0dc60"
+SRCREV = "fce5854ff10e7efd52d69bbaf68dc2af990d5746"
 BRANCH ?= "master"
 
 S = "${WORKDIR}/git"
@@ -45,7 +44,7 @@ PTEST_ENABLED = "0"
 
 SYSTEMD_PACKAGES = "${PN} ${PN}-secondary"
 SYSTEMD_SERVICE_${PN} = "aktualizr.service"
-SYSTEMD_SERVICE_${PN}-secondary = "aktualizr-secondary.socket"
+SYSTEMD_SERVICE_${PN}-secondary = "aktualizr-secondary.service"
 
 EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release -DAKTUALIZR_VERSION=${PV} -Dgtest_disable_pthreads=ON ${@bb.utils.contains('PTEST_ENABLED', '1', '-DTESTSUITE_VALGRIND=on', '', d)}"
 
@@ -94,14 +93,12 @@ do_install_ptest() {
 
 do_install_append () {
     install -d ${D}${libdir}/sota
-    install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml
-    install -m 0644 ${S}/config/sota_autoprov_primary.toml ${D}/${libdir}/sota/sota_autoprov_primary.toml
-    install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml
-    install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml
-    install -m 0644 ${S}/config/sota_secondary.toml ${D}/${libdir}/sota/sota_secondary.toml
-    install -m 0644 ${S}/config/sota_uboot_env.toml ${D}/${libdir}/sota/sota_uboot_env.toml
+    install -m 0644 ${S}/config/sota-shared-cred.toml ${D}/${libdir}/sota/sota-shared-cred.toml
+    install -m 0644 ${S}/config/sota-device-cred-hsm.toml ${D}/${libdir}/sota/sota-device-cred-hsm.toml
+    install -m 0644 ${S}/config/sota-device-cred.toml ${D}/${libdir}/sota/sota-device-cred.toml
+    install -m 0644 ${S}/config/sota-secondary.toml ${D}/${libdir}/sota/sota-secondary.toml
+    install -m 0644 ${S}/config/sota-uboot-env.toml ${D}/${libdir}/sota/sota-uboot-env.toml
     install -d ${D}${systemd_unitdir}/system
-    install -m 0644 ${WORKDIR}/aktualizr-secondary.socket ${D}${systemd_unitdir}/system/aktualizr-secondary.socket
     install -m 0644 ${WORKDIR}/aktualizr-secondary.service ${D}${systemd_unitdir}/system/aktualizr-secondary.service
     install -m 0700 -d ${D}${libdir}/sota/conf.d
     install -m 0700 -d ${D}${sysconfdir}/sota/conf.d
@@ -176,8 +173,7 @@ FILES_${PN}-examples = " \
 
 FILES_${PN}-secondary = " \
                 ${bindir}/aktualizr-secondary \
-                ${libdir}/sota/sota_secondary.toml \
-                ${systemd_unitdir}/system/aktualizr-secondary.socket \
+                ${libdir}/sota/sota-secondary.toml \
                 ${systemd_unitdir}/system/aktualizr-secondary.service \
                 "
 
diff --git a/recipes-sota/aktualizr/files/aktualizr-secondary.service b/recipes-sota/aktualizr/files/aktualizr-secondary.service
index 9628ee3..b577ae8 100644
--- a/recipes-sota/aktualizr/files/aktualizr-secondary.service
+++ b/recipes-sota/aktualizr/files/aktualizr-secondary.service
@@ -1,8 +1,12 @@
 [Unit]
 Description=Aktualizr SOTA Client (UPTANE Secondary)
+After=network.target
 
 [Service]
 RestartSec=10
 Restart=always
-ExecStart=/usr/bin/aktualizr-secondary --config /usr/lib/sota/sota_secondary.toml
+ExecStart=/usr/bin/aktualizr-secondary
+
+[Install]
+WantedBy=multi-user.target
 
diff --git a/recipes-sota/aktualizr/files/aktualizr-secondary.socket b/recipes-sota/aktualizr/files/aktualizr-secondary.socket
deleted file mode 100644
index da0ee44..0000000
--- a/recipes-sota/aktualizr/files/aktualizr-secondary.socket
+++ /dev/null
@@ -1,6 +0,0 @@
-[Socket]
-ListenStream=9030
-ListenDatagram=9031
-
-[Install]
-WantedBy=sockets.target
\ No newline at end of file
diff --git a/recipes-sota/config/aktualizr-polling-interval.bb b/recipes-sota/config/aktualizr-polling-interval.bb
new file mode 100644
index 0000000..53c008a
--- /dev/null
+++ b/recipes-sota/config/aktualizr-polling-interval.bb
@@ -0,0 +1,29 @@
+SUMMARY = "Set polling interval in Aktualizr"
+DESCRIPTION = "Configures aktualizr to poll at a custom frequency (suitable for testing or other purposes)"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+inherit allarch
+
+SRC_URI = " \
+            file://60-polling-interval.toml \
+            "
+
+SOTA_POLLING_SEC ?= "30"
+
+do_install_append () {
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    install -m 0644 ${WORKDIR}/60-polling-interval.toml ${D}${libdir}/sota/conf.d/60-polling-interval.toml
+
+    sed -i -e 's|@POLLING_SEC@|${SOTA_POLLING_SEC}|g' \
+           ${D}${libdir}/sota/conf.d/60-polling-interval.toml
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d/60-polling-interval.toml \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
+
diff --git a/recipes-sota/config/files/60-polling-interval.toml b/recipes-sota/config/files/60-polling-interval.toml
new file mode 100644
index 0000000..7d25d05
--- /dev/null
+++ b/recipes-sota/config/files/60-polling-interval.toml
@@ -0,0 +1,2 @@
+[uptane]
+polling_sec = @POLLING_SEC@
diff --git a/recipes-test/big-update/big-update_1.0.bb b/recipes-test/big-update/big-update_1.0.bb
index 68b9746..3b1d652 100644
--- a/recipes-test/big-update/big-update_1.0.bb
+++ b/recipes-test/big-update/big-update_1.0.bb
@@ -1,5 +1,5 @@
 DESCRIPTION = "Example Package with 10MB of random, seeded content"
-LICENSE = "CLOSED"
+LICENSE = "MPL-2.0"
 
 SRC_URI = "file://rand_file.py"
 
diff --git a/recipes-test/big-update/big-update_2.0.bb b/recipes-test/big-update/big-update_2.0.bb
index 20c8138..7cb6e94 100644
--- a/recipes-test/big-update/big-update_2.0.bb
+++ b/recipes-test/big-update/big-update_2.0.bb
@@ -1,5 +1,5 @@
 DESCRIPTION = "Example Package with 12MB of random, seeded content"
-LICENSE = "CLOSED"
+LICENSE = "MPL-2.0"
 
 SRC_URI = "file://rand_file.py"
 
diff --git a/recipes-test/demo-config/files/30-fake-pacman.toml b/recipes-test/demo-config/files/30-fake-pacman.toml
new file mode 100644
index 0000000..3fb5cf2
--- /dev/null
+++ b/recipes-test/demo-config/files/30-fake-pacman.toml
@@ -0,0 +1,2 @@
+[pacman]
+type = "fake"
diff --git a/recipes-test/demo-config/files/30-secondary-config.toml b/recipes-test/demo-config/files/30-secondary-config.toml
new file mode 100644
index 0000000..7714240
--- /dev/null
+++ b/recipes-test/demo-config/files/30-secondary-config.toml
@@ -0,0 +1,2 @@
+[uptane]
+secondary_config_file = "@CFG_FILEPATH@"
diff --git a/recipes-test/demo-config/files/35-network-config.toml b/recipes-test/demo-config/files/35-network-config.toml
new file mode 100644
index 0000000..db7a1bb
--- /dev/null
+++ b/recipes-test/demo-config/files/35-network-config.toml
@@ -0,0 +1,4 @@
+[network]
+port = @PORT@
+primary_ip = @PRIMARY_IP@
+primary_port = @PRIMARY_PORT@
diff --git a/recipes-test/demo-config/files/45-id-config.toml b/recipes-test/demo-config/files/45-id-config.toml
new file mode 100644
index 0000000..6cbd77f
--- /dev/null
+++ b/recipes-test/demo-config/files/45-id-config.toml
@@ -0,0 +1,3 @@
+[uptane]
+ecu_serial = @SERIAL@
+ecu_hardware_id = @HWID@
diff --git a/recipes-test/demo-config/files/ip_secondary_config.json b/recipes-test/demo-config/files/ip_secondary_config.json
new file mode 100644
index 0000000..690cf2e
--- /dev/null
+++ b/recipes-test/demo-config/files/ip_secondary_config.json
@@ -0,0 +1,7 @@
+{
+    "IP": {
+            "secondaries_wait_port": @PORT@,
+            "secondaries_wait_timeout": @TIMEOUT@,
+            "secondaries": @ADDR_ARRAY@ 
+    }
+}
diff --git a/recipes-test/demo-config/primary-config.bb b/recipes-test/demo-config/primary-config.bb
new file mode 100644
index 0000000..27cb553
--- /dev/null
+++ b/recipes-test/demo-config/primary-config.bb
@@ -0,0 +1,68 @@
+DESCRIPTION = "Sample configuration for an Uptane Primary to support IP/Posix Secondary"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+require shared-conf.inc
+
+PRIMARY_SECONDARIES ?= "${SECONDARY_IP}:${SECONDARY_PORT}"
+
+SRC_URI = "\
+    file://30-secondary-config.toml \
+    file://ip_secondary_config.json \
+    "
+
+def get_secondary_addrs(d):
+    import json
+
+    secondaries = d.getVar('PRIMARY_SECONDARIES')
+    sec_array = []
+    for secondary in secondaries.split():
+        sec_array.append({"addr": secondary})
+
+    return json.dumps(sec_array) 
+
+do_install () {
+
+    if [ ! -n "${SOTA_SECONDARY_CONFIG}" ]; then
+        bbwarn "SOTA_SECONDARY_CONFIG hasn't been specified in the local config, generate a default one"
+
+        IP_SECONDARY_CONFIG_FILE=${WORKDIR}/ip_secondary_config.json
+        IP_SECONDARY_ADDRS='${@get_secondary_addrs(d)}'
+    else
+        bbwarn "SOTA_SECONDARY_CONFIG has been specified in the local config: ${SOTA_SECONDARY_CONFIG}"
+
+        IP_SECONDARY_CONFIG_FILE=${SOTA_SECONDARY_CONFIG}
+    fi
+
+    if [ ! -f $IP_SECONDARY_CONFIG_FILE ]; then
+        bbfatal "Secondary config file does not exist: $IP_SECONDARY_CONFIG_FILE"
+    fi
+
+    SECONDARY_CONFIG_DEST_DIR="${D}${sysconfdir}/sota/ecus"
+    SECONDARY_CONFIG_DEST_FILEPATH=$SECONDARY_CONFIG_DEST_DIR/$(basename -- $IP_SECONDARY_CONFIG_FILE)
+    SECONDARY_CONFIG_FILEPATH_ON_IMAGE="${sysconfdir}/sota/ecus/$(basename -- $IP_SECONDARY_CONFIG_FILE)"
+
+    # install the secondary configuration file (json)
+    install -m 0700 -d $SECONDARY_CONFIG_DEST_DIR
+    install -m 0644 $IP_SECONDARY_CONFIG_FILE $SECONDARY_CONFIG_DEST_DIR
+
+    # if SOTA_SECONDARY_CONFIG/secondary config file is not defined in the local conf 
+    # then a default template is used and filled with corresponding configuration variable values 
+    if [ ! -n "${SOTA_SECONDARY_CONFIG}" ]; then
+        sed -i -e "s|@PORT@|${PRIMARY_PORT}|g" \
+               -e "s|@TIMEOUT@|${PRIMARY_WAIT_TIMEOUT}|g" \
+               -e "s|@ADDR_ARRAY@|$IP_SECONDARY_ADDRS|g" $SECONDARY_CONFIG_DEST_FILEPATH
+    fi
+
+    # install aktualizr config file (toml) that points to the secondary config file, so aktualizr is aware about it
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    install -m 0644 ${WORKDIR}/30-secondary-config.toml ${D}${libdir}/sota/conf.d
+    sed -i "s|@CFG_FILEPATH@|$SECONDARY_CONFIG_FILEPATH_ON_IMAGE|g" ${D}${libdir}/sota/conf.d/30-secondary-config.toml
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d/* \
+                ${sysconfdir}/sota/ecus/* \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-test/demo-config/secondary-config.bb b/recipes-test/demo-config/secondary-config.bb
new file mode 100644
index 0000000..9411646
--- /dev/null
+++ b/recipes-test/demo-config/secondary-config.bb
@@ -0,0 +1,41 @@
+DESCRIPTION = "Sample configuration for an Uptane Secondary"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+require shared-conf.inc
+
+SECONDARY_SERIAL_ID ?= ""
+SOTA_HARDWARE_ID ?= "${MACHINE}-sndry"
+SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}"
+
+SRC_URI = "\
+    file://30-fake-pacman.toml \
+    file://35-network-config.toml \
+    file://45-id-config.toml \
+    "
+
+do_install () {
+    install -m 0700 -d ${D}${libdir}/sota/conf.d
+    install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}/${libdir}/sota/conf.d/30-fake-pacman.toml
+
+    install -m 0644 ${WORKDIR}/35-network-config.toml ${D}/${libdir}/sota/conf.d/35-network-config.toml
+    sed -i -e 's|@PORT@|${SECONDARY_PORT}|g' \
+           -e 's|@PRIMARY_IP@|${PRIMARY_IP}|g' \
+           -e 's|@PRIMARY_PORT@|${PRIMARY_PORT}|g' \
+           ${D}/${libdir}/sota/conf.d/35-network-config.toml
+
+    install -m 0644 ${WORKDIR}/45-id-config.toml ${D}/${libdir}/sota/conf.d/45-id-config.toml
+    sed -i -e 's|@SERIAL@|${SECONDARY_SERIAL_ID}|g' \
+           -e 's|@HWID@|${SECONDARY_HARDWARE_ID}|g' \
+           ${D}/${libdir}/sota/conf.d/45-id-config.toml
+
+}
+
+FILES_${PN} = " \
+                ${libdir}/sota/conf.d \
+                ${libdir}/sota/conf.d/30-fake-pacman.toml \
+                ${libdir}/sota/conf.d/35-network-config.toml \
+                ${libdir}/sota/conf.d/45-id-config.toml \
+                "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-test/demo-config/shared-conf.inc b/recipes-test/demo-config/shared-conf.inc
new file mode 100644
index 0000000..ce2bb44
--- /dev/null
+++ b/recipes-test/demo-config/shared-conf.inc
@@ -0,0 +1,5 @@
+SECONDARY_IP ?= "10.0.3.2"
+SECONDARY_PORT ?= "9050"
+PRIMARY_IP ?= "10.0.3.1"
+PRIMARY_PORT ?= "9040"
+PRIMARY_WAIT_TIMEOUT ?= "120"
diff --git a/recipes-test/demo-network-config/files/26-static-client.network b/recipes-test/demo-network-config/files/26-static-client.network
new file mode 100644
index 0000000..19a6b83
--- /dev/null
+++ b/recipes-test/demo-network-config/files/26-static-client.network
@@ -0,0 +1,7 @@
+[Match]
+Name=@IFNAME@
+
+[Network]
+Description=Private internal network between aktualizr Primary and Secondary nodes
+Address=@ADDR@
+DHCP=no
diff --git a/recipes-test/demo-network-config/primary-network-config.bb b/recipes-test/demo-network-config/primary-network-config.bb
index 78678a2..c7daa15 100644
--- a/recipes-test/demo-network-config/primary-network-config.bb
+++ b/recipes-test/demo-network-config/primary-network-config.bb
@@ -1,10 +1,12 @@
 DESCRIPTION = "Sample network configuration for an Uptane Primary"
-LICENSE = "CLOSED"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
 inherit allarch
 
-SRC_URI = "file://25-dhcp-server.network"
-
+SRC_URI = "\
+    file://27-dhcp-client-external.network \
+    "
 
 FILES_${PN} = "/usr/lib/systemd/network"
 
@@ -12,5 +14,12 @@ PR = "1"
 
 do_install() {
     install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/25-dhcp-server.network ${D}/usr/lib/systemd/network/
+    install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
 }
+
+PRIMARY_IP ?= "10.0.3.1"
+IP_ADDR = "${PRIMARY_IP}"
+
+require static-network-config.inc
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-test/demo-network-config/secondary-network-config.bb b/recipes-test/demo-network-config/secondary-network-config.bb
index 9091c65..c70d88a 100644
--- a/recipes-test/demo-network-config/secondary-network-config.bb
+++ b/recipes-test/demo-network-config/secondary-network-config.bb
@@ -1,20 +1,29 @@
 DESCRIPTION = "Sample network configuration for an Uptane Secondary"
-LICENSE = "CLOSED"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
 inherit allarch
 
+# TODO: It configures the 'user' interface in NAT mode and provides an access to public Inet via it
+# which is not desired for Secondary. It cannot be just removed since we get SSH access to Secondary
+# VM via this interface. So, the task is to configure the interface in such way that it does provide access
+# via SSH from a host machine and forbids an access to Inet
 SRC_URI = "\
-    file://26-dhcp-client.network \
     file://27-dhcp-client-external.network \
     "
 
-
 FILES_${PN} = "/usr/lib/systemd/network"
 
 PR = "1"
 
 do_install() {
     install -d ${D}/usr/lib/systemd/network
-    install -m 0644 ${WORKDIR}/26-dhcp-client.network ${D}/usr/lib/systemd/network/
     install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
 }
+
+SECONDARY_IP ?= "10.0.3.2"
+IP_ADDR = "${SECONDARY_IP}"
+
+require static-network-config.inc
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-test/demo-network-config/static-network-config.inc b/recipes-test/demo-network-config/static-network-config.inc
new file mode 100644
index 0000000..e64675e
--- /dev/null
+++ b/recipes-test/demo-network-config/static-network-config.inc
@@ -0,0 +1,16 @@
+SRC_URI_append = "\
+    file://26-static-client.network \
+    "
+
+SECONDARY_INTERFACE ?= "enp0s5"
+
+do_install_append() {
+    install -d ${D}/usr/lib/systemd/network
+    install -m 0644 ${WORKDIR}/26-static-client.network ${D}/usr/lib/systemd/network/
+    sed -i -e 's|@ADDR@|${IP_ADDR}|g' \
+           -e 's|@IFNAME@|${SECONDARY_INTERFACE}|g' \
+           ${D}/usr/lib/systemd/network/26-static-client.network
+
+}
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-test/images/primary-image.bb b/recipes-test/images/primary-image.bb
index 6d2df94..ba1dc1f 100644
--- a/recipes-test/images/primary-image.bb
+++ b/recipes-test/images/primary-image.bb
@@ -2,13 +2,15 @@ include recipes-core/images/core-image-minimal.bb
 
 SUMMARY = "A minimal Uptane Primary image running aktualizr, for testing with a Linux secondary"
 
-LICENSE = "MIT"
+LICENSE = "MPL-2.0"
 
 IMAGE_INSTALL_remove = " \
+                        virtual/network-configuration \
                         "
 
 IMAGE_INSTALL_append = " \
-                        primary-network-config \
+                         primary-network-config \
+                         primary-config \
                        "
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-test/images/secondary-image.bb b/recipes-test/images/secondary-image.bb
index 61df85b..27d1e3f 100644
--- a/recipes-test/images/secondary-image.bb
+++ b/recipes-test/images/secondary-image.bb
@@ -2,18 +2,20 @@ include recipes-core/images/core-image-minimal.bb
 
 SUMMARY = "A minimal Uptane Secondary image running aktualizr-secondary"
 
-LICENSE = "MIT"
+LICENSE = "MPL-2.0"
 
+SECONDARY_SERIAL_ID ?= ""
+SOTA_HARDWARE_ID ?= "${MACHINE}-sndry"
 
 # Remove default aktualizr primary, and the provisioning configuration (which
 # RDEPENDS on aktualizr)
 IMAGE_INSTALL_remove = " \
                         aktualizr \
-                        aktualizr-auto-prov \
-                        aktualizr-auto-prov-creds \
-                        aktualizr-ca-implicit-prov \
-                        aktualizr-ca-implicit-prov-creds \
-                        aktualizr-hsm-prov \
+                        aktualizr-shared-prov \
+                        aktualizr-shared-prov-creds \
+                        aktualizr-device-prov \
+                        aktualizr-device-prov-creds \
+                        aktualizr-device-prov-hsm \
                         aktualizr-uboot-env-rollback \
                         virtual/network-configuration \
                         "
@@ -21,6 +23,7 @@ IMAGE_INSTALL_remove = " \
 IMAGE_INSTALL_append = " \
                         aktualizr-secondary \
                         secondary-network-config \
+                        secondary-config \
                         "
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/scripts/qemucommand.py b/scripts/qemucommand.py
index 9b21a66..532e331 100644
--- a/scripts/qemucommand.py
+++ b/scripts/qemucommand.py
@@ -109,8 +109,8 @@ class QemuCommand(object):
             cmdline += ['-net', 'dump,file=' + self.pcap]
         if self.secondary_network:
             cmdline += [
-                '-net', 'nic,vlan=1,macaddr='+random_mac(),
-                '-net', 'socket,vlan=1,mcast=230.0.0.1:1234,localaddr=127.0.0.1',
+                '-netdev', 'socket,id=vlan1,mcast=230.0.0.1:1234,localaddr=127.0.0.1',
+                '-device', 'e1000,netdev=vlan1,mac='+random_mac(),
             ]
         if self.gui:
             cmdline += ["-serial", "stdio"]