<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Yocto | Academic OSS ELC</title><link>https://academic-oss-elc.netlify.app/tags/yocto/</link><atom:link href="https://academic-oss-elc.netlify.app/tags/yocto/index.xml" rel="self" type="application/rss+xml"/><description>Yocto</description><generator>Source Themes Academic (https://sourcethemes.com/academic/)</generator><language>en-us</language><lastBuildDate>Thu, 02 Jul 2020 00:00:00 +0000</lastBuildDate><image><url>https://academic-oss-elc.netlify.app/images/icon_hu0b7a4cb9992c9ac0e91bd28ffd38dd00_9727_512x512_fill_lanczos_center_2.png</url><title>Yocto</title><link>https://academic-oss-elc.netlify.app/tags/yocto/</link></image><item><title>Yocto Project Dev Day Virtual NA 2020</title><link>https://academic-oss-elc.netlify.app/project/2020-yocto-project-dev-day/</link><pubDate>Thu, 02 Jul 2020 00:00:00 +0000</pubDate><guid>https://academic-oss-elc.netlify.app/project/2020-yocto-project-dev-day/</guid><description>&lt;blockquote>
&lt;p>The Yocto Project Developer Day Virtual is a one day presentation and hands-on training event that puts you in direct contact with Yocto Project technical experts and developers. Its primary aim is to show developers how to create, customize, and optimize Linux distributions for embedded devices using the rich features, tools, and content of Yocto Project. Our knowledgeable and engaging instructors will help you better understand topics like build system workflow, working with containers, building applications, optimizing images, hardening your devices, and leveraging tools like devtool. You will also have a chance to network and put your new skills to work.&lt;/p>
&lt;/blockquote>
&lt;h3 id="program">Program&lt;/h3>
&lt;ul>
&lt;li>Keynote &amp;amp; Welcome&lt;/li>
&lt;li>Security Hardening&lt;/li>
&lt;li>Image Size Optimization&lt;/li>
&lt;li>Reproducible Builds&lt;/li>
&lt;li>LTS&lt;/li>
&lt;li>CI/CD&lt;/li>
&lt;li>DevTool Lab&lt;/li>
&lt;li>User Space Lab&lt;/li>
&lt;li>Kernel Lab&lt;/li>
&lt;li>and more…&lt;/li>
&lt;/ul>
&lt;h3 id="agenda">Agenda&lt;/h3>
&lt;pre>&lt;code class="language-none">9:00 30 Paul Barker, &amp;quot;Highly-scalable build automation&amp;quot;
9:30 45 Robert Berger, &amp;quot;Containers and micro services&amp;quot;, use cases: containers on host and target
10:15 15 --- Morning break ---
10:30 90 Trevor, &amp;quot;Kernel Lab&amp;quot;, HANDS ON
12:00 60 --- Lunch ---
1:00 15 BugBoard Presentation, Call to action
1:15 30 Scott, &amp;quot;Security Hardening&amp;quot;
1:45 30 Khem, “Techniques and tools to reduce image size with Yocto Projects&amp;quot;
2:15 30 Konrad, &amp;quot;CI/CD&amp;quot;
2:45 15 --- Afternoon break ---
3:00 60 Rudi, User Space, HANDS ON
4:00 30 Paul Eggelton, &amp;quot;DevTool&amp;quot;
4:30 30 Christopher Clark &amp;amp; TimO, &amp;quot;Virtualization&amp;quot;
&lt;/code>&lt;/pre>
&lt;h2 id="highly-scalable-build-automation">Highly scalable build automation&lt;/h2>
&lt;h3 id="solutions">Solutions&lt;/h3>
&lt;p>Solutions?&lt;/p>
&lt;ul>
&lt;li>Buildbot&lt;/li>
&lt;li>GitLab CI&lt;/li>
&lt;li>Jenkins&lt;/li>
&lt;/ul>
&lt;p>Design&lt;/p>
&lt;ul>
&lt;li>ideally CI should run a single comamnd&lt;/li>
&lt;li>Ensure you can run the same scrip tlocally&lt;/li>
&lt;li>allo manual build and release manually if your CI system breaks&lt;/li>
&lt;/ul>
&lt;p>Pulling in other layers&lt;/p>
&lt;ul>
&lt;li>git submodule&lt;/li>
&lt;li>repo&lt;/li>
&lt;li>oe-layersetup&lt;/li>
&lt;li>kas&lt;/li>
&lt;/ul>
&lt;p>examin simple setup&lt;/p>
&lt;p>Build environment
sstate cahce
download cache
artifact storage
log storage management interface&lt;/p>
&lt;p>Scaling up&lt;/p>
&lt;ul>
&lt;li>bigger build machine&lt;/li>
&lt;li>NVMe &amp;gt; SATA SSD &amp;gt; SATA HDD&lt;/li>
&lt;li>Verify write edurance on SSD&lt;/li>
&lt;li>Server/Workstation Hardware&lt;/li>
&lt;/ul>
&lt;p>CPU and RAM&lt;/p>
&lt;ul>
&lt;li>Don&amp;rsquo;t blinly assume more expenseive is better&lt;/li>
&lt;li>check for single threaded bottlenecks
&lt;ul>
&lt;li>if they dominate go for high clock&lt;/li>
&lt;li>otherwise go for high core count&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>profile RAM usage&lt;/li>
&lt;/ul>
&lt;p>Tips&lt;/p>
&lt;ul>
&lt;li>dedicated machine not VM&lt;/li>
&lt;li>if you use docker make sure you look into settings&lt;/li>
&lt;/ul>
&lt;p>Benefits of Scaling Out&lt;/p>
&lt;ul>
&lt;li>developer machines can use central sstate cache&lt;/li>
&lt;li>maintain download mirror
&lt;ul>
&lt;li>license compliance&lt;/li>
&lt;li>protect if upstream sources disappear&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>reduce single points of failure&lt;/li>
&lt;/ul>
&lt;p>Local Scale Out&lt;/p>
&lt;ul>
&lt;li>High speed networking
&lt;ul>
&lt;li>10Gbps between build machines and NAS&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>Global Scale Out&lt;/p>
&lt;ul>
&lt;li>issues
&lt;ul>
&lt;li>Limited network speeds&lt;/li>
&lt;li>Packet drops and errors will happen&lt;/li>
&lt;li>may see errors accessing the cache&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>server caches over https&lt;/li>
&lt;li>update cache over SSH or an API&lt;/li>
&lt;/ul>
&lt;p>Distributed Cache and Aritacts Storage&lt;/p>
&lt;ul>
&lt;li>Build your own storage cluster
&lt;ul>
&lt;li>Ceph, Gluster, etc&lt;/li>
&lt;li>Minio is also an option with S3 compatbile API&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="a-low-cost-example">A low cost example&lt;/h3>
&lt;ul>
&lt;li>meta-sancloud bsp layer&lt;/li>
&lt;/ul>
&lt;p>high level design&lt;/p>
&lt;ul>
&lt;li>GItlab CI&lt;/li>
&lt;li>BackBlaze B2&lt;/li>
&lt;li>CloudFlare eliminate bandwidth costs&lt;/li>
&lt;/ul>
&lt;p>kas&lt;/p>
&lt;ul>
&lt;li>desrived in yaml&lt;/li>
&lt;/ul>
&lt;p>gitlab-ci&lt;/p>
&lt;p>Build agend&lt;/p>
&lt;ul>
&lt;li>Ryzen 7 3700X&lt;/li>
&lt;li>64GB DDR4 EEC&lt;/li>
&lt;li>2x 1TB NVMe drives in RAID1 pair&lt;/li>
&lt;/ul>
&lt;p>GitLab Runner configuration&lt;/p>
&lt;ul>
&lt;li>gitlab runner has very min configuration&lt;/li>
&lt;li>limit concurrent jobs&lt;/li>
&lt;li>select the docker job executor&lt;/li>
&lt;li>register with gitlab ci&lt;/li>
&lt;/ul>
&lt;p>docker&lt;/p>
&lt;ul>
&lt;li>mostly use crops/yocto&lt;/li>
&lt;li>sometimes custom&lt;/li>
&lt;/ul>
&lt;p>BackBlaze2&lt;/p>
&lt;ul>
&lt;li>No upload cost&lt;/li>
&lt;li>cost for download&lt;/li>
&lt;/ul>
&lt;p>CloudFlare&lt;/p>
&lt;ul>
&lt;li>downloads from BackBlaze via CloudClare are free&lt;/li>
&lt;li>dedicated domain&lt;/li>
&lt;li>make sure you disable browser integrity check&lt;/li>
&lt;/ul>
&lt;p>Uploading&lt;/p>
&lt;ul>
&lt;li>use rclone&lt;/li>
&lt;li>API key stored in gitlab-ci&lt;/li>
&lt;/ul>
&lt;p>MOnnthly&lt;/p>
&lt;ul>
&lt;li>
&lt;p>Build Agents about $60 per month&lt;/p>
&lt;/li>
&lt;li>
&lt;p>BackBlaze B2 approx $2 per month&lt;/p>
&lt;/li>
&lt;li>
&lt;p>no long te4rm commitments&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Bitbake inc files&lt;/p>
&lt;ul>
&lt;li>sstate&lt;/li>
&lt;li>download mirro&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>gitlab-ci&lt;/p>
&lt;/li>
&lt;li>
&lt;p>kas config&lt;/p>
&lt;ul>
&lt;li>kas poky&lt;/li>
&lt;li>kas argo&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>Summary&lt;/p>
&lt;ul>
&lt;li>requires some sysadmin work in setup and maintenance&lt;/li>
&lt;/ul>
&lt;h2 id="2">2&lt;/h2>
&lt;ol>
&lt;li>mosquitto - mqtt browker&lt;/li>
&lt;li>telegraf - colect analyze&lt;/li>
&lt;li>influxdb&lt;/li>
&lt;li>Grafana&lt;/li>
&lt;/ol>
&lt;p>mTIG Set ups&lt;/p>
&lt;ul>
&lt;li>mTIG Stack - &amp;ldquo;classic&amp;rdquo;&lt;/li>
&lt;li>mTIG Stack - &amp;ldquo;vms&amp;rdquo;&lt;/li>
&lt;li>mTIG Stack - &amp;ldquo;containers&amp;rdquo; - microservices&lt;/li>
&lt;li>mTIG Stack - &amp;ldquo;docker-compose&amp;rdquo;&lt;/li>
&lt;/ul>
&lt;p>Showed Dockerfile for mosquitto&lt;/p>
&lt;ul>
&lt;li>volumes for host storage&lt;/li>
&lt;li>expose for port acces&lt;/li>
&lt;/ul>
&lt;p>yoctozing the setup!&lt;/p>
&lt;ul>
&lt;li>
&lt;p>populate sdk&lt;/p>
&lt;/li>
&lt;li>
&lt;p>building packages from source&lt;/p>
&lt;ul>
&lt;li>time consuming task&lt;/li>
&lt;li>normally glang magically pulls in required dependencies&lt;/li>
&lt;li>depency hell&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>prebuilt binaries&lt;/p>
&lt;ul>
&lt;li>influxdb-prebuilt&lt;/li>
&lt;li>this was easier&lt;/li>
&lt;li>but
&lt;ul>
&lt;li>prebuilt binaries are packaged differently&lt;/li>
&lt;li>how reproducable is this? not at all&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>package summary&lt;/p>
&lt;ul>
&lt;li>additional work is required&lt;/li>
&lt;li>image recipe - easy&lt;/li>
&lt;li>mosquitto - easy recipe upstream&lt;/li>
&lt;li>influxdb&lt;/li>
&lt;li>telegraph&lt;/li>
&lt;/ul>
&lt;p>Yocto Person - get docker packages on the target&lt;/p>
&lt;ul>
&lt;li>add packages&lt;/li>
&lt;li>configure kernel&lt;/li>
&lt;/ul>
&lt;p>Docker on the Target&lt;/p>
&lt;p>bitbaking from sources seems to be hard
prebuilt containers for the target
need docker and friends&lt;/p>
&lt;p>docker architecture&lt;/p>
&lt;p>Start it up&lt;/p>
&lt;ul>
&lt;li>docker-compose up
&lt;ul>
&lt;li>same as before&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h4 id="put-it-all-together">Put it all together&lt;/h4>
&lt;ul>
&lt;li>container standardization&lt;/li>
&lt;/ul>
&lt;p>app-container-image-influxdb-prebuilt-oci&lt;/p>
&lt;ul>
&lt;li>we need minimal rootfs without kernel and meta-virtualization&lt;/li>
&lt;li>skopeo in host container or host machine&lt;/li>
&lt;li>app-container-image-oci.bb&lt;/li>
&lt;li>IMAGE_FSTYPE &amp;lsquo;oci&amp;rsquo; from meta-virtualization&lt;/li>
&lt;li>IMAGE_CONTAINER_NO_DUMMY = &amp;ldquo;0&amp;rdquo; -&amp;gt; no kernel&lt;/li>
&lt;/ul>
&lt;p>Building container images with OE and Yocto Project Scott Murry 2018&lt;/p>
&lt;h2 id="kernel">Kernel&lt;/h2>
&lt;ul>
&lt;li>
&lt;p>upstream linux&lt;/p>
&lt;/li>
&lt;li>
&lt;p>linux-stable&lt;/p>
&lt;/li>
&lt;li>
&lt;p>vendor kernel&lt;/p>
&lt;/li>
&lt;li>
&lt;p>eveil vendor kernel (fraken-kernel)&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Install kernel, dtb&lt;/p>
&lt;/li>
&lt;li>
&lt;p>installed is highly board specific&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="kernel-workflow-multiple-users">Kernel Workflow multiple users&lt;/h3>
&lt;ul>
&lt;li>tewaking a kernel/config or writing a kernel module using an existing BSP&lt;/li>
&lt;li>board bring-up (creating a BSP)&lt;/li>
&lt;/ul>
&lt;p>Kernel Workflow TODO existin BSP chang kernel&lt;/p>
&lt;ul>
&lt;li>many kernels&lt;/li>
&lt;li>linux-yocto plus tolling to use your own&lt;/li>
&lt;li>linux-yocto has variants
&lt;ul>
&lt;li>-dev, - -tiny, -rt&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>new BSP&lt;/p>
&lt;ul>
&lt;li>obtain kernel&lt;/li>
&lt;li>setup cross toolchain - set the processor TUNE&lt;/li>
&lt;li>configure kernel and tweak DT . lots of yocto tooling&lt;/li>
&lt;li>install kernel modules DTB&lt;/li>
&lt;/ul>
&lt;h3 id="kernel-metadata">Kernel metadata&lt;/h3>
&lt;p>config fragment&lt;/p>
&lt;ul>
&lt;li>hands on we use devtool&lt;/li>
&lt;li>&lt;code>devtool&lt;/code> or &lt;code>-c menuconfig&lt;/code> &lt;code>-c diffconfig&lt;/code>&lt;/li>
&lt;li>filename has cfg ext&lt;/li>
&lt;/ul>
&lt;p>SCC&lt;/p>
&lt;ul>
&lt;li>series configuration control&lt;/li>
&lt;li>ties together config framgent or patches with extra metadata&lt;/li>
&lt;/ul>
&lt;p>Kernel Metadata - storage&lt;/p>
&lt;ul>
&lt;li>
&lt;p>two places to store&lt;/p>
&lt;ul>
&lt;li>in-tree&lt;/li>
&lt;li>in separate repository&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>regardless add the lcoation of metadata to your SRC_URI.&lt;/p>
&lt;ul>
&lt;li>Make sure to specify &amp;ldquo;type=kmeta&amp;rdquo;&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>its much more sophisticated&lt;/p>
&lt;/li>
&lt;li>
&lt;p>can define other kernel types &lt;code>KTYPE&lt;/code> and have featured enabled based on kernel type (&lt;code>-tiny,-dev,-rt&lt;/code>)&lt;/p>
&lt;ul>
&lt;li>scc files can include other scc files&lt;/li>
&lt;li>can restrict the includes of other scc&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>examples of in-tree kmeta:&lt;/p>
&lt;ul>
&lt;li>meta-odroid&lt;/li>
&lt;li>meta-arm&lt;/li>
&lt;li>meta-xilinx&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>example of just using *.cfg without *.scc&lt;/p>
&lt;ul>
&lt;li>meta-raspberrypi&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="security-hardening">Security Hardening&lt;/h2>
&lt;h3 id="intro">Intro&lt;/h3>
&lt;p>Agenda&lt;/p>
&lt;ul>
&lt;li>
&lt;p>Security Hardening?&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Basic hardening with OE/YP&lt;/p>
&lt;/li>
&lt;li>
&lt;p>meta-security&lt;/p>
&lt;/li>
&lt;li>
&lt;p>meta-selinux&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Updater layers&lt;/p>
&lt;/li>
&lt;li>
&lt;p>meta-sca&lt;/p>
&lt;/li>
&lt;li>
&lt;p>not an expert&lt;/p>
&lt;/li>
&lt;/ul>
&lt;p>Security Hardening?&lt;/p>
&lt;ul>
&lt;li>Securing a system by reducing its attack surface&lt;/li>
&lt;li>Remove unnecessary software/services, users&lt;/li>
&lt;li>Control network access, e.g. firewall&lt;/li>
&lt;li>Intrusion detection&lt;/li>
&lt;li>Remove/improve default passwords/users&lt;/li>
&lt;li>Updates to remove vulnerabilities&lt;/li>
&lt;li>etc.&lt;/li>
&lt;/ul>
&lt;h3 id="why">Why&lt;/h3>
&lt;p>Attackers are becoming more aware of Linux devices&lt;/p>
&lt;ul>
&lt;li>Scans of all of IPv4 are a thing, e.g. shodan.io&lt;/li>
&lt;li>Customers cannot be relied upon to not attach devices directly to the Internet&lt;/li>
&lt;li>uPnP may make device services visible unexpectedly&lt;/li>
&lt;/ul>
&lt;p>During ELC there were good discussions&lt;/p>
&lt;p>Some presentations this week with more detailed discussion&lt;/p>
&lt;ul>
&lt;li>&amp;ldquo;Introduction to Embedded Linux Security&amp;rdquo; - Sergio Prado, Embedded
Labworks&lt;/li>
&lt;li>&lt;a href="https://ossna2020.sched.com/event/c3XR/introduction-to-embedded-linux-security-sergio-prado-embedded-labworks#">https://ossna2020.sched.com/event/c3XR/introduction-to-embedded-linux-security-sergio-prado-embedded-labworks#&lt;/a>&lt;/li>
&lt;li>&amp;ldquo;IoT Developer&amp;rsquo;s Guide to Building Secure IoT Devices&amp;rdquo; - Yogesh Ojha, Tata Consultancy Services&lt;/li>
&lt;li>&lt;a href="https://ossna2020.sched.com/event/c3Tl/iot-developers-guide-to-building-secure-iot-devices-yogesh-ojha-tata-consultancy-services#">https://ossna2020.sched.com/event/c3Tl/iot-developers-guide-to-building-secure-iot-devices-yogesh-ojha-tata-consultancy-services#&lt;/a>&lt;/li>
&lt;/ul>
&lt;h3 id="owasp-vunerability-list">OWASP vunerability list&lt;/h3>
&lt;h3 id="oeyp-hardening">OE/YP Hardening&lt;/h3>
&lt;ul>
&lt;li>Read the Fine Manual&lt;/li>
&lt;li>&lt;a href="https://www.yoctoproject.org/docs/3.1.1/dev-">https://www.yoctoproject.org/docs/3.1.1/dev-&lt;/a> manual/dev-manual.html#making-images-more-secure&lt;/li>
&lt;li>Provides some useful high-level guidelines&lt;/li>
&lt;li>Has some more detailed guidance around disabling debug features, adding users and passwords, and security related compile flags&lt;/li>
&lt;li>Mentions meta-security and meta-selinux&lt;/li>
&lt;li>Useful, but mostly a starting point&lt;/li>
&lt;/ul>
&lt;h3 id="expanding-on-the-fm">Expanding on the FM&lt;/h3>
&lt;ul>
&lt;li>oe-pkgdata-util useful for finding what package files come from&lt;/li>
&lt;/ul>
&lt;p>Review kernel configuration&lt;/p>
&lt;ul>
&lt;li>Security options, but also things like hardware RNG, architecture specific address space randomization&lt;/li>
&lt;li>Some more ideas
in &lt;a href="https://www.whonix.org/wiki/Hardened-kernel">https://www.whonix.org/wiki/Hardened-kernel&lt;/a>&lt;/li>
&lt;li>Make sure CONFIG_DEVMEM is disabled if at all possible&lt;/li>
&lt;li>Typically used to access device registers as a workaround&lt;/li>
&lt;li>Somewhat better now with default values of STRICT_DEVMEM and IO_STRICT_DEVMEM, but using/fixing drivers and disabling is safer&lt;/li>
&lt;/ul>
&lt;p>It&amp;rsquo;s common for BSP layers to not enable desired features&amp;hellip;&lt;/p>
&lt;ul>
&lt;li>
&lt;p>e.g. cgroup, namespace, netfilter, BPF support&lt;/p>
&lt;/li>
&lt;li>
&lt;p>These become more visible when using systemd or container runtimes&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&amp;hellip;and to enable a lot of things you do not need&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Usually err on the side of enabling a lot of driver subsystems and drivers&lt;/p>
&lt;/li>
&lt;li>
&lt;p>May enable DEBUG options that are problematic&lt;/p>
&lt;/li>
&lt;li>
&lt;p>ROOTFS_READ_ONLY feature is worth considering&lt;/p>
&lt;ul>
&lt;li>Increase difficulty for attackers&lt;/li>
&lt;li>Secondary benefit of also being useful for implementing reset to factory default schemes&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>May require development effort&lt;/p>
&lt;ul>
&lt;li>Locally developed applications, or packages from outside oe-core may not work out of the box&lt;/li>
&lt;li>Combining with MAC schemes such as SELinux will require some work (as labelling is done on boot)&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="meta-security">meta-security&lt;/h3>
&lt;ul>
&lt;li>cve-check.bbclass&lt;/li>
&lt;li>SRTool (&lt;a href="https://wiki.yoctoproject.org/wiki/SRTool_User_Page">https://wiki.yoctoproject.org/wiki/SRTool_User_Page&lt;/a>) may be useful if you need to set up an issue tracker&lt;/li>
&lt;/ul>
&lt;p>meta-security – Compliance&lt;/p>
&lt;ul>
&lt;li>
&lt;p>Recipes in meta-security-compliance layer&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Lynis (&lt;a href="https://cisofy.com/lynis">https://cisofy.com/lynis&lt;/a>) runtime system auditor&lt;/p>
&lt;/li>
&lt;li>
&lt;p>OpenSCAP (&lt;a href="https://www.open-scap.org">https://www.open-scap.org&lt;/a>)&lt;/p>
&lt;ul>
&lt;li>Implementation of Security Content Automation Protocol&lt;/li>
&lt;li>In simple terms, a specification of standardized naming for interaction with tools and databases&lt;/li>
&lt;li>oscap and oscap-daemon tools for checking NIST or other databases for vulnerabilities&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>These seem likely to be overkill in a lot of embedded usecases&lt;/p>
&lt;/li>
&lt;li>
&lt;p>But perhaps still useful in a QA role&lt;/p>
&lt;/li>
&lt;li>
&lt;p>meta-security – Runtime Scanners&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="meta-selinux">meta-selinux&lt;/h3>
&lt;h3 id="meta-sca">meta-sca&lt;/h3>
&lt;ul>
&lt;li>&lt;a href="https://github.com/priv-kweihmann/meta-sca">https://github.com/priv-kweihmann/meta-sca&lt;/a>&lt;/li>
&lt;li>Collection of static analysis tools maintained by Konrad Weihmann&lt;/li>
&lt;li>Static analysis for C, C++, python, etc.&lt;/li>
&lt;li>Classes to enable per package or per image scanning (some limits depending on specific tools)&lt;/li>
&lt;li>Significant documentation&lt;/li>
&lt;li>Actively maintained&lt;/li>
&lt;/ul>
&lt;h3 id="summary">Summary&lt;/h3>
&lt;ul>
&lt;li>Updater layers – meta-swupdate&lt;/li>
&lt;li>Updater layers – meta-mender&lt;/li>
&lt;li>Updater layers – meta-updater&lt;/li>
&lt;li>meta-sca - Collection of static analysis tools maintained by Konrad Weihmann&lt;/li>
&lt;/ul>
&lt;h2 id="cicd">CI/CD&lt;/h2>
&lt;h3 id="wrigel-the-third">Wrigel the Third&lt;/h3>
&lt;ul>
&lt;li>Docker, DockerSwam&lt;/li>
&lt;li>Designed for easy setup of small cluters&lt;/li>
&lt;li>internal build and in AWS&lt;/li>
&lt;li>&lt;a href="https://github.com/WindRiver-OpenSourceLabs/ci-scripts">https://github.com/WindRiver-OpenSourceLabs/ci-scripts&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>WR setup tool and git-repo&lt;/p>
&lt;ul>
&lt;li>git-repo manages large tree of repos&lt;/li>
&lt;li>manifest generation by setup tool&lt;/li>
&lt;li>git repo detects changes across entire tree&lt;/li>
&lt;li>automatic rebase of local commits when syncing&lt;/li>
&lt;li>con: fork with support for bare repos&lt;/li>
&lt;/ul>
&lt;p>setup tool and layerindex&lt;/p>
&lt;ul>
&lt;li>dicovery and depenendecy management&lt;/li>
&lt;li>bitbake-layers layerindex-fetch is based on some of that&lt;/li>
&lt;/ul>
&lt;h3 id="developer-builds">Developer builds&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>repo detects commits&lt;/p>
&lt;/li>
&lt;li>
&lt;p>fork repos and store commits on git server&lt;/p>
&lt;/li>
&lt;li>
&lt;p>containerized layerindex uses forks&lt;/p>
&lt;/li>
&lt;li>
&lt;p>recreate local buildarea on buildsystem&lt;/p>
&lt;/li>
&lt;li>
&lt;p>CONTAINERIZE layerindex???&lt;/p>
&lt;/li>
&lt;li>
&lt;p>start_devbuild.sh&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="build-failure-login">Build Failure Login&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>developer can&amp;rsquo;t reproduce build failure on build server&lt;/p>
&lt;/li>
&lt;li>
&lt;p>save docker container startup command&lt;/p>
&lt;/li>
&lt;li>
&lt;p>create temp ssh key, upload build server&lt;/p>
&lt;/li>
&lt;li>
&lt;p>add authorize key entry to run docker on login&lt;/p>
&lt;/li>
&lt;li>
&lt;p>build environment perfectly recreated&lt;/p>
&lt;/li>
&lt;li>
&lt;p>cleanup key&lt;/p>
&lt;/li>
&lt;li>
&lt;p>workspace_login.sh&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;a href="https://lava.ciplatform.org/">https://lava.ciplatform.org/&lt;/a>&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="summary-1">Summary&lt;/h3>
&lt;ul>
&lt;li>expose large compuse to developers&lt;/li>
&lt;li>build and test patches before commit&lt;/li>
&lt;li>build failures inspection&lt;/li>
&lt;li>integration with runtime testing&lt;/li>
&lt;/ul>
&lt;h3 id="demo">Demo&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>OERuntimeTestCase&lt;/p>
&lt;/li>
&lt;li>
&lt;p>searching layers in devbuild for local commits&lt;/p>
&lt;/li>
&lt;li>
&lt;p>yocto autobuilder helper scripts&lt;/p>
&lt;/li>
&lt;li>
&lt;p>awe to scale builds&lt;/p>
&lt;/li>
&lt;li>
&lt;p>k8s and tekton&lt;/p>
&lt;/li>
&lt;li>
&lt;p>yocto self-hosted AMIs&lt;/p>
&lt;/li>
&lt;li>
&lt;p>spot instances are a great deal&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="questions">Questions&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>try to prefer docker volumes.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>host path can be performant&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Add tmpfs at the common tmp locations. Some recipes misbehave.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>you can do docker run and verify that nothing in overlay has changed.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="techniques-and-tools-to-reduce-image-size-with-yocto-projects">Techniques and tools to reduce image size with Yocto Projects&lt;/h2>
&lt;p>Agenda&lt;/p>
&lt;ul>
&lt;li>Introduction&lt;/li>
&lt;li>&amp;ldquo;poky-tiny” Distribution&lt;/li>
&lt;li>Image analysis tools&lt;/li>
&lt;li>Compiler and toolchain optimizations&lt;/li>
&lt;li>C/C++ this time&lt;/li>
&lt;li>package refactoring&lt;/li>
&lt;li>Package selection&lt;/li>
&lt;/ul>
&lt;h3 id="introduction">Introduction&lt;/h3>
&lt;p>Reference Distrubtions&lt;/p>
&lt;ul>
&lt;li>poky-tiny
&lt;ul>
&lt;li>small size&lt;/li>
&lt;li>musl&lt;/li>
&lt;li>linux-yocto-tiny&lt;/li>
&lt;li>mdev&lt;/li>
&lt;li>custom init&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>poky-altconfig
&lt;ul>
&lt;li>systemd&lt;/li>
&lt;li>LTSI kernel&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="poky-tiny-distribution">&amp;ldquo;poky-tiny” Distribution&lt;/h3>
&lt;ul>
&lt;li>start small and then add&lt;/li>
&lt;li>much harder to remove things, often due to dependencies&lt;/li>
&lt;/ul>
&lt;p>Packages&lt;/p>
&lt;ul>
&lt;li>musl C Library
&lt;ul>
&lt;li>IMAGESIZE = 37668 -&amp;gt; 35532&lt;/li>
&lt;li>this requires changes in application&lt;/li>
&lt;li>changes interface to linux kernel&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>busybox init system
&lt;ul>
&lt;li>IMAGESIZE = 35532 -&amp;gt; 3120&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>mdev over udev&lt;/li>
&lt;/ul>
&lt;h3 id="image-analysis-tools">Image analysis tools&lt;/h3>
&lt;h3 id="compiler-and-toolchain-optimizations">Compiler and toolchain optimizations&lt;/h3>
&lt;h4 id="compiler-flags">Compiler Flags&lt;/h4>
&lt;ul>
&lt;li>SELECTED_OPTIMIZATION&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class="language-python">TARGET_CFLAGS = &amp;quot;${TARGET_CPPFLAGS} ${SELECTED_OPTIMIZATION}&amp;quot;
…
DEBUG_FLAGS ?= &amp;quot;-g -feliminate-unused-debug-types ${DEBUG_PREFIX_MAP}&amp;quot;
# Disabled until the option works properly -feliminate-dwarf2-dups
FULL_OPTIMIZATION = &amp;quot;-O2 -pipe ${DEBUG_FLAGS}&amp;quot;
DEBUG_OPTIMIZATION = &amp;quot;-Og ${DEBUG_FLAGS} -pipe&amp;quot;
SELECTED_OPTIMIZATION = &amp;quot;${@d.getVar(oe.utils.vartrue('DEBUG_BUILD', 'DEBUG_OPTIMIZATION', 'FULL_OPTIMIZATION', d))}&amp;quot;
&lt;/code>&lt;/pre>
&lt;h4 id="lto">LTO&lt;/h4>
&lt;ul>
&lt;li>&lt;code>flto&lt;/code>&lt;/li>
&lt;li>clang support
&lt;ul>
&lt;li>thin LTO&lt;/li>
&lt;li>full LTO&lt;/li>
&lt;li>needs gold linker&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="package-selection">Package selection&lt;/h3>
&lt;h4 id="buildhistory">Buildhistory&lt;/h4>
&lt;pre>&lt;code class="language-python">USER_CLASSES ?= &amp;quot; buildhistory”
BUILDHISTORY_COMMIT ?= &amp;quot;1&amp;quot;
&lt;/code>&lt;/pre>
&lt;h4 id="refine-image">Refine Image&lt;/h4>
&lt;ul>
&lt;li>IMAGE_LINGUAS&lt;/li>
&lt;li>“en-us”&lt;/li>
&lt;li>Use “as needed”, prefer empty&lt;/li>
&lt;li>IMAGE_FEATURES&lt;/li>
&lt;li>Remove package-management&lt;/li>
&lt;li>Remove splash&lt;/li>
&lt;li>SSH – Use dropbear instead of OpenSSH&lt;/li>
&lt;li>Add ssh-server-dropbear to IMAGE_FEATURES&lt;/li>
&lt;/ul>
&lt;p>Build history analysis&lt;/p>
&lt;ul>
&lt;li>installed-package-sizes.txt&lt;/li>
&lt;li>dot files for dependencies between packages&lt;/li>
&lt;/ul>
&lt;h2 id="slack-channel">Slack Channel&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://elinux.org/images/8/8f/Poky-tiny_and_Beyond.pdf">https://elinux.org/images/8/8f/Poky-tiny_and_Beyond.pdf&lt;/a>&lt;/li>
&lt;/ul>
&lt;h2 id="user-space-hands-on">User Space, HANDS ON&lt;/h2>
&lt;h3 id="packing-qa">Packing QA&lt;/h3>
&lt;ul>
&lt;li>packages-list
&lt;ul>
&lt;li>same package multiple times&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>installed-vs-shipped&lt;/li>
&lt;li>already-stripped&lt;/li>
&lt;li>ldflags - ELF binary has symbols but no GNU_HASH&lt;/li>
&lt;/ul>
&lt;h3 id="questions-1">Questions&lt;/h3>
&lt;ul>
&lt;li>Q: What is the &amp;ldquo;BACKFILL_CONSIDERED&amp;rdquo; mean?
&lt;ul>
&lt;li>if any packages says it needs &lt;code>sysvint&lt;/code> then you should just ignore it&lt;/li>
&lt;li>It&amp;rsquo;s features that were on by default (usually implictly because there was no knob), so you are acknowledging that &amp;ldquo;considered&amp;rdquo; you want it off (at least thats my interpretation)&lt;/li>
&lt;li>Bascially, it was non-configurable, then it became a knob, but they had to default it to &amp;ldquo;on&amp;rdquo; to maintain backward compatability&lt;/li>
&lt;li>&lt;a href="https://www.yoctoproject.org/docs/current/mega-manual/mega-manual.html#ref-features-backfill">https://www.yoctoproject.org/docs/current/mega-manual/mega-manual.html#ref-features-backfill&lt;/a>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="devtool">DevTool&lt;/h2>
&lt;h3 id="devtool--past-presentations">devtool – past presentations&lt;/h3>
&lt;ul>
&lt;li>Using Devtool To Streamline Your Yocto Project Workflow - Tim Orling
&lt;ul>
&lt;li>&lt;a href="https://www.youtube.com/watch?v=CiD7rB35CRE">https://www.youtube.com/watch?v=CiD7rB35CRE&lt;/a>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Yocto Project Extensible SDK: Simplifying the Workflow for Application Developers - Henry Bruce
&lt;ul>
&lt;li>&lt;a href="https://www.youtube.com/watch?v=d3xanDJuXRA&amp;amp;t=57s">https://www.youtube.com/watch?v=d3xanDJuXRA&amp;amp;t=57s&lt;/a>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="why-devtool-exists">Why devtool exists?&lt;/h3>
&lt;ul>
&lt;li>working with sources as hard
&lt;ul>
&lt;li>tempting to just edit sources under tmp&lt;/li>
&lt;li>painful (forced builds, mannual patch generations, lost work)&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="devtool-has-two-modes">Devtool has two modes&lt;/h3>
&lt;p>each has slight differences. It&amp;rsquo;s the only interfaces for eSDK.&lt;/p>
&lt;p>eSDK mode&lt;/p>
&lt;ul>
&lt;li>add&lt;/li>
&lt;li>build&lt;/li>
&lt;li>build-image&lt;/li>
&lt;li>build-sdk&lt;/li>
&lt;li>configure-help&lt;/li>
&lt;li>check-upgrade-status&lt;/li>
&lt;li>deploy-target&lt;/li>
&lt;li>edit-recipe&lt;/li>
&lt;li>export&lt;/li>
&lt;li>extract&lt;/li>
&lt;li>find-recipe&lt;/li>
&lt;li>finish&lt;/li>
&lt;li>import&lt;/li>
&lt;li>latest-version&lt;/li>
&lt;li>menuconfig&lt;/li>
&lt;li>modify&lt;/li>
&lt;li>package&lt;/li>
&lt;li>rename&lt;/li>
&lt;li>reset&lt;/li>
&lt;li>runqemu&lt;/li>
&lt;li>sdk-install&lt;/li>
&lt;li>sdk-update&lt;/li>
&lt;li>search&lt;/li>
&lt;li>status&lt;/li>
&lt;li>sync&lt;/li>
&lt;li>undeploy-target&lt;/li>
&lt;li>update-recipe&lt;/li>
&lt;li>upgrade&lt;/li>
&lt;/ul>
&lt;p>bitbake mode&lt;/p>
&lt;ul>
&lt;li>add&lt;/li>
&lt;li>build&lt;/li>
&lt;li>build-image&lt;/li>
&lt;li>configure-help&lt;/li>
&lt;li>check-upgrade-status&lt;/li>
&lt;li>create-workspace&lt;/li>
&lt;li>deploy-target&lt;/li>
&lt;li>edit-recipe&lt;/li>
&lt;li>export&lt;/li>
&lt;li>extract&lt;/li>
&lt;li>find-recipe&lt;/li>
&lt;li>finish&lt;/li>
&lt;li>import&lt;/li>
&lt;li>latest-version&lt;/li>
&lt;li>menuconfig&lt;/li>
&lt;li>modify&lt;/li>
&lt;li>rename&lt;/li>
&lt;li>reset&lt;/li>
&lt;li>search&lt;/li>
&lt;li>status&lt;/li>
&lt;li>sync&lt;/li>
&lt;li>undeploy-target&lt;/li>
&lt;li>update-recipe&lt;/li>
&lt;li>upgrade&lt;/li>
&lt;/ul>
&lt;h3 id="more-on-devtool">More on devtool&lt;/h3>
&lt;p>Devtool multiple targets&lt;/p>
&lt;ul>
&lt;li>specify target’s IP with un/deploy-target&lt;/li>
&lt;/ul>
&lt;h3 id="recipetool">recipetool&lt;/h3>
&lt;ul>
&lt;li>extra set of tools for working on recipes&lt;/li>
&lt;li>logic for creating recipes (used by devtool add)&lt;/li>
&lt;li>can also create update bbapends, programmactically set variables in recipes, etc&lt;/li>
&lt;/ul>
&lt;h3 id="future">Future&lt;/h3>
&lt;ul>
&lt;li>multiconfig support&lt;/li>
&lt;li>recipe modification fixes&lt;/li>
&lt;li>smart recipetool&lt;/li>
&lt;/ul>
&lt;h3 id="lab">Lab&lt;/h3>
&lt;pre>&lt;code>Host qemu
User root
Hostname localhost
Port 2222
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
&lt;/code>&lt;/pre>
&lt;h3 id="sidebar--slirp-versus-tuntap">sidebar – SLIRP versus TUN/TAP&lt;/h3>
&lt;ul>
&lt;li>SLIRP: advantage is no root access required, disadvantages are minimal documentation,
requires SSH knowledge&lt;/li>
&lt;li>TAP : advantage is simpler setup, disadvantage is that it requires sudo access&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class="language-sh"># SLIRP
runqemu slirp nographic serial
devtool deploy-target nano qemu
# TAP
sudo runqemu nographic serial
$ devtool deploy-target nano root@192.168.7.2
&lt;/code>&lt;/pre>
&lt;h2 id="xen">Xen&lt;/h2>
&lt;h3 id="overview">Overview&lt;/h3>
&lt;ul>
&lt;li>Dom0 + Control Domain
&lt;ul>
&lt;li>Platform stuff&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>App VMS
&lt;ul>
&lt;li>Windows VM&lt;/li>
&lt;li>Linux VM&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>Xen hypervisor contains&lt;/p>
&lt;ul>
&lt;li>
&lt;p>Scheduler&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Memory Mgmt&lt;/p>
&lt;/li>
&lt;li>
&lt;p>XSM Access Control&lt;/p>
&lt;/li>
&lt;li>
&lt;p>author works for open xt&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="bitbaking-xen-for-rpi4">bitbaking Xen for RPI4&lt;/h3>
&lt;p>layers&lt;/p>
&lt;ul>
&lt;li>xen support in meta-virtualization&lt;/li>
&lt;li>rpi 4 suport in meta-raspberrypi&lt;/li>
&lt;li>poky with meta-openembedded&lt;/li>
&lt;li>&lt;a href="https://lists.yoctoproject.org/g/meta-virtualization/message/5495">https://lists.yoctoproject.org/g/meta-virtualization/message/5495&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>conf&lt;/p>
&lt;pre>&lt;code class="language-python">MACHINE=”raspberrypi4-64&amp;quot;
DISTRO_FEATURES_append = &amp;quot; virtualization xen&amp;quot;;
QEMU_TARGETS = &amp;quot;i386 x86_64 aarch64 arm&amp;quot;
&lt;/code>&lt;/pre>
&lt;p>build&lt;/p>
&lt;pre>&lt;code class="language-sh">bitbake xen-image-minimal
&lt;/code>&lt;/pre>
&lt;h3 id="rpi4-boot-and-verify-xen">RPI4 Boot and verify xen&lt;/h3>
&lt;p>xl list
Testing basic Xen functionality at the console:&lt;/p>
&lt;pre>&lt;code class="language-sh"># list running VMs
xl list
# show data about the current hypervisor
xl info
# examine Linux’s Xen device nodes
ls -l /dev/xen
# read the contents of the XenStore tree
xenstore-ls
# see the Linux kernel messages relating to Xen
dmesg | grep Xen
# see the Xen boot messages
xl dmesg
&lt;/code>&lt;/pre>
&lt;p>Xen patch series&lt;/p>
&lt;ul>
&lt;li>&amp;ldquo;dynamic layer&amp;rdquo; for settings taht are specific to Xen-on-rpi4&lt;/li>
&lt;/ul>
&lt;h3 id="xen-beyond-pi">Xen beyond Pi&lt;/h3>
&lt;ul>
&lt;li>Intel x86-64
&lt;ul>
&lt;li>wic tool integration&lt;/li>
&lt;li>simple production of bootable&lt;/li>
&lt;li>&lt;code>wic create directdisk-xen -e xen-image-minimal&lt;/code>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Can run inside of runqemu!&lt;/li>
&lt;/ul>
&lt;h3 id="xen-questions">Xen Questions&lt;/h3>
&lt;ul>
&lt;li>Q: What does &amp;ldquo;directdisk&amp;rdquo; refer to when it comes to images? How does this differ from the other IMAGE_FS_TYPES?
&lt;ul>
&lt;li>will create image suitable for booting x86-64 type of image.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="kvm">KVM&lt;/h2>
&lt;ul>
&lt;li>packagegroup-kvm-host
&lt;ul>
&lt;li>qemu, libvirt, libvirtd, virsh&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>kvm-binary-image-vessel-package
&lt;ul>
&lt;li>&amp;ldquo;vessel&amp;rdquo; is avoiding the overloaded meaning of &amp;ldquo;container&amp;rdquo;&lt;/li>
&lt;li>&lt;code>inherit bin_package&lt;/code>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="future-work">future work&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>secure boot&lt;/p>
&lt;/li>
&lt;li>
&lt;p>virsh (use a tempalte to create XML)&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Launch script to auto boot the guest&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Insert ssh keys into guest&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Acorn is another type 1 hypervisor&lt;/p>
&lt;/li>
&lt;li>
&lt;p>yp-dev-day_virtualization&lt;/p>
&lt;ul>
&lt;li>gitlab instance with CI&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="kvm-questions">KVM Questions&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>Xen vs KVM&lt;/p>
&lt;ul>
&lt;li>xen ~ vsphere, kvm ~ vmware/vmplayer&lt;/li>
&lt;li>Xen is type 1, KVM is type 2
&lt;ul>
&lt;li>you boot a &amp;ldquo;type 1&amp;rdquo; first before booting anything else&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>Q: Has anyone used &amp;ldquo;cloud-init&amp;rdquo; with Yocto build image?&lt;/p>
&lt;ul>
&lt;li>A: we used cloud-init extensively in the meta-openstack days/layer&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul></description></item><item><title>Reproducible Builds and Hash Equivalence in the Yocto Project</title><link>https://academic-oss-elc.netlify.app/talk/2020-oss-elc/reproducible-builds-and-hash-equivalence-in-the-yocto-project-joshua-watt-garmin/</link><pubDate>Wed, 01 Jul 2020 00:00:00 +0000</pubDate><guid>https://academic-oss-elc.netlify.app/talk/2020-oss-elc/reproducible-builds-and-hash-equivalence-in-the-yocto-project-joshua-watt-garmin/</guid><description>&lt;blockquote>
&lt;p>As embedded Linux devices get more complex, many questions arise about the process of constructing these systems and how it can be improved. Can these complex systems be built more efficiently to reduce development time? How can developers be assured that these systems can be built reproducibly to ensure software supply chain integrity? Joshua will highlight two new features in the latest release of the Yocto project specifically designed to address these questions. The first feature is hash equivalence which reduces build times by collectively detecting when tasks have rebuilt unnecessarily and preventing rebuilds of downstream tasks. Joshua will explain how this feature works, how to apply it to your own projects, and what to expect when you do. The second feature is build reproducibility testing, which ensures that the project has binary identical outputs from one build to the next. Joshua will describe how these tests work, what they currently cover within the project, and how to enable them for your own projects. Taken together, these features improve the Yocto project’s unique ability to effectively construct complex Linux embedded systems that are cost effective and secure.&lt;/p>
&lt;/blockquote>
&lt;h2 id="notes">Notes&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://reproducible-builds.org/">reproducible-builds&lt;/a>&lt;/li>
&lt;/ul>
&lt;h3 id="runqueue">RunQueue&lt;/h3>
&lt;p>MIA&lt;/p>
&lt;h3 id="runqueue-with-hash-equivalence">RunQueue with Hash Equivalence&lt;/h3>
&lt;ul>
&lt;li>Now each task also has &lt;code>unihash&lt;/code>&lt;/li>
&lt;li>breaks task hash from it&amp;rsquo;s upstream&lt;/li>
&lt;li>&lt;code>unihash&lt;/code> is &lt;code>tashhash&lt;/code> by default.&lt;/li>
&lt;li>&lt;code>outhash&lt;/code> is calculated. Then stored in &lt;code>hashserver&lt;/code>&lt;/li>
&lt;/ul>
&lt;p>Trickle down effect&lt;/p>
&lt;ul>
&lt;li>all downstream tasks will still have &lt;code>taskhash&lt;/code> updated.&lt;/li>
&lt;li>if it&amp;rsquo;s a trivial task we would like not to have to rebuild the downstream tasks.&lt;/li>
&lt;li>if the &lt;code>outhash&lt;/code> is the same even if the &lt;code>taskhash&lt;/code> changed, then the hashserver will set &lt;code>unihash&lt;/code> to a certain value
&lt;ul>
&lt;li>Now this &lt;code>unihash&lt;/code> propagates down to downstream tasks.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="recipe-updates">Recipe Updates&lt;/h3>
&lt;p>Which updates work well with this hash equivalence server?&lt;/p>
&lt;ul>
&lt;li>Library updates &amp;amp; CVE Fixes&lt;/li>
&lt;li>Native tool updates&lt;/li>
&lt;/ul>
&lt;p>Output Hash Calc&lt;/p>
&lt;ul>
&lt;li>Checksum of all files and metadata that goes into an sstate object&lt;/li>
&lt;li>signature files can be found in depsig&lt;/li>
&lt;/ul>
&lt;p>Hash Equivalence Server&lt;/p>
&lt;ul>
&lt;li>Reference impl in bitbake
&lt;ul>
&lt;li>&lt;code>BB_HASHSERVE = &amp;quot;auto&amp;quot;&lt;/code>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>can be shared between multiple clients
&lt;ul>
&lt;li>Specify server with BB_HASHSERVER&lt;/li>
&lt;li>Only makes sense if you are sharing SSTATE_CACHE&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>Debugging Hash Equiv.&lt;/p>
&lt;ul>
&lt;li>Can configure logging in &lt;code>local.conf&lt;/code>
&lt;ul>
&lt;li>&lt;code>BB_LOGCONFG = &amp;quot;logconfig.json&amp;quot;&lt;/code>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>Future Improvements&lt;/p>
&lt;ul>
&lt;li>Read-only hash server for CI centered workflows
&lt;ul>
&lt;li>&amp;ldquo;read-only&amp;rdquo; flag for the client&lt;/li>
&lt;li>&amp;ldquo;read-mostly&amp;rdquo; flag for the client&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>better hash equivalence database introspection tools&lt;/li>
&lt;/ul>
&lt;h2 id="reproducable-builds">Reproducable Builds&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://reproducible-builds.org/">https://reproducible-builds.org/&lt;/a>&lt;/li>
&lt;/ul>
&lt;ol>
&lt;li>Imrpove Hash Equiv. effectiveness&lt;/li>
&lt;li>Code archival&lt;/li>
&lt;li>Software supply chain
&lt;ol>
&lt;li>verify toolchain is not comprising your target&lt;/li>
&lt;/ol>
&lt;/li>
&lt;/ol>
&lt;h3 id="build-flow">Build FLow&lt;/h3>
&lt;ul>
&lt;li>tool builds almost all the tools it needs&lt;/li>
&lt;li>compile native tools from source&lt;/li>
&lt;/ul>
&lt;h3 id="reproducibility-qa-test">Reproducibility QA Test&lt;/h3>
&lt;ul>
&lt;li>reproducible build
&lt;ul>
&lt;li>available since 3.0 (zeus) release&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>QA Test&lt;/p>
&lt;ul>
&lt;li>Does an &amp;lsquo;A&amp;rsquo; and &amp;lsquo;B&amp;rsquo; build
&lt;ul>
&lt;li>A uses sstate&lt;/li>
&lt;li>B from scratch&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>test images
&lt;ul>
&lt;li>core-image-minimal&lt;/li>
&lt;li>core-image-full-cmdline&lt;/li>
&lt;li>core-image-sato&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>test packages formats
&lt;ul>
&lt;li>deb&lt;/li>
&lt;li>ipk&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>What causes reproducibility issues?&lt;/p>
&lt;ul>
&lt;li>build path differences&lt;/li>
&lt;li>timestamp differences&lt;/li>
&lt;li>host differences
&lt;ul>
&lt;li>consider using docker container to reduce issues&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>diffoscope&lt;/p>
&lt;ul>
&lt;li>report non-reproducible packages in browsable HTML&lt;/li>
&lt;li>supports diff inside of archive files
&lt;ul>
&lt;li>packages (deb, ipks)&lt;/li>
&lt;li>archives (tar, tar.xz, etc)&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="future-imrpovements">Future Imrpovements&lt;/h3>
&lt;p>NOTE: exttool-sdk provides all the tools required to rebuild&lt;/p>
&lt;ul>
&lt;li>test more packages
&lt;ul>
&lt;li>SDK images&lt;/li>
&lt;li>sato images&lt;/li>
&lt;li>world images&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>test rpm packages&lt;/li>
&lt;li>test final rootfs images&lt;/li>
&lt;li>test other deployed objectstest native tools&lt;/li>
&lt;li>test more architectures
&lt;ul>
&lt;li>Currently only tests x86-64&lt;/li>
&lt;li>AArch64 would be the highest priority&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>reproducible-builds.org recomended these things
&lt;ul>
&lt;li>Use DisorderFS to test for file system ordering non-reproducibility&lt;/li>
&lt;li>Use libfaketime to do proper timestamp testing
&lt;ul>
&lt;li>psuedo library needs adjustments&lt;/li>
&lt;li>provides fake timestamps&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="conclusions">Conclusions&lt;/h2>
&lt;h3 id="community">Community&lt;/h3>
&lt;ul>
&lt;li>Freenode IRC
&lt;ul>
&lt;li>#yocto&lt;/li>
&lt;li>#oe&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Monthly virtual planning meeting
&lt;ul>
&lt;li>First Tuesday of each month at 8:00 AM Pacific Time&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Bug triage
&lt;ul>
&lt;li>Thursday at 7:30&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="contact">Contact&lt;/h3>
&lt;ul>
&lt;li>JPEWhacker@gmail&lt;/li>
&lt;li>&lt;a href="mailto:Joshua.Watt@Garmin.com">Joshua.Watt@Garmin.com&lt;/a>&lt;/li>
&lt;/ul>
&lt;h3 id="questions">Questions&lt;/h3>
&lt;p>QA with Speaker&lt;/p>
&lt;ul>
&lt;li>restoring from sstate is called set-scene?
&lt;ul>
&lt;li>Yes, bitbake actually executes a task called do_populate_sysroot_setscene in place of of do_populate_sysroot to do the actual restoring from setsecene&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Is the hash server part of the sstate cache?
&lt;ul>
&lt;li>No. It depends on the sstate cache contents (as I&amp;rsquo;ll cover in a bit), but it&amp;rsquo;s a separate entity.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Will the uni-hash always stay as the first &amp;lsquo;equivalent&amp;rsquo; task-hask?
&lt;ul>
&lt;li>The hash equivalence server currently uses the oldest reported hash as the &amp;ldquo;canonical&amp;rdquo; unihash, but the decision is internal to the server, so other things could be done.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>What if a recipe doesn&amp;rsquo;t change it all but only a referenced file (using SRC_URI) which is copied by the recipe into the roots?
&lt;ul>
&lt;li>hash equivalence is based on the output of sstate tasks, so if the file changes sstate output, then it won&amp;rsquo;t be equivalent, but if the state output is the same, than it will be equivalent.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>This is true for any of the things that go into a tasks hash (files, variables, etc).
&lt;ul>
&lt;li>how does hash equivalence work in a multiconfig scenario when building for both arm32 and aarch64?&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Can you elaborate?
&lt;ul>
&lt;li>Can the path for your own tests be in a location outside of the poky repo?&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Yes. In fact, OE&amp;rsquo;s QA test core will look in those paths in any layer, so you can simply drop the file in that path relative to your own layer root and it will find it.
&lt;ul>
&lt;li>Can you restate the reproducobilty project that recommend DisorderFS and Libfaketime?
reproducible-builds.org, and it&amp;rsquo;s on my references slide&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>My Questions&lt;/p>
&lt;ul>
&lt;li>Can you comment on &amp;lsquo;universal/&amp;rsquo; and on &amp;lsquo;uninative&amp;rsquo; with respect to sstate?
&lt;ul>
&lt;li>uninative provides consistent native tools. allows you to use the same tools&lt;/li>
&lt;li>really &amp;ldquo;light&amp;rdquo; container&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>Notes&lt;/p>
&lt;ul>
&lt;li>Paths encoded in dwarf symbols in debug symbols becomes problems&lt;/li>
&lt;/ul></description></item><item><title>Building Bare Metal Toolchains, Crosstool-ng and Yocto Project</title><link>https://academic-oss-elc.netlify.app/talk/2020-oss-elc/building-bare-metal-toolchains-crosstool-ng-and-yocto-project-mark-hatle-xilinx/</link><pubDate>Tue, 30 Jun 2020 00:00:00 +0000</pubDate><guid>https://academic-oss-elc.netlify.app/talk/2020-oss-elc/building-bare-metal-toolchains-crosstool-ng-and-yocto-project-mark-hatle-xilinx/</guid><description>&lt;blockquote>
&lt;p>Recently I was tasked to create a bare metal toolchain to create software for a variety of embedded processor architectures and configurations. Crosstool-ng is often used to create these toolchains, but Yocto Project SDK builder is capable of doing this as well. This presentation will compare both crosstool-ng and the Yocto Project for this task, include my experiences working with both tools, include Yocto Project configuration information and give the audience an understanding when they may want to use one tool vs the other.&lt;/p>
&lt;/blockquote>
&lt;h2 id="agenda">Agenda&lt;/h2>
&lt;ul>
&lt;li>crosstool-ng&lt;/li>
&lt;li>Yocto Project SDK builder&lt;/li>
&lt;li>Experience&lt;/li>
&lt;li>Yocto Project Configuration&lt;/li>
&lt;li>Recommendation&lt;/li>
&lt;li>Questions&lt;/li>
&lt;/ul>
&lt;h2 id="crosstool-ng">crosstool-ng&lt;/h2>
&lt;ul>
&lt;li>
&lt;p>crosstool-ng is versatile cross toolchain generator&lt;/p>
&lt;/li>
&lt;li>
&lt;p>good at reproducable toolchain&lt;/p>
&lt;/li>
&lt;li>
&lt;p>`ct-ng list-samples&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Runtime relocatable&lt;/p>
&lt;ul>
&lt;li>can install in one location and mount/run from many&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>binaries are very specific to the host environments they were built for&lt;/p>
&lt;ul>
&lt;li>determine which operating system the user is using&lt;/li>
&lt;li>builds on the oldest distro&lt;/li>
&lt;li>Can build from Cygwin&lt;/li>
&lt;li>expects you to have cygwin cross compiler&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>Configuration is similar to kernel config&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Config process will create ctx files&lt;/p>
&lt;/li>
&lt;li>
&lt;p>xilinx typically distributed &amp;ldquo;multilib&amp;rdquo; versions&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="yocto-project-sdk-builder">Yocto Project SDK builder&lt;/h2>
&lt;h3 id="yocto-project">Yocto Project&lt;/h3>
&lt;ul>
&lt;li>yocto project is not linux specific
&lt;ul>
&lt;li>FreeRTOS&lt;/li>
&lt;li>OpenAMP&lt;/li>
&lt;li>Bare Metal&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Outputs include
&lt;ul>
&lt;li>Run-time images&lt;/li>
&lt;li>SDK / eSDK&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>This talk is focusing on SDK&lt;/p>
&lt;h3 id="yocto-project-sdk">Yocto Project SDK&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>target SDK&lt;/p>
&lt;ul>
&lt;li>matches operating system runtime environment&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>defined SDK&lt;/p>
&lt;ul>
&lt;li>SDK where each component is define to be include in SDK&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>SDK can be multilib enabled&lt;/p>
&lt;ul>
&lt;li>multilib are built independently of each other&lt;/li>
&lt;li>slower, but safer approach foor complex configuration&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>self extracting installation file&lt;/p>
&lt;/li>
&lt;li>
&lt;p>built to isolate sdk environment from the host system&lt;/p>
&lt;ul>
&lt;li>SDK includes its own glibc, and some runtime components&lt;/li>
&lt;li>Don&amp;rsquo;t need your own cygwin and other environment&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>installation and runtime locations must be the same&lt;/p>
&lt;/li>
&lt;li>
&lt;p>automatic runtime relocation is not supported&lt;/p>
&lt;ul>
&lt;li>note - this is supported by the plain &amp;lsquo;sdk&amp;rsquo;&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>example&lt;/p>
&lt;pre>&lt;code class="language-bash">oe-init-build-env build-baremeta-tc
DISTRO=xilinx-standalone MACHINE=microblaze-tc bitbake meta-toolchain
&lt;/code>&lt;/pre>
&lt;ul>
&lt;li>slower than crosstool-ng
&lt;ul>
&lt;li>more steps to prevent multilib contamination&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="sdk---distro-conf---xilinx-standaloneconf">SDK - distro conf - xilinx-standalone.conf&lt;/h3>
&lt;p>How to create SDK config (and distro) ?&lt;/p>
&lt;ul>
&lt;li>LIBC_DEPENDENCIES
&lt;ul>
&lt;li>newlib-static dev&lt;/li>
&lt;li>libgloss-staticdev&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>install static library
&lt;ul>
&lt;li>clear defaults for distro feature backfill&lt;/li>
&lt;li>virtual runtime init manager&lt;/li>
&lt;li>preffered virtual kernel&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;pre>&lt;code># xilinx-standalone.conf
SDK_VERSION = &amp;quot;&amp;quot;xilinx-standalone
&lt;/code>&lt;/pre>
&lt;h3 id="sdk---machine-conf---microblaze-tcconf">SDK - machine conf - microblaze-tc.conf&lt;/h3>
&lt;ul>
&lt;li>multilib
&lt;ul>
&lt;li>MULTILIB_GLOBAL_VARIANTS&lt;/li>
&lt;li>MULTILIBS += &amp;ldquo;multilib:libmble&amp;rdquo;&lt;/li>
&lt;li>tons more&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>default tune
&lt;ul>
&lt;li>&lt;code>DEFAULTTUNE = &amp;quot;microblaze&amp;quot;&lt;/code>&lt;/li>
&lt;li>AVAILTUNES&lt;/li>
&lt;li>BASE_LIB&lt;/li>
&lt;li>TUNE_FEATURES&lt;/li>
&lt;li>PACKAGES_EXTRA_ARCH&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="experience---part-1">Experience - part 1&lt;/h2>
&lt;h4 id="changes-from-crosstool-ng">Changes from crosstool-NG&lt;/h4>
&lt;ul>
&lt;li>binutils
&lt;ul>
&lt;li>set diffferent defaults to match prior toolchain&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>GCC
&lt;ul>
&lt;li>different default to match prior toolchain&lt;/li>
&lt;li>restore some previously disabled newlib options (sysroots)&lt;/li>
&lt;li>only build SDK GCC once, create symlinks for other multilibs (gnu-toolchain-canadian.bb)&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>newlib/libgloss
&lt;ul>
&lt;li>adjust defaults&lt;/li>
&lt;li>workaround issues with multilibs conflicted&lt;/li>
&lt;li>workaround issues where libgloss and newlib dependency wasn&amp;rsquo;t multilib aware&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="compare">Compare&lt;/h3>
&lt;ul>
&lt;li>cross
&lt;ul>
&lt;li>MIA&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>yocto
&lt;ul>
&lt;li>linux sample confs&lt;/li>
&lt;li>no baremetal confs&lt;/li>
&lt;li>not relocatable&lt;/li>
&lt;li>full feature toolchain&lt;/li>
&lt;li>support mingw&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="experience---part-2">Experience - part 2&lt;/h2>
&lt;h3 id="xilinx-bare-meta-toolchain">Xilinx Bare Meta Toolchain&lt;/h3>
&lt;ul>
&lt;li>transitions from crosstool-ng to Yocto Project SDK to unify toolchain source and testing&lt;/li>
&lt;li>transition was not painless from development perspective
&lt;ul>
&lt;li>2-3 weeks for first few weeks&lt;/li>
&lt;li>took 3 months to iterate the get it stable&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>lots of questions about multilib configuration&lt;/li>
&lt;li>why was this transition and maintence was hard
&lt;ul>
&lt;li>people didn&amp;rsquo;t understand &lt;strong>why&lt;/strong> certain settings were set&lt;/li>
&lt;li>old version of crosstool-ng, people were not keeping up on configuration&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>initial goals was compatability with fromer crosstool-ng and custom ARM toolchain
&lt;ul>
&lt;li>pseudo runtime relocation capable&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="bare-metal-multilibs">Bare Metal Multilibs&lt;/h3>
&lt;ul>
&lt;li>aarch32-tc.conf&lt;/li>
&lt;li>aarch32
&lt;ul>
&lt;li>standard ARM (A profile) 32bit instruction set&lt;/li>
&lt;li>multilib config based on GNU/ARM defaults&lt;/li>
&lt;li>17 multilibs defined
&lt;ul>
&lt;li>custom defined to match GNU/ARM settings&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>first we got it working&lt;/li>
&lt;li>Now we can focus on fine tuning&lt;/li>
&lt;li>Custom &lt;code>arm-rm-tc.conf&lt;/code>&lt;/li>
&lt;li>ARM R/M
&lt;ul>
&lt;li>readltime&lt;/li>
&lt;li>microcontroller&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>aarch64
&lt;ul>
&lt;li>&lt;code>aarch64-tc.conf&lt;/code>&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Microblaze (microblaze-tc.conf)
&lt;ul>
&lt;li>common microblaze isntruction set permulation&lt;/li>
&lt;li>custom config&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="bare-meta-toolchain-configuration">Bare Meta Toolchain COnfiguration&lt;/h3>
&lt;ul>
&lt;li>binutils
&lt;ul>
&lt;li>disable: gold as LD, gprof, shared&lt;/li>
&lt;li>enable: enable-lto, static, multilib&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>gcc&lt;/li>
&lt;li>newlib/libgloss
&lt;ul>
&lt;li>&lt;code>recipes-core&lt;/code>&lt;/li>
&lt;li>xilinx baaremeta implements device specific items using libxil, but we use libgloss to provide the framework&lt;/li>
&lt;li>flags
&lt;ul>
&lt;li>enable-newlib-io-c99-format&lt;/li>
&lt;li>long-long&lt;/li>
&lt;li>io-flow&lt;/li>
&lt;li>long-double&lt;/li>
&lt;li>disable-newlib-supplied-syscall&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>libgloss multilib
&lt;ul>
&lt;li>&amp;ldquo;${MLPREFIX}newlib&amp;rdquo;&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>This was one of the major issues:&lt;/p>
&lt;ul>
&lt;li>disable &amp;lsquo;disable-initfini-array&amp;rsquo;&lt;/li>
&lt;/ul>
&lt;h3 id="lessons">Lessons&lt;/h3>
&lt;ul>
&lt;li>more multilib - longer initial project parse time&lt;/li>
&lt;li>microblaze parse time is nearly an hour (48 multilibs)
&lt;ul>
&lt;li>devlopment workaround, build for only one multilib&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>mingw32 builds are sequential with linux version, using shared sstatic-cache&lt;/li>
&lt;li>roughly 15 minutes on the same machine for mingw parts&lt;/li>
&lt;/ul>
&lt;h3 id="recommendations">Recommendations&lt;/h3>
&lt;ul>
&lt;li>for quick toolchain - use Crosstool-ng&lt;/li>
&lt;li>Yocto Project makes sense if you need Cygwin
&lt;ul>
&lt;li>less important since windows is moving to linux&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Yocto Project take more time and effort
&lt;ul>
&lt;li>easy way for common source and configuration switchs&lt;/li>
&lt;li>simplify defect handling and propagation of fixes for systems&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="questions">Questions&lt;/h2>
&lt;ul>
&lt;li>Vivado vitis baremetal tools chians are built with this&lt;/li>
&lt;li>How did you converge configuration
&lt;ul>
&lt;li>query gcc&lt;/li>
&lt;li>check logs for what arguments were passed&lt;/li>
&lt;li>print config&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>which release was this against.
&lt;ul>
&lt;li>3.0 zeus&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>multilib vs multiconfig
&lt;ul>
&lt;li>this was largely due to legacy reasons&lt;/li>
&lt;li>one gcc binary to execute&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="author">Author&lt;/h2>
&lt;ul>
&lt;li>kernel-crashing.org&lt;/li>
&lt;li>author: fray&lt;/li>
&lt;/ul></description></item><item><title>Developing, Building and Testing Your Baremetal Applications Using The Yocto Project and OpenEmbedded Infrastructure</title><link>https://academic-oss-elc.netlify.app/talk/2020-oss-elc/developing-building-and-testing-your-baremetal-applications-using-the-yocto-project-and-openembedded-infrastructure-alejandro-hernandez-samaniego-microsoft/</link><pubDate>Tue, 30 Jun 2020 00:00:00 +0000</pubDate><guid>https://academic-oss-elc.netlify.app/talk/2020-oss-elc/developing-building-and-testing-your-baremetal-applications-using-the-yocto-project-and-openembedded-infrastructure-alejandro-hernandez-samaniego-microsoft/</guid><description>&lt;blockquote>
&lt;p>Multiarchitecture SoCs are more widely used, usually containing a large architecture where it can run a full operating system such as Linux, and one or more small architectures designed to run an RTOS or a baremetal application,requiring less hardware resources,leveraging suitable tasks from one to another creating a more efficient product.&lt;/p>
&lt;p>While the Yocto Project is well known for its capabilities on creating customized Embedded Linux Distributions,bitbake is also capable of building a toolchain to create Baremetal applications or an RTOS.&lt;/p>
&lt;p>In this presentation Alejandro will show how to create baremetal applications using the same flow currently used in OpenEmbedded to develop Linux applications, using recipes, classes and user configuration files, he will show how users from the community can benefit from a single flow, showcasing how to run these applications on QEMU and create tests for them to be automatically tested using the OpenEmbedded infrastructure along with their corresponding Linux distributions.&lt;/p>
&lt;p>Anyone from the community interested in learning about baremetal programming or about the Yocto Project might find the contents of this presentation interesting.&lt;/p>
&lt;/blockquote>
&lt;h2 id="notes">Notes&lt;/h2>
&lt;p>Multiarchitecture Embedded Devices&lt;/p>
&lt;ul>
&lt;li>Azure Sphere
&lt;ul>
&lt;li>Secured MCU&lt;/li>
&lt;li>Secured OS&lt;/li>
&lt;li>Cloud Security&lt;/li>
&lt;li>MT3620 Dev Board Diagram&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="oe-runtime-testing-infra">OE Runtime Testing Infra&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>Testing a linux OS (poky)&lt;/p>
&lt;/li>
&lt;li>
&lt;p>TEST_TARGET&lt;/p>
&lt;ul>
&lt;li>QEMU&lt;/li>
&lt;li>Hardware (simpleremote)
&lt;ul>
&lt;li>Send commands via SSH (TEST_SERVER_IP)&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>TEST_SUITES&lt;/p>
&lt;ul>
&lt;li>auto&lt;/li>
&lt;li>cases: ping ssh scp parselogs&lt;/li>
&lt;li>meta/lib/oeqa/runtime/cases&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="testimage_boot_patterns-in-oe">TESTIMAGE_BOOT_PATTERNS in OE&lt;/h3>
&lt;ul>
&lt;li>testimage.bbclass
&lt;ul>
&lt;li>TESTIMAGE_BOOT_PATTERNS&lt;/li>
&lt;li>TESTIMAGE_BOOT_PATTERNS[send_login_user]&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>qemurunner.py
&lt;ul>
&lt;li>default_boot_pattern&lt;/li>
&lt;li>accepted_patterns&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h3 id="testimageflow">Testimageflow&lt;/h3>
&lt;ol>
&lt;li>H: Start booting&lt;/li>
&lt;li>T: Login&lt;/li>
&lt;li>H: ROOT\n&lt;/li>
&lt;li>T: Prints out root username&lt;/li>
&lt;li>H: SEND_COMMAND&lt;/li>
&lt;li>T: Check for another prompt&lt;/li>
&lt;li>H: READ&lt;/li>
&lt;/ol>
&lt;h3 id="baremetal-toolchain-on-the-yocto-project">Baremetal Toolchain on the Yocto Project&lt;/h3>
&lt;pre>&lt;code class="language-conf">MACHINE = &amp;quot;qemuarm64&amp;quot;
TCLIBC = &amp;quot;baremetal&amp;quot;
&lt;/code>&lt;/pre>
&lt;p>Then build and run in qemu&lt;/p>
&lt;pre>&lt;code class="language-sh">bitbake baremetal-helloworld
runqemu
&lt;/code>&lt;/pre>
&lt;p>Other tagets&lt;/p>
&lt;pre>&lt;code class="language-sh">bitbake meta-toolchain
bitbake baremetal-helloworld -c populate_sdk
&lt;/code>&lt;/pre>
&lt;ul>
&lt;li>&lt;code>TCLIBC=&amp;quot;newlib&amp;quot;&lt;/code> - little more than baremetal&lt;/li>
&lt;/ul>
&lt;h3 id="simple-baremetal-helloworld-on-aarch64">Simple Baremetal HelloWorld on Aarch64&lt;/h3>
&lt;ul>
&lt;li>QEMU source code (virt)&lt;/li>
&lt;li>UART, RAM, Kernel Address&lt;/li>
&lt;li>ARM Developers Manual - UART PL011&lt;/li>
&lt;/ul>
&lt;p>What files do you need?&lt;/p>
&lt;ul>
&lt;li>Start Code&lt;/li>
&lt;li>Linker Script&lt;/li>
&lt;li>Your source code&lt;/li>
&lt;/ul>
&lt;p>Example for aarch64&lt;/p>
&lt;ul>
&lt;li>hello_baremetal_aarch64.c&lt;/li>
&lt;li>startup_aarch64.s&lt;/li>
&lt;li>linkerscript_aarch64.ld&lt;/li>
&lt;/ul>
&lt;h3 id="creating-test-for-freertos">Creating test for FreeRTOS&lt;/h3>
&lt;ul>
&lt;li>Overriding Patterns in &lt;code>local.conf&lt;/code>
&lt;ul>
&lt;li>TEST_SUITES = &amp;ldquo;freertos_echo&amp;rdquo;&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>defined new test cases
&lt;ul>
&lt;li>&lt;a href="https://github.com/aehs29/meta-freertos">meta-freertos&lt;/a>&lt;/li>
&lt;li>[freertos_echo.py]](&lt;a href="https://github.com/aehs29/meta-freertos/blob/de4c8530b9bb31b9bbf08124a21a3ffc47d0121f/lib/oeqa/runtime/cases/freertos_echo.py#L1">https://github.com/aehs29/meta-freertos/blob/de4c8530b9bb31b9bbf08124a21a3ffc47d0121f/lib/oeqa/runtime/cases/freertos_echo.py#L1&lt;/a>)&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>These tests run in do_testimage&lt;/li>
&lt;/ul>
&lt;h3 id="how-to-create-freertos-test">How to create FreeRTOS test&lt;/h3>
&lt;p>This is a simple example of using OEQA test framework with a baremetal application.&lt;/p>
&lt;ul>
&lt;li>He then created a very basic C application that emulated the basic prompts for Linux.&lt;/li>
&lt;li>Hacky, but a simple way to get an initial test in with a framework focused on Linux testing.&lt;/li>
&lt;li>You could possibly get it working for libgloss&lt;/li>
&lt;/ul>
&lt;h2 id="questions">Questions&lt;/h2>
&lt;ul>
&lt;li>Q: Can a testimage.bb depend on something&lt;/li>
&lt;li>A: tests can depend on other recipes. Works with the build system itself.&lt;/li>
&lt;/ul></description></item></channel></rss>