
coreycothrum/meta-mender-kernel


meta-mender-kernel

Separate A/B kernel partitions for meta-mender.

Probably not very useful by itself, but is a prerequisite for things like encrypting the rootfs.

Overview

  • Two additional A/B kernel partitions are created after the /data partition via the mender-core variable MENDER_EXTRA_PARTS.
  • On boot, GRUB selects the corresponding kernel partition based on mender_boot_part. The kernel and/or initramfs are loaded from this partition.
  • An ArtifactInstall state-script updates the kernel partition.
  • Optional UEFI Secure Boot.

UEFI Secure Boot Integration

Requires meta-secure-core. See this kas file for more setup details.

There were a few gotchas integrating Secure Boot:

SELoader is not set up to verify anything outside the /efi partition. To work around this:

  1. use SELoader to verify everything on /efi (config, env, EFI binaries, etc). This is a no-op and standard meta-efi-secure-boot operation.
  2. use shim to verify the INITRAMFS_IMAGE_BUNDLE
    1. enforce INITRAMFS_IMAGE_BUNDLE
    2. sign INITRAMFS_IMAGE_BUNDLE with sb_sign to use MOK key(s)
    3. use chainloader instead of linux grub command to launch INITRAMFS_IMAGE_BUNDLE
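The ArtifactInstall state-script from the overview, combined with the MOK-signed bundle from step 2, as an added example (not the layer's own script): it maps mender_boot_part to the inactive kernel partition, checks the bundle's signature against the MOK certificate with sbverify before touching the disk, and refuses a bundle larger than the partition. The partition numbers, device, file paths and the use of grub-mender-grubenv-print are assumptions, not taken from the layer.

```shell
#!/bin/sh
# Added example, not the layer's own ArtifactInstall script.
# Assumed layout (assumption, not from the layer):
#   rootfs A = 2, rootfs B = 3, /data = 4, kernel A = 5, kernel B = 6.
set -eu

DISK="${DISK:-/dev/sda}"                                  # assumed block device
MOK_CERT="${MOK_CERT:-/etc/mender/MOK.crt}"               # assumed MOK certificate path
BUNDLE="${BUNDLE:-/data/mender/bzImage-initramfs.efi}"    # assumed staged INITRAMFS_IMAGE_BUNDLE

# Map the currently active rootfs partition to the kernel partition of the
# *inactive* rootfs, which is the one the pending update will boot into.
inactive_kernel_part() {
    case "$1" in
        2) echo 6 ;;   # rootfs A active -> next boot is rootfs B, kernel B
        3) echo 5 ;;   # rootfs B active -> next boot is rootfs A, kernel A
        *) echo "unexpected mender_boot_part: $1" >&2; return 1 ;;
    esac
}

# Verify the Authenticode signature with sbverify (sbsigntool) against the MOK cert.
verify_bundle() {
    sbverify --cert "$2" "$1" >/dev/null 2>&1
}

install_kernel_bundle() {
    active="$(grub-mender-grubenv-print mender_boot_part)"   # assumes meta-mender grubenv tools
    part="$(inactive_kernel_part "$active")"
    dev="${DISK}${part}"
    verify_bundle "$BUNDLE" "$MOK_CERT" || { echo "signature check failed: $BUNDLE" >&2; return 1; }
    # Refuse a bundle that cannot fit the partition (MENDER/KERNEL_PART_SIZE_MB, default 256 MB).
    if [ "$(stat -c %s "$BUNDLE")" -ge "$(blockdev --getsize64 "$dev")" ]; then
        echo "bundle larger than $dev" >&2; return 1
    fi
    # Assumes the kernel partition carries a filesystem GRUB can read the bundle from.
    mnt="$(mktemp -d)"
    mount "$dev" "$mnt"
    cp "$BUNDLE" "$mnt/bzImage-initramfs.efi.tmp" && sync
    mv "$mnt/bzImage-initramfs.efi.tmp" "$mnt/bzImage-initramfs.efi"   # atomic swap
    umount "$mnt"; rmdir "$mnt"
}

case "${1:-}" in
    install) install_kernel_bundle ;;
esac
```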

Installation

  • Add this layer to bblayers.conf
  • local.conf should include: require conf/include/mender-kernel.inc and any configuration variables
  • Image recipe should include: require conf/include/mender-kernel-image.inc

Configuration

Variables

Variable Default Description
MENDER/KERNEL_PART_SIZE_MB 256 size (MB) of each kernel partition

Release Schedule and Roadmap

This layer will remain compatible with the latest Yocto LTS. This mirrors what meta-mender does.