diff --git a/meta-stboot/COPYING.MIT b/meta-stboot/COPYING.MIT
new file mode 100644
index 0000000000000000000000000000000000000000..fb950dc69feb8afa93493747f33d6e1c02659b55
--- /dev/null
+++ b/meta-stboot/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/meta-stboot/README b/meta-stboot/README
new file mode 100644
index 0000000000000000000000000000000000000000..998c8ed3162c29091f141eac304d10d8ffc6abc7
--- /dev/null
+++ b/meta-stboot/README
@@ -0,0 +1,41 @@
+This README file contains information on the contents of the meta-stboot layer.
+
+Please see the corresponding sections below for details.
+
+Dependencies
+============
+
+ URI: <first dependency>
+ branch: <branch name>
+
+ URI: <second dependency>
+ branch: <branch name>
+
+ .
+ .
+ .
+
+Patches
+=======
+
+Please submit any patches against the meta-stboot layer to the xxxx mailing list (xxxx@zzzz.org)
+and cc: the maintainer:
+
+Maintainer: XXX YYYYYY <xxx.yyyyyy@zzzzz.com>
+
+Table of Contents
+=================
+
+ I. Adding the meta-stboot layer to your build
+ II. Misc
+
+
+I. Adding the meta-stboot layer to your build
+=================================================
+
+Run 'bitbake-layers add-layer meta-stboot'
+
+II. Misc
+========
+
+--- replace with specific information about the meta-stboot layer ---
diff --git a/meta-stboot/conf/distro/poky-stboot.conf b/meta-stboot/conf/distro/poky-stboot.conf
new file mode 100644
index 0000000000000000000000000000000000000000..89a6936031245696c0e0647eba3de11e2c35c0ed
--- /dev/null
+++ b/meta-stboot/conf/distro/poky-stboot.conf
@@ -0,0 +1,58 @@
+require conf/distro/include/gcsections.inc
+require conf/distro/poky.conf
+
+DISTRO = "poky-stboot"
+DISTRO_NAME = "Poky stboot"
+DISTROOVERRIDES = "poky:poky-stboot"
+TCLIBC = "musl"
+
+FULL_OPTIMIZATION="-Os -pipe ${DEBUG_FLAGS}"
+
+# Distro config is evaluated after the machine config, so we have to explicitly
+# set the kernel provider to override a machine config.
+PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-tiny"
+PREFERRED_VERSION_linux-yocto-tiny ?= "6.5%"
+
+POKY_DEFAULT_EXTRA_RDEPENDS = "packagegroup-stboot"
+POKY_DEFAULT_DISTRO_FEATURES = "seccomp systemd"
+POKY_DEFAULT_EXTRA_RRECOMMENDS = ""
+
+# FIXME: what should we do with this?
+TCLIBCAPPEND = ""
+
+# Disable wide char support for ncurses as we don't include it in
+# in the LIBC features below.
+# Leave native enable to avoid build failures
+ENABLE_WIDEC = "false"
+ENABLE_WIDEC:class-native = "true"
+# Drop native language support. This removes the
+# eglibc->bash->gettext->libc-posix-clang-wchar dependency.
+USE_NLS="no"
+IMAGE_LINGUAS = ""
+POKY_INIT_MANAGER:poky-stboot = "systemd"
+
+# By default we only support initramfs. We don't build live as that
+# pulls in a lot of dependencies for the live image and the installer, like
+# udev, grub, etc. These pull in gettext, which fails to build with wide
+# character support.
+IMAGE_FSTYPES = "cpio.xz"
+QB_DEFAULT_FSTYPE = "cpio.xz"
+
+# Drop v86d from qemu dependency list (we support serial)
+# Drop grub from meta-intel BSPs
+# FIXME: A different mechanism is needed here. We could define -tiny
+# variants of all compatible machines, but that leads to a lot
+# more machine configs to maintain long term.
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS = ""
+
+# The mtrace script included by eglibc is a perl script. This means the system
+# will build perl in case this package is installed. Since we don't care about
+# this script for the purposes of tiny, remove the dependency from here.
+RDEPENDS:${PN}-mtrace:pn-eglibc = ""
+
+# Disable python usage in opkg-utils since it won't build with tiny config
+PACKAGECONFIG:remove:pn-opkg-utils = "python"
+
+# If shadow-base is brought into the image, logins will fail because it
+# doesn't have the heuristics to work when CONFIG_MULTIUSER is unset.
+PACKAGE_EXCLUDE:poky-stboot = ""
diff --git a/meta-stboot/conf/layer.conf b/meta-stboot/conf/layer.conf
new file mode 100644
index 0000000000000000000000000000000000000000..1752077e39a84f91898327c564d73da434ef186f
--- /dev/null
+++ b/meta-stboot/conf/layer.conf
@@ -0,0 +1,13 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "meta-stboot"
+BBFILE_PATTERN_meta-stboot = "^${LAYERDIR}/"
+BBFILE_PRIORITY_meta-stboot = "6"
+
+LAYERDEPENDS_meta-stboot = "core"
+LAYERSERIES_COMPAT_meta-stboot = "nanbield"
diff --git a/meta-stboot/recipes-core/images/stboot-image.bb b/meta-stboot/recipes-core/images/stboot-image.bb
new file mode 100644
index 0000000000000000000000000000000000000000..c494f0212e3f932caf55285f0b7ba0648f759573
--- /dev/null
+++ b/meta-stboot/recipes-core/images/stboot-image.bb
@@ -0,0 +1,7 @@
+SUMMARY = "stboot image"
+LICENSE = "MIT"
+
+inherit image
+
+IMAGE_FEATURES += "stateless-rootfs empty-root-password serial-autologin-root"
+IMAGE_INSTALL += "kexec-tools busybox systemd stboot"
\ No newline at end of file
diff --git a/meta-stboot/recipes-core/packagegroups/packagegroup-stboot.bb b/meta-stboot/recipes-core/packagegroups/packagegroup-stboot.bb
new file mode 100644
index 0000000000000000000000000000000000000000..27dc7bfc72fa205dbb38d6ce9fe55b35acc31c25
--- /dev/null
+++ b/meta-stboot/recipes-core/packagegroups/packagegroup-stboot.bb
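Review bot: The closing assignment of poky-stboot.conf, `PACKAGE_EXCLUDE:poky-stboot = ""`, excludes nothing, yet the comment directly above it describes logins failing once shadow-base is pulled into the image. Either name the package, `PACKAGE_EXCLUDE:poky-stboot = "shadow-base"`, or delete the comment, since nothing in this file touches CONFIG_MULTIUSER. Several other comments still talk about eglibc and "tiny" while the distro sets `TCLIBC = "musl"`; they look carried over from another distro config and should be rewritten to say what poky-stboot itself needs.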
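Review bot: `IMAGE_FEATURES += "stateless-rootfs empty-root-password serial-autologin-root"` in stboot-image.bb gives every build of this image a passwordless root account that is logged in automatically on the serial console. finalize.sh in this commit starts stboot-systemd from /root/.bash_login, so the boot flow appears to depend on that shell, and whoever is on the console when the program exits is left at a root prompt in the environment that holds the trust policy. Starting stboot-systemd from a systemd service unit would remove the need for the two login features. If they have to stay for bring-up, put them behind a new variable that production builds leave empty, for example `STBOOT_DEBUG_FEATURES ?= ""` and `IMAGE_FEATURES += "stateless-rootfs ${STBOOT_DEBUG_FEATURES}"`.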
@@ -0,0 +1,16 @@
+DESCRIPTION = "stboot tiny packagegroup"
+SUMMARY = "stboot packagegroup"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit packagegroup
+
+VIRTUAL-RUNTIME_dev_manager := "systemd"
+
+RDEPENDS_${PN} = " \
+ base-files \
+ base-passwd \
+ ${VIRTUAL-RUNTIME_base-utils} \
+ ${VIRTUAL-RUNTIME_init_manager} \
+ ${VIRTUAL-RUNTIME_dev_manager} \
+"
\ No newline at end of file
diff --git a/meta-stboot/recipes-core/stboot/stboot.bb b/meta-stboot/recipes-core/stboot/stboot.bb
new file mode 100644
index 0000000000000000000000000000000000000000..2eb7c729c013b33464f3a3167c4a15d3eb7ce16e
--- /dev/null
+++ b/meta-stboot/recipes-core/stboot/stboot.bb
@@ -0,0 +1,12 @@
+require stboot.inc
+
+do_install() {
+ go_do_install
+
+ mkdir -p ${D}${sysconfdir}
+ install -Dm 0644 ${WORKDIR}/host_configuration.json ${D}${sysconfdir}/
+ mkdir -p ${D}${sysconfdir}/trust_policy
+ install -Dm 0644 ${WORKDIR}/trust_policy.json ${D}${sysconfdir}/trust_policy/
+ install -Dm 0644 ${WORKDIR}/ospkg_signing_root.pem ${D}${sysconfdir}/trust_policy/
+ install -Dm 0644 ${WORKDIR}/isrgrootx1.pem ${D}${sysconfdir}/trust_policy/
+}
\ No newline at end of file
diff --git a/meta-stboot/recipes-core/stboot/stboot.inc b/meta-stboot/recipes-core/stboot/stboot.inc
new file mode 100644
index 0000000000000000000000000000000000000000..f63882a34bc5fe1a9d3d928ffa8af118ff8b299c
--- /dev/null
+++ b/meta-stboot/recipes-core/stboot/stboot.inc
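Review bot: `RDEPENDS_${PN} = " \` in packagegroup-stboot.bb uses the underscore override form, while the layer declares `LAYERSERIES_COMPAT_meta-stboot = "nanbield"` and the systemd recipe in this same commit uses the colon form (`RDEPENDS:${PN}`). With the colon syntax in force the underscore assignment sets an unrelated variable, so the package group would carry none of the listed runtime dependencies; write `RDEPENDS:${PN} = " \`. `VIRTUAL-RUNTIME_dev_manager := "systemd"` a few lines earlier also needs a comment explaining why the device manager slot is pointed at the systemd package.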
@@ -0,0 +1,26 @@
+SUMMARY = "stboot minimal systemd implementation"
+HOMEPAGE = "https://git.glasklar.is/zaolin/stboot-systemd"
+
+DESCRIPTION = "stboot is a minimal systemd implementation for the stboot project."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=3d8d8c074b95e304fd03f2b6c6d00efd"
+
+GO_IMPORT = "git.glasklar.is/zaolin/stboot-systemd"
+SRCREV = "db0ebcf124477124dd532882407bddccbdb2c6ae"
+SRCBRANCH = "master"
+SRC_URI = "git://${GO_IMPORT};protocol=https;branch=${SRCBRANCH} \
+ file://host_configuration.json \
+ file://trust_policy.json \
+ file://isrgrootx1.pem \
+ file://ospkg_signing_root.pem \
+ "
+
+GO_INSTALL = "${GO_IMPORT}"
+do_compile[network] = "1"
+
+GO_LINKSHARED = ""
+GO_EXTRA_LDFLAGS = "-w"
+GOBUILDFLAGS:remove = "-buildmode=pie"
+
+inherit go-mod
diff --git a/meta-stboot/recipes-core/stboot/stboot/finalize.sh b/meta-stboot/recipes-core/stboot/stboot/finalize.sh
new file mode 100755
index 0000000000000000000000000000000000000000..f86f93726497533a6b31919abdca1db9e16f2742
--- /dev/null
+++ b/meta-stboot/recipes-core/stboot/stboot/finalize.sh
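Review bot: `do_compile[network] = "1"` in stboot.inc lets the Go toolchain download module dependencies while compiling, so `SRCREV` pins only the top-level repository. Integrity of everything else then rests on the repository's go.sum and on whatever proxy the build host reaches, outside BitBake's own checksum, mirror and licence tracking, and offline builds will not work. List the modules in `SRC_URI` or vendor them in the source tree, then drop the network flag. Separately, `GOBUILDFLAGS:remove = "-buildmode=pie"` turns off position-independent code for a binary that handles data fetched over the network; if PIE does not link in this configuration, record the reason in a comment next to the line.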
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+set -xe
+
+read -r -d '' TRUST_POLICY << EOF || true
+{
+ "ospkg_signature_threshold": 1,
+ "ospkg_fetch_method": "network"
+}
+EOF
+
+read -r -d '' SIGNING_CERT << EOF || true
+-----BEGIN CERTIFICATE-----
+MIHPMIGCoAMCAQICEBoUD11GZT0KYUXDVER+To4wBQYDK2VwMAAwHhcNMjQwNDA4
+MDg0MzQwWhcNMjQwNDExMDg0MzQwWjAAMCowBQYDK2VwAyEABhYlOSi6eilR4cNZ
+eI92+bZ7GlTEkwkFnJz7EVR+g4OjEjAQMA4GA1UdDwEB/wQEAwIHgDAFBgMrZXAD
+QQDiyk1joVSTTWPEN/Iw5Dh9hzbK5A0+meVN2WP1gh6IxCoye4a4ZfyecGzAYGQh
+nbeSa4zfVsuQ8Onz4HD5q4cN
+-----END CERTIFICATE-----
+EOF
+
+read -r -d '' HOST_CONFIG << EOF || true
+{
+ "network_mode":"dhcp",
+ "host_ip":null,
+ "gateway":null,
+ "dns":null,
+ "network_interfaces":[
+ {
+ "interface_name": "enp0s2",
+ "mac_address": "aa:bb:cc:dd:ee:ff"
+ }
+ ],
+ "ospkg_pointer": "http://10.42.23.1:8080/stimage.json",
+ "identity":null,
+ "authentication":null,
+ "bonding_mode": "active-backup",
+ "bond_name": "bond0"
+}
+EOF
+
+read -r -d '' HTTPS_ROOTS_CERT << EOF || true
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
+EOF
+
+# Write startup command into root .bash_login
+mkdir -p $DESTDIR/root
+echo "clear" >> $DESTDIR/root/.bash_login
+echo "echo \"Starting stboot-systemd...\"" >> $DESTDIR/root/.bash_login
+echo "stboot-systemd" >> $DESTDIR/root/.bash_login
+
+# Write configs
+mkdir -p $DESTDIR/etc/trust_policy
+echo "$HOST_CONFIG" > $DESTDIR/etc/host_configuration.json
+echo "$TRUST_POLICY" > $DESTDIR/etc/trust_policy/trust_policy.json
+echo "$SIGNING_CERT" > $DESTDIR/etc/trust_policy/ospkg_signing_root.pem
+echo "$HTTPS_ROOTS_CERT" > $DESTDIR/etc/trust_policy/isrgrootx1.pem
\ No newline at end of file
diff --git a/meta-stboot/recipes-core/stboot/stboot/host_configuration.json b/meta-stboot/recipes-core/stboot/stboot/host_configuration.json
new file mode 100644
index 0000000000000000000000000000000000000000..bcd266e4256b05823d6615b4dd13bcf7d4fc1f49
--- /dev/null
+++ b/meta-stboot/recipes-core/stboot/stboot/host_configuration.json
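Review bot: finalize.sh writes through `$DESTDIR` unquoted and never checks that it is set, and `set -xe` does not include `-u`. Run with DESTDIR unset or empty it would create /etc/trust_policy on the build host, overwrite the trust files in it and append to /root/.bash_login. Add a guard such as `: "${DESTDIR:?DESTDIR must be set}"` right after `set -xe` and quote every expansion, e.g. `mkdir -p "$DESTDIR/root"`. The four heredocs also duplicate host_configuration.json, trust_policy.json and the two .pem files that stboot.bb installs, and stboot.inc does not list the script in `SRC_URI`, so the two copies of the trust configuration can drift; a header comment saying which copy is authoritative would help.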
@@ -0,0 +1,17 @@
+{
+ "network_mode":"dhcp",
+ "host_ip":null,
+ "gateway":null,
+ "dns":null,
+ "network_interfaces":[
+ {
+ "interface_name": "enp0s2",
+ "mac_address": "aa:bb:cc:dd:ee:ff"
+ }
+ ],
+ "ospkg_pointer": "http://10.42.23.1:8080/stimage.json",
+ "identity":null,
+ "authentication":null,
+ "bonding_mode": "active-backup",
+ "bond_name": "bond0"
+}
\ No newline at end of file
diff --git a/meta-stboot/recipes-core/stboot/stboot/isrgrootx1.pem b/meta-stboot/recipes-core/stboot/stboot/isrgrootx1.pem
new file mode 100644
index 0000000000000000000000000000000000000000..57d4a3766c4d6c439088dfb1eb18cadc9b4445be
--- /dev/null
+++ b/meta-stboot/recipes-core/stboot/stboot/isrgrootx1.pem
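Review bot: `"ospkg_pointer": "http://10.42.23.1:8080/stimage.json"` makes the installed default fetch the OS package descriptor over plain HTTP from a fixed private address, so the transport gives no server authentication and the ISRG root installed alongside it would not come into play for this URL. With that pointer, integrity rests entirely on the OS package signature check configured in trust_policy.json. The interface entry `"mac_address": "aa:bb:cc:dd:ee:ff"` is likewise a placeholder. JSON cannot carry a comment, so state in the README or next to the `install` line in stboot.bb that this file is a lab sample to be replaced per deployment; the same values are repeated in HOST_CONFIG in finalize.sh.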
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/meta-stboot/recipes-core/stboot/stboot/ospkg_signing_root.pem b/meta-stboot/recipes-core/stboot/stboot/ospkg_signing_root.pem
new file mode 100644
index 0000000000000000000000000000000000000000..718c65593b5b2f916fa3d8e717e5b9e9b95606c5
--- /dev/null
+++ b/meta-stboot/recipes-core/stboot/stboot/ospkg_signing_root.pem
@@ -0,0 +1,7 @@
+-----BEGIN CERTIFICATE-----
+MIHPMIGCoAMCAQICEBoUD11GZT0KYUXDVER+To4wBQYDK2VwMAAwHhcNMjQwNDA4
+MDg0MzQwWhcNMjQwNDExMDg0MzQwWjAAMCowBQYDK2VwAyEABhYlOSi6eilR4cNZ
+eI92+bZ7GlTEkwkFnJz7EVR+g4OjEjAQMA4GA1UdDwEB/wQEAwIHgDAFBgMrZXAD
+QQDiyk1joVSTTWPEN/Iw5Dh9hzbK5A0+meVN2WP1gh6IxCoye4a4ZfyecGzAYGQh
+nbeSa4zfVsuQ8Onz4HD5q4cN
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/meta-stboot/recipes-core/stboot/stboot/trust_policy.json b/meta-stboot/recipes-core/stboot/stboot/trust_policy.json
new file mode 100644
index 0000000000000000000000000000000000000000..f704cc2735fe8b256f6af04245d47bea6ba18fe9
--- /dev/null
+++ b/meta-stboot/recipes-core/stboot/stboot/trust_policy.json
@@ -0,0 +1,4 @@
+{
+ "ospkg_signature_threshold": 1,
+ "ospkg_fetch_method": "network"
+}
\ No newline at end of file
diff --git a/meta-stboot/recipes-example/example/example_0.1.bb b/meta-stboot/recipes-example/example/example_0.1.bb
new file mode 100644
index 0000000000000000000000000000000000000000..facaae35d23ada89791f13c58faf8a6e56cb1ed1
--- /dev/null
+++ b/meta-stboot/recipes-example/example/example_0.1.bb
@@ -0,0 +1,13 @@
+SUMMARY = "bitbake-layers recipe"
+DESCRIPTION = "Recipe created by bitbake-layers"
+LICENSE = "MIT"
+
+python do_display_banner() {
+ bb.plain("***********************************************");
+ bb.plain("* *");
+ bb.plain("* Example recipe created by bitbake-layers *");
+ bb.plain("* *");
+ bb.plain("***********************************************");
+}
+
+addtask display_banner before do_build
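Review bot: The OS-package signing root committed as ospkg_signing_root.pem appears to be a throwaway certificate: its DER decodes to an Ed25519 key with empty issuer and subject and a validity window of 2024-04-08 to 2024-04-11. If stboot enforces certificate validity, images built from this layer will reject every OS package outside that window; if it does not, the image trusts whoever holds the matching private key, with `"ospkg_signature_threshold": 1` in trust_policy.json requiring only that one signature. Treat the file as a test fixture: say so in the README and have production builds supply their own root through a bbappend instead of editing the layer. The same certificate is embedded as SIGNING_CERT in finalize.sh.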
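Review bot: recipes-example/example/example_0.1.bb is the unmodified sample recipe that layer scaffolding generates (its own `DESCRIPTION` says "Recipe created by bitbake-layers") and has nothing to do with stboot. Drop it from the commit so the layer contains only recipes that belong in the boot image; the README placeholders (`xxxx@zzzz.org`, `<first dependency>`) deserve the same cleanup.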
diff --git a/meta/recipes-core/systemd/systemd_254.4.bb b/meta/recipes-core/systemd/systemd_254.4.bb index 285ca92e680d274ef01fadc672d3175e6c950c50..be0174f36f0c8ab8b4462e56fe3210dedb239d74 100644 --- a/meta/recipes-core/systemd/systemd_254.4.bb +++ b/meta/recipes-core/systemd/systemd_254.4.bb @@ -66,39 +66,8 @@ PAM_PLUGINS = " \ " PACKAGECONFIG ??= " \ - ${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux smack usrmerge polkit seccomp', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '', 'link-udev-shared', d)} \ - backlight \ - binfmt \ - gshadow \ - hibernate \ - hostnamed \ - idn \ - ima \ - kmod \ - localed \ - logind \ - machined \ - myhostname \ + seccomp \ networkd \ - nss \ - nss-mymachines \ - nss-resolve \ - quotacheck \ - randomseed \ - resolved \ - set-time-epoch \ - sysusers \ - sysvinit \ - timedated \ - timesyncd \ - userdb \ - utmp \ - vconsole \ - wheel-group \ - zstd \ " PACKAGECONFIG:remove:libc-musl = " \ @@ -258,7 +227,7 @@ EXTRA_OEMESON += "-Dkexec-path=${sbindir}/kexec \ -Dsetfont-path=${bindir}/setfont" # The 60 seconds is watchdog's default vaule. -WATCHDOG_TIMEOUT ??= "60" +WATCHDOG_TIMEOUT ??= "10" do_configure:prepend() { sed s@:ROOT_HOME:@${ROOT_HOME}@g ${WORKDIR}/basic.conf.in > ${S}/sysusers.d/basic.conf.in @@ -361,9 +330,6 @@ do_install() { install -m 0644 ${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf ${D}${datadir}/dbus-1/system.d/ fi - # create link for existing udev rules - ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm - # install default policy for presets # https://www.freedesktop.org/wiki/Software/systemd/Preset/#howto install -Dm 0644 ${WORKDIR}/99-default.preset ${D}${systemd_unitdir}/system-preset/99-default.preset 
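Review bot: The default `PACKAGECONFIG ??=` is cut down to `seccomp` and `networkd` inside the shared recipe meta/recipes-core/systemd/systemd_254.4.bb, so every distro that builds systemd from this tree loses the DISTRO_FEATURES-driven options the removed lines provided (acl, audit, pam, selinux, smack and ima among them), not only poky-stboot. Leave the upstream recipe untouched and carry the reduction in the new layer, for example `PACKAGECONFIG:pn-systemd = "seccomp networkd"` in conf/distro/poky-stboot.conf or a systemd_%.bbappend under meta-stboot. The same applies to the other hunks in this file: WATCHDOG_TIMEOUT, the udevadm and hwdb removals, the trimmed RDEPENDS and RRECOMMENDS, and the dropped udev-hwdb package.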
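Review bot: The comment kept above the changed line still reads "The 60 seconds is watchdog's default vaule." although the default is now `WATCHDOG_TIMEOUT ??= "10"`. Update it to state the new value and the reason, e.g. `# Watchdog timeout in seconds; lowered from 60 for the stboot image.` The do_install context later in this diff substitutes the same variable into `RebootWatchdogSec`, where 10 seconds may be short for a slow shutdown path, so the comment should mention that use as well.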
@@ -375,6 +341,10 @@ do_install() { sed -i -e 's/#RebootWatchdogSec=10min/RebootWatchdogSec=${WATCHDOG_TIMEOUT}/' \ ${D}/${sysconfdir}/systemd/system.conf fi + + rm -rf ${D}${rootlibexecdir}/udev/hwdb.d + rm -f ${D}${base_sbindir}/udevadm + rm -f ${D}${base_bindir}/udevadm } python populate_packages:prepend (){ @@ -400,7 +370,6 @@ PACKAGE_BEFORE_PN = "\ ${PN}-udev-rules \ libsystemd-shared \ udev \ - udev-hwdb \ " SUMMARY:${PN}-container = "Tools for containers and VMs" @@ -686,17 +655,12 @@ FILES:${PN} = " ${base_bindir}/* \ FILES:${PN}-dev += "${base_libdir}/security/*.la ${datadir}/dbus-1/interfaces/ ${sysconfdir}/rpm/macros.systemd" -RDEPENDS:${PN} += "kmod dbus util-linux-mount util-linux-umount udev (= ${EXTENDPKGV}) systemd-udev-rules util-linux-agetty util-linux-fsck util-linux-swaponoff" +RDEPENDS:${PN} += "util-linux-mount util-linux-umount udev (= ${EXTENDPKGV}) systemd-udev-rules util-linux-agetty" RDEPENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'serial-getty-generator', '', 'systemd-serialgetty', d)}" RDEPENDS:${PN} += "volatile-binds" -RRECOMMENDS:${PN} += "systemd-extra-utils \ - udev-hwdb \ - e2fsprogs-e2fsck \ - kernel-module-autofs4 kernel-module-unix kernel-module-ipv6 kernel-module-sch-fq-codel \ - os-release \ +RRECOMMENDS:${PN} += "os-release \ systemd-conf \ - ${@bb.utils.contains('PACKAGECONFIG', 'logind', 'pam-plugin-umask', '', d)} \ " INSANE_SKIP:${PN} += "dev-so libdir" @@ -708,8 +672,6 @@ FILES:libsystemd-shared = "${rootlibdir}/systemd/libsystemd-shared*.so" RPROVIDES:udev = "hotplug" -RDEPENDS:udev-hwdb += "udev" - FILES:udev += "${base_sbindir}/udevd \ ${rootlibexecdir}/systemd/network/99-default.link \ ${rootlibexecdir}/systemd/systemd-udevd \ 
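Review bot: `rm -f ${D}${base_bindir}/udevadm` deletes udevadm while the udev package is still built and `FILES:udev` still lists `${rootlibexecdir}/systemd/systemd-udevd` and the `*udev*` units. As far as I know, systemd of this series installs systemd-udevd as a link to udevadm and its udev trigger and settle units invoke udevadm, so the image may end up with a dangling daemon path and failing units; confirm on a built rootfs. If udev is not wanted at all, removing it from the package set is cleaner than deleting its binary after install; if it is wanted, keep udevadm and remove only `hwdb.d`. do_install starts and ends outside this hunk.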
@@ -766,16 +728,8 @@ FILES:udev += "${base_sbindir}/udevd \ ${sysconfdir}/init.d/systemd-udevd \ ${systemd_system_unitdir}/*udev* \ ${systemd_system_unitdir}/*.wants/*udev* \ - ${base_bindir}/systemd-hwdb \ - ${base_bindir}/udevadm \ - ${base_sbindir}/udevadm \ - ${datadir}/bash-completion/completions/udevadm \ - ${systemd_system_unitdir}/systemd-hwdb-update.service \ " -FILES:udev-hwdb = "${rootlibexecdir}/udev/hwdb.d \ - " - RCONFLICTS:${PN} = "tiny-init ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'resolvconf', '', d)}" INITSCRIPT_PACKAGES = "udev" @@ -853,15 +807,4 @@ pkg_prerm:${PN}:libc-glibc () { fi } -PACKAGE_WRITE_DEPS += "qemu-native" -pkg_postinst:udev-hwdb () { - if test -n "$D"; then - $INTERCEPT_DIR/postinst_intercept update_udev_hwdb ${PKG} mlprefix=${MLPREFIX} binprefix=${MLPREFIX} rootlibexecdir="${rootlibexecdir}" PREFERRED_PROVIDER_udev="${PREFERRED_PROVIDER_udev}" base_bindir="${base_bindir}" - else - udevadm hwdb --update - fi -} - -pkg_prerm:udev-hwdb () { - rm -f $D${sysconfdir}/udev/hwdb.bin -} +PACKAGE_WRITE_DEPS += "qemu-native" \ No newline at end of file