This project is designed to wrap around the Yocto build system, to simplify usage and as well as managing common security features over the built image.
Thistle-yocto-build works by accepting a configuration file in YAML format and outputting a fully built image. The configuration file is based on the format used by the kas project with extensions to specify the security components to be used by the assembled image.
- clone and checkout BitBake layers automatically
- build a Yocto image
- safe defaults (disabled ssh on production builds, etc..)
- default configurations for qemuarm64, Raspberry Pi 4, BeagleBoneBlack
- basic security check & CVE audit post build
- direct integration with Thistle Update Client
- quality-of-life features such as one-line configuration flag to enable curl, openssl, etc..
Some features used in the repository are based off the meta-thistle layer - such as the Infineon TrustM linux tool integration.
header:
version: 11
target: base
machine: qemuarm64-thistle
distro: thistle-base
thistle-features:
meta-thistle: e05a0ab0e3abfc3c8fcb5371fdffa451765826af
curl:
bin: true
lib: true
tls: openssl
repos:
openembedded-core:
url: git://git.openembedded.org/openembedded-core
refspec: 54ee67b1a805a07288925d56e9956aabc23b6ab2
layers:
- meta
meta-openembedded:
url: git://git.openembedded.org/meta-openembedded
refspec: kirkstone
layers:
- meta-oe
- meta-python
- meta-networking
- meta-perl
local_conf_header:
standard: |
PACKAGE_CLASSES = "package_rpm"
CONF_VERSION = "2"Dowload a released binary from the releases page or see the build instructions below.
$ ./thistle-yocto-build --help
$ ./thistle-yocto-build gen-config qemu
$ ./thistle-yocto-build build --debug conf.yml
# Default image build time is ~ 45mins on a Ryzen 5 3600. Requires ~50GB of free storage.note: the project only builds on x86_64 linux due to C dependency on crypt(3) functions
# requires rust, x86_64-unknown-linux-musl target and clang
$ make releaseNote: The default Linux login for the built images is:
- username:
thistle - password:
is_awesome
$ docker build --platform=linux/amd64 \
-f dockerfiles/Dockerfile.qemuarm64 \
-t qemuarm64:latest \
.
$ mkdir build_out && chmod 777 build_out
# Copy built images to build_out/
$ docker run -v "$(pwd)/build_out":/home/builder/tyb_build_out \
--rm -i qemuarm64:latest \
/bin/bash -c "cp -r /home/builder/build/deploy/images/* /home/builder/tyb_build_out/"Build Raspberry Pi 4 image with OPTIGA™ Trust-M Linux tools
$ docker build --platform=linux/amd64 \
-f dockerfiles/Dockerfile.rpi4-trustm \
-t rpi4trustm:latest \
.
$ mkdir build_out && chmod 777 build_out
# Copy built images to build_out/
$ docker run -v "$(pwd)/build_out":/home/builder/tyb_build_out \
--rm -i rpi4trustm:latest \
/bin/bash -c "cp -r /home/builder/build/deploy/images/* /home/builder/tyb_build_out/"