initial commit

.gitignore

@@ -0,0 +1 @@
+build/

README.md

@@ -0,0 +1,15 @@
+
+
+## Very basic build instructions
+
+    $ source setup-build-env
+    $ bitbake citadel-image-minimal
+
+## Git subtrees included
+
+    $ git subtree add --prefix poky git://git.yoctoproject.org/poky.git master --squash
+    $ git subtree add --prefix meta-intel  git://git.yoctoproject.org/meta-intel.git master --squash
+    $ git gc && git prune
+
+* `https://www.atlassian.com/blog/git/alternatives-to-git-submodule-git-subtree`
+* `https://legacy-developer.atlassian.com/blog/2015/05/the-power-of-git-subtree/`

meta-citadel-distro/conf/bblayers.conf.sample

@@ -0,0 +1,13 @@
+# POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
+# changes incompatibly
+POKY_BBLAYERS_CONF_VERSION = "2"
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+
+BBLAYERS ?= " \
+  ##OEROOT##/meta \
+  ##OEROOT##/../meta-intel \
+  ##OEROOT##/../meta-citadel \
+  ##OEROOT##/../meta-citadel-distro \
+  "

meta-citadel-distro/conf/distro/citadel-distro.conf

@@ -0,0 +1,39 @@
+DISTRO = "citadel-distro"
+DISTRO_NAME = "Subgraph OS Citadel"
+DISTRO_VERSION = "1.0"
+
+CITADEL_DEFAULT_DISTRO_FEATURES = "largefile systemd"
+DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT} ${DISTRO_FEATURES_LIBC} ${CITADEL_DEFAULT_DISTRO_FEATURES}"
+
+#
+# Use systemd for system initialization
+#
+VIRTUAL-RUNTIME_init_manager = "systemd"
+VIRTUAL-RUNTIME_initscripts = ""
+VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
+DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
+
+PREFERRED_PROVIDER_virtual/kernel = "linux-citadel"
+
+PACKAGE_CLASSES ?= "package_deb"
+
+INITRAMFS_IMAGE_BUNDLE = "1"
+INITRAMFS_IMAGE = "citadel-initramfs"
+
+NOISO = "1"
+EFI_PROVIDER = "systemd-boot"
+IMAGE_FSTYPES = "wic"
+IMAGE_FEATURES = "read-only-rootfs"
+
+GLIBC_SPLIT_LC_PACKAGES = "0"
+IMAGE_LINGUAS = "en-us"
+
+BUILD_REPRODUCIBLE_BINARIES = "1"
+
+IMAGE_CLASSES += "qemuboot"
+QB_NET = "none"
+QB_MEM = "-m 1024"
+QB_DEFAULT_FSTYPE = "wic"
+
+require conf/distro/include/security_flags.inc
+

meta-citadel-distro/conf/layer.conf

@@ -0,0 +1,18 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+            ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "citadeldist"
+BBFILE_PATTERN_citadeldist = "^${LAYERDIR}/"
+BBFILE_PRIORITY_citadeldist = "5"
+
+LAYERSERIES_COMPAT_citadeldist = "rocko"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_citadel = "1"
+
+REQUIRED_POKY_BBLAYERS_CONF_VERSION = "2"

meta-citadel-distro/conf/local.conf.sample

@@ -0,0 +1,199 @@
+#
+# This file is your local configuration file and is where all local user settings
+# are placed. The comments in this file give some guide to the options a new user
+# to the system might want to change but pretty much any configuration option can
+# be set in this file. More adventurous users can look at local.conf.extended
+# which contains other examples of configuration which can be placed in this file
+# but new users likely won't need any of them initially.
+#
+# Lines starting with the '#' character are commented out and in some cases the
+# default values are provided as comments to show people example syntax. Enabling
+# the option is a question of removing the # character and making any change to the
+# variable as required.
+
+# Distro configuration:
+#
+#  meta-citadel-distro/conf/distro/citadel-distro.conf
+#
+
+DISTRO ?= "citadel-distro"
+
+# Machine configuration:
+#
+#   meta-intel/conf/machine/intel-corei7-64.conf
+#
+
+MACHINE ?= "intel-corei7-64"
+
+
+#
+#
+# Where to place downloads
+#
+# During a first build the system will download many different source code tarballs
+# from various upstream projects. This can take a while, particularly if your network
+# connection is slow. These are all stored in DL_DIR. When wiping and rebuilding you
+# can preserve this directory to speed up this part of subsequent builds. This directory
+# is safe to share between multiple builds on the same machine too.
+#
+# The default is a downloads directory under TOPDIR which is the build directory.
+#
+# DL_DIR ?= "${TOPDIR}/downloads"
+
+#
+# Where to place shared-state files
+#
+# BitBake has the capability to accelerate builds based on previously built output.
+# This is done using "shared state" files which can be thought of as cache objects
+# and this option determines where those files are placed.
+#
+# You can wipe out TMPDIR leaving this directory intact and the build would regenerate
+# from these files if no changes were made to the configuration. If changes were made
+# to the configuration, only shared state files where the state was still valid would
+# be used (done using checksums).
+#
+# The default is a sstate-cache directory under TOPDIR.
+#
+# SSTATE_DIR ?= "${TOPDIR}/sstate-cache"
+
+#
+# Where to place the build output
+#
+# This option specifies where the bulk of the building work should be done and
+# where BitBake should place its temporary files and output. Keep in mind that
+# this includes the extraction and compilation of many applications and the toolchain
+# which can use Gigabytes of hard disk space.
+#
+# The default is a tmp directory under TOPDIR.
+#
+#TMPDIR = "${TOPDIR}/tmp"
+
+
+#
+# SDK target architecture
+#
+# This variable specifies the architecture to build SDK items for and means
+# you can build the SDK packages for architectures other than the machine you are
+# running the build on (i.e. building i686 packages on an x86_64 host).
+# Supported values are i686 and x86_64
+#SDKMACHINE ?= "i686"
+
+#
+# Extra image configuration defaults
+#
+# The EXTRA_IMAGE_FEATURES variable allows extra packages to be added to the generated
+# images. Some of these options are added to certain image types automatically. The
+# variable can contain the following options:
+#  "dbg-pkgs"       - add -dbg packages for all installed packages
+#                     (adds symbol information for debugging/profiling)
+#  "dev-pkgs"       - add -dev packages for all installed packages
+#                     (useful if you want to develop against libs in the image)
+#  "ptest-pkgs"     - add -ptest packages for all ptest-enabled packages
+#                     (useful if you want to run the package test suites)
+#  "tools-sdk"      - add development tools (gcc, make, pkgconfig etc.)
+#  "tools-debug"    - add debugging tools (gdb, strace)
+#  "eclipse-debug"  - add Eclipse remote debugging support
+#  "tools-profile"  - add profiling tools (oprofile, lttng, valgrind)
+#  "tools-testapps" - add useful testing tools (ts_print, aplay, arecord etc.)
+#  "debug-tweaks"   - make an image suitable for development
+#                     e.g. ssh root access has a blank password
+# There are other application targets that can be used here too, see
+# meta/classes/image.bbclass and meta/classes/core-image.bbclass for more details.
+# We default to enabling the debugging tweaks.
+EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
+
+#
+# Additional image features
+#
+# The following is a list of additional classes to use when building images which
+# enable extra features. Some available options which can be included in this variable
+# are:
+#   - 'buildstats' collect build statistics
+#   - 'image-mklibs' to reduce shared library files size for an image
+#   - 'image-prelink' in order to prelink the filesystem image
+# NOTE: if listing mklibs & prelink both, then make sure mklibs is before prelink
+# NOTE: mklibs also needs to be explicitly enabled for a given image, see local.conf.extended
+USER_CLASSES ?= "buildstats"
+
+#
+# Runtime testing of images
+#
+# The build system can test booting virtual machine images under qemu (an emulator)
+# after any root filesystems are created and run tests against those images. To
+# enable this uncomment this line. See classes/testimage(-auto).bbclass for
+# further details.
+#TEST_IMAGE = "1"
+#
+# Interactive shell configuration
+#
+# Under certain circumstances the system may need input from you and to do this it
+# can launch an interactive shell. It needs to do this since the build is
+# multithreaded and needs to be able to handle the case where more than one parallel
+# process may require the user's attention. The default is iterate over the available
+# terminal types to find one that works.
+#
+# Examples of the occasions this may happen are when resolving patches which cannot
+# be applied, to use the devshell or the kernel menuconfig
+#
+# Supported values are auto, gnome, xfce, rxvt, screen, konsole (KDE 3.x only), none
+# Note: currently, Konsole support only works for KDE 3.x due to the way
+# newer Konsole versions behave
+#OE_TERMINAL = "auto"
+# By default disable interactive patch resolution (tasks will just fail instead):
+PATCHRESOLVE = "noop"
+
+#
+# Disk Space Monitoring during the build
+#
+# Monitor the disk space during the build. If there is less that 1GB of space or less
+# than 100K inodes in any key build location (TMPDIR, DL_DIR, SSTATE_DIR), gracefully
+# shutdown the build. If there is less that 100MB or 1K inodes, perform a hard abort
+# of the build. The reason for this is that running completely out of space can corrupt
+# files and damages the build in ways which may not be easily recoverable.
+# It's necesary to monitor /tmp, if there is no space left the build will fail
+# with very exotic errors.
+BB_DISKMON_DIRS = "\
+    STOPTASKS,${TMPDIR},1G,100K \
+    STOPTASKS,${DL_DIR},1G,100K \
+    STOPTASKS,${SSTATE_DIR},1G,100K \
+    STOPTASKS,/tmp,100M,100K \
+    ABORT,${TMPDIR},100M,1K \
+    ABORT,${DL_DIR},100M,1K \
+    ABORT,${SSTATE_DIR},100M,1K \
+    ABORT,/tmp,10M,1K"
+
+#
+# Shared-state files from other locations
+#
+# As mentioned above, shared state files are prebuilt cache data objects which can
+# used to accelerate build time. This variable can be used to configure the system
+# to search other mirror locations for these objects before it builds the data itself.
+#
+# This can be a filesystem directory, or a remote url such as http or ftp. These
+# would contain the sstate-cache results from previous builds (possibly from other
+# machines). This variable works like fetcher MIRRORS/PREMIRRORS and points to the
+# cache locations to check for the shared objects.
+# NOTE: if the mirror uses the same structure as SSTATE_DIR, you need to add PATH
+# at the end as shown in the examples below. This will be substituted with the
+# correct path within the directory structure.
+#SSTATE_MIRRORS ?= "\
+#file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
+#file://.* file:///some/local/dir/sstate/PATH"
+
+
+#
+# Qemu configuration
+#
+# By default qemu will build with a builtin VNC server where graphical output can be
+# seen. The two lines below enable the SDL backend too. By default libsdl-native will
+# be built, if you want to use your host's libSDL instead of the minimal libsdl built
+# by libsdl-native then uncomment the ASSUME_PROVIDED line below.
+PACKAGECONFIG_append_pn-qemu-native = " sdl"
+PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
+#ASSUME_PROVIDED += "libsdl-native"
+
+# CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to
+# track the version of this file when it was generated. This can safely be ignored if
+# this doesn't mean anything to you.
+CONF_VERSION = "1"
+INHERIT+="toaster buildhistory"

meta-citadel-distro/recipes-core/base-files/base-files_%.bbappend

@@ -0,0 +1 @@
+hostname="citadel"

meta-citadel-distro/recipes-core/images/citadel-image-minimal.bb

@@ -0,0 +1,17 @@
+DESCRIPTION = "Subgraph OS Citadel minimal image builder"
+LICENSE = "MIT"
+
+IMAGE_FEATURES_append = " empty-root-password"
+
+IMAGE_INSTALL = "\
+    packagegroup-core-boot \
+    packagegroup-core-full-cmdline-utils \
+    "
+
+ROOT_PASSWORD ?= "citadel"
+
+inherit core-image
+
+WKS_FILE="citadel-image-minimal.wks"
+DEPENDS += "linux-citadel"
+

meta-citadel-distro/recipes-core/images/citadel-initramfs.bb

@@ -0,0 +1,17 @@
+DESCRIPTION = "Image for rootfs"
+
+PACKAGE_INSTALL = "initramfs-framework-base initramfs-module-udev initramfs-module-setup-live ${VIRTUAL-RUNTIME_base-utils} udev base-passwd ${ROOTFS_BOOTSTRAP_INSTALL} linux-firmware-i915 kernel-modules"
+
+IMAGE_FEATURES = ""
+export IMAGE_BASENAME = "citadel-initramfs"
+IMAGE_LINGUAS = ""
+
+LICENSE = "MIT"
+
+INITRAMFS_MAXSIZE = "512000"
+
+IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+inherit core-image
+
+IMAGE_ROOTFS_SIZE = "8192"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"

meta-citadel-distro/wic/citadel-image-minimal.wks

@@ -0,0 +1,3 @@
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot" --size=128 --fstype=vfat --label boot --active --align 1024 --use-uuid
+part / --source rootfs --fstype=ext4 --label rootfs --align 1024 --use-uuid 
+bootloader --ptable gpt --timeout=5  --append="console=ttyS0,115200 console=tty0"

meta-citadel/conf/layer.conf

@@ -0,0 +1,18 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+            ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "citadel"
+BBFILE_PATTERN_citadel = "^${LAYERDIR}/"
+BBFILE_PRIORITY_citadel = "5"
+
+LAYERSERIES_COMPAT_citadel = "rocko"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_citadel = "1"
+
+REQUIRED_POKY_BBLAYERS_CONF_VERSION = "2"

meta-citadel/recipes-devtools/checksec/checksec_1.5-1.bb

@@ -0,0 +1,25 @@
+SUMMARY = "Checksec tool"
+DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
+SECTION = "security"
+LICENSE = "BSD-3-Clause"
+HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
+
+LIC_FILES_CHKSUM = "file://checksec-${PV}.sh;beginline=3;endline=34;md5=6dab14470bfdf12634b866dbdd7a04b0"
+
+SRC_URI = "http://www.trapkit.de/tools/checksec.sh;downloadfilename=checksec-${PV}.sh"
+
+SRC_URI[md5sum] = "57cc3fbbbe48e8ebd4672c569954374d"
+SRC_URI[sha256sum] = "05822cd8668589038d20650faa0e56f740911d8ad06f7005b3d12a5c76591b90"
+
+
+S = "${WORKDIR}"
+
+do_install() {
+    install -d ${D}${bindir}
+    install -m 0755 ${WORKDIR}/checksec-${PV}.sh    ${D}${bindir}/checksec.sh
+    sed -i 's/\r//' ${D}${bindir}/checksec.sh
+}
+
+RDEPENDS_${PN} = "bash binutils"
+
+BBCLASSEXTEND = "native"

meta-citadel/recipes-devtools/gcc/gcc-cross_7.2.bbappend

@@ -0,0 +1,16 @@
+
+# headers needed to compile gcc plugins, needed for grsec gcc plugins during kernel build
+do_install_append () {
+	cp ${S}/include/libiberty.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/mem-stats-traits.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/hash-traits.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/hash-map-traits.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/mem-stats.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/memory-block.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/config/i386/linux64.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/config/i386
+	cp ${S}/gcc/brig-builtins.def ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/expr.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/tree-vrp.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/builtins.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+	cp ${S}/gcc/backend.h ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/plugin/include/
+}

meta-citadel/recipes-kernel/linux/files/ignore-sysroot-for-plugin-build.patch

@@ -0,0 +1,186 @@
+diff -uprN a/scripts/gcc-plugins/checker_plugin.c b/scripts/gcc-plugins/checker_plugin.c
+--- a/scripts/gcc-plugins/checker_plugin.c	2017-12-03 13:20:42.743986199 -0500
++++ b/scripts/gcc-plugins/checker_plugin.c	2017-12-03 13:33:14.506519393 -0500
+@@ -457,7 +457,7 @@ __visible int plugin_init(struct plugin_
+ //	PASS_INFO(context, "ssa", 1, PASS_POS_INSERT_AFTER);
+ 	PASS_INFO(context, "phiprop", 1, PASS_POS_INSERT_AFTER);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/colorize_plugin.c b/scripts/gcc-plugins/colorize_plugin.c
+--- a/scripts/gcc-plugins/colorize_plugin.c	2017-12-03 13:20:42.743986199 -0500
++++ b/scripts/gcc-plugins/colorize_plugin.c	2017-12-03 13:33:43.865657576 -0500
+@@ -121,7 +121,7 @@ __visible int plugin_init(struct plugin_
+ 
+ 	PASS_INFO(colorize_rearm, "*free_lang_data", 1, PASS_POS_INSERT_AFTER);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c
+--- a/scripts/gcc-plugins/constify_plugin.c	2017-12-03 13:20:42.744986204 -0500
++++ b/scripts/gcc-plugins/constify_plugin.c	2017-12-03 13:31:56.239151019 -0500
+@@ -546,7 +546,7 @@ __visible int plugin_init(struct plugin_
+ 
+ 	PASS_INFO(check_local_variables, "ssa", 1, PASS_POS_INSERT_BEFORE);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/cyc_complexity_plugin.c b/scripts/gcc-plugins/cyc_complexity_plugin.c
+--- a/scripts/gcc-plugins/cyc_complexity_plugin.c	2017-12-03 13:20:42.744986204 -0500
++++ b/scripts/gcc-plugins/cyc_complexity_plugin.c	2017-12-03 13:34:33.724892242 -0500
+@@ -55,7 +55,7 @@ __visible int plugin_init(struct plugin_
+ 
+ 	PASS_INFO(cyc_complexity, "ssa", 1, PASS_POS_INSERT_AFTER);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
+--- a/scripts/gcc-plugins/gcc-common.h	2017-12-03 13:20:42.745986209 -0500
++++ b/scripts/gcc-plugins/gcc-common.h	2017-12-03 13:29:54.228576760 -0500
+@@ -189,6 +189,26 @@ static inline tree build_const_char_stri
+ 	return cstr;
+ }
+ 
++static inline bool plugin_version_check_buildhack(struct plugin_gcc_version *gcc_version, 
++		struct plugin_gcc_version *plugin_version) 
++{
++
++	if (!gcc_version || !plugin_version)
++		return false;
++
++	if (strcmp (gcc_version->basever, plugin_version->basever))
++		return false;
++	if (strcmp (gcc_version->datestamp, plugin_version->datestamp))
++		return false;
++	if (strcmp (gcc_version->devphase, plugin_version->devphase))
++		return false;
++	if (strcmp (gcc_version->revision, plugin_version->revision))
++		return false;
++	// if (strcmp (gcc_version->configuration_arguments, plugin_version->configuration_arguments))
++	//	return false;
++	return true;
++}
++
+ static inline void error_gcc_version(struct plugin_gcc_version *version)
+ {
+ 	error(G_("incompatible gcc/plugin versions: need '%s' '%s' '%s' '%s' but have '%s' '%s' '%s' '%s'\n'%s':\n'%s'"),
+diff -uprN a/scripts/gcc-plugins/initify_plugin.c b/scripts/gcc-plugins/initify_plugin.c
+--- a/scripts/gcc-plugins/initify_plugin.c	2017-12-03 13:20:42.744986204 -0500
++++ b/scripts/gcc-plugins/initify_plugin.c	2017-12-03 13:32:44.566378477 -0500
+@@ -1819,7 +1819,7 @@ __visible int plugin_init(struct plugin_
+ 
+ 	PASS_INFO(initify, "inline", 1, PASS_POS_INSERT_AFTER);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/kallocstat_plugin.c b/scripts/gcc-plugins/kallocstat_plugin.c
+--- a/scripts/gcc-plugins/kallocstat_plugin.c	2017-12-03 13:20:42.744986204 -0500
++++ b/scripts/gcc-plugins/kallocstat_plugin.c	2017-12-03 13:33:57.240720527 -0500
+@@ -119,7 +119,7 @@ __visible int plugin_init(struct plugin_
+ 
+ 	PASS_INFO(kallocstat, "ssa", 1, PASS_POS_INSERT_AFTER);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/kernexec_plugin.c b/scripts/gcc-plugins/kernexec_plugin.c
+--- a/scripts/gcc-plugins/kernexec_plugin.c	2017-12-03 13:20:42.744986204 -0500
++++ b/scripts/gcc-plugins/kernexec_plugin.c	2017-12-03 13:34:23.499844120 -0500
+@@ -360,7 +360,7 @@ __visible int plugin_init(struct plugin_
+ 	PASS_INFO(kernexec_fptr, "pre", 1, PASS_POS_INSERT_AFTER);
+ 	PASS_INFO(kernexec_retaddr, "pro_and_epilogue", 1, PASS_POS_INSERT_AFTER);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/latent_entropy_plugin.c b/scripts/gcc-plugins/latent_entropy_plugin.c
+--- a/scripts/gcc-plugins/latent_entropy_plugin.c	2017-12-03 13:20:42.745986209 -0500
++++ b/scripts/gcc-plugins/latent_entropy_plugin.c	2017-12-03 13:34:09.419777850 -0500
+@@ -584,7 +584,7 @@ __visible int plugin_init(struct plugin_
+ 
+ 	PASS_INFO(latent_entropy, "optimized", 1, PASS_POS_INSERT_BEFORE);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c	2017-12-03 13:20:42.745986209 -0500
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c	2017-12-03 13:32:55.752431126 -0500
+@@ -894,7 +894,7 @@ __visible int plugin_init(struct plugin_
+ 	find_bad_casts_pass_info.ref_pass_instance_number	= 1;
+ 	find_bad_casts_pass_info.pos_op			= PASS_POS_INSERT_AFTER;
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error(G_("incompatible gcc/plugin versions"));
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/sancov_plugin.c b/scripts/gcc-plugins/sancov_plugin.c
+--- a/scripts/gcc-plugins/sancov_plugin.c	2017-12-03 13:20:42.745986209 -0500
++++ b/scripts/gcc-plugins/sancov_plugin.c	2017-12-03 13:33:29.458589768 -0500
+@@ -114,7 +114,7 @@ __visible int plugin_init(struct plugin_
+ 	PASS_INFO(sancov, "nrv", 1, PASS_POS_INSERT_BEFORE);
+ #endif
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c
+--- a/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c	2017-12-03 13:20:42.755986255 -0500
++++ b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c	2017-12-03 13:32:32.419321305 -0500
+@@ -242,7 +242,7 @@ __visible int plugin_init(struct plugin_
+ 	PASS_INFO(disable_ubsan_si_overflow, "ubsan", 1, PASS_POS_REPLACE);
+ #endif
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/stackleak_plugin.c b/scripts/gcc-plugins/stackleak_plugin.c
+--- a/scripts/gcc-plugins/stackleak_plugin.c	2017-12-03 13:20:42.745986209 -0500
++++ b/scripts/gcc-plugins/stackleak_plugin.c	2017-12-03 13:32:13.267231164 -0500
+@@ -304,7 +304,7 @@ __visible int plugin_init(struct plugin_
+ 	PASS_INFO(stackleak_tree_instrument, "optimized", 1, PASS_POS_INSERT_BEFORE);
+ 	PASS_INFO(stackleak_final, "final", 1, PASS_POS_INSERT_BEFORE);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}
+diff -uprN a/scripts/gcc-plugins/structleak_plugin.c b/scripts/gcc-plugins/structleak_plugin.c
+--- a/scripts/gcc-plugins/structleak_plugin.c	2017-12-03 13:20:42.745986209 -0500
++++ b/scripts/gcc-plugins/structleak_plugin.c	2017-12-03 13:31:29.704026128 -0500
+@@ -206,7 +206,7 @@ __visible int plugin_init(struct plugin_
+ 
+ 	PASS_INFO(structleak, "early_optimizations", 1, PASS_POS_INSERT_BEFORE);
+ 
+-	if (!plugin_default_version_check(version, &gcc_version)) {
++	if (!plugin_version_check_buildhack(version, &gcc_version)) {
+ 		error_gcc_version(version);
+ 		return 1;
+ 	}

meta-citadel/recipes-kernel/linux/linux-citadel.inc

@@ -0,0 +1,39 @@
+DESCRIPTION = "Citadel linux kernel"
+SECTION = "kernel"
+LICENSE = "GPLv2"
+
+inherit kernel 
+
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
+LINUX_VERSION ?= "${PV}"
+LINUX_VERSION_EXTENSION_append = "-citadel"
+
+SRC_URI = "https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-${LINUX_VERSION}.tar.xz;name=kernel"
+
+
+SRC_URI += "https://github.com/minipli/linux-unofficial_grsec/releases/download/v${LINUX_VERSION}-unofficial_grsec/v${LINUX_VERSION}-unofficial_grsec-${PATCH_DATE_TAG}.diff;name=patch"
+
+SRC_URI += " \
+    file://defconfig \
+    file://ignore-sysroot-for-plugin-build.patch \
+    "
+
+S = "${WORKDIR}/linux-${LINUX_VERSION}"
+
+do_deploy_append() {
+    rm ${DEPLOYDIR}/bzImage
+    ln -sf bzImage-initramfs${KERNEL_IMAGE_BASE_NAME}.bin ${DEPLOYDIR}/bzImage
+}
+
+#
+# https://github.com/96boards/meta-96boards/issues/81#issuecomment-311256044
+# https://github.com/96boards/meta-96boards/blob/master/recipes-kernel/linux/linux-96boards_4.4.bb
+#
+# coreutils for /usr/bin/seq which pax size overflow gcc plugin uses
+
+DEPENDS += "openssl-native coreutils-native"
+HOST_EXTRACFLAGS += "-I${STAGING_INCDIR_NATIVE}"
+
+COMPATIBLE_MACHINE = "(intel-corei7-64)"
+

meta-citadel/recipes-kernel/linux/linux-citadel_4.9.65.bb

@@ -0,0 +1,10 @@
+require linux-citadel.inc
+
+SRC_URI[kernel.md5sum] = "60e1a229fb5ffc2a82462ed9400ce3d0"
+SRC_URI[kernel.sha256sum] = "24ba70877549a3cf25dc5f12efd260d3e957bce64c087de98baf8968ee514895"
+
+PATCH_DATE_TAG = "20171124142753"
+
+SRC_URI[patch.md5sum] = "3c1521b8ada079fbbca372d5191fa351"
+SRC_URI[patch.sha256sum] = "f25398621854074f1a286d97fd39224462c054b568c7ae8181765340a439faf9"
+

meta-citadel/recipes-support/plymouth/plymouth_0.9.2.bb

@@ -0,0 +1,66 @@
+SUMMARY = "Plymouth is a project from Fedora providing a flicker-free graphical boot process."
+
+DESCRIPTION = "Plymouth is an application that runs very early in the boot process \
+    (even before the root filesystem is mounted!) that provides a \
+    graphical boot animation while the boot process happens in the background. \
+"
+
+HOMEPAGE = "http://www.freedesktop.org/wiki/Software/Plymouth"
+SECTION = "base"
+
+LICENSE = "GPLv2+"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+DEPENDS = "libcap libpng cairo dbus udev"
+PROVIDES = "virtual/psplash"
+RPROVIDES_${PN} = "virtual-psplash virtual-psplash-support"
+
+SRC_URI = "http://www.freedesktop.org/software/plymouth/releases/${BPN}-${PV}.tar.bz2"
+SRC_URI[md5sum] = "ff420994deb7ea203df678df92e7ab7d"
+SRC_URI[sha256sum] = "2f0ce82042cf9c7eadd2517a1f74c8a85fa8699781d9f294a06eade29fbed57f"
+
+EXTRA_OECONF += " --enable-shared --disable-static --disable-gtk --disable-documentation \
+    --with-logo=${LOGO} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--enable-systemd-integration --with-system-root-install', '', d)} \
+"
+
+PACKAGECONFIG ??= "pango initrd"
+PACKAGECONFIG_append_x86 = " drm"
+PACKAGECONFIG_append_x86-64 = " drm"
+
+PACKAGECONFIG[drm] = "--enable-drm,--disable-drm,libdrm"
+PACKAGECONFIG[pango] = "--enable-pango,--disable-pango,pango"
+PACKAGECONFIG[gtk] = "--enable-gtk,--disable-gtk,gtk+"
+PACKAGECONFIG[initrd] = ",,,"
+
+LOGO ??= "${datadir}/plymouth/bizcom.png"
+
+inherit autotools pkgconfig systemd
+
+do_install_append() {
+    install -d ${D}${systemd_unitdir}/system
+    install -m 644 ${B}/systemd-units/*.service ${D}${systemd_unitdir}/system
+    install -m 644 ${B}/systemd-units/systemd-ask-password-plymouth.path ${D}${systemd_unitdir}/system
+    # Remove /var/run from package as plymouth will populate it on startup
+    rm -fr "${D}${localstatedir}/run"
+
+    if ! ${@bb.utils.contains('PACKAGECONFIG', 'initrd', 'true', 'false', d)}; then
+        rm -rf "${D}${libexecdir}"
+    fi
+}
+
+PACKAGES =. "${@bb.utils.contains('PACKAGECONFIG', 'initrd', '${PN}-initrd ', '', d)}"
+PACKAGES =+ "${PN}-set-default-theme"
+
+FILES_${PN}-initrd = "${libexecdir}/plymouth/*"
+FILES_${PN}-set-default-theme = "${sbindir}/plymouth-set-default-theme"
+
+FILES_${PN} += "${systemd_unitdir}/system/*"
+FILES_${PN}-dbg += "${libdir}/plymouth/renderers/.debug"
+
+
+RDEPENDS_${PN}-initrd = "bash dracut"
+RDEPENDS_${PN}-set-default-theme = "bash"
+
+SYSTEMD_SERVICE_${PN} = "plymouth-start.service"

meta-citadel/recipes-support/tree/tree_1.7.0.bb

@@ -0,0 +1,21 @@
+SUMMARY = "A recursive directory listing command"
+HOMEPAGE = "http://mama.indstate.edu/users/ice/tree/"
+SECTION = "console/utils"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI = "ftp://mama.indstate.edu/linux/${BPN}/${BP}.tgz"
+SRC_URI[md5sum] = "abe3e03e469c542d8e157cdd93f4d8a6"
+SRC_URI[sha256sum] = "6957c20e82561ac4231638996e74f4cfa4e6faabc5a2f511f0b4e3940e8f7b12"
+
+# tree's default CFLAGS for Linux
+CFLAGS += "-Wall -DLINUX -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
+
+EXTRA_OEMAKE = "CC='${CC}' CFLAGS='${CFLAGS}' LDFLAGS='${LDFLAGS}'"
+
+do_configure[noexec] = "1"
+
+do_install() {
+    install -d ${D}${bindir}
+    install -m 0755 ${S}/${BPN} ${D}${bindir}/
+}

meta-citadel/recipes-support/vim/files/disable_acl_header_check.patch

@@ -0,0 +1,27 @@
+Upstream-Status: pending
+
+Don't check 'sys/acl.h' if acl support disabled for vim/vim-tiny.
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+================================================
+diff --git a/src/configure.ac b/src/configure.ac
+index fb965e5..d734064 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -2511,7 +2511,7 @@ AC_CHECK_HEADERS(stdarg.h stdint.h stdlib.h string.h \
+ 	sys/systeminfo.h locale.h sys/stream.h termios.h \
+ 	libc.h sys/statfs.h poll.h sys/poll.h pwd.h \
+ 	utime.h sys/param.h libintl.h libgen.h \
+-	util/debug.h util/msg18n.h frame.h sys/acl.h \
++	util/debug.h util/msg18n.h frame.h \
+ 	sys/access.h sys/sysinfo.h wchar.h wctype.h)
+ 
+ dnl sys/ptem.h depends on sys/stream.h on Solaris
+@@ -3112,6 +3112,7 @@ AC_ARG_ENABLE(acl,
+ 	, [enable_acl="yes"])
+ if test "$enable_acl" = "yes"; then
+ AC_MSG_RESULT(no)
++AC_CHECK_HEADERS(sys/acl.h)
+ AC_CHECK_LIB(posix1e, acl_get_file, [LIBS="$LIBS -lposix1e"],
+ 	AC_CHECK_LIB(acl, acl_get_file, [LIBS="$LIBS -lacl"
+ 		  AC_CHECK_LIB(attr, fgetxattr, LIBS="$LIBS -lattr",,)],,),)

meta-citadel/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch

@@ -0,0 +1,38 @@
+vim: add knob whether elf.h are checked
+
+Previously, it still was checked when there was no elf library in sysroots directory.
+Add knob to decide whether elf.h are checked or not.
+
+Upstream-status: Pending
+
+Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
+---
+ src/configure.ac |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/configure.ac b/src/configure.ac
+index d734064..f504fa6 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -2483,11 +2483,18 @@ AC_TRY_COMPILE([#include <stdio.h>], [int x __attribute__((unused));],
+ 	AC_MSG_RESULT(no))
+ 
+ dnl Checks for header files.
++AC_MSG_CHECKING(whether or not to look for elf.h)
++AC_ARG_ENABLE(elf-check,
++        [  --enable-elf-check      If elfutils, check for elf.h [default=no]],
++        , enable_elf_check="no")
++AC_MSG_RESULT($enable_elf_check)
++if test "x$enable_elf_check" != "xno"; then
+ AC_CHECK_HEADER(elf.h, HAS_ELF=1)
+ dnl AC_CHECK_HEADER(dwarf.h, SVR4=1)
+ if test "$HAS_ELF" = 1; then
+   AC_CHECK_LIB(elf, main)
+ fi
++fi
+ 
+ AC_HEADER_DIRENT
+ 
+-- 
+1.7.9.5
+

meta-citadel/recipes-support/vim/vim-tiny_8.0.0983.bb

@@ -0,0 +1,13 @@
+require vim_${PV}.bb
+
+SUMMARY += " (with tiny features)"
+
+PACKAGECONFIG += "tiny"
+
+do_install() {
+    install -d ${D}/${bindir}
+    install -m 0755 ${S}/vim ${D}/${bindir}/vim.tiny
+}
+
+ALTERNATIVE_PRIORITY = "90"
+ALTERNATIVE_TARGET = "${bindir}/vim.tiny"

meta-citadel/recipes-support/vim/vim_8.0.0983.bb

@@ -0,0 +1,112 @@
+SUMMARY = "Vi IMproved - enhanced vi editor"
+SECTION = "console/utils"
+DEPENDS = "ncurses gettext-native"
+# vimdiff doesn't like busybox diff
+RSUGGESTS_${PN} = "diffutils"
+LICENSE = "vim"
+LIC_FILES_CHKSUM = "file://../runtime/doc/uganda.txt;md5=eea32ac1424bba14096736a494ae9045"
+
+SRC_URI = "git://github.com/vim/vim.git \
+           file://disable_acl_header_check.patch;patchdir=.. \
+           file://vim-add-knob-whether-elf.h-are-checked.patch;patchdir=.. \
+"
+SRCREV = "3f9a1ff141412e9e85f7dff47d02946cb9be9228"
+
+S = "${WORKDIR}/git/src"
+
+VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"
+
+inherit autotools update-alternatives
+inherit autotools-brokensep
+
+# vim configure.in contains functions which got 'dropped' by autotools.bbclass
+do_configure () {
+    rm -f auto/*
+    touch auto/config.mk
+    aclocal
+    autoconf
+    oe_runconf
+    touch auto/configure
+    touch auto/config.mk auto/config.h
+}
+
+#Available PACKAGECONFIG options are gtkgui, acl, x11, tiny
+PACKAGECONFIG ??= ""
+PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
+
+PACKAGECONFIG[gtkgui] = "--enable-gtk2-test --enable-gui=gtk2,--enable-gui=no,gtk+,"
+PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl,"
+PACKAGECONFIG[x11] = "--with-x,--without-x,xt,"
+PACKAGECONFIG[tiny] = "--with-features=tiny,--with-features=big,,"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
+PACKAGECONFIG[elfutils] = "--enable-elf-check,,elfutils,"
+
+EXTRA_OECONF = " \
+    --disable-gpm \
+    --disable-gtktest \
+    --disable-xim \
+    --disable-netbeans \
+    --with-tlib=ncurses \
+    ac_cv_small_wchar_t=no \
+    vim_cv_getcwd_broken=no \
+    vim_cv_memmove_handles_overlap=yes \
+    vim_cv_stat_ignores_slash=no \
+    vim_cv_terminfo=yes \
+    vim_cv_tgent=non-zero \
+    vim_cv_toupper_broken=no \
+    vim_cv_tty_group=world \
+    STRIP=/bin/true \
+"
+
+do_install() {
+    autotools_do_install
+
+    # Work around file-rdeps picking up csh, awk, perl or python as a dep
+    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/vim132
+    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/mve.awk
+    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/*.pl
+    chmod -x ${D}${datadir}/${BPN}/${VIMDIR}/tools/*.py
+
+    # Install example vimrc from runtime files
+    install -m 0644 ../runtime/vimrc_example.vim ${D}/${datadir}/${BPN}/vimrc
+
+    # we use --with-features=big as default
+    mv ${D}${bindir}/${BPN} ${D}${bindir}/${BPN}.${BPN}
+}
+
+PARALLEL_MAKEINST = ""
+
+PACKAGES =+ "${PN}-common ${PN}-syntax ${PN}-help ${PN}-tutor ${PN}-vimrc ${PN}-tools"
+FILES_${PN}-syntax = "${datadir}/${BPN}/${VIMDIR}/syntax"
+FILES_${PN}-help = "${datadir}/${BPN}/${VIMDIR}/doc"
+FILES_${PN}-tutor = "${datadir}/${BPN}/${VIMDIR}/tutor ${bindir}/${BPN}tutor"
+FILES_${PN}-vimrc = "${datadir}/${BPN}/vimrc"
+FILES_${PN}-data = "${datadir}/${BPN}"
+FILES_${PN}-tools = "${datadir}/${BPN}/${VIMDIR}/tools"
+FILES_${PN}-common = " \
+    ${datadir}/${BPN}/${VIMDIR}/*.vim \
+    ${datadir}/${BPN}/${VIMDIR}/autoload \
+    ${datadir}/${BPN}/${VIMDIR}/colors \
+    ${datadir}/${BPN}/${VIMDIR}/compiler \
+    ${datadir}/${BPN}/${VIMDIR}/ftplugin \
+    ${datadir}/${BPN}/${VIMDIR}/indent \
+    ${datadir}/${BPN}/${VIMDIR}/keymap \
+    ${datadir}/${BPN}/${VIMDIR}/lang \
+    ${datadir}/${BPN}/${VIMDIR}/macros \
+    ${datadir}/${BPN}/${VIMDIR}/plugin \
+    ${datadir}/${BPN}/${VIMDIR}/print \
+    ${datadir}/${BPN}/${VIMDIR}/spell \
+    ${datadir}/icons \
+"
+
+RDEPENDS_${BPN} = "ncurses-terminfo-base"
+# Recommend that runtime data is installed along with vim
+RRECOMMENDS_${BPN} = "${PN}-syntax ${PN}-help ${PN}-tutor ${PN}-vimrc ${PN}-common"
+
+ALTERNATIVE_${PN} = "vi vim"
+ALTERNATIVE_TARGET = "${bindir}/${BPN}.${BPN}"
+ALTERNATIVE_LINK_NAME[vi] = "${base_bindir}/vi"
+ALTERNATIVE_LINK_NAME[vim] = "${bindir}/vim"
+ALTERNATIVE_PRIORITY = "100"
+
+BBCLASSEXTEND = "native"

setup-build-env

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ -n "$BASH_SOURCE" ]; then
+    THIS_SCRIPT=$BASH_SOURCE
+elif [ -n "$ZSH_NAME" ]; then
+    THIS_SCRIPT=$0
+else
+    THIS_SCRIPT="$(pwd)/setup-build-env"
+fi
+
+if [ -z "$ZSH_NAME" ] && [ "$0" = "$THIS_SCRIPT" ]; then
+    echo "Error: This script needs to be sourced. Please run as '. $THIS_SCRIPT'"
+    exit 1
+fi
+
+TEMPLATECONF=../meta-citadel-distro/conf
+. poky/oe-init-build-env
+