To build NVIDIA Yocto Project-based components
Note
Bitbake compatibility with AppArmor security restrictions: users on an Ubuntu 24.04 host need to disable the AppArmor restriction on unprivileged user namespaces for bitbake to run. To do so, execute the following as root before continuing with the steps below:
echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890
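The `echo 0` above is a runtime setting that stays off until it is written back or the host reboots. One way to limit it to the build session, as an added example that is not part of NVIDIA's tooling: the function names, the `USERNS_SYSCTL` override and `start_build_session.sh` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the NVIDIA tooling.
# Relax the AppArmor userns restriction only while one command runs,
# then write the previous value back. Run on the Ubuntu 24.04 host as root.
# USERNS_SYSCTL can be overridden (assumption: for dry runs on a scratch file).
USERNS_SYSCTL="${USERNS_SYSCTL:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"

# Print the current value, or "absent" when the host has no such knob.
userns_restriction_state() {
    if [ -r "$USERNS_SYSCTL" ]; then
        cat "$USERNS_SYSCTL"
    else
        echo absent
    fi
}

# with_userns_relaxed CMD [ARGS...]
# Runs CMD with the restriction set to 0 and returns CMD's exit status.
with_userns_relaxed() {
    _prev="$(userns_restriction_state)"
    _rc=0
    case "$_prev" in
        absent|0)
            # Nothing to relax, so nothing to restore afterwards.
            "$@" || _rc=$?
            return "$_rc" ;;
    esac
    if ! echo 0 > "$USERNS_SYSCTL"; then
        echo "cannot write $USERNS_SYSCTL (root required)" >&2
        return 126
    fi
    # Put the old value back even if the session is interrupted.
    trap 'echo "$_prev" > "$USERNS_SYSCTL"; exit 130' INT TERM
    "$@" || _rc=$?
    trap - INT TERM
    echo "$_prev" > "$USERNS_SYSCTL"
    return "$_rc"
}

# Usage (start_build_session.sh is a hypothetical wrapper for your build):
#   with_userns_relaxed ./start_build_session.sh
```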
The Yocto build must launch from a non-root userid, because Yocto does not allow builds as root.
sudo su nvidia # password : 'nvidia'
Set up the Yocto environment in Docker using the automated script. This script must be executed before launching the bitbake tool:
export NV_WORKSPACE=/drive/
cd $NV_WORKSPACE/drive-linux_src/yocto/scripts
source setup_yocto_env.sh
Select the type of image by setting the value of IMAGE_TYPE:
export IMAGE_TYPE=<full|prod|samples|debug-utils>
* prod: Rootfs with upstream OSS (baseline Yocto distro) and Tegra software libraries.
* samples: Rootfs with contents of _prod_, plus DriveOS samples (NVmedia, Gfx etc. samples).
* debug-utils: Rootfs with contents of _prod_, plus utilities to support debug and profiling (OSS and NV-proprietary debug utils).
* full: Superset rootfs with everything in _prod_, _samples_ and _debug-utils_ packaged.
Note
Default image type is set to full.
Select KERNEL_CONFIG_TYPE to choose the flavor of kernel to be built.
export KERNEL_CONFIG_TYPE=<standard|production|safety|production_debug|safety_debug>
Note
Default KERNEL_CONFIG_TYPE is set to standard.
Select COPYTARGET_VARIANT.
export COPYTARGET_VARIANT=<rfs|boot_initramfs>
Note
Default COPYTARGET_VARIANT is set to rfs for tegra-drive-os-av-image and should be set to boot_initramfs for initramfs builds.
The complete set of valid combinations of IMAGE_TYPE, KERNEL_CONFIG_TYPE, COPYTARGET_VARIANT, and the PCT is documented below:
IMAGE_TYPE | KERNEL_CONFIG_TYPE | COPYTARGET_VARIANT | PCT |
---|---|---|---|
full | standard | rfs | dev_nsr |
prod | standard | rfs | |
samples | standard | rfs | |
debug-utils | standard | rfs | |
prod | production | rfs | prod_nsr |
samples | production | rfs | prod_nsr |
full | production_debug | rfs | test_nsr |
samples | production_debug | rfs | |
debug-utils | production_debug | rfs | |
N/A | standard | boot_initramfs | any |
N/A | production | boot_initramfs | any |
Dual branch support is enabled with Yocto. The available branches are Scarthgap (Yocto 5.0) and Nanbield (Yocto 4.3). Yocto 5.0 is the branch selected by default. To build Yocto images with the 4.3 baseline, source the respective init script:
cd $NV_WORKSPACE/drive-linux_src/yocto/
mv build/ build_bkp/
export DISTRO_CODE="nanbield"
source oss/nanbield/poky/oe-init-build-env
Network has to be enabled for Yocto 4.3 to download sources from upstream by setting BB_NO_NETWORK as follows:
export BB_NO_NETWORK='0'
Build component or image, depending on the recipe, with the following command:
bitbake <recipe>
Recipes of interest are:
bitbake | Function / Remarks |
---|---|
 | Yocto DRIVE AV rootfs |
 | Cold boot initramfs |
 | Cold boot initramfs with production config |
Kernel Security Feature Configurations:
1. The default kernel recipe uses prebuilt components to account for signature matching of the base kernel and Tegra kernel modules. To rebuild the base kernel from source, launch bitbake on the linux-nvidia recipe manually.
2. SELinux support is enabled in Yocto, with permissive as the default mode. To begin testing system behavior in enforcing mode, set DEFAULT_ENFORCING to "enforcing" in ``${NV_WORKSPACE}/drive-linux_yocto/yocto/layers/meta-drive/recipes-security/refpolicy/refpolicy-minimum_%.bbappend``.
3. Steps to enable the read-only root filesystem and dm-verity kernel security features are described in [DM-Verity and Read-Only File System Support](dm_verity_and_read_only_file_system_support.html).
Note
To disable Auto IP Assignment (APIPA) on the target, append LinkLocalAddressing=no in the [Network] section of the /etc/systemd/networkd.conf file.