Update balena engine to v25.0.14

meta-balena-common/classes/resin-sanity.bbclass

@@ -16,8 +16,8 @@ def balenaos_build_configuration(d):
         bb.warn("ResinOS distro depends on opkg packages (ipk). Make sure PACKAGE_CLASSES is set on package_ipk.")
     if d.getVar('DOCKER_STORAGE', True):
         bb.warn("DOCKER_STORAGE variable was replaced by BALENA_STORAGE. Please update your build configuration.")
-    if d.getVar('BALENA_STORAGE', True) not in ['aufs', 'overlay2']:
-        bb.error("ResinOS supports only aufs and overlay2 as balena storage drivers.")
+    if d.getVar('BALENA_STORAGE', True) != 'overlay2':
+        bb.error("balenaOS only supports overlay2 as the balena storage driver.")
         success = False
     if d.getVar('RESIN_CONNECTABLE', True) or d.getVar('RESIN_CONNECTABLE_SERVICES', True) or d.getVar('RESIN_CONNECTABLE_ENABLE_SERVICES', True):
         bb.warn("Your build configuration uses RESIN_CONNECTABLE* variables. These variables are no longer used. There is only one type of resinOS image type which is unconnected by default. The os-config tool is used to configure the resinOS image for connectivity to a resin instance.")

meta-balena-common/conf/distro/include/balena-os.inc

@@ -111,7 +111,6 @@ IMAGE_NAME_SUFFIX = ""
 # resinOS defaults to ipk packages
 PACKAGE_CLASSES = "package_ipk"
 
-# Default the docker storage driver to aufs
 BALENA_STORAGE = "overlay2"
 python () {
     docker_storage = d.getVar('DOCKER_STORAGE', True)
@@ -137,8 +136,8 @@ PREFERRED_VERSION_upx-native:arm = "3.94"
 # let's pin linux-firmware to the version we imported from Poky scarthgap release
 PREFERRED_VERSION_linux-firmware = "20240909"
 
-# Scarthgap go version, meets balena-engine go version requirement
-GOVERSION = "1.22.12"
+# Go version from walnascar, meets balena-engine v25 requirement
+GOVERSION = "1.24.6"
 PREFERRED_PROVIDER_go-native = "go-binary-native"
 
 # Firmware compression support

meta-balena-common/recipes-containers/balena/balena/0001-dynbinary-use-go-cross-compiler.patch

@@ -1,23 +1,111 @@
-From bbf600cc4d46c3f7ec0c1b486790a2402d41f550 Mon Sep 17 00:00:00 2001
+From 3ce6089417b8c6c4e8279e6ef60213436ebf8793 Mon Sep 17 00:00:00 2001
 From: Bruce Ashfield <bruce.ashfield@gmail.com>
 Date: Tue, 30 Jun 2020 22:23:33 -0400
 Subject: [PATCH] dynbinary: use go cross compiler
 
+MJ: use ${GO} also in "go env" calls, because native go:
+  $ go env GOARM
+  5
+while go cross compiler for my target:
+  $ ${GO} env GOARM
+  7
+this can lead to:
+  error: switch '-mcpu=cortex-a9' conflicts with switch '-march=armv5t' [-Werror]
+
+but even after fixing it to use "better" -march it still doesn't match with -mcpu
+set in our GOBUILDFLAGS, causing e.g.:
+  error: switch '-mcpu=cortex-a9' conflicts with switch '-march=armv7-a+simd' [-Werror]
+
+so drop CGO_CFLAGS/CGO_CXXFLAGS as in OE builds we don't need them
+as long as ${GO} and GOBUILDFLAGS are respected
+
+it was added in:
+https://github.com/moby/moby/commit/12558c8d6ea9f388b54eb94ba6b9eb4a9fc5c9f2
+
+and it wasn't an issue before:
+https://github.com/moby/moby/commit/8c12a6648b368cc2acaea0339d6c57c920ed265c
+
+because it was using 'case "${GOARM}" in' and ${GOARM} was empty in our builds
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
 Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
 ---
- hack/make/.binary | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ hack/make/.binary | 37 ++++++++-----------------------------
+ 1 file changed, 8 insertions(+), 29 deletions(-)
 
-Index: git/src/import/hack/make/.binary
+Index: import/hack/make/.binary
 ===================================================================
---- git.orig/src/import/hack/make/.binary
-+++ git/src/import/hack/make/.binary
-@@ -81,7 +81,7 @@
+--- import.orig/hack/make/.binary
++++ import/hack/make/.binary
+@@ -3,7 +3,7 @@
+
+ # a helper to provide ".exe" when it's appropriate
+ binary_extension() {
+-	if [ "$(go env GOOS)" = 'windows' ]; then
++	if [ "$(${GO} env GOOS)" = 'windows' ]; then
+ 		echo -n '.exe'
+ 	fi
+ }
+@@ -16,33 +16,12 @@
+ (
+ 	export GOGC=${DOCKER_BUILD_GOGC:-1000}
+
+-	if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then
+-		# must be cross-compiling!
+-		if [ "$(go env GOOS)/$(go env GOARCH)" = "linux/arm" ]; then
+-			# specify name of the target ARM architecture
+-			case "$(go env GOARM)" in
+-				5)
+-					export CGO_CFLAGS="-march=armv5t"
+-					export CGO_CXXFLAGS="-march=armv5t"
+-					;;
+-				6)
+-					export CGO_CFLAGS="-march=armv6"
+-					export CGO_CXXFLAGS="-march=armv6"
+-					;;
+-				7)
+-					export CGO_CFLAGS="-march=armv7-a"
+-					export CGO_CXXFLAGS="-march=armv7-a"
+-					;;
+-			esac
+-		fi
+-	fi
+-
+ 	# -buildmode=pie is not supported on Windows arm64 and Linux mips*, ppc64be
+ 	# https://github.com/golang/go/blob/go1.19.4/src/cmd/internal/sys/supported.go#L125-L132
+ 	if ! [ "$DOCKER_STATIC" = "1" ]; then
+ 		# -buildmode=pie not supported when -race is enabled
+ 		if [[ " $BUILDFLAGS " != *" -race "* ]]; then
+-			case "$(go env GOOS)/$(go env GOARCH)" in
++			case "$(${GO} env GOOS)/$(${GO} env GOARCH)" in
+ 				windows/arm64 | linux/mips* | linux/ppc64) ;;
+ 				*)
+ 					BUILDFLAGS+=("-buildmode=pie")
+@@ -66,11 +45,11 @@
+ 	# only necessary for non-sandboxed invocation where TARGETPLATFORM is empty
+ 	PLATFORM_NAME=$TARGETPLATFORM
+ 	if [ -z "$PLATFORM_NAME" ]; then
+-		PLATFORM_NAME="$(go env GOOS)/$(go env GOARCH)"
+-		if [ -n "$(go env GOARM)" ]; then
+-			PLATFORM_NAME+="/v$(go env GOARM)"
+-		elif [ -n "$(go env GOAMD64)" ] && [ "$(go env GOAMD64)" != "v1" ]; then
+-			PLATFORM_NAME+="/$(go env GOAMD64)"
++		PLATFORM_NAME="$(${GO} env GOOS)/$(${GO} env GOARCH)"
++		if [ -n "$(${GO} env GOARM)" ]; then
++			PLATFORM_NAME+="/v$(${GO} env GOARM)"
++		elif [ -n "$(${GO} env GOAMD64)" ] && [ "$(${GO} env GOAMD64)" != "v1" ]; then
++			PLATFORM_NAME+="/$(${GO} env GOAMD64)"
+ 		fi
+ 	fi
+
+@@ -82,7 +61,7 @@
+ 	if [ -n "$DOCKER_DEBUG" ]; then
+ 		set -x
+ 	fi
+-	./hack/with-go-mod.sh go build -mod=vendor -modfile=vendor.mod -o "$DEST/$BINARY_FULLNAME" "${BUILDFLAGS[@]}" -ldflags "$LDFLAGS $LDFLAGS_STATIC $DOCKER_LDFLAGS" -gcflags="${GCFLAGS}" "$GO_PACKAGE"
++	./hack/with-go-mod.sh ${GO} build -trimpath -mod=vendor -modfile=vendor.mod -o "$DEST/$BINARY_FULLNAME" "${BUILDFLAGS[@]}" -ldflags "$LDFLAGS $LDFLAGS_STATIC $DOCKER_LDFLAGS" -gcflags="${GCFLAGS}" "$GO_PACKAGE"
+ )
 
- 	echo "Building: $DEST/$BINARY_FULLNAME"
- 	echo "GOOS=\"${GOOS}\" GOARCH=\"${GOARCH}\" GOARM=\"${GOARM}\""
--	go build \
-+	${GO} build \
- 		-o "$DEST/$BINARY_FULLNAME" \
- 		"${BUILDFLAGS[@]}" \
- 		-ldflags "
+ echo "Created binary: $DEST/$BINARY_FULLNAME"

meta-balena-common/recipes-containers/balena/balena_git.bb

@@ -15,10 +15,10 @@ inherit goarch
 inherit pkgconfig
 inherit useradd
 
-BALENA_VERSION = "v20.10.27"
-BALENA_BRANCH = "release/v20.10"
+BALENA_VERSION = "v25.0.14"
+BALENA_BRANCH = "kyle/v25"
 
-SRCREV = "f4c93ad2b3c4ffa190ad29abba0a6f3e0779c797"
+SRCREV = "5875bf63065ceb4e66f03e512c7dcc4db1d372fa"
 # NOTE: update patches when bumping major versions
 # [0] will have up-to-date versions, make sure poky version matches what
 # meta-balena uses
@@ -31,9 +31,8 @@ SRC_URI = "\
 	file://balena-host.socket \
 	file://balena-healthcheck \
 	file://var-lib-docker.mount \
-	file://balena.conf.storagemigration \
 	file://balena-tmpfiles.conf \
-	file://0001-dynbinary-use-go-cross-compiler.patch \
+	file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
 	"
 S = "${WORKDIR}/git"
 
@@ -103,6 +102,7 @@ do_compile() {
 	export DOCKER_BUILDTAGS="${BUILD_TAGS} ${PACKAGECONFIG_CONFARGS}"
 	export DOCKER_LDFLAGS="-s"
 	export GO111MODULE=off
+	export GOTOOLCHAIN=local
 
 	export DISABLE_WARN_OUTSIDE_CONTAINER=1
 
@@ -142,9 +142,6 @@ do_install() {
 	mkdir -p ${D}/usr/lib/balena
 	install -m 0755 ${WORKDIR}/balena-healthcheck ${D}/usr/lib/balena/balena-healthcheck
 
-	install -d ${D}${sysconfdir}/systemd/system/balena.service.d
-	install -c -m 0644 ${WORKDIR}/balena.conf.storagemigration ${D}${sysconfdir}/systemd/system/balena.service.d/storagemigration.conf
-
 	install -d ${D}/${ROOT_HOME}/.docker
 	ln -sf .docker ${D}/${ROOT_HOME}/.balena
 	ln -sf .docker ${D}/${ROOT_HOME}/.balena-engine

meta-balena-common/recipes-core/packagegroups/packagegroup-resin.bb

@@ -32,7 +32,6 @@ RDEPENDS:${PN} += " \
     timeinit \
     systemd-zram-swap \
     os-extra-firmware \
-    ${@bb.utils.contains('BALENA_STORAGE', 'aufs', 'aufs-util-auplink', '', d)} \
     ${BALENA_SUPERVISOR} \
     disk-watchdog \
     "

meta-balena-common/recipes-devtools/go/go-1.22.12.inc → meta-balena-common/recipes-devtools/go/go-1.24.6.inc

@@ -2,7 +2,7 @@ require go-common.inc
 
 FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go:"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=7998cb338f82d15c0eff93b7004d272a"
 
 SRC_URI += "\
     file://0001-cmd-go-make-content-based-hash-generation-less-pedan.patch \
@@ -14,21 +14,9 @@ SRC_URI += "\
     file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \
     file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
     file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
-    file://CVE-2025-22870.patch \
-    file://CVE-2025-22871.patch \
-    file://CVE-2025-4673.patch \
-    file://CVE-2025-4674.patch \
-    file://CVE-2025-47907-pre.patch \
-    file://CVE-2025-47907.patch \
-    file://CVE-2025-47906.patch \
-    file://CVE-2025-58185.patch \
-    file://CVE-2025-58187.patch \
-    file://CVE-2025-58188.patch \
-    file://CVE-2025-58189.patch \
-    file://CVE-2025-47912.patch \
-    file://CVE-2025-61723.patch \
-    file://CVE-2025-61724.patch \
+    file://0010-cmd-go-clear-GOROOT-for-func-ldShared-when-trimpath-.patch \
+    file://6d265b008e3d106b2706645e5a88cd8e2fb98953.patch \
 "
-SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
+SRC_URI[main.sha256sum] = "e1cb5582aab588668bc04c07de18688070f6b8c9b2aaf361f821e19bd47cfdbd"
 
 CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows"

meta-balena-common/recipes-devtools/go/go-binary-native_1.22.12.bb → meta-balena-common/recipes-devtools/go/go-binary-native_1.24.6.bb

@@ -3,15 +3,15 @@
 SUMMARY = "Go programming language compiler (upstream binary for bootstrap)"
 HOMEPAGE = " http://golang.org/"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=7998cb338f82d15c0eff93b7004d272a"
 
 PROVIDES = "go-native"
 
 # Checksums available at https://go.dev/dl/
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "4fa4f869b0f7fc6bb1eb2660e74657fbf04cdd290b5aef905585c86051b34d43"
-SRC_URI[go_linux_arm64.sha256sum] = "fd017e647ec28525e86ae8203236e0653242722a7436929b1f775744e26278e7"
-SRC_URI[go_linux_ppc64le.sha256sum] = "9573d30003b0796717a99d9e2e96c48fddd4fc0f29d840f212c503b03d7de112"
+SRC_URI[go_linux_amd64.sha256sum] = "bbca37cc395c974ffa4893ee35819ad23ebb27426df87af92e93a9ec66ef8712"
+SRC_URI[go_linux_arm64.sha256sum] = "124ea6033a8bf98aa9fbab53e58d134905262d45a022af3a90b73320f3c3afd5"
+SRC_URI[go_linux_ppc64le.sha256sum] = "63fc9559a3d6dfd63aa902f714375b879bbc848466181c035c122489b9646e27"
 
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"

meta-balena-common/recipes-devtools/go/go-common.inc

@@ -39,8 +39,6 @@ export GOARCH ?= "${TARGET_GOARCH}"
 export GOARM ?= "${TARGET_GOARM}"
 export GO386 ?= "${TARGET_GO386}"
 export GOMIPS ?= "${TARGET_GOMIPS}"
-export GOROOT_FINAL ?= "${libdir}/go"
-
 export GODEBUG = "gocachehash=1"
 
 do_compile:prepend() {

meta-balena-common/recipes-devtools/go/go-runtime.inc

@@ -34,7 +34,7 @@ do_compile() {
 	if [ -n "${GO_DYNLINK}" ]; then
 		export GOTOOLDIR="${B}/pkg/tool/native_native"
 		CC="$CC_FOR_${TARGET_GOTUPLE}" GOARCH="${TARGET_GOARCH}" GOOS="${TARGET_GOOS}" GOROOT=${B} \
-			$GOTOOLDIR/go_bootstrap install -linkshared -buildmode=shared ${GO_SHLIB_LDFLAGS} std
+			$GOTOOLDIR/go_bootstrap install -linkshared -trimpath -buildmode=shared ${GO_SHLIB_LDFLAGS} std
 	fi
 	cd ${B}
 }