2 files changed, 16 insertions, 1 deletions

diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in
index cd1702e1b..658018bac 100644
--- a/meta-security/wic/beaglebone-yocto-verity.wks.in
+++ b/meta-security/wic/beaglebone-yocto-verity.wks.in
@@ -11,5 +11,5 @@
 # This .wks only works with the dm-verity-img class.
 
 part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
 bootloader --append="console=ttyS0,115200"
diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
new file mode 100644
index 000000000..ef114cab0
--- /dev/null
+++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
@@ -0,0 +1,15 @@
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+part / --source rawcopy --ondisk sda  --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
+
+bootloader --ptable gpt --timeout=5 --append=" "