ci: add FIH hardening tests to workflows

Add workflows to run FIH tests using GH actions. Update scripts to add
parsing of FIH parameters from an env matrix and to disable docker caching
when running on GH.

Signed-off-by: Fabio Utzig <utzig@apache.org>
Fabio Utzig 2021-09-23 18:56:40 -03:00 committed by Fabio Utzig
parent 712fdb5ad0
commit 7aa1c87dd8
3 changed files with 75 additions and 2 deletions

.github/workflows/fih_tests.yaml vendored Normal file

@ -0,0 +1,49 @@
on:
push:
branches:
- main
pull_request:
name: FIH hardening
jobs:
config:
strategy:
matrix:
fih_env:
# FIH environment must use the following space separated format:
# BUILD_TYPE SKIP_SIZE DAMAGE_TYPE FIH_LEVEL(optional)
- "RELEASE 2,4,6,8,10 SIGNATURE"
- "RELEASE 2,4,6,8,10 SIGNATURE LOW"
- "RELEASE 2,4,6,8,10 SIGNATURE MEDIUM"
- "MINSIZEREL 2,4,6 SIGNATURE"
- "MINSIZEREL 2,4,6 SIGNATURE LOW"
- "MINSIZEREL 2,4,6 SIGNATURE MEDIUM"
- "MINSIZEREL 8,10 SIGNATURE"
- "MINSIZEREL 8,10 SIGNATURE LOW"
- "MINSIZEREL 8,10 SIGNATURE MEDIUM"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
# Uses Mbed TLS from TFM, and nothing else from here.
submodules: false
- name: Print the environment
run: |
uname -a
lscpu
free
pwd
- name: Signed commit check
if: ${{ github.event_name == 'pull_request' }}
run: |
./ci/check-signed-off-by.sh
- name: FIH hardening test install
run: |
./ci/fih-tests_install.sh
- name: FIH hardening test run
env:
FIH_ENV: ${{ matrix.fih_env }}
run: |
./ci/fih-tests_run.sh
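Review bot: The checkout step references `actions/checkout@v2` by a mutable tag, so what this new workflow actually runs is whatever that tag points to at the time rather than a reviewed revision; pin it to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2`. The workflow also declares no `permissions:` block, so the job token receives the repository's default scope although every step only reads the checkout; adding `permissions:` with `contents: read` at the top level keeps the token to what the job needs. As a smaller point, the matrix does not set `fail-fast: false`, so the first failing FIH configuration cancels the remaining ones and a single regression hides the results of the other eight combinations.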


@ -26,5 +26,7 @@ CACHED_IMAGE=$DOCKER_DIR/$IMAGE
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
docker pull mcuboot/$IMAGE docker pull mcuboot/$IMAGE
if [[ $GITHUB_ACTIONS != true ]]; then
docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE
fi
fi fi
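Review bot: The new `if [[ $GITHUB_ACTIONS != true ]]` guard has no comment, and the reason for skipping the on-disk cache is stated only in the commit message; a one-line comment above it such as `# Do not cache the pulled image locally when running under GitHub Actions` would keep that rationale with the code. A consequence worth noting is that on GH every job now pulls `mcuboot/$IMAGE` afresh by tag, so each run trusts whatever the registry currently serves under that tag; if the test image is meant to be fixed, referencing it by digest (`mcuboot/$IMAGE@sha256:<digest-placeholder>`) would make the pull reproducible and verifiable. The enclosing `if [[ $? -ne 0 ]]` block begins before the hunk, and the file path for this section is not shown on the page.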


@ -22,6 +22,28 @@ pushd .. &&\
git checkout TF-Mv1.4.0 &&\ git checkout TF-Mv1.4.0 &&\
popd popd
if [[ $GITHUB_ACTIONS == true ]]; then
if [[ -z $FIH_ENV ]]; then
echo "Workflow has found no \$FIH_ENV"
exit 1
fi
args=($FIH_ENV)
len=${#args[@]}
if [[ $len < 3 ]]; then
echo "Invalid number of \$FIH_ENV args"
exit 1
fi
BUILD_TYPE=${args[0]}
SKIP_SIZE=${args[1]}
DAMAGE_TYPE=${args[2]}
if [[ $len > 3 ]]; then
FIH_LEVEL=${args[3]}
fi
fi
if test -z "$FIH_LEVEL"; then if test -z "$FIH_LEVEL"; then
docker run --rm -v $(pwd):/root/work/tfm:rw,z mcuboot/fih-test /bin/sh -c '/root/work/tfm/mcuboot/ci/fih_test_docker/execute_test.sh $0 $1 $2' $SKIP_SIZE $BUILD_TYPE $DAMAGE_TYPE docker run --rm -v $(pwd):/root/work/tfm:rw,z mcuboot/fih-test /bin/sh -c '/root/work/tfm/mcuboot/ci/fih_test_docker/execute_test.sh $0 $1 $2' $SKIP_SIZE $BUILD_TYPE $DAMAGE_TYPE
else else