ci: add FIH hardening tests to workflows

Add workflows to run FIH tests using GH actions. Update scripts to add parsing of FIH parameters from a env matrix and disable docker caching when running on GH. Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-09-23 18:56:40 -03:00 · 2021-09-23 18:56:40 -03:00 · 7aa1c87dd8
parent 712fdb5ad0
commit 7aa1c87dd8
3 changed files with 75 additions and 2 deletions
--- a/.github/workflows/fih_tests.yaml
+++ b/.github/workflows/fih_tests.yaml
@ -0,0 +1,49 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+name: FIH hardening
+
+jobs:
+  config:
+    strategy:
+      matrix:
+        fih_env:
+        # FIH environment must use the following space separated format:
+        #   BUILD_TYPE SKIP_SIZE DAMAGE_TYPE FIH_LEVEL(optional)
+        - "RELEASE 2,4,6,8,10 SIGNATURE"
+        - "RELEASE 2,4,6,8,10 SIGNATURE LOW"
+        - "RELEASE 2,4,6,8,10 SIGNATURE MEDIUM"
+        - "MINSIZEREL 2,4,6 SIGNATURE"
+        - "MINSIZEREL 2,4,6 SIGNATURE LOW"
+        - "MINSIZEREL 2,4,6 SIGNATURE MEDIUM"
+        - "MINSIZEREL 8,10 SIGNATURE"
+        - "MINSIZEREL 8,10 SIGNATURE LOW"
+        - "MINSIZEREL 8,10 SIGNATURE MEDIUM"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+        # Uses Mbed TLS from TFM, and nothing else from here.
+        submodules: false
+    - name: Print the environment
+      run: |
+        uname -a
+        lscpu
+        free
+        pwd
+    - name: Signed commit check
+      if: ${{ github.event_name == 'pull_request' }}
+      run: |
+        ./ci/check-signed-off-by.sh
+    - name: FIH hardening test install
+      run: |
+        ./ci/fih-tests_install.sh
+    - name: FIH hardening test run
+      env:
+        FIH_ENV: ${{ matrix.fih_env }}
+      run: |
+        ./ci/fih-tests_run.sh
--- a/ci/fih-tests_install.sh
+++ b/ci/fih-tests_install.sh
@ -25,6 +25,8 @@ CACHED_IMAGE=$DOCKER_DIR/$IMAGE
 [[ -f $CACHED_IMAGE ]] && (gzip -dc $CACHED_IMAGE | docker load)

 if [[ $? -ne 0 ]]; then
-  docker pull mcuboot/$IMAGE
-  docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE
+    docker pull mcuboot/$IMAGE
+    if [[ $GITHUB_ACTIONS != true ]]; then
+        docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE
+    fi
 fi
--- a/ci/fih-tests_run.sh
+++ b/ci/fih-tests_run.sh
@ -22,6 +22,28 @@ pushd .. &&\
   git checkout TF-Mv1.4.0 &&\
   popd

+if [[ $GITHUB_ACTIONS == true ]]; then
+    if [[ -z $FIH_ENV ]]; then
+        echo "Workflow has found no \$FIH_ENV"
+        exit 1
+    fi
+
+    args=($FIH_ENV)
+    len=${#args[@]}
+    if [[ $len < 3 ]]; then
+        echo "Invalid number of \$FIH_ENV args"
+        exit 1
+    fi
+
+    BUILD_TYPE=${args[0]}
+    SKIP_SIZE=${args[1]}
+    DAMAGE_TYPE=${args[2]}
+
+    if [[ $len > 3 ]]; then
+        FIH_LEVEL=${args[3]}
+    fi
+fi
+
 if test -z "$FIH_LEVEL"; then
    docker run --rm -v $(pwd):/root/work/tfm:rw,z mcuboot/fih-test /bin/sh -c '/root/work/tfm/mcuboot/ci/fih_test_docker/execute_test.sh $0 $1 $2' $SKIP_SIZE $BUILD_TYPE $DAMAGE_TYPE
 else