Commit Graph

55 Commits

Author SHA1 Message Date
Jerzy Kasenberg 7a4b192690 ci: mynewt: Download nrfx from separate repository
Mynewt used to have copy of nrfx.
Now nrfx is taken from original repository and since some CI
targets want to build for NRF MCUs nrfx repository needs to be
downloaded.

Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
2023-05-10 20:49:59 -03:00
Fabio Utzig 86dba4d6c1 ci: update toml dependency
Switch from toml to tomllib when supported, Python 3.11+, and fallback to
using tomli instead of toml otherwise.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2023-04-27 12:35:12 -03:00
Szymon Janc 22096886a6 ci: mynewt: Enable Mynewt specific tests
This allows to run Mynewt bootserial tests in CI.

Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
2023-03-17 11:14:24 -03:00
Fabio Utzig 9c5d14ae67 ci: Update signed commit check to accept a SHA
Try a merge commit if no parameters are passed, otherwise accept the
first parameter as the oldest SHA to check.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2023-03-14 08:18:52 -06:00
Roland Mikhel 9f4ef83dc0 ci: Improve FIH job result assessment
Modify the FIH CI job to fail in case successful boot happens
below a certain threshold. CI should fail if a successful boot
is achieved by bypassing one or two instructions as it would
defeat the purpose of the FIH mechanisms.

Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: If1703d57e3ba87e5fd73d4ba954bfd38ed1c0cc6
2023-03-02 14:24:25 -07:00
Dominik Ermel 76d2b89b40 ci: Skip sign-off checks for dependabot
Dependabot uses different e-mails for signoff and commit.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2023-02-23 08:12:12 -07:00
Tamas Ban 4a34b0fed1 ci: Update TF-M version to be aligned with FIH library changes
So far the FIH CI job was fetching a WIP change from
TF-M Gerrit to align the MCUboot and TF-M from the FIH
library point of view. This change is replacing to fetch
the final version instead of the WIP change.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2023-02-22 08:14:09 -07:00
Almir Okato bfdf934e3a espressif: ci: Add new building jobs configs for Espressif chips
Add jobs for testing build ESP32-XX within more features:
Serial Recovery, Multi Image and Multi Boot

Signed-off-by: Almir Okato <almir.okato@espressif.com>
2023-02-03 18:05:07 -03:00
Almir Okato 3eb0681273 ci: add single parent commit case on check-signed-off-by script
Signed-off-by: Almir Okato <almir.okato@espressif.com>
2023-02-03 18:05:07 -03:00
Michael Grand 5047f032c9 fih: Hardening of fault injection countermeasures
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE) complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.

Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, it's easier to predict
compiler behavior.

Affectation of sensitive variables has been hardened using macro
FIH_SET (affectation + check whether write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sensitive
variables.

Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produces more complex code (and weaker) than macros.
In addition fih_not_eq is modified to be the negation of fih_eq
which was not the case until now.

when FIH_NOT_EQ is used, FIH_SET(fih_rc, FIH_FAILURE) has been added
in some part of the code.

variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.

some other parts of the code have been hardened (eg. loop on images)

Signed-off-by: Michael Grand <m.grand@trustngo.tech>
2023-01-30 09:34:34 -07:00
Fabio Utzig 5a013e321f ci: add Mynewt test target for swap move
Add a new Mynewt build configuration that uses the swap move mode.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2023-01-06 17:41:03 -03:00
Fabio Utzig 46e554e7c0 ci: Fix compatibility with packaging==22
packaging >= 22 dropped support for LegacyVersion, which was the usual
result of an invalid version number being parsed. Now it is PEP-440
strict and throws an exception on fails. This fixes the script to work
with both older and newer releases.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2023-01-04 11:22:24 -03:00
Tamas Ban 166075ef4b ci: fih: update TF-M version to 1.7.0 and adjust test suite
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I1a810bac6e0409ff06af80c8151b8d37a97effdc
2022-12-16 13:06:11 +01:00
Almir Okato fa173df366 espressif: Add warning for unsupported chip revision
Added checking and warning for ESP32, ESP32-S2, ESP32-C3, ESP32-S3
unsupported chip revisions on their initialization.

Made respectively changes for build system and documentation.

Signed-off-by: Almir Okato <almir.okato@espressif.com>
2022-05-09 15:55:23 -03:00
Gustavo Henrique Nihei d6e98106b6 espressif: Improve CI script for targeting multiple chips at once
This enables using "espressif_run.sh" locally for a quick validation
that the build passes for multiple Espressif targets.

Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
2021-12-29 09:19:02 -03:00
Gustavo Henrique Nihei 67b73d3c79 espressif: Add CI jobs for Secure boot enabled images
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
2021-12-20 09:20:14 -03:00
Gustavo Henrique Nihei 38453f679c ci: Enable build of espressif port for supported chips
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
2021-11-04 06:32:43 -03:00
Fabio Utzig 8fcdfc5c67 ci: bump FIH docker release
Use version 0.0.2 of the FIH docker image, which is just a rebuild with
upgraded packages. This should fix the SSL issues cloning the tf-m-tests
repo from the docker run.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-10-07 12:40:24 -03:00
Fabio Utzig f859255838 ci: update signed-off-by with string comparison
Force use of string comparison to avoid issues comparing strings that
include specific characters like `[` and `]`, which are special symbols
and break the bash test.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-09-29 16:51:59 -06:00
Fabio Utzig 7aa1c87dd8 ci: add FIH hardening tests to workflows
Add workflows to run FIH tests using GH actions. Update scripts to add
parsing of FIH parameters from a env matrix and disable docker caching
when running on GH.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-09-27 14:23:19 -03:00
Mate Toth-Pal 056d9bc8dd ci: Change TF-M log level
Change the log level of TF-M so that the message that the CI is looking
for appears in the output.

Signed-off-by: Fabio Utzig <utzig@apache.org>
Change-Id: I763ccef4aaf6158ed578b230096f595a1e5cbfd9
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2021-09-22 12:41:20 +02:00
Fabio Utzig 66fecebb80 ci: Fix FIH YAML result parsing
The running test was generating a YAML output with the following line:

```
last_line: '  Description: 'ECDSA signature test of attest token''
```

This string comes from the test with the single quotes, and using single
quotes twice breaks the YAML format, so this commit changes the string
after last_line to be enclosed in the double quotes.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-09-22 12:41:20 +02:00
Sherry Zhang 3c4f69cb6e ci: Update the TF-M version in fih test
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: I357ca9266629310deddf8431aa912f3fdbe9f34c
2021-09-22 12:41:20 +02:00
David Brown 65643a6a28 Revert "ci: fix wget error downloading arm-gcc-embedded"
This reverts commit 34f68ed67c.

Re-enable certificate checking when downloading the Arm toolchain.
Although, this is probably not all that great of a risk, the certificate
issue was transient, and was fixed shortly after it was noticed.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-09-18 19:11:05 -03:00
Fabio Utzig 34f68ed67c ci: fix wget error downloading arm-gcc-embedded
Disable certificate verification for developer.arm.com to avoid
certificate issues when installing arm embedded tools to build Mynewt.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-09-16 08:34:38 -03:00
David Brown fe0bfcfba9 Migrate master->main
Change references in CI and docs from 'master' to 'main' as the primary
branch has been renamed.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-05-14 14:56:39 -06:00
Fabio Utzig e58f48f58a ci: update imgtool script to use python/pip
Switch from hard-coded python3/pip to base python/pip. Also install full
imgtool package.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-02-12 09:28:47 -03:00
Fabio Utzig ce503341ad ci: relax signed-off-by checks on forks
Addresses issues when running signed-off-by checks on the Zephyr fork
due to GH rebases done on UX rewriting the commit with the primary email
instead of whatever email was used originally.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2021-01-15 11:13:18 +01:00
Raef Coles 713bb79549 ci: Update TF-M version
To fix a regression caused by f68473814f,
where an older TF-M version was used that didn't support the bootutil
cmake.

Signed-off-by: Raef Coles <raef.coles@arm.com>
2021-01-15 11:11:42 +01:00
David Brown ed90fbfe9f ci: Add timing info to test builds
To help determine where time is being spent in tests, add a 'time'
command to the test invocation script.  In addition, split the test
invocation into a separate build and run stage.  This can be useful with
another change to ptest that logs all test outputs instead of just
failures.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-01-14 13:19:58 -07:00
Fabio Utzig 6907c90e31 ci: pull trusted-firmware-m repo on Travis run
Update volume maps so local directories in the Travis VM map correctly
to the Docker expected PATH for script running. Misc cleanups.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2021-01-06 14:13:44 -03:00
Fabio Utzig bd0ce62073 ci: pull fih-test docker image on install
Update install script to avoid building a docker image and instead pull;
also add proper caching for re-runs.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2021-01-06 14:13:44 -03:00
Fabio Utzig a069befebd ci: docker: remove source repos from fih-test
Update Dockerfile to only build a distro and required tooling, avoiding
adding source repositories, including tfm and mcuboot, so that it can be
reused without the need to rebuild all the time.

This should allow pushing the image under mcuboot/fih-test and
pulling+caching in Travis.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2021-01-06 14:13:44 -03:00
Raef Coles f68473814f ci: Pin tf-m-tests version in FIH test
To avoid problems where the latest master of tf-m-tests is incompatible
with the fixed version used by the FIH test. Bump the version of TF-M
used slightly to a commit that allows the version of tf-m-tests to be
easily overridden.

Signed-off-by: Raef Coles <raef.coles@arm.com>
2021-01-05 11:17:14 -03:00
Raef Coles 7cca88ab8e ci: Update tf-m version in FIH test
To a version which uses the new bootutil cmake, allowing the bootutil
files to be moved/renamed without breaking the FIH test.

Signed-off-by: Raef Coles <raef.coles@arm.com>
2020-12-18 10:44:00 +01:00
Fabio Utzig 9723b52a80 ci: use python3 for building imgtool wheel
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-12 13:27:47 -03:00
Fabio Utzig 395a9f9c5a ci: add wheel dependency to imgtool publishing
Should fix the current fail trying to build a bdist_wheel.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-12 08:52:20 -03:00
Mate Toth-Pal d4f605300e travis: Add Script to summarize FIH test output
Change-Id: I5fbbad8cdaf829dc11543a70e419de45f07002a0
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2020-11-12 09:27:10 +01:00
Mate Toth-Pal b1163985bd travis: Add python script for damaging MCUboot image
Change-Id: Ic975b2fa937baafe57c8c492ef889ffb292f691e
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2020-11-12 09:27:10 +01:00
Mate Toth-Pal 0eead8c263 travis: Add FIH test cases to .travis.yml
Change-Id: I7ce96821e4af645a8d20696d02d8a09d9822b9f7
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2020-11-12 09:27:10 +01:00
Mate Toth-Pal 6298067d02 travis: Add FIH test scripts
Add scripts that can run instruction skip FIH tests on QEMU.

Co-authored-by: Raef Coles <raef.coles@arm.com>
Change-Id: Ia6da00174115e1dabaf84fdfc0e40476dc1b7a10
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2020-11-12 09:27:10 +01:00
Mate Toth-Pal 5495f20355 travis: Build MCUBoot for Armv8-M
Build MCUBoot with TF-M build system for AN521 platform, and run it in
QEMU. The result of the test run is not evaluated yet.

Change-Id: I5fbfef8e6d8dec99a8e3e00d659a07ccfcaf0b5b
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2020-11-12 09:27:10 +01:00
Fabio Utzig c06694e25c ci: move imgtool publishing to GH workflows
Disable imgtool publishing on Travis; update scripts to work on both
Travis and GH; add GH workflow for publishing.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-10 14:19:05 -03:00
Fabio Utzig 301e9755bd boot: mynewt: fix CI issues with mbedTLS CTR mode
Enable Mynewt syscfg to bring in mbedTLS CTR mode.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Signed-off-by: Blaž Hrastnik <blaz@mxxn.io>
2020-09-28 09:08:44 -06:00
Fabio Utzig 377307de7d Fix imgtool publishing missing python package
Add missing `packaging` to allow version comparison.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-04-23 12:03:48 -06:00
Fabio Utzig 14301abbc1 travis: add imgtool publishing
Add new CI vm that parses the imgtool version from __init__.py and
compares with the current published release. If the version in the repo
is newer it will be published automatically.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-04-23 09:56:58 -06:00
Fabio Utzig 729139f80f ci: add tool to check for Cargo features
When running tests from .travis.yml, the passed in features are first
checked locally for support in the current simulator. The list of
supported features was manually maintained, allowing newly implemented
features to be skipped, also skipping the related test (without
warnings). This adds a new tool that parses and prints the list of
features directly from the given Cargo.toml.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 16:03:55 -03:00
Sam Bristow d0ca0ffc27 Fix up typos
Ran automated checker for common typos [1]. Most of these changes have
no functional change *except* for `./ci/sim_run.sh` where, previously
the `bootstrap` feature wasn't being selected properly.

I didn't touch anything in the `./ext/` folder as anything in there
should probably be fixed in the upstream repo.

[1] https://github.com/codespell-project/codespell

Signed-off-by: Sam Bristow <sam@bristow.nz>
2019-10-30 06:24:10 -03:00
Fabio Utzig 63ae7dee22 Add pkgpath to Mynewt key_files
This allows the CI targets to be built if MCUBoot is a dependency of
other repos as well as current local package only build support.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-04-17 18:12:23 -03:00
Fabio Utzig 4b2547c755 Remove symlinks, newt should find packages
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-03-15 07:51:28 -03:00