Add git recipe versions that track the latest git versions of u-boot and
the various OP-TEE recipes. This, in combination with the previously
existing trusted firmware a and m recipes, allows for using the latest
code in platform development and testing (as part of CI).
For CI usage, a KAS yml file has been created to allow for those recipes
to be used, and an entry for fvp-base has been added to the gitlab CI
yml file.
NOTE: the wildcard for corstone1000 u-boot PREFERRED_VERSION was causing
it to pick-up the newest version (and failing to apply the patches).
The wildcard is unnecessary, since it is using a layer supplied package.
So, remove it and everyone is happy.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Now that clang is in core, we don't need to use meta-clang anymore.
Also, use PREFERRED_TOOLCHAIN_TARGET to specify the toolchain to use.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Moving forwards, it's expected that the poky repository will no longer be
updated as the integration of bitbake-setup means that users are
encouraged to use bitbake+oe-core separately instead.
We also need to fetch meta-yocto as our CI is currently explicitly based
on the poky distribution.
This is effectively a no-op change, as poky is simply these component
repositories glued into a single repository for convenience.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
oe-selftest is now logging having rm_work enabled as an error, which is
causing the test to fail. Remove this from the selftest.yml file, and
everything works as before.
Signed-off-by: Jon Mason <jon.mason@arm.com>
The oe-core perf recipe will now enable coresight support automatically
if the coresight MACHINE_FEATURE is set[1], so we can remove the manual
configuration in our CI and let the machines enable it where appropriate.
[1] oe-core c455bd03910 ("perf: enable coresight if enabled in MACHINE_FEATURES")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Originally we customised the CI build for speed, by switching to ipkg
instead of rpm for the packages and disabling graphical output support
in qemu-system-native.
These are admirable goals, but more admirable is sharing sstate and
people may wish to use the output of this CI without having to make the
same alterations.
Drop these two changes so that our configuration matches poky. I've
verified that with this change, a build of core-image-sato for qemuarm64
can be built almost entirely from the autobuilder's sstate[1].
[1] gator-daemon, opencsd, and perf are built as these are not built on
the AB in this configuration.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
testimage.yml was skipping the opkg tests, but we also need to skip the
dnf tests for when PACKAGE_CLASSES="package_rpm".
These skips are FVP-specific as they are due to the wrong IP being used
by the test suite. This should be fixed in the FVP test harness, but
for now move the exclusions into fvp.yml so they're isolated.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The caller should (and does) use ci/testimage.yml explicitly instead.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The test cases for fvp-base will not fully run because the trusted
servies ones are the only ones (instead of being appended to the list).
Correcting this issue so that all the tests can be run.
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Yocto project changed the server name for sstate, though the
previous one does still appear to work. Update here to the one matching
the YP documentation.
Signed-off-by: Jon Mason <jon.mason@arm.com>
This switches CI back to using the master branches.
Currently there are two known failures:
- sbsa-ref
- perf on musl
This reverts commit e0c1f0f94a.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The logging service provides an SPMC agonistic to create log messages.
The current version will simply dump the incoming log messages to a
setial line. Future versions could provide access to log messages from
the NWd, could encrypt the essages and perform more efficient when
logging large messages.
This change enables the logging SP on the fvp_base platform. All log
messages made by SPs after the boot phase will be sent to UART3.
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Bound Authenticated Variable configuration related settings to yocto
variables. The aim is easier configuration by hiding SmmGW build system
internals at the yocto recipe level.
For details please see documentation/trusted-services.md
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Seeing the warning:
lack of whitespace around the assignment: 'TS_ENV="sp"'
Add the spaces to address the issue
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add FVP support to sgi575 and run a boot test as part of CI. Networking
is not currently working and seems to require an older version of edk2
to boot the kernel. Also, the unique files for grub and wks do not seem
to be necessary.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Instead of assuming that the repository was created with the latest URL,
fetch the repository explicitly when fetching.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Integrating the binary Arm GCC toolchain into OE is quite complicated
because the binary release and oe-core's toolchain are arranged slightly
differently, which makes it quite fragile.
As it's obviously a binary release we cannot patch it to fix issues.
Also it has some fairly sizable limitations: for example the kernel
headers are old (from linux 4.19) and the locale packaging is different
so locale package dependencies don't work.
The main historic users of the external toolchain no longer use it, so
remove it. The recipes will remain in the LTS branches for users who
are using it currently, but will not be part of the next release.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Acked-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Unified Kernel Image includes kernel and initrd which
both are signed with UEFI secure boot. This brings secure
boot closer to userspace.
Use core-image-initramfs-boot to find the real
rootfs and boot systemd init there. No need to hard code
rootfs via qemuboot/runqemu variables.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Setting INIT_MANAGER to "systemd" already sets needed
feature flags. Appending to them only causes sstate
cache invalidation and recompilations.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
xen-image-minimal now requires systemd. Add poky-altcfg (which has
systemd amongst other things) as an includes in the xen.yml file to work
around this. Also, xen requires openssh instead of dropbear. So,
override that entry.
Signed-off-by: Jon Mason <jon.mason@arm.com>
UEFI capsule update is a mechanism that allows firmware updates to be
delivered and applied in a standardized way. It is part of the UEFI
specification and provides a way to update system firmware components
like the BIOS, UEFI drivers, or other platform firmware.
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Enable network boot via HTTP protocol. Many embedded and server-class
systems use network boot for booting. Enabling network boot on devices
allows:
- Shipping devices without OS images. When we power up the device, the
firmware can connect to the Internet and download and install suitable
boot images for this specific device. Administrators can centrally
manage the boot images and configuration files on a network server.
This centralization streamlines the management of boot options and
ensures consistency across all devices.
- This is particularly useful in enterprise environments. On mass
deployments, there is a need to install the operating system on
multiple devices simultaneously.
- Ability to maintain a completely diskless system if needed
The plain HTTP protocol lacks encryption. It's intended to be used on
local networks. Secure http protocol support is under review.
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.
Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries.
Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.
Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.
Advantages using systemd as Init Manager:
- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.
- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.
- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.
- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.
- Add CI settings to build and test UEFI Secure Boot.
Add one test to verify Secure Boot using OE Testing infraestructure:
$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
Using resulttool we can transform the oeqa JSON reports into JUnit XML,
which GitLab can display in pipelines and merge requests.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Re-enable parselogs testing for fvp-base and corstone1000-fvp, and add
an ignore file for the relevant entries. Also, increase the testing
being done on corstone1000-fvp.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add the bits to enable poky-altcfg to boot to prompt on fvp-base.
Unfortunately, ssh takes a very long time to come up, which causes the
ssh test to timeout. So, don't enable this by default in CI.
Also, switch to building full-cmdline instead of sato, since we're never
actually testing the graphics on this platform.
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Secure Debug functionality can be enabled on MPS3 by using the new
corstone1000-mps3-secure-debug.yml kas file. The kas file adds the new
secure-debug machine feature. The TF-M recipe adds the needed TF-M
build flags and patches in order to make the Secure Debug work.
This way, the Corstone-1000 will only boot fully if a debugger is
connected and a debug authentication is initiated.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The edk file removed xorg from being tested, which is currently working
on qemuarm and qemuarm64. Also, the section name collies with one in
fvp.yml, which has other things that are removed. Remove this removal
to get things working as expected.
Signed-off-by: Jon Mason <jon.mason@arm.com>
With the resolution of meta-clang issue 766 and
OE-Core 15d09b02b2632ab1cabc3b1bd9f521e6d3d3b83f
many of the settings are no longer necessary to be set as part of our
CI. Remove them, as it is causing other issues with CI.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Update the Arm Binary toolchain to version 13.3-rel1. The upper to
lowercase 'r' in rel was intentional, as the exact match is needed for
devtool to properly determine the correct version.
Signed-off-by: Jon Mason <jon.mason@arm.com>
uefi-test is failing on qemuarm64-secureboot with TS enabled with a "Bus
Error". This regression is caused by the update of QEMU from v8.2.1 to
v9.0.0. Temporarily disable this test (via disabling ts-smm-gateway) to
get CI green until it can be root caused.
Signed-off-by: Jon Mason <jon.mason@arm.com>
We boot genericarm64 inside a qemu, so add the pregenerated keys to speed
up testing. This isn't a risk because we don't publish the images.
Signed-off-by: Ross Burton <ross.burton@arm.com>
The BB_HASHSERVE_UPSTREAM has issues which cause significantly less of a
match than expected. Update with the correct values to get the expected
behavior.
Fixes: 6e9525115b ("CI: add Yocto Project SSTATE Mirror")
Signed-off-by: Jon Mason <jon.mason@arm.com>
On some CI systems, the bitbake server is timing out at 1 mins.
Increase to 5 mins, which hopefully should give enough time without
letting it run forever.
Signed-off-by: Jon Mason <jon.mason@arm.com>
optee-os test xtest needs additional test trusted applications (TA) from
optee-os-ta package to pass. Execution time for ftpm test is around 21
seconds and 596 seconds for optee-test/xtest on an x86_64 build machine.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
optee-os test xtest needs additional test trusted applications (TA) from
optee-os-ta package to pass. Execution time for ftpm test is around 18
seconds and 430 seconds for optee-test/xtest on an x86_64 build machine.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
There are two recipes in meta-arm-systemready that download ISOs for
testing purposes. Build them in CI to verify that the fetch is
successful.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
