Add a Kas fragment to enable the CVE checker. Disable warnings by
default but show them for the layers in meta-arm, because we only care
about meta-arm issues in this CI.
Explicitly hide kernel warnings as the kernel typically has tens of open
CVEs, and if we're carrying a kernel explicitly then it's typically an
interim kernel between releases.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Extend jobs-to-kas so the first argument is still the GitLab job name,
but allow further arguments to specify extra Kas files to use in
addition.
Then add a variable EXTRA_KAS_FILES to the CI configuration that
defaults to the empty string and pass this to jobs-to-kas.
This lets specific pipeline runs add extra Kas files, for example to use
experimental branches or enable extra features without touching the CI
directly.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add CI builds for Arm SystemReady Firmware within the fvp-base CI job and a new
Arm SystemReady IR ACS build job. Add the CI kas config for each of these
builds.
The ACS build can be controlled by the ACS_TEST GitLab variable to specify
whether or not to run the testimage. If this variable is not set, the
testimage step will not run. The job tag can be controlled by the ACS_TAG GitLab
variable.
Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Now that we've released 4.3 and branched, we can switch master CI back
to master.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Upgrade the Arm binary toolchains to the latest version. Of note, the
untarred directory has camelcased the "R" in Rel (which was "rel" in the
previous versions).
Signed-off-by: Jon Mason <jon.mason@arm.com>
Use IMAGE_CLASSES rather than a direct INHERIT for fvpboot.
This is Yocto best practice as it is used to enable
functionality across all image recipes.
Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Some FVPs are available as x86-64 and aarch64 binaries, so build target
(qemuarm64) and nativesdk (x86-64) packages for these to verify the
checksums are correct.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
meta-clang and meta-virtualisation don't yet have nanbield branches, so
we need to use master for those at the moment.
Signed-off-by: Ross Burton <ross.burton@arm.com>
To allow running the TF-A TFTF tests we need to ensure the images for
N1SDP and Corstone-1000 MPS3 boards build
Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The terribly named qemutiny test case tries to login to the target over
the serial console. It's designed for poky-tiny, so add it to the tests
we run in poky-tiny builds.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Adds meta-secure-core to corstone1000.yml to enable signed capsule
update feature.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Meta-secure-core is used to create signed capsule (firmware update
images). This adds meta-secure-core.yml file and since it depends on meta-perl
from oe-core, it adds that layer to meta-openembedded.yml
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The fvp-baser-aemv8r64 machine will not be actively maintained.
Signed-off-by: Divin Raj <divin.raj@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
QEMU_USE_SLIRP is no longer needed[1] as adding slirp to
TEST_RUNQEMUPARAMS is sufficient, so remove that.
Setting TEST_SERVER_IP also isn't needed as there's a default value now,
and we disable the package management tests that would use the server
IP. When they work the correct IP can be set.
[1] As of oe-core f4e8650
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The update-repos script currently exits immediately if one of the
underlying Git commands fails (e.g. because of a network issue). If the
repo already exists, then catch this error inside the loop and
carrying on attempting to update other repos, as the network error may
be upstream.
KAS_REPO_REF_DIR is ultimately an optimization and subsequent build
stages should be able to continue if one of the updates fail. Therefore,
ensure the script returns a special error code if at least of the Git
commands fail, and use this to set the allow_failure property of the
job.
If a repo does not exist, fail immediately as before.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Build a custom N1SDP image with only optee-xtests as part of the image. A fresh custom image build is necessary to include the relevant test suite for running the xtests.
Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add back the 11.2 release of GCC, because TF-M has code generation
problems with 11.3 onwards.
This recipe has the major version embedded in the recipe name so that it
has to be specifically asked for in a per-recipe basis.
Signed-off-by: Ross Burton <ross.burton@arm.com>
This was added to build an Android Common Kernel with the Android
compiler, but we don't need to build that anymore.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Temporary workaround for a number binaries in the toolchains that are
using 32bit timer API. This must be done in the CI yml file instead of
the recipe because of all the libraries in the toolchain have the issue.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Pre-populate the standard values of get-binary-toolchains so that it
will work without variables in a standard kas container. This will aid
in ease-of-use for development and testing of binary toolchains.
Signed-off-by: Jon Mason <jon.mason@arm.com>
The following error is seen:
ERROR: Nothing PROVIDES 'llvm-native' (but virtual:native:/builds/jonmason00/meta-arm/work/build/../poky/meta/recipes-graphics/mesa/mesa_23.1.3.bb DEPENDS on or otherwise requires it). Close matches:
ovmf-native
rust-llvm-native
vim-native
Work around this by using the llvm-native from meta-clang
Signed-off-by: Jon Mason <jon.mason@arm.com>
This tool makes it easy to lock a build to a known good configuration,
for example by locking the SHAs to the last good build of master.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Kas 3.3 uses branch and commit keys instead of a general-purpose
refspec. Change the base to use branch:mickledore and remove the
explicit use of master for meta-virtualization now that a mickledore
branch exists there too now.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This recipe is a rebuild from source of the Arm GCC release, with
patches from oe-core added to make it work well in our environment.
Most people are happy with the GCC in oe-core, and this release is often
behind: at the time of writing oe-core has mainline GCC 13.1, but Arm
GCC is 12.2. Users who actually want the improvements in Arm GCC will
likely want to use the binary toolchain so that they can have support
from Arm, and they're welcome to do so via the "external-arm" binary
toolchain.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Split trusted-services.xml into qemuarm64-secureboot-ts.yml and
n1sdp-ts.yml as collection of Trusted Services which can be tested on
each platform has diverged.
Signed-off-by: Adam Johnston <adam.johnston@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
TF-A v2.8 does not support measured boot and FF-A which is mandatory for
PSA Initial Attestation SP to work correctly.
Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
There are cases where a developer might want to enable things, like
debug-tweaks, which are useful in their testing but not something we
would want in a production environment. Create a file where these can
be added without affecting other things.
Signed-off-by: Jon Mason <jon.mason@arm.com>
debug-tweaks is useful in testing and internal usage, but is a massive
security hole (as it allow password-less root login). Remove the
default enablement on machine files and in kas base yml.
Signed-off-by: Jon Mason <jon.mason@arm.com>
It is only necessary to accept the FVP usage license when using FVPs.
So, move that to the fvp.yml file from the base.yml file to make things
a little cleaner.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Installing SMM Gateway SP on the N1SDP may stop the platform from booting
for on-device testing in CI.
In n1sdp.yml, remove `ts-smm-gateway` if it has been added
Keep `ts-smm-gateway` in default SP set so it can still be tested with
`qemu-secureboot`
Signed-off-by: Adam Johnston <adam.johnston@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add tc1 ecosystem FVP and bits to enable in the tc1 machine config file
Also, do some hacks to speed things up.
Signed-off-by: Jon Mason <jon.mason@arm.com>
meta-clang's clang recipe has an irritating interaction with oe-core's
llvm recipe which can result in build warnings, which cause builds to
fail in our pedantic CI.
The current best known workaround is to simply mask out the llvm recipes
if clang is being used.
For more details, see https://github.com/kraj/meta-clang/pull/766.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
If the repository reference directory gets corrupted it's not easy to
wipe it, so add a variable CI_CLEAN_REPOS that if set in the pipeline
will clean the clones and re-fetch them.
Also, stop the fetch from detaching during the garbage collection, just
in case it was a long-running GC that got killed that caused the
corruption in the first place.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
fvp-base-arm32 isn't a real machine and supporting it has become hacky.
Drop support and remove from meta-arm-bsp
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add the various kernels available in oe-core, as well as the poky-tiny
minimal distribution (which has a minimal kernel config). This
necessitated combining some kernel bbappends to have patching coverage
for all the variants.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Make things more obvious by adding yml files for the poky defaults
instead of disregarding them in the jobs-to-kas script
Signed-off-by: Jon Mason <jon.mason@arm.com>
Update the Arm GCC source to the latest version. Also, update the GCC
patches to apply cleanly, removing those that are no longer relevant.
Signed-off-by: Jon Mason <jon.mason@arm.com>
meta-clang now builds pixman with GCC until this is resolved.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Now we're using master these workarounds are not needed anymore.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
