Do so for the usual reason of avoiding network access during recipe
parsing. Occasionally parsing will stall for me as it seems connectivity
to trustedfirmware.org can be flaky.
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Jon Mason <jon.mason@arm.com>
developer.arm.com has a reorganisation and whilst most paths have a
redirect in place, the older FVP binaries did not. Update the URL for
this FVP to the new canonical URLs.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The download filename wasn't versioned so multiple versions would write
to the same file on disk and conflict, causing repeated downloads and
fetch failures.
Add the PV to the filename on disk to resolve this.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
- Implement unattended installation for Debian
- Upgrade Debian version to 12.8.0
Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI
Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI
Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Newer versions of the FVP now contain a full log entry for the
"Listening for serial connection on port" regex of the form:
INFO: FVP_NAME: terminal_uart: Listening for serial connection...
Relax the regex to support this new logging format and change from
re.match to re.search as the regex may not appear at the start of the
line.
This change is backwards-compatible with older versions of the FVP.
Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The SHA of the dependent community layers are set to
the tested SHA from the `styhead` branch of each layer.
Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The SHA of the dependent community layers are commented out and set to
the tested SHA from the `styhead` branch of each layer.
The set SHAs are to be uncommented in the `styhead` branch which is
to be used to create the `CORSTONE1000-2024.11` tag.
Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
* Fix typographical error in documentation.
* Add missing instructions.
* Create paragraphs where necessary to improve readability.
* Change `note` box to `important` box
* Remove verification of arm_tstee driver presence:
arm-tstee driver has been integrated in Linux v6.10.14 which is
the one used in the software stack. It is built as part of Linux and
is no longer a loadable module.
The steps to verify the driver presence are no longer applicable.
* Standardise naming of the target platform:
Consistently use the name `Corstone-1000` to refer to the target platform.
* Update Debian OS version from 12.4 to 12.7
Debian version 12.4 has a bug in Shim 15.7.
This bug causes a fatal error when attempting to boot media installer
for Debian,and resets the platform before installation starts.
A patch to skip the Shim was applied to Corstone-1000 to avoid
the error.
Debian version 12.7 no longer has the bug in the Shim thus making
the usage of the patch redundant.
Bump Debian installer to version 12.7 and remove usage of the patch
for the Debian installation test.
* Replace xterm with tmux:
Update the user guide to specify tmux instead of xterm.
Using tmux as opposed to xterm provides a better user experience
when running the commands listed on the user guide.
* Use ACS image for FVP SystemReady test:
Due to fixed timeout values in the meta-arm-systemready the ACS time
test do not complete successfully.
Instead, specify commands to use the pre-built ACS image.
* List Trusted Services as a host component:
Add Trusted Services to the list of components used on the Host processor
of the Corstone-1000. The various BitBake recipes and append files used to
build Trusted Services are listed for the component.
* Update release version to CORSTONE1000-2024.11:
All references to the version of the Corstone-1000 software reference
stack have been updated from CORSTONE1000-2024.06 to CORSTONE1000-2024.11.
Add to the changelog the 2024.11 release information.
Add the 2024.11 release notes.
Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The meta-arm styhead branch should be using the styhead branches of
meta-clang, meta-virtualization, and meta-secure-core. Remove the
master branch specific line to allow for these to be used.
Signed-off-by: Jon Mason <jon.mason@arm.com>
qemuarm64-secureboot is using systemd for uefi-secureboot, which has
warnings with musl (and fails to compile with clang and musl). So,
modify the matrix to keep the coverage of everything else but musl.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.
Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries.
Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.
Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.
Advantages using systemd as Init Manager:
- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.
- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.
- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.
- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.
- Add CI settings to build and test UEFI Secure Boot.
Add one test to verify Secure Boot using OE Testing infraestructure:
$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
In the target, Secure Boot starts from the firmware (u-boot), adds the
signing keys, and verifies the bootloader (systemd-boot) and kernel
(Linux).
sbsign bbclass is used to sign the binaries. sbsign is the name of the
tool used to sign these binaries. Hence the name of this class to sbsign
and variables with SBSIGN prefix.
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
oe-core master now has 6.10.11 which incorporates this patch, so we don't
need to carry it anymore.
This reverts commit 60fd47edd0.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Some of the existing patches were submitted and merged to the
upstream TF-M repository.
In this commit, the upstream statuses are updated, and the patches are
reordered so the submitted patches are applied first.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The patch with pending status was submitted to the upstream OP-TEE
repo.
Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Using resulttool we can transform the oeqa JSON reports into JUnit XML,
which GitLab can display in pipelines and merge requests.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
We had two instances of the same job, so consolidate them into one.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Instead of always using KAS_WORK_DIR/build to refer to the build tree,
on the assumption that is where the build tree is, export KAS_BUILD_DIR
and use that variable instead.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The point of this recipe is to allow people to quickly test more recent
commits that aren't yet part of any release just yet.
One should really not use it in any product, but it's nice for CI and
development purposes.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The added TF-M patches:
- Remove unused files from TF-M's BL1
- Remove unecessary duplications in metadata write functions
- Fix compiler switches in metadata handling functions: the runtime TF-M
uses the GPT to get the offsets for the metadata.
- Validate both metadata replica in the beginning by checking the crc32
checksum. If one of the replicas is corrupted then update it using the
other replica.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
b4[1] is a very nice tool for mail-based contribution. A config[2] file
exists to set up a few defaults. We can use it to set the To recipients
to always add, in our case the mailing list.
This shouldn't be necessary if we had a script that b4 prep --auto-to-cc
could call to find the mail address(es) to send to. Let's start without
it for now.
[1] https://pypi.org/project/b4/
[2] https://b4.docs.kernel.org/en/latest/config.html
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
If a /dev/teepriv[0-9]* device is detected, start an instance of
tee-supplicant.service with the device name as parameter.
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The current code is waiting 5 seconds to get an EOF on the
console pexpect spawn object, on a particularly slow machine
this timeout was not enough ending up into a TIMEOUT exception.
To solve this, increase the timeout and handle the TIMEOUT exception
by printing an error on the debug console instead of letting the
exception raise up to the stack, force the spawn object close() call
as well, since at this stage we would like the process to terminate
anyway.
Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Modify the upstream status and commit descriptions of Trusted-Services patches.
Few patches have been been upstreamed to external Trusted-Services gerrit repository
for review. So, update upstream status of those patches accordingly.
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Re-enable parselogs testing for fvp-base and corstone1000-fvp, and add
an ignore file for the relevant entries. Also, increase the testing
being done on corstone1000-fvp.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add the bits to enable poky-altcfg to boot to prompt on fvp-base.
Unfortunately, ssh takes a very long time to come up, which causes the
ssh test to timeout. So, don't enable this by default in CI.
Also, switch to building full-cmdline instead of sato, since we're never
actually testing the graphics on this platform.
Signed-off-by: Jon Mason <jon.mason@arm.com>
util-linux is failing when compiling with:
| configure: error: libmount_mountfd_support selected, but required mount FDs based API not available
Remove this feature when building with the binary toolchain to avoid
this issue.
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Application Root of Trust and the PSA Root of Trust was not
isolated in TF-M Isolation Level 2 beacuse of the misconfiguration of
the MPU. The added patch fixes this issue.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Includes:
* Sentence clarifications
* Usage of list numbering where steps are given
* Usage of code syntax where appropriate
* Usage of RST syntax for notes
* Appropriate capitalization of component names
* Consistently use the term MPS3 to refer to the physical hardware
* Present tests in a clear and consistent manner
* Wrap commands to reduce horizontal scrolling
* Creating paragraphs to improve readability
* Usage of shell variables for placeholders so user can
create their shell variables and use the provided commands
as in the user guide.
Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The arm-tstee driver was upstreamed to the v6.10 kernel so it doesn't
have to be loaded manually. Updated the related parts in the
Corstone-1000 user guide.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This commit updates the linux-yocto version to the latest availabe one.
No additional work was needed to make it work in Corstone-1000.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The ts-tee driver was upstreamed into the v6.10 kernel. Remove
arm-tstee driver package, since the upstream one should be used.
optee and arm ffa driver are logging non-fatal errors in dmesg, which is
causing the parselogs test to fail. This is due to arm ffa needing
givc3.
Signed-off-by: Jon Mason <jon.mason@arm.com>
CI test for Trusted Services is failing with the recent musl update.
The issue was bisected to an update in musl modifying the behavior of
PAGE_SIZE. Revert this change in musl while using trusted-services
until a proper solution can be found.
Signed-off-by: Jon Mason <jon.mason@arm.com>