Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.
Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries.
Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.
Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.
Advantages using systemd as Init Manager:
- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.
- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.
- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.
- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.
- Add CI settings to build and test UEFI Secure Boot.
Add one test to verify Secure Boot using OE Testing infraestructure:
$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
Using resulttool we can transform the oeqa JSON reports into JUnit XML,
which GitLab can display in pipelines and merge requests.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
We had two instances of the same job, so consolidate them into one.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Instead of always using KAS_WORK_DIR/build to refer to the build tree,
on the assumption that is where the build tree is, export KAS_BUILD_DIR
and use that variable instead.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add the changes necessary to get edk2 booting and testimage passing on
fvp-base. All that is really necessary is adding the dtb to the too
partition.
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Kas 4.4 image includes the websocket module, needed to use the
public hashserv/sstate.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Added the Corstone-1000 FVP platform to the ACS test build as well as
adding the arm-systemready-firmware variant to the Corstone-1000 FVP
build.
Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
When trying to replicate a build locally, having the exact list of Kas
files that was used is very useful.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
These BSPs are now obsolete.
Users of generic-arm64 should use genericarm64 from meta-yocto-bsp.
Users of qemu-generic-arm64 should use sbsa-ref from meta-arm-bsp.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This is mostly based on the existing qemu-generic-arm64 machine, but by
not being based on the genericarm64 and instead being specifically a
machine to run on the qemu sbsa-ref machine we get to tune differently.
Specifically, this configures sbsa-ref to be a Neoverse N2 (v9), and the
tune is set to match. Another notable difference to qemu-generic-arm64
is that the kernel configuration is at present defconfig. We may wish
to change this in the future to be the same fragmented configuration as
genericarm64.
We have to ignore two testimage parselogs failures: one from NUMA which
will be fixed in a future EDK2 release, and one from efifb where we
should be using the bochsdrm driver instead (further investigation is
needed)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add the new genericarm64 in meta-yocto-bsp to the CI.
This new BSP is heavily based on the meta-arm generic-arm64 machine, but
with an all-new fragmented kernel configuration.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add configuration settings to TF-A, OP-TEE and TS SPs needed to get TS
built and run on the fvp-base machine.
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
To reduce build and test times in CI, move the dev kernel outside the
standard matrix. This results in it still being built and tested for
the platform, but only with gcc/glibc (and not against clang and musl).
This greatly reduces the number of permutations that need to be
verified.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Setting an API key means we get higher rate limits. Because keys are
private, the key must be set in the environment of the runner.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Extend jobs-to-kas so the first argument is still the GitLab job name,
but allow further arguments to specify extra Kas files to use in
addition.
Then add a variable EXTRA_KAS_FILES to the CI configuration that
defaults to the empty string and pass this to jobs-to-kas.
This lets specific pipeline runs add extra Kas files, for example to use
experimental branches or enable extra features without touching the CI
directly.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add CI builds for Arm SystemReady Firmware within the fvp-base CI job and a new
Arm SystemReady IR ACS build job. Add the CI kas config for each of these
builds.
The ACS build can be controlled by the ACS_TEST GitLab variable to specify
whether or not to run the testimage. If this variable is not set, the
testimage step will not run. The job tag can be controlled by the ACS_TAG GitLab
variable.
Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Now that there's a FVP for aarch64, we don't need to pin the CI pipeline
to x86-64.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
To allow running the TF-A TFTF tests we need to ensure the images for
N1SDP and Corstone-1000 MPS3 boards build
Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Just execute all tests with the meta-arm tag, instead of hardcoding the
list of tests.
Also run two tests in parallel as there's no reason to limit it to one.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Kas binary is identical, but the container has been rebuilt using
Debian 12 (Bookworm).
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Kas container in version 4 onwards is based on Debian 12, which
forbids pip from installing files into /usr or ~/.local/.
We want to install the arbitrary dependencies for the documentation
build, so these should be installed in a venv.
The kas container doesn't currently install python3-venv, so we have to
install that manually (patch sent upstream).
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The fvp-baser-aemv8r64 machine will not be actively maintained.
Signed-off-by: Divin Raj <divin.raj@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The update-repos script currently exits immediately if one of the
underlying Git commands fails (e.g. because of a network issue). If the
repo already exists, then catch this error inside the loop and
carrying on attempting to update other repos, as the network error may
be upstream.
KAS_REPO_REF_DIR is ultimately an optimization and subsequent build
stages should be able to continue if one of the updates fail. Therefore,
ensure the script returns a special error code if at least of the Git
commands fail, and use this to set the allow_failure property of the
job.
If a repo does not exist, fail immediately as before.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
To make the pipeline slightly more resilient to external networking
issues, allow a local container registry mirror to be specified in the
GitLab settings. If not specified, the upstream container registry is
used automatically.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Build a custom N1SDP image with only optee-xtests as part of the image. A fresh custom image build is necessary to include the relevant test suite for running the xtests.
Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
In the update-repos job, generate a Kas lock file to pin the SHAs of the
repositories being build during the build. This ensures that commits to
the repositories _during_ the build doesn't cause differing builds. All
of the kas calls use this lock file to ensure that their builds are
identical.
This lockfile is also added to the artifacts, so that it can be reused
afterwards to replicate the build: either as a known good base or to
replicate failures.
This lock file is only generated if it doesn't exist, so that
development branches can temporarily add a lockfile.yml if for example
master is too unstable to develop on.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Kas 3.3 has the following new features:
- kas: Introduce commit and branch as alternative to refspec key
- kas: Warn if a repo uses legacy refspec
- kas: add support for lock files via dump plugin
- kas: track root repo dir config files of menu plugin
- kas: add support for --log-level argument
- kas: add GIT_CREDENTIAL_USEHTTPPATH environment variable
- kas: improve error reporting
- kas: drop support for Python 3.5
- kas-container: fix invocations with --isar for some layers
- kas-container: Purge tmp* on clean
- kas-container: enable colored logging
4.0 is basically the same but the Kas container uses Debian 12, which is
not yet supported as a tested platform. Until Debian 12 is tested we
should continue to use 3.3.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
It's useful to have known good logs when debugging problems, so always
preserve the logs.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This recipe is a rebuild from source of the Arm GCC release, with
patches from oe-core added to make it work well in our environment.
Most people are happy with the GCC in oe-core, and this release is often
behind: at the time of writing oe-core has mainline GCC 13.1, but Arm
GCC is 12.2. Users who actually want the improvements in Arm GCC will
likely want to use the binary toolchain so that they can have support
from Arm, and they're welcome to do so via the "external-arm" binary
toolchain.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Split trusted-services.xml into qemuarm64-secureboot-ts.yml and
n1sdp-ts.yml as collection of Trusted Services which can be tested on
each platform has diverged.
Signed-off-by: Adam Johnston <adam.johnston@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add musl testing to have qemuarm-secureboot match qemuarm64-secureboot.
Since the Arm GCC binary toolchain cannot work with musl, move that out
into it's own testing.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add tc1 ecosystem FVP and bits to enable in the tc1 machine config file
Also, do some hacks to speed things up.
Signed-off-by: Jon Mason <jon.mason@arm.com>
The dev kernel can frequently fail, and is not anything that is used in
production. Allow failure to prevent CI issues but still notify that
there are potential issues.
Signed-off-by: Jon Mason <jon.mason@arm.com>
If the repository reference directory gets corrupted it's not easy to
wipe it, so add a variable CI_CLEAN_REPOS that if set in the pipeline
will clean the clones and re-fetch them.
Also, stop the fetch from detaching during the garbage collection, just
in case it was a long-running GC that got killed that caused the
corruption in the first place.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The infrastructure for edk2 and fvp-base is already present, but not
being used. Make the changes to get it compiling cleanly, and add it to
CI.
Note: testing is not passing because edk2 isn't booting an image
Signed-off-by: Jon Mason <jon.mason@arm.com>
With the removal of fvp-base-arm32, we no longer have test coverage for
the external Arm toolchain. Add this to qemuarm-secureboot CI so that
there is coverage again. Note: it must be a 32bit machine, since there
are currently no aarch64 host toolchains for aarch64
Signed-off-by: Jon Mason <jon.mason@arm.com>
fvp-base-arm32 isn't a real machine and supporting it has become hacky.
Drop support and remove from meta-arm-bsp
Signed-off-by: Jon Mason <jon.mason@arm.com>
