mirror of
https://git.yoctoproject.org/meta-arm
synced 2026-01-11 15:00:39 +00:00
847fd39b25
Encapsulate all UEFI Secure Boot required settings in one Kas configuration file. Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated to sign UEFI binaries. Introduce uefi-secureboot machine feature, which is being used to conditionally set the proper UEFI settings in recipes. Replace Grub bootloader with systemd-boot, which it makes easier to enable Secure Boot. Advantages using systemd as Init Manager: - Extending secure boot to userspace is a lot easier with systemd than with sysvinit where custom scripts will need to be written for all use cases. - systemd supports dm-verity and TPM devices for encryption usecases out of the box. Enabling them is a lot easier than writing custom scripts for sysvinit. - systemd also supports EUFI signing the UKI binaries which merge kernel, command line and initrd which helps in bringing secure boot towards rootfs. - systemd offers a modular structure with unit files that are more predictable and easier to manage than the complex and varied scripts used by SysVinit. This modularity allows for better control and customization of the boot process, which is beneficial in Secure Boot environments. - Add CI settings to build and test UEFI Secure Boot. Add one test to verify Secure Boot using OE Testing infraestructure: $ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml ... RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s) ... SUMMARY: core-image-base () - Ran 73 tests in 28.281s core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0) Signed-off-by: Javier Tia <javier.tia@linaro.org> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix] Signed-off-by: Jon Mason <jon.mason@arm.com>
348 lines
9.7 KiB
YAML
348 lines
9.7 KiB
YAML
image: ${MIRROR_GHCR}/siemens/kas/kas:4.4
|
|
|
|
variables:
|
|
# These are needed as the k8s executor doesn't respect the container
|
|
# entrypoint by default
|
|
FF_KUBERNETES_HONOR_ENTRYPOINT: 1
|
|
FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: 0
|
|
# The default value for KUBERNETES_CPU_REQUEST
|
|
CPU_REQUEST: ""
|
|
# The default machine tag for the build jobs
|
|
DEFAULT_TAG: ""
|
|
# The machine tag for the ACS test jobs
|
|
ACS_TAG: ""
|
|
# The directory to use as the persistent cache (the root for DL_DIR, SSTATE_DIR, etc)
|
|
CACHE_DIR: $CI_BUILDS_DIR/persist
|
|
# The container mirror to use
|
|
MIRROR_GHCR: ghcr.io
|
|
# Whether to run the SystemReady ACS tests
|
|
ACS_TEST: 0
|
|
# The list of extra Kas fragments to be used when building
|
|
EXTRA_KAS_FILES: ""
|
|
# The NVD API key to use when fetching CVEs
|
|
NVDCVE_API_KEY: ""
|
|
|
|
stages:
|
|
- prep
|
|
- build
|
|
|
|
# Common job fragment to get a worker ready
|
|
.setup:
|
|
tags:
|
|
- $DEFAULT_TAG
|
|
stage: build
|
|
interruptible: true
|
|
variables:
|
|
KAS_WORK_DIR: $CI_PROJECT_DIR/work
|
|
KAS_BUILD_DIR: $KAS_WORK_DIR/build
|
|
KAS_REPO_REF_DIR: $CACHE_DIR/repos
|
|
SSTATE_DIR: $CACHE_DIR/sstate
|
|
DL_DIR: $CACHE_DIR/downloads
|
|
BB_LOGCONFIG: $CI_PROJECT_DIR/ci/logging.yml
|
|
TOOLCHAIN_DIR: $CACHE_DIR/toolchains
|
|
IMAGE_DIR: $KAS_BUILD_DIR/tmp/deploy/images
|
|
TOOLCHAIN_LINK_DIR: $KAS_BUILD_DIR/toolchains
|
|
before_script:
|
|
- echo KAS_WORK_DIR = $KAS_WORK_DIR
|
|
- echo SSTATE_DIR = $SSTATE_DIR
|
|
- echo DL_DIR = $DL_DIR
|
|
- rm -rf $KAS_WORK_DIR
|
|
- mkdir --verbose --parents $KAS_WORK_DIR $KAS_REPO_REF_DIR $SSTATE_DIR $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
|
|
# Must do this here, as it's the only way to make sure the toolchain is installed on the same builder
|
|
- ./ci/get-binary-toolchains $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
|
|
|
|
# Generalised fragment to do a Kas build
|
|
.build:
|
|
extends: .setup
|
|
variables:
|
|
KUBERNETES_CPU_REQUEST: $CPU_REQUEST
|
|
rules:
|
|
# Don't run MR pipelines
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
|
when: never
|
|
# Don't run pipelines for tags
|
|
- if: $CI_COMMIT_TAG
|
|
when: never
|
|
# Don't run if BUILD_ENABLE_REGEX is set, but the job doesn't match the regex
|
|
- if: '$BUILD_ENABLE_REGEX != null && $CI_JOB_NAME !~ $BUILD_ENABLE_REGEX'
|
|
when: never
|
|
# Allow the dev kernels to fail and not fail the overall build
|
|
- if: '$KERNEL == "linux-yocto-dev"'
|
|
allow_failure: true
|
|
# Catch all for everything else
|
|
- if: '$KERNEL != "linux-yocto-dev"'
|
|
script:
|
|
- KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME" $EXTRA_KAS_FILES):lockfile.yml
|
|
- echo KASFILES=$KASFILES
|
|
- kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES
|
|
- kas build $KASFILES
|
|
- ./ci/check-warnings $KAS_BUILD_DIR/warnings.log
|
|
- kas shell ci/base.yml:lockfile.yml --command "$CI_PROJECT_DIR/ci/junit.sh $KAS_WORK_DIR/build"
|
|
|
|
artifacts:
|
|
name: "logs"
|
|
when: always
|
|
paths:
|
|
- $KAS_BUILD_DIR/tmp*/work*/**/temp/log.do_*.*
|
|
- $KAS_BUILD_DIR/tmp*/work*/**/testimage/*
|
|
reports:
|
|
junit: $KAS_BUILD_DIR/tmp/log/oeqa/junit.xml
|
|
|
|
#
|
|
# Prep stage, update repositories once.
|
|
# Set the CI variable CI_CLEAN_REPOS=1 to refetch the respositories from scratch
|
|
#
|
|
update-repos:
|
|
extends: .setup
|
|
stage: prep
|
|
allow_failure:
|
|
exit_codes: 128
|
|
script:
|
|
- |
|
|
flock --verbose --timeout 60 $KAS_REPO_REF_DIR ./ci/update-repos
|
|
# Only generate if doesn't already exist, to allow feature branches to drop one in.
|
|
if test -f lockfile.yml; then
|
|
echo Using existing lockfile.yml
|
|
else
|
|
# Be sure that this is the complete list of layers being fetched
|
|
kas dump --lock --update ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/clang.yml:ci/meta-virtualization.yml | tee lockfile.yml
|
|
fi
|
|
artifacts:
|
|
name: "lockfile"
|
|
paths:
|
|
- lockfile.yml
|
|
|
|
#
|
|
# Build stage, the actual build jobs
|
|
#
|
|
# Available options for building are
|
|
# DISTRO: [poky, poky-altcfg, poky-tiny]
|
|
# KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
|
|
# TOOLCHAINS: [gcc, clang, external-gccarm]
|
|
# TCLIBC: [glibc, musl]
|
|
# FIRMWARE: [u-boot, edk2]
|
|
# TS: [none, trusted-services]
|
|
# VIRT: [none, xen]
|
|
# TESTING: testimage
|
|
# SECUREDEBUG: [none, secure-debug]
|
|
|
|
arm-systemready-ir-acs:
|
|
extends: .build
|
|
timeout: 12h
|
|
parallel:
|
|
matrix:
|
|
# arm-systemready-ir-acs must be specified after fvp-base for ordering
|
|
# purposes for the jobs-to-kas output. It is not enough to just have it
|
|
# in the job name because fvp-base.yml overwrites the target.
|
|
- PLATFORM: [fvp-base, corstone1000-fvp]
|
|
ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
|
|
tags:
|
|
- ${ACS_TAG}
|
|
|
|
# Validate layers are Yocto Project Compatible
|
|
check-layers:
|
|
extends: .setup
|
|
script:
|
|
- kas shell --update --force-checkout ci/base.yml:ci/meta-openembedded.yml:lockfile.yml --command \
|
|
"yocto-check-layer-wrapper $CI_PROJECT_DIR/$LAYER --dependency $CI_PROJECT_DIR/meta-* $KAS_WORK_DIR/meta-openembedded/meta-oe --no-auto-dependency"
|
|
parallel:
|
|
matrix:
|
|
- LAYER: [meta-arm, meta-arm-bsp, meta-arm-toolchain]
|
|
|
|
corstone1000-fvp:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- FIRMWARE: corstone1000-firmware-only
|
|
TESTING: [testimage, tftf]
|
|
- FIRMWARE: none
|
|
TESTING: testimage
|
|
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
|
|
|
|
corstone1000-mps3:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- FIRMWARE: corstone1000-firmware-only
|
|
TESTING: [none, tftf]
|
|
- FIRMWARE: none
|
|
SECUREDEBUG: [none, secure-debug]
|
|
|
|
documentation:
|
|
extends: .setup
|
|
script:
|
|
- |
|
|
# This can be removed when the kas container has python3-venv installed
|
|
sudo apt-get update && sudo apt-get install --yes python3-venv
|
|
|
|
python3 -m venv venv
|
|
. ./venv/bin/activate
|
|
|
|
pip3 install -r meta-arm-bsp/documentation/requirements.txt
|
|
|
|
for CONF in meta-*/documentation/*/conf.py ; do
|
|
echo Building $CONF...
|
|
SOURCE_DIR=$(dirname $CONF)
|
|
MACHINE=$(basename $SOURCE_DIR)
|
|
sphinx-build -vW $SOURCE_DIR build-docs/$MACHINE
|
|
done
|
|
test -d build-docs/
|
|
artifacts:
|
|
paths:
|
|
- build-docs/
|
|
|
|
fvp-base:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- TS: [none, fvp-base-ts]
|
|
TESTING: testimage
|
|
- FIRMWARE: [u-boot, edk2]
|
|
TESTING: testimage
|
|
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
|
|
|
|
fvps:
|
|
extends: .build
|
|
|
|
genericarm64:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- TOOLCHAINS: [gcc, clang]
|
|
TESTING: testimage
|
|
- KERNEL: linux-yocto-dev
|
|
TESTING: testimage
|
|
|
|
juno:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- TOOLCHAINS: [gcc, clang]
|
|
FIRMWARE: [u-boot, edk2]
|
|
|
|
# What percentage of machines in the layer do we build
|
|
machine-coverage:
|
|
extends: .setup
|
|
script:
|
|
- ./ci/check-machine-coverage
|
|
coverage: '/Coverage: \d+/'
|
|
|
|
metrics:
|
|
extends: .setup
|
|
artifacts:
|
|
reports:
|
|
metrics: metrics.txt
|
|
script:
|
|
- kas shell --update --force-checkout ci/base.yml --command \
|
|
"$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"
|
|
|
|
musca-b1:
|
|
extends: .build
|
|
|
|
musca-s1:
|
|
extends: .build
|
|
|
|
pending-updates:
|
|
extends: .setup
|
|
artifacts:
|
|
paths:
|
|
- update-report
|
|
script:
|
|
- rm -fr update-report
|
|
# This configuration has all of the layers we need enabled
|
|
- kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
|
|
"$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
|
|
# Do this on x86 whilst the compilers are x86-only
|
|
tags:
|
|
- x86_64
|
|
|
|
qemuarm64-secureboot:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- KERNEL: [linux-yocto, linux-yocto-rt]
|
|
TOOLCHAINS: [gcc, clang]
|
|
TCLIBC: [glibc, musl]
|
|
TS: [none, qemuarm64-secureboot-ts]
|
|
UEFISB: [none, uefi-secureboot]
|
|
TESTING: testimage
|
|
- KERNEL: linux-yocto-dev
|
|
TESTING: testimage
|
|
|
|
qemuarm64:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- DISTRO: poky
|
|
KERNEL: [linux-yocto, linux-yocto-rt]
|
|
TOOLCHAINS: [gcc, clang]
|
|
FIRMWARE: [u-boot, edk2]
|
|
TESTING: testimage
|
|
- DISTRO: poky-tiny
|
|
TESTING: testimage
|
|
- VIRT: xen
|
|
- KERNEL: linux-yocto-dev
|
|
TESTING: testimage
|
|
|
|
qemuarm-secureboot:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- KERNEL: [linux-yocto, linux-yocto-rt]
|
|
TOOLCHAINS: [gcc, clang]
|
|
TCLIBC: [glibc, musl]
|
|
TESTING: testimage
|
|
- TOOLCHAINS: external-gccarm
|
|
TESTING: testimage
|
|
- KERNEL: linux-yocto-dev
|
|
TESTING: testimage
|
|
|
|
qemuarm:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- DISTRO: poky
|
|
KERNEL: [linux-yocto, linux-yocto-rt]
|
|
TOOLCHAINS: [gcc, clang]
|
|
FIRMWARE: [u-boot, edk2]
|
|
TESTING: testimage
|
|
- DISTRO: poky-tiny
|
|
TESTING: testimage
|
|
- VIRT: xen
|
|
- KERNEL: linux-yocto-dev
|
|
TESTING: testimage
|
|
|
|
qemuarmv5:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- DISTRO: poky
|
|
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
|
|
TESTING: testimage
|
|
- DISTRO: poky-tiny
|
|
TESTING: testimage
|
|
|
|
sbsa-ref:
|
|
extends: .build
|
|
parallel:
|
|
matrix:
|
|
- KERNEL: [linux-yocto, linux-yocto-rt]
|
|
TOOLCHAINS: [gcc, clang]
|
|
TESTING: testimage
|
|
- DISTRO: poky-altcfg
|
|
TESTING: testimage
|
|
- KERNEL: linux-yocto-dev
|
|
TESTING: testimage
|
|
|
|
selftest:
|
|
extends: .setup
|
|
script:
|
|
- KASFILES=./ci/qemuarm64.yml:./ci/selftest.yml:lockfile.yml
|
|
- kas shell --update --force-checkout $KASFILES -c 'oe-selftest --num-processes 2 --select-tag meta-arm --run-all-tests'
|
|
|
|
sgi575:
|
|
extends: .build
|
|
|
|
toolchains:
|
|
extends: .build
|