Message ID | 20230709133326.1015483-8-sughosh.ganu@linaro.org |
---|---|
State | Superseded |
Series | Integrate EFI capsule tasks into u-boot's build flow |
Hi Sughosh,

On Sun, 9 Jul 2023 at 07:34, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> Support has been added through earlier commits to build capsules
> and embed the public key needed for capsule authentication as part of
> u-boot build.
>
> From the testing point-of-view, this means the input files needed for
> generating the above have to be set up before invoking the build. Set
> this up in the CI configuration files for testing the capsule update
> feature.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> Changes since V2:
> * New patch setting up the capsule files needed for CI run
>
> .azure-pipelines.yml | 21 +++++++++++++++++++++
> .gitlab-ci.yml | 19 +++++++++++++++++++
> 2 files changed, 40 insertions(+)
>
> diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml > index 96b2ab4d75..75075bbd07 100644 > --- a/.azure-pipelines.yml > +++ b/.azure-pipelines.yml
> @@ -398,6 +398,17 @@ stages: > wget -O - https://github.com/riscv/opensbi/releases/download/v0.9/opensbi-0.9-rv-bin.tar.xz | tar -C /tmp -xJ; > export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin; > fi > + mkdir -p /tmp/capsules/; > + echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old; > + echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new; > + echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old; > + echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new; > + if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365; > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365; > + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; > + fi > + Should we put these in a file instead? Or perhaps add this to the Dockerfile? It seems a shame to run this on every build...even though I see we get the opensbi on every build too... +Tom Rini > # the below corresponds to .gitlab-ci.yml "script" > cd ${WORK_DIR} > export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD}; 
> @@ -582,6 +593,16 @@ stages: > cd ${WORK_DIR} > # make environment variables available as tests are running inside a container > export BUILDMAN="${BUILDMAN}" > + if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox x86" ]]; then > + if [ ! -d "/tmp/capsules/" ]; then > + mkdir -p /tmp/capsules/; > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -n > +odes -days 365; > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt > +-nodes -days 365; > + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; > + fi > + fi > git config --global --add safe.directory ${WORK_DIR} > EOF > cat << "EOF" >> build.sh > diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml > index e6c6ab3586..577eebd678 100644 > --- a/.gitlab-ci.yml > +++ b/.gitlab-ci.yml > @@ -37,6 +37,17 @@ stages: > export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin; > fi > > + - mkdir -p /tmp/capsules/; > + - echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old; > + - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new; > + - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old; > + - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new; > + - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365; > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365; > + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; > + fi > + > after_script: > - cp -v /tmp/${TEST_PY_BD}/*.{html,css} . > - rm -rf /tmp/uboot-test-hooks /tmp/venv 
> @@ -131,6 +142,14 @@ build all other platforms: > stage: world build > script: > - ret=0; > + if [ ! -d "/tmp/capsules/" ]; then > + mkdir -p /tmp/capsules/; > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days > + 365; > + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -da > +ys 365; > + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; > + fi > git config --global --add safe.directory "${CI_PROJECT_DIR}"; > ./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?; > if [[ $ret -ne 0 ]]; then > -- > 2.34.1 > Regards, Simon
diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index 96b2ab4d75..75075bbd07 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml @@ -398,6 +398,17 @@ stages: wget -O - https://github.com/riscv/opensbi/releases/download/v0.9/opensbi-0.9-rv-bin.tar.xz | tar -C /tmp -xJ; export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin; fi + mkdir -p /tmp/capsules/; + echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old; + echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new; + echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old; + echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new; + if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365; + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365; + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; + fi + # the below corresponds to .gitlab-ci.yml "script" cd ${WORK_DIR} export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD}; @@ -582,6 +593,16 @@ stages: cd ${WORK_DIR} # make environment variables available as tests are running inside a container export BUILDMAN="${BUILDMAN}" + if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox x86" ]]; then + if [ ! -d "/tmp/capsules/" ]; then + mkdir -p /tmp/capsules/; + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -n +odes -days 365; + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt +-nodes -days 365; + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; + fi + fi git config --global --add safe.directory ${WORK_DIR} EOF cat << "EOF" >> build.sh 
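Review bot: In the `@@ -398,6 +398,17 @@` hunk of .azure-pipelines.yml, a second key pair (SIGNER2.key / SIGNER2.crt) is generated but only SIGNER.crt is passed to `cert-to-efi-sig-list`, and nothing in the hunk says why. If SIGNER2 is meant to be the signer that is absent from the embedded signature list, a one-line comment saying so would help, along with a note that these `-nodes` keys under /tmp/capsules are throwaway test keys. The three commands are also chained with `;`, so unless the script runs with errexit a failed `openssl req` or a missing `cert-to-efi-sig-list` binary would only surface later as a build failure; joining them with `&&` would fail at the source.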
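Review bot: In the `@@ -582,6 +593,16 @@` hunk of .azure-pipelines.yml, both `openssl req` commands are broken across two added lines in the middle of their argument lists: the first ends in `-n` with `odes -days 365;` on the following line, and the second ends at `SIGNER2.crt` with `-nodes -days 365;` on the following line. This text appears to sit inside a heredoc (an `EOF` terminator follows in the context), so the generated script would run `openssl req` with a truncated option and then try to execute `odes` and `-nodes` as separate commands. Each command should be on a single line, or continued with a trailing backslash.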
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e6c6ab3586..577eebd678 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -37,6 +37,17 @@ stages: export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin; fi + - mkdir -p /tmp/capsules/; + - echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old; + - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new; + - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old; + - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new; + - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365; + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365; + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; + fi + after_script: - cp -v /tmp/${TEST_PY_BD}/*.{html,css} . - rm -rf /tmp/uboot-test-hooks /tmp/venv @@ -131,6 +142,14 @@ build all other platforms: stage: world build script: - ret=0; + if [ ! -d "/tmp/capsules/" ]; then + mkdir -p /tmp/capsules/; + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days + 365; + openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -da +ys 365; + cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl; + fi git config --global --add safe.directory "${CI_PROJECT_DIR}"; ./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?; if [[ $ret -ne 0 ]]; then
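Review bot: In the `@@ -37,6 +37,17 @@` hunk of .gitlab-ci.yml, /tmp/capsules is populated with unencrypted private keys, but the `after_script` visible in the trailing context (`rm -rf /tmp/uboot-test-hooks /tmp/venv`) does not remove it. On a runner that keeps /tmp between jobs, the keys and dummy payload files would persist into later jobs. Adding /tmp/capsules to that `rm -rf` would keep each job self-contained.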
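Review bot: In the `@@ -131,6 +142,14 @@` hunk of .gitlab-ci.yml, the two `openssl req` commands are wrapped inside the `-days 365` argument: the first puts `365;` on its own added line, and the second is split inside the option name (`-da` / `ys 365;`), which cannot be read back as `-days` however the YAML scalar joins the lines. Each command should be on one line, as in the `@@ -37` hunk. The `[ ! -d "/tmp/capsules/" ]` guard also skips key generation whenever the directory already exists, for example when an earlier job on the same runner created only the dummy payload files there; testing for /tmp/capsules/SIGNER.esl itself would avoid that.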
Support has been added through earlier commits to build capsules and embed the public key needed for capsule authentication as part of u-boot build.

From the testing point-of-view, this means the input files needed for generating the above have to be set up before invoking the build. Set this up in the CI configuration files for testing the capsule update feature.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>

---
Changes since V2:
* New patch setting up the capsule files needed for CI run

.azure-pipelines.yml | 21 +++++++++++++++++++++
.gitlab-ci.yml | 19 +++++++++++++++++++
2 files changed, 40 insertions(+)