diff mbox series

[v4,08/12] CI: capsule: Setup the files needed for capsule update testing

Message ID 20230715134533.2025893-9-sughosh.ganu@linaro.org
State Superseded
Delegated to: Tom Rini
Headers show
Series Integrate EFI capsule tasks into u-boot's build flow | expand

Commit Message

Sughosh Ganu July 15, 2023, 1:45 p.m. UTC 
Support has being added through earlier commits to build capsules
and embed the public key needed for capsule authentication as part of
u-boot build.

From the testing point-of-view, this means the input files needed for
generating the above have to be setup before invoking the build. Set
this up in the CI configuration files for testing the capsule update
feature.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since V3:
* Remove whitespace in the command to generate capsule keys.

 .azure-pipelines.yml | 24 ++++++++++++++++++++++++
 .gitlab-ci.yml       | 22 ++++++++++++++++++++++
 2 files changed, 46 insertions(+)

Comments

Simon Glass July 15, 2023, 11:40 p.m. UTC | #1 
Hi,

On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> Support has being added through earlier commits to build capsules
> and embed the public key needed for capsule authentication as part of
> u-boot build.
>
> From the testing point-of-view, this means the input files needed for
> generating the above have to be setup before invoking the build. Set
> this up in the CI configuration files for testing the capsule update
> feature.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> Changes since V3:
> * Remove whitespace in the command to generate capsule keys.
>
>  .azure-pipelines.yml | 24 ++++++++++++++++++++++++
>  .gitlab-ci.yml       | 22 ++++++++++++++++++++++

Can you add this to the Dockerfile instead? It looks like this will
run on each build.

>  2 files changed, 46 insertions(+)
>
> diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> index 06c46b681c..d732ba443d 100644
> --- a/.azure-pipelines.yml
> +++ b/.azure-pipelines.yml
> @@ -398,6 +398,17 @@ stages:
>                wget -O - https://github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz | tar -C /tmp -xJ;
>                export OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
>            fi
> +          mkdir -p /tmp/capsules/;
> +          echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> +          echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> +          echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> +          echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> +          if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
> +              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> +              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> +              cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +          fi
> +
>            # the below corresponds to .gitlab-ci.yml "script"
>            cd ${WORK_DIR}
>            export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
> @@ -582,6 +593,19 @@ stages:
>            cd ${WORK_DIR}
>            # make environment variables available as tests are running inside a container
>            export BUILDMAN="${BUILDMAN}"
> +          if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox x86" ]]; then
> +              if [ ! -d "/tmp/capsules/" ]; then
> +                  mkdir -p /tmp/capsules/;
> +                  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> +                  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> +                  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> +                  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> +
> +                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> +                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> +                  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +              fi
> +          fi
>            git config --global --add safe.directory ${WORK_DIR}
>            EOF
>            cat << "EOF" >> build.sh
> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> index cfd58513c3..aec6ffaf1c 100644
> --- a/.gitlab-ci.yml
> +++ b/.gitlab-ci.yml
> @@ -37,6 +37,17 @@ stages:
>          export OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
>        fi
>
> +    - mkdir -p /tmp/capsules/;
> +    - echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> +    - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> +    - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> +    - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> +    - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
> +       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> +       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> +       cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +      fi
> +
>    after_script:
>      - cp -v /tmp/${TEST_PY_BD}/*.{html,css} .
>      - rm -rf /tmp/uboot-test-hooks /tmp/venv
> @@ -131,6 +142,17 @@ build all other platforms:
>    stage: world build
>    script:
>      - ret=0;
> +      if [ ! -d "/tmp/capsules/" ]; then
> +        mkdir -p /tmp/capsules/;
> +        echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> +        echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> +        echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> +        echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> +
> +        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> +        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> +        cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +      fi
>        git config --global --add safe.directory "${CI_PROJECT_DIR}";
>        ./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?;
>        if [[ $ret -ne 0 ]]; then
> --
> 2.34.1
>

Regards,
Simon
Sughosh Ganu July 17, 2023, 11:18 a.m. UTC | #2 
hi Simon,

On Sun, 16 Jul 2023 at 05:12, Simon Glass <sjg@chromium.org> wrote:
>
> Hi,
>
> On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> >
> > Support has being added through earlier commits to build capsules
> > and embed the public key needed for capsule authentication as part of
> > u-boot build.
> >
> > From the testing point-of-view, this means the input files needed for
> > generating the above have to be setup before invoking the build. Set
> > this up in the CI configuration files for testing the capsule update
> > feature.
> >
> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > ---
> > Changes since V3:
> > * Remove whitespace in the command to generate capsule keys.
> >
> >  .azure-pipelines.yml | 24 ++++++++++++++++++++++++
> >  .gitlab-ci.yml       | 22 ++++++++++++++++++++++
>
> Can you add this to the Dockerfile instead? It looks like this will
> run on each build.

Okay. Let me try this out.

-sughosh

>
> >  2 files changed, 46 insertions(+)
> >
> > diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> > index 06c46b681c..d732ba443d 100644
> > --- a/.azure-pipelines.yml
> > +++ b/.azure-pipelines.yml
> > @@ -398,6 +398,17 @@ stages:
> >                wget -O - https://github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz | tar -C /tmp -xJ;
> >                export OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
> >            fi
> > +          mkdir -p /tmp/capsules/;
> > +          echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> > +          echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> > +          echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> > +          echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +          if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
> > +              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> > +              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > +              cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> > +          fi
> > +
> >            # the below corresponds to .gitlab-ci.yml "script"
> >            cd ${WORK_DIR}
> >            export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
> > @@ -582,6 +593,19 @@ stages:
> >            cd ${WORK_DIR}
> >            # make environment variables available as tests are running inside a container
> >            export BUILDMAN="${BUILDMAN}"
> > +          if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox x86" ]]; then
> > +              if [ ! -d "/tmp/capsules/" ]; then
> > +                  mkdir -p /tmp/capsules/;
> > +                  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> > +                  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> > +                  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> > +                  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +
> > +                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> > +                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > +                  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> > +              fi
> > +          fi
> >            git config --global --add safe.directory ${WORK_DIR}
> >            EOF
> >            cat << "EOF" >> build.sh
> > diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> > index cfd58513c3..aec6ffaf1c 100644
> > --- a/.gitlab-ci.yml
> > +++ b/.gitlab-ci.yml
> > @@ -37,6 +37,17 @@ stages:
> >          export OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
> >        fi
> >
> > +    - mkdir -p /tmp/capsules/;
> > +    - echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> > +    - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> > +    - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> > +    - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +    - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
> > +       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> > +       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > +       cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> > +      fi
> > +
> >    after_script:
> >      - cp -v /tmp/${TEST_PY_BD}/*.{html,css} .
> >      - rm -rf /tmp/uboot-test-hooks /tmp/venv
> > @@ -131,6 +142,17 @@ build all other platforms:
> >    stage: world build
> >    script:
> >      - ret=0;
> > +      if [ ! -d "/tmp/capsules/" ]; then
> > +        mkdir -p /tmp/capsules/;
> > +        echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> > +        echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> > +        echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> > +        echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +
> > +        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> > +        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > +        cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> > +      fi
> >        git config --global --add safe.directory "${CI_PROJECT_DIR}";
> >        ./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?;
> >        if [[ $ret -ne 0 ]]; then
> > --
> > 2.34.1
> >
>
> Regards,
> Simon
diff mbox series

Patch

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index 06c46b681c..d732ba443d 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -398,6 +398,17 @@  stages:
               wget -O - https://github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz | tar -C /tmp -xJ;
               export OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
           fi
+          mkdir -p /tmp/capsules/;
+          echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+          echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+          echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+          echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+          if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
+              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+              cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+          fi
+
           # the below corresponds to .gitlab-ci.yml "script"
           cd ${WORK_DIR}
           export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
@@ -582,6 +593,19 @@  stages:
           cd ${WORK_DIR}
           # make environment variables available as tests are running inside a container
           export BUILDMAN="${BUILDMAN}"
+          if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox x86" ]]; then
+              if [ ! -d "/tmp/capsules/" ]; then
+                  mkdir -p /tmp/capsules/;
+                  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+                  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+                  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+                  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+
+                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+                  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+              fi
+          fi
           git config --global --add safe.directory ${WORK_DIR}
           EOF
           cat << "EOF" >> build.sh
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cfd58513c3..aec6ffaf1c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -37,6 +37,17 @@  stages:
         export OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
       fi
 
+    - mkdir -p /tmp/capsules/;
+    - echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+    - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+    - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+    - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+    - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
+       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+       cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+      fi
+
   after_script:
     - cp -v /tmp/${TEST_PY_BD}/*.{html,css} .
     - rm -rf /tmp/uboot-test-hooks /tmp/venv
@@ -131,6 +142,17 @@  build all other platforms:
   stage: world build
   script:
     - ret=0;
+      if [ ! -d "/tmp/capsules/" ]; then
+        mkdir -p /tmp/capsules/;
+        echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+        echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+        echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+        echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+
+        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+        cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+      fi
       git config --global --add safe.directory "${CI_PROJECT_DIR}";
       ./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?;
       if [[ $ret -ne 0 ]]; then