[PATCH v3 07/11] CI: capsule: Setup the files needed for capsule update testing

Simon Glass sjg at chromium.org
Mon Jul 10 23:38:35 CEST 2023


Hi Sughosh,

On Sun, 9 Jul 2023 at 07:34, Sughosh Ganu <sughosh.ganu at linaro.org> wrote:
>
> Support has been added through earlier commits to build capsules
> and embed the public key needed for capsule authentication as part of
> u-boot build.
>
> From the testing point-of-view, this means the input files needed for
> generating the above have to be set up before invoking the build. Set
> this up in the CI configuration files for testing the capsule update
> feature.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
> ---
> Changes since V2:
> * New patch setting up the capsule files needed for CI run
>
>  .azure-pipelines.yml | 21 +++++++++++++++++++++
>  .gitlab-ci.yml       | 19 +++++++++++++++++++
>  2 files changed, 40 insertions(+)
>
> diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> index 96b2ab4d75..75075bbd07 100644
> --- a/.azure-pipelines.yml
> +++ b/.azure-pipelines.yml
> @@ -398,6 +398,17 @@ stages:
>                wget -O - https://github.com/riscv/opensbi/releases/download/v0.9/opensbi-0.9-rv-bin.tar.xz | tar -C /tmp -xJ;
>                export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
>            fi
> +          mkdir -p /tmp/capsules/;
> +          echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> +          echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> +          echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> +          echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> +          if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
> +              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> +              openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> +              cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +          fi
> +

Should we put these in a file instead? Or perhaps add this to the
Dockerfile? It seems a shame to run this on every build...even though
I see we get the opensbi on every build too...

+Tom Rini

>            # the below corresponds to .gitlab-ci.yml "script"
>            cd ${WORK_DIR}
>            export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
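
Review bot: Both `openssl req` lines in the sandbox branch use the same subject, `/CN=TEST_SIGNER/`, so SIGNER.crt and SIGNER2.crt cannot be told apart by subject when a signature check fails in a test log, and nothing here says what the second key pair is for, given that only SIGNER.crt is passed to `cert-to-efi-sig-list`. Suggest `-subj /CN=TEST_SIGNER2/` for the second certificate and a one-line comment stating the role of each pair. The four `echo -n` payload files are also created for every board while the keys are sandbox-only; if the payloads are only consumed by the sandbox tests, they belong inside the same `if`.
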
> @@ -582,6 +593,16 @@ stages:
>            cd ${WORK_DIR}
>            # make environment variables available as tests are running inside a container
>            export BUILDMAN="${BUILDMAN}"
> +          if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox x86" ]]; then
> +              if [ ! -d "/tmp/capsules/" ]; then
> +                  mkdir -p /tmp/capsules/;
> +                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -n
> +odes -days 365;
> +                  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt
> +-nodes -days 365;
> +                  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +              fi
> +          fi
>            git config --global --add safe.directory ${WORK_DIR}
>            EOF
>            cat << "EOF" >> build.sh
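
Review bot: The inner guard `if [ ! -d "/tmp/capsules/" ]` tests for the directory, not for the files the build needs. If /tmp/capsules already exists without SIGNER.esl (for example after an `openssl` run that failed once `mkdir -p` had succeeded, or after a step that wrote only the `echo -n` payload files, should the two steps ever share /tmp), key generation is skipped silently. Testing for the artifact, e.g. `[ ! -f /tmp/capsules/SIGNER.esl ]`, and keeping `mkdir -p` unconditional would be more robust. The outer test also matches `"sandbox x86"` as an exact string, so a comment on why only these two BUILDMAN values need the keys would help.
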
> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> index e6c6ab3586..577eebd678 100644
> --- a/.gitlab-ci.yml
> +++ b/.gitlab-ci.yml
> @@ -37,6 +37,17 @@ stages:
>          export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
>        fi
>
> +    - mkdir -p /tmp/capsules/;
> +    - echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> +    - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> +    - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> +    - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> +    - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
> +       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
> +       openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
> +       cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +      fi
> +
>    after_script:
>      - cp -v /tmp/${TEST_PY_BD}/*.{html,css} .
>      - rm -rf /tmp/uboot-test-hooks /tmp/venv
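
Review bot: The `after_script` context lines remove /tmp/uboot-test-hooks and /tmp/venv, but the new /tmp/capsules directory, which holds the unencrypted (`-nodes`) SIGNER.key and SIGNER2.key, is left behind. On a runner that keeps /tmp between jobs, a later job would pick up stale keys and payload files. Suggest adding /tmp/capsules to the `rm -rf` line, or generating into a per-job directory. Minor: the trailing `;` on single-command list items such as `- mkdir -p /tmp/capsules/;` is not needed in a YAML script list.
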
> @@ -131,6 +142,14 @@ build all other platforms:
>    stage: world build
>    script:
>      - ret=0;
> +      if [ ! -d "/tmp/capsules/" ]; then
> +        mkdir -p /tmp/capsules/;
> +        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days
> + 365;
> +        openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -da
> +ys 365;
> +        cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
> +      fi
>        git config --global --add safe.directory "${CI_PROJECT_DIR}";
>        ./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?;
>        if [[ $ret -ne 0 ]]; then
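
Review bot: The block added after `ret=0;` is the fourth copy in this patch of the same two `openssl req` commands and `cert-to-efi-sig-list` call, and the copies already differ: the test.py jobs gate on TEST_PY_BD with no directory check, while this one gates only on `[ ! -d "/tmp/capsules/" ]`. A single helper script in the tree, called from each job, would keep key parameters such as `rsa:2048` and `-days 365` in one place. The exit status of these commands is also not folded into `ret` the way the buildman status is (`|| ret=$?`), so it is worth stating whether a key-generation failure should fail the job here or surface later in the build.
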
> --
> 2.34.1
>

Regards,
Simon

