Commit 7aa1c87d authored by Fabio Utzig's avatar Fabio Utzig Committed by Fabio Utzig

ci: add FIH hardening tests to workflows



Add workflows to run FIH tests using GH actions. Update scripts to add
parsing of FIH parameters from an env matrix and disable docker caching
when running on GH.

Signed-off-by: default avatarFabio Utzig <utzig@apache.org>
parent 712fdb5a
+49 −0
on:
  push:
    branches:
      - main
  pull_request:

name: FIH hardening

jobs:
  config:
    strategy:
      matrix:
        fih_env:
        # FIH environment must use the following space separated format:
        #   BUILD_TYPE SKIP_SIZE DAMAGE_TYPE FIH_LEVEL(optional)
        - "RELEASE 2,4,6,8,10 SIGNATURE"
        - "RELEASE 2,4,6,8,10 SIGNATURE LOW"
        - "RELEASE 2,4,6,8,10 SIGNATURE MEDIUM"
        - "MINSIZEREL 2,4,6 SIGNATURE"
        - "MINSIZEREL 2,4,6 SIGNATURE LOW"
        - "MINSIZEREL 2,4,6 SIGNATURE MEDIUM"
        - "MINSIZEREL 8,10 SIGNATURE"
        - "MINSIZEREL 8,10 SIGNATURE LOW"
        - "MINSIZEREL 8,10 SIGNATURE MEDIUM"
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
        # Uses Mbed TLS from TFM, and nothing else from here.
        submodules: false
    - name: Print the environment
      run: |
        uname -a
        lscpu
        free
        pwd
    - name: Signed commit check
      if: ${{ github.event_name == 'pull_request' }}
      run: |
        ./ci/check-signed-off-by.sh
    - name: FIH hardening test install
      run: |
        ./ci/fih-tests_install.sh
    - name: FIH hardening test run
      env:
        FIH_ENV: ${{ matrix.fih_env }}
      run: |
        ./ci/fih-tests_run.sh
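Review bot: The workflow declares no `permissions:` block, so the `./ci/*.sh` steps and the Docker-based tests run with whatever default GITHUB_TOKEN scope the repository has, which on `push` to `main` may include write access. Nothing in these steps appears to need more than a read-only checkout, so a top-level `permissions:` with `contents: read`, plus `persist-credentials: false` under the checkout step's `with:`, would keep the token out of the work tree that the later steps use. Separately, `actions/checkout@v2` is a mutable tag; pinning it to a full commit SHA (`actions/checkout@<full-commit-sha>`) fixes the action code this job executes.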
+4 −2
@@ -26,5 +26,7 @@ CACHED_IMAGE=$DOCKER_DIR/$IMAGE

if [[ $? -ne 0 ]]; then
    docker pull mcuboot/$IMAGE
    if [[ $GITHUB_ACTIONS != true ]]; then
        docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE
    fi
fi
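Review bot: `docker pull mcuboot/$IMAGE` references the image by name only, and with the cache skipped under `$GITHUB_ACTIONS` every GitHub run executes whatever that reference resolves to at pull time. Pinning the image by digest, e.g. `docker pull mcuboot/$IMAGE@sha256:<digest-placeholder>` (adjusted if `$IMAGE` already carries a tag), would make the test environment reproducible and make an unexpected image change visible as a diff. The expansions `$IMAGE` and `$CACHED_IMAGE` are also unquoted, and `docker save … | gzip > $CACHED_IMAGE` reports only gzip's exit status unless `pipefail` is set elsewhere in the script, so a failed save could leave a truncated cache file. The outer `if [[ $? -ne 0 ]]` tests a command that lies before this hunk.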
+22 −0
@@ -22,6 +22,28 @@ pushd .. &&\
   git checkout TF-Mv1.4.0 &&\
   popd

if [[ $GITHUB_ACTIONS == true ]]; then
    if [[ -z $FIH_ENV ]]; then
        echo "Workflow has found no \$FIH_ENV"
        exit 1
    fi

    args=($FIH_ENV)
    len=${#args[@]}
    if [[ $len < 3 ]]; then
        echo "Invalid number of \$FIH_ENV args"
        exit 1
    fi

    BUILD_TYPE=${args[0]}
    SKIP_SIZE=${args[1]}
    DAMAGE_TYPE=${args[2]}

    if [[ $len > 3 ]]; then
        FIH_LEVEL=${args[3]}
    fi
fi

if test -z "$FIH_LEVEL"; then
    docker run --rm -v $(pwd):/root/work/tfm:rw,z mcuboot/fih-test /bin/sh -c '/root/work/tfm/mcuboot/ci/fih_test_docker/execute_test.sh $0 $1 $2' $SKIP_SIZE $BUILD_TYPE $DAMAGE_TYPE
else