Introduce jammy-amd64-tf-a-build
With the latest LTS release of Ubuntu 22.04 (Jammy Jellyfish),
a docker image for TF-A should be made available.
This build replicates the bionic setup on jammy.
Notable changes:
* cppcheck upgraded from 1.8.1 to 2.7 due to compiler changes
* PyYAML upgraded from 3.1.2 to 6.0
* clang-tools-6.0 is no longer available from the distro so
install the default version
* python2 packages are no longer available, so the psutil module
is being installed via pip2 instead of apt
* python3-crypto has been removed due to CVE-2020-36242 and
replaced by pycryptodome installed via pip3
Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org>
Change-Id: Idb724683350482345e2543b23bfe41b769c0d350
diff --git a/jammy-amd64-tf-a-build/Dockerfile b/jammy-amd64-tf-a-build/Dockerfile
new file mode 100644
index 0000000..3f34daa
--- /dev/null
+++ b/jammy-amd64-tf-a-build/Dockerfile
@@ -0,0 +1,99 @@
+FROM ubuntu:jammy
+
+# Environment variables used by CI scripts
+ENV DEBIAN_FRONTEND=noninteractive
+ENV NVM_DIR=/usr/local/nvm
+ENV TOOLS_DIR=/home/buildslave/tools
+ENV PATH=${TOOLS_DIR}/bin:${PATH}
+ENV PLANTUML_JAR_PATH=/usr/share/plantuml/plantuml.jar
+ENV PKG_DEPS="\
+ bc \
+ bison \
+ build-essential \
+ clang-tools \
+ cpio \
+ curl \
+ default-jre \
+ device-tree-compiler \
+ doxygen \
+ exuberant-ctags \
+ file \
+ flex \
+ g++-multilib \
+ gcc-multilib \
+ gdisk \
+ git \
+ gnuplot \
+ graphviz \
+ jq \
+ lcov \
+ libffi-dev \
+ libyaml-dev \
+ libxml-libxml-perl \
+ lld \
+ locales \
+ openjdk-8-jdk \
+ openssh-server \
+ perl \
+ python3 \
+ python3-pycryptodome \
+ python3-dev \
+ python3-psutil \
+ python3-pyasn1 \
+ python3-venv \
+ python2.7 \
+ srecord \
+ sudo \
+ tree \
+ unzip \
+ util-linux \
+ uuid-runtime \
+ virtualenv \
+ wget \
+ zip \
+"
+
+# Can be overriden at build time
+ARG BUILDSLAVE_PASSWORD=buildslave
+
+COPY requirements_*.txt /opt/
+COPY tf-*.install /tmp/
+COPY setup-sshd /usr/sbin/setup-sshd
+
+RUN set -e ;\
+ echo 'locales locales/locales_to_be_generated multiselect C.UTF-8 UTF-8, en_US.UTF-8 UTF-8 ' | debconf-set-selections ;\
+ echo 'locales locales/default_environment_locale select en_US.UTF-8' | debconf-set-selections ;\
+ # Set Python 3 as default
+ ln -s -f /usr/bin/python3 /usr/bin/python ;\
+ # Set symlink for python2 if not present
+ [ -L /usr/bin/python2 ] || ln -s /usr/bin/python2.7 /usr/bin/python2;\
+ apt update -q=2 ;\
+ apt dist-upgrade -q=2 --yes ;\
+ apt install -q=2 --yes --no-install-recommends ${PKG_DEPS} ;\
+ curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash ;\
+ apt update -q=2 ;\
+ apt install -q=2 --yes --no-install-recommends git-lfs ;\
+ # Install Python requirements
+ curl -s https://bootstrap.pypa.io/pip/3.5/get-pip.py -o /tmp/get-pip.py ;\
+ python2 /tmp/get-pip.py ;\
+ pip2 install --no-cache-dir -r /opt/requirements_python2.txt ;\
+ python3 /tmp/get-pip.py ;\
+ pip3 install --no-cache-dir -r /opt/requirements_python3.txt ;\
+ # Setup buildslave user for Jenkins
+ useradd -m -s /bin/bash buildslave ;\
+ echo "buildslave:$BUILDSLAVE_PASSWORD" | chpasswd ;\
+ echo 'buildslave ALL = NOPASSWD: ALL' > /etc/sudoers.d/jenkins ;\
+ chmod 0440 /etc/sudoers.d/jenkins ;\
+ # FIXME: add /arm as a temporary workaround until ARM CI moves to Open CI paths
+ mkdir -p /var/run/sshd ${TOOLS_DIR} /arm ;\
+ # Run shell script(s) to install files, toolchains, etc...
+ bash -ex /tmp/tf-dependencies.install ;\
+ bash -ex /tmp/tf-environment.install ;\
+ # Fix permissions
+ chown -R buildslave:buildslave ${TOOLS_DIR} /usr/share/plantuml /nfs/downloads/linaro /arm ;\
+ # Cleanup
+ apt clean ;\
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+EXPOSE 22
+ENTRYPOINT ["/usr/sbin/setup-sshd"]
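Review bot: `ARG BUILDSLAVE_PASSWORD=buildslave` means every image built without an override has a publicly known password on an account that the same RUN grants `NOPASSWD: ALL` sudo, and that account is reachable through the sshd exposed on port 22. A build argument consumed in a RUN is also recorded in the image history, so even an overridden value can be read back by anyone who can pull the image. I would drop the default and pass the value as a BuildKit secret (`RUN --mount=type=secret,id=buildslave_password ...` with `echo "buildslave:$(cat /run/secrets/buildslave_password)" | chpasswd`), or lock the password with `passwd -l buildslave` and rely on the key that setup-sshd installs. Separately, the git-lfs `curl -s ... | bash` runs as root with no `-f` and no pipefail, so a failed or truncated download is either executed or silently ignored. Fetching with `curl -fsSL` to a file and verifying it before running would close that gap.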
diff --git a/jammy-amd64-tf-a-build/build.sh b/jammy-amd64-tf-a-build/build.sh
new file mode 100755
index 0000000..311ec46
--- /dev/null
+++ b/jammy-amd64-tf-a-build/build.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+trap cleanup_exit INT TERM EXIT
+
+cleanup_exit()
+{
+ rm -f *.list *.key
+}
+
+export LANG=C
+
+DISTRIBUTION=$(basename ${PWD} | cut -f1 -d '-')
+ARCHITECTURE=$(basename ${PWD} | cut -f2 -d '-')
+PROJECT=$(basename ${PWD} | cut -f3 -d '-')-$(basename ${PWD} | cut -f4 -d '-')
+
+cp -a ../setup-sshd .
+
+image=trustedfirmware/ci-${ARCHITECTURE}-${PROJECT}-ubuntu:${DISTRIBUTION}${DOCKER_SUFFIX}
+docker build --pull --no-cache --tag=$image .
+echo $image > .docker-tag
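Review bot: `cp -a ../setup-sshd .` overwrites the `setup-sshd` that this same commit adds to the directory (assuming the parent copy exists), so the reviewed in-directory file is never what gets built and the two can drift apart unnoticed. Keep a single source of truth by dropping either the committed copy or the `cp`. The `docker build` line passes no `--build-arg BUILDSLAVE_PASSWORD`, so as written the Dockerfile's default password is what ships. The `basename ${PWD}` expansions and `$image` are unquoted and break on a checkout path containing spaces; `$(basename "${PWD}")` and `--tag="$image"` avoid that.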
diff --git a/jammy-amd64-tf-a-build/requirements_python2.txt b/jammy-amd64-tf-a-build/requirements_python2.txt
new file mode 100644
index 0000000..a34ca8a
--- /dev/null
+++ b/jammy-amd64-tf-a-build/requirements_python2.txt
@@ -0,0 +1,2 @@
+pygments==2.2.0
+psutil
diff --git a/jammy-amd64-tf-a-build/requirements_python3.txt b/jammy-amd64-tf-a-build/requirements_python3.txt
new file mode 100644
index 0000000..ad012bc
--- /dev/null
+++ b/jammy-amd64-tf-a-build/requirements_python3.txt
@@ -0,0 +1,18 @@
+Jinja2==2.10
+MarkupSafe==1.1.0
+PyYAML==6.0
+Sphinx==2.0.1
+cbor==1.0.0
+configobj==5.0.6
+cryptography==2.7
+docker==4.3.1
+imgtool==1.6.0
+lavacli==1.0
+m2r==0.2.1
+pyasn1==0.1.9
+pycryptodome==3.6.6
+requests==2.22.0
+ruamel.yaml==0.16.12
+sphinx-rtd-theme==0.4.3
+sphinxcontrib-plantuml==0.15
+xmltodict==0.12.0
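Review bot: `cryptography==2.7` should be checked against CVE-2020-36242, which the commit message cites as the reason for dropping python3-crypto. To my knowledge that advisory is filed against the `cryptography` package itself, so this pin may carry the very issue the change set out to avoid. `pycryptodome==3.6.6` is also installed here while the Dockerfile's PKG_DEPS pulls `python3-pycryptodome` from apt, leaving two copies whose precedence depends on the Python path. I would move the security-sensitive pins to currently supported releases and mark them with a comment such as `# security-sensitive pin: review on every image rebuild`. Installing with `pip3 install --require-hashes` would additionally bind each pin to a known artifact.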
diff --git a/jammy-amd64-tf-a-build/setup-sshd b/jammy-amd64-tf-a-build/setup-sshd
new file mode 100755
index 0000000..b0a5ed5
--- /dev/null
+++ b/jammy-amd64-tf-a-build/setup-sshd
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/home/buildslave
+
+[ -z "${JENKINS_SLAVE_SSH_PUBKEY}" ] || {
+ mkdir ${HOME}/.ssh
+ echo "${JENKINS_SLAVE_SSH_PUBKEY}" > ${HOME}/.ssh/authorized_keys
+ chown -R buildslave:buildslave ${HOME}/.ssh
+ chmod 0700 -R ${HOME}/.ssh
+}
+
+exec /usr/sbin/sshd -D
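Review bot: When `JENKINS_SLAVE_SSH_PUBKEY` is empty the script skips key setup and still starts sshd, so the only way in is password login for `buildslave`, whose password defaults to a well-known value in the Dockerfile. Consider failing closed or disabling passwords outright with `exec /usr/sbin/sshd -D -o PasswordAuthentication=no`. In addition, `mkdir ${HOME}/.ssh` fails when a container is restarted and the directory already exists, and with no `set -e` the script simply carries on. Using `mkdir -p "${HOME}/.ssh"`, then `chmod 0700 "${HOME}/.ssh"` and `chmod 0600 "${HOME}/.ssh/authorized_keys"` in place of the recursive `chmod 0700 -R`, fixes that and keeps the key file non-executable.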
diff --git a/jammy-amd64-tf-a-build/tf-dependencies.install b/jammy-amd64-tf-a-build/tf-dependencies.install
new file mode 100755
index 0000000..d0599fd
--- /dev/null
+++ b/jammy-amd64-tf-a-build/tf-dependencies.install
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+set -e
+
+# Install cppcheck
+wget -q https://github.com/danmar/cppcheck/archive/refs/tags/2.7.tar.gz -O /tmp/cppcheck.tar.gz
+tar -xf /tmp/cppcheck.tar.gz -C /opt
+(cd /opt/cppcheck-*; make FILESDIR=/opt/cppcheck-2.7/cfg; make FILESDIR=/opt/cppcheck-2.7/cfg install; make clean)
+
+# Install PlantUML
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo ${PLANTUML_JAR_PATH} \
+ https://repo1.maven.org/maven2/net/sourceforge/plantuml/plantuml/1.2019.6/plantuml-1.2019.6.jar
+cat << EOF > /usr/bin/plantuml
+#!/bin/sh
+/usr/bin/java -jar ${PLANTUML_JAR_PATH} \${@}
+EOF
+chmod 0755 /usr/bin/plantuml
+
+# Install CMake
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo /tmp/cmake-Linux-x86_64.tar.gz \
+ https://github.com/Kitware/CMake/releases/download/v3.15.7/cmake-3.15.7-Linux-x86_64.tar.gz
+tar -xf /tmp/cmake-Linux-x86_64.tar.gz -C ${TOOLS_DIR} --strip-components=1
+
+# Install Arm GCC toolchain (arm-none-eabi GNU-A)
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo /tmp/gcc-arm-x86_64-arm-none-eabi.tar.xz \
+ https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-arm-none-eabi.tar.xz
+tar -Jxf /tmp/gcc-arm-x86_64-arm-none-eabi.tar.xz -C ${TOOLS_DIR} --strip-components=1
+
+# Install Arm GCC toolchain (arm-none-eabi GNU-RM)
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo /tmp/gcc-arm-x86_64-arm-none-eabi.tar.bz2 \
+ https://developer.arm.com/-/media/Files/downloads/gnu-rm/10-2020q4/gcc-arm-none-eabi-10-2020-q4-major-x86_64-linux.tar.bz2
+mkdir -p ${TOOLS_DIR}/gnu-rm
+tar xjf /tmp/gcc-arm-x86_64-arm-none-eabi.tar.bz2 -C ${TOOLS_DIR}/gnu-rm --strip-components=1
+
+# Install Arm GCC toolchain (aarch64-none-elf)
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo /tmp/gcc-arm-x86_64-aarch64-none-elf.tar.xz \
+ https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz
+tar -Jxf /tmp/gcc-arm-x86_64-aarch64-none-elf.tar.xz -C ${TOOLS_DIR} --strip-components=1
+
+# Install Linaro GCC 6.2.1 toolchain (aarch64-none-elf), which is required by some platforms, i.e. marvell
+# NOTE: Toolchain is not available through PATH so to use it, CROSS_COMPILE should point to
+# CROSS_COMPILE=${TOOLS_DIR}/gcc-linaro-6.2.1-2016.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu-
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo /tmp/gcc-linaro-x86_64_aarch64-linux-gnu.tar.xz \
+ https://releases.linaro.org/components/toolchain/binaries/6.2-2016.11/aarch64-linux-gnu/gcc-linaro-6.2.1-2016.11-x86_64_aarch64-linux-gnu.tar.xz
+tar -Jxf /tmp/gcc-linaro-x86_64_aarch64-linux-gnu.tar.xz -C ${TOOLS_DIR}
+
+# Install Arm Clang 6.8 toolchain (armclang)
+# NOTE: Toolchain is not available through PATH so to use it, CC should point to
+# CC=${TOOLS_DIR}/armclang-6.8/bin/armclang
+mkdir -p /tmp/armclang-6.8
+wget -O /tmp/DS500-BN-00026-r5p0-10rel0.tgz \
+ -q https://developer.arm.com/-/media/Files/downloads/compiler/DS500-BN-00026-r5p0-10rel0.tgz
+tar -xf /tmp/DS500-BN-00026-r5p0-10rel0.tgz -C /tmp/armclang-6.8
+/tmp/armclang-6.8/install_x86_64.sh --no-interactive --i-agree-to-the-contained-eula -d ${TOOLS_DIR}/armclang-6.8
+
+# Install Arm Clang 6.13 (armclang)
+mkdir -p /tmp/armclang-6.13
+wget -O /tmp/DS500-BN-00026-r5p0-15rel0.tgz \
+ -q https://developer.arm.com/-/media/Files/downloads/compiler/DS500-BN-00026-r5p0-15rel0.tgz
+tar -xf /tmp/DS500-BN-00026-r5p0-15rel0.tgz -C /tmp/armclang-6.13
+/tmp/armclang-6.13/install_x86_64.sh --no-interactive --i-agree-to-the-contained-eula -d ${TOOLS_DIR}
+
+# Install LLVM Clang toolchain (clang)
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo /tmp/clang+llvm-10.0.0-x86_64-linux-gnu-ubuntu-18.04.tar.xz \
+ https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.0/clang+llvm-10.0.0-x86_64-linux-gnu-ubuntu-18.04.tar.xz
+tar -xf /tmp/clang+llvm-10.0.0-x86_64-linux-gnu-ubuntu-18.04.tar.xz -C ${TOOLS_DIR} --strip-components=1
+
+# Additional binaries required
+mkdir -p nfs/downloads/linaro/20.01
+cd nfs/downloads/linaro/20.01
+wget -q -c -m -A .zip -np -nd https://releases.linaro.org/members/arm/platforms/20.01/
+rm -f fvp*-android-*.zip sg*.zip
+for file in *.zip; do
+ unzip -q ${file} -d $(basename ${file} .zip)
+done
+rm -f *.zip
+
+# Install NVM
+mkdir -p ${NVM_DIR}
+curl -s https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+echo ". ${NVM_DIR}/nvm.sh" >> /home/buildslave/.bashrc
+chown -R buildslave:buildslave /home/buildslave/.bashrc
+. ${NVM_DIR}/nvm.sh
+nvm install 14
+
+# Install OpenSSL 3.0
+OPENSSL_VER="3.0.2"
+OPENSSL_DIRNAME="openssl-${OPENSSL_VER}"
+OPENSSL_FILENAME="openssl-${OPENSSL_VER}"
+OPENSSL_CHECKSUM="98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63"
+curl --connect-timeout 5 --retry 5 --retry-delay 1 --create-dirs -fsSLo /tmp/${OPENSSL_FILENAME}.tar.gz \
+ https://www.openssl.org/source/${OPENSSL_FILENAME}.tar.gz
+echo "${OPENSSL_CHECKSUM} /tmp/${OPENSSL_FILENAME}.tar.gz" | sha256sum -c
+mkdir -p ${TOOLS_DIR}/${OPENSSL_DIRNAME} && tar -xzf /tmp/${OPENSSL_FILENAME}.tar.gz -C ${TOOLS_DIR}/${OPENSSL_DIRNAME} --strip-components=1
+cd ${TOOLS_DIR}/${OPENSSL_DIRNAME}
+./Configure --libdir=lib --prefix=/usr --api=1.0.1
+cd ${TOOLS_DIR}
+make -C ${TOOLS_DIR}/${OPENSSL_DIRNAME}
+make -C ${TOOLS_DIR}/${OPENSSL_DIRNAME} install
+
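Review bot: Only the OpenSSL tarball is checked against a pinned SHA-256; every other download in this script is unpacked or executed as root without any integrity check. That covers cppcheck, PlantUML, CMake, the Arm, Linaro and LLVM toolchains, the two armclang installers that are then run, and the NVM `install.sh` piped into bash. The OpenSSL pattern can be reused for each artifact, e.g. `echo "${CMAKE_CHECKSUM}  /tmp/cmake-Linux-x86_64.tar.gz" | sha256sum -c`, with `CMAKE_CHECKSUM` set to the digest published for that release. The NVM line should also download with `curl -fsSL` to a file and verify it rather than streaming into `bash`. Separately, `mkdir -p nfs/downloads/linaro/20.01` is a relative path while the Dockerfile chowns `/nfs/downloads/linaro`, so it only lines up when the script runs from `/`; using the absolute path removes that dependency.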
diff --git a/jammy-amd64-tf-a-build/tf-environment.install b/jammy-amd64-tf-a-build/tf-environment.install
new file mode 100755
index 0000000..3c73724
--- /dev/null
+++ b/jammy-amd64-tf-a-build/tf-environment.install
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+env | grep NVM_DIR >> /etc/environment
+env | grep PLANTUML_JAR_PATH >> /etc/environment
+env | grep TOOLS_DIR >> /etc/environment
+env | grep PATH >> /etc/environment
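Review bot: The `grep` patterns are unanchored, so `env | grep PATH` also matches `PLANTUML_JAR_PATH` (which is then written twice) and any other variable whose name or value contains `PATH`. Whatever happens to be in the build environment can therefore leak into `/etc/environment`. Anchor each pattern on the variable name, e.g. `env | grep '^PATH=' >> /etc/environment` and `env | grep '^TOOLS_DIR=' >> /etc/environment`. If the intent is to make the image's ENV values visible to ssh login sessions, a one-line comment above the block saying so would help the next maintainer.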