xenial|bionic-amd64-mbedtls-build: create mbedtls ubuntu dockerfiles

The docker files, and their resulting docker images, are consumed by the
MbedTLS Open CI [1]; the corresponding files were taken
as-is from [2], so future changes to these definitions should be
made in this repository instead of [3].

[1] https://linaro.atlassian.net/browse/TFC-4
[2]
https://github.com/ARMmbed/mbedtls-test/blob/master/resources/docker_files/
[3] https://github.com/ARMmbed/mbedtls-test

Signed-off-by: Leonardo Sandoval <leonardo.sandoval@linaro.org>
Change-Id: I977bda679cc36f97b0467c938f479ed8ae31810c
diff --git a/bionic-amd64-mbedtls-build/Dockerfile b/bionic-amd64-mbedtls-build/Dockerfile
new file mode 100644
index 0000000..aa636ae
--- /dev/null
+++ b/bionic-amd64-mbedtls-build/Dockerfile
@@ -0,0 +1,283 @@
+# ubuntu-18.04/Dockerfile
+#
+#  Copyright (c) 2018-2021, ARM Limited, All Rights Reserved
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  This file is part of Mbed TLS (https://www.trustedfirmware.org/projects/mbed-tls/)
+
+
+
+################################################################
+#### Documentation
+################################################################
+
+# Purpose
+# -------
+#
+# This docker file is for creating a ubuntu-18.04 platform container. It
+# contains setup and installation of tools for executing same set of Mbed TLS
+# tests as there are in the CI. This conatiner can be used for reproducing and
+# testing failures found in the CI.
+
+
+#Start with basic Ubuntu 18.04 image
+FROM ubuntu:18.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install necessary apt tools
+RUN apt-get update > /dev/null && \
+    apt-get install -y apt-transport-https \
+                       apt-utils \
+                       software-properties-common > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+# set the working directory to /opt/slave
+WORKDIR /opt/slave
+
+# Pre-approve Oracle Java license
+RUN echo debconf shared/accepted-oracle-license-v1-1 select true | debconf-set-selections && \
+    echo debconf shared/accepted-oracle-license-v1-1 seen true | debconf-set-selections
+
+# Install source control tools
+RUN apt-get update > /dev/null && \
+    apt-get install -y git > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+# Install Python 2.7
+RUN apt-get update > /dev/null && \
+    apt-get install -y python2.7 \
+                       libffi-dev \
+                       python-dev \
+                       python-pip \
+                       python-setuptools \
+                       python-distutils-extra > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+# Install Python 3 pip
+RUN apt-get update > /dev/null && \
+    apt-get install -y python3-pip > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+# Install build tools
+RUN apt-get update > /dev/null && \
+    apt-get install -y cmake \
+                       make \
+                       valgrind \
+                       doxygen \
+                       graphviz \
+                       lcov \
+                       abi-dumper \
+                       gcc-mingw-w64-i686 \
+                       clang \
+                       wget \
+                       lsof > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+# Install ARM Compiler 5.06
+RUN dpkg --add-architecture i386 && \
+    apt-get update > /dev/null && \
+    apt-get install -y libc6-i386 \
+                       libc6:i386 \
+                       libstdc++6:i386 > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+RUN wget -q https://developer.arm.com/-/media/Files/downloads/compiler/DS500-PA-00003-r5p0-22rel0.tgz && \
+    tar -zxf DS500-PA-00003-r5p0-22rel0.tgz && \
+    ./Installer/setup.sh --i-agree-to-the-contained-eula --no-interactive -d /usr/local/ARM_Compiler_5.06u3 --quiet && \
+    rm -rf DS500-PA-00003-r5p0-22rel0.tgz releasenotes.html Installer/
+
+ENV ARMC5_BIN_DIR=/usr/local/ARM_Compiler_5.06u3/bin/
+ENV PATH=$PATH:/usr/local/ARM_Compiler_5.06u3/bin
+ENV ARMLMD_LICENSE_FILE=27000@flexnet.trustedfirmware.org
+
+# Install ARM Compiler 6.6
+RUN mkdir temp && cd temp && \
+    wget -q --no-check-certificate https://developer.arm.com/-/media/Files/downloads/compiler/DS500-BN-00026-r5p0-07rel0.tgz?revision=8f0d9fb0-9616-458c-b2f5-d0dac83ea93c?product=Downloads,64-bit,,Linux,6.6 -O arm6.tgz && \
+    tar -zxf arm6.tgz  && ls -ltr && \
+    ./install_x86_64.sh --i-agree-to-the-contained-eula --no-interactive -d /usr/local/ARM_Compiler_6.6 --quiet && \
+    cd .. && rm -rf temp/
+
+ENV ARMC6_BIN_DIR=/usr/local/ARM_Compiler_6.6/bin/
+
+# Install arm-none-eabi-gcc
+RUN wget -q https://developer.arm.com/-/media/Files/downloads/gnu-rm/5_4-2016q3/gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 -O gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 && \
+    tar -xjf gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 -C /opt
+
+ENV PATH=/opt/gcc-arm-none-eabi-5_4-2016q3/bin:$PATH
+
+# Install openssl 1.0.2g
+RUN apt-get update > /dev/null && \
+    apt-get install -y gcc-multilib \
+                       p11-kit \
+                       libgmp10 \
+                       libgmp-dev \
+                       pkg-config \
+                       m4 \
+                       libp11-kit-dev > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+RUN wget -q https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz && \
+    tar -zxf openssl-1.0.2g.tar.gz && cd openssl-1.0.2g && \
+    ./config --openssldir=/usr/local/openssl-1.0.2g && \
+    make clean && make && make install && cd .. && \
+    rm -rf openssl-1.0.2g*
+
+ENV OPENSSL=/usr/local/openssl-1.0.2g/bin/openssl
+ENV PATH=/usr/local/openssl-1.0.2g/bin:$PATH
+
+# Install openssl 1.0.1j for legacy testing
+RUN wget -q https://www.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz && \
+    tar -zxf openssl-1.0.1j.tar.gz && cd openssl-1.0.1j && \
+    ./config --openssldir=/usr/local/openssl-1.0.1j && \
+    make clean && make && make install && cd .. && \
+    rm -rf openssl-1.0.1j*
+
+ENV OPENSSL_LEGACY=/usr/local/openssl-1.0.1j/bin/openssl
+
+# Install openssl 1.1.1a for ARIA cipher testing
+RUN wget -q https://www.openssl.org/source/openssl-1.1.1a.tar.gz && \
+    tar -zxf openssl-1.1.1a.tar.gz && cd openssl-1.1.1a && \
+    ./config --prefix=/usr/local/openssl-1.1.1a -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' && \
+    make clean && make && make install && cd .. && \
+    rm -rf openssl-1.1.1a*
+
+ENV OPENSSL_NEXT=/usr/local/openssl-1.1.1a/bin/openssl
+
+# Install Gnu TLS 3.4.10
+RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz && \
+    tar -zxf nettle-3.1.tar.gz && cd nettle-3.1 && \
+    ./configure --prefix=/usr/local/libnettle-3.1 --exec_prefix=/usr/local/libnettle-3.1  --disable-shared && \
+    make && make install && cd .. && rm -rf nettle-3.1*
+
+ENV PKG_CONFIG_PATH=/usr/local/libnettle-3.1/lib/pkgconfig:/usr/local/libnettle-3.1/lib64/pkgconfig:/usr/local/lib/pkgconfig
+
+RUN wget -q https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.13.tar.gz && \
+    tar -zxf libtasn1-4.13.tar.gz && cd libtasn1-4.13 && \
+    ./configure && make && make install && \
+    cd .. && rm -rf libtasn1-4.13*
+
+RUN wget -q https://github.com/p11-glue/p11-kit/releases/download/0.23.10/p11-kit-0.23.10.tar.gz && \
+    tar -zxf p11-kit-0.23.10.tar.gz && cd p11-kit-0.23.10 && \
+    ./configure --prefix=/usr/local/libp11-kit-0.23.10 && make && make install && \
+    cd .. && rm -rf p11-kit-0.23.10*
+
+ENV PKG_CONFIG_PATH=/usr/local/lib/libp11-kit-0.23.10/lib/pkgconfig:/usr/local/lib/libp11-kit-0.23.10/lib64/pkgconfig:$PKG_CONFIG_PATH
+
+RUN wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz && \
+    tar -xJf gnutls-3.4.10.tar.xz && cd gnutls-3.4.10 && \
+    ./configure --prefix=/usr/local/gnutls-3.4.10 --exec_prefix=/usr/local/gnutls-3.4.10 --disable-shared && \
+    make && make install && cat config.log && cd .. && \
+    rm -rf gnutls-3.4.10*
+
+ENV GNUTLS_CLI=/usr/local/gnutls-3.4.10/bin/gnutls-cli
+ENV GNUTLS_SERV=/usr/local/gnutls-3.4.10/bin/gnutls-serv
+ENV PATH=/usr/local/gnutls-3.4.10/bin:$PATH
+
+# Install Gnu TLS 3.3.8 for legacy testing
+RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz && \
+    tar -zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1 && \
+    ./configure --prefix=/usr/local/libnettle-2.7.1 --exec_prefix=/usr/local/libnettle-2.7.1  --disable-shared && \
+    make && make install && cd .. && rm -rf nettle-2.7.1*
+
+ENV PKG_CONFIG_PATH=/usr/local/libnettle-2.7.1/lib/pkgconfig:/usr/local/libnettle-2.7.1/lib64/pkgconfig:/usr/local/lib/pkgconfig
+
+RUN wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.3/gnutls-3.3.8.tar.xz && \
+    tar -xJf gnutls-3.3.8.tar.xz && cd gnutls-3.3.8 && \
+    ./configure --prefix=/usr/local/gnutls-3.3.8 --exec_prefix=/usr/local/gnutls-3.3.8 --disable-shared && \
+    make && make install && cat config.log && cd .. && \
+    rm -rf gnutls-3.3.8*
+
+ENV GNUTLS_LEGACY_CLI=/usr/local/gnutls-3.3.8/bin/gnutls-cli
+ENV GNUTLS_LEGACY_SERV=/usr/local/gnutls-3.3.8/bin/gnutls-serv
+
+# Instal GNU TLS 3.6.5 for broader interoperability testing
+RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-3.4.1.tar.gz && \
+    tar -zxf nettle-3.4.1.tar.gz && cd nettle-3.4.1 && \
+    ./configure --prefix=/usr/local/libnettle-3.4.1 --exec_prefix=/usr/local/libnettle-3.4.1  --disable-shared && \
+    make && make install && cd .. && rm -rf nettle-3.4.1*
+
+ENV PKG_CONFIG_PATH=/usr/local/libnettle-3.4.1/lib/pkgconfig:/usr/local/libnettle-3.4.1/lib64/pkgconfig:/usr/local/lib/pkgconfig
+
+RUN apt-get update > /dev/null && \
+    apt-get install -y libunistring-dev > /dev/null && \
+    apt-get clean && rm -rf /var/lib/apt/lists/
+
+RUN wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.5.tar.xz && \
+    tar -xJf gnutls-3.6.5.tar.xz && cd gnutls-3.6.5 && \
+    ./configure --prefix=/usr/local/gnutls-3.6.5 --exec_prefix=/usr/local/gnutls-3.6.5 --disable-shared && \
+    make && make install && cat config.log && cd .. && \
+    rm -rf gnutls-3.6.5*
+
+ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.6.5/bin/gnutls-cli
+ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.6.5/bin/gnutls-serv
+
+# Remove Ubuntu unattended-upgrades to prevent unwanted changes to system while it is running
+RUN apt-get purge -y unattended-upgrades
+
+
+# Install Python 2 pip packages
+# The pip wrapper scripts can get out of sync with pip due to upgrading it outside the package manager, so invoke the module directly
+RUN python2 -m pip install pip setuptools --upgrade > /dev/null
+
+RUN python2 -m pip install yotta matplotlib > /dev/null
+
+# Install Python pip packages
+#
+# The pip wrapper scripts can get out of sync with pip due to upgrading it
+# outside the package manager, so invoke the module directly.
+#
+# Ubuntu 18.04's pip (9.0.1) doesn't support suppressing the progress bar,
+# which is annoying in CI logs. Install pip<21, same as on Ubuntu 16.04
+# (although we could use a later version if we wanted).
+#
+# Piping to cat suppresses the progress bar, but means that a failure
+# won't be caught (`stuff | cat` succeeds if cat succeeds, even if `stuff`
+# fails). The subsequent use of "pip config" (which requires pip >=10)
+# will however fail if the installation of a more recent pip failed.
+RUN python3 -m pip install 'pip<21' --upgrade | cat && \
+    python3 -m pip config set global.progress_bar off && \
+    python3 -m pip install setuptools --upgrade && \
+    # For pylint we want a known version, as later versions may add checks at
+    # any time, making CI results unpredictable.
+    python3 -m pip install pylint==2.4.4 && \
+    # For mypy, use the earliest version that works with our code base.
+    # See https://github.com/ARMmbed/mbedtls/pull/3953 .
+    python3 -m pip install mypy==0.780 && \
+    # For jinja2, use the version that's in Ubuntu 20.04.
+    # See https://github.com/ARMmbed/mbedtls/pull/5067#discussion_r738794607 .
+    # Note that Jinja2 3.0 drops support for Python 3.5, so we need 2.x.
+    python3 -m pip install Jinja2==2.10.1 types-Jinja2 && \
+    true
+
+# Set the locale
+RUN apt-get clean && apt-get update && apt-get install -y locales zip python-tk
+RUN locale-gen en_US.UTF-8
+
+# Set locale for ARMCC to work
+RUN locale && locale-gen "en_US.UTF-8" && dpkg-reconfigure locales
+
+# Add user
+RUN useradd -m user
+
+# Create workspace
+ARG AGENT_WORKDIR=/var/lib/builds
+RUN mkdir -p ${AGENT_WORKDIR} && chown user:user ${AGENT_WORKDIR}
+USER user
+ENV AGENT_WORKDIR=${AGENT_WORKDIR}
+
+WORKDIR ${AGENT_WORKDIR}
+
+ENTRYPOINT ["bash"]
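Review bot: The ARM Compiler 6.6 step downloads its archive with `wget -q --no-check-certificate` and then runs the unpacked `install_x86_64.sh` as root in the same RUN, so the installer that ends up in the CI image is accepted without any authentication of its origin. The ARM Compiler 5.06 step just above fetches from the same host without that flag, which suggests it is not needed here; drop it and check the archive against a recorded digest before `tar`, e.g. `echo "<expected-sha256>  arm6.tgz" | sha256sum -c - && \`. The identical line is added in xenial-amd64-mbedtls-build/Dockerfile. None of the other wget downloads in either file (gcc-arm-none-eabi, OpenSSL, nettle, libtasn1, p11-kit, GnuTLS) is checked against a digest or signature before being built and installed, so the same `sha256sum -c` line would be worth adding to each.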
diff --git a/bionic-amd64-mbedtls-build/build.sh b/bionic-amd64-mbedtls-build/build.sh
new file mode 100755
index 0000000..969c66c
--- /dev/null
+++ b/bionic-amd64-mbedtls-build/build.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+trap cleanup_exit INT TERM EXIT
+
+cleanup_exit()
+{
+  rm -f *.list *.key
+}
+
+export LANG=C
+
+DISTRIBUTION=$(basename ${PWD} | cut -f1 -d '-')
+ARCHITECTURE=$(basename ${PWD} | cut -f2 -d '-')
+PROJECT=$(basename ${PWD} | cut -f3 -d '-')-$(basename ${PWD} | cut -f4 -d '-')
+
+image=trustedfirmware/ci-${ARCHITECTURE}-${PROJECT}-ubuntu:${DISTRIBUTION}
+docker build --pull --tag=$image .
+echo $image > .docker-tag
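Review bot: `DISTRIBUTION`, `ARCHITECTURE` and `PROJECT` are all cut from `basename ${PWD}` and the build context is `.`, so the script only yields the intended image and tag when it is invoked from inside its own directory. Run from anywhere else it builds whatever Dockerfile is in the current directory under a `trustedfirmware/ci-…` tag derived from that directory's name. Adding `cd "$(dirname "$0")"` right after `set -e` and quoting the expansions (`docker build --pull --tag="$image" .`, `echo "$image" > .docker-tag`) would make the result independent of the caller's working directory. `cleanup_exit` also runs `rm -f *.list *.key` although nothing in the script creates such files; if that is a leftover from another build script it is safer to remove it than to delete unrelated files on exit. The same script is added as xenial-amd64-mbedtls-build/build.sh.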
diff --git a/xenial-amd64-mbedtls-build/Dockerfile b/xenial-amd64-mbedtls-build/Dockerfile
new file mode 100644
index 0000000..89c4782
--- /dev/null
+++ b/xenial-amd64-mbedtls-build/Dockerfile
@@ -0,0 +1,285 @@
+# ubuntu-16.04/Dockerfile
+#
+#  Copyright (c) 2018-2021, ARM Limited, All Rights Reserved
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  This file is part of Mbed TLS (https://www.trustedfirmware.org/projects/mbed-tls/)
+
+# Purpose
+# -------
+#
+# This docker file is for creating the ubuntu-16.04 image that is used in the
+# CI. It can also be used for reproducing and testing CI failures.
+
+FROM ubuntu:16.04
+
+ARG DEBIAN_FRONTEND=noninteractive
+WORKDIR /opt/src
+
+# Support for i386:
+# - for 32-bit builds+tests of Mbed TLS
+# - required to install Arm Compiler 5.06 (armcc)
+RUN dpkg --add-architecture i386
+
+# Main apt-get call with all packages except those that have conflicts,
+# handled below. One big alphabetised list, in order to avoid duplicates, with
+# comments explaining why each package is needed.
+RUN apt-get update -q && apt-get install -yq \
+        # installed from source, but this installs the dependencies
+        abi-dumper \
+        # to build Mbed TLS: gcc, binutils, make, etc.
+        build-essential \
+        # to build Mbed TLS
+        clang \
+        # to build Mbed TLS
+        cmake \
+        # to build Mbed TLS's documentation
+        doxygen \
+        # to cross-build Mbed TLS
+        gcc-mingw-w64-i686 \
+        # to check out Mbed TLS and others
+        git \
+        # to build Mbed TLS's documentation
+        graphviz \
+        # to measure code coverage of Mbed TLS
+        lcov \
+        # for 32-bit Mbed TLS testing and armcc
+        libc6-i386 \
+        # for 32-bit Mbed TLS testing and armcc
+        libc6:i386 \
+        # to build GnuTLS (nettle with public key support aka hogweed)
+        libgmp-dev \
+        # to build GnuTLS >= 3.6 (could also use --with-included-unistring)
+        libunistring-dev \
+        # for armcc
+        libstdc++6:i386 \
+        # to build GnuTLS (except 3.6 which uses --with-included-libtasn1)
+        libtasn1-6-dev \
+        # needed for armcc (see locale-gen below)
+        locales \
+        # used by compat.sh and ssl-opt.sh
+        lsof \
+        # to build GnuTLS (nettle)
+        m4 \
+        # to build Mbed TLS and others
+        make \
+        # to build GnuTLS with locally-compiled nettle
+        pkg-config \
+        # to install the preferred version of pylint
+        python3-pip \
+        # for Mbed TLS tests
+        valgrind \
+        # to download things installed from other places
+        wget \
+        # to build Mbed TLS with MBEDTLS_ZILIB_SUPPORT (removed in 3.0)
+        zlib1g \
+        # to build Mbed TLS with MBEDTLS_ZILIB_SUPPORT (removed in 3.0)
+        zlib1g-dev \
+    && rm -rf /var/lib/apt/lists/
+
+# Install all the parts of gcc-multilib, which is necessary for 32-bit builds.
+# gcc-multilib conflicts with cross-compiler packages that we'll install later,
+# so don't keep it around. Just let it install its dependencies
+# (gcc-<VERSION>-multilib and libc support), then remove it. Manually create
+# one crucial symlink that's otherwise provided by the gcc-multilib package
+# (without that symlink, 32-bit builds won't find system headers). Note that
+# just installing the dependencies of gcc-multilib also brings in gcc-multilib
+# as a Recommends dependency.
+RUN apt-get update -q && apt-get install -yq \
+        gcc-multilib \
+    && rm -rf /var/lib/apt/lists/ && \
+    dpkg -r gcc-multilib && \
+    ln -s x86_64-linux-gnu/asm /usr/include/asm
+
+# Install arm-linux-gnueabi-gcc - to cross-build Mbed TLS
+RUN apt-get update -q && apt-get install -yq \
+        gcc-arm-linux-gnueabi \
+        libc6-dev-armel-cross \
+    && rm -rf /var/lib/apt/lists/
+
+# Install ARM Compiler 5.06
+RUN wget -q https://developer.arm.com/-/media/Files/downloads/compiler/DS500-PA-00003-r5p0-22rel0.tgz && \
+    tar -zxf DS500-PA-00003-r5p0-22rel0.tgz && \
+    ./Installer/setup.sh --i-agree-to-the-contained-eula --no-interactive -d /usr/local/ARM_Compiler_5.06u3 --quiet && \
+    rm -rf DS500-PA-00003-r5p0-22rel0.tgz releasenotes.html Installer/
+
+ENV ARMC5_BIN_DIR=/usr/local/ARM_Compiler_5.06u3/bin/
+ENV PATH=$PATH:/usr/local/ARM_Compiler_5.06u3/bin
+ENV ARMLMD_LICENSE_FILE=27000@flexnet.trustedfirmware.org
+
+# Install ARM Compiler 6.6
+RUN mkdir temp && cd temp && \
+    wget -q --no-check-certificate https://developer.arm.com/-/media/Files/downloads/compiler/DS500-BN-00026-r5p0-07rel0.tgz?revision=8f0d9fb0-9616-458c-b2f5-d0dac83ea93c?product=Downloads,64-bit,,Linux,6.6 -O arm6.tgz && \
+    tar -zxf arm6.tgz  && ls -ltr && \
+    ./install_x86_64.sh --i-agree-to-the-contained-eula --no-interactive -d /usr/local/ARM_Compiler_6.6 --quiet && \
+    cd .. && rm -rf temp/
+
+ENV ARMC6_BIN_DIR=/usr/local/ARM_Compiler_6.6/bin/
+
+# Install arm-none-eabi-gcc
+RUN wget -q https://developer.arm.com/-/media/Files/downloads/gnu-rm/5_4-2016q3/gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 -O gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 && \
+    tar -xjf gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 -C /opt && \
+    rm gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2
+
+ENV PATH=/opt/gcc-arm-none-eabi-5_4-2016q3/bin:$PATH
+
+# Install exact upstream versions of OpenSSL and GnuTLS
+#
+# Distro packages tend to include patches that disrupt our testing scripts,
+# and such patches may be added at any time. Avoid surprises by using fixed
+# versions.
+#
+# GnuTLS has a number of (optional) dependencies:
+# - nettle (crypto library): quite tighly coupled, so build one for each
+# version of GnuTLS that we want.
+# - libtasn1: can use the Ubuntu version, except for GnuTLS 3.7 which needs
+# libtasn1 4.9 (Ubuntu 16.04 has 4.6); an config option
+# --with-included-libtasn1 is available, so use it for GnuTLS 3.7.
+# - p11-kit: optional, for smart-card support - configure it out
+# - libunistring: since 3.6 - the Ubuntu package works; if it didn't a config
+# option --with-included-libunistring is available.
+
+# Install openssl 1.0.2g - main version, in the PATH
+RUN wget -q https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz && \
+    tar -zxf openssl-1.0.2g.tar.gz && cd openssl-1.0.2g && \
+    ./config --openssldir=/usr/local/openssl-1.0.2g enable-ssl-trace && \
+    make clean && make && make install && cd .. && \
+    rm -rf openssl-1.0.2g*
+
+ENV OPENSSL=/usr/local/openssl-1.0.2g/bin/openssl
+ENV PATH=/usr/local/openssl-1.0.2g/bin:$PATH
+
+# Install openssl 1.0.1j - "legacy" version
+RUN wget -q https://www.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz && \
+    tar -zxf openssl-1.0.1j.tar.gz && cd openssl-1.0.1j && \
+    ./config --openssldir=/usr/local/openssl-1.0.1j && \
+    make clean && make && make install && cd .. && \
+    rm -rf openssl-1.0.1j*
+
+ENV OPENSSL_LEGACY=/usr/local/openssl-1.0.1j/bin/openssl
+
+# Install openssl 1.1.1a - "next" version
+RUN wget -q https://www.openssl.org/source/openssl-1.1.1a.tar.gz && \
+    tar -zxf openssl-1.1.1a.tar.gz && cd openssl-1.1.1a && \
+    ./config --prefix=/usr/local/openssl-1.1.1a -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' enable-ssl-trace && \
+    make clean && make && make install && cd .. && \
+    rm -rf openssl-1.1.1a*
+
+ENV OPENSSL_NEXT=/usr/local/openssl-1.1.1a/bin/openssl
+
+# Install Gnu TLS 3.4.10 (nettle 3.1) - main version, in the PATH
+RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz && \
+    tar -zxf nettle-3.1.tar.gz && cd nettle-3.1 && \
+    ./configure --prefix=/usr/local/libnettle-3.1 --exec_prefix=/usr/local/libnettle-3.1  --disable-shared --disable-openssl && \
+    make && make install && cd .. && rm -rf nettle-3.1* && \
+    export PKG_CONFIG_PATH=/usr/local/libnettle-3.1/lib/pkgconfig:/usr/local/libnettle-3.1/lib64/pkgconfig:/usr/local/lib/pkgconfig && \
+    wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz && \
+    tar -xJf gnutls-3.4.10.tar.xz && cd gnutls-3.4.10 && \
+    ./configure --prefix=/usr/local/gnutls-3.4.10 --exec_prefix=/usr/local/gnutls-3.4.10 --disable-shared --without-p11-kit && \
+    make && make install && cat config.log && cd .. && \
+    rm -rf gnutls-3.4.10*
+
+ENV GNUTLS_CLI=/usr/local/gnutls-3.4.10/bin/gnutls-cli
+ENV GNUTLS_SERV=/usr/local/gnutls-3.4.10/bin/gnutls-serv
+ENV PATH=/usr/local/gnutls-3.4.10/bin:$PATH
+
+# Install Gnu TLS 3.3.8 (nettle 2.7) - "legacy" version
+RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz && \
+    tar -zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1 && \
+    ./configure --prefix=/usr/local/libnettle-2.7.1 --exec_prefix=/usr/local/libnettle-2.7.1  --disable-shared --disable-openssl && \
+    make && make install && cd .. && rm -rf nettle-2.7.1* && \
+    export PKG_CONFIG_PATH=/usr/local/libnettle-2.7.1/lib/pkgconfig:/usr/local/libnettle-2.7.1/lib64/pkgconfig:/usr/local/lib/pkgconfig && \
+    wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.3/gnutls-3.3.8.tar.xz && \
+    tar -xJf gnutls-3.3.8.tar.xz && cd gnutls-3.3.8 && \
+    ./configure --prefix=/usr/local/gnutls-3.3.8 --exec_prefix=/usr/local/gnutls-3.3.8 --disable-shared --without-p11-kit && \
+    make && make install && cat config.log && cd .. && \
+    rm -rf gnutls-3.3.8*
+
+ENV GNUTLS_LEGACY_CLI=/usr/local/gnutls-3.3.8/bin/gnutls-cli
+ENV GNUTLS_LEGACY_SERV=/usr/local/gnutls-3.3.8/bin/gnutls-serv
+
+# Instal GNU TLS 3.7.2 (nettle 3.7) - "next" version
+RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz && \
+    tar -zxf nettle-3.7.3.tar.gz && cd nettle-3.7.3 && \
+    ./configure --prefix=/usr/local/libnettle-3.7.3 --exec_prefix=/usr/local/libnettle-3.7.3  --disable-shared --disable-openssl && \
+    make && make install && cd .. && rm -rf nettle-3.7.3* && \
+    export PKG_CONFIG_PATH=/usr/local/libnettle-3.7.3/lib/pkgconfig:/usr/local/libnettle-3.7.3/lib64/pkgconfig:/usr/local/lib/pkgconfig && \
+    wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.2.tar.xz && \
+    tar -xJf gnutls-3.7.2.tar.xz && cd gnutls-3.7.2 && \
+    ./configure --prefix=/usr/local/gnutls-3.7.2 --exec_prefix=/usr/local/gnutls-3.7.2 --disable-shared --with-included-libtasn1 --without-p11-kit && \
+    make && make install && cat config.log && cd .. && \
+    rm -rf gnutls-3.7.2*
+
+ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.7.2/bin/gnutls-cli
+ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.7.2/bin/gnutls-serv
+
+# Install abi-compliance-checker
+# The version in Ubuntu 16.04 is too old, we want at least the version below
+RUN wget -q https://github.com/lvc/abi-compliance-checker/archive/2.3.tar.gz && \
+    tar -zxf 2.3.tar.gz && cd abi-compliance-checker-2.3 && \
+    make clean && make && make install prefix=/usr && cd .. && \
+    rm -rf abi-compliance-checker* && rm 2.3.tar.gz
+
+# Install abi-dumper
+# The version in Ubuntu 16.04 is too old, we want at least the version below
+RUN git clone --branch 1.1 https://github.com/lvc/abi-dumper.git && \
+    cd abi-dumper && make install prefix=/usr && cd .. && rm -rf abi-dumper
+
+# Install Python pip packages
+#
+# The pip wrapper scripts can get out of sync with pip due to upgrading it
+# outside the package manager, so invoke the module directly.
+#
+# Ubuntu 16.04's pip (8.1) doesn't understand the Requires-Python
+# directive (introduced in pip 9.0), and tries to install the wrong versions
+# of pip and setuptools. Version 21 of pip drops support for Python 3.5 (the
+# latest in 16.04), so pick an earlier version.
+#
+# Piping to cat suppresses the progress bar, but means that a failure
+# won't be caught (`stuff | cat` succeeds if cat succeeds, even if `stuff`
+# fails). The subsequent use of "pip config" (which requires pip >=10)
+# will however fail if the installation of a more recent pip failed.
+RUN python3 -m pip install 'pip<21' --upgrade | cat && \
+    python3 -m pip config set global.progress_bar off && \
+    python3 -m pip install setuptools --upgrade && \
+    # For pylint we want a known version, as later versions may add checks at
+    # any time, making CI results unpredictable.
+    python3 -m pip install pylint==2.4.4 && \
+    # For mypy, use the earliest version that works with our code base.
+    # See https://github.com/ARMmbed/mbedtls/pull/3953 .
+    python3 -m pip install mypy==0.780 && \
+    # For jinja2, use the version that's in Ubuntu 20.04.
+    # See https://github.com/ARMmbed/mbedtls/pull/5067#discussion_r738794607 .
+    # Note that Jinja2 3.0 drops support for Python 3.5, so we need 2.x.
+    python3 -m pip install Jinja2==2.10.1 types-Jinja2 && \
+    true
+
+# Set locale for ARMCC to work
+RUN locale && \
+    locale-gen "en_US.UTF-8" && \
+    dpkg-reconfigure locales
+
+# Add user
+RUN useradd -m user
+
+# Create workspace
+ARG AGENT_WORKDIR=/var/lib/builds
+RUN mkdir -p ${AGENT_WORKDIR} && chown user:user ${AGENT_WORKDIR}
+USER user
+ENV AGENT_WORKDIR=${AGENT_WORKDIR}
+
+WORKDIR ${AGENT_WORKDIR}
+
+ENTRYPOINT ["bash"]
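Review bot: The abi-dumper step `git clone --branch 1.1 https://github.com/lvc/abi-dumper.git` pins only a tag name, and the `make install prefix=/usr` that follows runs as root, so a moved or re-created upstream tag would change what the CI image installs without any change to this file. Record the commit the tag is expected to point to and fail the build when it differs, e.g. insert `test "$(git -C abi-dumper rev-parse HEAD)" = "<expected-commit-sha>" && \` before `cd abi-dumper`. The abi-compliance-checker step just above has the same exposure through the forge-generated `2.3.tar.gz` archive; a `sha256sum -c` against a recorded digest before `tar -zxf` would cover it.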
diff --git a/xenial-amd64-mbedtls-build/build.sh b/xenial-amd64-mbedtls-build/build.sh
new file mode 100755
index 0000000..969c66c
--- /dev/null
+++ b/xenial-amd64-mbedtls-build/build.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+trap cleanup_exit INT TERM EXIT
+
+cleanup_exit()
+{
+  rm -f *.list *.key
+}
+
+export LANG=C
+
+DISTRIBUTION=$(basename ${PWD} | cut -f1 -d '-')
+ARCHITECTURE=$(basename ${PWD} | cut -f2 -d '-')
+PROJECT=$(basename ${PWD} | cut -f3 -d '-')-$(basename ${PWD} | cut -f4 -d '-')
+
+image=trustedfirmware/ci-${ARCHITECTURE}-${PROJECT}-ubuntu:${DISTRIBUTION}
+docker build --pull --tag=$image .
+echo $image > .docker-tag