feat(ci): Measured boot hash verification scripts
Move away from depending on external fTPM and OP-TEE binaries by
using our own scripts to validate the hashes in the TF-A event log
during measured boot tests.
Change-Id: Ifd1fa8ce7d2091510b4c8242e25438e4d9aa61bb
Signed-off-by: Slava Andrianov <slava.andrianov@arm.com>
diff --git a/script/build_package.sh b/script/build_package.sh
index 535b7e3..b3b1b1e 100755
--- a/script/build_package.sh
+++ b/script/build_package.sh
@@ -314,6 +314,13 @@
set +a
fi
+ if [ "$(get_tf_opt MEASURED_BOOT)" = 1 ]; then
+ # These are needed for accurate hash verification
+ local build_args_path="${workspace}/fip_build_args"
+ echo $@ > $build_args_path
+ archive_file $build_args_path
+ fi
+
make -C "$tf_root" $make_j_opts $(cat "$tf_config_file") DEBUG="$DEBUG" BUILD_BASE=$tf_build_root V=1 "$@" \
${fip_targets:-fip} &>>"$build_log" || fail_build
)
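Review bot: `echo $@ > $build_args_path` records the build arguments unquoted, so word-splitting and globbing alter what is written (an argument such as `FOO="a b"` or one containing `*` no longer round-trips) and `echo` can mangle an argument that starts with `-`; since this file is the input the hash verification relies on, it should capture the arguments exactly as they were passed to make. Replace the two lines with `printf '%q ' "$@" > "$build_args_path"` and `archive_file "$build_args_path"` (use `printf '%s\n' "$@"` instead if the consuming script can read one argument per line). `local` is only valid inside a function; the enclosing `( … )` subshell starts outside the hunk, so confirm this block runs within a function body rather than at top level, where bash rejects it. It would also help to say in the comment which script consumes `fip_build_args`, e.g. `# Recorded so the measured-boot hash verification can reproduce the FIP inputs`.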
@@ -530,6 +537,16 @@
not_upon "${QCBOR_DIR}"; then
emit_env "QCBOR_DIR" "$WORKSPACE/qcbor"
fi
+
+ # Hash verification only occurs if there is a sufficient amount of
+ # information in the event log, which is as long as EVENT_LOG_LEVEL
+ # is set to at least 20 or if it is a debug build
+ if [[ ("$(get_tf_opt MEASURED_BOOT)" -eq 1) &&
+ (($bin_mode == "debug") || ("$(get_tf_opt EVENT_LOG_LEVEL)" -ge 20)) ]]; then
+ # This variable is later exported to the expect scripts so
+ # the hashes in the TF-A event log can be verified
+ set_run_env "verify_hashes" "1"
+ fi
if [ -f "$env_file" ]; then
set -a
source "$env_file"
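Review bot: When MEASURED_BOOT is enabled but the log-level condition fails, the branch falls through silently and the expect scripts simply never see `verify_hashes`, so a measured-boot run with no hash verification looks identical to one that verified; add an `elif [ "$(get_tf_opt MEASURED_BOOT)" = 1 ]; then` arm that prints a diagnostic such as `echo "Skipping event log hash verification: EVENT_LOG_LEVEL below 20 on a non-debug build" >&2` so the gap is visible in the job output. The condition mixes styles: `$bin_mode` is the only unquoted operand, and MEASURED_BOOT is tested with `-eq 1` here but with `= 1` in the build_package.sh hunk at line 314; quoting it as `"$bin_mode"` and using the same comparison in both places keeps them consistent. Note that `-ge 20` on a non-numeric EVENT_LOG_LEVEL value (if get_tf_opt can return one) evaluates it as 0 inside `[[ ]]` and silently disables verification, which is worth a comment on that line.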