#!/usr/bin/env bash
#
# Copyright (c) 2019-2025 Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Builds a package with Trusted Firmware and other payload binaries. The package
# is meant to be executed by run_package.sh
set -e

# Locate the CI repository root relative to this script and load the shared
# helpers. Functions such as die, upon, not_upon, emit_env, mktempfile,
# mktempdir, config_valid, is_url and fetch_file are used below without being
# defined in this file; presumably they come from utils.sh.
ci_root="$(readlink -f "$(dirname "$0")/..")"
source "$ci_root/utils.sh"

# $workspace must be supplied by the environment that invokes this script.
if [ ! -d "$workspace" ]; then
	die "Directory $workspace doesn't exist"
fi

# Directory to where the source code e.g. for Trusted Firmware is checked out.
# Each location can be overridden from the environment.
export tf_root="${tf_root:-$workspace/trusted_firmware}"
export tftf_root="${tftf_root:-$workspace/trusted_firmware_tf}"
export tfut_root="${tfut_root:-$workspace/tfut}"
cc_root="${cc_root:-$ccpathspec}"
spm_root="${spm_root:-$workspace/spm}"
rmm_root="${rmm_root:-$workspace/tf-rmm}"

# Refspecs, copied verbatim from the upper-case environment variables.
tf_refspec="$TF_REFSPEC"
tftf_refspec="$TFTF_REFSPEC"
spm_refspec="$SPM_REFSPEC"
rmm_refspec="$RMM_REFSPEC"
tfut_gerrit_refspec="$TFUT_GERRIT_REFSPEC"

# Mandatory job parameters: ":?" aborts the script if any is unset or empty.
test_config="${TEST_CONFIG:?}"
test_group="${TEST_GROUP:?}"
build_configs="${BUILD_CONFIG:?}"
run_config="${RUN_CONFIG:?}"
cc_config="${CC_ENABLE:-}"

# All build output is archived under $artefacts (provided by the environment);
# the build log accumulates there too.
export archive="$artefacts"
build_log="$artefacts/build.log"
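# Print the path of the fiptool binary built by TF-A for the current platform
# and $bin_mode.
#
# Globals: tf_build_root, bin_mode (read); PLAT is looked up via get_tf_opt()
# Outputs: the path on stdout
fiptool_path() {
	# Quoted so that whitespace in $tf_build_root cannot split the path.
	echo "$tf_build_root/$(get_tf_opt PLAT)/${bin_mode}/tools/fiptool/fiptool"
}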
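# Print the path of the cert_create binary built by TF-A for the current
# platform and $bin_mode.
#
# Globals: tf_build_root, bin_mode (read); PLAT is looked up via get_tf_opt()
# Outputs: the path on stdout
cert_create_path() {
	# Quoted so that whitespace in $tf_build_root cannot split the path.
	echo "$tf_build_root/$(get_tf_opt PLAT)/${bin_mode}/tools/cert_create/cert_create"
}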
# Validate $bin_mode. It selects debug or release binaries; an empty value
# means both modes are built (see the mode loop at the end of the script).
case "$bin_mode" in
	"" | debug | release)
		;;
	*)
		die "Invalid value for bin_mode: $bin_mode"
		;;
esac

# File in which hooks record "export ..." assignments and "source ..." lines
# for the main script to pick up afterwards; see set_hook_var(),
# append_hook_var(), source_later() and call_hook().
hook_env_file="$(mktempfile)"
# Echo from a build wrapper. Print to descriptor 3 that's opened by the build
# function.
# Echo from a build wrapper. Output goes to descriptor 3, which the build
# function opens for wrappers to vent on. $echo_flags is left unquoted on
# purpose so that it can carry several echo options (or none).
echo_w() {
	local wrapper_flags=$echo_flags
	echo $wrapper_flags "$@" >&3
}
# Print a separator to the log file. Intended to be used at the tail end of a pipe
# Print a separator to the log file. Intended to be used at the tail end of a
# pipe: stdin is passed through to stdout and appended to $build_log, framed
# by a dashed rule above and below.
log_separator() {
	local rule="----------"
	printf '\n%s\n' "$rule" >> "$build_log"
	tee -a "$build_log"
	printf '%s\n\n' "$rule" >> "$build_log"
}
# Call function $1 if it's defined
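# Call function $1 if it's defined, framing its output with ">" and "<"
# markers that name the fragment it came from.
#
# Arguments: $1 - name of the hook function (required)
#            $2 - label of the config fragment, for the log (required)
# Note: "type" also succeeds for external commands and builtins, so a hook
# name that happens to match one would still be run.
call_func() {
	local func="${1:?}"
	if type "$func" &>/dev/null; then
		local label="${2:?}"
		echo
		echo "> $label:$func()"
		# Invoke by name instead of "eval": the hook name is a plain
		# identifier and must not be re-parsed as shell code.
		"$func"
		echo "< $label:$func()"
	fi
}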
# Retry a command a number of times if it fails. Intended for I/O commands
# in a CI environment which may be flaky.
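# Retry a command up to three times if it fails, sleeping 5s then 10s between
# attempts. Intended for I/O commands in a CI environment which may be flaky.
#
# Arguments: the command and its arguments
# Returns:   0 as soon as the command succeeds, 1 if every attempt failed
retry() {
	local -r attempts=3
	local i
	for ((i = 1; i <= attempts; i++)); do
		if "$@"; then
			return 0
		fi
		# Do not sleep after the final failure; there is nothing to wait for.
		if ((i < attempts)); then
			sleep $((i * 5))
		fi
	done
	return 1
}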
# Call hook $1 in all chosen fragments if it's defined. Hooks are invoked from
# within a subshell, so any variables set within a hook are lost. Should a
# variable needs to be set from within a hook, the function 'set_hook_var'
# should be used
# Call hook $1 in all chosen fragments if it's defined. Hooks are invoked from
# within a subshell, so any variables set within a hook are lost. Should a
# variable need to be set from within a hook, the function 'set_hook_var'
# should be used.
#
# Arguments: $1 - hook name; an empty name is a no-op
# Globals:   run_config_candidates, run_config_tfut_candidates (whitespace
#            separated fragment names), test_config_file, hook_env_file
# Every fragment and the test config file are executed as shell code via
# "source"; they all live under $ci_root.
call_hook() {
	local func="$1"
	local config_fragment
	[ -z "$func" ] && return 0
	echo "=== Calling hooks: $1 ==="
	# Start this hook with an empty environment file.
	: >"$hook_env_file"
	if [ "$run_config_candidates" ]; then
		for config_fragment in $run_config_candidates; do
			# Subshell: nothing the fragment defines leaks out. A failing
			# hook aborts the whole build.
			(
				source "$ci_root/run_config/$config_fragment"
				call_func "$func" "$config_fragment"
			) || fail_build
		done
	fi
	if [ "$run_config_tfut_candidates" ]; then
		for config_fragment in $run_config_tfut_candidates; do
			(
				source "$ci_root/run_config_tfut/$config_fragment"
				call_func "$func" "$config_fragment"
			) || fail_build
		done
	fi
	# Also source test config file
	(
		# Presumably drops any function of that name inherited from the
		# enclosing shell so only a definition from the test config itself
		# runs — TODO confirm.
		unset "$func"
		source "$test_config_file"
		call_func "$func" "$(basename $test_config_file)"
	) || fail_build
	# Have any variables set take effect (the file holds "export"/"source"
	# lines written by set_hook_var, append_hook_var and source_later).
	source "$hook_env_file"
	echo "=== End calling hooks: $1 ==="
}
# Set a variable from within a hook
# Set a variable from within a hook. The assignment is queued in
# $hook_env_file and takes effect when call_hook() sources that file. The
# value is written unescaped inside double quotes, so it is shell-expanded
# at that point.
#
# Arguments: $1 - variable name, $2 - value (must be set, may be empty)
set_hook_var() {
	local name="$1"
	local value="${2?}"
	printf 'export %s="%s"\n' "$name" "$value" >> "$hook_env_file"
}
# Append to an array from within a hook
# Append to a variable from within a hook. Like set_hook_var(), but the queued
# line uses "+=" so the value is concatenated when $hook_env_file is sourced.
#
# Arguments: $1 - variable name, $2 - text to append (must be set)
append_hook_var() {
	local name="$1"
	local value="${2?}"
	printf 'export %s+="%s"\n' "$name" "$value" >> "$hook_env_file"
}
# Have the main build script source a file
# Have the main build script source file $1 once the current hook finishes
# (the "source" line is queued in $hook_env_file).
#
# Arguments: $1 - path of the script to source (must be set)
source_later() {
	local script="${1?}"
	printf 'source %s\n' "$script" >> "$hook_env_file"
}
# Setup TF build wrapper function by pointing to a script containing a function
# that will be called with the TF build commands.
# Setup TF build wrapper function by pointing to a script containing a function
# that will be called with the TF build commands.
#
# Globals: wrapper (required) - base name; the script is
#          $ci_root/script/<wrapper>_wrapper.sh and the function <wrapper>_wrapper
setup_tf_build_wrapper() {
	local name="${wrapper?}"
	source_later "$ci_root/script/${name}_wrapper.sh"
	set_hook_var "tf_build_wrapper" "${name}_wrapper"
	echo "Setup $name build wrapper."
}
# Collect .bin files for archiving
# Collect .bin (and .elf/.dtb/.axf/.stm32/.img) files for archiving.
#
# Globals: from (source directory; a missing one is silently skipped),
#          to (destination directory, required)
collect_build_artefacts() {
	local src_dir="${from:?}"
	if [ ! -d "$src_dir" ]; then
		return 0
	fi
	local name_filter=(
		-name '*.bin' -o -name '*.elf' -o -name '*.dtb' -o
		-name '*.axf' -o -name '*.stm32' -o -name '*.img'
	)
	if ! find "$src_dir" \( "${name_filter[@]}" \) -exec cp -t "${to:?}" '{}' +; then
		echo "You probably are running local CI on local repositories."
		echo "Did you set 'dont_clean' but forgot to run 'distclean'?"
		die
	fi
}
# Collect SPM/hafnium artefacts with "secure_" appended to the files
# generated for SPM(secure hafnium).
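# Collect SPM/hafnium artefacts. Non-secure binaries are copied as-is; the
# files generated for SPM (secure hafnium) get "secure_" prepended to their
# name so both sets can share the destination.
#
# Globals: non_secure_from, secure_from (source directories, required),
#          to (destination directory, required)
collect_spm_artefacts() {
	local f
	if [ -d "${non_secure_from:?}" ]; then
		find "$non_secure_from" \( -name '*.bin' -o -name '*.elf' \) -exec cp -t "${to:?}" '{}' +
	fi
	if [ -d "${secure_from:?}" ]; then
		# NUL-delimited so that whitespace or glob characters in a path
		# cannot split it; word-splitting the find output would.
		while IFS= read -r -d '' f; do
			cp -- "$f" "${to:?}/secure_$(basename -- "$f")"
		done < <(find "$secure_from" \( -name '*.bin' -o -name '*.elf' \) -print0)
	fi
}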
# Collect the unit-test artefacts listed by get_ut_test_list.py and record
# the list in $to/tfut_artefacts.txt.
#
# Globals: from (source directory; skipped if missing), to (required),
#          tfut_root, ci_root; artefact_list and artefact are left set
collect_tfut_artefacts() {
	local src_dir="${from:?}"
	if [ ! -d "$src_dir" ]; then
		return 0
	fi
	pushd "$tfut_root/build"
	# Not declared local: the list remains visible after the call.
	artefact_list=$(python3 "$ci_root/script/get_ut_test_list.py")
	for artefact in $artefact_list; do
		cp -t "${to:?}" "$src_dir/$artefact"
	done
	tr ' ' '\n' <<<"$artefact_list" > "${to:?}/tfut_artefacts.txt"
	popd
}
# Create the placeholder coverage file for TFUT when coverage is enabled.
#
# Globals: coverage ("ON" enables), tfut_root, to (required when enabled)
collect_tfut_coverage() {
	[ "$coverage" = "ON" ] || return 0
	pushd "$tfut_root/build"
	touch "${to:?}/tfut_coverage.txt"
	popd
}
# Map the UART ID used for expect with the UART descriptor and port
# used by the FPGA automation tools.
# Map the UART ID used for expect with the UART descriptor and port
# used by the FPGA automation tools. Each value is written to its own file
# under $archive/run/uart<N>/.
#
# Globals: uart, port, descriptor, baudrate, archive (all required)
map_uart() {
	local port="${port:?}"
	local descriptor="${descriptor:?}"
	local baudrate="${baudrate:?}"
	local uart_dir="${archive:?}/run/uart${uart:?}"
	local key
	mkdir -p "$uart_dir"
	for key in port descriptor baudrate; do
		echo "${!key}" > "$uart_dir/$key"
	done
	echo "UART${uart} mapped to port ${port} with descriptor ${descriptor} and baudrate ${baudrate}"
}
# Arrange environment varibles to be set when expect scripts are launched
# Arrange environment variables to be set when expect scripts are launched
# for UART $uart (appended to $archive/run/uart<N>/env via emit_env).
#
# Arguments: $1 - variable name, $2 - value (must be set)
# Globals:   uart, archive (required)
set_expect_variable() {
	local var="${1:?}"
	local val="${2?}"
	local uart_dir="${archive:?}/run/uart${uart:?}"
	mkdir -p "$uart_dir"
	env_file="$uart_dir/env" quote="1" emit_env "$var" "$val"
	echo "UART$uart: env has $@"
}
# Place the binary package a pointer to expect script, and its parameters
# Place in the binary package a pointer to the expect script and its
# parameters for UART $uart.
#
# Globals: file (expect script, required), timeout (seconds, default 600),
#          lava_timeout, port, set_primary, set_payload_uart (optional),
#          archive, uart (required)
track_expect() {
	local file="${file:?}"
	local timeout="${timeout-600}"
	local uart_dir="${archive:?}/run/uart${uart:?}"
	mkdir -p "$uart_dir"
	echo "$file" > "$uart_dir/expect"
	echo "$timeout" > "$uart_dir/timeout"
	[ -z "$lava_timeout" ] || set_run_env "lava_timeout" "$lava_timeout"
	echo "UART$uart to be tracked with $file; timeout ${timeout}s; lava_timeout ${lava_timeout:-N/A}s"
	[ -z "${port}" ] || echo "${port}" > "$uart_dir/port"
	# The run script assumes UART0 to be primary. If we're asked to set any
	# other UART to be primary, set a run environment variable to signal
	# that to the run script
	if upon "$set_primary"; then
		echo "Primary UART set to UART$uart."
		set_run_env "primary_uart" "$uart"
	fi
	# UART used by payload (such as tftf, Linux) may not be the same as the
	# primary UART. Set a run environment variable to track the payload
	# UART which is tracked to check if the test has finished successfully.
	if upon "$set_payload_uart"; then
		echo "Payload uses UART$uart."
		set_run_env "payload_uart" "$uart"
	fi
}
# Extract a FIP in $1 using fiptool
# Extract a FIP in $1 using fiptool. A URL is fetched into the current
# directory first and its basename unpacked.
#
# Arguments: $1 - path or URL of the FIP
# Globals:   fiptool is left set to the fiptool path after the call
extract_fip() {
	local fip="$1"
	if is_url "$fip"; then
		url="$fip" fetch_file
		fip="$(basename "$fip")"
	fi
	# Not declared local: $fiptool remains visible to the caller.
	fiptool=$(fiptool_path)
	"$fiptool" unpack "$fip"
	echo "Extracted FIP: $fip"
}
# Report build failure by printing a the tail end of build log. Archive the
# build log for later inspection
# Report build failure by pointing at the build log, archive the log for
# later inspection and exit the script with status 1.
#
# Globals: jenkins_run (selects a $BUILD_URL link over the local path),
#          build_log, archive
fail_build() {
	local log_path="$build_log"
	if upon "$jenkins_run"; then
		log_path="$BUILD_URL/artifact/artefacts/build.log"
	fi
	printf '\nBuild failed!\n\nSee %s for full output\n\n' "$log_path"
	cp -t "$archive" "$build_log"
	exit 1
}
# Build a FIP with supplied arguments
# Build a FIP with supplied arguments.
#
# Runs in a subshell so that settings from $workspace/tf.env stay local. All
# output is appended to $build_log.
#
# Arguments: extra make variables/targets passed through to the TF-A build
# Globals:   tf_root, tf_config_file, tf_build_root, make_j_opts, DEBUG,
#            fip_targets (default "fip"), workspace, build_log
build_fip() {
	(
		echo "Building FIP with arguments: $@"
		# Optional extra environment for the build; "set -a" exports every
		# variable the file assigns.
		local tf_env="$workspace/tf.env"
		if [ -f "$tf_env" ]; then
			set -a
			source "$tf_env"
			set +a
		fi
		if [ "$(get_tf_opt MEASURED_BOOT)" = 1 ]; then
			# These are needed for accurate hash verification
			local build_args_path="${workspace}/fip_build_args"
			# NOTE(review): $@ and the path are unquoted, so the saved
			# arguments are re-split and glob-expanded first.
			echo $@ > $build_args_path
			archive_file $build_args_path
		fi
		# $make_j_opts and the config file contents are unquoted because
		# each holds several words that make must see separately.
		# NOTE(review): without "set -o pipefail" the status of this pipeline
		# is tee's, so a failing make does not reach fail_build here unless
		# utils.sh enables pipefail — confirm.
		make -C "$tf_root" $make_j_opts $(cat "$tf_config_file") DEBUG="$DEBUG" BUILD_BASE=$tf_build_root V=1 "$@" \
			${fip_targets:-fip} 2>&1 | tee -a "$build_log" || fail_build
	) 2>&1 | tee -a "$build_log" || fail_build
}
# Build any extra rule from TF-A makefile with supplied arguments.
#
# This is useful in case you need to build something else than firmware binaries
# or the FIP.
# Build any extra rule from TF-A makefile with supplied arguments.
#
# This is useful in case you need to build something else than firmware binaries
# or the FIP.
#
# Arguments: extra make variables/targets
# Globals:   tf_extra_rules (required, the rule(s) to build), tf_root,
#            tf_config_file, tf_build_root, make_j_opts, DEBUG, workspace,
#            build_log
build_tf_extra() {
	(
		tf_extra_rules=${tf_extra_rules:?}
		echo "Building extra TF rule(s): $tf_extra_rules"
		echo " Arguments: $@"
		# Optional extra environment for the build; "set -a" exports every
		# variable the file assigns.
		local tf_env="$workspace/tf.env"
		if [ -f "$tf_env" ]; then
			set -a
			source "$tf_env"
			set +a
		fi
		# NOTE(review): without "set -o pipefail" the pipeline's status is
		# tee's, so a failing make does not reach fail_build here unless
		# utils.sh enables pipefail — confirm.
		make -C "$tf_root" $make_j_opts $(cat "$tf_config_file") DEBUG="$DEBUG" V=1 BUILD_BASE=$tf_build_root "$@" \
			${tf_extra_rules} 2>&1 | tee -a "$build_log" || fail_build
	)
}
# Update image $bin_name inside $archive/fip.bin with the file $src.
#
# Without TBBR this is a single fiptool "update". With TBBR the FIP is
# unpacked into a temporary directory, the certificates are regenerated with
# cert_create and the FIP is re-created and archived.
#
# Globals: bin_name (required; a fiptool option name such as "hw-config"),
#          src (replacement image), archive, nvctr, KEY_ALG (optional
#          certificate parameters), tf_root, build_log
# Returns: 1 if the installed fiptool does not support --$bin_name
fip_update() {
	fiptool=$(fiptool_path)
	# Before the update process, check if the given image is supported by
	# the fiptool. It's assumed that both fiptool and cert_create move in
	# tandem, and therefore, if one has support, the other has it too.
	# ($bin_name is interpolated into the grep pattern as-is.)
	if ! ("$fiptool" update 2>&1 || true) | grep -qe "\s\+--${bin_name:?}"; then
		return 1
	fi
	if not_upon "$(get_tf_opt TRUSTED_BOARD_BOOT)"; then
		echo "Updating FIP image: $bin_name"
		# Update HW config. Without TBBR, it's only a matter of using
		# the update sub-command of fiptool
		"$fiptool" update "--$bin_name" "${src:-}" \
			"$archive/fip.bin"
	else
		echo "Updating FIP image (TBBR): $bin_name"
		# With TBBR, we need to unpack, re-create certificates, and then
		# recreate the FIP.
		# ("local x=$(cmd)" masks the command's exit status.)
		local fip_dir="$(mktempdir)"
		local bin common_args stem
		# The ROT key path is taken from the TF-A config; a relative path
		# is resolved against $tf_root.
		local rot_key="$(get_tf_opt ROT_KEY)"
		rot_key="${rot_key:?}"
		if ! is_abs "$rot_key"; then
			rot_key="$tf_root/$rot_key"
		fi
		# Arguments only for cert_create. Both NV counters fall back to
		# different defaults but are overridden by the same $nvctr.
		local cert_args="-n"
		cert_args+=" --tfw-nvctr ${nvctr:-31}"
		cert_args+=" --ntfw-nvctr ${nvctr:-223}"
		cert_args+=" --key-alg ${KEY_ALG:-rsa}"
		cert_args+=" --rot-key $rot_key"
		local dyn_config_opts=(
			"fw-config"
			"hw-config"
			"tb-fw-config"
			"nt-fw-config"
			"soc-fw-config"
			"tos-fw-config"
		)
		# Binaries without key certificates
		declare -A has_no_key_cert
		for bin in "tb-fw" "${dyn_config_opts[@]}"; do
			has_no_key_cert["$bin"]="1"
		done
		# Binaries without certificates
		declare -A has_no_cert
		for bin in "hw-config" "${dyn_config_opts[@]}"; do
			has_no_cert["$bin"]="1"
		done
		pushd "$fip_dir"
		# Unpack FIP
		"$fiptool" unpack "$archive/fip.bin" 2>&1 | tee -a "$build_log"
		# Remove all existing certificates (inside the temporary directory)
		rm -f *-cert.bin
		# Copy the binary to be updated
		cp -f "$src" "${bin_name}.bin"
		# FIP unpack dumps binaries with the same name as the option
		# used to pack it; likewise for certificates. Reverse-engineer
		# the command line from the binary output.
		common_args="--trusted-key-cert trusted_key.crt"
		for bin in *.bin; do
			stem="${bin%%.bin}"
			common_args+=" --$stem $bin"
			if not_upon "${has_no_cert[$stem]}"; then
				common_args+=" --$stem-cert $stem.crt"
			fi
			if not_upon "${has_no_key_cert[$stem]}"; then
				common_args+=" --$stem-key-cert $stem-key.crt"
			fi
		done
		# Create certificates. $cert_args/$common_args are word lists and
		# therefore unquoted.
		cert_create=$(cert_create_path)
		"$cert_create" $cert_args $common_args 2>&1 | tee -a "$build_log"
		# Recreate and archive FIP
		"$fiptool" create $common_args "fip.bin" 2>&1 | tee -a "$build_log"
		archive_file "fip.bin"
		popd
	fi
}
# Update hw-config in FIP, and remove the original DTB afterwards.
# Update hw-config in FIP, and remove the original DTB afterwards.
#
# Globals: archive (the FIP and dtb.bin live there); TF-A options are read
#          via get_tf_opt()
update_fip_hw_config() {
	local opt
	# The DTB needs to be loaded by the model (and not updated in the FIP)
	# in configs:
	# 1. Where BL2 isn't present
	# 2. Where we boot to Linux directly as BL33
	for opt in RESET_TO_BL31 ARM_LINUX_KERNEL_AS_BL33 RESET_TO_SP_MIN RESET_TO_BL2; do
		if [ "$(get_tf_opt "$opt")" = "1" ]; then
			return 0
		fi
	done
	if bin_name="hw-config" src="$archive/dtb.bin" fip_update; then
		# Remove the DTB so that model won't load it
		rm -f "$archive/dtb.bin"
	fi
}
# Print the value of option $1 from the TFTF config file, or nothing if the
# config is not valid. The file appears to hold NAME=VALUE shell assignments;
# it is sourced inside a subshell so nothing leaks into the caller.
#
# Arguments: $1 - option name (required)
# Globals:   tftf_config_file
get_tftf_opt() {
	(
		local opt_name="${1:?}"
		if config_valid "$tftf_config_file"; then
			source "$tftf_config_file"
			echo "${!opt_name}"
		fi
	)
}
# Print the value of option $1 from the TF-A config file, or nothing if the
# config is not valid. The file appears to hold NAME=VALUE shell assignments;
# it is sourced inside a subshell so nothing leaks into the caller.
#
# Arguments: $1 - option name (required)
# Globals:   tf_config_file
get_tf_opt() {
	(
		local opt_name="${1:?}"
		if config_valid "$tf_config_file"; then
			source "$tf_config_file"
			echo "${!opt_name}"
		fi
	)
}
# Print the value of option $1 from the RMM config file, falling back to $2
# when the option is unset or empty. Nothing is printed if the config is not
# valid. The file is sourced inside a subshell so nothing leaks out.
#
# Arguments: $1 - option name (required), $2 - default value (optional)
# Globals:   rmm_config_file
get_rmm_opt() {
	(
		local opt_name="${1:?}"
		local fallback="$2"
		if config_valid "$rmm_config_file"; then
			source "$rmm_config_file"
			local value="${!opt_name}"
			echo "${value:-$fallback}"
		fi
	)
}
# Build TF-A in a subshell: source the chosen config, fetch the MBED TLS
# sources when a secure-boot feature needs them, log the command line and run
# make through $tf_build_wrapper. All output is appended to $build_log.
#
# Globals: tf_root, tf_config_file, tf_build_config, tf_build_targets,
#          tf_build_root, tf_build_wrapper, make_j_opts, DEBUG, bin_mode,
#          workspace, mbedtls_archive, llvm_dir, jenkins_run, dont_clean,
#          local_ci, connect_debugger, build_log
build_tf() {
	(
		env_file="$workspace/tf.env"
		config_file="${tf_build_config:-$tf_config_file}"
		# Build fiptool and all targets by default
		build_targets="${tf_build_targets:-fiptool all}"
		source "$config_file" || fail_build
		# If it is a TBBR build, extract the MBED TLS library from archive
		if [ "$(get_tf_opt TRUSTED_BOARD_BOOT)" = 1 ] ||
			[ "$(get_tf_opt MEASURED_BOOT)" = 1 ] ||
			[ "$(get_tf_opt DRTM_SUPPORT)" = 1 ]; then
			mbedtls_dir="$workspace/mbedtls"
			if [ ! -d "$mbedtls_dir" ]; then
				mbedtls_ar="$workspace/mbedtls.tar.gz"
				# Downloaded from $mbedtls_archive; no integrity check is
				# visible here (fetch_file may do one — confirm).
				url="$mbedtls_archive" saveas="$mbedtls_ar" fetch_file
				mkdir "$mbedtls_dir"
				extract_tarball $mbedtls_ar $mbedtls_dir --strip-components=1
			fi
			emit_env "MBEDTLS_DIR" "$mbedtls_dir"
		fi
		# Default checkout locations for the TF-M test suite and its extras,
		# only when the config does not provide them.
		if [ "$(get_tf_opt PLATFORM_TEST)" = "tfm-testsuite" ] &&
			not_upon "${TF_M_TESTS_PATH}"; then
			emit_env "TF_M_TESTS_PATH" "$WORKSPACE/tf-m-tests"
		fi
		if [ "$(get_tf_opt PLATFORM_TEST)" = "tfm-testsuite" ] &&
			not_upon "${TF_M_EXTRAS_PATH}"; then
			emit_env "TF_M_EXTRAS_PATH" "$WORKSPACE/tf-m-extras"
		fi
		if [ "$(get_tf_opt DICE_PROTECTION_ENVIRONMENT)" = 1 ] &&
			not_upon "${QCBOR_DIR}"; then
			emit_env "QCBOR_DIR" "$WORKSPACE/qcbor"
		fi
		# Hash verification only occurs if there is a sufficient amount of
		# information in the event log, which is as long as EVENT_LOG_LEVEL
		# is set to at least 20 or if it is a debug build
		if [[ ("$(get_tf_opt MEASURED_BOOT)" -eq 1) &&
			(($bin_mode == "debug") || ("$(get_tf_opt EVENT_LOG_LEVEL)" -ge 20)) ]]; then
			# This variable is later exported to the expect scripts so
			# the hashes in the TF-A event log can be verified
			set_run_env "verify_hashes" "1"
		fi
		# Optional extra environment; "set -a" exports every assignment.
		if [ -f "$env_file" ]; then
			set -a
			source "$env_file"
			set +a
		fi
		if is_arm_jenkins_env || upon "$local_ci"; then
			path_list=(
				"$llvm_dir/bin"
			)
			extend_path "PATH" "path_list"
		fi
		pushd "$tf_root"
		# Always distclean when running on Jenkins. Skip distclean when running
		# locally and explicitly requested.
		if upon "$jenkins_run" || not_upon "$dont_clean"; then
			make distclean BUILD_BASE=$tf_build_root 2>&1 | tee -a "$build_log" || fail_build
		fi
		# Log build command line. It is left unfolded on purpose to assist
		# copying to clipboard.
		cat <<EOF | log_separator
Build command line:
$tf_build_wrapper make $make_j_opts $(cat "$config_file" | tr '\n' ' ') DEBUG=$DEBUG V=1 BUILD_BASE=$tf_build_root $build_targets
CC version:
$(${CC-${CROSS_COMPILE}gcc} -v 2>&1)
EOF
		# Outside local CI the model must never wait for a debugger.
		if not_upon "$local_ci"; then
			connect_debugger=0
		fi
		# Build TF. Since build output is being directed to the build log, have
		# descriptor 3 point to the current terminal for build wrappers to vent.
		# NOTE(review): without "set -o pipefail" the pipeline's status is
		# tee's, so a failing make does not reach fail_build here unless
		# utils.sh enables pipefail — confirm.
		$tf_build_wrapper poetry run make $make_j_opts $(cat "$config_file") \
			DEBUG="$DEBUG" V=1 BUILD_BASE="$tf_build_root" SPIN_ON_BL1_EXIT="$connect_debugger" \
			$build_targets 3>&1 2>&1 | tee -a "$build_log" || fail_build
		# Memory usage reports are best-effort ("|| true") and never fail
		# the build.
		if [ "$build_targets" != "doc" ]; then
			(poetry run memory --root "$tf_build_root" symbols 2>&1 || true) | tee -a "${build_log}"
			for map in $(find "${tf_build_root}" -name '*.map'); do
				(poetry run memory --root "${tf_build_root}" summary "${map}" 2>&1 || true) | tee -a "${build_log}"
			done
		fi
		popd
	)
}
# Build TFTF in a subshell: source the chosen config, optionally distclean,
# log the command line and run make. All output is appended to $build_log.
#
# Globals: tftf_root, tftf_config_file, tftf_build_config,
#          tftf_build_targets, tftf_build_root, make_j_opts, DEBUG,
#          jenkins_run, dont_clean, build_log
build_tftf() {
	(
		config_file="${tftf_build_config:-$tftf_config_file}"
		# Build tftf target by default
		build_targets="${tftf_build_targets:-all}"
		source "$config_file" || fail_build
		cd "$tftf_root"
		# Always distclean when running on Jenkins. Skip distclean when running
		# locally and explicitly requested.
		if upon "$jenkins_run" || not_upon "$dont_clean"; then
			make distclean BUILD_BASE="$tftf_build_root" 2>&1 | tee -a "$build_log" || fail_build
		fi
		# TFTF build system cannot reliably deal with -j option, so we avoid
		# using that.
		# (NOTE(review): $make_j_opts is nevertheless passed below — confirm
		# whether the comment or the command is out of date.)
		# Log build command line
		cat <<EOF | log_separator
Build command line:
make $make_j_opts $(cat "$config_file" | tr '\n' ' ') DEBUG=$DEBUG V=1 BUILD_BASE="$tftf_build_root" $build_targets
EOF
		# NOTE(review): without "set -o pipefail" the pipeline's status is
		# tee's, so a failing make does not reach fail_build here unless
		# utils.sh enables pipefail — confirm.
		make $make_j_opts $(cat "$config_file") DEBUG="$DEBUG" V=1 BUILD_BASE="$tftf_build_root" \
			$build_targets 2>&1 | tee -a "$build_log" || fail_build
	)
}
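# Build the code coverage (bmcov) model plugin against the Fast Model library
# found in the Arm warehouse.
#
# Globals: model_version, warehouse, ccpathspec (read); ARM_DIR, pvlibversion,
#          PVLIB_HOME (written and left set); build_log (appended)
# Note: unlike the other build functions this one is not run in a subshell by
# the mode loop, so the final "cd" changes the caller's working directory.
# Exits non-zero if the warehouse is not mounted.
build_cc() {
	ARM_DIR=/arm
	# Check the mount before anything under /arm is executed: with "set -e"
	# a missing mount would otherwise abort on the detag call without the
	# explanatory message.
	if [ ! -d "$ARM_DIR" ] || [ -n "$(find "$ARM_DIR" -maxdepth 0 -type d -empty 2>/dev/null)" ]; then
		echo "Error: Arm warehouse not mounted. Please mount the Arm warehouse to your /arm local folder" >&2
		exit 1
	fi
	pvlibversion=$(/arm/devsys-tools/abs/detag "SysGen:PVModelLib:$model_version::trunk")
	PVLIB_HOME="$warehouse/SysGen/PVModelLib/$model_version/${pvlibversion}/external"
	cd "$ccpathspec/scripts/tools/code_coverage/fastmodel_baremetal/bmcov"
	make -C model-plugin PVLIB_HOME="$PVLIB_HOME" 2>&1 | tee -a "$build_log"
}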
# Build SPM (hafnium) in a subshell: source the chosen config and optional
# $workspace/spm.env, optionally clean, log the command line and run make.
# All output is appended to $build_log.
#
# Globals: spm_root, spm_config_file, spm_build_config, spm_build_root,
#          make_j_opts, workspace, jenkins_run, dont_clean, build_log
build_spm() {
	(
		env_file="$workspace/spm.env"
		config_file="${spm_build_config:-$spm_config_file}"
		source "$config_file" || fail_build
		# Optional extra environment; "set -a" exports every assignment.
		if [ -f "$env_file" ]; then
			set -a
			source "$env_file"
			set +a
		fi
		cd "$spm_root"
		# Always clean when running on Jenkins. Skip clean when running
		# locally and explicitly requested.
		if upon "$jenkins_run" || not_upon "$dont_clean"; then
			# make clean fails on a fresh repo where the project has not
			# yet been built. Hence only clean if out/reference directory
			# already exists.
			if [ -d "out/reference" ]; then
				make clean 2>&1 | tee -a "$build_log" || fail_build
			fi
		fi
		# Log build command line. It is left unfolded on purpose to assist
		# copying to clipboard.
		cat <<EOF | log_separator
Build command line:
make $make_j_opts OUT=$spm_build_root $(cat "$config_file" | tr '\n' ' ')
EOF
		# Build SPM. Since build output is being directed to the build log, have
		# descriptor 3 point to the current terminal for build wrappers to vent.
		# NOTE(review): without "set -o pipefail" the pipeline's status is
		# tee's, so a failing make does not reach fail_build here unless
		# utils.sh enables pipefail — confirm.
		make $make_j_opts OUT=$spm_build_root $(cat "$config_file") 3>&1 2>&1 | tee -a "$build_log" \
			|| fail_build
	)
}
# Build TF-RMM in a subshell: source the chosen config and optional
# $workspace/rmm.env, install the project's Python requirements, optionally
# wipe the build directory, log the command lines and run cmake.
# All output of the build step is appended to $build_log.
#
# Globals: rmm_root, rmm_config_file, rmm_build_config, rmm_build_root, plat,
#          cmake_gen, cmake_build_type, rmm_toolchain, rmm_fpu_use_at_rel2,
#          rmm_attest_el3_token_sign, rmm_v1_1, extra_options, extra_targets,
#          make_j_opts, workspace, jenkins_run, dont_clean, local_ci,
#          connect_debugger, build_log
build_rmm() {
	(
		env_file="$workspace/rmm.env"
		config_file="${rmm_build_config:-$rmm_config_file}"
		# The RMM is always cross-compiled with the bare-metal AArch64
		# toolchain prefix.
		export CROSS_COMPILE="aarch64-none-elf-"
		source "$config_file" || fail_build
		# Optional extra environment; "set -a" exports every assignment.
		if [ -f "$env_file" ]; then
			set -a
			source "$env_file"
			set +a
		fi
		cd "$rmm_root"
		# Python dependencies of the checked-out RMM tree. NOTE(review):
		# whatever that requirements file pins (or does not pin) is
		# installed into the user site — the versions are not controlled
		# from here.
		if [ -f "$rmm_root/requirements.txt" ]; then
			export PATH="$HOME/.local/bin:$PATH"
			python3 -m pip install --upgrade pip
			python3 -m pip install -r "$rmm_root/requirements.txt"
		fi
		# Always distclean when running on Jenkins. Skip distclean when running
		# locally and explicitly requested.
		if upon "$jenkins_run" || not_upon "$dont_clean"; then
			# Remove 'rmm\build' folder
			# NOTE(review): $rmm_build_root is unquoted and not guarded
			# with ":?"; an unexpected value here would be removed as-is.
			echo "Removing $rmm_build_root..."
			rm -rf $rmm_build_root
		fi
		# Outside local CI the model must never wait for a debugger.
		if not_upon "$local_ci"; then
			connect_debugger=0
		fi
		# Log build command line. It is left unfolded on purpose to assist
		# copying to clipboard.
		cat <<EOF | log_separator
Build command line:
cmake -DRMM_CONFIG=${plat}_defcfg "$cmake_gen" -S $rmm_root -B $rmm_build_root -DRMM_TOOLCHAIN=$rmm_toolchain -DRMM_FPU_USE_AT_REL2=$rmm_fpu_use_at_rel2 -DATTEST_EL3_TOKEN_SIGN=$rmm_attest_el3_token_sign -DRMM_V1_1=$rmm_v1_1 ${extra_options}
cmake --build $rmm_build_root --config $cmake_build_type $make_j_opts -v ${extra_targets+-- $extra_targets}
EOF
		# Configure step. $cmake_gen and $extra_options are word lists and
		# therefore unquoted; "set -e" aborts the subshell if cmake fails.
		cmake \
			-DRMM_CONFIG=${plat}_defcfg $cmake_gen \
			-S $rmm_root -B $rmm_build_root \
			-DRMM_TOOLCHAIN=$rmm_toolchain \
			-DRMM_FPU_USE_AT_REL2=$rmm_fpu_use_at_rel2 \
			-DATTEST_EL3_TOKEN_SIGN=$rmm_attest_el3_token_sign \
			-DRMM_V1_1=$rmm_v1_1 \
			${extra_options}
		# Build step. NOTE(review): without "set -o pipefail" the pipeline's
		# status is tee's, so a failing cmake --build does not reach
		# fail_build here unless utils.sh enables pipefail — confirm.
		cmake --build $rmm_build_root --config $cmake_build_type $make_j_opts -v ${extra_targets+-- $extra_targets} 3>&1 2>&1 | tee -a "$build_log" || fail_build
	)
}
# Build the TF-A unit tests (TFUT) in a subshell: source the chosen config,
# optionally wipe the build directory, derive cmake -D options from the
# config, then run cmake and make. Output is appended to $build_log.
#
# Globals: tfut_root, tfut_config_file, tfut_build_config,
#          tfut_build_targets, tf_root, COVERAGE, DEBUG, jenkins_run,
#          dont_clean, build_log
build_tfut() {
	(
		config_file="${tfut_build_config:-$tfut_config_file}"
		# Build tfut target by default
		build_targets="${tfut_build_targets:-all}"
		source "$config_file" || fail_build
		mkdir -p "$tfut_root/build"
		cd "$tfut_root/build"
		# Always distclean when running on Jenkins. Skip distclean when running
		# locally and explicitly requested.
		if upon "$jenkins_run" || not_upon "$dont_clean"; then
			#make clean &>>"$build_log" || fail_build
			# Wipes the current directory, which is $tfut_root/build
			# because the "cd" above aborts the subshell on failure.
			rm -Rf * || fail_build
		fi
		#Override build targets only if the run config did not set them.
		# NOTE(review): the inner test is "-z", so build_targets is only
		# rewritten when no "tests=" line exists (and then from an empty
		# string); "-n" looks intended — confirm.
		if [ $build_targets == "all" ]; then
			tests_line=$(cat "$config_file" | { grep "tests=" || :; })
			if [ -z "$tests_line" ]; then
				build_targets=$(echo "$tests_line" | awk -F= '{ print $NF }')
			fi
		fi
		#TODO: extract vars from env to use them for cmake
		test -f "$config_file"
		# Every non-"tests=" line of the config becomes a -D option.
		config=$(cat "$config_file" | grep -v "tests=") \
			&& cmake_config=$(echo "$config" | sed -e 's/^/\-D/')
		# Check if cmake is installed
		if ! command -v cmake &> /dev/null
		then
			echo "cmake could not be found"
			exit 1
		fi
		# Log build command line
		# (NOTE(review): the logged line shows -DCMAKE_VERBOSE_MAKEFILE while
		# the real command passes -DCMAKE_VERBOSE_MAKEFILE=ON.)
		cat <<EOF | log_separator
Build command line:
cmake $(echo "$cmake_config") -G"Unix Makefiles" --debug-output -DCMAKE_VERBOSE_MAKEFILE -DCOVERAGE="$COVERAGE" -DUNIT_TEST_PROJECT_PATH="$tf_root" ..
make $(echo "$config" | tr '\n' ' ') DEBUG=$DEBUG V=1 $build_targets
EOF
		# $cmake_config is word-split on purpose: one -D option per line.
		# NOTE(review): without "set -o pipefail" these pipelines report
		# tee's status, so a failing cmake/make does not reach fail_build
		# here unless utils.sh enables pipefail — confirm.
		cmake $(echo "$cmake_config") -G"Unix Makefiles" --debug-output \
			-DCMAKE_VERBOSE_MAKEFILE=ON \
			-DCOVERAGE="$COVERAGE" \
			-DUNIT_TEST_PROJECT_PATH="$tf_root" \
			.. 2>&1 | tee -a "$build_log" || fail_build
		echo "Done with cmake" | tee -a "$build_log"
		make $(echo "$config") VERBOSE=1 \
			$build_targets 2>&1 | tee -a "$build_log" || fail_build
	)
}
# Set metadata for the whole package so that it can be used by both Jenkins and
# shell
# Set metadata for the whole package so that it can be used by both Jenkins and
# shell. Arguments are passed straight to emit_env with $artefacts/env as the
# target file.
set_package_var() {
	local package_env="$artefacts/env"
	env_file="$package_env" emit_env "$@"
}
# Hook helper: choose the TF-A make targets via set_hook_var.
#
# Globals: targets (required)
set_tf_build_targets() {
	local wanted="${targets:?}"
	echo "Set build target to '$wanted'"
	set_hook_var "tf_build_targets" "$wanted"
}
# Hook helper: choose the TFTF make targets via set_hook_var.
#
# Globals: targets (required)
set_tftf_build_targets() {
	local wanted="${targets:?}"
	echo "Set build target to '$wanted'"
	set_hook_var "tftf_build_targets" "$wanted"
}
# Hook helper: choose the SPM make targets via set_hook_var.
#
# Globals: targets (required)
set_spm_build_targets() {
	local wanted="${targets:?}"
	echo "Set build target to '$wanted'"
	set_hook_var "spm_build_targets" "$wanted"
}
# Hook helper: append TFUT build targets via append_hook_var. A trailing
# space is added so that successive calls stay word-separated.
#
# Globals: targets (required)
add_tfut_build_targets() {
	local wanted="${targets:?}"
	echo "Add TFUT build targets '$wanted'"
	append_hook_var "tfut_build_targets" "$wanted "
}
# Hook helper: record the SPMC secure output directory via set_hook_var.
#
# Globals: out_dir (required)
set_spm_out_dir() {
	local chosen="${out_dir:?}"
	echo "Set SPMC binary build to '$chosen'"
	set_hook_var "spm_secure_out_dir" "$chosen"
}
# Look under $archive directory for known files such as blX images, kernel, DTB,
# initrd etc. For each known file foo, if foo.bin exists, then set variable
# foo_bin to the path of the file. Make the path relative to the workspace so as
# to remove any @ characters, which Jenkins inserts for parallel runs. If the
# file doesn't exist, unset its path.
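# Look under $archive directory for known files such as blX images, kernel, DTB,
# initrd etc. For each known file foo, if foo.bin exists, then set variable
# foo_bin to the path of the file. Make the path relative to the workspace so as
# to remove any @ characters, which Jenkins inserts for parallel runs. If the
# file doesn't exist, unset its path.
#
# Globals: archive (required). Variables named <stem>_bin are set in the
#          caller's shell; file and var_name are also left set, as before.
set_default_bin_paths() {
	local archive="${archive:?}"
	local set_vars
	local var
	pushd "$archive"
	for file in *.bin; do
		# Get a shell variable from the file's stem; every non-alphanumeric
		# character becomes "_" so the result is a valid identifier.
		var_name="${file%%.*}_bin"
		var_name="$(echo "$var_name" | sed -r 's/[^[:alnum:]]/_/g')"
		# Skip setting the variable if it's already set
		if [ "${!var_name}" ]; then
			echo "Note: not setting $var_name; already set to ${!var_name}"
			continue
		fi
		set_vars+="$var_name "
		# Assign by name without "eval": the file name is data and must
		# not be re-parsed as shell code.
		printf -v "$var_name" '%s' "$file"
	done
	echo "Binary paths set for: "
	{
		for var in $set_vars; do
			echo -n "\$$var "
		done
	} | fmt -80 | sed 's/^/ /'
	echo
	popd
}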
# Generate the model parameter file $archive/model_params by sourcing the
# per-model script $ci_root/model/<model>.sh, then archive it.
#
# Globals: archive, model (required), connect_debugger; wait_debugger is set
#          to 1 when connect_debugger is 1
gen_model_params() {
	local model_param_file="$archive/model_params"
	if [ "$connect_debugger" ] && [ "$connect_debugger" -eq 1 ]; then
		wait_debugger=1
	fi
	set_default_bin_paths
	echo "Generating model parameter for $model..."
	source "$ci_root/model/${model:?}.sh"
	archive_file "$model_param_file"
}
# Record the model binary path for the run script. When $retain_paths is set
# only the basename is recorded.
#
# Arguments: $1 - model path (required)
set_model_path() {
	local input_path="${1:?}"
	local recorded="$input_path"
	if upon "$retain_paths"; then
		recorded="$(basename "$input_path")"
	fi
	set_run_env "model_path" "$recorded"
}
# Queue an environment variable for the model in $archive/run/model_env.
# The value is written unquoted, so it is shell-expanded when that file is
# sourced.
#
# Arguments: $1 - variable name, $2 - value (must be set)
set_model_env() {
	local var="${1:?}"
	local val="${2?}"
	local run_root="${archive:?}/run"
	mkdir -p "$run_root"
	printf 'export %s=%s\n' "$var" "$val" >> "$run_root/model_env"
}
# Record a variable for the run script in $archive/run/env via emit_env
# (quoted form).
#
# Arguments: $1 - variable name, $2 - value (must be set)
set_run_env() {
	local var="${1:?}"
	local val="${2?}"
	local run_env_dir="${archive:?}/run"
	mkdir -p "$run_env_dir"
	env_file="$run_env_dir/env" quote="1" emit_env "$var" "$val"
}
# Display the description of HEAD in repository $1, each line prefixed
# with " > ".
show_head() {
	local repo="$1"
	pushd "$repo"
	git show --quiet --no-color | sed 's/^/ > /g'
	echo
	popd
}
# Choose debug binaries to run; by default, release binaries are chosen to run
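# Choose debug binaries to run; by default, release binaries are chosen to run.
# Records BIN_MODE=debug in the package metadata.
use_debug_bins() {
	echo "Choosing debug binaries for execution"
	set_package_var "BIN_MODE" "debug"
}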
# Decide whether the directory named by variable $1 can be cloned into.
#
# Arguments: $1 - name of a variable holding the target path (required)
# Returns:   0 if the path does not exist yet; 1 if it is already a Git
#            clone (reuse it); dies if it exists but is something else
assert_can_git_clone() {
	local name="${1:?}"
	local dir="${!name}"
	# Nothing there yet: it can be cloned into
	[ -e "$dir" ] || return 0
	# An existing Git clone is reused instead of being cloned again
	if [ -d "$dir" ] && [ -d "$dir/.git" ]; then
		echo "Using existing git clone for $name: $dir"
		return 1
	fi
	die "Path $dir exists but is not a git clone"
}
# Shallow-clone $clone_url into $where and, if $refspec is set, fetch and
# check out that refspec.
#
# Globals: clone_url (required; a local path is rewritten to file://),
#          where (required), refspec (optional)
clone_repo() {
	if ! is_url "${clone_url?}"; then
		# For --depth to take effect on local paths, it needs to use the
		# file:// scheme.
		clone_url="file://$clone_url"
	fi
	git clone -q --depth 1 "$clone_url" "${where?}"
	[ "$refspec" ] || return 0
	pushd "$where"
	git fetch -q --depth 1 origin "$refspec"
	git checkout -q FETCH_HEAD
	popd
}
# Mark the build as unstable on stdout and in $build_log.
build_unstable() {
	local marker="--BUILD UNSTABLE--"
	echo "$marker" | tee -a "$build_log"
}
# Revert, in reverse order, every patch listed in $patch_record (one name per
# line) from the current directory's Git tree, then delete the record.
#
# Globals: patch_record (required), ci_root, local_ci
undo_patch_record() {
	local record="${patch_record:?}"
	[ -f "$record" ] || return 0
	# Undo patches in reverse
	echo
	for patch_name in $(tac "$record"); do
		echo "Undoing $patch_name..."
		if git apply -R "$ci_root/patch/$patch_name"; then
			continue
		fi
		if upon "$local_ci"; then
			echo
			echo "Your local directory may have been dirtied."
			echo
		fi
		fail_build
	done
	rm -f "$record"
}
# Revert the patches applied to the TF-A tree and, if it exists, the TFTF tree.
undo_local_patches() {
	pushd "$tf_root"
	patch_record="$tf_patch_record" undo_patch_record
	popd
	[ -d "$tftf_root" ] || return 0
	pushd "$tftf_root"
	patch_record="$tftf_patch_record" undo_patch_record
	popd
}
# Revert the patches recorded for the TFTF tree.
undo_tftf_patches() {
	local record="$tftf_patch_record"
	pushd "$tftf_root"
	patch_record="$record" undo_patch_record
	popd
}
# Revert the patches recorded for the TF-A tree.
undo_tf_patches() {
	local record="$tf_patch_record"
	pushd "$tf_root"
	patch_record="$record" undo_patch_record
	popd
}
# Apply patch $ci_root/patch/$1 to the Git tree in the current directory and
# record its name in $patch_record. Already-applied patches are skipped.
#
# Arguments: $1 - patch file name (required)
# Globals:   patch_record (required on success), skip_patches, local_ci
apply_patch() {
	local patch="${1:?}"
	# If skip_patches is set, the developer has applied required patches
	# manually. They probably want to keep them applied for debugging
	# purposes too. This means we don't have to apply/revert them as part of
	# build process.
	if upon "$skip_patches"; then
		echo "Skipped applying $patch..."
		return 0
	fi
	echo "Applying $patch..."
	local patch_path="$ci_root/patch/$patch"
	if git apply --reverse --check < "$patch_path" 2> /dev/null; then
		echo "Skipping already applied $patch"
		return 0
	fi
	if ! git apply < "$patch_path"; then
		if upon "$local_ci"; then
			undo_local_patches
		fi
		fail_build
	fi
	echo "$patch" >> "${patch_record:?}"
}
# Apply patch $1 to the TF-A tree. On local CI the tree is first mirrored
# into $archive/tfa_mirror (including uncommitted changes) and tf_root is
# redirected there, so the developer's checkout stays untouched.
#
# Arguments: $1 - patch file name
# Globals:   tf_root (may be reassigned), archive, local_ci, tf_patch_record;
#            root, new_root and diff are left set
apply_tf_patch() {
	root="$tf_root"
	new_root="$archive/tfa_mirror"
	# parallel builds are only used locally. Don't do for CI since this will
	# have a speed penalty. Also skip if this was already done as a single
	# job may apply many patches.
	if upon "$local_ci" && [[ ! -d $new_root ]]; then
		root=$new_root
		diff=$(mktempfile)
		# get anything still uncommitted
		pushd $tf_root
		git diff HEAD > $diff
		popd
		# git will hard link when cloning locally, no need for --depth=1
		git clone "$tf_root" $root --shallow-submodules --recurse-submodules
		tf_root=$root # next apply_tf_patch will run in the same hook
		set_hook_var "tf_root" "$root" # for anyone outside the hook
		# apply uncommitted changes so they are picked up in the build
		# (best effort: a failure to apply them is silently ignored)
		pushd $tf_root
		git apply $diff &> /dev/null || true
		popd
	fi
	pushd "$root"
	patch_record="$tf_patch_record" apply_patch "$1"
	popd
}
# Create the working directories and record the chosen test config in the
# package metadata.
mkdir -p "$workspace"
mkdir -p "$archive"
set_package_var "TEST_CONFIG" "$test_config"

{
	echo
	echo "CONFIGURATION: $test_group/$test_config"
	echo
} |& log_separator

# $BUILD_CONFIG is a comma-separated list of config names in the order
# TF-A, TFTF, SPM, RMM, TFUT; a missing field is simply empty.
tf_config="$(echo "$build_configs" | awk -F, '{print $1}')"
tftf_config="$(echo "$build_configs" | awk -F, '{print $2}')"
spm_config="$(echo "$build_configs" | awk -F, '{print $3}')"
rmm_config="$(echo "$build_configs" | awk -F, '{print $4}')"
tfut_config="$(echo "$build_configs" | awk -F, '{print $5}')"

# Resolve each config name to its file under the CI tree.
test_config_file="$ci_root/group/$test_group/$test_config"
tf_config_file="$ci_root/tf_config/$tf_config"
tftf_config_file="$ci_root/tftf_config/$tftf_config"
spm_config_file="$ci_root/spm_config/$spm_config"
rmm_config_file="$ci_root/rmm_config/$rmm_config"
tfut_config_file="$ci_root/tfut_config/$tfut_config"

# File that keeps track of applied patches
tf_patch_record="$workspace/tf_patches"
tftf_patch_record="$workspace/tftf_patches"

# Split run config into TF and TFUT components (comma-separated)
run_config_tfa="$(echo "$run_config" | awk -F, '{print $1}')"
run_config_tfut="$(echo "$run_config" | awk -F, '{print $2}')"
# The rest of the script runs from inside the workspace.
pushd "$workspace"

# For each component, blank the config name if config_valid rejects it;
# otherwise print the sorted, tab-indented contents of its config file.
if ! config_valid "$tf_config"; then
	tf_config=
else
	echo "Trusted Firmware config:"
	echo
	sort "$tf_config_file" | sed '/^\s*$/d;s/^/\t/'
	echo
fi

if ! config_valid "$tftf_config"; then
	tftf_config=
else
	echo "Trusted Firmware TF config:"
	echo
	sort "$tftf_config_file" | sed '/^\s*$/d;s/^/\t/'
	echo
fi

if ! config_valid "$spm_config"; then
	spm_config=
else
	echo "SPM config:"
	echo
	sort "$spm_config_file" | sed '/^\s*$/d;s/^/\t/'
	echo
fi

# File that keeps track of applied patches
rmm_patch_record="$workspace/rmm_patches"

if ! config_valid "$rmm_config"; then
	rmm_config=
else
	echo "Trusted Firmware RMM config:"
	echo
	sort "$rmm_config_file" | sed '/^\s*$/d;s/^/\t/'
	echo
fi

if ! config_valid "$tfut_config"; then
	tfut_config=
else
	echo "TFUT config:"
	echo
	sort "$tfut_config_file" | sed '/^\s*$/d;s/^/\t/'
	echo
fi

if ! config_valid "$run_config_tfa"; then
	run_config_tfa=
fi
# Clone each source tree that the chosen configs need, unless
# assert_can_git_clone finds an existing clone to reuse.
# NOTE(review): every clone_repo call below is piped into tee; without
# "set -o pipefail" the pipeline's status is tee's, so a failed clone does
# not stop the script here (unless utils.sh enables pipefail — confirm).
if { [ "$tf_config" ] || [ "$tfut_config" ]; } && assert_can_git_clone "tf_root"; then
	# If the Trusted Firmware repository has already been checked out, use
	# that location. Otherwise, clone one ourselves.
	echo "Cloning Trusted Firmware..."
	clone_url="${TF_CHECKOUT_LOC:-$tf_src_repo_url}" where="$tf_root" \
		refspec="$TF_REFSPEC" clone_repo 2>&1 | tee -a "$build_log"
	show_head "$tf_root"
fi

if [ "$tftf_config" ] && assert_can_git_clone "tftf_root"; then
	# If the Trusted Firmware TF repository has already been checked out,
	# use that location. Otherwise, clone one ourselves.
	echo "Cloning Trusted Firmware TF..."
	clone_url="${TFTF_CHECKOUT_LOC:-$tftf_src_repo_url}" where="$tftf_root" \
		refspec="$TFTF_REFSPEC" clone_repo 2>&1 | tee -a "$build_log"
	show_head "$tftf_root"
fi

if [ -n "$cc_config" ] ; then
	if [ "$cc_config" -eq 1 ] && assert_can_git_clone "cc_root"; then
		# Copy code coverage repository
		# NOTE(review): cloned into "cc_plugin" relative to the current
		# directory, not into $cc_root; URL and tag are unquoted.
		echo "Cloning Code Coverage..."
		git clone -q $cc_src_repo_url cc_plugin --depth 1 -b $cc_src_repo_tag > /dev/null
		show_head "$cc_root"
	fi
fi

if [ "$spm_config" ] ; then
	if assert_can_git_clone "spm_root"; then
		# If the SPM repository has already been checked out, use
		# that location. Otherwise, clone one ourselves.
		echo "Cloning SPM..."
		clone_url="${SPM_CHECKOUT_LOC:-$spm_src_repo_url}" \
			where="$spm_root" refspec="$SPM_REFSPEC" \
			clone_repo 2>&1 | tee -a "$build_log"
	fi
	# Query git submodules
	pushd "$spm_root"
	# Check if submodules need initialising
	# This handling is needed to reliably fetch submodules
	# in CI environment.
	# Each uninitialised submodule ("-" status) gets up to 7 attempts with
	# a randomised 5-14s back-off; a failed attempt is deinitialised first.
	for subm in $(git submodule status | awk '/^-/ {print $2}'); do
		for i in $(seq 1 7); do
			git submodule init $subm
			if git submodule update $subm; then
				break
			fi
			git submodule deinit --force $subm
			echo "Retrying $subm"
			sleep $((RANDOM % 10 + 5))
		done
	done
	git submodule status
	popd
	show_head "$spm_root"
fi

if [ "$rmm_config" ] && assert_can_git_clone "rmm_root"; then
	# If the RMM repository has already been checked out,
	# use that location. Otherwise, clone one ourselves.
	echo "Cloning TF-RMM..."
	clone_url="${RMM_CHECKOUT_LOC:-$rmm_src_repo_url}" where="$rmm_root" \
		refspec="$RMM_REFSPEC" clone_repo 2>&1 | tee -a "$build_log"
	show_head "$rmm_root"
fi

if [ "$tfut_config" ] && assert_can_git_clone "tfut_root"; then
	# If the Trusted Firmware UT repository has already been checked out,
	# use that location. Otherwise, clone one ourselves.
	echo "Cloning Trusted Firmware UT..."
	clone_url="${TFUT_CHECKOUT_LOC:-$tfut_src_repo_url}" where="$tfut_root" \
		refspec="$TFUT_GERRIT_REFSPEC" clone_repo 2>&1 | tee -a "$build_log"
	show_head "$tfut_root"
fi
# Expand the run configs into the list of fragments (hook files) to source.
if [ "$run_config_tfa" ]; then
	# Get candidates for TF-A run config
	run_config_candidates="$("$ci_root/script/gen_run_config_candidates.py" \
		"$run_config_tfa")"
	if [ -z "$run_config_candidates" ]; then
		die "No run config candidates!"
	else
		echo
		echo "Chosen fragments:"
		echo
		echo "$run_config_candidates" | sed 's/^\|\n/\t/g'
		echo
		# Unless bin_mode was given, infer it: a fragment named "debug"
		# selects debug binaries, anything else release.
		if [ ! -n "$bin_mode" ]; then
			if echo $run_config_candidates | grep -wq "debug"; then
				bin_mode="debug"
			else
				bin_mode="release"
			fi
		fi
	fi
fi

if [ "$run_config_tfut" ]; then
	# Get candidates for run TFUT config
	run_config_tfut_candidates="$("$ci_root/script/gen_run_config_candidates.py" \
		"--unit-testing" "$run_config_tfut")"
	if [ -z "$run_config_tfut_candidates" ]; then
		die "No run TFUT config candidates!"
	else
		echo
		echo "Chosen fragments:"
		echo
		echo "$run_config_tfut_candidates" | sed 's/^\|\n/\t/g'
	fi
fi
# Let the chosen fragments and the test config run their test_setup hooks.
call_hook "test_setup"
echo

if upon "$local_ci"; then
	# For local runs, since each config is tried in sequence, it's
	# advantageous to run jobs in parallel
	if [ "$make_j" ]; then
		make_j_opts="-j $make_j"
	else
		# Best effort: if getconf fails, make_j_opts is simply left unset.
		n_cores="$(getconf _NPROCESSORS_ONLN)" 2>/dev/null || true
		if [ "$n_cores" ]; then
			make_j_opts="-j $n_cores"
		fi
	fi
fi

# Install python build dependencies
if is_arm_jenkins_env; then
	source "$ci_root/script/install_python_deps.sh"
fi

# Install c-picker dependency (only needed for the unit-test build). The
# virtualenv is created in the current directory, i.e. the workspace, and
# stays activated for the rest of the script.
if config_valid "$tfut_config"; then
	echo "started building"
	python3 -m venv .venv
	source .venv/bin/activate
	if ! python3 -m pip show c-picker &> /dev/null; then
		echo "Installing c-picker"
		# NOTE(review): installs from a branch ref rather than a pinned
		# tag or commit, so the installed code can change between runs.
		pip install git+https://git.trustedfirmware.org/TS/trusted-services.git@topics/c-picker || {
			echo "c-picker was not installed!"
			exit 1
		}
		echo "c-picker was installed"
	else
		echo "c-picker is already installed"
	fi
fi
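# Print CMake version. Only the first line is kept; the pipeline's status is
# sed's, so a missing cmake does not trip "set -e" here.
cmake_ver="$(cmake --version | sed -n '1p')"
echo "Using $cmake_ver"

# Check for Ninja and, if present, have CMake generate Ninja files.
if command -v ninja >/dev/null 2>&1; then
	# Print Ninja version
	ninja_ver="$(ninja --version | sed -n '1p')"
	echo "Using ninja $ninja_ver"
	export cmake_gen="-G Ninja"
else
	echo 'Ninja is not installed'
	export cmake_gen=""
fi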
# Revert the patches recorded for the RMM checkout so the tree is clean for
# the next build mode. Runs from inside $rmm_root (directory restored on
# return) and hands the record to undo_patch_record via $patch_record.
undo_rmm_patches() {
	pushd "${rmm_root}"
	patch_record="${rmm_patch_record}" undo_patch_record
	popd
}
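# Build every requested mode. A $bin_mode fixed by the caller (or derived from
# the run-config fragments above) restricts this to a single mode; otherwise
# both debug and release are built. $modes is deliberately left unquoted in
# the for-loop: it is a space-separated list.
modes="${bin_mode:-debug release}"
for mode in $modes; do
	echo "===== Building package in mode: $mode ====="

	# Build with a temporary archive, one sub-directory per mode
	build_archive="$archive/$mode"
	mkdir -p "$build_archive"

	if [ "$mode" = "debug" ]; then
		export bin_mode="debug"
		cmake_build_type="Debug"
		DEBUG=1
	else
		export bin_mode="release"
		cmake_build_type="Release"
		DEBUG=0
	fi
	# NOTE(review): DEBUG and cmake_build_type are not exported here; they
	# are presumably picked up by the build_* helpers -- confirm.

	# Perform builds in a subshell so as not to pollute the current and
	# subsequent builds' environment: each component sources its own
	# platform utilities and rebinds $archive to the per-mode directory.

	if config_valid "$cc_config"; then
		# Build code coverage plugin
		build_cc
	fi

	# TFTF build
	if config_valid "$tftf_config"; then
		(
		echo "##########"

		# NOTE(review): PLAT_UTILS is read from the TF-A config (get_tf_opt)
		# while PLAT below comes from the TFTF config -- confirm intended.
		plat_utils="$(get_tf_opt PLAT_UTILS)"
		if [ -z "$plat_utils" ]; then
			# Source platform-specific utilities.
			plat="$(get_tftf_opt PLAT)"
			plat_utils="$ci_root/${plat}_utils.sh"
		else
			# Source platform-specific utilities by
			# using plat_utils name.
			plat_utils="$ci_root/${plat_utils}.sh"
		fi

		if [ -f "$plat_utils" ]; then
			source "$plat_utils"
		fi

		archive="$build_archive"
		tftf_build_root="$archive/build/tftf"
		mkdir -p "$tftf_build_root"

		echo "Building Trusted Firmware TF ($mode) ..." |& log_separator

		# Call pre-build hook
		call_hook pre_tftf_build

		build_tftf

		from="$tftf_build_root" to="$archive" collect_build_artefacts

		# Clear any local changes made by applied patches
		undo_tftf_patches

		echo "##########"
		echo
		)
	fi

	# SPM build
	if config_valid "$spm_config"; then
		(
		echo "##########"

		# Get platform name from spm_config file: everything before the
		# first '-'.
		plat="${spm_config%%-*}"
		plat_utils="$ci_root/${plat}_utils.sh"
		if [ -f "$plat_utils" ]; then
			source "$plat_utils"
		fi

		# Call pre-build hook
		call_hook pre_spm_build

		# SPM build generates two sets of binaries, one for normal and other
		# for Secure world. We need both set of binaries for CI.
		archive="$build_archive"
		spm_build_root="$archive/build/spm"
		spm_secure_build_root="$spm_build_root/$spm_secure_out_dir"
		spm_ns_build_root="$spm_build_root/$spm_non_secure_out_dir"

		echo "spm_build_root is $spm_build_root"

		echo "Building SPM ($mode) ..." |& log_separator

		# NOTE: mode has no effect on SPM build (for now), hence debug
		# mode is built but subsequent build using release mode just
		# goes through with "nothing to do".
		build_spm

		# Show SPM/Hafnium binary details. cksum is a CRC meant for
		# eyeballing the log only; it is not collision resistant, so do not
		# treat the logged value as an integrity or provenance check (use
		# sha256sum for that).
		cksum "$spm_secure_build_root/hafnium.bin"

		# Some platforms only have secure configuration enabled. Hence,
		# non secure hafnium binary might not be built.
		if [ -f "$spm_ns_build_root/hafnium.bin" ]; then
			cksum "$spm_ns_build_root/hafnium.bin"
		fi

		secure_from="$spm_secure_build_root" non_secure_from="$spm_ns_build_root" to="$archive" collect_spm_artefacts

		echo "##########"
		echo
		)
	fi

	# TF RMM build
	if config_valid "$rmm_config"; then
		(
		echo "##########"

		plat_utils="$(get_rmm_opt PLAT_UTILS)"
		if [ -z "$plat_utils" ]; then
			# Source platform-specific utilities.
			plat="$(get_rmm_opt PLAT)"
			# NOTE(review): these RMM options are only read when PLAT_UTILS
			# is unset; with PLAT_UTILS set they stay at whatever the
			# environment holds -- confirm that is intended.
			extra_options="$(get_rmm_opt EXTRA_OPTIONS)"
			extra_targets="$(get_rmm_opt EXTRA_TARGETS "")"
			rmm_toolchain="$(get_rmm_opt TOOLCHAIN gnu)"
			rmm_fpu_use_at_rel2="$(get_rmm_opt RMM_FPU_USE_AT_REL2 OFF)"
			rmm_attest_el3_token_sign="$(get_rmm_opt ATTEST_EL3_TOKEN_SIGN OFF)"
			rmm_v1_1="$(get_rmm_opt RMM_V1_1 ON)"
			plat_utils="$ci_root/${plat}_utils.sh"
		else
			# Source platform-specific utilities by
			# using plat_utils name.
			plat_utils="$ci_root/${plat_utils}.sh"
		fi

		if [ -f "$plat_utils" ]; then
			source "$plat_utils"
		fi

		archive="$build_archive"
		rmm_build_root="$rmm_root/build"

		echo "Building Trusted Firmware RMM ($mode) ..." |& log_separator

		#call_hook pre_rmm_build

		build_rmm

		# Collect all rmm.* files: rmm.img, rmm.elf, rmm.dump, rmm.map
		from="$rmm_build_root" to="$archive" collect_build_artefacts

		# Clear any local changes made by applied patches
		undo_rmm_patches

		echo "##########"
		)
	fi

	# TF build
	if config_valid "$tf_config"; then
		(
		echo "##########"

		plat_utils="$(get_tf_opt PLAT_UTILS)"
		export plat_variant="$(get_tf_opt TARGET_PLATFORM)"

		if [ -z "$plat_utils" ]; then
			# Source platform-specific utilities.
			plat="$(get_tf_opt PLAT)"
			plat_utils="$ci_root/${plat}_utils.sh"
		else
			# Source platform-specific utilities by
			# using plat_utils name.
			plat_utils="$ci_root/${plat_utils}.sh"
		fi

		if [ -f "$plat_utils" ]; then
			source "$plat_utils"
		fi

		fvp_tsram_size="$(get_tf_opt FVP_TRUSTED_SRAM_SIZE)"
		fvp_tsram_size="${fvp_tsram_size:-256}"

		# Install TF-A's python tooling (without the docs group) from the
		# lock file in the checkout.
		poetry -C "$tf_root" install --no-root --without docs

		archive="$build_archive"
		tf_build_root="$archive/build/tfa"
		mkdir -p "$tf_build_root"

		echo "Building Trusted Firmware ($mode) ..." |& log_separator

		# Call pre-build hook
		call_hook pre_tf_build

		build_tf

		# Call post-build hook
		call_hook post_tf_build

		# Pre-archive hook
		call_hook pre_tf_archive

		from="$tf_build_root" to="$archive" collect_build_artefacts

		# Post-archive hook
		call_hook post_tf_archive

		call_hook fetch_tf_resource
		call_hook post_fetch_tf_resource

		# Generate LAVA job files if necessary
		call_hook generate_lava_job_template
		call_hook generate_lava_job

		# Clear any local changes made by applied patches
		undo_tf_patches

		echo "##########"
		)
	fi

	# TFUT build
	if config_valid "$tfut_config"; then
		(
		echo "##########"

		archive="$build_archive"
		tfut_build_root="$tfut_root/build"

		echo "Building Trusted Firmware UT ($mode) ..." |& log_separator

		# Clean TFUT build targets
		set_hook_var "tfut_build_targets" ""

		# Call pre-build hook
		call_hook pre_tfut_build

		build_tfut

		from="$tfut_build_root" to="$archive" collect_tfut_artefacts
		to="$archive" coverage="$COVERAGE" collect_tfut_coverage

		echo "##########"
		echo
		)
	fi

	echo
	echo
done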
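# Leave the c-picker virtualenv that was activated for the TFUT build.
if config_valid "$tfut_config"; then
	deactivate
fi

call_hook pre_package
call_hook post_package

# Hand the collected artefacts to the receiver on Jenkins runs. $CI_ROOT
# (uppercase) is presumably supplied by the job environment and differs from
# the $ci_root derived at the top of this script; fall back to $ci_root so an
# unset CI_ROOT cannot make this resolve to /script/send_artefacts.sh.
if upon "$jenkins_run" && upon "$artefacts_receiver" && [ -d "artefacts" ]; then
	source "${CI_ROOT:-$ci_root}/script/send_artefacts.sh" "artefacts"
fi

echo
echo "Done"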