|  | #!/usr/bin/env bash | 
|  | # | 
|  | # Copyright (c) 2019-2025 Arm Limited. All rights reserved. | 
|  | # | 
|  | # SPDX-License-Identifier: BSD-3-Clause | 
|  | # | 
|  |  | 
|  | # Builds a package with Trusted Firwmare and other payload binaries. The package | 
|  | # is meant to be executed by run_package.sh | 
|  |  | 
|  | set -e | 
|  |  | 
|  | ci_root="$(readlink -f "$(dirname "$0")/..")" | 
|  | source "$ci_root/utils.sh" | 
|  |  | 
|  | if [ ! -d "$workspace" ]; then | 
|  | die "Directory $workspace doesn't exist" | 
|  | fi | 
|  |  | 
|  | # Directory to where the source code e.g. for Trusted Firmware is checked out. | 
|  | export tf_root="${tf_root:-$workspace/trusted_firmware}" | 
|  | export tftf_root="${tftf_root:-$workspace/trusted_firmware_tf}" | 
|  | export tfut_root="${tfut_root:-$workspace/tfut}" | 
|  | cc_root="${cc_root:-$ccpathspec}" | 
|  | spm_root="${spm_root:-$workspace/spm}" | 
|  | rmm_root="${rmm_root:-$workspace/tf-rmm}" | 
|  |  | 
|  | # Refspecs | 
|  | tf_refspec="$TF_REFSPEC" | 
|  | tftf_refspec="$TFTF_REFSPEC" | 
|  | spm_refspec="$SPM_REFSPEC" | 
|  | rmm_refspec="$RMM_REFSPEC" | 
|  | tfut_gerrit_refspec="$TFUT_GERRIT_REFSPEC" | 
|  |  | 
|  | test_config="${TEST_CONFIG:?}" | 
|  | test_group="${TEST_GROUP:?}" | 
|  | build_configs="${BUILD_CONFIG:?}" | 
|  | run_config="${RUN_CONFIG:?}" | 
|  | cc_config="${CC_ENABLE:-}" | 
|  |  | 
|  | export archive="$artefacts" | 
|  | build_log="$artefacts/build.log" | 
|  |  | 
|  | fiptool_path() { | 
|  | echo $tf_build_root/$(get_tf_opt PLAT)/${bin_mode}/tools/fiptool/fiptool | 
|  | } | 
|  |  | 
|  | cert_create_path() { | 
|  | echo $tf_build_root/$(get_tf_opt PLAT)/${bin_mode}/tools/cert_create/cert_create | 
|  | } | 
|  |  | 
|  | # Validate $bin_mode | 
|  | case "$bin_mode" in | 
|  | "" | debug | release) | 
|  | ;; | 
|  | *) | 
|  | die "Invalid value for bin_mode: $bin_mode" | 
|  | ;; | 
|  | esac | 
|  |  | 
|  | # File to save any environem | 
|  | hook_env_file="$(mktempfile)" | 
|  |  | 
|  | # Echo from a build wrapper. Print to descriptor 3 that's opened by the build | 
|  | # function. | 
|  | echo_w() { | 
|  | echo $echo_flags "$@" >&3 | 
|  | } | 
|  |  | 
|  | # Print a separator to the log file. Intended to be used at the tail end of a pipe | 
|  | log_separator() { | 
|  | { | 
|  | echo | 
|  | echo "----------" | 
|  | } >> "$build_log" | 
|  |  | 
|  | tee -a "$build_log" | 
|  |  | 
|  | { | 
|  | echo "----------" | 
|  | echo | 
|  | } >> "$build_log" | 
|  | } | 
|  |  | 
|  | # Call function $1 if it's defined | 
|  | call_func() { | 
|  | if type "${1:?}" &>/dev/null; then | 
|  | echo | 
|  | echo "> ${2:?}:$1()" | 
|  | eval "$1" | 
|  | echo "< $2:$1()" | 
|  | fi | 
|  | } | 
|  |  | 
|  | # Retry a command a number of times if it fails. Intended for I/O commands | 
|  | # in a CI environment which may be flaky. | 
|  | function retry() { | 
|  | for i in $(seq 1 3); do | 
|  | if "$@"; then | 
|  | return 0 | 
|  | fi | 
|  | sleep $(( i * 5 )) | 
|  | done | 
|  | return 1 | 
|  | } | 
|  |  | 
|  | # Call hook $1 in all chosen fragments if it's defined. Hooks are invoked from | 
|  | # within a subshell, so any variables set within a hook are lost. Should a | 
|  | # variable needs to be set from within a hook, the function 'set_hook_var' | 
|  | # should be used | 
|  | call_hook() { | 
|  | local func="$1" | 
|  | local config_fragment | 
|  |  | 
|  | [ -z "$func" ] && return 0 | 
|  |  | 
|  | echo "=== Calling hooks: $1 ===" &>>"$build_log" | 
|  |  | 
|  | : >"$hook_env_file" | 
|  |  | 
|  | if [ "$run_config_candidates" ]; then | 
|  | for config_fragment in $run_config_candidates; do | 
|  | ( | 
|  | source "$ci_root/run_config/$config_fragment" | 
|  | call_func "$func" "$config_fragment" | 
|  | ) &>>"$build_log" || fail_build | 
|  | done | 
|  | fi | 
|  |  | 
|  | if [ "$run_config_tfut_candidates" ]; then | 
|  | for config_fragment in $run_config_tfut_candidates; do | 
|  | ( | 
|  | source "$ci_root/run_config_tfut/$config_fragment" | 
|  | call_func "$func" "$config_fragment" | 
|  | ) &>>"$build_log" || fail_build | 
|  | done | 
|  | fi | 
|  |  | 
|  | # Also source test config file | 
|  | ( | 
|  | unset "$func" | 
|  | source "$test_config_file" | 
|  | call_func "$func" "$(basename $test_config_file)" | 
|  | ) | 
|  |  | 
|  | # Have any variables set take effect | 
|  | source "$hook_env_file" | 
|  |  | 
|  | echo "=== End calling hooks: $1 ===" &>>"$build_log" | 
|  | } | 
|  |  | 
|  | # Set a variable from within a hook | 
|  | set_hook_var() { | 
|  | echo "export $1=\"${2?}\"" >> "$hook_env_file" | 
|  | } | 
|  |  | 
|  | # Append to an array from within a hook | 
|  | append_hook_var() { | 
|  | echo "export $1+=\"${2?}\"" >> "$hook_env_file" | 
|  | } | 
|  |  | 
|  | # Have the main build script source a file | 
|  | source_later() { | 
|  | echo "source ${1?}" >> "$hook_env_file" | 
|  | } | 
|  |  | 
|  | # Setup TF build wrapper function by pointing to a script containing a function | 
|  | # that will be called with the TF build commands. | 
|  | setup_tf_build_wrapper() { | 
|  | source_later "$ci_root/script/${wrapper?}_wrapper.sh" | 
|  | set_hook_var "tf_build_wrapper" "${wrapper}_wrapper" | 
|  | echo "Setup $wrapper build wrapper." | 
|  | } | 
|  |  | 
|  | # Collect .bin files for archiving | 
|  | collect_build_artefacts() { | 
|  | if [ ! -d "${from:?}" ]; then | 
|  | return | 
|  | fi | 
|  |  | 
|  | if ! find "$from" \( -name "*.bin" -o -name '*.elf' -o -name '*.dtb' -o -name '*.axf' -o -name '*.stm32' -o -name '*.img' \) -exec cp -t "${to:?}" '{}' +; then | 
|  | echo "You probably are running local CI on local repositories." | 
|  | echo "Did you set 'dont_clean' but forgot to run 'distclean'?" | 
|  | die | 
|  | fi | 
|  | } | 
|  |  | 
|  | # Collect SPM/hafnium artefacts with "secure_" appended to the files | 
|  | # generated for SPM(secure hafnium). | 
|  | collect_spm_artefacts() { | 
|  | if [ -d "${non_secure_from:?}" ]; then | 
|  | find "$non_secure_from" \( -name "*.bin" -o -name '*.elf' \) -exec cp -t "${to:?}" '{}' + | 
|  | fi | 
|  |  | 
|  | if [ -d "${secure_from:?}" ]; then | 
|  | for f in $(find "$secure_from" \( -name "*.bin" -o -name '*.elf' \)); do cp -- "$f" "${to:?}"/secure_$(basename $f); done | 
|  | fi | 
|  | } | 
|  |  | 
|  | collect_tfut_artefacts() { | 
|  | if [ ! -d "${from:?}" ]; then | 
|  | return | 
|  | fi | 
|  |  | 
|  | pushd "$tfut_root/build" | 
|  | artefact_list=$(python3 "$ci_root/script/get_ut_test_list.py") | 
|  | for artefact in $artefact_list; do | 
|  | cp -t "${to:?}" "$from/$artefact" | 
|  | done | 
|  | echo "$artefact_list" | tr ' ' '\n' > "${to:?}/tfut_artefacts.txt" | 
|  | popd | 
|  | } | 
|  |  | 
|  | collect_tfut_coverage() { | 
|  | if [ "$coverage" != "ON" ]; then | 
|  | return | 
|  | fi | 
|  |  | 
|  | pushd "$tfut_root/build" | 
|  | touch "${to:?}/tfut_coverage.txt" | 
|  | popd | 
|  | } | 
|  |  | 
|  | # Map the UART ID used for expect with the UART descriptor and port | 
|  | # used by the FPGA automation tools. | 
|  | map_uart() { | 
|  | local port="${port:?}" | 
|  | local descriptor="${descriptor:?}" | 
|  | local baudrate="${baudrate:?}" | 
|  | local run_root="${archive:?}/run" | 
|  |  | 
|  | local uart_dir="$run_root/uart${uart:?}" | 
|  | mkdir -p "$uart_dir" | 
|  |  | 
|  | echo "$port" > "$uart_dir/port" | 
|  | echo "$descriptor" > "$uart_dir/descriptor" | 
|  | echo "$baudrate" > "$uart_dir/baudrate" | 
|  |  | 
|  | echo "UART${uart} mapped to port ${port} with descriptor ${descriptor} and baudrate ${baudrate}" | 
|  | } | 
|  |  | 
|  | # Arrange environment varibles to be set when expect scripts are launched | 
|  | set_expect_variable() { | 
|  | local var="${1:?}" | 
|  | local val="${2?}" | 
|  |  | 
|  | local run_root="${archive:?}/run" | 
|  | local uart_dir="$run_root/uart${uart:?}" | 
|  | mkdir -p "$uart_dir" | 
|  |  | 
|  | env_file="$uart_dir/env" quote="1" emit_env "$var" "$val" | 
|  | echo "UART$uart: env has $@" | 
|  | } | 
|  |  | 
|  | # Place the binary package a pointer to expect script, and its parameters | 
|  | track_expect() { | 
|  | local file="${file:?}" | 
|  | local timeout="${timeout-600}" | 
|  | local run_root="${archive:?}/run" | 
|  |  | 
|  | local uart_dir="$run_root/uart${uart:?}" | 
|  | mkdir -p "$uart_dir" | 
|  |  | 
|  | echo "$file" > "$uart_dir/expect" | 
|  | echo "$timeout" > "$uart_dir/timeout" | 
|  | if [ -n "$lava_timeout" ]; then | 
|  | set_run_env "lava_timeout" "$lava_timeout" | 
|  | fi | 
|  |  | 
|  | echo "UART$uart to be tracked with $file; timeout ${timeout}s; lava_timeout ${lava_timeout:-N/A}s" | 
|  |  | 
|  | if [ ! -z "${port}" ]; then | 
|  | echo "${port}" > "$uart_dir/port" | 
|  | fi | 
|  |  | 
|  | # The run script assumes UART0 to be primary. If we're asked to set any | 
|  | # other UART to be primary, set a run environment variable to signal | 
|  | # that to the run script | 
|  | if upon "$set_primary"; then | 
|  | echo "Primary UART set to UART$uart." | 
|  | set_run_env "primary_uart" "$uart" | 
|  | fi | 
|  |  | 
|  | # UART used by payload(such as tftf, Linux) may not be the same as the | 
|  | # primary UART. Set a run environment variable to track the payload | 
|  | # UART which is tracked to check if the test has finished sucessfully. | 
|  | if upon "$set_payload_uart"; then | 
|  | echo "Payload uses UART$uart." | 
|  | set_run_env "payload_uart" "$uart" | 
|  | fi | 
|  | } | 
|  |  | 
|  | # Extract a FIP in $1 using fiptool | 
|  | extract_fip() { | 
|  | local fip="$1" | 
|  |  | 
|  | if is_url "$1"; then | 
|  | url="$1" fetch_file | 
|  | fip="$(basename "$1")" | 
|  | fi | 
|  |  | 
|  | fiptool=$(fiptool_path) | 
|  | "$fiptool" unpack "$fip" | 
|  | echo "Extracted FIP: $fip" | 
|  | } | 
|  |  | 
|  | # Report build failure by printing a the tail end of build log. Archive the | 
|  | # build log for later inspection | 
|  | fail_build() { | 
|  | local log_path | 
|  |  | 
|  | if upon "$jenkins_run"; then | 
|  | log_path="$BUILD_URL/artifact/artefacts/build.log" | 
|  | else | 
|  | log_path="$build_log" | 
|  | fi | 
|  |  | 
|  | echo | 
|  | echo "Build failed!" | 
|  | echo | 
|  | echo "See $log_path for full output" | 
|  | echo | 
|  | cp -t "$archive" "$build_log" | 
|  | exit 1; | 
|  | } | 
|  |  | 
|  | # Build a FIP with supplied arguments | 
|  | build_fip() { | 
|  | ( | 
|  | echo "Building FIP with arguments: $@" | 
|  | local tf_env="$workspace/tf.env" | 
|  |  | 
|  | if [ -f "$tf_env" ]; then | 
|  | set -a | 
|  | source "$tf_env" | 
|  | set +a | 
|  | fi | 
|  |  | 
|  | if [ "$(get_tf_opt MEASURED_BOOT)" = 1 ]; then | 
|  | # These are needed for accurate hash verification | 
|  | local build_args_path="${workspace}/fip_build_args" | 
|  | echo $@ > $build_args_path | 
|  | archive_file $build_args_path | 
|  | fi | 
|  |  | 
|  | make -C "$tf_root" $make_j_opts $(cat "$tf_config_file") DEBUG="$DEBUG" BUILD_BASE=$tf_build_root V=1 "$@" \ | 
|  | ${fip_targets:-fip} &>>"$build_log" || fail_build | 
|  | ) | 
|  | } | 
|  |  | 
|  | # Build any extra rule from TF-A makefile with supplied arguments. | 
|  | # | 
|  | # This is useful in case you need to build something else than firmware binaries | 
|  | # or the FIP. | 
|  | build_tf_extra() { | 
|  | ( | 
|  | tf_extra_rules=${tf_extra_rules:?} | 
|  | echo "Building extra TF rule(s): $tf_extra_rules" | 
|  | echo "  Arguments: $@" | 
|  |  | 
|  | local tf_env="$workspace/tf.env" | 
|  |  | 
|  | if [ -f "$tf_env" ]; then | 
|  | set -a | 
|  | source "$tf_env" | 
|  | set +a | 
|  | fi | 
|  |  | 
|  | make -C "$tf_root" $make_j_opts $(cat "$tf_config_file") DEBUG="$DEBUG" V=1 BUILD_BASE=$tf_build_root "$@" \ | 
|  | ${tf_extra_rules} &>>"$build_log" || fail_build | 
|  | ) | 
|  | } | 
|  |  | 
|  | fip_update() { | 
|  | fiptool=$(fiptool_path) | 
|  | # Before the update process, check if the given image is supported by | 
|  | # the fiptool. It's assumed that both fiptool and cert_create move in | 
|  | # tandem, and therefore, if one has support, the other has it too. | 
|  | if ! ("$fiptool" update 2>&1 || true) | grep -qe "\s\+--${bin_name:?}"; then | 
|  | return 1 | 
|  | fi | 
|  |  | 
|  | if not_upon "$(get_tf_opt TRUSTED_BOARD_BOOT)"; then | 
|  | echo "Updating FIP image: $bin_name" | 
|  | # Update HW config. Without TBBR, it's only a matter of using | 
|  | # the update sub-command of fiptool | 
|  | "$fiptool" update "--$bin_name" "${src:-}" \ | 
|  | "$archive/fip.bin" | 
|  | else | 
|  | echo "Updating FIP image (TBBR): $bin_name" | 
|  | # With TBBR, we need to unpack, re-create certificates, and then | 
|  | # recreate the FIP. | 
|  | local fip_dir="$(mktempdir)" | 
|  | local bin common_args stem | 
|  | local rot_key="$(get_tf_opt ROT_KEY)" | 
|  |  | 
|  | rot_key="${rot_key:?}" | 
|  | if ! is_abs "$rot_key"; then | 
|  | rot_key="$tf_root/$rot_key" | 
|  | fi | 
|  |  | 
|  | # Arguments only for cert_create | 
|  | local cert_args="-n" | 
|  | cert_args+=" --tfw-nvctr ${nvctr:-31}" | 
|  | cert_args+=" --ntfw-nvctr ${nvctr:-223}" | 
|  | cert_args+=" --key-alg ${KEY_ALG:-rsa}" | 
|  | cert_args+=" --rot-key $rot_key" | 
|  |  | 
|  | local dyn_config_opts=( | 
|  | "fw-config" | 
|  | "hw-config" | 
|  | "tb-fw-config" | 
|  | "nt-fw-config" | 
|  | "soc-fw-config" | 
|  | "tos-fw-config" | 
|  | ) | 
|  |  | 
|  | # Binaries without key certificates | 
|  | declare -A has_no_key_cert | 
|  | for bin in "tb-fw" "${dyn_config_opts[@]}"; do | 
|  | has_no_key_cert["$bin"]="1" | 
|  | done | 
|  |  | 
|  | # Binaries without certificates | 
|  | declare -A has_no_cert | 
|  | for bin in "hw-config" "${dyn_config_opts[@]}"; do | 
|  | has_no_cert["$bin"]="1" | 
|  | done | 
|  |  | 
|  | pushd "$fip_dir" | 
|  |  | 
|  | # Unpack FIP | 
|  | "$fiptool" unpack "$archive/fip.bin" &>>"$build_log" | 
|  |  | 
|  | # Remove all existing certificates | 
|  | rm -f *-cert.bin | 
|  |  | 
|  | # Copy the binary to be updated | 
|  | cp -f "$src" "${bin_name}.bin" | 
|  |  | 
|  | # FIP unpack dumps binaries with the same name as the option | 
|  | # used to pack it; likewise for certificates. Reverse-engineer | 
|  | # the command line from the binary output. | 
|  | common_args="--trusted-key-cert trusted_key.crt" | 
|  | for bin in *.bin; do | 
|  | stem="${bin%%.bin}" | 
|  | common_args+=" --$stem $bin" | 
|  | if not_upon "${has_no_cert[$stem]}"; then | 
|  | common_args+=" --$stem-cert $stem.crt" | 
|  | fi | 
|  | if not_upon "${has_no_key_cert[$stem]}"; then | 
|  | common_args+=" --$stem-key-cert $stem-key.crt" | 
|  | fi | 
|  | done | 
|  |  | 
|  | # Create certificates | 
|  | cert_create=$(cert_create_path) | 
|  | "$cert_create" $cert_args $common_args &>>"$build_log" | 
|  |  | 
|  | # Recreate and archive FIP | 
|  | "$fiptool" create $common_args "fip.bin" &>>"$build_log" | 
|  | archive_file "fip.bin" | 
|  |  | 
|  | popd | 
|  | fi | 
|  | } | 
|  |  | 
|  | # Update hw-config in FIP, and remove the original DTB afterwards. | 
|  | update_fip_hw_config() { | 
|  | # The DTB needs to be loaded by the model (and not updated in the FIP) | 
|  | # in configs: | 
|  | #            1. Where BL2 isn't present | 
|  | #            2. Where we boot to Linux directly as BL33 | 
|  | case "1" in | 
|  | "$(get_tf_opt RESET_TO_BL31)" | \ | 
|  | "$(get_tf_opt ARM_LINUX_KERNEL_AS_BL33)" | \ | 
|  | "$(get_tf_opt RESET_TO_SP_MIN)" | \ | 
|  | "$(get_tf_opt RESET_TO_BL2)") | 
|  | return 0;; | 
|  | esac | 
|  |  | 
|  | if bin_name="hw-config" src="$archive/dtb.bin" fip_update; then | 
|  | # Remove the DTB so that model won't load it | 
|  | rm -f "$archive/dtb.bin" | 
|  | fi | 
|  | } | 
|  |  | 
|  | get_tftf_opt() { | 
|  | ( | 
|  | name="${1:?}" | 
|  | if config_valid "$tftf_config_file"; then | 
|  | source "$tftf_config_file" | 
|  | echo "${!name}" | 
|  | fi | 
|  | ) | 
|  | } | 
|  |  | 
|  | get_tf_opt() { | 
|  | ( | 
|  | name="${1:?}" | 
|  | if config_valid "$tf_config_file"; then | 
|  | source "$tf_config_file" | 
|  | echo "${!name}" | 
|  | fi | 
|  | ) | 
|  | } | 
|  |  | 
|  | get_rmm_opt() { | 
|  | ( | 
|  | name="${1:?}" | 
|  | default="$2" | 
|  | if config_valid "$rmm_config_file"; then | 
|  | source "$rmm_config_file" | 
|  | # If !name is not defined, go with the default | 
|  | # value (if defined) | 
|  | if [ -z "${!name}" ]; then | 
|  | echo "$default" | 
|  | else | 
|  | echo "${!name}" | 
|  | fi | 
|  | fi | 
|  | ) | 
|  | } | 
|  |  | 
|  | build_tf() { | 
|  | ( | 
|  | env_file="$workspace/tf.env" | 
|  | config_file="${tf_build_config:-$tf_config_file}" | 
|  |  | 
|  | # Build fiptool and all targets by default | 
|  | build_targets="${tf_build_targets:-fiptool all}" | 
|  |  | 
|  | source "$config_file" | 
|  |  | 
|  | # If it is a TBBR build, extract the MBED TLS library from archive | 
|  | if [ "$(get_tf_opt TRUSTED_BOARD_BOOT)" = 1 ] || | 
|  | [ "$(get_tf_opt MEASURED_BOOT)" = 1 ] || | 
|  | [ "$(get_tf_opt DRTM_SUPPORT)" = 1 ]; then | 
|  | mbedtls_dir="$workspace/mbedtls" | 
|  | if [ ! -d "$mbedtls_dir" ]; then | 
|  | mbedtls_ar="$workspace/mbedtls.tar.gz" | 
|  |  | 
|  | url="$mbedtls_archive" saveas="$mbedtls_ar" fetch_file | 
|  | mkdir "$mbedtls_dir" | 
|  | extract_tarball $mbedtls_ar $mbedtls_dir --strip-components=1 | 
|  | fi | 
|  |  | 
|  | emit_env "MBEDTLS_DIR" "$mbedtls_dir" | 
|  | fi | 
|  | if [ "$(get_tf_opt PLATFORM_TEST)" = "tfm-testsuite" ] && | 
|  | not_upon "${TF_M_TESTS_PATH}"; then | 
|  | emit_env "TF_M_TESTS_PATH" "$WORKSPACE/tf-m-tests" | 
|  | fi | 
|  | if [ "$(get_tf_opt PLATFORM_TEST)" = "tfm-testsuite" ] && | 
|  | not_upon "${TF_M_EXTRAS_PATH}"; then | 
|  | emit_env "TF_M_EXTRAS_PATH" "$WORKSPACE/tf-m-extras" | 
|  | fi | 
|  | if [ "$(get_tf_opt DICE_PROTECTION_ENVIRONMENT)" = 1 ] && | 
|  | not_upon "${QCBOR_DIR}"; then | 
|  | emit_env "QCBOR_DIR" "$WORKSPACE/qcbor" | 
|  | fi | 
|  |  | 
|  | # Hash verification only occurs if there is a sufficient amount of | 
|  | # information in the event log, which is as long as EVENT_LOG_LEVEL | 
|  | # is set to at least 20 or if it is a debug build | 
|  | if [[ ("$(get_tf_opt MEASURED_BOOT)" -eq 1) && | 
|  | (($bin_mode == "debug") || ("$(get_tf_opt EVENT_LOG_LEVEL)" -ge 20)) ]]; then | 
|  | # This variable is later exported to the expect scripts so | 
|  | # the hashes in the TF-A event log can be verified | 
|  | set_run_env "verify_hashes" "1" | 
|  | fi | 
|  | if [ -f "$env_file" ]; then | 
|  | set -a | 
|  | source "$env_file" | 
|  | set +a | 
|  | fi | 
|  |  | 
|  | if is_arm_jenkins_env || upon "$local_ci"; then | 
|  | path_list=( | 
|  | "$llvm_dir/bin" | 
|  | ) | 
|  | extend_path "PATH" "path_list" | 
|  | fi | 
|  |  | 
|  | pushd "$tf_root" | 
|  |  | 
|  | # Always distclean when running on Jenkins. Skip distclean when running | 
|  | # locally and explicitly requested. | 
|  | if upon "$jenkins_run" || not_upon "$dont_clean"; then | 
|  | make distclean BUILD_BASE=$tf_build_root &>>"$build_log" || fail_build | 
|  | fi | 
|  |  | 
|  | # Log build command line. It is left unfolded on purpose to assist | 
|  | # copying to clipboard. | 
|  | cat <<EOF | log_separator >/dev/null | 
|  |  | 
|  | Build command line: | 
|  | $tf_build_wrapper make $make_j_opts $(cat "$config_file" | tr '\n' ' ') DEBUG=$DEBUG V=1 BUILD_BASE=$tf_build_root $build_targets | 
|  |  | 
|  | CC version: | 
|  | $(${CC-${CROSS_COMPILE}gcc} -v 2>&1) | 
|  | EOF | 
|  |  | 
|  | if not_upon "$local_ci"; then | 
|  | connect_debugger=0 | 
|  | fi | 
|  |  | 
|  | # Build TF. Since build output is being directed to the build log, have | 
|  | # descriptor 3 point to the current terminal for build wrappers to vent. | 
|  | $tf_build_wrapper poetry run make $make_j_opts $(cat "$config_file") \ | 
|  | DEBUG="$DEBUG" V=1 BUILD_BASE="$tf_build_root" SPIN_ON_BL1_EXIT="$connect_debugger" \ | 
|  | $build_targets 3>&1 &>>"$build_log" || fail_build | 
|  |  | 
|  | if [ "$build_targets" != "doc" ]; then | 
|  | (poetry run memory --root "$tf_build_root" symbols 2>&1 || true) | tee -a "${build_log}" | 
|  |  | 
|  | for map in $(find "${tf_build_root}" -name '*.map'); do | 
|  | (poetry run memory --root "${tf_build_root}" summary "${map}" 2>&1 || true) | tee -a "${build_log}" | 
|  | done | 
|  | fi | 
|  | popd | 
|  | ) | 
|  | } | 
|  |  | 
|  | build_tftf() { | 
|  | ( | 
|  | config_file="${tftf_build_config:-$tftf_config_file}" | 
|  |  | 
|  | # Build tftf target by default | 
|  | build_targets="${tftf_build_targets:-all}" | 
|  |  | 
|  | source "$config_file" | 
|  |  | 
|  | cd "$tftf_root" | 
|  |  | 
|  | # Always distclean when running on Jenkins. Skip distclean when running | 
|  | # locally and explicitly requested. | 
|  | if upon "$jenkins_run" || not_upon "$dont_clean"; then | 
|  | make distclean BUILD_BASE="$tftf_build_root" &>>"$build_log" || fail_build | 
|  | fi | 
|  |  | 
|  | # TFTF build system cannot reliably deal with -j option, so we avoid | 
|  | # using that. | 
|  |  | 
|  | # Log build command line | 
|  | cat <<EOF | log_separator >/dev/null | 
|  |  | 
|  | Build command line: | 
|  | make $make_j_opts $(cat "$config_file" | tr '\n' ' ') DEBUG=$DEBUG V=1 BUILD_BASE="$tftf_build_root" $build_targets | 
|  |  | 
|  | EOF | 
|  |  | 
|  | make $make_j_opts $(cat "$config_file") DEBUG="$DEBUG" V=1 BUILD_BASE="$tftf_build_root" \ | 
|  | $build_targets &>>"$build_log" || fail_build | 
|  | ) | 
|  | } | 
|  |  | 
|  | build_cc() { | 
|  | # Building code coverage plugin | 
|  | ARM_DIR=/arm | 
|  | pvlibversion=$(/arm/devsys-tools/abs/detag "SysGen:PVModelLib:$model_version::trunk") | 
|  | PVLIB_HOME=$warehouse/SysGen/PVModelLib/$model_version/${pvlibversion}/external | 
|  | if [ -n "$(find "$ARM_DIR" -maxdepth 0 -type d -empty 2>/dev/null)" ]; then | 
|  | echo "Error: Arm warehouse not mounted. Please mount the Arm warehouse to your /arm local folder" | 
|  | exit -1 | 
|  | fi  # Error if arm warehouse not found | 
|  | cd "$ccpathspec/scripts/tools/code_coverage/fastmodel_baremetal/bmcov" | 
|  |  | 
|  | make -C model-plugin PVLIB_HOME=$PVLIB_HOME &>>"$build_log" | 
|  | } | 
|  |  | 
|  | build_spm() { | 
|  | ( | 
|  | env_file="$workspace/spm.env" | 
|  | config_file="${spm_build_config:-$spm_config_file}" | 
|  |  | 
|  | source "$config_file" | 
|  |  | 
|  | if [ -f "$env_file" ]; then | 
|  | set -a | 
|  | source "$env_file" | 
|  | set +a | 
|  | fi | 
|  |  | 
|  | cd "$spm_root" | 
|  |  | 
|  | # Always clean when running on Jenkins. Skip clean when running | 
|  | # locally and explicitly requested. | 
|  | if upon "$jenkins_run" || not_upon "$dont_clean"; then | 
|  | # make clean fails on a fresh repo where the project has not | 
|  | # yet been built. Hence only clean if out/reference directory | 
|  | # already exists. | 
|  | if [ -d "out/reference" ]; then | 
|  | make clean &>>"$build_log" || fail_build | 
|  | fi | 
|  | fi | 
|  |  | 
|  | # Log build command line. It is left unfolded on purpose to assist | 
|  | # copying to clipboard. | 
|  | cat <<EOF | log_separator >/dev/null | 
|  |  | 
|  | Build command line: | 
|  | make $make_j_opts OUT=$spm_build_root $(cat "$config_file" | tr '\n' ' ') | 
|  |  | 
|  | EOF | 
|  |  | 
|  | # Build SPM. Since build output is being directed to the build log, have | 
|  | # descriptor 3 point to the current terminal for build wrappers to vent. | 
|  | make $make_j_opts OUT=$spm_build_root $(cat "$config_file") 3>&1 &>>"$build_log" \ | 
|  | || fail_build | 
|  | ) | 
|  | } | 
|  |  | 
|  | build_rmm() { | 
|  | ( | 
|  | env_file="$workspace/rmm.env" | 
|  | config_file="${rmm_build_config:-$rmm_config_file}" | 
|  |  | 
|  | # Build fiptool and all targets by default | 
|  | export CROSS_COMPILE="aarch64-none-elf-" | 
|  |  | 
|  | source "$config_file" | 
|  |  | 
|  | if [ -f "$env_file" ]; then | 
|  | set -a | 
|  | source "$env_file" | 
|  | set +a | 
|  | fi | 
|  |  | 
|  | cd "$rmm_root" | 
|  |  | 
|  | if [ -f "$rmm_root/requirements.txt" ]; then | 
|  | export PATH="$HOME/.local/bin:$PATH" | 
|  | python3 -m pip install --upgrade pip | 
|  | python3 -m pip install -r "$rmm_root/requirements.txt" | 
|  | fi | 
|  |  | 
|  | # Always distclean when running on Jenkins. Skip distclean when running | 
|  | # locally and explicitly requested. | 
|  | if upon "$jenkins_run" || not_upon "$dont_clean"; then | 
|  | # Remove 'rmm\build' folder | 
|  | echo "Removing $rmm_build_root..." | 
|  | rm -rf $rmm_build_root | 
|  | fi | 
|  |  | 
|  | if not_upon "$local_ci"; then | 
|  | connect_debugger=0 | 
|  | fi | 
|  |  | 
|  | # Log build command line. It is left unfolded on purpose to assist | 
|  | # copying to clipboard. | 
|  | cat <<EOF | log_separator >/dev/null | 
|  |  | 
|  | Build command line: | 
|  | cmake -DRMM_CONFIG=${plat}_defcfg "$cmake_gen" -S $rmm_root -B $rmm_build_root -DRMM_TOOLCHAIN=$rmm_toolchain -DRMM_FPU_USE_AT_REL2=$rmm_fpu_use_at_rel2 -DATTEST_EL3_TOKEN_SIGN=$rmm_attest_el3_token_sign -DRMM_V1_1=$rmm_v1_1 ${extra_options} | 
|  | cmake --build $rmm_build_root --config $cmake_build_type $make_j_opts -v ${extra_targets+-- $extra_targets} | 
|  |  | 
|  | EOF | 
|  | cmake \ | 
|  | -DRMM_CONFIG=${plat}_defcfg $cmake_gen \ | 
|  | -S $rmm_root -B $rmm_build_root \ | 
|  | -DRMM_TOOLCHAIN=$rmm_toolchain \ | 
|  | -DRMM_FPU_USE_AT_REL2=$rmm_fpu_use_at_rel2 \ | 
|  | -DATTEST_EL3_TOKEN_SIGN=$rmm_attest_el3_token_sign \ | 
|  | -DRMM_V1_1=$rmm_v1_1 \ | 
|  | ${extra_options} | 
|  | cmake --build $rmm_build_root --config $cmake_build_type $make_j_opts -v ${extra_targets+-- $extra_targets} 3>&1 &>>"$build_log" || fail_build | 
|  | ) | 
|  | } | 
|  |  | 
|  | build_tfut() { | 
|  | ( | 
|  | config_file="${tfut_build_config:-$tfut_config_file}" | 
|  |  | 
|  | # Build tfut target by default | 
|  | build_targets="${tfut_build_targets:-all}" | 
|  |  | 
|  | source "$config_file" | 
|  |  | 
|  | mkdir -p "$tfut_root/build" | 
|  | cd "$tfut_root/build" | 
|  |  | 
|  | # Always distclean when running on Jenkins. Skip distclean when running | 
|  | # locally and explicitly requested. | 
|  | if upon "$jenkins_run" || not_upon "$dont_clean"; then | 
|  | #make clean &>>"$build_log" || fail_build | 
|  | rm -Rf * || fail_build | 
|  | fi | 
|  |  | 
|  | #Override build targets only if the run config did not set them. | 
|  | if [ $build_targets == "all" ]; then | 
|  | tests_line=$(cat "$config_file" | { grep "tests=" || :; }) | 
|  | if [ -z "$tests_line" ]; then | 
|  | build_targets=$(echo "$tests_line" | awk -F= '{ print $NF }') | 
|  | fi | 
|  | fi | 
|  |  | 
|  | #TODO: extract vars from env to use them for cmake | 
|  |  | 
|  | test -f "$config_file" | 
|  |  | 
|  | config=$(cat "$config_file" | grep -v "tests=") \ | 
|  | && cmake_config=$(echo "$config" | sed -e 's/^/\-D/') | 
|  |  | 
|  | # Check if cmake is installed | 
|  | if ! command -v cmake &> /dev/null | 
|  | then | 
|  | echo "cmake could not be found" | 
|  | exit 1 | 
|  | fi | 
|  |  | 
|  | # Log build command line | 
|  | cat <<EOF | log_separator >/dev/null | 
|  |  | 
|  | Build command line: | 
|  | cmake $(echo "$cmake_config") -G"Unix Makefiles" --debug-output -DCMAKE_VERBOSE_MAKEFILE -DCOVERAGE="$COVERAGE" -DUNIT_TEST_PROJECT_PATH="$tf_root" .. | 
|  | make $(echo "$config" | tr '\n' ' ') DEBUG=$DEBUG V=1 $build_targets | 
|  |  | 
|  | EOF | 
|  | cmake $(echo "$cmake_config") -G"Unix Makefiles" --debug-output \ | 
|  | -DCMAKE_VERBOSE_MAKEFILE=ON 				\ | 
|  | -DCOVERAGE="$COVERAGE" 					\ | 
|  | -DUNIT_TEST_PROJECT_PATH="$tf_root" 			\ | 
|  | .. &>> "$build_log" || fail_build | 
|  | echo "Done with cmake" >> "$build_log" | 
|  | make $(echo "$config") VERBOSE=1 \ | 
|  | $build_targets &>> "$build_log" || fail_build | 
|  | ) | 
|  |  | 
|  | } | 
|  |  | 
|  | # Set metadata for the whole package so that it can be used by both Jenkins and | 
|  | # shell | 
|  | set_package_var() { | 
|  | env_file="$artefacts/env" emit_env "$@" | 
|  | } | 
|  |  | 
|  | set_tf_build_targets() { | 
|  | echo "Set build target to '${targets:?}'" | 
|  | set_hook_var "tf_build_targets" "$targets" | 
|  | } | 
|  |  | 
|  | set_tftf_build_targets() { | 
|  | echo "Set build target to '${targets:?}'" | 
|  | set_hook_var "tftf_build_targets" "$targets" | 
|  | } | 
|  |  | 
|  | set_spm_build_targets() { | 
|  | echo "Set build target to '${targets:?}'" | 
|  | set_hook_var "spm_build_targets" "$targets" | 
|  | } | 
|  |  | 
|  | add_tfut_build_targets() { | 
|  | echo "Add TFUT build targets '${targets:?}'" | 
|  | append_hook_var "tfut_build_targets" "$targets " | 
|  | } | 
|  |  | 
|  | set_spm_out_dir() { | 
|  | echo "Set SPMC binary build to '${out_dir:?}'" | 
|  | set_hook_var "spm_secure_out_dir" "$out_dir" | 
|  | } | 
|  | # Look under $archive directory for known files such as blX images, kernel, DTB, | 
|  | # initrd etc. For each known file foo, if foo.bin exists, then set variable | 
|  | # foo_bin to the path of the file. Make the path relative to the workspace so as | 
|  | # to remove any @ characters, which Jenkins inserts for parallel runs. If the | 
|  | # file doesn't exist, unset its path. | 
|  | set_default_bin_paths() { | 
|  | local image image_name image_path path | 
|  | local archive="${archive:?}" | 
|  | local set_vars | 
|  | local var | 
|  |  | 
|  | pushd "$archive" | 
|  |  | 
|  | for file in *.bin; do | 
|  | # Get a shell variable from the file's stem | 
|  | var_name="${file%%.*}_bin" | 
|  | var_name="$(echo "$var_name" | sed -r 's/[^[:alnum:]]/_/g')" | 
|  |  | 
|  | # Skip setting the variable if it's already | 
|  | if [ "${!var_name}" ]; then | 
|  | echo "Note: not setting $var_name; already set to ${!var_name}" | 
|  | continue | 
|  | else | 
|  | set_vars+="$var_name " | 
|  | fi | 
|  |  | 
|  | eval "$var_name=$file" | 
|  | done | 
|  |  | 
|  | echo "Binary paths set for: " | 
|  | { | 
|  | for var in $set_vars; do | 
|  | echo -n "\$$var " | 
|  | done | 
|  | } | fmt -80 | sed 's/^/  /' | 
|  | echo | 
|  |  | 
|  | popd | 
|  | } | 
|  |  | 
|  | gen_model_params() { | 
|  | local model_param_file="$archive/model_params" | 
|  | [ "$connect_debugger" ] && [ "$connect_debugger" -eq 1 ] && wait_debugger=1 | 
|  |  | 
|  | set_default_bin_paths | 
|  | echo "Generating model parameter for $model..." | 
|  | source "$ci_root/model/${model:?}.sh" | 
|  | archive_file "$model_param_file" | 
|  | } | 
|  |  | 
|  | set_model_path() { | 
|  | local input_path="${1:?}" | 
|  |  | 
|  | if upon "$retain_paths"; then | 
|  | set_run_env "model_path" "$(basename "$input_path")" | 
|  | return | 
|  | fi | 
|  |  | 
|  | set_run_env "model_path" "$input_path" | 
|  | } | 
|  |  | 
|  | set_model_env() { | 
|  | local var="${1:?}" | 
|  | local val="${2?}" | 
|  | local run_root="${archive:?}/run" | 
|  |  | 
|  | mkdir -p "$run_root" | 
|  | echo "export $var=$val" >> "$run_root/model_env" | 
|  | } | 
|  | set_run_env() { | 
|  | local var="${1:?}" | 
|  | local val="${2?}" | 
|  | local run_root="${archive:?}/run" | 
|  |  | 
|  | mkdir -p "$run_root" | 
|  | env_file="$run_root/env" quote="1" emit_env "$var" "$val" | 
|  | } | 
|  |  | 
|  | show_head() { | 
|  | # Display HEAD descripton | 
|  | pushd "$1" | 
|  | git show --quiet --no-color | sed 's/^/  > /g' | 
|  | echo | 
|  | popd | 
|  | } | 
|  |  | 
|  | # Choose debug binaries to run; by default, release binaries are chosen to run | 
|  | use_debug_bins() { | 
|  | local run_root="${archive:?}/run" | 
|  |  | 
|  | echo "Choosing debug binaries for execution" | 
|  | set_package_var "BIN_MODE" "debug" | 
|  | } | 
|  |  | 
|  | assert_can_git_clone() { | 
|  | local name="${1:?}" | 
|  | local dir="${!name}" | 
|  |  | 
|  | # If it doesn't exist, it can be cloned into | 
|  | if [ ! -e "$dir" ]; then | 
|  | return 0 | 
|  | fi | 
|  |  | 
|  | # If it's a directory, it must be a Git clone already | 
|  | if [ -d "$dir" ] && [ -d "$dir/.git" ]; then | 
|  | # No need to clone again | 
|  | echo "Using existing git clone for $name: $dir" | 
|  | return 1 | 
|  | fi | 
|  |  | 
|  | die "Path $dir exists but is not a git clone" | 
|  | } | 
|  |  | 
|  | clone_repo() { | 
|  | if ! is_url "${clone_url?}"; then | 
|  | # For --depth to take effect on local paths, it needs to use the | 
|  | # file:// scheme. | 
|  | clone_url="file://$clone_url" | 
|  | fi | 
|  |  | 
|  | git clone -q --depth 1 "$clone_url" "${where?}" | 
|  | if [ "$refspec" ]; then | 
|  | pushd "$where" | 
|  | git fetch -q --depth 1 origin "$refspec" | 
|  | git checkout -q FETCH_HEAD | 
|  | popd | 
|  | fi | 
|  | } | 
|  |  | 
|  | build_unstable() { | 
|  | echo "--BUILD UNSTABLE--" | tee -a "$build_log" | 
|  | } | 
|  |  | 
|  | undo_patch_record() { | 
|  | if [ ! -f "${patch_record:?}" ]; then | 
|  | return | 
|  | fi | 
|  |  | 
|  | # Undo patches in reverse | 
|  | echo | 
|  | for patch_name in $(tac "$patch_record"); do | 
|  | echo "Undoing $patch_name..." | 
|  | if ! git apply -R "$ci_root/patch/$patch_name"; then | 
|  | if upon "$local_ci"; then | 
|  | echo | 
|  | echo "Your local directory may have been dirtied." | 
|  | echo | 
|  | fi | 
|  | fail_build | 
|  | fi | 
|  | done | 
|  |  | 
|  | rm -f "$patch_record" | 
|  | } | 
|  |  | 
|  | undo_local_patches() { | 
|  | pushd "$tf_root" | 
|  | patch_record="$tf_patch_record" undo_patch_record | 
|  | popd | 
|  |  | 
|  | if [ -d "$tftf_root" ]; then | 
|  | pushd "$tftf_root" | 
|  | patch_record="$tftf_patch_record" undo_patch_record | 
|  | popd | 
|  | fi | 
|  | } | 
|  |  | 
|  | undo_tftf_patches() { | 
|  | pushd "$tftf_root" | 
|  | patch_record="$tftf_patch_record" undo_patch_record | 
|  | popd | 
|  | } | 
|  |  | 
|  | undo_tf_patches() { | 
|  | pushd "$tf_root" | 
|  | patch_record="$tf_patch_record" undo_patch_record | 
|  | popd | 
|  | } | 
|  |  | 
|  | apply_patch() { | 
|  | # If skip_patches is set, the developer has applied required patches | 
|  | # manually. They probably want to keep them applied for debugging | 
|  | # purposes too. This means we don't have to apply/revert them as part of | 
|  | # build process. | 
|  | if upon "$skip_patches"; then | 
|  | echo "Skipped applying ${1:?}..." | 
|  | return 0 | 
|  | else | 
|  | echo "Applying ${1:?}..." | 
|  | fi | 
|  |  | 
|  | if git apply --reverse --check < "$ci_root/patch/$1" 2> /dev/null; then | 
|  | echo "Skipping already applied ${1:?}" | 
|  | return 0 | 
|  | fi | 
|  |  | 
|  | if git apply < "$ci_root/patch/$1"; then | 
|  | echo "$1" >> "${patch_record:?}" | 
|  | else | 
|  | if upon "$local_ci"; then | 
|  | undo_local_patches | 
|  | fi | 
|  | fail_build | 
|  | fi | 
|  | } | 
|  |  | 
|  | apply_tf_patch() { | 
|  | root="$tf_root" | 
|  | new_root="$archive/tfa_mirror" | 
|  |  | 
|  | # paralell builds are only used locally. Don't do for CI since this will | 
|  | # have a speed penalty. Also skip if this was already done as a single | 
|  | # job may apply many patches. | 
|  | if upon "$local_ci" && [[ ! -d $new_root ]]; then | 
|  | root=$new_root | 
|  | diff=$(mktempfile) | 
|  |  | 
|  | # get anything still uncommitted | 
|  | pushd  $tf_root | 
|  | git diff HEAD > $diff | 
|  | popd | 
|  |  | 
|  | # git will hard link when cloning locally, no need for --depth=1 | 
|  | git clone "$tf_root" $root --shallow-submodules --recurse-submodules | 
|  |  | 
|  | tf_root=$root # next apply_tf_patch will run in the same hook | 
|  | set_hook_var "tf_root" "$root" # for anyone outside the hook | 
|  |  | 
|  | # apply uncommited changes so they are picked up in the build | 
|  | pushd  $tf_root | 
|  | git apply $diff &> /dev/null || true | 
|  | popd | 
|  |  | 
|  | fi | 
|  |  | 
|  | pushd "$root" | 
|  | patch_record="$tf_patch_record" apply_patch "$1" | 
|  | popd | 
|  | } | 
|  |  | 
|  | mkdir -p "$workspace" | 
|  | mkdir -p "$archive" | 
|  | set_package_var "TEST_CONFIG" "$test_config" | 
|  |  | 
|  | { | 
|  | echo | 
|  | echo "CONFIGURATION: $test_group/$test_config" | 
|  | echo | 
|  | } |& log_separator | 
|  |  | 
|  | tf_config="$(echo "$build_configs" | awk -F, '{print $1}')" | 
|  | tftf_config="$(echo "$build_configs" | awk -F, '{print $2}')" | 
|  | spm_config="$(echo "$build_configs" | awk -F, '{print $3}')" | 
|  | rmm_config="$(echo "$build_configs" | awk -F, '{print $4}')" | 
|  | tfut_config="$(echo "$build_configs" | awk -F, '{print $5}')" | 
|  |  | 
|  | test_config_file="$ci_root/group/$test_group/$test_config" | 
|  |  | 
|  | tf_config_file="$ci_root/tf_config/$tf_config" | 
|  | tftf_config_file="$ci_root/tftf_config/$tftf_config" | 
|  | spm_config_file="$ci_root/spm_config/$spm_config" | 
|  | rmm_config_file="$ci_root/rmm_config/$rmm_config" | 
|  | tfut_config_file="$ci_root/tfut_config/$tfut_config" | 
|  |  | 
|  | # File that keeps track of applied patches | 
|  | tf_patch_record="$workspace/tf_patches" | 
|  | tftf_patch_record="$workspace/tftf_patches" | 
|  |  | 
|  | # Split run config into TF and TFUT components | 
|  | run_config_tfa="$(echo "$run_config" | awk -F, '{print $1}')" | 
|  | run_config_tfut="$(echo "$run_config" | awk -F, '{print $2}')" | 
|  |  | 
|  | pushd "$workspace" | 
|  |  | 
|  | if ! config_valid "$tf_config"; then | 
|  | tf_config= | 
|  | else | 
|  | echo "Trusted Firmware config:" | 
|  | echo | 
|  | sort "$tf_config_file" | sed '/^\s*$/d;s/^/\t/' | 
|  | echo | 
|  | fi | 
|  |  | 
|  | if ! config_valid "$tftf_config"; then | 
|  | tftf_config= | 
|  | else | 
|  | echo "Trusted Firmware TF config:" | 
|  | echo | 
|  | sort "$tftf_config_file" | sed '/^\s*$/d;s/^/\t/' | 
|  | echo | 
|  | fi | 
|  |  | 
|  | if ! config_valid "$spm_config"; then | 
|  | spm_config= | 
|  | else | 
|  | echo "SPM config:" | 
|  | echo | 
|  | sort "$spm_config_file" | sed '/^\s*$/d;s/^/\t/' | 
|  | echo | 
|  | fi | 
|  |  | 
|  | # File that keeps track of applied patches | 
|  | rmm_patch_record="$workspace/rmm_patches" | 
|  |  | 
|  | if ! config_valid "$rmm_config"; then | 
|  | rmm_config= | 
|  | else | 
|  | echo "Trusted Firmware RMM config:" | 
|  | echo | 
|  | sort "$rmm_config_file" | sed '/^\s*$/d;s/^/\t/' | 
|  | echo | 
|  | fi | 
|  |  | 
|  | if ! config_valid "$tfut_config"; then | 
|  | tfut_config= | 
|  | else | 
|  | echo "TFUT config:" | 
|  | echo | 
|  | sort "$tfut_config_file" | sed '/^\s*$/d;s/^/\t/' | 
|  | echo | 
|  | fi | 
|  |  | 
|  | if ! config_valid "$run_config_tfa"; then | 
|  | run_config_tfa= | 
|  | fi | 
|  |  | 
|  | if { [ "$tf_config" ] || [ "$tfut_config" ]; } && assert_can_git_clone "tf_root"; then | 
|  | # If the Trusted Firmware repository has already been checked out, use | 
|  | # that location. Otherwise, clone one ourselves. | 
|  | echo "Cloning Trusted Firmware..." | 
|  | clone_url="${TF_CHECKOUT_LOC:-$tf_src_repo_url}" where="$tf_root" \ | 
|  | refspec="$TF_REFSPEC" clone_repo &>>"$build_log" | 
|  | show_head "$tf_root" | 
|  | fi | 
|  |  | 
|  | if [ "$tftf_config" ] && assert_can_git_clone "tftf_root"; then | 
|  | # If the Trusted Firmware TF repository has already been checked out, | 
|  | # use that location. Otherwise, clone one ourselves. | 
|  | echo "Cloning Trusted Firmware TF..." | 
|  | clone_url="${TFTF_CHECKOUT_LOC:-$tftf_src_repo_url}" where="$tftf_root" \ | 
|  | refspec="$TFTF_REFSPEC" clone_repo &>>"$build_log" | 
|  | show_head "$tftf_root" | 
|  | fi | 
|  |  | 
|  | if [ -n "$cc_config" ] ; then | 
|  | if [ "$cc_config" -eq 1 ] && assert_can_git_clone "cc_root"; then | 
|  | # Copy code coverage repository | 
|  | echo "Cloning Code Coverage..." | 
|  | git clone -q $cc_src_repo_url cc_plugin --depth 1 -b $cc_src_repo_tag > /dev/null | 
|  | show_head "$cc_root" | 
|  | fi | 
|  | fi | 
|  |  | 
|  | if [ "$spm_config" ] ; then | 
|  | if assert_can_git_clone "spm_root"; then | 
|  | # If the SPM repository has already been checked out, use | 
|  | # that location. Otherwise, clone one ourselves. | 
|  | echo "Cloning SPM..." | 
|  | clone_url="${SPM_CHECKOUT_LOC:-$spm_src_repo_url}" \ | 
|  | where="$spm_root" refspec="$SPM_REFSPEC" \ | 
|  | clone_repo &>>"$build_log" | 
|  | fi | 
|  |  | 
|  | # Query git submodules | 
|  | pushd "$spm_root" | 
|  | # Check if submodules need initialising | 
|  |  | 
|  | # This handling is needed to reliably fetch submodules | 
|  | # in CI environment. | 
|  | for subm in $(git submodule status | awk '/^-/ {print $2}'); do | 
|  | for i in $(seq 1 7); do | 
|  | git submodule init $subm | 
|  | if git submodule update $subm; then | 
|  | break | 
|  | fi | 
|  | git submodule deinit --force $subm | 
|  | echo "Retrying $subm" | 
|  | sleep $((RANDOM % 10 + 5)) | 
|  | done | 
|  | done | 
|  |  | 
|  | git submodule status | 
|  | popd | 
|  |  | 
|  | show_head "$spm_root" | 
|  | fi | 
|  |  | 
|  | if [ "$rmm_config" ] && assert_can_git_clone "rmm_root"; then | 
|  | # If the RMM repository has already been checked out, | 
|  | # use that location. Otherwise, clone one ourselves. | 
|  | echo "Cloning TF-RMM..." | 
|  | clone_url="${RMM_CHECKOUT_LOC:-$rmm_src_repo_url}" where="$rmm_root" \ | 
|  | refspec="$RMM_REFSPEC" clone_repo &>>"$build_log" | 
|  | show_head "$rmm_root" | 
|  | fi | 
|  |  | 
|  | if [ "$tfut_config" ] && assert_can_git_clone "tfut_root"; then | 
|  | # If the Trusted Firmware UT repository has already been checked out, | 
|  | # use that location. Otherwise, clone one ourselves. | 
|  | echo "Cloning Trusted Firmware UT..." | 
|  | clone_url="${TFUT_CHECKOUT_LOC:-$tfut_src_repo_url}" where="$tfut_root" \ | 
|  | refspec="$TFUT_GERRIT_REFSPEC" clone_repo &>>"$build_log" | 
|  | show_head "$tfut_root" | 
|  | fi | 
|  |  | 
|  | if [ "$run_config_tfa" ]; then | 
|  | # Get candidates for TF-A run config | 
|  | run_config_candidates="$("$ci_root/script/gen_run_config_candidates.py" \ | 
|  | "$run_config_tfa")" | 
|  | if [ -z "$run_config_candidates" ]; then | 
|  | die "No run config candidates!" | 
|  | else | 
|  | echo | 
|  | echo "Chosen fragments:" | 
|  | echo | 
|  | echo "$run_config_candidates" | sed 's/^\|\n/\t/g' | 
|  | echo | 
|  |  | 
|  | if [ ! -n "$bin_mode" ]; then | 
|  | if echo $run_config_candidates | grep -wq "debug"; then | 
|  | bin_mode="debug" | 
|  | else | 
|  | bin_mode="release" | 
|  | fi | 
|  | fi | 
|  | fi | 
|  | fi | 
|  |  | 
|  | if [ "$run_config_tfut" ]; then | 
|  | # Get candidates for run TFUT config | 
|  | run_config_tfut_candidates="$("$ci_root/script/gen_run_config_candidates.py" \ | 
|  | "--unit-testing" "$run_config_tfut")" | 
|  | if [ -z "$run_config_tfut_candidates" ]; then | 
|  | die "No run TFUT config candidates!" | 
|  | else | 
|  | echo | 
|  | echo "Chosen fragments:" | 
|  | echo | 
|  | echo "$run_config_tfut_candidates" | sed 's/^\|\n/\t/g' | 
|  | fi | 
|  | fi | 
|  |  | 
|  | call_hook "test_setup" | 
|  | echo | 
|  |  | 
|  | if upon "$local_ci"; then | 
|  | # For local runs, since each config is tried in sequence, it's | 
|  | # advantageous to run jobs in parallel | 
|  | if [ "$make_j" ]; then | 
|  | make_j_opts="-j $make_j" | 
|  | else | 
|  | n_cores="$(getconf _NPROCESSORS_ONLN)" 2>/dev/null || true | 
|  | if [ "$n_cores" ]; then | 
|  | make_j_opts="-j $n_cores" | 
|  | fi | 
|  | fi | 
|  | fi | 
|  |  | 
|  | # Install python build dependencies | 
|  | if is_arm_jenkins_env; then | 
|  | source "$ci_root/script/install_python_deps.sh" | 
|  | fi | 
|  |  | 
|  | # Install c-picker dependency | 
|  | if config_valid "$tfut_config"; then | 
|  | echo "started building" | 
|  | python3 -m venv .venv | 
|  | source .venv/bin/activate | 
|  |  | 
|  | if ! python3 -m pip show c-picker &> /dev/null; then | 
|  | echo "Installing c-picker" | 
|  | pip install git+https://git.trustedfirmware.org/TS/trusted-services.git@topics/c-picker || { | 
|  | echo "c-picker was not installed!" | 
|  | exit 1 | 
|  | } | 
|  | echo "c-picker was installed" | 
|  | else | 
|  | echo "c-picker is already installed" | 
|  | fi | 
|  | fi | 
|  |  | 
|  | # Print CMake version | 
|  | cmake_ver=$(echo `cmake --version | sed -n '1p'`) | 
|  | echo "Using $cmake_ver" | 
|  |  | 
|  | # Check for Ninja | 
|  | if [ -x "$(command -v ninja)" ]; then | 
|  | # Print Ninja version | 
|  | ninja_ver=$(echo `ninja --version | sed -n '1p'`) | 
|  | echo "Using ninja $ninja_ver" | 
|  | export cmake_gen="-G Ninja" | 
|  | else | 
|  | echo 'Ninja is not installed' | 
|  | export cmake_gen="" | 
|  | fi | 
|  |  | 
|  | undo_rmm_patches() { | 
|  | pushd "$rmm_root" | 
|  | patch_record="$rmm_patch_record" undo_patch_record | 
|  | popd | 
|  | } | 
|  |  | 
|  | modes="${bin_mode:-debug release}" | 
|  | for mode in $modes; do | 
|  | echo "===== Building package in mode: $mode =====" | 
|  | # Build with a temporary archive | 
|  | build_archive="$archive/$mode" | 
|  | mkdir "$build_archive" | 
|  |  | 
|  | if [ "$mode" = "debug" ]; then | 
|  | export bin_mode="debug" | 
|  | cmake_build_type="Debug" | 
|  | DEBUG=1 | 
|  | else | 
|  | export bin_mode="release" | 
|  | cmake_build_type="Release" | 
|  | DEBUG=0 | 
|  | fi | 
|  |  | 
|  | # Perform builds in a subshell so as not to pollute the current and | 
|  | # subsequent builds' environment | 
|  |  | 
|  | if config_valid "$cc_config"; then | 
|  | # Build code coverage plugin | 
|  | build_cc | 
|  | fi | 
|  |  | 
|  | # TFTF build | 
|  | if config_valid "$tftf_config"; then | 
|  | ( | 
|  | echo "##########" | 
|  |  | 
|  | plat_utils="$(get_tf_opt PLAT_UTILS)" | 
|  | if [ -z ${plat_utils} ]; then | 
|  | # Source platform-specific utilities. | 
|  | plat="$(get_tftf_opt PLAT)" | 
|  | plat_utils="$ci_root/${plat}_utils.sh" | 
|  | else | 
|  | # Source platform-specific utilities by | 
|  | # using plat_utils name. | 
|  | plat_utils="$ci_root/${plat_utils}.sh" | 
|  | fi | 
|  |  | 
|  | if [ -f "$plat_utils" ]; then | 
|  | source "$plat_utils" | 
|  | fi | 
|  |  | 
|  | archive="$build_archive" | 
|  | tftf_build_root="$archive/build/tftf" | 
|  | mkdir -p ${tftf_build_root} | 
|  |  | 
|  | echo "Building Trusted Firmware TF ($mode) ..." |& log_separator | 
|  |  | 
|  | # Call pre-build hook | 
|  | call_hook pre_tftf_build | 
|  |  | 
|  | build_tftf | 
|  |  | 
|  | from="$tftf_build_root" to="$archive" collect_build_artefacts | 
|  |  | 
|  | # Clear any local changes made by applied patches | 
|  | undo_tftf_patches | 
|  |  | 
|  | echo "##########" | 
|  | echo | 
|  | ) | 
|  | fi | 
|  |  | 
|  | # SPM build | 
|  | if config_valid "$spm_config"; then | 
|  | ( | 
|  | echo "##########" | 
|  |  | 
|  | # Get platform name from spm_config file | 
|  | plat="$(echo "$spm_config" | awk -F- '{print $1}')" | 
|  | plat_utils="$ci_root/${plat}_utils.sh" | 
|  | if [ -f "$plat_utils" ]; then | 
|  | source "$plat_utils" | 
|  | fi | 
|  |  | 
|  | # Call pre-build hook | 
|  | call_hook pre_spm_build | 
|  |  | 
|  | # SPM build generates two sets of binaries, one for normal and other | 
|  | # for Secure world. We need both set of binaries for CI. | 
|  | archive="$build_archive" | 
|  | spm_build_root="$archive/build/spm" | 
|  |  | 
|  | spm_secure_build_root="$spm_build_root/$spm_secure_out_dir" | 
|  | spm_ns_build_root="$spm_build_root/$spm_non_secure_out_dir" | 
|  |  | 
|  | echo "spm_build_root is $spm_build_root" | 
|  | echo "Building SPM ($mode) ..." |& log_separator | 
|  |  | 
|  | # NOTE: mode has no effect on SPM build (for now), hence debug | 
|  | # mode is built but subsequent build using release mode just | 
|  | # goes through with "nothing to do". | 
|  | build_spm | 
|  |  | 
|  | # Show SPM/Hafnium binary details | 
|  | cksum $spm_secure_build_root/hafnium.bin | 
|  |  | 
|  | # Some platforms only have secure configuration enabled. Hence, | 
|  | # non secure hanfnium binary might not be built. | 
|  | if [ -f $spm_ns_build_root/hafnium.bin ]; then | 
|  | cksum $spm_ns_build_root/hafnium.bin | 
|  | fi | 
|  |  | 
|  | secure_from="$spm_secure_build_root" non_secure_from="$spm_ns_build_root" to="$archive" collect_spm_artefacts | 
|  |  | 
|  | echo "##########" | 
|  | echo | 
|  | ) | 
|  | fi | 
|  |  | 
|  | # TF RMM build | 
|  | if  config_valid "$rmm_config"; then | 
|  | ( | 
|  | echo "##########" | 
|  |  | 
|  | plat_utils="$(get_rmm_opt PLAT_UTILS)" | 
|  | if [ -z ${plat_utils} ]; then | 
|  | # Source platform-specific utilities. | 
|  | plat="$(get_rmm_opt PLAT)" | 
|  | extra_options="$(get_rmm_opt EXTRA_OPTIONS)" | 
|  | extra_targets="$(get_rmm_opt EXTRA_TARGETS "")" | 
|  | rmm_toolchain="$(get_rmm_opt TOOLCHAIN gnu)" | 
|  | rmm_fpu_use_at_rel2="$(get_rmm_opt RMM_FPU_USE_AT_REL2 OFF)" | 
|  | rmm_attest_el3_token_sign="$(get_rmm_opt ATTEST_EL3_TOKEN_SIGN OFF)" | 
|  | rmm_v1_1="$(get_rmm_opt RMM_V1_1 ON)" | 
|  | plat_utils="$ci_root/${plat}_utils.sh" | 
|  | else | 
|  | # Source platform-specific utilities by | 
|  | # using plat_utils name. | 
|  | plat_utils="$ci_root/${plat_utils}.sh" | 
|  | fi | 
|  |  | 
|  | if [ -f "$plat_utils" ]; then | 
|  | source "$plat_utils" | 
|  | fi | 
|  |  | 
|  | archive="$build_archive" | 
|  | rmm_build_root="$rmm_root/build" | 
|  |  | 
|  | echo "Building Trusted Firmware RMM ($mode) ..." |& log_separator | 
|  |  | 
|  | #call_hook pre_rmm_build | 
|  | build_rmm | 
|  |  | 
|  | # Collect all rmm.* files: rmm.img, rmm.elf, rmm.dump, rmm.map | 
|  | from="$rmm_build_root" to="$archive" collect_build_artefacts | 
|  |  | 
|  | # Clear any local changes made by applied patches | 
|  | undo_rmm_patches | 
|  |  | 
|  | echo "##########" | 
|  | ) | 
|  | fi | 
|  |  | 
|  | # TF build | 
|  | if config_valid "$tf_config"; then | 
|  | ( | 
|  | echo "##########" | 
|  |  | 
|  | plat_utils="$(get_tf_opt PLAT_UTILS)" | 
|  | export plat_variant="$(get_tf_opt TARGET_PLATFORM)" | 
|  |  | 
|  | if [ -z ${plat_utils} ]; then | 
|  | # Source platform-specific utilities. | 
|  | plat="$(get_tf_opt PLAT)" | 
|  | plat_utils="$ci_root/${plat}_utils.sh" | 
|  | else | 
|  | # Source platform-specific utilities by | 
|  | # using plat_utils name. | 
|  | plat_utils="$ci_root/${plat_utils}.sh" | 
|  | fi | 
|  |  | 
|  | if [ -f "$plat_utils" ]; then | 
|  | source "$plat_utils" | 
|  | fi | 
|  |  | 
|  | fvp_tsram_size="$(get_tf_opt FVP_TRUSTED_SRAM_SIZE)" | 
|  | fvp_tsram_size="${fvp_tsram_size:-256}" | 
|  |  | 
|  | poetry -C "$tf_root" install --without docs | 
|  |  | 
|  | archive="$build_archive" | 
|  | tf_build_root="$archive/build/tfa" | 
|  | mkdir -p ${tf_build_root} | 
|  |  | 
|  | echo "Building Trusted Firmware ($mode) ..." |& log_separator | 
|  |  | 
|  | # Call pre-build hook | 
|  | call_hook pre_tf_build | 
|  |  | 
|  | build_tf | 
|  |  | 
|  | # Call post-build hook | 
|  | call_hook post_tf_build | 
|  |  | 
|  | # Pre-archive hook | 
|  | call_hook pre_tf_archive | 
|  |  | 
|  | from="$tf_build_root" to="$archive" collect_build_artefacts | 
|  |  | 
|  | # Post-archive hook | 
|  | call_hook post_tf_archive | 
|  |  | 
|  | call_hook fetch_tf_resource | 
|  | call_hook post_fetch_tf_resource | 
|  |  | 
|  | # Generate LAVA job files if necessary | 
|  | call_hook generate_lava_job_template | 
|  | call_hook generate_lava_job | 
|  |  | 
|  | # Clear any local changes made by applied patches | 
|  | undo_tf_patches | 
|  |  | 
|  | echo "##########" | 
|  | ) | 
|  | fi | 
|  |  | 
|  | # TFUT build | 
|  | if config_valid "$tfut_config"; then | 
|  | ( | 
|  | echo "##########" | 
|  |  | 
|  | archive="$build_archive" | 
|  | tfut_build_root="$tfut_root/build" | 
|  |  | 
|  | echo "Building Trusted Firmware UT ($mode) ..." |& log_separator | 
|  |  | 
|  | # Clean TFUT build targets | 
|  | set_hook_var "tfut_build_targets" "" | 
|  |  | 
|  | # Call pre-build hook | 
|  | call_hook pre_tfut_build | 
|  |  | 
|  | build_tfut | 
|  |  | 
|  | from="$tfut_build_root" to="$archive" collect_tfut_artefacts | 
|  |  | 
|  | to="$archive" coverage="$COVERAGE" collect_tfut_coverage | 
|  |  | 
|  | echo "##########" | 
|  | echo | 
|  | ) | 
|  | fi | 
|  | echo | 
|  | echo | 
|  | done | 
|  |  | 
|  | if config_valid "$tfut_config"; then | 
|  | deactivate | 
|  | fi | 
|  |  | 
|  | call_hook pre_package | 
|  |  | 
|  | call_hook post_package | 
|  |  | 
|  | if upon "$jenkins_run" && upon "$artefacts_receiver" && [ -d "artefacts" ]; then | 
|  | source "$CI_ROOT/script/send_artefacts.sh" "artefacts" | 
|  | fi | 
|  |  | 
|  | echo | 
|  | echo "Done" |