Commit c344e762 authored by Jean Alinei's avatar Jean Alinei

Merge branch 'develop' into 'main'

First working example with STM32G474RE USB DFU

See merge request !2
parents 8cf1045b a62560cd
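# SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: Apache-2.0

# Builds MCUboot for the Espressif targets on pushes to main and on every
# pull request. What actually gets built lives in ci/espressif_install.sh
# and ci/espressif_run.sh; this file only selects the target/feature matrix.
on:
  push:
    branches:
      - main
  pull_request:

name: Espressif

# Least privilege: no step here writes back to the repository, so the
# GITHUB_TOKEN only needs read access. Without an explicit block the token
# inherits the repository default, which may be read/write.
permissions:
  contents: read

# One run per PR (or per ref on push); a newer run supersedes the older one.
concurrency:
  group: espressif-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  environment:
    strategy:
      matrix:
        targets: [esp32, esp32s2, esp32s3, esp32c3]
        features:
          - "sign-rsa2048,sign-rsa3072,sign-ec256,sign-ed25519"
    runs-on: ubuntu-latest
    env:
      MCUBOOT_TARGETS: ${{ matrix.targets }}
      MCUBOOT_FEATURES: ${{ matrix.features }}
    steps:
      # NOTE(review): third-party actions are referenced by mutable tag.
      # Pin them to a full commit SHA (keeping the tag in a trailing comment)
      # so a moved or compromised tag cannot change what runs here.
      - uses: actions/checkout@v2
        with:
          # Full history; presumably required by check-signed-off-by.sh.
          fetch-depth: 0
          # Pulls in the submodules listed in .gitmodules (esp-idf under
          # boot/espressif/hal/esp-idf). The checkout uses the commit
          # recorded in this repository, not the tip of the configured branch.
          submodules: recursive
      - name: Print the environment
        run: |
          uname -a
          lscpu
          free
          pwd
      # Signed-off-by is only enforced on pull requests.
      - name: Signed commit check
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          ./ci/check-signed-off-by.sh
      - name: Espressif install
        run: |
          ./ci/espressif_install.sh
      - name: Espressif run
        run: |
          ./ci/espressif_run.sh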
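# Fault-injection hardening tests: runs the same nine configurations as the
# legacy .travis.yml (ci/fih-tests_install.sh + ci/fih-tests_run.sh) on
# pushes to main and on every pull request.
on:
  push:
    branches:
      - main
  pull_request:

name: FIH hardening

# Read-only token: nothing below writes to the repository.
permissions:
  contents: read

concurrency:
  group: fih-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  config:
    strategy:
      matrix:
        fih_env:
          # FIH environment must use the following space separated format:
          # BUILD_TYPE SKIP_SIZE DAMAGE_TYPE FIH_LEVEL(optional)
          #
          # Not covered (same reasoning as in .travis.yml):
          # - DAMAGE_TYPE=IMAGE_HASH: the hash sits in the unprotected TLV
          #   section, so a valid hash for a changed image is easy to compute.
          # - FIH_LEVEL=MAX: needs a hardware entropy source that the QEMU
          #   system used by the tests does not provide.
          - "RELEASE 2,4,6,8,10 SIGNATURE"
          - "RELEASE 2,4,6,8,10 SIGNATURE LOW"
          - "RELEASE 2,4,6,8,10 SIGNATURE MEDIUM"
          - "MINSIZEREL 2,4,6 SIGNATURE"
          - "MINSIZEREL 2,4,6 SIGNATURE LOW"
          - "MINSIZEREL 2,4,6 SIGNATURE MEDIUM"
          - "MINSIZEREL 8,10 SIGNATURE"
          - "MINSIZEREL 8,10 SIGNATURE LOW"
          - "MINSIZEREL 8,10 SIGNATURE MEDIUM"
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin actions to a full commit SHA rather than a mutable
      # tag (keep the tag in a trailing comment for readability).
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
          # Uses Mbed TLS from TFM, and nothing else from here.
          submodules: false
      - name: Print the environment
        run: |
          uname -a
          lscpu
          free
          pwd
      - name: Signed commit check
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          ./ci/check-signed-off-by.sh
      - name: FIH hardening test install
        run: |
          ./ci/fih-tests_install.sh
      - name: FIH hardening test run
        env:
          # Matrix values are fixed strings from this file, so passing them
          # through env (not ${{ }} inside the script) is simply consistent
          # hygiene, not a fix for untrusted input.
          FIH_ENV: ${{ matrix.fih_env }}
        run: |
          ./ci/fih-tests_run.sh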
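# Builds and publishes imgtool (scripts/) via ci/imgtool_run.sh — presumably
# to PyPI, given the twine token — on pushes to main and release branches.
# There is deliberately no pull_request trigger: the publish step needs
# TWINE_TOKEN, which must never be available to unreviewed PR code.
on:
  push:
    branches:
      - main
      - v*-branch

name: imgtool

# The token only checks out the repository; publishing uses TWINE_TOKEN.
permissions:
  contents: read

# Push-only workflow, so the ref is the only sensible key. (The old
# `pull_request.number || github.ref` form evaluated to github.ref anyway.)
# NOTE(review): cancel-in-progress on a publishing job means a second push
# can abort an upload in flight; consider dropping it for this workflow.
concurrency:
  group: imgtool-${{ github.ref }}
  cancel-in-progress: true

jobs:
  environment:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin actions to a full commit SHA rather than a mutable
      # tag; this is doubly important in a workflow that holds a publish token.
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      # NOTE(review): actions/cache@v1 is a very old major; confirm GitHub
      # still serves it. A key with no content hash also means the cache is
      # never refreshed once created — consider adding hashFiles() of the
      # requirements/setup files under scripts/.
      - name: Cache pip
        uses: actions/cache@v1
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip
      - name: Install packages
        run: |
          export PATH="$HOME/.local/bin:$PATH"
          ./ci/imgtool_install.sh
      # TWINE_TOKEN is scoped to this single step only. Consider binding the
      # job to a protected `environment:` so the secret is released only to
      # approved runs.
      - name: Publish
        env:
          TWINE_TOKEN: ${{ secrets.TWINE_TOKEN }}
        run: |
          export PATH="$HOME/.local/bin:$PATH"
          ./ci/imgtool_run.sh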
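# Builds MCUboot for Mynewt on pushes to main and on every pull request
# (ci/mynewt_install.sh + ci/mynewt_run.sh do the actual work).
on:
  push:
    branches:
      - main
  pull_request:

name: Mynewt

# Read-only token: nothing below writes to the repository.
permissions:
  contents: read

concurrency:
  group: mynewt-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  environment:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin actions to a full commit SHA rather than a mutable
      # tag (keep the tag in a trailing comment for readability).
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Print the environment
        run: |
          uname -a
          lscpu
          free
          pwd
      - name: Signed commit check
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          ./ci/check-signed-off-by.sh
      - name: Mynewt install
        run: |
          ./ci/mynewt_install.sh
      - name: Mynewt run
        run: |
          ./ci/mynewt_run.sh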
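# Runs the Rust simulator test-suite (sim/) across feature combinations on
# pushes to main and on every pull request. Each matrix entry is a
# comma-separated list of feature sets, each of which is a space-separated
# set of cargo features; ci/sim_run.sh consumes it through MULTI_FEATURES.
on:
  push:
    branches:
      - main
  pull_request:

name: Sim

# Read-only token: nothing below writes to the repository.
permissions:
  contents: read

concurrency:
  group: sim-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  environment:
    strategy:
      matrix:
        features:
          - "sig-ecdsa,sig-ecdsa-mbedtls,sig-ed25519,enc-kw,bootstrap"
          - "sig-rsa,sig-rsa3072,overwrite-only,validate-primary-slot,swap-move"
          - "enc-rsa,enc-rsa max-align-32"
          - "enc-aes256-rsa,enc-aes256-rsa max-align-32"
          - "enc-ec256,enc-ec256 max-align-32"
          - "enc-aes256-ec256,enc-aes256-ec256 max-align-32"
          - "enc-x25519,enc-x25519 max-align-32"
          - "enc-aes256-x25519,enc-aes256-x25519 max-align-32"
          - "sig-rsa overwrite-only,sig-ecdsa overwrite-only,sig-ecdsa-mbedtls overwrite-only,multiimage overwrite-only"
          - "sig-rsa validate-primary-slot,sig-ecdsa validate-primary-slot,sig-ecdsa-mbedtls validate-primary-slot,sig-rsa multiimage validate-primary-slot"
          - "enc-kw overwrite-only,enc-kw overwrite-only max-align-32"
          - "enc-rsa overwrite-only,enc-rsa overwrite-only max-align-32"
          - "enc-aes256-kw overwrite-only,enc-aes256-kw overwrite-only max-align-32"
          - "sig-rsa enc-rsa validate-primary-slot,swap-move enc-rsa sig-rsa validate-primary-slot bootstrap"
          - "sig-rsa enc-kw validate-primary-slot bootstrap,sig-ed25519 enc-x25519 validate-primary-slot"
          - "sig-ecdsa enc-kw validate-primary-slot"
          - "sig-ecdsa-mbedtls enc-kw validate-primary-slot"
          - "sig-rsa validate-primary-slot overwrite-only,sig-rsa validate-primary-slot overwrite-only max-align-32"
          - "sig-ecdsa enc-ec256 validate-primary-slot"
          - "sig-ecdsa-mbedtls enc-ec256-mbedtls validate-primary-slot"
          - "sig-ecdsa-mbedtls enc-aes256-ec256 validate-primary-slot"
          - "sig-rsa validate-primary-slot overwrite-only downgrade-prevention"
          - "sig-rsa validate-primary-slot ram-load"
          - "sig-rsa enc-rsa validate-primary-slot ram-load"
          - "sig-rsa validate-primary-slot direct-xip"
          - "sig-rsa validate-primary-slot ram-load multiimage"
          - "sig-rsa validate-primary-slot direct-xip multiimage"
    runs-on: ubuntu-latest
    env:
      MULTI_FEATURES: ${{ matrix.features }}
    steps:
      # NOTE(review): pin actions to a full commit SHA rather than a mutable
      # tag (keep the tag in a trailing comment for readability).
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
          # The simulator links the vendored crypto under ext/ (see
          # .gitmodules), hence the recursive submodule checkout.
          submodules: recursive
      - name: Print the environment
        run: |
          uname -a
          lscpu
          free
          pwd
      - name: Signed commit check
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          ./ci/check-signed-off-by.sh
      # NOTE(review): actions-rs/toolchain appears to be unmaintained
      # (archived upstream). `rustup toolchain install stable` on the hosted
      # runner, or a maintained action, would remove that dependency —
      # confirm the runner image provides rustup before switching.
      - name: Install stable Rust
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - name: Sim install
        run: |
          ./ci/sim_install.sh
      - name: Sim run
        run: |
          ./ci/sim_run.sh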
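name: "Close stale pull requests/issues"

on:
  schedule:
    - cron: "16 00 * * *"

# The stale action labels and closes issues and PRs, so it needs write
# access to both; everything else stays at "none".
permissions:
  issues: write
  pull-requests: write

jobs:
  stale:
    name: Find Stale issues and PRs
    runs-on: ubuntu-latest
    # Do not run on forks of the repository.
    if: github.repository == 'mcu-tools/mcuboot'
    steps:
      # NOTE(review): pin to a full commit SHA rather than the mutable tag.
      - uses: actions/stale@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          # The day counts quoted in these messages must match
          # days-before-stale / days-before-close below (they previously said
          # 60 days while the threshold is 180).
          stale-pr-message: 'This pull request has been marked as stale because it has been open (more than) 180 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this pull request will automatically be closed in 14 days. Note, that you can always re-open a closed pull request at any time.'
          stale-issue-message: 'This issue has been marked as stale because it has been open (more than) 180 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.'
          days-before-stale: 180
          days-before-close: 14
          stale-issue-label: 'stale'
          stale-pr-label: 'stale'
          exempt-issue-labels: 'someday'
          # exempt-pr-labels: 'Blocked,In progress'
          # exempt-issue-labels: 'In progress,Enhancement,Feature,Feature Request,RFC,Meta'
          operations-per-run: 400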
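# Copyright (c) 2022 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

name: Build Zephyr samples with Twister

# Workflow triggers on PRs, pushes to main, once per day at midnight and can be started manually.
on:
  # By default, pull_request includes: opened, synchronize, or reopened
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
  schedule:
    - cron: '0 0 * * *'
  # When triggered manually, ask for Zephyr and MCUBoot versions to check out
  workflow_dispatch:
    inputs:
      version_zephyr:
        description: 'Which Zephyr version to checkout?'
        required: true
        default: 'main'
      version_mcuboot:
        description: 'Which MCUBoot version to checkout?'
        required: true
        default: 'main'

# Read-only token: the job only checks out, builds and uploads an artifact.
# Keep the PR trigger as `pull_request` (not `pull_request_target`): the PR's
# own head commit is built below, and that code must not run with a
# write-capable token or with access to secrets.
permissions:
  contents: read

env:
  ZEPHYR_VERSION: 'main'
  MCUBOOT_VERSION: 'main'

# Only cancel ongoing runs for PRs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  build_zephyr_with_twister:
    runs-on: ubuntu-latest
    # Docker image from the zephyr upstream. Includes SDK and other required tools
    # NOTE(review): the image is referenced by tag; pin it by digest
    # (image@sha256:...) to make the build environment reproducible.
    container:
      image: zephyrprojectrtos/ci:v0.21.0
      options: '--entrypoint /bin/bash'
      # NOTE(review): on a GitHub-hosted runner this host path is just an
      # empty directory; the mount only matters on a self-hosted runner.
      volumes:
        - /home/runners/zephyrproject:/github/cache/zephyrproject
    env:
      ZEPHYR_SDK_INSTALL_DIR: /opt/toolchains/zephyr-sdk-0.13.2
    steps:
      # Dispatch inputs are free-form text typed by whoever triggers the run.
      # They are passed through `env:` rather than interpolated with ${{ }}
      # into the script (which would let an input inject shell commands),
      # and restricted to characters that can appear in a git ref or SHA
      # before being written to GITHUB_ENV, so an input cannot smuggle extra
      # NAME=value lines (e.g. LD_PRELOAD) into later steps. The character
      # class is deliberately conservative; widen it if a legitimate ref is
      # rejected.
      - name: Set versions when workflow_dispatch
        if: github.event_name == 'workflow_dispatch'
        env:
          INPUT_ZEPHYR: ${{ github.event.inputs.version_zephyr }}
          INPUT_MCUBOOT: ${{ github.event.inputs.version_mcuboot }}
        run: |
          for ref in "$INPUT_ZEPHYR" "$INPUT_MCUBOOT"; do
            case "$ref" in
              ""|*[!A-Za-z0-9._/-]*)
                echo "Refusing unsafe ref: '$ref'" >&2
                exit 1
                ;;
            esac
          done
          echo "ZEPHYR_VERSION=$INPUT_ZEPHYR" >> "$GITHUB_ENV"
          echo "MCUBOOT_VERSION=$INPUT_MCUBOOT" >> "$GITHUB_ENV"
      # The PR head SHA comes from the event payload rather than user text,
      # but it goes through `env:` too so that no step in this file
      # interpolates expression output into a shell script.
      - name: Set versions when pull_request
        if: github.event_name == 'pull_request'
        env:
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "MCUBOOT_VERSION=$PR_HEAD_SHA" >> "$GITHUB_ENV"
      # NOTE(review): pin actions to a full commit SHA rather than a mutable
      # tag (keep the tag in a trailing comment for readability).
      - name: Checkout Zephyr
        uses: actions/checkout@v2
        with:
          repository: 'zephyrproject-rtos/zephyr'
          ref: ${{ env.ZEPHYR_VERSION }}
          path: 'repos/zephyr'
      # `west update` fetches the modules from Zephyr's manifest over the
      # network; what it pins is decided by the checked-out Zephyr revision.
      - name: Setup Zephyr
        working-directory: repos/zephyr
        run: |
          west init -l .
          west update
      - name: Checkout MCUBoot
        uses: actions/checkout@v2
        with:
          repository: 'mcu-tools/mcuboot'
          ref: ${{ env.MCUBOOT_VERSION }}
          path: 'repos/bootloader/mcuboot'
      - name: Run Twister tests
        working-directory: repos/zephyr
        env:
          test_paths: >
            -T ../bootloader/mcuboot/boot/zephyr
            -T ./tests/subsys/dfu
            -T ./samples/subsys/mgmt/mcumgr/smp_svr
        run: |
          export ZEPHYR_BASE=${PWD}
          export ZEPHYR_TOOLCHAIN_VARIANT=zephyr
          # Plain shell expansion of the job env, no ${{ }} in the script.
          echo "Using Zephyr version: $ZEPHYR_VERSION"
          echo "Using Mcuboot version: $MCUBOOT_VERSION"
          # ${test_paths} is intentionally unquoted: it holds several -T args.
          ./scripts/twister --inline-logs -v -N -M --integration --overflow-as-errors --retry-failed 2 ${test_paths}
      - name: Upload Tests Results
        uses: actions/upload-artifact@v2
        if: always()
        with:
          name: Tests Results
          if-no-files-found: ignore
          path: |
            repos/zephyr/twister-out/twister.xml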
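# Build output and editor leftovers at the repository root.
outdir/
.*.swp
target.sh
tags
rusty-tags.*

# mynewt
/repos/
/project.state
/bin/
/targets/
**/build/**/*

# Eclipse project files
.cproject
.project

# Compiled python modules (listed once; the earlier duplicate was removed).
*.pyc

# Setuptools distribution folder.
/scripts/dist/

# Python egg metadata, regenerated from source files by setuptools.
/scripts/*.egg-info
/scripts/*.egg

# The target directory from Rust development
/target/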
# Vendored third-party code. The commit actually checked out for each
# submodule is the one recorded in this repository's tree, not the tip of
# any branch; `branch =` below only steers `git submodule update --remote`.
# All URLs are https:// (authenticated transport); keep it that way.
# NOTE(review): the submodule name "sim/mbedtls" does not match its path
# (ext/mbedtls) — harmless, but confusing. The ARMmbed/mbedtls repository
# appears to have moved to the Mbed-TLS organisation; GitHub redirects,
# but the URL could be updated — confirm before changing.
[submodule "sim/mbedtls"]
path = ext/mbedtls
url = https://github.com/ARMmbed/mbedtls
[submodule "boot/cypress/libs/mtb-pdl-cat1"]
path = boot/cypress/libs/mtb-pdl-cat1
url = https://github.com/cypresssemiconductorco/mtb-pdl-cat1.git
[submodule "boot/cypress/libs/pdl/psoc6pdl"]
path = boot/cypress/libs/pdl/psoc6pdl
url = https://github.com/cypresssemiconductorco/psoc6pdl.git
[submodule "boot/cypress/libs/retarget-io"]
path = boot/cypress/libs/retarget-io
url = https://github.com/cypresssemiconductorco/retarget-io.git
[submodule "boot/cypress/libs/core-lib"]
path = boot/cypress/libs/core-lib
url = https://github.com/cypresssemiconductorco/core-lib.git
[submodule "boot/cypress/libs/psoc6hal"]
path = boot/cypress/libs/psoc6hal
url = https://github.com/cypresssemiconductorco/psoc6hal.git
[submodule "boot/cypress/libs/cy-mbedtls-acceleration"]
path = boot/cypress/libs/cy-mbedtls-acceleration
url = https://github.com/cypresssemiconductorco/cy-mbedtls-acceleration.git
# esp-idf is only pulled by the Espressif workflow (submodules: recursive).
[submodule "boot/espressif/hal/esp-idf"]
path = boot/espressif/hal/esp-idf
url = https://github.com/espressif/esp-idf.git
branch = release/v4.4
boot/boot_serial/*
boot/mynewt/*
boot/zephyr/*
boot/cypress/*
boot/espressif/*
boot/nuttx/*
ci/*
docs/*
ptest/*
samples/*
scripts/*
sim/*
testplan/*
ext/fiat/*
ext/mbedtls/*
ext/mbedtls-asn1/*
ext/nrf/*
ext/tinycrypt/tests/*
ext/tinycrypt/*
ext/tinycrypt-sha512/*
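# Travis configuration. Run FI hardening tests.
# NOTE(review): the same nine FIH configurations are run by the
# "FIH hardening" GitHub Actions workflow; if Travis is no longer used,
# delete this file rather than let the two drift apart.
language: minimal

services:
  - docker

# Each entry provides the BUILD_TYPE / SKIP_SIZE / DAMAGE_TYPE / FIH_LEVEL
# environment consumed by ci/fih-tests_install.sh and ci/fih-tests_run.sh.
# `language: minimal` is inherited from the top level, so it is not repeated.
matrix:
  include:
    - os: linux
      env: BUILD_TYPE=RELEASE SKIP_SIZE=2,4,6,8,10 TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=RELEASE SKIP_SIZE=2,4,6,8,10 FIH_LEVEL=LOW TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=RELEASE SKIP_SIZE=2,4,6,8,10 FIH_LEVEL=MEDIUM TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=MINSIZEREL SKIP_SIZE=2,4,6 TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=MINSIZEREL SKIP_SIZE=2,4,6 FIH_LEVEL=LOW TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=MINSIZEREL SKIP_SIZE=2,4,6 FIH_LEVEL=MEDIUM TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=MINSIZEREL SKIP_SIZE=8,10 TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=MINSIZEREL SKIP_SIZE=8,10 FIH_LEVEL=LOW TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    - os: linux
      env: BUILD_TYPE=MINSIZEREL SKIP_SIZE=8,10 FIH_LEVEL=MEDIUM TEST=fih-tests DAMAGE_TYPE=SIGNATURE
    ## Corrupt image hash is not tested as it is in the unprotected TLV section
    ## and is easy to calculate a valid hash for a changed image
    #- os: linux
    #  env: BUILD_TYPE=MINSIZEREL SKIP_SIZE=2,4,6 TEST=fih-tests DAMAGE_TYPE=IMAGE_HASH
    ## Max profile is not tested as it requires HW entropy source which is not
    ## present in the QEMU system being used for the tests.
    #- os: linux
    #  env: FIH_LEVEL=MAX TEST=fih-tests

# Signed-off-by is enforced on pull requests only; a failing check fails
# the build (exit 1 is the same outcome the old `if [ $? -ne 0 ]` produced).
before_install:
  - |
    if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then
      ./ci/check-signed-off-by.sh || exit 1
    fi

install:
  - ./ci/${TEST}_install.sh

script:
  - ./ci/${TEST}_run.sh

cache:
  directories:
    - docker

# The Slack room is a Travis `secure:` value: an encrypted blob only Travis
# can decrypt for this repository, not a plaintext token. Keep it that way;
# never replace it with the raw webhook/token.
notifications:
  slack:
    rooms:
      - secure: "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"
    on_success: always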
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual identity
and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
overall community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or
advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
mcuboot@groups.io.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning