ci: add FIH hardening tests to workflows
Add workflows to run FIH tests using GH actions. Update scripts to add
parsing of FIH parameters from an env matrix and disable docker caching
when running on GH.
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/.github/workflows/fih_tests.yaml b/.github/workflows/fih_tests.yaml
new file mode 100644
index 0000000..d2fef8b
--- /dev/null
+++ b/.github/workflows/fih_tests.yaml
@@ -0,0 +1,49 @@
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+name: FIH hardening
+
+jobs:
+ config:
+ strategy:
+ matrix:
+ fih_env:
+ # FIH environment must use the following space separated format:
+ # BUILD_TYPE SKIP_SIZE DAMAGE_TYPE FIH_LEVEL(optional)
+ - "RELEASE 2,4,6,8,10 SIGNATURE"
+ - "RELEASE 2,4,6,8,10 SIGNATURE LOW"
+ - "RELEASE 2,4,6,8,10 SIGNATURE MEDIUM"
+ - "MINSIZEREL 2,4,6 SIGNATURE"
+ - "MINSIZEREL 2,4,6 SIGNATURE LOW"
+ - "MINSIZEREL 2,4,6 SIGNATURE MEDIUM"
+ - "MINSIZEREL 8,10 SIGNATURE"
+ - "MINSIZEREL 8,10 SIGNATURE LOW"
+ - "MINSIZEREL 8,10 SIGNATURE MEDIUM"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ # Uses Mbed TLS from TFM, and nothing else from here.
+ submodules: false
+ - name: Print the environment
+ run: |
+ uname -a
+ lscpu
+ free
+ pwd
+ - name: Signed commit check
+ if: ${{ github.event_name == 'pull_request' }}
+ run: |
+ ./ci/check-signed-off-by.sh
+ - name: FIH hardening test install
+ run: |
+ ./ci/fih-tests_install.sh
+ - name: FIH hardening test run
+ env:
+ FIH_ENV: ${{ matrix.fih_env }}
+ run: |
+ ./ci/fih-tests_run.sh
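Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scopes even though none of the steps here (checkout, environment print, sign-off check, the two `./ci/fih-tests_*.sh` scripts) need anything beyond reading the repository. Adding a top-level `permissions:` with `contents: read` would make the job least-privilege, which matters most for the `pull_request` trigger where the checked-out scripts come from the PR branch. Along the same lines, `actions/checkout@v2` is pinned to a movable major tag; pinning to the full commit SHA of the intended release (`uses: actions/checkout@<full-commit-sha> # v2`) keeps the action's contents fixed across runs. A one-line comment above the `fetch-depth: 0` entry would also help, since full history is presumably required by the sign-off check rather than by the build itself.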
diff --git a/ci/fih-tests_install.sh b/ci/fih-tests_install.sh
index fb6e0fb..4e38627 100755
--- a/ci/fih-tests_install.sh
+++ b/ci/fih-tests_install.sh
@@ -25,6 +25,8 @@
[[ -f $CACHED_IMAGE ]] && (gzip -dc $CACHED_IMAGE | docker load)
if [[ $? -ne 0 ]]; then
- docker pull mcuboot/$IMAGE
- docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE
+ docker pull mcuboot/$IMAGE
+ if [[ $GITHUB_ACTIONS != true ]]; then
+ docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE
+ fi
fi
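Review bot: With caching skipped on GitHub Actions every run now depends on the `docker pull mcuboot/$IMAGE` line succeeding, yet its exit status is not examined, so a failed pull would fall through to the later `docker run` unless the script's header (outside this hunk) enables `set -e`. A minimal guard is `docker pull mcuboot/$IMAGE || exit 1`. Since the image is also fetched by mutable tag, pinning it by digest (`mcuboot/$IMAGE@sha256:<image-digest>`) would make the CI result reproducible and tie the test to a known image build.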
diff --git a/ci/fih-tests_run.sh b/ci/fih-tests_run.sh
index efe33a0..5b975d3 100755
--- a/ci/fih-tests_run.sh
+++ b/ci/fih-tests_run.sh
@@ -22,6 +22,28 @@
git checkout TF-Mv1.4.0 &&\
popd
+if [[ $GITHUB_ACTIONS == true ]]; then
+ if [[ -z $FIH_ENV ]]; then
+ echo "Workflow has found no \$FIH_ENV"
+ exit 1
+ fi
+
+ args=($FIH_ENV)
+ len=${#args[@]}
+ if [[ $len < 3 ]]; then
+ echo "Invalid number of \$FIH_ENV args"
+ exit 1
+ fi
+
+ BUILD_TYPE=${args[0]}
+ SKIP_SIZE=${args[1]}
+ DAMAGE_TYPE=${args[2]}
+
+ if [[ $len > 3 ]]; then
+ FIH_LEVEL=${args[3]}
+ fi
+fi
+
if test -z "$FIH_LEVEL"; then
docker run --rm -v $(pwd):/root/work/tfm:rw,z mcuboot/fih-test /bin/sh -c '/root/work/tfm/mcuboot/ci/fih_test_docker/execute_test.sh $0 $1 $2' $SKIP_SIZE $BUILD_TYPE $DAMAGE_TYPE
else
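Review bot: The two length checks `if [[ $len < 3 ]]` and `if [[ $len > 3 ]]` are string comparisons inside `[[ ]]`, not numeric ones, so they only work here because the field count is a single digit; the intended arithmetic form is `if (( len < 3 )); then` and `if (( len > 3 )); then` (or `-lt`/`-gt`). Separately, when `$FIH_ENV` carries exactly three fields, a `FIH_LEVEL` that happens to be present in the runner environment is left untouched and would be picked up by the `test -z "$FIH_LEVEL"` branch below; adding an `else` that clears `FIH_LEVEL` keeps the matrix string authoritative. The `if test -z "$FIH_LEVEL"` / `else` construct continues past the end of this hunk.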