diff --git a/.github/workflows/footprint.yml b/.github/workflows/footprint.yml index 1e33fb598d..763429e80a 100644 --- a/.github/workflows/footprint.yml +++ b/.github/workflows/footprint.yml @@ -8,7 +8,9 @@ on: jobs: footprint_test: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 15 steps: @@ -16,19 +18,13 @@ jobs: with: submodules: true - # Get the arm-non-eabi-gcc toolchain - - name: Install arm-none-eabi-gcc - run : | - sudo apt-get install -y gcc-arm-none-eabi + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make clean run: | make keysclean && rm -f include/target.h - - name: Install wolfSSL - run: | - sudo apt-get install --no-install-recommends -y -q make libwolfssl-dev - - name: Select config run: | cp config/examples/stm32f407-discovery.config .config && make include/target.h @@ -40,4 +36,3 @@ jobs: - name: Build wolfboot and test footprint run: | make test-size-all - diff --git a/.github/workflows/test-build-cmake-dot-config.yml b/.github/workflows/test-build-cmake-dot-config.yml index 31a288bff3..65661f1964 100644 --- a/.github/workflows/test-build-cmake-dot-config.yml +++ b/.github/workflows/test-build-cmake-dot-config.yml @@ -9,6 +9,8 @@ jobs: wolfboot_dot_config_test: name: cmake .config test (${{ matrix.target }}) runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 15 strategy: 
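Review bot: The `image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0` line added to `footprint_test` references the CI image by tag only, and a tag can be re-pushed with different contents, so the toolchain that builds and size-tests wolfBoot is no longer fixed by anything in this repository. Pinning by digest keeps the tag readable and makes the pull immutable: `image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0@sha256:<digest-of-v1.0>` (placeholder; take the value from the registry). The same applies to every other `container:` block this diff adds, including the `wolfboot-ci-powerpc:v1.0` and `wolfboot-ci-sim:v1.0` images. The removed `apt-get install` steps at least showed which packages a job needed; the image definition is not part of this diff, so a comment above the `container:` key naming where it is maintained would help.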
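Review bot: The new `Trust workspace` step in `footprint_test` turns off git's repository-ownership check for the checkout without saying why, and the same uncommented step is repeated in most workflows in this diff. A one-line comment would record the reason and the intended scope, for example `# job runs in a container; checkout owner may differ from the container user, so trust only $GITHUB_WORKSPACE`. The reason is inferred from the `container:` key added in the same change, so confirm it before committing the wording. Keeping the value an explicit path, as done here, rather than a wildcard is the part worth stating, so that later edits do not widen it.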
@@ -36,56 +38,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Install requirements - run: | - # Run system updates and install toolchain - sudo apt-get update - sudo apt-get install -y gcc-arm-none-eabi gcc-powerpc-linux-gnu cmake + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Run dot-config examples run: | 
diff --git a/.github/workflows/test-build-cmake-presets.yml b/.github/workflows/test-build-cmake-presets.yml index 5910f0bbf6..901e03f666 100644 --- a/.github/workflows/test-build-cmake-presets.yml +++ b/.github/workflows/test-build-cmake-presets.yml @@ -8,11 +8,14 @@ on: permissions: contents: read + packages: read jobs: ubuntu-cmake: name: Build on Ubuntu runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 20 defaults: run: @@ -53,15 +56,8 @@ jobs: with: submodules: true - # Lock down network/runner - # See https://github.com/step-security/harden-runner/releases - # Currently only supported on Ubuntu - - # ARM GCC toolchain (adds the bin dir to PATH) - - name: Set up ARM none-eabi GCC - run: | - sudo apt update - sudo apt install -y gcc-arm-none-eabi + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: List all environment variables run: | diff --git a/.github/workflows/test-build-cmake-script.yml b/.github/workflows/test-build-cmake-script.yml index dfe34ab5d3..c8d4f8b72b 100644 --- a/.github/workflows/test-build-cmake-script.yml +++ b/.github/workflows/test-build-cmake-script.yml @@ -13,6 +13,8 @@ jobs: wolfboot_build_script_test: name: Build wolfBoot (target=${{ matrix.target }}) runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 15 strategy: 
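Review bot: The `packages: read` line added under `permissions:` grants the job token registry read access, but the `container:` block added below it has no `credentials:` entry, so as far as this hunk shows the image is pulled anonymously and the permission is unused. Either drop the line to keep the token at `contents: read`, or, if the image is meant to be private, pass the token explicitly with a `credentials:` block (`username: ${{ github.actor }}`, `password: ${{ secrets.GITHUB_TOKEN }}`). None of the other hunks in this diff add this permission while pulling images from the same registry namespace, which suggests the pull does not depend on it.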
@@ -42,55 +44,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Install requirements - run: | - sudo apt-get update - sudo apt-get install -y gcc-arm-none-eabi gcc-powerpc-linux-gnu cmake + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: View Presets run: | diff --git a/.github/workflows/test-build-cmake.yml b/.github/workflows/test-build-cmake.yml index 9b52fcac6d..7c1e6091f9 100644 
--- a/.github/workflows/test-build-cmake.yml +++ b/.github/workflows/test-build-cmake.yml @@ -7,6 +7,8 @@ on: jobs: cmake_automated_test: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 15 steps: 
@@ -14,56 +16,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - - name: Install requirements - run: | - sudo apt-get update - sudo apt-get install -y gcc-arm-none-eabi gcc-powerpc-linux-gnu cmake + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Run CMake build for STM32U5 run: | 
diff --git a/.github/workflows/test-build-lms.yml b/.github/workflows/test-build-lms.yml index 5d2cffa86a..1553e96c87 100644 --- a/.github/workflows/test-build-lms.yml +++ b/.github/workflows/test-build-lms.yml @@ -18,6 +18,8 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 30 steps: 
@@ -25,57 +27,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update - - - name: Install cross compilers - run: | - sudo apt-get install -y gcc-arm-none-eabi gcc-aarch64-linux-gnu gcc-powerpc-linux-gnu gnu-efi + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make clean run: | 
diff --git a/.github/workflows/test-build-mcux-sdk-manifests.yml b/.github/workflows/test-build-mcux-sdk-manifests.yml index 50b785cf62..b57d4bbd78 100644 --- a/.github/workflows/test-build-mcux-sdk-manifests.yml +++ b/.github/workflows/test-build-mcux-sdk-manifests.yml @@ -21,6 +21,8 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 30 steps: 
@@ -33,57 +35,8 @@ jobs: repository: nxp-mcuxpresso/CMSIS_5 path: CMSIS_5 - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update - - - name: Install software - run: | - sudo apt-get install -y gcc-arm-none-eabi + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Cache MCUXpresso SDK id: cache-mcuxpresso 
diff --git a/.github/workflows/test-build-mcux-sdk.yml b/.github/workflows/test-build-mcux-sdk.yml index 8dd92f6af6..b6547b649b 100644 --- a/.github/workflows/test-build-mcux-sdk.yml +++ b/.github/workflows/test-build-mcux-sdk.yml @@ -18,6 +18,8 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 30 steps: 
@@ -35,57 +37,8 @@ jobs: repository: nxp-mcuxpresso/CMSIS_5 path: CMSIS_5 - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update - - - name: Install cross compilers - run: | - sudo apt-get install -y gcc-arm-none-eabi + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make distclean run: | 
diff --git a/.github/workflows/test-build-pico-sdk.yml b/.github/workflows/test-build-pico-sdk.yml index e5d362ee78..c7cc0bef2f 100644 --- a/.github/workflows/test-build-pico-sdk.yml +++ b/.github/workflows/test-build-pico-sdk.yml @@ -21,10 +21,12 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 30 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true @@ -33,25 +35,15 @@ jobs: repository: raspberrypi/pico-sdk path: pico-sdk + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: pico-sdk submodules initialization run: | cd pico-sdk + git config --global --add safe.directory "$GITHUB_WORKSPACE/pico-sdk" git submodule update --init --recursive - - name: Workaround for sources.list - run: | - # workaround disabled, splitting the load between azure and arizona.edu to avoid timeouts - - # See reference code in test-build.yml for various sources that may be updated. Enable as needed here. - echo "Workaround for sources.list disabled for this workflow" - - - name: Update repository - run: sudo apt-get update - - - name: Install cross compilers - run: | - sudo apt-get install -y gcc-arm-none-eabi - - name: make distclean run: | make distclean diff --git a/.github/workflows/test-build-powerpc.yml b/.github/workflows/test-build-powerpc.yml new file mode 100644 index 0000000000..9924b53c73 --- /dev/null +++ b/.github/workflows/test-build-powerpc.yml 
@@ -0,0 +1,47 @@ +name: Wolfboot Reusable Build Workflow (PowerPC) + +on: + + workflow_call: + inputs: + arch: + required: true + type: string + config-file: + required: true + type: string + make-args: + required: false + type: string + +jobs: + + build: + runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-powerpc:v1.0 + timeout-minutes: 30 + + steps: + - uses: actions/checkout@v4 + with: + submodules: true + + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + + - name: make clean + run: | + make distclean + + - name: Select config + run: | + cp ${{inputs.config-file}} .config + + - name: Build tools + run: | + make -C tools/keytools && make -C tools/bin-assemble + + - name: Build wolfboot + run: | + make ${{inputs.make-args}} diff --git a/.github/workflows/test-build-psoc6.yml b/.github/workflows/test-build-psoc6.yml index f647bec04c..1a89e7c698 100644 --- a/.github/workflows/test-build-psoc6.yml +++ b/.github/workflows/test-build-psoc6.yml @@ -18,6 +18,8 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 30 steps: @@ -40,6 +42,9 @@ jobs: repository: Infineon/core-lib path: lib/core-lib + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Patch cy_syslib.c to declare cy_delay32kMs run: | # Add extern declaration for cy_delay32kMs directly in cy_syslib.c 
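Review bot: In the new reusable workflow, `cp ${{inputs.config-file}} .config` and `make ${{inputs.make-args}}` paste the caller's inputs into the script text before the shell runs, so quoting and metacharacters in an input are interpreted as script rather than data. The callers visible in this diff pass literal config paths, so this is hardening rather than a live problem, but passing the values through `env:` keeps them as data and lets the path be quoted. `MAKE_ARGS` is left unquoted on purpose so that several arguments still split into words. The `arch` input is declared `required: true` but no step in this file reads it; the same `${{inputs.make-args}}` interpolation also appears as context in the psoc6 and stm32cube hunks.

```yaml
      - name: Select config
        env:
          CONFIG_FILE: ${{ inputs.config-file }}
        run: |
          cp "$CONFIG_FILE" .config

      # … unchanged: Build tools …

      - name: Build wolfboot
        env:
          MAKE_ARGS: ${{ inputs.make-args }}
        run: |
          make $MAKE_ARGS
```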
@@ -48,58 +53,6 @@ jobs: lib/psoc6pdl/drivers/source/cy_syslib.c > /tmp/cy_syslib_patched.c mv /tmp/cy_syslib_patched.c lib/psoc6pdl/drivers/source/cy_syslib.c - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update - - - name: Install cross compilers - run: | - sudo apt-get install -y gcc-arm-none-eabi - - name: make distclean run: | make distclean 
@@ -115,5 +68,3 @@ jobs: - name: Build wolfboot run: | make ${{inputs.make-args}} V=1 - - diff --git a/.github/workflows/test-build-stm32cube.yml b/.github/workflows/test-build-stm32cube.yml index 0556adb5b8..2d7d94a6be 100644 --- a/.github/workflows/test-build-stm32cube.yml +++ b/.github/workflows/test-build-stm32cube.yml @@ -22,6 +22,8 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 30 steps: 
@@ -35,57 +37,8 @@ jobs: path: STM32Cube submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update - - - name: Install cross compilers - run: | - sudo apt-get install -y gcc-arm-none-eabi + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make distclean run: | 
@@ -102,4 +55,3 @@ jobs: - name: Build wolfboot run: | make STM32CUBE="$GITHUB_WORKSPACE/STM32Cube" ${{inputs.make-args}} V=1 - diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index 42f15f68ac..1553e96c87 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -17,7 +17,9 @@ on: jobs: build: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 30 steps: 
@@ -25,57 +27,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update -o Acquire::Retries=3 - - - name: Install cross compilers - run: | - sudo apt-get install -y gcc-arm-none-eabi gcc-aarch64-linux-gnu gcc-powerpc-linux-gnu gnu-efi + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make clean run: | 
diff --git a/.github/workflows/test-configs.yml b/.github/workflows/test-configs.yml index c3367da677..11159bf3c2 100644 --- a/.github/workflows/test-configs.yml +++ b/.github/workflows/test-configs.yml @@ -194,19 +194,19 @@ jobs: config-file: ./config/examples/nrf54l15-wolfcrypt-tz.config nxp_p1021_test: - uses: ./.github/workflows/test-build.yml + uses: ./.github/workflows/test-build-powerpc.yml with: arch: ppc config-file: ./config/examples/nxp-p1021.config nxp_t1024_test: - uses: ./.github/workflows/test-build.yml + uses: ./.github/workflows/test-build-powerpc.yml with: arch: ppc config-file: ./config/examples/nxp-t1024.config nxp_t2080_test: - uses: ./.github/workflows/test-build.yml + uses: ./.github/workflows/test-build-powerpc.yml with: arch: ppc config-file: ./config/examples/nxp-t2080.config diff --git a/.github/workflows/test-cppcheck.yml b/.github/workflows/test-cppcheck.yml index 002ece5a28..35436c512b 100644 --- a/.github/workflows/test-cppcheck.yml +++ b/.github/workflows/test-cppcheck.yml @@ -9,6 +9,8 @@ on: jobs: cppcheck: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 timeout-minutes: 15 steps: @@ -16,9 +18,6 @@ jobs: with: submodules: false - - name: install cppcheck - run: sudo apt-get install --no-install-recommends -y -q cppcheck - - name: Run cppcheck static analysis run: | make cppcheck diff --git a/.github/workflows/test-custom-tlv-simulator.yml b/.github/workflows/test-custom-tlv-simulator.yml index b257fa03ac..be94d6d000 100644 --- a/.github/workflows/test-custom-tlv-simulator.yml +++ b/.github/workflows/test-custom-tlv-simulator.yml @@ -9,6 +9,8 @@ on: jobs: custom_tlv_simulator_tests: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 steps: @@ -16,6 +18,9 @@ jobs: with: submodules: true + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: make clean run: | make distclean 
diff --git a/.github/workflows/test-elf-scattered.yml b/.github/workflows/test-elf-scattered.yml index 4445016985..d47d904660 100644 --- a/.github/workflows/test-elf-scattered.yml +++ b/.github/workflows/test-elf-scattered.yml @@ -9,6 +9,8 @@ on: jobs: elf_scattered_test: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 steps: @@ -16,6 +18,9 @@ jobs: with: submodules: true + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: make clean run: | make keysclean diff --git a/.github/workflows/test-external-library-paths.yml b/.github/workflows/test-external-library-paths.yml index 7d11c471ba..4d437547cb 100644 --- a/.github/workflows/test-external-library-paths.yml +++ b/.github/workflows/test-external-library-paths.yml @@ -10,6 +10,8 @@ on: jobs: test_external_libs: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 # Matrix to test multiple configurations @@ -38,6 +40,9 @@ jobs: with: submodules: true + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + # Move libraries outside the wolfBoot tree - name: Relocate libraries to external path run: | @@ -74,12 +79,6 @@ jobs: WOLFBOOT_LIB_WOLFPKCS11="$(realpath ../external-libs/wolfPKCS11)" \ WOLFBOOT_LIB_WOLFHSM="$(realpath ../external-libs/wolfHSM)" - # If building unit tests, install libcheck - - name: install libcheck - if: matrix.test-config.is-unit-test == true - run: sudo apt-get install --no-install-recommends -y -q check - - # Build unit tests with external paths - name: Build unit tests with external library paths if: matrix.test-config.is-unit-test == true diff --git a/.github/workflows/test-filesystem.yml b/.github/workflows/test-filesystem.yml index 3cd1ae25db..3e481c85fe 100644 --- a/.github/workflows/test-filesystem.yml +++ b/.github/workflows/test-filesystem.yml 
@@ -9,14 +9,16 @@ on: jobs: build-lib-fs-example: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 steps: - name: Checkout repository uses: actions/checkout@v4 with: submodules: true - - name: Install build dependencies - run: sudo apt-get update && sudo apt-get install -y build-essential + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Set simulation config and build signed boot partition run: | diff --git a/.github/workflows/test-hooks-simulator.yml b/.github/workflows/test-hooks-simulator.yml index ae4571361c..23f385ac70 100644 --- a/.github/workflows/test-hooks-simulator.yml +++ b/.github/workflows/test-hooks-simulator.yml @@ -9,6 +9,8 @@ on: jobs: hooks_test: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 30 strategy: fail-fast: false 
@@ -43,47 +45,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - set -euxo pipefail - - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update -o Acquire::Retries=3 + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Create test_hooks.c run: | diff --git a/.github/workflows/test-keytools.yml b/.github/workflows/test-keytools.yml index 958f86b8c0..5d6848f226 100644 --- a/.github/workflows/test-keytools.yml +++ b/.github/workflows/test-keytools.yml @@ -10,6 +10,8 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 steps: 
@@ -17,6 +19,9 @@ jobs: with: submodules: true + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + # ECC - name: make clean run: | @@ -289,5 +294,3 @@ jobs: run: | ./tools/keytools/sign --ecc256 --sha256 --custom-tlv-string 0x46 "Hello world" test-app/image.elf wolfboot_signing_private_key.der 3 grep "Hello world" test-app/image_v3_signed.bin - - diff --git a/.github/workflows/test-library.yml b/.github/workflows/test-library.yml index f2257dedc2..ee7417b7d4 100644 --- a/.github/workflows/test-library.yml +++ b/.github/workflows/test-library.yml @@ -8,12 +8,9 @@ on: jobs: test-lib: - # If jobs cancel, consider pinning to ubuntu-24.04 - # The ubuntu-latest alias can point to different images during migrations (and sometimes be extra busy), - # while ubuntu-24.04 always targets the 24.04 pool runs-on: ubuntu-latest - - # The timeout is run time after a runner starts, not time in queue + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 strategy: @@ -39,6 +36,9 @@ jobs: clean: true submodules: true + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: make clean run: | make keysclean && make -C tools/keytools clean && rm -f include/target.h diff --git a/.github/workflows/test-parse-tools.yml b/.github/workflows/test-parse-tools.yml index 2d20224aa6..01c4977d5c 100644 --- a/.github/workflows/test-parse-tools.yml +++ b/.github/workflows/test-parse-tools.yml @@ -10,6 +10,8 @@ jobs: build: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-powerpc:v1.0 timeout-minutes: 15 steps: 
@@ -17,11 +19,8 @@ jobs: with: submodules: true - - name: Install cross compilers - run: | - sudo sed -i 's|http://azure.archive.ubuntu.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/sources.list - sudo apt-get update - sudo apt-get install -y gcc-arm-none-eabi gcc-powerpc-linux-gnu + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make distclean run: | diff --git a/.github/workflows/test-powerfail-simulator.yml b/.github/workflows/test-powerfail-simulator.yml index 1428b18077..43b6f5a34a 100644 --- a/.github/workflows/test-powerfail-simulator.yml +++ b/.github/workflows/test-powerfail-simulator.yml @@ -9,6 +9,8 @@ on: jobs: powerfail_simulator_tests: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 steps: @@ -16,6 +18,9 @@ jobs: with: submodules: true + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: make clean run: | make keysclean @@ -578,5 +583,3 @@ jobs: - name: Run emergency fallback test (FLASH_MULTI_SECTOR_ERASE=1) run: | tools/scripts/sim-update-emergency-fallback.sh - - diff --git a/.github/workflows/test-sim-self-update.yml b/.github/workflows/test-sim-self-update.yml index 0a78ccd3f4..3726de44fb 100644 --- a/.github/workflows/test-sim-self-update.yml +++ b/.github/workflows/test-sim-self-update.yml @@ -9,6 +9,8 @@ on: jobs: self_update_simulator_test: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 steps: 
@@ -16,50 +18,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Run self-update test (internal flash) run: | diff --git a/.github/workflows/test-sunnyday-simulator.yml b/.github/workflows/test-sunnyday-simulator.yml index b537b51e14..f8b3dd4b73 100644 --- a/.github/workflows/test-sunnyday-simulator.yml 
+++ b/.github/workflows/test-sunnyday-simulator.yml @@ -9,6 +9,8 @@ on: jobs: simulator_tests: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 30 steps: 
@@ -16,57 +18,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update -o Acquire::Retries=3 - - - name: Install 32-bit libc - run: | - sudo apt-get install -y libc6-dev-i386 + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" # 32 Bit simulator, SP_MATH # 
diff --git a/.github/workflows/test-units.yml b/.github/workflows/test-units.yml index d066f1d2e8..7841f1a8be 100644 --- a/.github/workflows/test-units.yml +++ b/.github/workflows/test-units.yml @@ -9,6 +9,8 @@ on: jobs: unit_tests: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 15 steps: @@ -16,8 +18,8 @@ jobs: with: submodules: true - - name: install libcheck - run: sudo apt-get install --no-install-recommends -y -q check + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make clean run: | diff --git a/.github/workflows/test-vscode.yml b/.github/workflows/test-vscode.yml index 1808a04c3c..c2e28247cb 100644 --- a/.github/workflows/test-vscode.yml +++ b/.github/workflows/test-vscode.yml @@ -20,6 +20,8 @@ on: jobs: check: runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 # Provide fallbacks when not workflow_dispatch env: WORKSPACE_PATH: ${{ github.event_name == 'workflow_dispatch' && inputs.workspace_path || 'IDE/VSCode/wolfBoot.code-workspace' }} @@ -28,13 +30,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Install Python and CMake deps - run: | - sudo apt-get update - sudo apt-get install -y python3 python3-pip ninja-build - cmake --version - ninja --version - - name: Validate workspace JSONC and folder paths shell: python3 {0} env: diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml index afbc47a07f..a5646d1ac1 100644 --- a/.github/workflows/test-wolfhsm-simulator.yml +++ b/.github/workflows/test-wolfhsm-simulator.yml @@ -48,6 +48,8 @@ jobs: fail-fast: false runs-on: ubuntu-latest + container: + image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0 timeout-minutes: 30 steps: 
@@ -55,53 +57,8 @@ jobs: with: submodules: true - - name: Workaround for sources.list - run: | - # Replace sources - - set -euxo pipefail - - # Peek (what repos are active now) - apt-cache policy - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - - # Enable nullglob so *.list/*.sources that don't exist don't break sed - shopt -s nullglob - - echo "Replace sources.list (legacy)" - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - /etc/apt/sources.list || true - - echo "Replace sources.list.d/*.list (legacy)" - for f in /etc/apt/sources.list.d/*.list; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - "$f" - done - - echo "Replace sources.list.d/*.sources (deb822)" - for f in /etc/apt/sources.list.d/*.sources; do - sudo sed -i \ - -e "s|https\?://azure\.archive\.ubuntu\.com/ubuntu/?|http://mirror.arizona.edu/ubuntu/|g" \ - -e "s|https\?://azure\.archive\.ubuntu\.com|http://mirror.arizona.edu|g" \ - "$f" - done - - echo "Fix /etc/apt/apt-mirrors.txt (used by URIs: mirror+file:...)" - if grep -qE '^[[:space:]]*https?://azure\.archive\.ubuntu\.com/ubuntu/?' /etc/apt/apt-mirrors.txt; then - # Replace azure with our mirror (idempotent) - sudo sed -i 's|https\?://azure\.archive\.ubuntu\.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/apt-mirrors.txt - fi - - # Peek (verify changes) - grep -RIn "azure.archive.ubuntu.com" /etc/apt || true - grep -RInE '^(deb|Types|URIs)' /etc/apt || true - echo "--- apt-mirrors.txt ---" - cat /etc/apt/apt-mirrors.txt || true - - - name: Update repository - run: sudo apt-get update + - name: Trust workspace + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: make clean run: | diff --git a/.github/workflows/trustzone-emulator-tests.yml b/.github/workflows/trustzone-emulator-tests.yml index 2cd626047d..18744bbac2 100644 --- a/.github/workflows/trustzone-emulator-tests.yml 
+++ b/.github/workflows/trustzone-emulator-tests.yml @@ -8,7 +8,7 @@ jobs: trustzone-emulator-tests: runs-on: ubuntu-latest container: - image: ghcr.io/wolfssl/m33mu-ci:1.9 + image: ghcr.io/wolfssl/wolfboot-ci-m33mu:v1.0 steps: - uses: actions/checkout@v4 diff --git a/Makefile b/Makefile index 5456c03dc4..a5a81c18b5 100644 --- a/Makefile +++ b/Makefile @@ -318,7 +318,7 @@ wolfboot.efi: wolfboot.elf $(Q)$(OBJCOPY) -j .rodata -j .text -j .sdata -j .data \ -j .dynamic -j .dynsym -j .rel \ -j .rela -j .reloc -j .eh_frame \ - --target=efi-app-x86_64 --subsystem=10 $^ $@ + -O pei-x86-64 --subsystem=10 $^ $@ @echo @echo "\t[SIZE]" $(Q)$(SIZE) wolfboot.efi @@ -661,8 +661,21 @@ image-header-size: wolfboot.bin cppcheck: cppcheck -f --enable=warning --enable=portability \ + -Iinclude -I. \ + -D'XALIGNED(x)=' -D'TZ_SECURE()=0' -D'__has_attribute(x)=0' \ --suppress="ctunullpointer" --suppress="nullPointer" \ --suppress="objectIndex" --suppress="comparePointers" \ + --suppress="bufferAccessOutOfBounds" \ + --suppress="internalAstError" \ + --suppress="invalidPrintfArgType_s" \ + --suppress="invalidPrintfArgType_sint" \ + --suppress="invalidPrintfArgType_uint" \ + --suppress="invalidTestForOverflow" \ + --suppress="preprocessorErrorDirective" \ + --suppress="shiftTooManyBitsSigned" \ + --suppress="syntaxError" \ + --suppress="uninitvar" \ + --suppress="zerodiv" \ --check-level=exhaustive \ --error-exitcode=89 --std=c89 src/*.c hal/*.c hal/spi/*.c hal/uart/*.c diff --git a/hal/stm32h5.c b/hal/stm32h5.c index 3f0d1651d1..69bac84a3c 100644 --- a/hal/stm32h5.c +++ b/hal/stm32h5.c 
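Review bot: The suppressions added to the `cppcheck` target are global, so `uninitvar`, `zerodiv`, `bufferAccessOutOfBounds`, `shiftTooManyBitsSigned` and `invalidTestForOverflow` are now switched off for every file under `src/` and `hal/`. These are the memory-safety and arithmetic checks a bootloader most needs, and this same commit fixes an uninitialised buffer in `hal/va416x0.c`, which is the class `uninitvar` reports. Suppressing `syntaxError`, `internalAstError` and `preprocessorErrorDirective` also means a file cppcheck cannot parse is presumably dropped from analysis without failing the target. Scoping each suppression to the file that needs it, `--suppress="uninitvar:<path/to/file.c>"`, or using `--inline-suppr` with a `/* cppcheck-suppress zerodiv */` comment at the reported line, keeps the checks active for new code. A comment above the list giving the reason for each remaining suppression would help the next maintainer decide when it can be removed.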
@@ -129,14 +129,14 @@ int RAMFUNCTION hal_flash_write(uint32_t address, const uint8_t *data, int len) #endif while (i < len) { uint32_t cur_addr = (uint32_t)dst + i; - uint32_t *dst_aligned = (uint32_t *)(cur_addr & ~0xf); + uint32_t *dst_aligned = (uint32_t *)(cur_addr & 0xFFFFFFF0U); int byte_offset = cur_addr - (uint32_t)dst_aligned; int i_aligned = i - byte_offset; int j; if (byte_offset == 0 && i + 16 <= len) { /* Full aligned 128 bits */ for (j = 0; j < 4; j++) { - qword[j] = src[(i >> 2) + j]; + qword[j] = src[((unsigned int)i >> 2) + j]; } } else { /* Non-aligned / non-full 128 bits */ diff --git a/hal/va416x0.c b/hal/va416x0.c index d3c638f291..19304fc4a7 100644 --- a/hal/va416x0.c +++ b/hal/va416x0.c @@ -425,7 +425,7 @@ static int test_ext_flash(void) { int ret; uint32_t i; - uint8_t pageData[WOLFBOOT_SECTOR_SIZE]; + uint8_t pageData[WOLFBOOT_SECTOR_SIZE] = { 0 }; #ifndef READONLY /* Erase sector */ diff --git a/src/boot_x86_fsp.c b/src/boot_x86_fsp.c index 0a1d289f6a..02a0b9b667 100644 --- a/src/boot_x86_fsp.c +++ b/src/boot_x86_fsp.c @@ -169,12 +169,18 @@ static int range_overlaps(uint32_t start1, uint32_t end1, uint32_t start2, return !(end1 <= start2 || end2 <= start1); } +static size_t linker_range_size(const void *start, const void *end) +{ + return (size_t)((uintptr_t)end - (uintptr_t)start); +} + static int check_memory_ranges() { uint32_t wb_start, wb_end; wb_start = (uint32_t)WOLFBOOT_LOAD_BASE - IMAGE_HEADER_SIZE; - wb_end = wb_start + (_wolfboot_flash_end - _wolfboot_flash_start); + wb_end = wb_start + (uint32_t)linker_range_size(_wolfboot_flash_start, + _wolfboot_flash_end); if (range_overlaps(wb_start, wb_end, (uint32_t)_start_data, (uint32_t)_end_data)) return -1; 
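Review bot: `linker_range_size` returns `(uintptr_t)end - (uintptr_t)start` without checking the order of its arguments, so a range whose end symbol lies below its start wraps to a very large `size_t`. In `start()` that value is the upper bound for `tpm_policy_size`, and in `load_wolfboot()` and `memory_init_data_bss()` it is the length passed to `memcpy` and `memset`, so a wrapped result either disables the bound or becomes an oversized copy. The symbols come from the linker script and are presumably ordered, but the guard is one line: `return ((uintptr_t)end > (uintptr_t)start) ? (size_t)((uintptr_t)end - (uintptr_t)start) : 0;`. The helper also has no comment; `/* Byte length of the linker-defined region [start, end); 0 if end <= start. */` would state the unit and the edge case. The body of `check_memory_ranges` continues outside the hunk.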
@@ -210,11 +216,12 @@ static void load_wolfboot(void) } wolfboot_start = (uint32_t)WOLFBOOT_LOAD_BASE - IMAGE_HEADER_SIZE; - wolfboot_size = _wolfboot_flash_end - _wolfboot_flash_start; + wolfboot_size = linker_range_size(_wolfboot_flash_start, + _wolfboot_flash_end); x86_log_memory_load(wolfboot_start, wolfboot_start + wolfboot_size, "wolfboot"); memcpy((uint8_t*)wolfboot_start,_wolfboot_flash_start, wolfboot_size); - bss_size = wb_end_bss - wb_start_bss; + bss_size = linker_range_size(wb_start_bss, wb_end_bss); x86_log_memory_load((uint32_t)(uintptr_t)wb_start_bss, (uint32_t)(uintptr_t)(wb_start_bss + bss_size), "wolfboot .bss"); @@ -338,7 +345,7 @@ static inline void memory_init_data_bss(void) } x86_log_memory_load((uint32_t)(uintptr_t)_start_bss, (uint32_t)(uintptr_t)_end_bss, "stage1 .bss"); - memset(_start_bss, 0, (_end_bss - _start_bss)); + memset(_start_bss, 0, linker_range_size(_start_bss, _end_bss)); } static int pci_get_capability(uint8_t bus, uint8_t dev, uint8_t fun, @@ -656,7 +663,8 @@ void start(uint32_t stack_base, uint32_t stack_top, uint64_t timestamp, stage2_params->tpm_policy = (uint32_t)_start_policy; stage2_params->tpm_policy_size = *_policy_size_u32; - if (stage2_params->tpm_policy_size > _end_policy - _start_policy) + if (stage2_params->tpm_policy_size > + linker_range_size(_start_policy, _end_policy)) stage2_params->tpm_policy_size = 0; wolfBoot_printf("setting policy @%x (%d bytes)\r\n", (uint32_t)(uintptr_t)stage2_params->tpm_policy, diff --git a/src/update_ram.c b/src/update_ram.c index c1dbb2a3e1..7f2beb5a73 100644 --- a/src/update_ram.c +++ b/src/update_ram.c @@ -167,7 +167,7 @@ void RAMFUNCTION wolfBoot_start(void) #endif #ifdef WOLFBOOT_USE_RAMBOOT - load_address = (uint32_t*)(WOLFBOOT_LOAD_ADDRESS - + load_address = (uint32_t *)(uintptr_t)(WOLFBOOT_LOAD_ADDRESS - IMAGE_HEADER_SIZE); #if defined(EXT_ENCRYPTED) && defined(MMU) ret = wolfBoot_ram_decrypt((uint8_t*)source_address,
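Review bot: `bss_size` changes meaning in `load_wolfboot` if the linker symbols are not byte-typed, because the old `wb_end_bss - wb_start_bss` counted elements while `linker_range_size` always counts bytes. The unchanged log call still computes `wb_start_bss + bss_size` with pointer arithmetic, which scales by the element size, so for a non-byte symbol type the logged end address would be wrong. The declarations are outside the hunk, so this may be a no-op; if they are not `uint8_t[]`, writing the end as `(uint32_t)((uintptr_t)wb_start_bss + bss_size)` keeps the log in bytes. The same question applies to `_start_bss`/`_end_bss` in `memory_init_data_bss` and to `_start_policy`/`_end_policy` in `start()`. `load_wolfboot` starts and ends outside the hunk.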