Skip to content

Split test_psa_compliance.py #209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
Sep 30, 2025
Merged

Split test_psa_compliance.py #209

Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
3008a4a
Put the command line entry point in a function
gilles-peskine-arm Sep 11, 2025
26cb1a1
Move the bulk of test_psa_compliance.py to a module
gilles-peskine-arm Sep 11, 2025
43c6cbc
Move branch-dependent defaults to the calling script
gilles-peskine-arm Sep 11, 2025
4ff6a49
Support applying a patch to the compliance suite
gilles-peskine-arm Sep 11, 2025
af6b189
Teach crypto_knowledge the categories of SP800_100 and SPAKE2P algori…
gilles-peskine-arm Sep 11, 2025
565b4c3
Skip all knowledge of SPAKE2+ keys for now
gilles-peskine-arm Sep 11, 2025
b4035db
Fix [] used as a default argument value (mutable default values are d…
gilles-peskine-arm Sep 12, 2025
954783c
macro_collector: be stricter about unusual macros
gilles-peskine-arm Sep 12, 2025
ca98305
Treat xxx_HAS_xxx as not a constructor, like xxx_IS_xxx etc.
gilles-peskine-arm Sep 12, 2025
1295140
Read patch files instead of taking a single patch as input
gilles-peskine-arm Sep 12, 2025
088a99e
Allow framework and consuming branch to have Python scripts with the …
gilles-peskine-arm Sep 12, 2025
581da21
Allow patch files to have trailing whitespace
gilles-peskine-arm Sep 12, 2025
aebb1fa
Sort patch files for reproducibility
gilles-peskine-arm Sep 12, 2025
44ea713
Simplify passing a file to subprocess stdin
gilles-peskine-arm Sep 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 19 additions & 9 deletions scripts/mbedtls_framework/psa_compliance.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,10 @@
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

import argparse
import glob
import os
import re
import shlex
import shutil
import subprocess
import sys
Expand All @@ -25,7 +27,7 @@
#pylint: disable=too-many-branches,too-many-statements,too-many-locals
def test_compliance(library_build_dir: str,
psa_arch_tests_ref: str,
patch: str,
patch_files: List[str],
expected_failures: List[int]) -> int:
"""Check out and run compliance tests.

Expand Down Expand Up @@ -59,12 +61,12 @@ def test_compliance(library_build_dir: str,
subprocess.check_call(['git', 'fetch', PSA_ARCH_TESTS_REPO, psa_arch_tests_ref])
subprocess.check_call(['git', 'checkout', '--force', 'FETCH_HEAD'])

if patch:
if patch_files:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand the logic behind running git reset only if we have a patch to apply. It seems to me that git reset is needed if we had a patch to apply the last time we ran this script (and we are re-using the repo), which might not be the same as we have one now. Also, I don't think calling git reset when not strictly needed does any harm. So, I'd be inclined to just call it unconditionally. Am I missing something?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to minimize changes in 3.6 which doesn't need any of the new fancy stuff. Also, arguably, it makes things worse for local debugging where you might want to edit the cached psa-arch-test tree until you get it right. On the other hand, I agree with you that I would have made git reset unconditional if I was doing this from scratch. I'll defer to Bence's preference on that since he know this script's history a lot better than we do.

Copy link
Contributor Author

@gilles-peskine-arm gilles-peskine-arm Sep 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my local copy, I've now changed this to be controlled by the psa-arch-tests ref specification:

  • With no argument or --tests-ref=REFSPEC, check that out, reset, and apply patches.
  • With --tests-ref=, reuse whatever is in the working tree: no git checkout, no reset, no patches. (To do reset+patch but not checkout, you can use --tests-ref=HEAD.)

Does that seem sensible?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good!

subprocess.check_call(['git', 'reset', '--hard'])
subprocess.run(['patch', '-p1'],
check=True,
encoding='utf-8',
input=patch)
for patch_file in patch_files:
abs_path = os.path.abspath(os.path.join(root_dir, patch_file))
subprocess.check_call(['patch -p1 <' + shlex.quote(abs_path)],
shell=True)

build_dir = 'api-tests/build'
try:
Expand Down Expand Up @@ -143,15 +145,15 @@ def test_compliance(library_build_dir: str,
os.chdir(root_dir)

def main(psa_arch_tests_ref: str,
patch: str = '',
expected_failures: Optional[List[int]] = None) -> None:
"""Command line entry point.

psa_arch_tests_ref: tag or sha to use for the arch-tests.
patch: patch to apply to the arch-tests with ``patch -p1``.
expected_failures: default list of expected failures.
"""
build_dir = 'out_of_source_build'
default_patch_directory = os.path.join(build_tree.guess_project_root(),
'scripts/data_files/psa-arch-tests')

# pylint: disable=invalid-name
parser = argparse.ArgumentParser()
Expand All @@ -161,6 +163,9 @@ def main(psa_arch_tests_ref: str,
help='''set the list of test codes which are expected to fail
from the command line. If omitted the list given by
EXPECTED_FAILURES (inside the script) is used.''')
parser.add_argument('--patch-directory', nargs=1,
default=default_patch_directory,
help='Directory containing patches (*.patch) to apply to psa-arch-tests')
args = parser.parse_args()

if args.build_dir is not None:
Expand All @@ -173,7 +178,12 @@ def main(psa_arch_tests_ref: str,
else:
expected_failures_list = expected_failures

if args.patch_directory:
patch_files = glob.glob(os.path.join(args.patch_directory, '*.patch'))
else:
patch_files = []

sys.exit(test_compliance(build_dir,
psa_arch_tests_ref,
patch,
patch_files,
expected_failures_list))