travis: Build MCUBoot for Armv8-M

Build MCUBoot with TF-M build system for AN521 platform, and run it in
QEMU. The result of the test run is not evaluated yet.

Change-Id: I5fbfef8e6d8dec99a8e3e00d659a07ccfcaf0b5b
Signed-off-by: Mate Toth-Pal <[email protected]>

Author: matetothpal

.travis.yml

@@ -0,0 +1,33 @@
+# Travis configuration. Run FI hardening tests.
+
+language: minimal
+
+services:
+  - docker
+
+matrix:
+  include:
+    - os: linux
+      language: minimal
+      env: TEST=fih-tests
+
+before_install:
+  - |
+    if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then
+      ./ci/check-signed-off-by.sh
+      if [ $? -ne 0 ]; then
+        exit 1
+      fi
+    fi
+
+install:
+  - ./ci/${TEST}_install.sh
+
+script:
+  - ./ci/${TEST}_run.sh
+
+notifications:
+  slack:
+    rooms:
+      - secure: "Tg9ZvJfb6e4QSEsxUvwW2MIqbuNRxD4nAOkgs8eopj/fRtqN6Zk06NVSeMmYcZunDFJXUSzYANBsF98OtaaUlm4WVt2T0ZFBJZrOYfIv18/zXCjYa04sDxur57F1ZYTYKyRpdUkfzPd/rGE4jKLQNcia+r/BTQbJkcZbXeg5/6cUeMP1so8/o0oMhSQP+GH0fLbyLzx3VPE8zu6+j2fCFC7R3idxtfO9VtsKlubfi3HgPgXTs+DEAAA8aoOku2esjFSFXTtdUFGz90YzyShZvtMcRg3Grp9+PZAsJwWk4eKSonKCO0DScfPUlMZbJcV7VsmyTxYKLLsGRZae6ZBH+XLfx5XeqgtgCor3FYx2dUXYfV9y8VvERDdossB0gZ/V2OUGePctDefiORytV6dMa7X3AfSdosgs/tjG4kbf+PMaVULzwF6dd3CdsxdClSl68UQPWA6wC2TEyo1EQea8jgZU6heLustZaQZhBkFkr/6j75XeGBjPw2fgVRkgg/OnTOYmo7N8181wOU+xORIEO1BtYmgRpc0cgpm4H9457diSHG1D2SoNy4tiQPCW2enN00QNGK5pZSL/FGA/ReUcALgAW0QcOljjU2bUSGPxo/VAi5ZyljWgVAGQ5qHJ4jgdfPf7VJUzCVH64G1S5+0gZPpO6vvvPdZtqeXrfBZMOBw="
+    on_success: always

ci/fih-tests_install.sh

@@ -0,0 +1,28 @@
+#!/bin/bash -x
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+# get mcuboot root; assumes running script is stored under REPO_DIR/ci/
+REPO_DIR=$(dirname $(dirname $(realpath $0)))
+pushd $(mktemp -d)
+
+# copy mcuboot so that it is part of the docker build context
+cp -r $REPO_DIR .
+cp -r $REPO_DIR/ci/fih_test_docker/execute_test.sh .
+cp -r $REPO_DIR/ci/fih_test_docker/Dockerfile .
+./mcuboot/ci/fih_test_docker/build.sh
+popd

ci/fih-tests_run.sh

@@ -0,0 +1,19 @@
+#!/bin/bash -x
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+docker run mcuboot/fih-test /bin/sh -c '/root/execute_test.sh'

ci/fih_test_docker/Dockerfile

@@ -0,0 +1,51 @@
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:focal
+
+# get dependencies for retrieving and building TF-M with MCUBoot, and QEMU.
+RUN apt-get update && \
+    DEBIAN_FRONTEND="noninteractive" \
+    apt-get install -y \
+    cmake \
+    curl \
+    gcc-arm-none-eabi \
+    gdb-multiarch \
+    git \
+    libncurses5 \
+    python3 \
+    python3-pip \
+    qemu-system-arm
+
+RUN \
+    # installing python packages
+    python3 -m pip install \
+        imgtool==1.6.0 \
+        Jinja2==2.10 \
+        PyYAML==3.12 \
+        pyasn1==0.1.9
+
+# Clone TF-M and dependencies
+RUN mkdir -p /root/work/tfm &&\
+    cd /root/work/tfm  &&\
+    git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git -b TF-Mv1.2-RC1 &&\
+    mkdir mcuboot
+
+# Copy the test execution script to the image
+COPY execute_test.sh /root
+# copy the MCUBoot under test to the image
+COPY mcuboot /root/work/tfm/mcuboot
+
+# run the command
+CMD ["bash"]

ci/fih_test_docker/build.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+trap cleanup_exit INT TERM EXIT
+
+cleanup_exit()
+{
+  rm -f *.list *.key
+}
+
+export LANG=C
+
+image=mcuboot/fih-test
+docker build --pull --tag=$image .
+echo $image > .docker-tag

ci/fih_test_docker/execute_test.sh

@@ -0,0 +1,60 @@
+#!/bin/bash -x
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+WORKING_DIRECTORY=/root/work/tfm
+MCUBOOT_PATH=$WORKING_DIRECTORY/mcuboot
+
+TFM_DIR=/root/work/tfm/trusted-firmware-m
+TFM_BUILD_DIR=$TFM_DIR/build
+MCUBOOT_AXF=install/outputs/MPS2/AN521/bl2.axf
+SIGNED_TFM_BIN=install/outputs/MPS2/AN521/tfm_s_ns_signed.bin
+QEMU_LOG_FILE=qemu.log
+QEMU_PID_FILE=qemu_pid.txt
+
+source ~/.bashrc
+
+# build TF-M with MCUBoot
+mkdir -p $TFM_BUILD_DIR
+cd $TFM_DIR
+cmake -B $TFM_BUILD_DIR \
+    -DCMAKE_BUILD_TYPE=Release \
+    -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
+    -DTFM_PLATFORM=mps2/an521 \
+    -DTEST_NS=ON \
+    -DTEST_S=ON \
+    -DTFM_PSA_API=ON \
+    -DMCUBOOT_PATH=$MCUBOOT_PATH \
+    -DMCUBOOT_LOG_LEVEL=INFO \
+    .
+cd $TFM_BUILD_DIR
+make -j install
+
+# Run MCUBoot and TF-M in QEMU
+/usr/bin/qemu-system-arm \
+    -M mps2-an521 \
+    -kernel $MCUBOOT_AXF \
+    -device loader,file=$SIGNED_TFM_BIN,addr=0x10080000 \
+    -chardev file,id=char0,path=$QEMU_LOG_FILE \
+    -serial chardev:char0 \
+    -display none \
+    -pidfile $QEMU_PID_FILE \
+    -daemonize
+
+sleep 7
+
+cat $QEMU_LOG_FILE