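# Builds the FPGA bitstream, the FPGA kernel modules and the cross-compiled
# test binaries/firmware, then runs the test suite on an FPGA board.
#
# The run scripts tell a reusable-workflow invocation apart from the other
# triggers by testing whether `inputs.workflow_call` is non-empty: it defaults
# to true under `workflow_call` and is not declared for `workflow_dispatch`.
name: FPGA Build

on:
  push:
    branches: ["main"]
  # NOTE(review): several jobs in this workflow run on self-hosted runner
  # labels and execute repository code with sudo. If pull requests from forks
  # can trigger this workflow, confirm that runs from outside contributors
  # require maintainer approval before they reach those runners.
  pull_request:
  workflow_call:
    inputs:
      # Appended to every artifact name so that several invocations within
      # one run do not collide.
      artifact-suffix:
        type: string
        required: false
      # Extra cargo features, comma-separated, appended to `fpga_realtime`.
      extra-features:
        # Explicit empty string instead of a bare `default:` (which is null).
        default: ""
        type: string
      rom-logging:
        default: true
        type: boolean
      fpga-itrng:
        default: true
        type: boolean
      hw-version:
        default: "latest"
        type: string
      workflow_call:
        description: 'Set true for workflow_call'
        default: true
        type: boolean
  workflow_dispatch:
    inputs:
      fpga-itrng:
        default: true
        type: boolean

# Least privilege for GITHUB_TOKEN: the jobs only check out code and use the
# cache/artifact services, none of which need write access to the repository.
permissions:
  contents: read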
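# Conventions used by every job below:
#
# * Workflow inputs reach shell scripts through step-level `env:` variables
#   (prefixed WF_) instead of being expanded into the script text with
#   `${{ }}`, so an input containing shell metacharacters is handled as data
#   and cannot alter the script.
# * Cache-hit outputs are compared against 'true' explicitly, because any
#   non-empty string (including 'false') is truthy in an `if:` expression.
#
# NOTE(review): actions are referenced by mutable major-version tags
# (actions/checkout@v3, actions/cache/*@v3, actions/*-artifact@v4). Pinning
# each `uses:` to a full commit SHA would keep a retagged release from
# changing what runs here.
jobs:
  # Computes the cache keys and, on a hit, republishes the cached bitstream
  # and kernel modules as artifacts so the build jobs can be skipped.
  check_cache:
    runs-on: ubuntu-22.04
    env:
      # Quoted so that a future all-digit or exponent-looking value is still
      # read as a string.
      CACHE_BUSTER: "79cee50b6134"
    outputs:
      rtl_cache_key: ${{ steps.cache_key.outputs.rtl_cache_key }}
      kmod_cache_key: ${{ steps.cache_key.outputs.kmod_cache_key }}
      rtl_cache_hit: ${{ steps.restore_rtl_cache.outputs.cache-hit }}
      kmod_cache_hit: ${{ steps.restore_kmod_cache.outputs.cache-hit }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          submodules: 'true'
      - name: Compute cache-keys
        id: cache_key
        env:
          WF_IS_WORKFLOW_CALL: ${{ inputs.workflow_call }}
          WF_HW_VERSION: ${{ inputs.hw-version }}
          WF_FPGA_ITRNG: ${{ inputs.fpga-itrng }}
        run: |
          # Compute the key from the tree hash of the fpga directory and the rtl
          # root directory.
          if [ "${WF_IS_WORKFLOW_CALL}" ]; then
            RTL_VERSION="${WF_HW_VERSION}"
          else
            RTL_VERSION="latest"
          fi
          echo "rtl_cache_key=$(git rev-parse HEAD:hw/fpga/src)-$(git hash-object hw/fpga/fpga_configuration.tcl)-$(cd "hw/${RTL_VERSION}/rtl" && git rev-parse HEAD)-${WF_FPGA_ITRNG}-${CACHE_BUSTER}" >> "$GITHUB_OUTPUT"
          echo "kmod_cache_key=fpga-kernel-modules-$(git rev-parse HEAD:hw/fpga/io_module)-$(git rev-parse HEAD:hw/fpga/rom_backdoor)-${CACHE_BUSTER}" >> "$GITHUB_OUTPUT"
      - name: Restore FPGA bitstream from cache
        uses: actions/cache/restore@v3
        id: restore_rtl_cache
        with:
          path: /tmp/caliptra-fpga-bitstream/caliptra_fpga.bin
          key: ${{ steps.cache_key.outputs.rtl_cache_key }}
      - name: Restore kernel modules from cache
        uses: actions/cache/restore@v3
        id: restore_kmod_cache
        with:
          path: /tmp/caliptra-fpga-kmod/
          key: ${{ steps.cache_key.outputs.kmod_cache_key }}
      - name: 'Upload FPGA bitstream artifact'
        if: steps.restore_rtl_cache.outputs.cache-hit == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: caliptra-fpga-bitstream${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-fpga-bitstream/caliptra_fpga.bin
          retention-days: 7
      - name: 'Upload kernel module artifacts'
        if: steps.restore_kmod_cache.outputs.cache-hit == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: caliptra-fpga-kmod${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-fpga-kmod/
          retention-days: 1

  # Cross-compiles the nextest archive and the test firmware for aarch64.
  build_test_binaries:
    runs-on: [e2-standard-16]
    timeout-minutes: 60
    env:
      # Change this to a new random value if you suspect the cache is corrupted
      CACHE_BUSTER: "9ff0db888988"
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          submodules: 'true'
      - name: Restore sysroot from cache
        uses: actions/cache/restore@v3
        id: restore_sysroot_cache
        with:
          path: /tmp/caliptra-fpga-sysroot.tar
          key: sysroot-v9-${{ env.CACHE_BUSTER }}
      - name: Extract sysroot
        if: steps.restore_sysroot_cache.outputs.cache-hit == 'true'
        run: |
          # NOTE(review): the archive is created from an absolute path and
          # extracted here without -C, so the files land under the step's
          # working directory rather than /tmp - confirm this is intended.
          sudo tar xvf /tmp/caliptra-fpga-sysroot.tar
      - name: Install sysroot pre-requisites
        if: steps.restore_sysroot_cache.outputs.cache-hit != 'true'
        run: |
          sudo apt-get update -qy && sudo apt-get -y install debootstrap binfmt-support qemu-user-static u-boot-tools
      - name: build sysroot
        # Note: This is the sysroot for the tiny debian installation we run on the FPGA;
        # it is missing xilinx-provided kernel headers needed to build kernel modules
        if: steps.restore_sysroot_cache.outputs.cache-hit != 'true'
        run: |
          sudo mkdir /tmp/caliptra-fpga-sysroot
          sudo debootstrap --include linux-libc-dev --arch arm64 --foreign bookworm /tmp/caliptra-fpga-sysroot
          sudo chroot /tmp/caliptra-fpga-sysroot /debootstrap/debootstrap --second-stage
          # Remove unnecessary files
          sudo find /tmp/caliptra-fpga-sysroot/ \( -type d -and ! -perm -o=r \) -prune -exec rm -rf {} \;
          sudo find /tmp/caliptra-fpga-sysroot/ \( -type d -and ! -perm -o=x \) -prune -exec rm -rf {} \;
          sudo find /tmp/caliptra-fpga-sysroot/ \( ! -perm -o=r \) -exec rm -f {} \;
          sudo find /tmp/caliptra-fpga-sysroot/ \( -type c -or -type b -or -type p -or -type s \) -exec rm -f {} \;
          sudo tar cvf /tmp/caliptra-fpga-sysroot.tar /tmp/caliptra-fpga-sysroot
      - name: Save FPGA sysroot to cache
        if: steps.restore_sysroot_cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v3
        with:
          path: /tmp/caliptra-fpga-sysroot.tar
          key: sysroot-v9-${{ env.CACHE_BUSTER }}
      - name: Install cross compiler
        run: |
          sudo apt-get update -qy && sudo apt-get install -y gcc-aarch64-linux-gnu squashfs-tools
          rustup target add aarch64-unknown-linux-gnu
      - name: Build test binaries
        env:
          WF_IS_WORKFLOW_CALL: ${{ inputs.workflow_call }}
          WF_HW_VERSION: ${{ inputs.hw-version }}
          WF_EXTRA_FEATURES: ${{ inputs.extra-features }}
        run: |
          export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="aarch64-linux-gnu-gcc"
          # NOTE(review): FARGO_SYSROOT is not set anywhere in this workflow,
          # so the linker receives an empty --sysroot= and the sysroot
          # prepared above is not referenced. Left unchanged - confirm the
          # intended variable and path before fixing.
          export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C link-arg=--sysroot=$FARGO_SYSROOT"
          if [ "${WF_IS_WORKFLOW_CALL}" ]; then
            FEATURES="fpga_realtime,${WF_EXTRA_FEATURES}"
          else
            FEATURES="fpga_realtime,itrng"
          fi
          if [[ "${WF_IS_WORKFLOW_CALL}" && "${WF_HW_VERSION}" != "latest" ]]; then
            FEATURES="${FEATURES},hw-${WF_HW_VERSION}"
          fi
          cargo nextest archive \
            --features="${FEATURES}" \
            --release \
            --target=aarch64-unknown-linux-gnu \
            --archive-file=/tmp/caliptra-test-binaries.tar.zst
          mkdir /tmp/caliptra-test-binaries/
          tar xvf /tmp/caliptra-test-binaries.tar.zst -C /tmp/caliptra-test-binaries/
          mksquashfs /tmp/caliptra-test-binaries /tmp/caliptra-test-binaries.sqsh -comp zstd
      - name: 'Upload test binaries artifact'
        uses: actions/upload-artifact@v4
        with:
          name: caliptra-test-binaries${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-test-binaries.sqsh
          retention-days: 1
      - name: Build test firmware
        env:
          WF_IS_WORKFLOW_CALL: ${{ inputs.workflow_call }}
          WF_HW_VERSION: ${{ inputs.hw-version }}
        run: |
          mkdir /tmp/caliptra-test-firmware
          FEATURES=""
          if [[ "${WF_IS_WORKFLOW_CALL}" && "${WF_HW_VERSION}" != "latest" ]]; then
            FEATURES="hw-${WF_HW_VERSION}"
          fi
          cargo run --release -p caliptra-builder --features="${FEATURES}" -- --all_elfs /tmp/caliptra-test-firmware
      - name: 'Upload test firmware artifact'
        uses: actions/upload-artifact@v4
        with:
          name: caliptra-test-firmware${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-test-firmware
          retention-days: 1

  # Builds io_module.ko and rom_backdoor.ko inside a chroot of the Xilinx
  # Ubuntu rootfs; skipped when check_cache restored them from the cache.
  build_kernel_modules:
    runs-on: ubuntu-22.04
    needs: check_cache
    if: needs.check_cache.outputs.kmod_cache_hit != 'true'
    steps:
      - name: Install sysroot pre-requisites
        run: |
          sudo apt-get update
          sudo apt-get -y install debootstrap binfmt-support qemu-user-static u-boot-tools
      - name: Setup xilinx sysroot
        run: |
          echo I am ${USER}
          # NOTE: I would prefer to use
          # iot-limerick-zcu-classic-desktop-2204-x05-2-20221123-58-sysroot.tar.xz,
          # but it has source for kernel version 5.15.0-1014-xilinx-zynqmp
          # instead of 5.15.0-1015-xilinx-zynqmp used by the pre-built kernel.
          #
          # NOTE(review): this rootfs is extracted as root and becomes the
          # chroot that builds the kernel modules later loaded on the FPGA
          # host, but nothing pins its contents. Consider recording the
          # expected digest and checking it before extraction, e.g.
          #   echo "<EXPECTED_SHA256_PLACEHOLDER>  /tmp/sysroot.tar.gz" | sha256sum -c -
          #
          # --fail makes an HTTP error abort the step instead of saving the
          # error page as the tarball.
          curl --fail -o /tmp/sysroot.tar.gz https://people.canonical.com/~platform/images/xilinx/zcu-ubuntu-22.04/iot-limerick-zcu-classic-desktop-2204-x05-2-20221123-58-rootfs.tar.gz
          SYSROOT="${GITHUB_WORKSPACE}/sysroot"
          mkdir "${SYSROOT}"
          sudo tar xf /tmp/sysroot.tar.gz -C "${SYSROOT}"
          ls -l "${SYSROOT}"
          sudo cp -L --remove-destination /etc/resolv.conf "${SYSROOT}/etc/"
          sudo chroot "${SYSROOT}" mount -t proc proc /proc
          sudo chroot "${SYSROOT}" mount -t devtmpfs devtmpfs /dev
          sudo chroot "${SYSROOT}" mount -t tmpfs tmpfs /tmp/
          sudo mkdir "${SYSROOT}/home/${USER}"
          sudo chown "${USER}" "${SYSROOT}/home/${USER}"
          #sudo chroot "${SYSROOT}" apt-get update
          #sudo chroot "${SYSROOT}" apt-get -y install build-essential
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          # Checked out inside the chroot's home directory so the sources are
          # visible to the chrooted build. The path hard-codes `runner`, while
          # the scripts use ${USER}; the two must match.
          path: sysroot/home/runner/caliptra-sw
      - name: Build modules
        run: |
          SYSROOT="${GITHUB_WORKSPACE}/sysroot"
          KERNEL=5.15.0-1015-xilinx-zynqmp
          sudo chroot "${SYSROOT}" bash -c "cd /home/${USER}/caliptra-sw/hw/fpga/rom_backdoor && make KERNEL=${KERNEL}"
          sudo chroot "${SYSROOT}" bash -c "cd /home/${USER}/caliptra-sw/hw/fpga/io_module && make KERNEL=${KERNEL}"
          sudo ls -l "${SYSROOT}/home/${USER}/caliptra-sw/hw/fpga/io_module"
          sudo ls -l "${SYSROOT}/home/${USER}/caliptra-sw/hw/fpga/rom_backdoor"
          mkdir /tmp/caliptra-fpga-kmod
          cp "${SYSROOT}/home/${USER}/caliptra-sw/hw/fpga/io_module/io_module.ko" /tmp/caliptra-fpga-kmod/
          cp "${SYSROOT}/home/${USER}/caliptra-sw/hw/fpga/rom_backdoor/rom_backdoor.ko" /tmp/caliptra-fpga-kmod/
      - name: Save kernel modules to cache
        uses: actions/cache/save@v3
        with:
          path: /tmp/caliptra-fpga-kmod/
          key: ${{ needs.check_cache.outputs.kmod_cache_key }}
      - name: 'Upload kernel module artifacts'
        uses: actions/upload-artifact@v4
        with:
          name: caliptra-fpga-kmod${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-fpga-kmod/
          retention-days: 1

  # Runs Vivado to produce caliptra_fpga.bin; skipped when check_cache
  # restored the bitstream from the cache.
  build_bitstream:
    runs-on: [e2-standard-8, fpga-tools]
    timeout-minutes: 180
    needs: check_cache
    if: needs.check_cache.outputs.rtl_cache_hit != 'true'
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          submodules: 'true'
      - name: Mount FPGA tools
        run: |
          # This is an installation of Vivado 2022.2 with support for Zynq Ultrascale+
          sudo mkdir /fpga-tools
          sudo mount UUID=be18f242-fb8d-4d99-971e-a8ae390ad620 /fpga-tools/
      - name: Build FPGA bitstream
        env:
          WF_IS_WORKFLOW_CALL: ${{ inputs.workflow_call }}
          WF_HW_VERSION: ${{ inputs.hw-version }}
          WF_FPGA_ITRNG: ${{ inputs.fpga-itrng }}
        run: |
          cd hw/fpga
          mkdir caliptra_build
          # Anything other than an explicit "false" (including the empty
          # value seen on push/pull_request) enables the ITRNG.
          if [ "${WF_FPGA_ITRNG}" == "false" ]; then
            ITRNG=FALSE
          else
            ITRNG=TRUE
          fi
          if [ "${WF_IS_WORKFLOW_CALL}" ]; then
            RTL_VERSION="${WF_HW_VERSION}"
          else
            RTL_VERSION="latest"
          fi
          /fpga-tools/Xilinx/Vivado/2022.2/bin/vivado -mode batch -source fpga_configuration.tcl -tclargs BUILD=TRUE "ITRNG=${ITRNG}" "RTL_VERSION=${RTL_VERSION}"
          if [ ! -f caliptra_build/caliptra_fpga.bin ]; then
            echo "Output file was not found; failing script"
            exit 1
          fi
      - name: 'Upload FPGA bitstream artifact'
        uses: actions/upload-artifact@v4
        with:
          name: caliptra-fpga-bitstream${{ inputs.artifact-suffix }}
          path: hw/fpga/caliptra_build/caliptra_fpga.bin

  cache_fpga_bitstream_artifact:
    runs-on: ubuntu-22.04
    needs: [check_cache, build_bitstream]
    if: needs.check_cache.outputs.rtl_cache_hit != 'true'
    # If we write to the cache from the self-hosted runner, the result is
    # usually not accessible from GitHub-hosted runners. So cache the artifact
    # instead.
    steps:
      - name: 'Download FPGA Bitstream Artifact'
        uses: actions/download-artifact@v4
        with:
          name: caliptra-fpga-bitstream${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-fpga-bitstream
      - name: Save FPGA bitstream to cache
        uses: actions/cache/save@v3
        with:
          path: /tmp/caliptra-fpga-bitstream/caliptra_fpga.bin
          key: ${{ needs.check_cache.outputs.rtl_cache_key }}

  # Loads the bitstream and kernel modules on the FPGA board and runs the
  # archived tests there.
  test_artifacts:
    runs-on: caliptra-fpga
    needs: [check_cache, build_bitstream, build_test_binaries, build_kernel_modules]
    # The build jobs are skipped on a cache hit, so "skipped" counts as
    # success here; without !cancelled() a skipped dependency would skip
    # this job as well.
    if: |
      !cancelled() &&
      needs.check_cache.result == 'success' &&
      (needs.build_bitstream.result == 'success' || needs.build_bitstream.result == 'skipped') &&
      (needs.build_test_binaries.result == 'success' || needs.build_test_binaries.result == 'skipped') &&
      (needs.build_kernel_modules.result == 'success' || needs.build_kernel_modules.result == 'skipped')
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Pull dpe submodule
        run: |
          git submodule update --init dpe
      - name: 'Download FPGA Bitstream Artifact'
        uses: actions/download-artifact@v4
        with:
          name: caliptra-fpga-bitstream${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-fpga-bitstream
      - name: 'Download kernel driver artifacts'
        uses: actions/download-artifact@v4
        with:
          name: caliptra-fpga-kmod${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-fpga-kmod/
      - name: 'Download Test Binaries Artifact'
        uses: actions/download-artifact@v4
        with:
          name: caliptra-test-binaries${{ inputs.artifact-suffix }}
          # `path` is a destination directory, so the image ends up at
          # /tmp/caliptra-test-binaries.sqsh/caliptra-test-binaries.sqsh.
          path: /tmp/caliptra-test-binaries.sqsh
      - name: 'Download Test Firmware Artifact'
        uses: actions/download-artifact@v4
        with:
          name: caliptra-test-firmware${{ inputs.artifact-suffix }}
          path: /tmp/caliptra-test-firmware
      - name: Mount binaries
        run: |
          # We don't have enough DRAM on the FPGA board to extract a tarball
          # into the overlaid tmpfs, so use squashfs instead
          echo mkdir
          sudo mkdir /tmp/caliptra-test-binaries
          echo mount squashfs
          sudo mount /tmp/caliptra-test-binaries.sqsh/caliptra-test-binaries.sqsh /tmp/caliptra-test-binaries -t squashfs -o loop
          find /tmp/caliptra-test-binaries
      - name: Load FPGA Bitstream
        run: |
          # sha256sum /tmp/caliptra-fpga-bitstream/caliptra_fpga.bin
          sudo mkdir -p /lib/firmware
          sudo cp /tmp/caliptra-fpga-bitstream/caliptra_fpga.bin /lib/firmware/caliptra_fpga.bin
          sudo bash -c 'echo 0 > /sys/class/fpga_manager/fpga0/flags'
          echo "Uploading bitstream"
          sudo bash -c 'echo caliptra_fpga.bin > /sys/class/fpga_manager/fpga0/firmware'
          echo "Upload complete"
          state="$(sudo cat /sys/class/fpga_manager/fpga0/state)"
          echo FPGA state is "${state}"
          if [ "$state" = "operating" ]; then
            exit 0
          else
            exit 1
          fi
      - name: Install kernel modules
        run: |
          ls -l /tmp/caliptra-fpga-kmod
          sudo insmod /tmp/caliptra-fpga-kmod/io_module.ko
          sudo insmod /tmp/caliptra-fpga-kmod/rom_backdoor.ko
      - name: Set clock rate
        run: |
          sudo bash -c 'echo 20000000 > /sys/bus/platform/drivers/xilinx_fclk/fclk0/set_rate'
      - name: Execute tests
        env:
          WF_IS_WORKFLOW_CALL: ${{ inputs.workflow_call }}
          WF_HW_VERSION: ${{ inputs.hw-version }}
          WF_ROM_LOGGING: ${{ inputs.rom-logging }}
        run: |
          export RUST_TEST_THREADS=1
          TEST_BIN=/tmp/caliptra-test-binaries
          VARS="CPTRA_UIO_NUM=4 CALIPTRA_PREBUILT_FW_DIR=/tmp/caliptra-test-firmware CALIPTRA_IMAGE_NO_GIT_REVISION=1"
          if [[ "${WF_IS_WORKFLOW_CALL}" && "${WF_HW_VERSION}" != "latest" ]]; then
            VARS+=" FIPS_TEST_HW_EXP_VERSION=1_0_0"
            VARS+=" FIPS_TEST_ROM_EXP_VERSION=1_0_1"
          fi
          # An empty value (push/pull_request/dispatch) counts as logging on.
          if [ "${WF_ROM_LOGGING}" == "true" ] || [ -z "${WF_ROM_LOGGING}" ]; then
            rom_type=ROM_WITH_UART
          elif [ "${WF_ROM_LOGGING}" == "false" ]; then
            rom_type=ROM_WITHOUT_UART
          else
            echo "Unexpected inputs.rom-logging: ${WF_ROM_LOGGING}"
            exit 1
          fi
          VARS+=" CPTRA_ROM_TYPE=${rom_type}"
          # The original echoed ${CPTRA_ROM_TYPE}, which is never set as a
          # shell variable, so the log line was always empty.
          echo "CPTRA_ROM_TYPE=${rom_type}"
          COMMON_ARGS=(
            --cargo-metadata="${TEST_BIN}/target/nextest/cargo-metadata.json"
            --binaries-metadata="${TEST_BIN}/target/nextest/binaries-metadata.json"
            --target-dir-remap="${TEST_BIN}/target"
            --workspace-remap=.
            -E 'not (package(/caliptra-emu-.*/) |
                     package(caliptra-builder) |
                     package(caliptra-cfi-derive) |
                     package(caliptra-file-header-fix) |
                     package(compliance-test))'
          )
          cargo-nextest nextest list \
            "${COMMON_ARGS[@]}" \
            --message-format json > /tmp/nextest-list.json
          # ${VARS} is left unquoted on purpose: it must split into separate
          # NAME=value assignments for sudo.
          sudo ${VARS} cargo-nextest nextest run \
            "${COMMON_ARGS[@]}" \
            --test-threads=1 \
            --no-fail-fast \
            --profile=nightly
      - name: 'Upload test results'
        uses: actions/upload-artifact@v4
        # Publish results for failed test runs too, but not for cancelled ones.
        if: success() || failure()
        with:
          name: caliptra-test-results${{ inputs.artifact-suffix }}
          path: |
            /tmp/junit.xml
            /tmp/nextest-list.json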