[ci] Add note about triggering CI for backports (earlgrey_1.0.0)
#26769
Closed: jwnrt wants to merge 5,953 commits into lowRISC:darjeeling_1.0.0 from jwnrt:ci-backport-note-earlgrey-1.0.0
This is a manual cherry-pick of 8d0e999 to the `earlgrey_1.0.0` branch. This originated from lowRISC#24605. Signed-off-by: Tim Trippel <ttrippel@google.com>
This avoids a DeprecationWarning when running with a recent version of Python. Signed-off-by: Rupert Swarbrick <rswarbrick@lowrisc.org> (cherry picked from commit a755874)
We now depend on >= 3.8 in tool_requirements.py. Signed-off-by: Rupert Swarbrick <rswarbrick@lowrisc.org> (cherry picked from commit 30b7d8a)
distutils is deprecated and will generate warnings when used. Replace it with packaging.version instead. pip3 command line invocation is replaced with importlib.metadata, which removes dependency on pip3 being present. Signed-off-by: Gary Guo <gary.guo@lowrisc.org> (cherry picked from commit b7c43e8)
This re-adds the ability to generate an external Bazel repository that contains all Python wheels for use as dependencies for this project. This capability was originally added to work around a rules_python shortcoming that prevented Python wheels from being downloaded and cached through the bazel third party dependency caching mechanism (specifically, the repository cache). This issue caused airgapped builds to fail. This issue was believed to be solved in newer versions of rules_python, so this wheel caching mechanism was removed in lowRISC#24361. However, after further testing, we found that newer rules_python versions suffer the same issue, i.e., they default to downloading Python wheels through Python, rather than the bazel download/caching mechanism, as shown here: https://github.com/bazelbuild/rules_python/blob/466da1d9710289bfb01061b9be7bb124132996e0/python/private/pypi/whl_installer/wheel_installer.py#L169 As a result, airgapped builds were broken. Signed-off-by: Tim Trippel <ttrippel@google.com>
Since rules_python was updated, airgapped bazel builds were broken. Re-enabling them required patching rules_python to use the pre-cached python wheels. Signed-off-by: Tim Trippel <ttrippel@google.com>
The airgapped build test failed to clean out the bazel cache before attempting a build with the pre-populated repository cache. This caused the test to pass even when it should not have. Signed-off-by: Tim Trippel <ttrippel@google.com>
This is required to support airgapped builds. Signed-off-by: Tim Trippel <ttrippel@google.com>
rules_fuzzing uses rules_python to pull in python packages. This required patching to work in airgapped mode, similar to the patching that was done for rules_python: we needed to disable hash requirements and enable pulling packages from a pre-cached wheels repo. Signed-off-by: Tim Trippel <ttrippel@google.com>
Make the host wait for the ottf to print the "running" message before starting the test. Signed-off-by: Douglas Reis <doreis@lowrisc.org> (cherry picked from commit 2538a0a)
Using a signed integer (int64_t) to store the parsed integer value could lead to undefined behavior when parsing large numbers due to signed integer overflow. To address this issue, the parsed value is now stored in an unsigned integer (uint64_t). The updated implementation also includes a check to ensure that the parsed value can be safely converted back to a signed integer before copying it into the `result`. Signed-off-by: Anthony Chen <antchen@google.com> (cherry picked from commit 67b2fe4)
This adds buffer size checks in `perso_tlv_data.c` to prevent potential memory access vulnerabilities. Signed-off-by: Anthony Chen <antchen@google.com> (cherry picked from commit 78f1dc3)
This removes the unused `cert_size` output parameter in the `dice_cert_check_valid` function. Also, the original implementation caused a clang compiler error due to incompatible pointer types by passing `&cert_size` (size_t *) to the `cert_x509_asn1_check_serial_number` function (expects a uint32_t * type). Signed-off-by: Anthony Chen <antchen@google.com> (cherry picked from commit 58e6fca)
Some HSMs distribute SPX pub keys as PEM encoded ASN.1 objects. The approach so far has been to manually extract the 32 byte key material from the object. This patch adds parsing code for processing the ASN.1 key files. The supported algorithm is slh-dsa-sha2-128s-with-sha256, its OID is defined in https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration#heading1725030685275_13 Tested on an opentitan owner's firmware by passing to --spx-key first the raw SPX key and then the HSM generated PEM file, and observing the unchanged contents of the resulting image. Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> (cherry picked from commit fb326fc)
I did not write correct test cases that would check a flash configuration similar to the owner config already deployed in some skus. This oversight could cause ownership initialization to fail on devices with such a configuration. 1. Permit a maximum of 3 regions per side in the flash configuration. The regions must be fully within the bounds of SlotA or SlotB and may not overlap the ROM_EXT region. 2. Apply the region configuration in order. Previously, there was a correspondence between the index of the region in the owner config and the MP_REGION register that it would land in, but this makes ownership transfers prone to configuration clashes. 3. Flash configuration is done in two passes to configure each side independently (the reason for this is to allow next_owner's flash config to apply to the non-primary side during ownership transfer). The flash_apply function now takes an index parameter to manage the destination MP_REGION register between passes. 4. Create a unittest case with a flash configuration similar to the already-deployed configuration. Include the ROM_EXT, application, filesystem and reserved segments. 5. Update the existing test cases to accommodate the new configuration scheme (e.g. applying in order rather than by index). Signed-off-by: Chris Frantz <cfrantz@google.com>
We are developing a downstream provisioning test flow harness in the `lowRISC/opentitan-provisioning` repo that makes use of opentitanlib. We need to expose backend function structs to enable programs to configure these settings outside of a CLI-like environment. Signed-off-by: Tim Trippel <ttrippel@google.com>
Introduce Integrator Specific Firmware Binding (ISFB) data structures used to implement integrator-device specific binding as well as anti-rollback based on ownership configuration. Data structures: 1. `manifest_ext_isfb_t`: Integration specific firmware binding manifest extension. Contains anti-rollback strike mask as well as device specific product expression. 2. `manifest_ext_isfb_erase_t`: ISFB erase policy manifest extension. This extension is used to authorize erasing of the ISFB region. Intended for testing purposes. The implementation will require node-locking for this policy to be effective. 3. `owner_isfb_config`: ISFB owner configuration. Defines the ISFB info flash page configuration as well as its erase policy. Signed-off-by: Miguel Osorio <miguelosorio@google.com> (cherry picked from commit 3c72c0e)
This dependency is only used to log an error message which is already covered by a specific error code anyway. Also since `log` only compiles on OT, it prevents the unittests from being runnable on host. Signed-off-by: Amaury Pouly <amaury.pouly@lowrisc.org> (cherry picked from commit 1fd9ddb)
Signed-off-by: Ramesh Prakash <rprakas@google.com> Add HMAC endian test as per chip_hmac_testplan.hjson Incorporated suggested changes from PR feedback
Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> Co-authored-by: Amaury Pouly <amaury.pouly@lowrisc.org> (cherry picked from commit 2fce0c7)
Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> Co-authored-by: Amaury Pouly <amaury.pouly@lowrisc.org> (cherry picked from commit 6b31d1b)
Include the runfiles of harnesses with the test so that the harness can find them. Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (cherry picked from commit a01e130)
Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> Co-authored-by: Amaury Pouly <amaury.pouly@lowrisc.org> (cherry picked from commit 6129184)
This allows us to run any test in QEMU to help with bringing up the emulator. Most will fail so we won't run these in CI. Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (cherry picked from commit 40d7c5e)
These are required to make them pass. Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (cherry picked from commit af0e35c)
Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (cherry picked from commit 49a2d1b)
Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (cherry picked from commit 42a371f)
These canonical paths are different between Bazel 6, 7, and 8. The `rules_python` runfiles library will perform repository mappings before using this path, so we can use `qemu_opentitan` instead of the canonical name. Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (commit is original to earlgrey_1.0.0)
This updates the individualization firmware to enable patching a single AST config CSR based on an address and value stored in flash info page 0. This is activated by a CLI arg `--patch-ast` passed to the orchestrator script. Signed-off-by: Tim Trippel <ttrippel@google.com>
The problems were highlighted when running pre-submission check on an unrelated patch. Signed-off-by: Vadim Bendebury <vbendeb@google.com>
This updates the FT individualization FW to add GPIO signalling for: - test start on IOA4, - test done on IOA1, and - test error on IOA0. Additionally, this removes more noisy message logs from the FW. Signed-off-by: Tim Trippel <ttrippel@google.com>
Add opentitantool image manifest support for Integrator Specific Firmware Binding (ISFB) extensions. The following manifest extensions were added: 1. isfb: Integration specific firmware binding manifest extension. Contains anti-rollback strike mask as well as device specific product expression. 2. isfb_erase_policy: This extension is used to authorize erasing of the ISFB region. Intended for testing purposes. The implementation will require node-locking for this policy to be effective. This change does not integrate the extensions into the build system. This will be done in a separate commit. Signed-off-by: Miguel Osorio <miguelosorio@google.com> (cherry picked from commit 6eab159)
Update `opentitanlib` and `opentitantool` to support manifest extension configuration parameters in the main manifest JSON file. 1. Discontinue support for the `--manifest_ext` flag in the image manifest update command. Most extensions are manipulated directly by the command, and other extension parameters are now included in the main manifest JSON configuration file. 2. Update `ManifestExtEntrySpec` to add an attribute to determine if a given manifest extension should be signed. The OpenTitan specifications define whether an extension should be signed or not. Capturing this information in `opentitanlib` makes the implementation less prone to user configuration errors. 3. Make `ManifestExtEntrySpec` serialization use named attributes to make the configuration easier to read. 4. Remove support for relative paths from various `manifest_ext` methods and structs. `opentitantool` loads files directly before calling any `manifest_ext` methods, and it does not rely on the spx extension params provided by `ManifestExtEntrySpec:Spx` and `ManifestExtEntrySpec::SpxSignature`. These are the only extensions that were previously supporting relative paths. 5. Add support for `integrator_specific_firmware_binding` and `isfb_erase_policy` manifest extensions to the Bazel manifest.bzl infrastructure. Signed-off-by: Miguel Osorio <miguelosorio@google.com> (cherry picked from commit 1fdee2d)
Fix a logic error in handling the `--update-length` argument for `image manifest update`. Signed-off-by: Chris Frantz <cfrantz@google.com>
Signed-off-by: Chris Frantz <cfrantz@google.com>
Create a small USB driver meant to be used in silicon_creator code. 1. Implement a basic no-interrupts driver for the OpenTitan USB peripheral. The driver manages the USB peripheral buffers, endpoint transfers and SETUPDATA on the control endpoint. Higher level protocols register a callback function with the endpoints. 2. Implement a standard USB control endpoint handler. This handler should be called in response to any SETUPDATA requests on endpoint zero. 3. Add a basic test to check device enumeration and configuration and data transfers. Signed-off-by: Chris Frantz <cfrantz@google.com>
Signed-off-by: Chris Frantz <cfrantz@google.com>
This change adds support for the Integration Specific Firmware Binding (ISFB) configuration, which describes the configuration parameters of the ISFB region. This owner blob TLV entry is optional and not required for regular ownership operation. Signed-off-by: Miguel Osorio <miguelosorio@google.com> (cherry picked from commit 27c0914) (cherry picked from commit b933dbc)
Implements Integrator Specific FW Binding (ISFB) functionality to provide anti-rollback and product binding functionality to application firmware. The following changes are included: 1. Add flash_ctrl helper function to generate the info flash page configuration based on the ownership ISFB config. 2. Implement isfb logic as a separate module to simplify ROM_EXT integration. 3. Add unittest cases to verify anti-rollback and product association functionality. 4. Add minimum level of hardening against FI. The ROM_EXT integration and e2e test cases will be implemented in a follow up commit. Signed-off-by: Miguel Osorio <miguelosorio@google.com> (cherry picked from commit e5bd02c) Signed-off-by: Miguel Osorio <miguelosorio@google.com>
Traditionally, we placed the RvDm region in ePMP entry 13 and the memory-mapped flash in region 12. This was reversed because it would allow for one more ToR region when RvDM is not in use, however downstream customers' applications may depend on a specific ePMP configuration when their firmware starts. The customer is free to re-arrange ePMP as they wish, so a configuration with an extra ToR entry is still possible as long as the customer programs the proper ePMP arrangement. Signed-off-by: Chris Frantz <cfrantz@google.com>
This is to be able to maintain an ordered list of alert parameters matching the layout of the alert_handler configuration. Otherwise buildifier will want to sort the parameters if set via `kwargs`. Signed-off-by: Miguel Osorio <miguelosorio@google.com>
This was checking the AST patch address regardless if it was set or not. Signed-off-by: Tim Trippel <ttrippel@google.com>
Rescue mode should not automatically reboot the chip after processing a data transfer. Instead, the chip should wait for a subsequent command or a reboot request via the `REBO` command. This mode of operation is more aligned with how alternate rescue protocols (like USB-DFU) work. Making this behavior consistent among the supported protocols allows for easier test automation and configuration flows. Addresses: lowRISC#26481 Signed-off-by: Chris Frantz <cfrantz@google.com>
Signed-off-by: Chris Frantz <cfrantz@google.com>
The current implementation assumes the filename contains at least three characters. Although it's rare for a filename's length to be less than three, we don't have this kind of check. The commit checks the filename's length and uses 'und' when the filename is less than three. Signed-off-by: cehann <shihhanchang@google.com>
During status serialization, when the module identifier contains a "\\"
character, it will be serialized as "\\" instead of "\\\\".
For example, when the module id is {'\\', '\\', 'C'}, the
deserialized result will be {'\\', 'C', 0}, which makes the
deserialization fail.
Signed-off-by: cehann <shihhanchang@google.com>
Enabling scrambling and ECC for the boot data info pages during individualization was causing perso bootstrap to fail. This is because ROM attempts to read the boot data before it has been initialized, causing integrity errors. The solution is to skip boot data during individualization and apply it during perso, which is when the boot data is written for the first time. Signed-off-by: Miguel Osorio <miguelosorio@google.com>
Signed-off-by: James Wainwright <james.wainwright@lowrisc.org> (cherry picked from commit 19a7e0d)
Sorry, wrong branch!
Manual cherry-pick of #26768