Verify ECC and PQC digests from key descriptor #8438
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# docs: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions | |
name: Build and Test | |
on: | |
push: | |
branches: ["main"] | |
pull_request: | |
workflow_call: | |
workflow_dispatch: | |
jobs: | |
build_and_test: | |
runs-on: ubuntu-20.04 | |
env: | |
CARGO_INCREMENTAL: 0 | |
SCCACHE_VERSION: 0.3.3 | |
SCCACHE_GHA_CACHE_TO: sccache-caliptra-sw | |
SCCACHE_GHA_CACHE_FROM: sccache-caliptra-sw | |
# CPTRA_COVERAGE_PATH: /tmp | |
# Change this to a new random value if you suspect the cache is corrupted | |
SCCACHE_C_CUSTOM_CACHE_BUSTER: 8b42a6e70ec4 | |
# Compiler warnings should fail to compile | |
EXTRA_CARGO_CONFIG: "target.'cfg(all())'.rustflags = [\"-Dwarnings\"]" | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v3 | |
- name: Test commit name | |
run: | | |
echo "Build-Test: release_ref=$(git rev-parse HEAD)" | |
- name: Pull dpe submodule | |
run: | | |
git submodule update --init dpe | |
- name: Install required packages | |
run: | | |
sudo apt-get update -qy && sudo apt-get install libftdi1-dev libusb-1.0-0-dev golang-1.20-go | |
- name: Restore sccache binary | |
uses: actions/cache/restore@v3 | |
id: sccache_bin_restore | |
with: | |
path: ~/.cargo/bin/sccache | |
key: sccache-bin-${{ env.SCCACHE_VERSION }}-${{ env.SCCACHE_C_CUSTOM_CACHE_BUSTER }} | |
- name: Install sccache | |
if: steps.sccache_bin_restore.outputs.cache-hit != 'true' | |
run: | | |
cargo install sccache --version ${SCCACHE_VERSION} --no-default-features --features=gha --locked | |
# Save the sccache binary immediately so we can reuse it in future runs | |
# even if the rest of the current run fails. | |
- name: Save sccache binary | |
uses: actions/cache/save@v3 | |
if: steps.sccache_bin_restore.outputs.cache-hit != 'true' | |
with: | |
path: ~/.cargo/bin/sccache | |
key: ${{ steps.sccache_bin_restore.outputs.cache-primary-key }} | |
- name: Configure sccache | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
core.exportVariable('RUSTC_WRAPPER', process.env.HOME + '/.cargo/bin/sccache'); | |
core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || ''); | |
core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || ''); | |
- name: Check that Cargo.lock doesn't need to be updated | |
# Note: this isn't the same as checking that Cargo.lock is up to date | |
# (cargo update --locked), which makes sure that every package is the | |
# latest published version. This is just ensuring that every | |
# dependency has an entry in Cargo.lock that is compatible with the | |
# version requirements in all Cargo.toml files. | |
run: | | |
# This works because cargo tree requires a Cargo.lock with no required updates | |
cargo tree --locked > /dev/null || ( | |
echo "Please include required changes to Cargo.lock in your pull request" | |
# Without the --locked flag, cargo will do the minimal possible update to Cargo.lock | |
cargo tree > /dev/null 2> /dev/null | |
# Print out the differences to ease debugging | |
git diff Cargo.lock | |
exit 1 | |
) | |
- name: Check source-code formatting (run "cargo fmt" if this fails) | |
run: | | |
cargo fmt --check --all | |
- name: Check license headers | |
run: | | |
cargo run -p caliptra-file-header-fix --locked -- --check | |
- name: Build | |
run: | | |
cargo --config "$EXTRA_CARGO_CONFIG" build --locked | |
CARGO_TARGET_DIR=target cargo --config "$EXTRA_CARGO_CONFIG" build --locked --manifest-path ci-tools/fpga-boss/Cargo.toml | |
drivers/test-fw/build.sh | |
(cd fmc && ./build.sh) | |
(cd runtime && ./build.sh) | |
(cd rom/dev && ./build.sh) | |
sccache --show-stats | |
# Clippy needs to build crates as part of the check, so do it after the | |
# build. | |
- name: Clippy lint check | |
run: | | |
# Clippy doesn't look at --config, so manually set RUSTFLAGS to the | |
# same as the build steps to avoid invalidating the cargo cache. | |
RUSTFLAGS="-Dwarnings" cargo clippy --locked --all-targets -- -D warnings | |
CARGO_TARGET_DIR=target RUSTFLAGS="-Dwarnings" cargo clippy --locked --all-targets --manifest-path ci-tools/fpga-boss/Cargo.toml -- -D warnings | |
# As fuzzing targets are not part of the workspace, perform their tests explicitly. | |
- name: Build test fuzzing targets | |
# Intermittently fails and is too slow | |
if: false | |
run: | | |
rustup toolchain install nightly-2023-04-15 | |
cargo +nightly-2023-04-15 install cargo-fuzz cargo-afl | |
for target in dpe/dpe/fuzz/ drivers/fuzz/ image/verify/fuzz/ x509/fuzz/; do | |
pushd $target; \ | |
cargo fmt --check; \ | |
# TODO: Depends on https://github.com/chipsalliance/caliptra-sw/issues/681 | |
#cargo clippy; \ | |
cargo +nightly-2023-04-15 fuzz build --features libfuzzer-sys; \ | |
cargo +nightly-2023-04-15 afl build --features afl; \ | |
popd; \ | |
done | |
for target in drivers/fuzz/ image/verify/fuzz/; do | |
pushd $target; \ | |
cargo +nightly-2023-04-15 fuzz build --features libfuzzer-sys,struct-aware; \ | |
cargo +nightly-2023-04-15 afl build --features afl,struct-aware; \ | |
popd; \ | |
done | |
- name: Run tests | |
run: | | |
CPTRA_COVERAGE_PATH=/tmp cargo --config "$EXTRA_CARGO_CONFIG" test --locked | |
CPTRA_COVERAGE_PATH=/tmp cargo --config "$EXTRA_CARGO_CONFIG" run --manifest-path ./coverage/Cargo.toml | |
CARGO_TARGET_DIR=target cargo --config "$EXTRA_CARGO_CONFIG" test --locked --manifest-path ci-tools/fpga-boss/Cargo.toml | |
sccache --show-stats | |
- name: Run emulator conformance tests | |
run: | | |
sudo apt-get install gcc-riscv64-unknown-elf binutils-riscv64-unknown-elf | |
(cd /tmp/ && git clone --depth 1 --branch old-framework-2.x https://github.com/riscv-non-isa/riscv-arch-test) | |
cargo --config "$EXTRA_CARGO_CONFIG" run --locked -p compliance-test -- --test_root_path /tmp/riscv-arch-test | |
- name: ROM Makefile | |
run: | | |
(cd rom/dev && make run) | |
- name: Caliptra HW-Model C Binding Smoke Test | |
run: | | |
git submodule update --init | |
(cd hw-model/c-binding/examples && make run) | |
- name: Caliptra C API Hwmodel Integration Test | |
run: | | |
(cd libcaliptra/examples/hwmodel && make && ./hwmodel) | |
- name: DPE Verification Tests | |
run: | | |
(cd test/dpe_verification && make run) | |