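# Reusable / manually dispatched workflow that downloads the firmware
# artifacts of an earlier run and checks that they can be applied as DFU
# updates: partition layout, MCUboot and NSIB signatures, manifest slot indices.
name: DFU image compatibility check

on:
  workflow_call:
    inputs:
      artifact_fw_version:
        type: string
        required: true
      artifact_run_id:
        type: string
        required: true
  workflow_dispatch:
    inputs:
      artifact_fw_version:
        type: string
        required: true
      artifact_run_id:
        type: string
        required: true

# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN carries
# whatever the caller or the repository default grants. The visible steps
# read repository contents and read artifacts of another run; consider
# declaring `contents: read` and `actions: read` once it is confirmed what
# ./.github/actions/toolchain and the container pull need.
jobs:
  # Resolves the toolchain image tag that the analyze job's container uses.
  setup:
    runs-on: ubuntu-24.04
    outputs:
      toolchain-version: ${{ steps.setup.outputs.toolchain-version }}
    steps:
      # NOTE(review): download-artifact below is pinned to a full commit SHA,
      # while actions/checkout is referenced by the mutable tag v4 (here and
      # in the analyze job). Pin it the same way for consistency.
      - uses: actions/checkout@v4
      - uses: ./.github/actions/toolchain
        id: setup

  analyze:
    name: Static analysis
    needs: setup
    runs-on: ubuntu-24.04
    container: ghcr.io/nrfconnect/sdk-nrf-toolchain:${{ needs.setup.outputs.toolchain-version }}
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
      # The caller-supplied version string is handed to the scripts through
      # the environment instead of being expanded into the script text with
      # ${{ }}, so shell metacharacters in the input are treated as data and
      # cannot alter the commands that run.
      ARTIFACT_FW_VERSION: ${{ inputs.artifact_fw_version }}
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          path: thingy91x-oob

      # Sets up the west workspace around the checked-out manifest repository.
      - name: Initialize
        working-directory: thingy91x-oob
        run: |
          west init -l .
          west config manifest.group-filter +bsec
          west config build.sysbuild True
          west update -o=--depth=1 -n

      # NOTE(review): the run id is supplied by the caller and is not tied to
      # a particular workflow or branch here; the checks below are the only
      # thing that vets the downloaded files.
      - name: Download artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: firmware-*
          merge-multiple: true
          path: thingy91x-oob/artifacts
          run-id: ${{ inputs.artifact_run_id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Unzip update ZIPs
        working-directory: thingy91x-oob/artifacts
        run: |
          # Extract archive $1 into directory $2 using Python's zipfile module.
          unzip_file() {
            python3 -c "import zipfile, sys; zipfile.ZipFile(sys.argv[1]).extractall(sys.argv[2])" "$1" "$2"
          }
          unzip_file "hello.nrfcloud.com-${ARTIFACT_FW_VERSION}-thingy91x-nrf91-dfu.zip" nrf91-app
          unzip_file "hello.nrfcloud.com-${ARTIFACT_FW_VERSION}-thingy91x-nrf91-bootloader.zip" nrf91-bootloader
          unzip_file "connectivity-bridge-${ARTIFACT_FW_VERSION}-thingy91x-nrf53-dfu.zip" nrf53-app
          unzip_file "connectivity-bridge-${ARTIFACT_FW_VERSION}-thingy91x-nrf53-bootloader.zip" nrf53-bootloader

      # NOTE(review): if the requirements file carries hashes, consider
      # `pip install --require-hashes` so the resolved packages are fixed.
      - name: Install dependencies
        run: |
          pip install -r nrf/scripts/requirements-build.txt

      # Runs in the default working directory; the paths are exported for
      # the later steps, which run inside thingy91x-oob.
      - name: Save paths
        run: |
          echo "CI_PROJECT_DIR=$(pwd)/thingy91x-oob" >> "$GITHUB_ENV"
          echo "CI_NRF_DIR=$(pwd)/nrf" >> "$GITHUB_ENV"
          echo "CI_ZEPHYR_DIR=$(pwd)/zephyr" >> "$GITHUB_ENV"
          echo "CI_MCUBOOT_DIR=$(pwd)/bootloader/mcuboot" >> "$GITHUB_ENV"

      # The verifying keys are derived from signing-key files stored in the
      # SDK tree under boards/nordic/thingy91x.
      # NOTE(review): if those are the SDK's in-tree sample keys, a passing
      # NSIB check shows the image matches what the deployed bootloader
      # expects, not that it came from a protected signing process - confirm.
      - name: 'generate nsib verifying keys'
        working-directory: thingy91x-oob
        run: |
          python3 "${CI_NRF_DIR}/scripts/bootloader/keygen.py" --public \
            --in "${CI_NRF_DIR}/boards/nordic/thingy91x/nsib_signing_key.pem" \
            --out verifying_key_nrf91.pem
          python3 "${CI_NRF_DIR}/scripts/bootloader/keygen.py" --public \
            --in "${CI_NRF_DIR}/boards/nordic/thingy91x/nsib_signing_key_nrf5340.pem" \
            --out verifying_key_nrf53.pem

      # Fails when the partition report shipped with the artifacts differs
      # from the reference layout kept in scripts/ (whitespace ignored).
      - name: 'nrf91: check partition layout'
        working-directory: thingy91x-oob/artifacts
        run: |
          diff --ignore-all-space --ignore-blank-lines \
            "pmr-nrf91-default-${ARTIFACT_FW_VERSION}.txt" \
            "${CI_PROJECT_DIR}/scripts/pmr_nrf91.txt"

      # NOTE(review): root-ec-p256.pem is the key file that ships in the
      # MCUboot tree, which MCUboot documents as a development key. A pass
      # here shows the image is signed with the key the bootloader expects
      # (compatibility); it is not evidence of authenticity.
      - name: 'nrf91: check app image signature'
        working-directory: thingy91x-oob
        run: |
          python3 "${CI_MCUBOOT_DIR}/scripts/imgtool.py" verify \
            -k "${CI_MCUBOOT_DIR}/root-ec-p256.pem" \
            "artifacts/hello.nrfcloud.com-${ARTIFACT_FW_VERSION}-thingy91x-nrf91-update-signed.bin"

      # Checks both bootloader slot images against the nRF91 verifying key.
      # -a and -v are presumably the slot address and the expected version;
      # confirm against scripts/nsib_signature_check.py.
      - name: 'nrf91: check bootloader image signature'
        working-directory: thingy91x-oob
        run: |
          # python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf9151_ns/app/app.build/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf91.pem -a 0x00008200 -v 2
          python3 scripts/nsib_signature_check.py \
            -i artifacts/nrf91-bootloader/signed_by_mcuboot_and_b0_mcuboot.bin \
            -p verifying_key_nrf91.pem -a 0x00008200 -v 3
          python3 scripts/nsib_signature_check.py \
            -i artifacts/nrf91-bootloader/signed_by_mcuboot_and_b0_s1_image.bin \
            -p verifying_key_nrf91.pem -a 0x0001c200 -v 3

      # Each grep exits non-zero when its pattern is missing, failing the step.
      - name: 'nrf91: check manifest slot indices'
        working-directory: thingy91x-oob/artifacts
        run: |
          grep '"slot_index_primary": "1"' nrf91-app/manifest.json
          grep '"slot_index_secondary": "2"' nrf91-app/manifest.json

      - name: 'nrf53: check partition layout'
        working-directory: thingy91x-oob/artifacts
        run: |
          diff --ignore-all-space --ignore-blank-lines \
            "pmr-nrf53-default-${ARTIFACT_FW_VERSION}.txt" \
            "${CI_PROJECT_DIR}/scripts/pmr_nrf53.txt"

      # Same key and same caveat as the nRF91 app image check: the key file
      # comes from the MCUboot tree, so this is a compatibility check.
      - name: 'nrf53: check app image signature'
        working-directory: thingy91x-oob/artifacts
        run: |
          python3 "${CI_MCUBOOT_DIR}/scripts/imgtool.py" verify \
            -k "${CI_MCUBOOT_DIR}/root-ec-p256.pem" \
            nrf53-app/connectivity_bridge.signed.bin

      - name: 'nrf53: check bootloader image signature'
        working-directory: thingy91x-oob
        run: |
          # python3 scripts/nsib_signature_check.py -i ../nrf/applications/connectivity_bridge/build/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf53.pem -a 0x00008200 -v 3
          python3 scripts/nsib_signature_check.py \
            -i artifacts/nrf53-bootloader/signed_by_mcuboot_and_b0_mcuboot.bin \
            -p verifying_key_nrf53.pem -a 0x00008200 -v 4
          python3 scripts/nsib_signature_check.py \
            -i artifacts/nrf53-bootloader/signed_by_mcuboot_and_b0_s1_image.bin \
            -p verifying_key_nrf53.pem -a 0x0001c200 -v 4

      - name: 'nrf53: check manifest slot indices'
        working-directory: thingy91x-oob/artifacts
        run: |
          grep '"slot_index_primary": "1"' nrf53-app/manifest.json
          grep '"slot_index_secondary": "2"' nrf53-app/manifest.json
          # check that there is also a second image for the network core
          grep '"image_index": "1"' nrf53-app/manifest.json
          grep '"slot_index_primary": "3"' nrf53-app/manifest.json
          grep '"slot_index_secondary": "4"' nrf53-app/manifest.json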