sim.yaml
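# Runs the Sim test matrix on pushes to main and on every pull request.
#
# The trigger is `pull_request`, not `pull_request_target`: runs started from
# a fork get a read-only token and no repository secrets. That matters here
# because the steps below execute scripts (./ci/*.sh) from the checked-out
# tree, which a pull request can modify.
on:
  push:
    branches:
      - main
  pull_request:

name: Sim

# Least privilege for the GITHUB_TOKEN. No step shown here hands the token to
# anything other than the checkout action; widen this only if one of the ci/
# scripts turns out to need more (their contents are not visible here).
permissions:
  contents: read

# One live run per pull request (or per ref for pushes); a newer run cancels
# the one still in progress for the same group.
concurrency:
  group: sim-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  environment:
    strategy:
      matrix:
        # One job per entry. Each entry is a single string; presumably
        # ci/sim_run.sh splits it on commas and treats every space-separated
        # group as one feature combination - confirm against the script.
        # Judging by the names, the sets cover signature schemes (sig-*),
        # image encryption (enc-*), upgrade strategies and the rollback /
        # downgrade protections.
        features:
          - "sig-ecdsa,sig-ecdsa-mbedtls,sig-ed25519,enc-kw,bootstrap"
          - "sig-rsa,sig-rsa3072,overwrite-only,validate-primary-slot,swap-move,swap-offset"
          - "enc-rsa,enc-rsa max-align-32"
          - "enc-aes256-rsa,enc-aes256-rsa max-align-32"
          - "enc-ec256,enc-ec256 overwrite-only validate-primary-slot max-align-16,enc-ec256 max-align-32"
          - "enc-aes256-ec256,enc-aes256-ec256 max-align-32"
          - "enc-x25519,enc-x25519 max-align-32"
          - "enc-aes256-x25519,enc-aes256-x25519 max-align-32"
          - "sig-rsa overwrite-only,sig-ecdsa overwrite-only,sig-ecdsa-mbedtls overwrite-only,multiimage overwrite-only"
          - "sig-rsa validate-primary-slot,sig-ecdsa validate-primary-slot,sig-ecdsa-mbedtls validate-primary-slot,sig-rsa multiimage validate-primary-slot"
          - "enc-kw overwrite-only,enc-kw overwrite-only max-align-32"
          - "enc-rsa overwrite-only,enc-rsa overwrite-only max-align-32"
          - "enc-aes256-kw overwrite-only,enc-aes256-kw overwrite-only max-align-32"
          - "sig-rsa enc-rsa validate-primary-slot,swap-move enc-rsa sig-rsa validate-primary-slot bootstrap,swap-offset enc-rsa sig-rsa validate-primary-slot bootstrap"
          - "sig-rsa enc-kw validate-primary-slot bootstrap,sig-ed25519 enc-x25519 validate-primary-slot"
          - "sig-ecdsa enc-kw validate-primary-slot"
          - "sig-ecdsa-mbedtls enc-kw validate-primary-slot"
          - "sig-rsa validate-primary-slot overwrite-only,sig-rsa validate-primary-slot overwrite-only max-align-32"
          - "sig-ecdsa enc-ec256 validate-primary-slot"
          - "sig-ecdsa-mbedtls enc-ec256-mbedtls validate-primary-slot"
          - "sig-ecdsa-mbedtls enc-aes256-ec256 validate-primary-slot"
          - "sig-rsa validate-primary-slot overwrite-only downgrade-prevention"
          - "sig-rsa validate-primary-slot ram-load"
          - "sig-rsa enc-rsa validate-primary-slot ram-load"
          - "sig-rsa validate-primary-slot direct-xip"
          - "sig-rsa validate-primary-slot ram-load multiimage"
          - "sig-rsa validate-primary-slot direct-xip multiimage"
          - "sig-ecdsa hw-rollback-protection multiimage"
          - "sig-ecdsa-psa,sig-ecdsa-psa sig-p384,sig-ecdsa-psa swap-move bootstrap max-align-16"
          - "sig-ecdsa-psa enc-ec256 max-align-16, sig-ecdsa-psa enc-ec256 swap-offset validate-primary-slot max-align-16"
          # Same set, routed through Mbed TLS 4.1 via the mbedtls-v4
          # feature. These mirror the 3.6 path above and should behave
          # identically — the crypto config is the same shape (ECDSA
          # P-256/P-384 + SHA-256).
          - "sig-ecdsa-psa mbedtls-v4,sig-ecdsa-psa sig-p384 mbedtls-v4,sig-ecdsa-psa swap-move bootstrap max-align-16 mbedtls-v4"
          # Orthogonal feature combinations untested on the 3.6
          # sig-ecdsa-psa path but expected to work — swap/align/
          # multiimage/validate don't touch crypto. Good shakedown for
          # the CMake-driven build surface.
          - "sig-ecdsa-psa swap-offset mbedtls-v4,sig-ecdsa-psa validate-primary-slot mbedtls-v4,sig-ecdsa-psa overwrite-only mbedtls-v4,sig-ecdsa-psa multiimage mbedtls-v4"
          # Reset/XIP/rollback combinations. Higher risk of surfacing
          # PSA-specific assumptions baked into these code paths; run
          # and triage.
          - "sig-ecdsa-psa ram-load mbedtls-v4,sig-ecdsa-psa direct-xip mbedtls-v4,sig-ecdsa-psa overwrite-only downgrade-prevention mbedtls-v4,sig-ecdsa-psa hw-rollback-protection multiimage mbedtls-v4"
          # Genuine PSA encryption via encrypted_psa.c (vs. the 3.6
          # stub path above, which leaves PSA init as a no-op and uses
          # TinyCrypt). Mirrors the 3.6 enc-ec256 row.
          - "sig-ecdsa-psa enc-ec256 mbedtls-v4,sig-ecdsa-psa enc-ec256 swap-offset validate-primary-slot max-align-16 mbedtls-v4"
          # AES-256 variant. Same ECIES-P256 machinery, larger
          # BOOT_ENC_KEY_SIZE. PSA_KEY_TYPE_AES covers all AES key
          # sizes so no config delta.
          - "sig-ecdsa-psa enc-aes256-ec256 mbedtls-v4,sig-ecdsa-psa enc-aes256-ec256 swap-offset validate-primary-slot max-align-16 mbedtls-v4"
          - "ram-load enc-aes256-kw multiimage"
          - "ram-load enc-aes256-kw sig-ecdsa-mbedtls multiimage"
    runs-on: ubuntu-latest
    env:
      # Handed to the scripts through the environment rather than being
      # interpolated into a `run:` body, so the shell never parses the
      # expression text itself.
      MULTI_FEATURES: ${{ matrix.features }}
    steps:
      # NOTE(review): both third-party actions below are referenced by a
      # mutable tag. Pinning each to a full commit SHA keeps a re-pointed tag
      # from changing what runs here. checkout@v2 is an old major and the
      # actions-rs actions appear to be no longer maintained - confirm, and
      # plan a move to maintained versions.
      # NOTE(review): checkout leaves the token in the local git config by
      # default; if the ci/ scripts need no authenticated git access, the
      # action's `persist-credentials: false` input avoids that.
      - uses: actions/checkout@v2
        with:
          # Full history and all submodules.
          fetch-depth: 0
          submodules: recursive
      - name: Print the environment
        run: |
          uname -a
          lscpu
          free
          pwd
      # Only meaningful for pull requests, so skipped on pushes to main.
      - name: Signed commit check
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          ./ci/check-signed-off-by.sh
      - name: Install stable Rust
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - name: Sim install
        run: |
          ./ci/sim_install.sh
      - name: Sim run
        run: |
          ./ci/sim_run.sh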