-
Notifications
You must be signed in to change notification settings - Fork 8
107 lines (92 loc) · 5.05 KB
/
dfu_check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
name: DFU image compatibility check
on:
workflow_call:
push:
branches:
- main
pull_request:
paths:
- '**/*.c'
- '**/*.h'
- west.yml
- '**/CMakelists.txt'
- '**/Kconfig*'
- '**/prj.conf'
jobs:
build:
name: Build and analyze
runs-on: ubuntu-latest
container: ghcr.io/zephyrproject-rtos/ci:v0.26.14
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
CMAKE_PREFIX_PATH: /opt/toolchains
steps:
- name: Checkout
uses: actions/checkout@v4
with:
path: thingy91x-oob
- name: Initialize
working-directory: thingy91x-oob
run: |
west init -l .
west config manifest.group-filter +bsec
west config build.sysbuild True
west update -o=--depth=1 -n
- name: Install dependencies
run: |
pip install -r nrf/scripts/requirements-build.txt
- name: Save paths
run: |
echo "CI_PROJECT_DIR=$(pwd)/thingy91x-oob" >> $GITHUB_ENV
echo "CI_NRF_DIR=$(pwd)/nrf" >> $GITHUB_ENV
echo "CI_ZEPHYR_DIR=$(pwd)/zephyr" >> $GITHUB_ENV
echo "CI_MCUBOOT_DIR=$(pwd)/bootloader/mcuboot" >> $GITHUB_ENV
- name: 'generate nsib verifying keys'
working-directory: thingy91x-oob
run: |
python3 ${CI_NRF_DIR}/scripts/bootloader/keygen.py --public --in ${CI_NRF_DIR}/boards/nordic/thingy91x/nsib_signing_key.pem --out verifying_key_nrf91.pem
python3 ${CI_NRF_DIR}/scripts/bootloader/keygen.py --public --in ${CI_NRF_DIR}/boards/nordic/thingy91x/nsib_signing_key_nrf5340.pem --out verifying_key_nrf53.pem
- name: Build OOB FW
working-directory: thingy91x-oob
run: |
west twister -T . -v -p thingy91x/nrf9151/ns --inline-logs
- name: 'nrf91: check partition layout'
working-directory: thingy91x-oob/twister-out/thingy91x_nrf9151_ns/app/app.build/
run: |
ninja partition_manager_report # need to run this twice
ninja partition_manager_report > partition_manager_report.txt
sed -i '1d' partition_manager_report.txt
diff --ignore-all-space --ignore-blank-lines partition_manager_report.txt ${CI_PROJECT_DIR}/scripts/pmr_nrf91.txt
- name: 'nrf91: check app image signature'
working-directory: thingy91x-oob
run: |
python3 ${CI_MCUBOOT_DIR}/scripts/imgtool.py verify -k ${CI_MCUBOOT_DIR}/root-ec-p256.pem twister-out/thingy91x_nrf9151_ns/app/app.build/app/zephyr/zephyr.signed.bin
- name: 'nrf91: check bootloader image signature'
working-directory: thingy91x-oob
run: |
python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf9151_ns/app/app.build/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf91.pem -a 0x00008200 -v 2
python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf9151_ns/app/app.build.bootloader_update/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf91.pem -a 0x00008200 -v 3
python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf9151_ns/app/app.build.bootloader_update/signed_by_mcuboot_and_b0_s1_image.hex -p verifying_key_nrf91.pem -a 0x0001c200 -v 3
- name: Apply Connectivity Bridge patch for bootloader update
run: git apply thingy91x-oob/scripts/nrf53_bl_update.patch --directory=nrf
- name: Build Connectivity Bridge
working-directory: thingy91x-oob
run: |
west twister -T ${CI_NRF_DIR}/applications/connectivity_bridge -v -p thingy91x/nrf5340/cpuapp --inline-logs
- name: 'nrf53: check partition layout'
working-directory: thingy91x-oob/twister-out/thingy91x_nrf5340_cpuapp/applications.connectivity_bridge/
run: |
ninja partition_manager_report # need to run this twice
ninja partition_manager_report > partition_manager_report.txt
sed -i '1d' partition_manager_report.txt
diff partition_manager_report.txt ${CI_PROJECT_DIR}/scripts/pmr_nrf53.txt
- name: 'nrf53: check app image signature'
working-directory: thingy91x-oob
run: |
python3 ${CI_MCUBOOT_DIR}/scripts/imgtool.py verify -k ${CI_MCUBOOT_DIR}/root-ec-p256.pem twister-out/thingy91x_nrf5340_cpuapp/applications.connectivity_bridge/connectivity_bridge/zephyr/zephyr.signed.bin
- name: 'nrf53: check bootloader image signature'
working-directory: thingy91x-oob
run: |
python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf5340_cpuapp/applications.connectivity_bridge/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf53.pem -a 0x00008200 -v 1
python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf5340_cpuapp/applications.connectivity_bridge.bootloader_update/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf53.pem -a 0x00008200 -v 2
python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf5340_cpuapp/applications.connectivity_bridge.bootloader_update/signed_by_mcuboot_and_b0_s1_image.hex -p verifying_key_nrf53.pem -a 0x0001c200 -v 2