-
Notifications
You must be signed in to change notification settings - Fork 8
125 lines (109 loc) · 5.64 KB
/
dfu_check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
name: DFU image compatibility check
on:
workflow_call:
inputs:
artifact_fw_version:
type: string
required: true
artifact_run_id:
type: string
required: true
workflow_dispatch:
inputs:
artifact_fw_version:
type: string
required: true
artifact_run_id:
type: string
required: true
jobs:
analyze:
name: Static analysis
runs-on: ubuntu-latest
container: ghcr.io/zephyrproject-rtos/ci:v0.27.4
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
CMAKE_PREFIX_PATH: /opt/toolchains
steps:
- name: Checkout
uses: actions/checkout@v4
with:
path: thingy91x-oob
- name: Initialize
working-directory: thingy91x-oob
run: |
west init -l .
west config manifest.group-filter +bsec
west config build.sysbuild True
west update -o=--depth=1 -n
- name: Download artifacts
uses: actions/download-artifact@v4
with:
pattern: firmware-*
merge-multiple: true
path: thingy91x-oob/artifacts
run-id: ${{ inputs.artifact_run_id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Unzip update ZIPs
working-directory: thingy91x-oob/artifacts
run: |
unzip -o -d nrf91-app hello.nrfcloud.com-${{ inputs.artifact_fw_version }}-thingy91x-nrf91-dfu.zip
unzip -o -d nrf91-bootloader hello.nrfcloud.com-${{ inputs.artifact_fw_version }}-thingy91x-nrf91-bootloader.zip
unzip -o -d nrf53-app connectivity-bridge-${{ inputs.artifact_fw_version }}-thingy91x-nrf53-dfu.zip
unzip -o -d nrf53-bootloader connectivity-bridge-${{ inputs.artifact_fw_version }}-thingy91x-nrf53-bootloader.zip
- name: Install dependencies
run: |
pip install -r nrf/scripts/requirements-build.txt
- name: Save paths
run: |
echo "CI_PROJECT_DIR=$(pwd)/thingy91x-oob" >> $GITHUB_ENV
echo "CI_NRF_DIR=$(pwd)/nrf" >> $GITHUB_ENV
echo "CI_ZEPHYR_DIR=$(pwd)/zephyr" >> $GITHUB_ENV
echo "CI_MCUBOOT_DIR=$(pwd)/bootloader/mcuboot" >> $GITHUB_ENV
- name: 'generate nsib verifying keys'
working-directory: thingy91x-oob
run: |
python3 ${CI_NRF_DIR}/scripts/bootloader/keygen.py --public --in ${CI_NRF_DIR}/boards/nordic/thingy91x/nsib_signing_key.pem --out verifying_key_nrf91.pem
python3 ${CI_NRF_DIR}/scripts/bootloader/keygen.py --public --in ${CI_NRF_DIR}/boards/nordic/thingy91x/nsib_signing_key_nrf5340.pem --out verifying_key_nrf53.pem
- name: 'nrf91: check partition layout'
working-directory: thingy91x-oob/artifacts
run: |
diff --ignore-all-space --ignore-blank-lines pmr-nrf91-default-${{ inputs.artifact_fw_version }}.txt ${CI_PROJECT_DIR}/scripts/pmr_nrf91.txt
- name: 'nrf91: check app image signature'
working-directory: thingy91x-oob
run: |
python3 ${CI_MCUBOOT_DIR}/scripts/imgtool.py verify -k ${CI_MCUBOOT_DIR}/root-ec-p256.pem artifacts/hello.nrfcloud.com-${{ inputs.artifact_fw_version }}-thingy91x-nrf91-update-signed.bin
- name: 'nrf91: check bootloader image signature'
working-directory: thingy91x-oob
run: |
# python3 scripts/nsib_signature_check.py -i twister-out/thingy91x_nrf9151_ns/app/app.build/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf91.pem -a 0x00008200 -v 2
python3 scripts/nsib_signature_check.py -i artifacts/nrf91-bootloader/signed_by_mcuboot_and_b0_mcuboot.bin -p verifying_key_nrf91.pem -a 0x00008200 -v 3
python3 scripts/nsib_signature_check.py -i artifacts/nrf91-bootloader/signed_by_mcuboot_and_b0_s1_image.bin -p verifying_key_nrf91.pem -a 0x0001c200 -v 3
- name: 'nrf91: check manifest slot indices'
working-directory: thingy91x-oob/artifacts
run: |
grep '"slot_index_primary": "1"' nrf91-app/manifest.json
grep '"slot_index_secondary": "2"' nrf91-app/manifest.json
- name: 'nrf53: check partition layout'
working-directory: thingy91x-oob/artifacts
run: |
diff --ignore-all-space --ignore-blank-lines pmr-nrf53-default-${{ inputs.artifact_fw_version }}.txt ${CI_PROJECT_DIR}/scripts/pmr_nrf53.txt
- name: 'nrf53: check app image signature'
working-directory: thingy91x-oob/artifacts
run: |
python3 ${CI_MCUBOOT_DIR}/scripts/imgtool.py verify -k ${CI_MCUBOOT_DIR}/root-ec-p256.pem nrf53-app/connectivity_bridge.signed.bin
- name: 'nrf53: check bootloader image signature'
working-directory: thingy91x-oob
run: |
# python3 scripts/nsib_signature_check.py -i ../nrf/applications/connectivity_bridge/build/signed_by_mcuboot_and_b0_mcuboot.hex -p verifying_key_nrf53.pem -a 0x00008200 -v 3
python3 scripts/nsib_signature_check.py -i artifacts/nrf53-bootloader/signed_by_mcuboot_and_b0_mcuboot.bin -p verifying_key_nrf53.pem -a 0x00008200 -v 4
python3 scripts/nsib_signature_check.py -i artifacts/nrf53-bootloader/signed_by_mcuboot_and_b0_s1_image.bin -p verifying_key_nrf53.pem -a 0x0001c200 -v 4
- name: 'nrf53: check manifest slot indices'
working-directory: thingy91x-oob/artifacts
run: |
grep '"slot_index_primary": "1"' nrf53-app/manifest.json
grep '"slot_index_secondary": "2"' nrf53-app/manifest.json
# check that there is also a second image for the network core
grep '"image_index": "1"' nrf53-app/manifest.json
grep '"slot_index_primary": "3"' nrf53-app/manifest.json
grep '"slot_index_secondary": "4"' nrf53-app/manifest.json