Fixing release CI failures and adding frozen 1.1 ROM (#1809)

* Fixing release CI failures and adding frozen 1.1 ROM * Changing CI ROM version from rust feature to environment variable * Removing reference to main branch in release flow Prevents a release being made from main when tests were actuall run on a different branch/commit (cherry picked from commit 5daf1b4)
chipsalliance · Dec 16, 2024 · c60c3f6 · c60c3f6
1 parent 0001d50
commit c60c3f6
Show file tree

Hide file tree

Showing 10 changed files with 106 additions and 29 deletions.
diff --git a/.github/workflows/fpga.yml b/.github/workflows/fpga.yml
@@ -23,6 +23,9 @@ on:
       hw-version:
         default: "latest"
         type: string
+      rom-version:
+        default: "latest"
+        type: string
       workflow_call:
         description: 'Set true for workflow_call'
         default: true
@@ -162,6 +165,9 @@ jobs:
         run: |
           export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="aarch64-linux-gnu-gcc"
           export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C link-arg=--sysroot=$FARGO_SYSROOT"
+          if [ "${{ inputs.rom-version }}" != "latest" ]; then
+            export CPTRA_CI_ROM_VERSION="${{ inputs.rom-version }}"
+          fi
 
           if [ "${{ inputs.workflow_call }}" ]; then
             FEATURES=fpga_realtime,${{ inputs.extra-features }}
@@ -429,7 +435,12 @@ jobs:
   #           echo "Unexpected inputs.rom-logging: ${{ inputs.rom-logging }}"
   #           exit 1
   #         fi
-  #         echo CPTRA_ROM_TYPE=${CPTRA_ROM_TYPE}
+
+#           if [[ "${{ inputs.workflow_call }}" && "${{ inputs.rom-version }}" != "latest" ]]; then
+#             VARS+=" CPTRA_CI_ROM_VERSION="${{ inputs.rom-version }}""
+#           fi
+
+  #         echo VARS=${VARS}
 
   #         COMMON_ARGS=(
   #             --cargo-metadata="${TEST_BIN}/target/nextest/cargo-metadata.json"

diff --git a/.github/workflows/fw-test-emu.yml b/.github/workflows/fw-test-emu.yml
@@ -13,6 +13,9 @@ on:
       rom-logging:
         default: true
         type: boolean
+      rom-version:
+        default: "latest"
+        type: string
 
 jobs:
   build_and_test:
@@ -57,6 +60,9 @@ jobs:
       - name: Run tests
         run: |
           export CALIPTRA_PREBUILT_FW_DIR=/tmp/caliptra-test-firmware
+          if [ "${{ inputs.rom-version }}" != "latest" ]; then
+            export CPTRA_CI_ROM_VERSION="${{ inputs.rom-version }}"
+          fi
 
           if [ "${{ inputs.rom-logging }}" == "true" ] || [ -z "${{ inputs.rom-logging }}" ]; then
             export CPTRA_ROM_TYPE=ROM_WITH_UART

diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
@@ -23,7 +23,6 @@ jobs:
       - uses: actions/checkout@v3
         with:
           submodules: 'true'
-          ref: 'main'
           fetch-depth: 0
 
       - name: Find latest release
@@ -100,7 +99,7 @@ jobs:
     with:
       artifact-suffix: -fpga-realtime-latest-itrng-nolog
       extra-features: slow_tests,itrng
-      hw-version: latest
+      hw-version: "latest"
       rom-logging: false
       fpga-itrng: true
 

diff --git a/builder/src/lib.rs b/builder/src/lib.rs
@@ -35,6 +35,11 @@ use once_cell::sync::Lazy;
 
 pub const THIS_WORKSPACE_DIR: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/..");
 
+#[derive(Debug, PartialEq)]
+pub enum CiRomVersion {
+    Latest,
+}
+
 fn other_err(e: impl Into<Box<dyn std::error::Error + Send + Sync>>) -> io::Error {
     io::Error::new(ErrorKind::Other, e)
 }
@@ -355,11 +360,22 @@ pub fn build_firmware_elf(id: &FwId<'static>) -> io::Result<Arc<Vec<u8>>> {
     Ok(result)
 }
 
+// Returns the ROM version to be used for CI testing specified in the environment variable "CPTRA_CI_ROM_VERSION"
+// Default is Latest
+pub fn get_ci_rom_version() -> CiRomVersion {
+    match std::env::var("CPTRA_CI_ROM_VERSION").as_deref() {
+        Ok(version) => panic!("Unknown CI ROM version \'{}\'", version),
+        Err(_) => CiRomVersion::Latest,
+    }
+}
+
 /// Returns the most appropriate ROM for use when testing non-ROM code against
 /// a particular hardware version. DO NOT USE this for ROM-only tests.
 pub fn rom_for_fw_integration_tests() -> io::Result<Cow<'static, [u8]>> {
     let rom_from_env = firmware::rom_from_env();
-    Ok(build_firmware_rom(rom_from_env)?.into())
+    match get_ci_rom_version() {
+        CiRomVersion::Latest => Ok(build_firmware_rom(rom_from_env)?.into()),
+    }
 }
 
 pub fn build_firmware_rom(id: &FwId<'static>) -> io::Result<Vec<u8>> {

diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml
@@ -64,4 +64,4 @@ verilator = ["caliptra-hw-model/verilator"]
 fips_self_test=[]
 no-cfi = ["caliptra-image-verify/no-cfi", "caliptra-drivers/no-cfi"]
 fpga_realtime = ["caliptra-drivers/fpga_realtime"]
-fips-test-hooks = ["caliptra-drivers/fips-test-hooks"]
+fips-test-hooks = ["caliptra-drivers/fips-test-hooks"]
diff --git a/runtime/tests/runtime_integration_tests/test_get_idev_csr.rs b/runtime/tests/runtime_integration_tests/test_get_idev_csr.rs
@@ -1,6 +1,7 @@
 // Licensed under the Apache-2.0 license
 
 use caliptra_api::SocManager;
+use caliptra_builder::{get_ci_rom_version, CiRomVersion};
 use caliptra_common::mailbox_api::{CommandId, GetIdevCsrResp, MailboxReqHeader};
 use caliptra_drivers::{IdevIdCsr, MfgFlags};
 use caliptra_error::CaliptraError;
@@ -25,20 +26,23 @@ fn test_get_csr() {
         chksum: caliptra_common::checksum::calc_checksum(u32::from(CommandId::GET_IDEV_CSR), &[]),
     };
 
-    let response = model
-        .mailbox_execute(CommandId::GET_IDEV_CSR.into(), payload.as_bytes())
-        .unwrap()
-        .unwrap();
+    let result = model.mailbox_execute(CommandId::GET_IDEV_CSR.into(), payload.as_bytes());
+
+    match get_ci_rom_version() {
+        CiRomVersion::Latest => {
+            let response = result.unwrap().unwrap();
 
-    let get_idv_csr_resp = GetIdevCsrResp::read_from(response.as_bytes()).unwrap();
+            let get_idv_csr_resp = GetIdevCsrResp::read_from(response.as_bytes()).unwrap();
 
-    assert_ne!(IdevIdCsr::UNPROVISIONED_CSR, get_idv_csr_resp.data_size);
-    assert_ne!(0, get_idv_csr_resp.data_size);
+            assert_ne!(IdevIdCsr::UNPROVISIONED_CSR, get_idv_csr_resp.data_size);
+            assert_ne!(0, get_idv_csr_resp.data_size);
 
-    let csr_bytes = &get_idv_csr_resp.data[..get_idv_csr_resp.data_size as usize];
-    assert_ne!([0; 512], csr_bytes);
+            let csr_bytes = &get_idv_csr_resp.data[..get_idv_csr_resp.data_size as usize];
+            assert_ne!([0; 512], csr_bytes);
 
-    assert!(X509Req::from_der(csr_bytes).is_ok());
+            assert!(X509Req::from_der(csr_bytes).is_ok());
+        }
+    };
 }
 
 #[test]
@@ -56,8 +60,11 @@ fn test_missing_csr() {
     let response = model
         .mailbox_execute(CommandId::GET_IDEV_CSR.into(), payload.as_bytes())
         .unwrap_err();
-    assert_eq!(
-        response,
-        ModelError::MailboxCmdFailed(CaliptraError::RUNTIME_GET_IDEV_ID_UNPROVISIONED.into())
-    );
+
+    match get_ci_rom_version() {
+        CiRomVersion::Latest => assert_eq!(
+            response,
+            ModelError::MailboxCmdFailed(CaliptraError::RUNTIME_GET_IDEV_ID_UNPROVISIONED.into())
+        ),
+    };
 }
diff --git a/test/tests/caliptra_integration_tests/smoke_test.rs b/test/tests/caliptra_integration_tests/smoke_test.rs
@@ -26,6 +26,36 @@ use regex::Regex;
 use std::mem;
 use zerocopy::AsBytes;
 
+// Support testing against older versions of ROM in CI
+// More constants may need to be added here as the ROMs further diverge
+struct RomTestParams<'a> {
+    #[allow(dead_code)]
+    testdata_path: &'a str,
+    fmc_alias_cert_redacted_txt: &'a str,
+    fmc_alias_cert_redacted_der: &'a [u8],
+    tcb_info_vendor: Option<&'a str>,
+    tcb_device_info_model: Option<&'a str>,
+    tcb_fmc_info_model: Option<&'a str>,
+    tcb_info_flags: Option<u32>,
+}
+const ROM_LATEST_TEST_PARAMS: RomTestParams = RomTestParams {
+    testdata_path: "tests/caliptra_integration_tests/smoke_testdata/rom-latest",
+    fmc_alias_cert_redacted_txt: include_str!(
+        "smoke_testdata/rom-latest/fmc_alias_cert_redacted.txt"
+    ),
+    fmc_alias_cert_redacted_der: include_bytes!(
+        "smoke_testdata/rom-latest/fmc_alias_cert_redacted.der"
+    ),
+    tcb_info_vendor: None,
+    tcb_device_info_model: None,
+    tcb_fmc_info_model: None,
+    tcb_info_flags: Some(0x00000001),
+};
+
+fn get_rom_test_params() -> RomTestParams<'static> {
+    ROM_LATEST_TEST_PARAMS
+}
+
 #[track_caller]
 fn assert_output_contains(haystack: &str, needle: &str) {
     assert!(
@@ -276,22 +306,24 @@ fn smoke_test() {
         dice_tcb_info,
         [
             DiceTcbInfo {
-                vendor: None,
-                model: None,
+                vendor: get_rom_test_params().tcb_info_vendor.map(String::from),
+                model: get_rom_test_params()
+                    .tcb_device_info_model
+                    .map(String::from),
                 // This is from the SVN in the fuses (7 bits set)
                 svn: Some(0x107),
                 fwids: vec![DiceFwid {
                     hash_alg: asn1::oid!(2, 16, 840, 1, 101, 3, 4, 2, 2),
                     digest: device_info_hash.to_vec(),
                 },],
 
-                flags: Some(0x00000001),
+                flags: get_rom_test_params().tcb_info_flags,
                 ty: Some(b"DEVICE_INFO".to_vec()),
                 ..Default::default()
             },
             DiceTcbInfo {
-                vendor: None,
-                model: None,
+                vendor: get_rom_test_params().tcb_info_vendor.map(String::from),
+                model: get_rom_test_params().tcb_fmc_info_model.map(String::from),
                 // This is from the SVN in the image (9)
                 svn: Some(0x109),
                 fwids: vec![DiceFwid {
@@ -402,16 +434,16 @@ fn smoke_test() {
             String::from_utf8(fmc_alias_cert_redacted.to_text().unwrap()).unwrap();
 
         // To update the alias-cert golden-data:
-        // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.txt", &fmc_alias_cert_redacted_txt).unwrap();
-        // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.der", &fmc_alias_cert_redacted_der).unwrap();
+        // std::fs::write(format!("{}/fmc_alias_cert_redacted.txt", get_rom_test_params().testdata_path), &fmc_alias_cert_redacted_txt).unwrap();
+        // std::fs::write(format!("{}/fmc_alias_cert_redacted.der", get_rom_test_params().testdata_path), &fmc_alias_cert_redacted_der).unwrap();
 
         assert_eq!(
             fmc_alias_cert_redacted_txt.as_str(),
-            include_str!("smoke_testdata/fmc_alias_cert_redacted.txt")
+            get_rom_test_params().fmc_alias_cert_redacted_txt
         );
         assert_eq!(
             fmc_alias_cert_redacted_der,
-            include_bytes!("smoke_testdata/fmc_alias_cert_redacted.der")
+            get_rom_test_params().fmc_alias_cert_redacted_der
         );
     }
 

diff --git a/...moke_testdata/fmc_alias_cert_redacted.der → ...ta/rom-latest/fmc_alias_cert_redacted.der b/...moke_testdata/fmc_alias_cert_redacted.der → ...ta/rom-latest/fmc_alias_cert_redacted.der
diff --git a/...moke_testdata/fmc_alias_cert_redacted.txt → ...ta/rom-latest/fmc_alias_cert_redacted.txt b/...moke_testdata/fmc_alias_cert_redacted.txt → ...ta/rom-latest/fmc_alias_cert_redacted.txt
diff --git a/test/tests/fips_test_suite/common.rs b/test/tests/fips_test_suite/common.rs
@@ -50,9 +50,14 @@ const ROM_EXP_1_0_1: RomExpVals = RomExpVals {
     ],
 };
 
+const ROM_EXP_1_0_3: RomExpVals = RomExpVals {
+    rom_version: 0x803, // 1.0.3
+    ..ROM_EXP_1_0_1
+};
+
 const ROM_EXP_1_1_0: RomExpVals = RomExpVals {
     rom_version: 0x840, // 1.1.0
-    ..ROM_EXP_1_0_1
+    ..ROM_EXP_1_0_3
 };
 
 const ROM_EXP_CURRENT: RomExpVals = RomExpVals { ..ROM_EXP_1_1_0 };
@@ -101,6 +106,7 @@ impl RomExpVals {
             match version.as_str() {
                 // Add more versions here
                 "1_0_1" => ROM_EXP_1_0_1,
+                "1_0_3" => ROM_EXP_1_0_3,
                 _ => panic!(
                     "FIPS Test: Unknown version for expected ROM values ({})",
                     version