heads/.circleci/config.yml
Thierry Laurion 46cad549ef
WiP flake.nix: make docker image usable for testing as well, target: qemu-coreboot-whiptail-tpm2 with swtpm and canokey for smartcard
- include nix tools inside of the docker image, so the nix garbage collector can be run before the image is created.
- protect roots from garbage collection (WiP)
  - Requires an external preparation call so that nix itself (the binary) is not garbage-collected as well. See NIX_REPRO_NOTES at the end of the file for reproduction notes.
   - Could probably be improved. Works as of now, and produced a 4 GB docker image (vs 3.02 GB before), which I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again

So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now.
That feels nice. No USB security dongle should be needed for TPM-based TPMTOTP nor for detached signing? Not tested, but the feature is there.

TODO:
- make docker image creation nicer, the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version

At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9)
- I also tried to strip symbols from the binaries here; seems like I do not know enough of the Nix way yet.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 20:51:18 -04:00


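---
version: 2.1

commands:
  build_board:
    # Build one board inside the shared dev-env container, print its
    # hashes/sizes, archive every log and upload the board directory as an
    # artifact. A failing `make` is deferred via a flag file so that the
    # reporting steps below still run; the job is then failed explicitly.
    parameters:
      arch:
        type: string
      target:
        type: string
      subcommand:
        type: string
    steps:
      - run:
          name: Make Board (console logs not contiguous because multiple CPUS used to build under CircleCI, see logs in artifacts or Output build failing logs below in case of failed step)
          command: |
            echo "Sourcing /devenv.sh since docker entrypoint doesn't do it as expected"
            source /devenv.sh
            # Only this board's output and log dirs are wiped; the restored
            # module builds under build/<arch>/ stay in place.
            rm -rf build/<<parameters.arch>>/<<parameters.target>>/* build/<<parameters.arch>>/log/*
            # Do not fail here (run steps use bash -eo pipefail): drop a flag
            # so the steps below can still publish hashes, sizes and logs.
            make V=1 BOARD=<<parameters.target>> <<parameters.subcommand>> || touch ./tmpDir/failed_build
          no_output_timeout: 3h
      - run:
          name: Output hashes
          command: |
            cat build/<<parameters.arch>>/<<parameters.target>>/hashes.txt || echo "No hashes.txt for this build step..."
      - run:
          name: Output sizes
          command: |
            cat build/<<parameters.arch>>/<<parameters.target>>/sizes.txt || echo "No sizes.txt for this build step..."
      - run:
          name: Archiving build logs.
          command: |
            # NUL-separated list fed to tar: no shell word splitting of the
            # log paths, and an empty list still yields a (empty) tarball
            # instead of tar refusing to run.
            find build/ -name "*.log" -type f -print0 \
              | tar --null -T - -czvf build/<<parameters.arch>>/<<parameters.target>>/logs.tar.gz
      # Upload BEFORE the failing-logs step. That step exits 1 when the flag
      # file exists, and CircleCI skips the remaining steps of a failed job
      # (unless `when: always`), so with store_artifacts placed after it the
      # logs promised in the build step name were never stored for exactly
      # the builds that failed.
      - store_artifacts:
          path: build/<<parameters.arch>>/<<parameters.target>>
      - run:
          name: Output build failing logs
          command: |
            if [[ -f ./tmpDir/failed_build ]]; then
              # -mmin -1 selects logs written in the last minute, i.e. the
              # ones the failing make touched; fragile if the steps in
              # between ever take longer than a minute.
              find "./build/<<parameters.arch>>/" -name "*.log" -type f -mmin -1 -exec tail -n +1 '{}' +
              exit 1
            else
              echo "Step hasn't failed. Continuing with next step..."
            fi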
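# One executor shared by every job, so the container image is referenced
# from exactly one place.
# SECURITY NOTE (review): `v0.0.9` is a mutable tag. Anyone able to push to
# that Docker Hub repository can re-point it, and every job here pulls and
# trusts whatever the tag resolves to at run time -- the complete toolchain
# (nix, crossgcc, coreboot build deps) that produces the firmware hashed
# below. Pin by digest once the published image is final, e.g.
#   - image: tlaurion/heads-dev-env@sha256:<digest of the pushed image>
executors:
  heads-dev-env:
    docker:
      - image: tlaurion/heads-dev-env:v0.0.9
    resource_class: large
    working_directory: ~/heads

jobs:
  prep_env:
    # Check out the exact commit, compute the three cache digests, restore the
    # best matching cache, fetch and neuter the Intel ME blobs, then persist
    # the whole tree as the workspace every build job attaches to.
    executor: heads-dev-env
    steps:
      - checkout
      - run:
          name: git reset
          command: |
            # Make sure the working tree is exactly the commit under build.
            git reset --hard "$CIRCLE_SHA1"
      - run:
          name: Make tmp dir
          command: |
            mkdir ./tmpDir
      # Cache keys are content-addressed on the build *recipe* (Makefile,
      # flake.lock, module definitions, patches), from most to least specific.
      # NOTE(review): a key binds the recipe, not the artifacts stored under
      # it -- whatever is restored for a matching key is used as-is, so the
      # cache store is a trusted input of the build. CACHE_VERSION bumps
      # invalidate every key at once.
      - run:
          name: Creating all modules and patches digest (All modules cache digest)
          command: |
            find ./Makefile ./flake.lock ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ./tmpDir/all_modules_and_patches.sha256sums
      - run:
          name: Creating coreboot (and associated patches) and musl-cross-make modules digest (musl-cross-make and coreboot cache digest)
          command: |
            find ./Makefile ./flake.lock ./modules/coreboot ./modules/musl-cross* ./patches/coreboot* -type f | sort -h | xargs sha256sum > ./tmpDir/coreboot_musl-cross.sha256sums
      - run:
          name: Creating musl-cross-make and musl-cross-make patches digest (musl-cross-make cache digest)
          command: |
            find ./Makefile ./flake.lock modules/musl-cross* -type f | sort -h | xargs sha256sum > ./tmpDir/musl-cross.sha256sums
      - restore_cache:
          # First matched/found key wins and following keys are not tried
          keys:
            # Cache for matching modules digest, validated to be exactly the same as in github current commit.
            # This cache was made on top of below caches, if previously existing.
            # If no module definition changed, we reuse this one
            - nix-docker-heads-modules-and-patches-{{ checksum "./tmpDir/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }}
            # Cache for coreboot module (and patches) and musl-cross-make digests (coreboot releases roughly three times a year)
            - nix-docker-heads-coreboot-musl-cross-{{ checksum "./tmpDir/coreboot_musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
            # Cache for musl-cross-make module digest (rarely modified).
            - nix-docker-heads-musl-cross-{{ checksum "./tmpDir/musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
      # The ME download scripts fetch vendor blobs from the network; any
      # integrity check on what is fetched lives inside those scripts, not here.
      - run:
          name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree)
          command: |
            ./blobs/xx20/download_parse_me.sh
      - run:
          # me_cleaner.py present under heads xx30 blobs dir comes from https://github.com/corna/me_cleaner/blob/43612a630c79f3bc6f2653bfe90dfe0b7b137e08/me_cleaner.py
          name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
          command: |
            ./blobs/xx30/download_clean_me_manually.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py)
      # vbios extraction is disabled: everything after `exit 0` is
      # intentionally unreachable until it is re-enabled.
      - run:
          name: Download and extract t530 vbios roms for dgpu boards
          command: |
            echo skipping for now
            exit 0
            ./blobs/xx30/vbios_t530.sh
      - run:
          name: Download and extract w530 vbios roms for dgpu boards
          command: |
            echo skipping for now
            exit 0
            ./blobs/xx30/vbios_w530.sh
      - persist_to_workspace:
          root: ~/heads
          paths:
            - .

  build_and_persist:
    # Build one board and persist its per-arch outputs so that dependent
    # board builds (and the save_cache job) can reuse them.
    executor: heads-dev-env
    parameters:
      arch:
        type: string
        default: x86
      target:
        type: string
      subcommand:
        type: string
    steps:
      - attach_workspace:
          at: ~/heads
      - build_board:
          arch: <<parameters.arch>>
          target: <<parameters.target>>
          subcommand: <<parameters.subcommand>>
      - persist_to_workspace:
          root: ~/heads
          paths:
            - packages/<<parameters.arch>>
            - build/<<parameters.arch>>
            - crossgcc/<<parameters.arch>>
            - install/<<parameters.arch>>

  build:
    # Same as build_and_persist, minus the workspace persist: for leaf boards
    # nothing else depends on.
    executor: heads-dev-env
    parameters:
      arch:
        type: string
        default: x86
      target:
        type: string
      subcommand:
        type: string
    steps:
      - attach_workspace:
          at: ~/heads
      - build_board:
          arch: <<parameters.arch>>
          target: <<parameters.target>>
          subcommand: <<parameters.subcommand>>

  save_cache:
    # Save the three cache layers from the final workspace; each save is a
    # no-op when a cache already exists for its key.
    executor: heads-dev-env
    steps:
      - attach_workspace:
          at: ~/heads
      - save_cache:
          # Generate cache for the same musl-cross module definition if hash is not previously existing
          # CircleCI removed their wildcard support, so we have to list precise versions to cache in directory names
          key: nix-docker-heads-musl-cross-{{ checksum "./tmpDir/musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
          paths:
            - build/ppc64/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
            - build/x86/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
            - crossgcc
            - packages
      - save_cache:
          # Generate cache for the same coreboot and musl-cross-make modules definition if hash is not previously existing
          # CircleCI removed their wildcard support, so we have to list precise versions to cache in directory names
          key: nix-docker-heads-coreboot-musl-cross-{{ checksum "./tmpDir/coreboot_musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
          paths:
            - build/ppc64/coreboot-talos_2
            - build/ppc64/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
            - build/x86/coreboot-4.11
            - build/x86/coreboot-4.13
            - build/x86/coreboot-4.14
            - build/x86/coreboot-4.15
            - build/x86/coreboot-4.17
            - build/x86/coreboot-4.22.01
            - build/x86/coreboot-nitrokey
            - build/x86/coreboot-purism
            - build/x86/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
            - crossgcc
            - packages
      - save_cache:
          # Generate cache for the exact same modules definitions if hash is not previously existing
          key: nix-docker-heads-modules-and-patches-{{ checksum "./tmpDir/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }}
          paths:
            - build
            - crossgcc
            - install
            - packages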
workflows:
version: 2
build_and_test:
jobs:
- prep_env
# Below, sequentially build one board for each coreboot version.
# The last board in the sequence is the dependency for the parallel boards built at the end, and also save_cache.
# coreboot 4.22.01
- build_and_persist:
name: x230-hotp-maximized
target: x230-hotp-maximized
subcommand: ""
requires:
- prep_env
# coreboot purism
- build_and_persist:
name: librem_14
target: librem_14
subcommand: ""
requires:
- x230-hotp-maximized
# coreboot nitropad
# Nitropads depend on the x230-hotp-maximized cache: their kernel is 6.x and their coreboot git tree is not shared with other boards
# We use nitropad's coreboot's fork crossgcc
# No need to wait further for other board's cache
# We reuse built modules from x230-hotp-maximized cache only
- build_and_persist:
name: nitropad-nv41
target: nitropad-nv41
subcommand: ""
requires:
- prep_env
# coreboot talos_2
- build_and_persist:
name: talos-2
arch: ppc64
target: talos-2
subcommand: ""
requires:
- prep_env
# Cache one workspace per architecture
# Make sure workspace caches are chainloaded and the last in chain for an arch is saved
- save_cache:
requires:
- talos-2
- librem_14
#
# Those onboarding new boards should add their entries below.
#
# coreboot 4.22.01 boards
- build:
name: x220-hotp-maximized
target: x220-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x220-maximized
target: x220-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: t420-hotp-maximized
target: t420-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: t420-maximized
target: t420-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x230-legacy-flash
target: x230-legacy-flash
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x230-legacy
target: x230-legacy
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x230-hotp-legacy
target: x230-hotp-legacy
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x230-hotp-maximized_usb-kb
target: x230-hotp-maximized_usb-kb
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: t430-hotp-maximized
target: t430-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x230-maximized
target: x230-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x230-maximized-fhd_edp
target: x230-maximized-fhd_edp
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: x230-hotp-maximized-fhd_edp
target: x230-hotp-maximized-fhd_edp
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: w530-hotp-maximized
target: w530-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: t430-maximized
target: t430-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: w530-maximized
target: w530-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: t440p-maximized
target: t440p-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: t440p-hotp-maximized
target: t440p-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: w541-maximized
target: w541-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: w541-hotp-maximized
target: w541-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: qemu-coreboot-fbwhiptail-tpm2-hotp
target: qemu-coreboot-fbwhiptail-tpm2-hotp
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: z220-cmt-maximized
target: z220-cmt-maximized
subcommand: ""
requires:
- x230-hotp-maximized
- build:
name: z220-cmt-hotp-maximized
target: z220-cmt-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized
# coreboot purism
# librem boards
- build:
name: librem_13v2
target: librem_13v2
subcommand: ""
requires:
- librem_14
- build:
name: librem_15v3
target: librem_15v3
subcommand: ""
requires:
- librem_14
- build:
name: librem_13v4
target: librem_13v4
subcommand: ""
requires:
- librem_14
- build:
name: librem_15v4
target: librem_15v4
subcommand: ""
requires:
- librem_14
- build:
name: librem_mini
target: librem_mini
subcommand: ""
requires:
- librem_14
- build:
name: librem_mini_v2
target: librem_mini_v2
subcommand: ""
requires:
- librem_14
# coreboot purism
# dasharo clevo_release + staging IASL patch
- build:
name: nitropad-ns50
target: nitropad-ns50
subcommand: ""
requires:
- nitropad-nv41
# - build:
# name: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard
# target: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard
# subcommand: ""
# requires:
# - UNMAINTAINED_kgpe-d16_workstation
# - build:
# name: UNMAINTAINED_kgpe-d16_server
# target: UNMAINTAINED_kgpe-d16_server
# subcommand: ""
# requires:
# - UNMAINTAINED_kgpe-d16_workstation
# - build:
# name: UNMAINTAINED_kgpe-d16_server-whiptail
# target: UNMAINTAINED_kgpe-d16_server-whiptail
# subcommand: ""
# requires:
# - UNMAINTAINED_kgpe-d16_workstation
# - build:
# name: librem_l1um
# target: librem_l1um
# subcommand: ""
# requires:
# - librem_14