* [isar-cip-core][PATCH 00/14] CI changes to move testing to trixie
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
Quite a lot of changes were needed to finally get us to trixie by
default for testing isar-cip-core.
Along with that, I also looked into how to generate lava test images (patches
9 and 10) and refactored the artifact deployment a bit (patch 11).
Please double-check if those changes make sense and are fully correct.
Jan
Jan Kiszka (14):
tests: Avoid hard-coding distribution in M-COM test
ci: Prepare for running non-bookworm secure boot tests
ci: Select qemu-amd64 OVMF according to target release
ci: Raise qemu x86 CPU model
qemu-amd64: Raise boot watchdog timeout to 120 seconds
ci: Inject image version into common cip-core-image.inc
ci: Clean up no-kernel deployment
Kconfig: Do not offer swupdate or security options without a kernel
kas: Auto-enable targz format for kernelci images
ci: Combine targz with no_kernel option
ci: Make deployment opt-in
ci: submit_lava.sh: Reduce number of sed calls
ci: Build and deploy kernel-panic update artifact
ci: Switch to trixie based builds and tests
.gitlab-ci.yml | 141 ++++++++++--------
.reproducible-check-ci.yml | 5 +-
Kconfig | 2 +-
conf/machine/qemu-amd64.conf | 3 +
kas/opt/kernelci.yml | 3 +
scripts/deploy-cip-core.sh | 20 +--
scripts/submit_lava.sh | 102 +++++++------
.../templates/swupdate-test-action-M-COM.yml | 2 +-
8 files changed, 153 insertions(+), 125 deletions(-)
--
2.51.0
* [isar-cip-core][PATCH 01/14] tests: Avoid hard-coding distribution in M-COM test
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev; +Cc: Quirin Gylstorff
From: Jan Kiszka <jan.kiszka@siemens.com>
Suggested-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
tests/templates/swupdate-test-action-M-COM.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/templates/swupdate-test-action-M-COM.yml b/tests/templates/swupdate-test-action-M-COM.yml
index 02b0b036..56ff1061 100644
--- a/tests/templates/swupdate-test-action-M-COM.yml
+++ b/tests/templates/swupdate-test-action-M-COM.yml
@@ -11,7 +11,7 @@
description: "Test software update"
run:
steps:
- - curl -v --trace-time http://$LAVA_DISPATCHER_IP/tmp/$LAVA_JOB_ID/downloads/common/cip-core-image-security-cip-core-bookworm-x86-uefi.swu --output test.swu
+ - curl -v --trace-time http://$LAVA_DISPATCHER_IP/tmp/$LAVA_JOB_ID/downloads/common/cip-core-image-security-cip-core-#distribution#-x86-uefi.swu --output test.swu
- if swupdate -i test.swu; then echo software update is successful!!; else lava-test-raise "Fail job"; fi
from: inline
name: sample-test-1
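Review bot: the new `#distribution#` placeholder only resolves if this M-COM action file goes through the same substitution pass as the generated job files (`s@#distribution#@${RELEASE}@g` over `"${job_dir}"/*.yml` in submit_lava.sh, visible in the context of patch 12); if the file is only embedded by reference, the URL keeps the literal `#distribution#`. The step also cannot notice that: `curl` runs without `--fail`, so a 404 body is written to `test.swu` and the problem surfaces only as an opaque `swupdate -i` failure. Suggest `curl -f -v --trace-time ...` so a wrong URL fails the step at download time.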
--
2.51.0
* [isar-cip-core][PATCH 02/14] ci: Prepare for running non-bookworm secure boot tests
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Do not hard-code the release which provides alternative keys for the
mismatch test. This allows for testing trixie as well.
While at it, consolidate over OVMF_CODE_4M.secboot.fd which is actually
identical to OVMF_CODE_4M.snakeoil.fd and is used elsewhere already.
This will allow deploying less with the lava-worker container.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
scripts/submit_lava.sh | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scripts/submit_lava.sh b/scripts/submit_lava.sh
index ea733748..f7da99c3 100755
--- a/scripts/submit_lava.sh
+++ b/scripts/submit_lava.sh
@@ -178,8 +178,13 @@ create_job_qemu () {
sed -i -e "s@#architecture#@${2}@g" -e "s@#imageargs#@${image_args[$2]}@g" "${job_dir}"/*.yml
if [ "$1" = "secure-boot-mismatch-keys" ]; then
- sed -i "s@/usr/share/OVMF/OVMF_CODE_4M.secboot.fd@/root/keys/trixie-ovmf/OVMF_CODE_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
- sed -i "s@/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd@/root/keys/trixie-ovmf/OVMF_VARS_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
+ if [ "${RELEASE}" = "trixie" ]; then
+ KEYS_DISTRO=bookworm
+ else
+ KEYS_DISTRO=trixie
+ fi
+ sed -i "s@/usr/share/OVMF/OVMF_CODE_4M.secboot.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_CODE_4M.secboot.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
+ sed -i "s@/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_VARS_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
fi
# Target is recieved from gitlab job in form of qemu-"architecture"
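Review bot: `KEYS_DISTRO` is assigned inside `create_job_qemu` without `local`, so it leaks into the global shell scope and survives across calls; suggest `local KEYS_DISTRO` at the top of the function. The selection is also a plain two-way switch: everything that is not trixie gets the trixie keys, which preserves the old hard-coded behaviour for bookworm but silently applies to bullseye and buster jobs as well, so a short comment on the intended pairing (release under test vs. release whose keys are enrolled for the mismatch) would help the next reader.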
--
2.51.0
* [isar-cip-core][PATCH 03/14] ci: Select qemu-amd64 OVMF according to target release
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Perform the OVMF binary and key vars selection according to the Debian
release of the test image so that we can also check non-bookworm
versions.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
scripts/submit_lava.sh | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/scripts/submit_lava.sh b/scripts/submit_lava.sh
index f7da99c3..a2d2e080 100755
--- a/scripts/submit_lava.sh
+++ b/scripts/submit_lava.sh
@@ -33,7 +33,7 @@ if [ -z "$SUBMIT_ONLY" ]; then SUBMIT_ONLY=false; fi
# Create a dictionary to handle image arguments based on architecture
declare -A image_args
-image_args[qemu-amd64]="-cpu qemu64 -machine q35,accel=tcg -smp 4 -global ICH9-LPC.noreboot=off -device ide-hd,drive=disk -drive if=pflash,format=raw,unit=0,readonly=on,file=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd -device virtio-net-pci,netdev=net -drive if=pflash,format=raw,file=/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd -global ICH9-LPC.disable_s3=1 -global isa-fdc.driveA= -device tpm-tis,tpmdev=tpm0"
+image_args[qemu-amd64]="-cpu qemu64 -machine q35,accel=tcg -smp 4 -global ICH9-LPC.noreboot=off -device ide-hd,drive=disk -drive if=pflash,format=raw,unit=0,readonly=on,file=/root/keys/${RELEASE}-ovmf/OVMF_CODE_4M.secboot.fd -device virtio-net-pci,netdev=net -drive if=pflash,format=raw,file=/root/keys/${RELEASE}-ovmf/OVMF_VARS_4M.snakeoil.fd -global ICH9-LPC.disable_s3=1 -global isa-fdc.driveA= -device tpm-tis,tpmdev=tpm0"
image_args[qemu-arm64]="-cpu cortex-a57 -machine virt -smp 4 -device virtio-serial-device -device virtconsole,chardev=con -chardev vc,id=con -device virtio-blk-device,drive=disk -device virtio-net-device,netdev=net -device tpm-tis-device,tpmdev=tpm0"
image_args[qemu-arm]="-cpu cortex-a15 -machine virt -smp 2 -device virtio-serial-device -device virtconsole,chardev=con -chardev vc,id=con -device virtio-blk-device,drive=disk -device virtio-net-device,netdev=net -device tpm-tis-device,tpmdev=tpm0"
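Review bot: `${RELEASE}` is expanded when `image_args` is declared near the top of the script (this hunk sits at line 33), not when a job is created, so `RELEASE` must already be set at that point; if it is only assigned later (from arguments or the environment), the path degrades to `/root/keys/-ovmf/...` and the job dies at QEMU start with an unhelpful pflash error. A `[ -n "${RELEASE}" ]` check before the declaration would make that failure obvious. Note also that the lava-worker container now has to ship `/root/keys/<release>-ovmf/` for every release that runs qemu-amd64 jobs, including the bullseye and buster variants still present in .gitlab-ci.yml, whereas those previously used the system `/usr/share/OVMF` files.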
@@ -183,8 +183,7 @@ create_job_qemu () {
else
KEYS_DISTRO=trixie
fi
- sed -i "s@/usr/share/OVMF/OVMF_CODE_4M.secboot.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_CODE_4M.secboot.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
- sed -i "s@/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_VARS_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
+ sed -i "s@${RELEASE}-ovmf@${KEYS_DISTRO}-ovmf@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
fi
# Target is recieved from gitlab job in form of qemu-"architecture"
--
2.51.0
* [isar-cip-core][PATCH 04/14] ci: Raise qemu x86 CPU model
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
For running the x64 6.12-cip kernel, we need a more advanced CPU model
in qemu. A lot of features found in recent CPUs are not supported under
tcg, but Haswell minus unsupported flags works fine so far. Not the final
solution, also because we use kvm locally already.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
scripts/submit_lava.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/submit_lava.sh b/scripts/submit_lava.sh
index a2d2e080..c00b59ad 100755
--- a/scripts/submit_lava.sh
+++ b/scripts/submit_lava.sh
@@ -33,7 +33,7 @@ if [ -z "$SUBMIT_ONLY" ]; then SUBMIT_ONLY=false; fi
# Create a dictionary to handle image arguments based on architecture
declare -A image_args
-image_args[qemu-amd64]="-cpu qemu64 -machine q35,accel=tcg -smp 4 -global ICH9-LPC.noreboot=off -device ide-hd,drive=disk -drive if=pflash,format=raw,unit=0,readonly=on,file=/root/keys/${RELEASE}-ovmf/OVMF_CODE_4M.secboot.fd -device virtio-net-pci,netdev=net -drive if=pflash,format=raw,file=/root/keys/${RELEASE}-ovmf/OVMF_VARS_4M.snakeoil.fd -global ICH9-LPC.disable_s3=1 -global isa-fdc.driveA= -device tpm-tis,tpmdev=tpm0"
+image_args[qemu-amd64]="-cpu Haswell,-pcid,-x2apic,-tsc-deadline,-hle,-invpcid,-rtm -machine q35,accel=tcg -smp 4 -global ICH9-LPC.noreboot=off -device ide-hd,drive=disk -drive if=pflash,format=raw,unit=0,readonly=on,file=/root/keys/${RELEASE}-ovmf/OVMF_CODE_4M.secboot.fd -device virtio-net-pci,netdev=net -drive if=pflash,format=raw,file=/root/keys/${RELEASE}-ovmf/OVMF_VARS_4M.snakeoil.fd -global ICH9-LPC.disable_s3=1 -global isa-fdc.driveA= -device tpm-tis,tpmdev=tpm0"
image_args[qemu-arm64]="-cpu cortex-a57 -machine virt -smp 4 -device virtio-serial-device -device virtconsole,chardev=con -chardev vc,id=con -device virtio-blk-device,drive=disk -device virtio-net-device,netdev=net -device tpm-tis-device,tpmdev=tpm0"
image_args[qemu-arm]="-cpu cortex-a15 -machine virt -smp 2 -device virtio-serial-device -device virtconsole,chardev=con -chardev vc,id=con -device virtio-blk-device,drive=disk -device virtio-net-device,netdev=net -device tpm-tis-device,tpmdev=tpm0"
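Review bot: the flag list `-pcid,-x2apic,-tsc-deadline,-hle,-invpcid,-rtm` is opaque to the next reader; a comment in the script saying these are Haswell features that TCG does not emulate, and that the model is a stopgap until CI moves to kvm (as the commit message states), would save someone a bisect later. Since this string is also the only place that picks `accel=tcg`, factoring the CPU model into one variable would make the later switch to kvm a one-line change.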
--
2.51.0
* [isar-cip-core][PATCH 05/14] qemu-amd64: Raise boot watchdog timeout to 120 seconds
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
As the CI setup currently still uses tcg rather than kvm, waiting for
"only" 60 s can be too short on busy hosts.
This should be reverted once CI has also moved to kvm.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
conf/machine/qemu-amd64.conf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/conf/machine/qemu-amd64.conf b/conf/machine/qemu-amd64.conf
index d8f5453c..748aaa33 100644
--- a/conf/machine/qemu-amd64.conf
+++ b/conf/machine/qemu-amd64.conf
@@ -12,3 +12,6 @@ IMAGE_FSTYPES ?= "ext4"
USE_CIP_KERNEL_CONFIG = "1"
PREFERRED_PROVIDER_factory-reset-helper:swupdate = "factory-reset-helper-efi"
+
+# when running without kvm (as in CI so far), 60 seconds might be to short
+WDOG_TIMEOUT = "120"
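Review bot: typo in the added comment, `to short` should read `too short`. It would also help to carry the commit message's intent into the file, e.g. `# revert once CI runs with kvm`, so the doubled timeout is not forgotten once the reason for it is gone.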
--
2.51.0
* [isar-cip-core][PATCH 06/14] ci: Inject image version into common cip-core-image.inc
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
This allows using "build_swu_v2" also for images other than security.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.gitlab-ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 28b235d1..697de681 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -83,7 +83,7 @@ default:
cp build/tmp/deploy/images/${target}/*.squashfs build/previous-image;
fi;
cp build/tmp/deploy/images/${target}/linux.efi build/previous-image;
- echo "PV = \"2.0\"" >> recipes-core/images/cip-core-image-security.bb;
+ echo "PV = \"2.0\"" >> recipes-core/images/cip-core-image.inc;
kas build ${base_yaml}:kas/opt/delta-update.yml;
scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${no_kernel} ${dtb} ${CI_COMMIT_REF_SLUG} swu;
fi
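Review bot: appending `PV = "2.0"` to a tracked file (`cip-core-image.inc`) mutates the checkout inside the job; that is the intent here so the second build yields a v2 image for every image type, but any later step in the same job that inspects the tree (git status, a reproducibility check) now sees a dirty file, and a repeated run appends the line twice. A kas option file like the ones under kas/opt/ would achieve the same without editing source.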
--
2.51.0
* [isar-cip-core][PATCH 07/14] ci: Clean up no-kernel deployment
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
No-kernel only makes sense for a tarball with a raw rootfs. Drop any
other, unused logic.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
scripts/deploy-cip-core.sh | 17 ++++-------------
1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh
index e6a7dc7c..5b2615be 100755
--- a/scripts/deploy-cip-core.sh
+++ b/scripts/deploy-cip-core.sh
@@ -38,20 +38,11 @@ if [ -n "${RB_BUILD_NUM}" ]; then
fi
if [ "${NO_KERNEL}" = "enable" ]; then
- __BASE_PATH=${BASE_PATH}
- BASE_PATH="${BASE_PATH}-nokernel"
-
- echo "Rename from ${BASE_FILENAME}.* to ${BASE_FILENAME}-nokernel.*"
-
- if [ -f "${__BASE_PATH}.tar.gz" ]; then
- mv "${__BASE_PATH}.tar.gz" "${BASE_PATH}.tar.gz"
- fi
- if [ -f "${__BASE_PATH}.swu" ]; then
- mv "${__BASE_PATH}.swu" "${BASE_PATH}.swu"
- fi
- if [ -f "${__BASE_PATH}.wic" ]; then
- mv "${__BASE_PATH}.wic" "${BASE_PATH}.wic"
+ if [ -f "${BASE_PATH}.tar.gz" ]; then
+ echo "Rename from ${BASE_FILENAME}.tar.gz to ${BASE_FILENAME}-nokernel.tar.gz"
+ mv "${BASE_PATH}.tar.gz" "${BASE_PATH}-nokernel.tar.gz"
fi
+ BASE_PATH="${BASE_PATH}-nokernel"
fi
if [ -f "${BASE_PATH}.wic" ]; then
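Review bot: if `NO_KERNEL` is enabled but no `${BASE_PATH}.tar.gz` exists, the branch now silently continues with `BASE_PATH` suffixed `-nokernel`, which no remaining file matches, so the deployment becomes a no-op without any error; the old code at least printed the rename message unconditionally. Suggest failing loudly in an `else` branch (`echo "no tarball for no-kernel deployment" >&2; exit 1`), since per the commit message the tarball is the only artifact that makes sense for this mode.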
--
2.51.0
* [isar-cip-core][PATCH 08/14] Kconfig: Do not offer swupdate or security options without a kernel
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Those variants only make sense for full images with a kernel.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Kconfig b/Kconfig
index deb6044d..f8a93c2d 100644
--- a/Kconfig
+++ b/Kconfig
@@ -258,7 +258,7 @@ config KAS_INCLUDE_TESTING
string
default "kas/opt/test.yml" if IMAGE_TESTING
-if !KERNEL_4_4 && !KERNEL_4_19
+if !KERNEL_4_4 && !KERNEL_4_19 &&!NO_KERNEL
config IMAGE_SECURITY
bool "Security extensions"
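Review bot: `&&!NO_KERNEL` is missing a space; the Kconfig parser should accept it, but `&& !KERNEL_4_19 && !NO_KERNEL` keeps it consistent with the rest of the expression. The title also names the swupdate options, which are not visible in this hunk; if they sit in the same `if` block, a one-line comment above it listing what it gates would help.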
--
2.51.0
* [isar-cip-core][PATCH 09/14] kas: Auto-enable targz format for kernelci images
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
This is the only supported format for that scenario, so hard-code this.
This will simplify the CI pipeline configuration.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/kernelci.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kas/opt/kernelci.yml b/kas/opt/kernelci.yml
index ec907929..517e7410 100644
--- a/kas/opt/kernelci.yml
+++ b/kas/opt/kernelci.yml
@@ -10,7 +10,10 @@
#
# SPDX-License-Identifier: MIT
#
+
header:
version: 14
+ includes:
+ - kas/opt/targz.yml
target: cip-core-image-kernelci
--
2.51.0
* [isar-cip-core][PATCH 10/14] ci: Combine targz with no_kernel option
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
It's already auto-selected for kernelci builds, and the only other
reasonable scenario for it is no_kernel images. So let's simplify the
configuration.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.gitlab-ci.yml | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 697de681..1042bc62 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,7 +18,6 @@ variables:
extension: none
use_rt: enable
encrypt: disable
- targz: enable
dtb: none
deploy: enable
deploy_kernelci: disable
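Review bot: dropping the default `targz: enable` silently changes what every job that relied on the default produces: the `build:qemu-*-base` jobs no longer emit a `.tar.gz`, only kernelci and `no_kernel` builds do. Any downstream consumer fetching `*.tar.gz` for those targets from the deploy bucket breaks without a CI failure, so this deserves an explicit sentence in the commit message; the tarball handling in deploy-cip-core.sh can then be narrowed to the no-kernel case as well.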
@@ -60,7 +59,6 @@ default:
script:
- if [ "${use_rt}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/rt.yml"; fi
- if [ "${extension}" != "none" ]; then base_yaml="${base_yaml}:kas/opt/${extension}.yml"; fi
- - if [ "${targz}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/targz.yml"; fi
- if [ "${separate_home_partition}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/separate-home-partition.yml"; fi
- if [ "${release}" = "buster" ]; then base_yaml="${base_yaml}:kas/opt/buster.yml"; fi
- if [ "${release}" = "bullseye" ]; then base_yaml="${base_yaml}:kas/opt/bullseye.yml"; fi
@@ -71,7 +69,7 @@ default:
- if [ "${watchdog}" = "disable" ]; then base_yaml="${base_yaml}:kas/opt/disable-watchdog.yml"; fi
- if [ "${security_test}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/security_test.yml"; fi
- if [ "${swupdate_version}" = "2022.12" ]; then base_yaml="${base_yaml}:kas/opt/swupdate-2022.12.yaml"; fi
- - if [ "${no_kernel}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/no_kernel.yml"; fi
+ - if [ "${no_kernel}" = "enable" ]; then base_yaml="${base_yaml}:kas/opt/no_kernel.yml:kas/opt/targz.yml"; fi
- echo "Building ${base_yaml}"
- kas build ${base_yaml}
- if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${no_kernel} ${dtb} ${CI_COMMIT_REF_SLUG} wic; fi
@@ -263,7 +261,6 @@ build:x86-uefi-secure-boot:
target: x86-uefi
extension: security
use_rt: disable
- targz: disable
watchdog: disable
security_test: enable
build_swu_v2: enable
@@ -276,7 +273,6 @@ build:qemu-amd64-swupdate:
target: qemu-amd64
extension: ebg-swu
use_rt: disable
- targz: disable
deploy: disable
factory_reset: enable
@@ -306,7 +302,6 @@ build:qemu-amd64-secure-boot-bullseye:
target: qemu-amd64
extension: ebg-secure-boot-snakeoil
use_rt: disable
- targz: disable
deploy: disable
swupdate_version: "2022.12"
@@ -336,7 +331,6 @@ build:qemu-amd64-secure-boot-buster:
target: qemu-amd64
extension: ebg-secure-boot-snakeoil
use_rt: disable
- targz: disable
deploy: disable
encrypt: enable
@@ -348,7 +342,6 @@ build:qemu-riscv64:
target: qemu-riscv64
release: trixie
use_rt: disable
- targz: disable
deploy: disable
build:ti-am62px-sk-secure-boot:
@@ -359,7 +352,6 @@ build:ti-am62px-sk-secure-boot:
release: trixie
extension: ebg-secure-boot-snakeoil
use_rt: disable
- targz: disable
deploy: disable
encrypt: enable
--
2.51.0
* [isar-cip-core][PATCH 11/14] ci: Make deployment opt-in
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
For now, this only deploys to s3 what we need for the test stage. We can
re-enable further deployments if they are still used.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.gitlab-ci.yml | 14 +++++---------
.reproducible-check-ci.yml | 1 -
2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1042bc62..3b0c9239 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -19,7 +19,7 @@ variables:
use_rt: enable
encrypt: disable
dtb: none
- deploy: enable
+ deploy: disable
deploy_kernelci: disable
build_swu_v2: disable
swupdate_version: default
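Review bot: with `deploy` defaulting to `disable`, every job not touched by this patch that used to rely on the default now stops publishing without any error; the later hunks re-enable it only for the `*-base` jobs and `build:x86-uefi-secure-boot`. The kernelci jobs keep their commented `#deploy_kernelci: enable`, so their artifacts are neither deployed nor handled by the kernelci path; fine if intended, but a list in the commit message of which s3 paths disappear would help whoever notices a missing artifact later.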
@@ -132,6 +132,7 @@ build:qemu-amd64-base:
use_rt: disable
build_swu_v2: enable
separate_home_partition: enable
+ deploy: enable
build:qemu-amd64-base-kernelci:
extends:
@@ -140,7 +141,6 @@ build:qemu-amd64-base-kernelci:
target: qemu-amd64
extension: kernelci
use_rt: disable
- deploy: disable
#deploy_kernelci: enable
build:qemu-arm64-base:
@@ -153,6 +153,7 @@ build:qemu-arm64-base:
use_rt: disable
build_swu_v2: enable
separate_home_partition: enable
+ deploy: enable
build:qemu-arm64-base-kernelci:
extends:
@@ -161,7 +162,6 @@ build:qemu-arm64-base-kernelci:
target: qemu-arm64
extension: kernelci
use_rt: disable
- deploy: disable
#deploy_kernelci: enable
build:qemu-arm-base:
@@ -174,6 +174,7 @@ build:qemu-arm-base:
use_rt: disable
build_swu_v2: enable
separate_home_partition: enable
+ deploy: enable
build:qemu-arm-base-kernelci:
extends:
@@ -182,7 +183,6 @@ build:qemu-arm-base-kernelci:
target: qemu-arm
extension: kernelci
use_rt: disable
- deploy: disable
#deploy_kernelci: enable
# test
@@ -265,6 +265,7 @@ build:x86-uefi-secure-boot:
security_test: enable
build_swu_v2: enable
separate_home_partition: enable
+ deploy: enable
build:qemu-amd64-swupdate:
extends:
@@ -273,7 +274,6 @@ build:qemu-amd64-swupdate:
target: qemu-amd64
extension: ebg-swu
use_rt: disable
- deploy: disable
factory_reset: enable
# bullseye images
@@ -302,7 +302,6 @@ build:qemu-amd64-secure-boot-bullseye:
target: qemu-amd64
extension: ebg-secure-boot-snakeoil
use_rt: disable
- deploy: disable
swupdate_version: "2022.12"
# buster images
@@ -331,7 +330,6 @@ build:qemu-amd64-secure-boot-buster:
target: qemu-amd64
extension: ebg-secure-boot-snakeoil
use_rt: disable
- deploy: disable
encrypt: enable
# trixie images
@@ -342,7 +340,6 @@ build:qemu-riscv64:
target: qemu-riscv64
release: trixie
use_rt: disable
- deploy: disable
build:ti-am62px-sk-secure-boot:
extends:
@@ -352,7 +349,6 @@ build:ti-am62px-sk-secure-boot:
release: trixie
extension: ebg-secure-boot-snakeoil
use_rt: disable
- deploy: disable
encrypt: enable
.test-cip-core:
diff --git a/.reproducible-check-ci.yml b/.reproducible-check-ci.yml
index 4db760c1..8b02ccc1 100644
--- a/.reproducible-check-ci.yml
+++ b/.reproducible-check-ci.yml
@@ -13,7 +13,6 @@
.repro-build:
variables:
use_rt: disable
- deploy: disable
base_yaml: "kas-cip.yml:kas/board/${target}.yml:kas/opt/reproducible.yml"
release: bookworm
# This target include base + swupdate + secureboot + security
--
2.51.0
* [isar-cip-core][PATCH 12/14] ci: submit_lava.sh: Reduce number of sed calls
From: Jan Kiszka @ 2025-12-02 9:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Avoids parameter repetition and reduces the number of process invocations.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
scripts/submit_lava.sh | 85 +++++++++++++++++++++++++-----------------
1 file changed, 50 insertions(+), 35 deletions(-)
diff --git a/scripts/submit_lava.sh b/scripts/submit_lava.sh
index c00b59ad..f63a9973 100755
--- a/scripts/submit_lava.sh
+++ b/scripts/submit_lava.sh
@@ -47,9 +47,10 @@ clean_up () {
# This method is called only for arm64 and arm targets while building job definitions
add_firmware_artifacts () {
- sed -i "s@#Firmware#@firmware:@g" "$1"
- sed -i "s@#Firmware_args#@image_arg: '-bios {firmware}'@g" "$1"
- sed -i "s@#Firmware_url#@url: ${PROJECT_URL}/${COMMIT_BRANCH}/${2}/firmware.bin@g" "$1"
+ sed -e "s@#Firmware#@firmware:@g" \
+ -e "s@#Firmware_args#@image_arg: '-bios {firmware}'@g" \
+ -e "s@#Firmware_url#@url: ${PROJECT_URL}/${COMMIT_BRANCH}/${2}/firmware.bin@g" \
+ -i "$1"
}
# This method creates LAVA job definitions for QEMU amd64, arm64 and armhf
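Review bot: placing `-i` after the `-e` expressions works with GNU sed (already a requirement here, since the script uses `sed -i` without a suffix elsewhere), but on BSD/macOS sed `-i "$1"` would be read as a backup suffix and the file list would be empty; if the script is ever run outside the CI container, `sed -i -e ... -e ... "$1"` is the more portable spelling. Not changed by this hunk but visible at the call site in the last hunk: `add_firmware_artifacts "${job_dir}"/*.yml "$2"` passes a glob as `$1`, so if `job_dir` ever holds more than one YAML only the first file is edited and `$2` becomes the second file rather than the architecture.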
@@ -64,14 +65,17 @@ create_job_qemu () {
elif [ "$1" = "kernel-panic" ] || [ "$1" = "initramfs-crash" ]; then
cp $LAVA_TEMPLATES/swupdate_template.yml "${job_dir}/${1}.yml"
- sed -i "s@software update testing@${1}_rollback_testing@g" "${job_dir}"/*.yml
- sed -i -e "s@#updatestate#@3@g" -e "s@) = 2@) = 3@g" "${job_dir}"/*.yml
+ sed -e "s@software update testing@${1}_rollback_testing@g" \
+ -e "s@#updatestate#@3@g" -e "s@) = 2@) = 3@g" \
+ -i "${job_dir}"/*.yml
if [ "$1" = "kernel-panic" ]; then
- sed -i "s@kernel: C:BOOT1:linux.efi@Kernel panic - not syncing: sysrq triggered crash@g" "${job_dir}"/*.yml
- sed -i "s@#branch#@maintain-lava-artifact@g" "${job_dir}"/*.yml
+ sed -e "s@kernel: C:BOOT1:linux.efi@Kernel panic - not syncing: sysrq triggered crash@g" \
+ -e "s@#branch#@maintain-lava-artifact@g" \
+ -i "${job_dir}"/*.yml
else
- sed -i "s@kernel: C:BOOT1:linux.efi@Can't open verity rootfs - continuing will lead to a broken trust chain!@g" "${job_dir}"/*.yml
- sed -i "s@echo software update is successful!!@dd if=/dev/urandom of=/dev/sda5 bs=512 count=1@g" "${job_dir}"/*.yml
+ sed -e "s@kernel: C:BOOT1:linux.efi@Can't open verity rootfs - continuing will lead to a broken trust chain!@g" \
+ -e "s@echo software update is successful!!@dd if=/dev/urandom of=/dev/sda5 bs=512 count=1@g" \
+ -i "${job_dir}"/*.yml
fi
elif [ "$1" = "secure-boot-unsigned-kernel" ]; then
cp $LAVA_TEMPLATES/secureboot_negative_test.yml "${job_dir}/${1}_unsigned_kernel_${2}.yml"
@@ -79,16 +83,18 @@ create_job_qemu () {
sed -e '/#POSTPROCESS_STEPS#/ {' -e 'r secureboot_unsigned_kernel_steps.yml' -e 'd' -e '}' -i "${job_dir}/${1}_unsigned_kernel_${2}.yml"
cd -
if [ "$2" = "qemu-amd64" ]; then
- sed -i "s@#END_MONITOR#@Access Denied@g" "${job_dir}/${1}_unsigned_kernel_${2}.yml"
- sed -i "s@#START_MONITOR#@Cannot load specified kernel image@g" "${job_dir}/${1}_unsigned_kernel_${2}.yml"
- sed -i "s@#ARTIFACT#@linux@g" "${job_dir}/${1}_unsigned_kernel_${2}.yml"
+ sed -e "s@#END_MONITOR#@Access Denied@g" \
+ -e "s@#START_MONITOR#@Cannot load specified kernel image@g" \
+ -e "s@#ARTIFACT#@linux@g" \
+ -i "${job_dir}/${1}_unsigned_kernel_${2}.yml"
fi
if [ "$2" = "qemu-arm64" ] || [ "$2" = "qemu-arm" ]; then
- sed -i "s@sda@vda@g" "${job_dir}/${1}_unsigned_kernel_${2}.yml"
- sed -i "s@#END_MONITOR#@Application failed@g" "${job_dir}/${1}_unsigned_kernel_${2}.yml"
- sed -i "s@#START_MONITOR#@Image not authenticated@g" "${job_dir}/${1}_unsigned_kernel_${2}.yml"
- sed -i "s@#ARTIFACT#@linux@g" "${job_dir}/${1}_unsigned_kernel_${2}.yml"
+ sed -e "s@sda@vda@g" \
+ -e "s@#END_MONITOR#@Application failed@g" \
+ -e "s@#START_MONITOR#@Image not authenticated@g" \
+ -e "s@#ARTIFACT#@linux@g" \
+ -i "${job_dir}/${1}_unsigned_kernel_${2}.yml"
fi
elif [ "$1" = "secure-boot-unsigned-bootloader" ]; then
cp $LAVA_TEMPLATES/secureboot_negative_test.yml "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
@@ -97,17 +103,18 @@ create_job_qemu () {
cd -
if [ "$2" = "qemu-amd64" ]; then
- sed -i "s@#END_MONITOR#@BdsDxe: failed to load Boot@g" "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
- sed -i "s@#START_MONITOR#@Access Denied@g" "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
- sed -i "s@#ARTIFACT#@bootloader@g" "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
+ sed -e "s@#END_MONITOR#@BdsDxe: failed to load Boot@g" \
+ -e "s@#START_MONITOR#@Access Denied@g" \
+ -e "s@#ARTIFACT#@bootloader@g" \
+ -i "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
fi
if [ "$2" = "qemu-arm64" ] || [ "$2" = "qemu-arm" ]; then
- sed -i "s@sda@vda@g" "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
-
- sed -i "s@#END_MONITOR#@EFI Boot failed!@g" "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
- sed -i "s@#START_MONITOR#@Image not authenticated@g" "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
- sed -i "s@#ARTIFACT#@bootloader@g" "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
+ sed -e "s@sda@vda@g" \
+ -e "s@#END_MONITOR#@EFI Boot failed!@g" \
+ -e "s@#START_MONITOR#@Image not authenticated@g" \
+ -e "s@#ARTIFACT#@bootloader@g" \
+ -i "${job_dir}/${1}_unsigned_bootloader_${2}.yml"
fi
if [ "$2" = "qemu-arm64" ]; then
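Review bot: the amd64 and arm/arm64 branches of the unsigned_kernel and unsigned_bootloader cases are now four near-identical sed calls differing only in the monitor strings and the artifact name; a small helper along the lines of `patch_monitors file start end artifact` would remove the duplication and the risk of editing one copy but not the others. Out of scope for a patch that only reduces sed invocations, but worth a follow-up. Dropping the stray blank line in the arm branch is fine.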
@@ -122,9 +129,10 @@ create_job_qemu () {
sed -e '/#POSTPROCESS_STEPS#/ {' -e 'r secureboot_corrupt_rootfs_steps.yml' -e 'd' -e '}' -i "${job_dir}/${1}_corrupt_rootfs_${2}.yml"
cd -
- sed -i "s@#END_MONITOR#@reboot: Restarting system with command 'dm-verity device corrupted'@g" "${job_dir}/${1}_corrupt_rootfs_${2}.yml"
- sed -i "s@#START_MONITOR#@EFI stub: UEFI Secure Boot is enabled.@g" "${job_dir}/${1}_corrupt_rootfs_${2}.yml"
- sed -i "s@#ARTIFACT#@rootfs@g" "${job_dir}/${1}_corrupt_rootfs_${2}.yml"
+ sed -e "s@#END_MONITOR#@reboot: Restarting system with command 'dm-verity device corrupted'@g" \
+ -e "s@#START_MONITOR#@EFI stub: UEFI Secure Boot is enabled.@g" \
+ -e "s@#ARTIFACT#@rootfs@g" \
+ -i "${job_dir}/${1}_corrupt_rootfs_${2}.yml"
if [ "$2" = "qemu-arm64" ]; then
sed -i "s@bootx64.efi@bootaa64.efi@g" "${job_dir}/${1}_corrupt_rootfs_${2}.yml"
@@ -136,10 +144,11 @@ create_job_qemu () {
if [ "$2" = "qemu-amd64" ]; then
cp $LAVA_TEMPLATES/secureboot_negative_test.yml "${job_dir}/${1}_mismatch_keys_${2}.yml"
- sed -i "s@#END_MONITOR#@BdsDxe: failed to load Boot@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
- sed -i "s@#START_MONITOR#@Access Denied@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
- sed -i "s@#ARTIFACT#@keys@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
- sed -i "s@#POSTPROCESS_STEPS#@- echo 'no postprocess steps'@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
+ sed -e "s@#END_MONITOR#@BdsDxe: failed to load Boot@g" \
+ -e "s@#START_MONITOR#@Access Denied@g" \
+ -e "s@#ARTIFACT#@keys@g" \
+ -e "s@#POSTPROCESS_STEPS#@- echo 'no postprocess steps'@g" \
+ -i "${job_dir}/${1}_mismatch_keys_${2}.yml"
fi
elif [ "$1" = "swupdate-corrupt-swu" ]; then
cp $LAVA_TEMPLATES/swupdate_negative_test.yml "${job_dir}/${1}_corrupt_swu_${2}.yml"
@@ -174,8 +183,11 @@ create_job_qemu () {
add_firmware_artifacts "${job_dir}"/*.yml "$2"
fi
- sed -i -e "s@#distribution#@${RELEASE}@g" -e "s@#project_url#@${PROJECT_URL}@g" "${job_dir}"/*.yml
- sed -i -e "s@#architecture#@${2}@g" -e "s@#imageargs#@${image_args[$2]}@g" "${job_dir}"/*.yml
+ sed -e "s@#distribution#@${RELEASE}@g" \
+ -e "s@#project_url#@${PROJECT_URL}@g" \
+ -e "s@#architecture#@${2}@g" \
+ -e "s@#imageargs#@${image_args[$2]}@g" \
+ -i "${job_dir}"/*.yml
if [ "$1" = "secure-boot-mismatch-keys" ]; then
if [ "${RELEASE}" = "trixie" ]; then
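Review bot: `${PROJECT_URL}` and `${image_args[$2]}` are spliced unescaped into the replacement side of the sed expression; an `@` (the delimiter) or `&` (the matched text) in either value silently breaks the substitution or produces a wrong URL in every job file. This is not new, but since the line is rewritten here, escaping both characters before the sed, e.g. `url=${PROJECT_URL//@/\\@}` followed by `url=${url//&/\\&}`, would close that off.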
@@ -216,8 +228,11 @@ create_job_mcom () {
grep -A 16 "# TEST BLOCK 2" "$LAVA_TEMPLATES/$1_template.yml" >> "${job_dir}/${1}_${2}.yml"
sed -i -e "s@#updatestate#@2@g" -e "s@overlay-1.1.1.4@overlay-2.1.1.4@g" "${job_dir}/${1}_${2}.yml"
fi
- sed -i -e "s@#test_function#@${1}@g" -e "s@#branch#@${COMMIT_BRANCH}@g" "${job_dir}/${1}_${2}.yml"
- sed -i -e "s@#distribution#@${RELEASE}@g" -e "s@#project_url#@${PROJECT_URL}@g" "${job_dir}/${1}_${2}.yml"
+ sed -e "s@#test_function#@${1}@g" \
+ -e "s@#branch#@${COMMIT_BRANCH}@g" \
+ -e "s@#distribution#@${RELEASE}@g" \
+ -e "s@#project_url#@${PROJECT_URL}@g" \
+ -i "${job_dir}/${1}_${2}.yml"
}
# This method attaches SQUAD watch job to the submitted LAVA job
--
2.51.0
* [isar-cip-core][PATCH 13/14] ci: Build and deploy kernel-panic update artifact
From: Jan Kiszka @ 2025-12-02 9:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
This was so far fetched from a stale branch which will no longer work
when starting to support multiple Debian releases. Another issue of the
previous approach was that it never updated the artifact, so that
potentially required changes prior to the intentional crash were not
included.
Closes: #143
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.gitlab-ci.yml | 22 +++++++++++++++-------
scripts/deploy-cip-core.sh | 3 ++-
scripts/submit_lava.sh | 11 ++++-------
3 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3b0c9239..b01daae2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -21,7 +21,7 @@ variables:
dtb: none
deploy: disable
deploy_kernelci: disable
- build_swu_v2: disable
+ build_updates: disable
swupdate_version: default
test_function: swupdate
separate_home_partition: disable
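Review bot: the `build_swu_v2` to `build_updates` rename (here and in the four job definitions below) is not mentioned in the commit message; one sentence there would help anyone who pins the old variable name in a downstream pipeline or a scheduled run, which now silently falls back to `disable`.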
@@ -73,7 +73,7 @@ default:
- echo "Building ${base_yaml}"
- kas build ${base_yaml}
- if [ "${deploy}" = "enable" ]; then scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${no_kernel} ${dtb} ${CI_COMMIT_REF_SLUG} wic; fi
- - if [ "${build_swu_v2}" = "enable" ]; then
+ - if [ "${build_updates}" = "enable" ]; then
mkdir build/previous-image;
if [ "${extension}" = "security" ] || [ "${extension}" = "ebg-secure-boot-snakeoil" ]; then
cp build/tmp/deploy/images/${target}/*.verity build/previous-image;
@@ -82,8 +82,16 @@ default:
fi;
cp build/tmp/deploy/images/${target}/linux.efi build/previous-image;
echo "PV = \"2.0\"" >> recipes-core/images/cip-core-image.inc;
+ kas build ${base_yaml}:kas/opt/delta-update.yml:kas/opt/kernel-panic.yml;
+ for swu in build/tmp/deploy/images/${target}/*.swu; do
+ mv "$swu" build/previous-image/$(basename "${swu%.swu}-broken.swu");
+ done;
+ echo "PV = \"2.1\"" >> recipes-core/images/cip-core-image.inc;
kas build ${base_yaml}:kas/opt/delta-update.yml;
- scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${no_kernel} ${dtb} ${CI_COMMIT_REF_SLUG} swu;
+ for swu in build/previous-image/*-broken.swu; do
+ mv "$swu" build/tmp/deploy/images/${target};
+ done;
+ scripts/deploy-cip-core.sh ${release} ${target} ${extension} ${no_kernel} ${dtb} ${CI_COMMIT_REF_SLUG} swus;
fi
- if [ "${deploy_kernelci}" = "enable" ]; then scripts/deploy-kernelci.py ${release} ${target} ${extension} ${dtb}; fi
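Review bot: the -broken.swu files are parked in build/previous-image between the two `kas build` runs, the same directory that receives the *.verity and linux.efi inputs for the delta-update build; if kas/opt/delta-update.yml globs that directory rather than naming the files, the parked .swu becomes an input of the second build, so either a comment stating that only named files are read or a separate scratch directory would make the intent clear. Two smaller points: `$(basename ...)` in the first `mv` is unquoted, and both `for` loops pass the literal glob to `mv` when nothing matches, which fails the job; that is arguably the right outcome for a missing .swu, but a comment saying so would help. Appending `PV = "2.1"` after `PV = "2.0"` leaves both lines in cip-core-image.inc, and the sequence relies on the last assignment winning.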
@@ -130,7 +138,7 @@ build:qemu-amd64-base:
extension: security
security_test: enable
use_rt: disable
- build_swu_v2: enable
+ build_updates: enable
separate_home_partition: enable
deploy: enable
@@ -151,7 +159,7 @@ build:qemu-arm64-base:
extension: security
security_test: enable
use_rt: disable
- build_swu_v2: enable
+ build_updates: enable
separate_home_partition: enable
deploy: enable
@@ -172,7 +180,7 @@ build:qemu-arm-base:
extension: security
security_test: enable
use_rt: disable
- build_swu_v2: enable
+ build_updates: enable
separate_home_partition: enable
deploy: enable
@@ -263,7 +271,7 @@ build:x86-uefi-secure-boot:
use_rt: disable
watchdog: disable
security_test: enable
- build_swu_v2: enable
+ build_updates: enable
separate_home_partition: enable
deploy: enable
diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh
index 5b2615be..e623f27b 100755
--- a/scripts/deploy-cip-core.sh
+++ b/scripts/deploy-cip-core.sh
@@ -47,8 +47,9 @@ fi
if [ -f "${BASE_PATH}.wic" ]; then
echo "Uploading artifacts..."
- if [ "$DEPLOY" = "swu" ]; then
+ if [ "$DEPLOY" = "swus" ]; then
aws s3 cp --no-progress --acl public-read "${BASE_PATH}.swu" "${S3_TARGET}"
+ aws s3 cp --no-progress --acl public-read "${BASE_PATH}-broken.swu" "${S3_TARGET}"
elif [ "$DEPLOY" = "wic-partitions" ]; then
# deploy individual wic partitions, helpful for RB tests
cd build/tmp/deploy/images/"$TARGET"
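Review bot: the deploy mode string changes from `swu` to `swus`, and a caller still passing `swu` (anything outside this repository's .gitlab-ci.yml, which is updated in the same patch) now falls through the `if`/`elif` chain and uploads nothing without an error. Keeping `swu` as an alias for the plain upload, or treating an unknown mode as an error, would make that visible. The `-broken.swu` upload is unconditional, which is fine as long as `swus` is only used right after the kernel-panic build; a comment next to the mode would document that coupling.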
diff --git a/scripts/submit_lava.sh b/scripts/submit_lava.sh
index f63a9973..b3180a14 100755
--- a/scripts/submit_lava.sh
+++ b/scripts/submit_lava.sh
@@ -70,7 +70,7 @@ create_job_qemu () {
-i "${job_dir}"/*.yml
if [ "$1" = "kernel-panic" ]; then
sed -e "s@kernel: C:BOOT1:linux.efi@Kernel panic - not syncing: sysrq triggered crash@g" \
- -e "s@#branch#@maintain-lava-artifact@g" \
+ -e "s@\.swu@-broken.swu@" \
-i "${job_dir}"/*.yml
else
sed -e "s@kernel: C:BOOT1:linux.efi@Can't open verity rootfs - continuing will lead to a broken trust chain!@g" \
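Review bot: `s@\.swu@-broken.swu@` has no `g` flag, so only the first `.swu` on each template line is rewritten; if a line in the kernel-panic template references the update file twice (e.g. URL and local file name), the second reference keeps pointing at the good update and the expected panic never happens. Adding `g` is harmless if there is only one occurrence per line. Since `#branch#` is no longer replaced in this branch, the kernel-panic job now depends on the combined sed later in the function substituting it, which the next hunk takes care of.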
@@ -175,15 +175,12 @@ create_job_qemu () {
cp $LAVA_TEMPLATES/secureboot_template.yml "${job_dir}/${1}_${2}.yml"
fi
- if [ "$1" != "kernel-panic" ]; then
- sed -i "s@#branch#@${COMMIT_BRANCH}@g" "${job_dir}"/*.yml
- fi
-
if [ "$2" != "qemu-amd64" ]; then
add_firmware_artifacts "${job_dir}"/*.yml "$2"
fi
- sed -e "s@#distribution#@${RELEASE}@g" \
+ sed -e "s@#branch#@${COMMIT_BRANCH}@g" \
+ -e "s@#distribution#@${RELEASE}@g" \
-e "s@#project_url#@${PROJECT_URL}@g" \
-e "s@#architecture#@${2}@g" \
-e "s@#imageargs#@${image_args[$2]}@g" \
@@ -198,7 +195,7 @@ create_job_qemu () {
sed -i "s@${RELEASE}-ovmf@${KEYS_DISTRO}-ovmf@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
fi
- # Target is recieved from gitlab job in form of qemu-"architecture"
+ # Target is received from gitlab job in form of qemu-"architecture"
# In the template context field needs only architecture excepting the device type
local arch
arch=$(echo "$2" | cut -d '-' -f 2)
--
2.51.0
* [isar-cip-core][PATCH 14/14] ci: Switch to trixie based builds and tests
From: Jan Kiszka @ 2025-12-02 9:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Only keep a qemu-amd64 and a hihope-rzg2m build target. The former is
used to continue running the IEC tests also for bookworm as those are
currently under certification using that release.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.gitlab-ci.yml | 93 +++++++++++++++++++++++---------------
.reproducible-check-ci.yml | 4 +-
2 files changed, 58 insertions(+), 39 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b01daae2..fa372e0d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,7 +14,7 @@
variables:
GIT_STRATEGY: clone
- release: bookworm
+ release: trixie
extension: none
use_rt: enable
encrypt: disable
@@ -116,13 +116,6 @@ build:de0-nano-soc-base:
target: de0-nano-soc
dtb: socfpga_cyclone5_de0_nano_soc.dtb
-build:iwg20m-base:
- extends:
- - .build_base
- variables:
- target: iwg20m
- dtb: r8a7743-iwg20d-q7-dbcm-ca.dtb
-
build:hihope-rzg2m-base:
extends:
- .build_base
@@ -193,7 +186,14 @@ build:qemu-arm-base-kernelci:
use_rt: disable
#deploy_kernelci: enable
-# test
+build:qemu-riscv64:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-riscv64
+ use_rt: disable
+
+# test images
build:x86-uefi-test:
extends:
- .build_base
@@ -209,14 +209,6 @@ build:bbb-test:
extension: test
dtb: am335x-boneblack.dtb
-build:iwg20m-test:
- extends:
- - .build_base
- variables:
- target: iwg20m
- extension: test
- dtb: r8a7743-iwg20d-q7-dbcm-ca.dtb
-
build:hihope-rzg2m-test:
extends:
- .build_base
@@ -257,7 +249,6 @@ build:qemu-riscv64-test-nokernel:
- .build_base
variables:
target: qemu-riscv64
- release: trixie
extension: test
use_rt: disable
no_kernel: enable
@@ -284,6 +275,43 @@ build:qemu-amd64-swupdate:
use_rt: disable
factory_reset: enable
+build:ti-am62px-sk-secure-boot:
+ extends:
+ - .build_base
+ variables:
+ target: ti-am62px-sk
+ extension: ebg-secure-boot-snakeoil
+ use_rt: disable
+ encrypt: enable
+
+# bookworm images
+build:qemu-amd64-bookworm:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-amd64
+ extension: security
+ security_test: enable
+ use_rt: disable
+ release: bookworm
+
+build:iwg20m-bookworm-test:
+ extends:
+ - .build_base
+ variables:
+ target: iwg20m
+ extension: test
+ dtb: r8a7743-iwg20d-q7-dbcm-ca.dtb
+ release: bookworm
+
+build:hihope-rzg2m-bookworm:
+ extends:
+ - .build_base
+ variables:
+ target: hihope-rzg2m
+ dtb: r8a774a1-hihope-rzg2m-ex.dtb
+ release: bookworm
+
# bullseye images
build:iwg20m-bullseye:
extends:
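Review bot: the commit message says only a qemu-amd64 and a hihope-rzg2m bookworm build are kept, but this hunk also adds build:iwg20m-bookworm-test, and with build:iwg20m-base and build:iwg20m-test removed above, iwg20m is no longer built on trixie at all. If that is intended (for instance because the board's kernel is not yet available for trixie), the message should say so; otherwise a trixie iwg20m job is missing.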
@@ -340,25 +368,6 @@ build:qemu-amd64-secure-boot-buster:
use_rt: disable
encrypt: enable
-# trixie images
-build:qemu-riscv64:
- extends:
- - .build_base
- variables:
- target: qemu-riscv64
- release: trixie
- use_rt: disable
-
-build:ti-am62px-sk-secure-boot:
- extends:
- - .build_base
- variables:
- target: ti-am62px-sk
- release: trixie
- extension: ebg-secure-boot-snakeoil
- use_rt: disable
- encrypt: enable
-
.test-cip-core:
stage: test
image: $CI_REGISTRY_IMAGE/lavacli
@@ -470,6 +479,16 @@ test:qemu-amd64-IEC:
test_function: IEC
iec_test_timeout: 40
+test:qemu-amd64-IEC-bookworm:
+ extends:
+ - .test-cip-core
+ needs: ["build:qemu-amd64-bookworm"]
+ variables:
+ target: qemu-amd64
+ release: bookworm
+ test_function: IEC
+ iec_test_timeout: 40
+
test:qemu-arm64-IEC:
extends:
- .test-cip-core
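Review bot: test:qemu-amd64-IEC-bookworm needs build:qemu-amd64-bookworm, but that job (added earlier in this patch) does not set `deploy: enable`, while the other build jobs feeding LAVA tests do and the top-level default is `deploy: disable`. The LAVA job templates locate the image through `#project_url#`/`#branch#`/`#distribution#`, i.e. the deployed location, so the bookworm IEC test would have no image to fetch unless .test-cip-core pulls it from the GitLab job artifacts instead; `deploy: enable` on build:qemu-amd64-bookworm looks required.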
diff --git a/.reproducible-check-ci.yml b/.reproducible-check-ci.yml
index 8b02ccc1..a545b0d9 100644
--- a/.reproducible-check-ci.yml
+++ b/.reproducible-check-ci.yml
@@ -14,7 +14,7 @@
variables:
use_rt: disable
base_yaml: "kas-cip.yml:kas/board/${target}.yml:kas/opt/reproducible.yml"
- release: bookworm
+ release: trixie
# This target include base + swupdate + secureboot + security
extension: security
stage: build
@@ -59,7 +59,7 @@
variables:
GIT_STRATEGY: none
BASE_S3_URL: "https://s3.eu-central-1.amazonaws.com/download2.cip-project.org/cip-core"
- release: bookworm
+ release: trixie
extension: security
image_base: "cip-core-image-cip-core"
before_script:
--
2.51.0
* Re: [cip-dev] [isar-cip-core][PATCH 02/14] ci: Prepare for running non-bookworm secure boot tests
From: Florian Bezdeka @ 2025-12-02 9:44 UTC (permalink / raw)
To: jan.kiszka, cip-dev
On Tue Dec 2, 2025 at 10:21 AM CET, Jan Kiszka via lists.cip-project.org wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
>
> Do not hard-code the release which provides alternative keys for the
> mismatch test. This allows for testing trixie as well.
>
> While at it, consolidate over OVMF_CODE_4M.secboot.fd which is actually
> identical to OVMF_CODE_4M.snakeoil.fd and is used elsewhere already.
> Will allow to deploy less with the lava-worker container.
>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
> scripts/submit_lava.sh | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/submit_lava.sh b/scripts/submit_lava.sh
> index ea733748..f7da99c3 100755
> --- a/scripts/submit_lava.sh
> +++ b/scripts/submit_lava.sh
> @@ -178,8 +178,13 @@ create_job_qemu () {
> sed -i -e "s@#architecture#@${2}@g" -e "s@#imageargs#@${image_args[$2]}@g" "${job_dir}"/*.yml
>
> if [ "$1" = "secure-boot-mismatch-keys" ]; then
> - sed -i "s@/usr/share/OVMF/OVMF_CODE_4M.secboot.fd@/root/keys/trixie-ovmf/OVMF_CODE_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
> - sed -i "s@/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd@/root/keys/trixie-ovmf/OVMF_VARS_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
> + if [ "${RELEASE}" = "trixie" ]; then
> + KEYS_DISTRO=bookworm
> + else
> + KEYS_DISTRO=trixie
> + fi
Really? That looks flipped, no?
> + sed -i "s@/usr/share/OVMF/OVMF_CODE_4M.secboot.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_CODE_4M.secboot.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
> + sed -i "s@/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_VARS_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
> fi
>
> # Target is recieved from gitlab job in form of qemu-"architecture"
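Review bot: the mapping is intentional (the mismatch test must boot with the other release's enrolled keys so that the image signed with this release's snakeoil key is rejected), but as the question above shows it reads as a bug; a one-line comment above the `if`, e.g. `# boot with the *other* release's keys: the signed image must be rejected`, would save the next reader the same question. Two smaller points: `KEYS_DISTRO` is assigned without `local` inside create_job_qemu(), so it leaks into the caller's scope, and the `else` branch maps every non-trixie release to trixie keys, which is correct only while bookworm and trixie are the only two key sets shipped under /root/keys in the lava-worker container.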
* Re: [cip-dev] [isar-cip-core][PATCH 02/14] ci: Prepare for running non-bookworm secure boot tests
From: Jan Kiszka @ 2025-12-02 9:48 UTC (permalink / raw)
To: Florian Bezdeka, cip-dev
On 02.12.25 10:44, Florian Bezdeka wrote:
> On Tue Dec 2, 2025 at 10:21 AM CET, Jan Kiszka via lists.cip-project.org wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Do not hard-code the release which provides alternative keys for the
>> mismatch test. This allows for testing trixie as well.
>>
>> While at it, consolidate over OVMF_CODE_4M.secboot.fd which is actually
>> identical to OVMF_CODE_4M.snakeoil.fd and is used elsewhere already.
>> Will allow to deploy less with the lava-worker container.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>> scripts/submit_lava.sh | 9 +++++++--
>> 1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/scripts/submit_lava.sh b/scripts/submit_lava.sh
>> index ea733748..f7da99c3 100755
>> --- a/scripts/submit_lava.sh
>> +++ b/scripts/submit_lava.sh
>> @@ -178,8 +178,13 @@ create_job_qemu () {
>> sed -i -e "s@#architecture#@${2}@g" -e "s@#imageargs#@${image_args[$2]}@g" "${job_dir}"/*.yml
>>
>> if [ "$1" = "secure-boot-mismatch-keys" ]; then
>> - sed -i "s@/usr/share/OVMF/OVMF_CODE_4M.secboot.fd@/root/keys/trixie-ovmf/OVMF_CODE_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
>> - sed -i "s@/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd@/root/keys/trixie-ovmf/OVMF_VARS_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
>> + if [ "${RELEASE}" = "trixie" ]; then
>> + KEYS_DISTRO=bookworm
>> + else
>> + KEYS_DISTRO=trixie
>> + fi
>
> Really? That looks flipped, no?
>
That's by intention: The test validates that a signed image is rejected
if there is a key mismatch.
Jan
>> + sed -i "s@/usr/share/OVMF/OVMF_CODE_4M.secboot.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_CODE_4M.secboot.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
>> + sed -i "s@/usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd@/root/keys/${KEYS_DISTRO}-ovmf/OVMF_VARS_4M.snakeoil.fd@g" "${job_dir}/${1}_mismatch_keys_${2}.yml"
>> fi
>>
>> # Target is recieved from gitlab job in form of qemu-"architecture"
>
--
Siemens AG, Foundational Technologies
Linux Expert Center
* Re: [cip-dev] [isar-cip-core][PATCH 08/14] Kconfig: Do not offer swupdate or security options without a kernel
From: Florian Bezdeka @ 2025-12-02 9:55 UTC (permalink / raw)
To: jan.kiszka, cip-dev
On Tue Dec 2, 2025 at 10:21 AM CET, Jan Kiszka via lists.cip-project.org wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
>
> Those variants only make sense for full images with a kernel.
>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
> Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Kconfig b/Kconfig
> index deb6044d..f8a93c2d 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -258,7 +258,7 @@ config KAS_INCLUDE_TESTING
> string
> default "kas/opt/test.yml" if IMAGE_TESTING
>
> -if !KERNEL_4_4 && !KERNEL_4_19
> +if !KERNEL_4_4 && !KERNEL_4_19 &&!NO_KERNEL
^^^
Missing space.
>
> config IMAGE_SECURITY
> bool "Security extensions"
* Re: [cip-dev] [isar-cip-core][PATCH 08/14] Kconfig: Do not offer swupdate or security options without a kernel
From: Jan Kiszka @ 2025-12-02 10:02 UTC (permalink / raw)
To: Florian Bezdeka, cip-dev
On 02.12.25 10:55, Florian Bezdeka wrote:
> On Tue Dec 2, 2025 at 10:21 AM CET, Jan Kiszka via lists.cip-project.org wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Those variants only make sense for full images with a kernel.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>> Kconfig | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/Kconfig b/Kconfig
>> index deb6044d..f8a93c2d 100644
>> --- a/Kconfig
>> +++ b/Kconfig
>> @@ -258,7 +258,7 @@ config KAS_INCLUDE_TESTING
>> string
>> default "kas/opt/test.yml" if IMAGE_TESTING
>>
>> -if !KERNEL_4_4 && !KERNEL_4_19
>> +if !KERNEL_4_4 && !KERNEL_4_19 &&!NO_KERNEL
> ^^^
> Missing space.
>
Thanks, fixed locally.
Jan
--
Siemens AG, Foundational Technologies
Linux Expert Center