Merge pull request #28 from edhay/main

SystemReady IR ACS v2.0.0_BETA-0 updates
ARM-software · Jun 29, 2022 · e7ba875 · e7ba875
2 parents 503a11b + deb2e50
commit e7ba875
Show file tree

Hide file tree

Showing 44 changed files with 1,550 additions and 20 deletions.
diff --git a/IR/README.md b/IR/README.md
@@ -1,5 +1,7 @@
 # SystemReady IR ACS
 
+**_Note_**: Refer to [Yocto README](Yocto/README.md) for the details on the SystemReady IR ACS v2.0.0 **Beta-0** version and instructions to build using Yocto.
+
 ## Introduction to SystemReady IR
 SystemReady IoT Ready (IR) is a band of system certification in the Arm SystemReady program. This certification is for devices in the IoT edge sector that are built around SoCs based on the Arm A-profile architecture. It ensures interoperability with embedded Linux and other embedded operating systems.
 

diff --git a/IR/Yocto/README.md b/IR/Yocto/README.md
@@ -0,0 +1,147 @@
+# SystemReady IR ACS
+
+## Introduction to SystemReady IR
+SystemReady IoT Ready (IR) is a band of system certification in the Arm SystemReady program. This certification is for devices in the IoT edge sector that are built around SoCs based on the Arm A-profile architecture. It ensures interoperability with embedded Linux and other embedded operating systems.
+
+SystemReady IR-certified platforms implement a minimum set of hardware and firmware features that an operating system can depend on to deploy the operating system image. Compliant systems must conform to the:
+* [Base System Architecture (BSA) specification](https://developer.arm.com/documentation/den0094/latest)
+* [Embedded Base Boot Requirements (EBBR)](https://developer.arm.com/architectures/platform-design/embedded-systems)
+* EBBR recipe of the [Arm Base Boot Requirements (BBR) specification](https://developer.arm.com/documentation/den0044/latest)
+
+This section of the repository contains the build scripts and the live-images for the SystemReady IR Band.
+
+## Release details
+ - Code Quality: IR ACS v2.0.0 Beta-0
+ - The latest pre-built release of IR ACS is available for download here: [v22.06_2.0.0_BETA-0](prebuilt_images/v22.06_2.0.0_BETA-0)
+ - The BSA tests are written for version 1.0 of the BSA specification.
+ - The BBR tests are written for version 1.0 of the BBR specification.
+ - The compliance suite is not a substitute for design verification.
+ - To review the ACS logs, Arm licensees can contact Arm directly through their partner managers.
+
+
+
+## Steps to build SystemReady IR ACS live image using the Yocto build system
+
+## Code download
+- To build a release version of the code, checkout the main branch with the appropriate release tag.
+- To build the latest version of the code with bug fixes and new features, use the main branch.
+
+## ACS build steps
+
+### Prebuilt images
+- Prebuilt images for each release are available in the prebuilt_images folder. You can either choose to use these images or build your own image by following the build steps.
+- To access the prebuilt_images, click : [prebuilt_images](prebuilt_images/)
+- The prebuilt images are archived after compression to the .xz format. On Linux, use the xz utility to uncompress the image `xz -d ir-acs-live-image-generic-arm64.wic.xz`. On Windows, use the 7zip or a similar utility.
+- If you choose to use the prebuilt image, skip the build steps, and navigate to the "Verification" section below.
+
+
+### Prerequisites
+Before starting the ACS build, ensure that the following requirements are met:
+ - Ubuntu 18.04 or 20.04 LTS with at least 32GB of free disk space.
+ - Availability of the Bash shell.
+ - **sudo** privilege to install tools required for the build.
+ - `git` installed using `sudo apt install git`.
+ - Configuration of email using the commands `git config --global user.name "Your Name"` and `git config --global user.email "Your Email"`.
+
+### Steps to build SystemReady IR ACS live image
+1. Clone the arm-systemready repository <br />
+ `git clone "https://github.com/ARM-software/arm-systemready.git"`
+
+2. Navigate to the IR/Yocto directory <br />
+ `cd arm-systemready/IR/Yocto`
+
+3. Run get_source.sh to download all the related sources and tools for the build. Provide sudo permission when prompted <br />
+ `./build-scripts/get_source.sh` <br />
+
+4. To start the build of the IR ACS live image, execute the below step <br />
+ `./build-scripts/build-ir-live-image.sh`
+
+5. If the above steps are successful, the bootable image will be available at <br />
+  **/path-to-arm-systemready/IR/Yocto/meta-woden/build/tmp/deploy/images/generic-arm64/ir-acs-live-image-generic-arm64.wic.xz**
+
+Note: The image is generated in a compressed (.xz) format. The image must be uncompressed before using the same for verification.<br />
+
+## Build output
+This image comprises of two FAT file system partitions recognized by UEFI: <br />
+- 'results' <br />
+  Stores logs of the automated execution of ACS. (Approximate size: 50 MB) <br/>
+- '/' <br />
+  Root partition for Linux which contains test-suites to run in Linux environment. <br/>
+- 'boot' <br />
+  Contains bootable applications and test suites. (Approximate size: 100 MB)
+
+## Verification
+
+Note: The default UEFI EDK2 setting for "Console Preference" is "Graphical". In this default setting, the Linux output goes only to the graphical console (HDMI monitor). To force serial console output, you may change "Console Preference" to "Serial".
+
+### Verification of the IR image on QEMU Arm machine
+
+#### Follow the Build instructions mentioned in [qemu download page](https://www.qemu.org/download/#source) to build latest QEMU model.
+
+NOTE: Download the toolchain from [arm developer page](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-a/downloads/10-2-2020-11) <br />
+NOTE: If repo sync fails due to incorrect repo version , please update repo using the below steps.<br />
+```
+mkdir -p ~/.bin
+PATH="${HOME}/.bin:${PATH}"
+curl https://storage.googleapis.com/git-repo-downloads/repo > ~/.bin/repo
+chmod a+rx ~/.bin/repo
+```
+
+#### To build the firmware image, follow the below steps
+
+```
+mkdir working_directory
+cd working_directory
+repo init -u https://github.com/glikely/u-boot-manifest
+repo sync
+export CROSS_COMPILE=<path to gcc-arm-10.2-2020.11-x86_64-aarch64-none-elf/bin/aarch64-none-elf->
+make qemu_arm64_defconfig
+make
+```
+nor_flash.bin is generated once the build is completed.
+
+
+#### Verifying the ACS-IR pre-built image
+Launch the model with the below command
+
+```
+<path to qemu-system-aarch64> -bios <path to nor_flash.bin>  -drive file=<path to ir-acs-live-image-generic-arm64.wic>,if=virtio,format=raw  -cpu cortex-a57 -smp 2 -m 2048 -M virt,secure=on -monitor null -no-acpi -nodefaults -nographic -rtc base=utc,clock=host -serial stdio -d unimp,guest_errors -machine virtualization=on
+```
+
+### Automation
+The test suite execution can be automated or manual. Automated execution is the default execution method when no key is pressed during boot. <br />
+The live image boots to UEFI Shell. The different test applications can be run in the following order:
+
+1. [SCT tests](https://github.com/ARM-software/bbr-acs/blob/main/README.md) for BBR compliance.
+2. [UEFI Shell application](https://github.com/ARM-software/bsa-acs/blob/main/README.md) for BSA compliance.
+3. [FWTS tests](https://github.com/ARM-software/bbr-acs/blob/main/README.md) for BBR compliance.
+
+## Baselines for Open Source Software in this release:
+
+- [Firmware Test Suite (FWTS)](http://kernel.ubuntu.com/git/hwe/fwts.git) TAG: v22.05.00
+
+- [Base System Architecture (BSA)](https://github.com/ARM-software/bsa-acs) TAG: v22.06_IR_2.0.0_BETA-0
+
+- [Base Boot Requirements (BBR)](https://github.com/ARM-software/bbr-acs) TAG: v22.06_IR_2.0.0_BETA-0
+
+- [UEFI Self Certification Tests (UEFI-SCT)](https://github.com/tianocore/edk2-test) TAG: dedfd87f76a9b48bfc03511c19beba285c4f5a81
+
+
+
+## Security Implication
+Arm SystemReady IR ACS test suite may run at higher privilege level. An attacker may utilize these tests as a means to elevate privilege which can potentially reveal the platform security assets. To prevent the leakage of Secure information, it is strongly recommended that the ACS test suite is run only on development platforms. If it is run on production systems, the system should be scrubbed after running the test suite.
+
+## License
+System Ready ACS is distributed under Apache v2.0 License.
+
+## Feedback, contributions, and support
+
+ - For feedback, use the GitHub Issue Tracker that is associated with this repository.
+ - For support, send an email to "support-systemready-acs@arm.com" with details.
+ - Arm licensees can contact Arm directly through their partner managers.
+ - Arm welcomes code contributions through GitHub pull requests.
+
+--------------
+
+*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.*
+
diff --git a/IR/Yocto/build-scripts/build-ir-live-image.sh b/IR/Yocto/build-scripts/build-ir-live-image.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2022, ARM Limited and Contributors. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# Neither the name of ARM nor the names of its contributors may be used
+# to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+set -x
+TOP_DIR=`pwd`
+pushd $TOP_DIR/meta-woden
+kas build kas/woden.yml
+if [ $? -eq 0 ]; then
+    if [ -f $TOP_DIR/meta-woden/build/tmp/deploy/images/generic-arm64/woden-image-generic-arm64.wic ]; then
+      cd $TOP_DIR/meta-woden/build/tmp/deploy/images/generic-arm64
+      rm ir-acs-live-image-generic-arm64.wic.xz 2> /dev/null
+      cp woden-image-generic-arm64.wic ir-acs-live-image-generic-arm64.wic
+      xz -z ir-acs-live-image-generic-arm64.wic
+      echo "The built image is at $TOP_DIR/meta-woden/build/tmp/deploy/images/generic-arm64/ir-acs-live-image-generic-arm64.wic.xz"
+    fi
+fi
+popd
+
diff --git a/IR/Yocto/build-scripts/get_source.sh b/IR/Yocto/build-scripts/get_source.sh
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2022, ARM Limited and Contributors. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# Neither the name of ARM nor the names of its contributors may be used
+# to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+set -x
+TOP_DIR=`pwd`
+
+#Get the band run from automatically
+pushd ../..
+BAND_PATH=`pwd`
+BAND=`basename $BAND_PATH`
+popd
+
+echo "Getting the sources for $BAND "
+
+. $TOP_DIR/../../common/config/common_config.cfg
+
+#The shell variables use in this file are defined in common_config.cfg
+
+export GIT_SSL_NO_VERIFY=1
+
+
+sudo apt install git curl mtools gdisk gcc liblz4-tool zstd \
+ openssl automake autotools-dev libtool bison flex \
+ bc uuid-dev python3 libglib2.0-dev libssl-dev autopoint \
+ make gcc g++ python
+
+sudo pip3 install kas
+
+pushd $TOP_DIR/meta-woden
+git init
+kas checkout kas/woden.yml
+popd
+
+customise_image()
+{
+    #Remove the root login prompt after the startup
+    sed -i 's/ExecStart=.*/ExecStart=\-\/sbin\/agetty \-a root \-8 \-L \%I \@BAUDRATE\@ \$TERM/' $TOP_DIR/meta-woden/poky/meta/recipes-core/systemd/systemd-serialgetty/serial-getty@.service
+
+}
+
+
+copy_recipes()
+{
+
+    #woden.conf will be changed
+    #sed -i 's/PREFERRED_VERSION_linux-yocto ?= \"[0-9]\.[0-9][0-9]\%\"/PREFERRED_VERSION_linux-yocto ?= \"'${YOCTO_LINUX_KERNEL_VERSION}'\%\"/' $TOP_DIR/meta-woden/poky/meta-poky/conf/distro/poky.conf
+
+    #Remove the existing recipe
+    rm $TOP_DIR/meta-woden/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb 
+
+    #copy linux_yocto.bbappend with empty defconfig
+    cp $TOP_DIR/config/linux-yocto_%.bbappend $TOP_DIR/meta-woden/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_%.bbappend
+
+    # check whether common_config.cfg specifies tag for related source(s) and update
+    # recipes accordingly
+    if [ ! -z "$ARM_BSA_TAG" ]; then
+        sed -i -E 's/SRCREV_bsa-acs\s+=\s+"\$\{AUTOREV\}"/SRCREV_bsa-acs = \"'${ARM_BSA_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/bsa-acs-uefi/bsa-acs.bb
+        sed -i -E 's/SRCREV_bsa-acs\s+=\s+"\$\{AUTOREV\}"/SRCREV_bsa-acs = \"'${ARM_BSA_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/bsa-acs-app/bsa-acs-app.bb
+        sed -i -E 's/SRCREV_bsa-acs\s+=\s+"\$\{AUTOREV\}"/SRCREV_bsa-acs = \"'${ARM_BSA_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/bsa-acs-drv/bsa-acs-drv.bb
+    fi
+
+    if [ ! -z "$EDK2_SRC_TAG" ]; then
+        sed -i -E 's/SRCREV_edk2\s+=\s+"\$\{AUTOREV\}"/SRCREV_edk2 = \"'${EDK2_SRC_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/ebbr-sct/ebbr-sct.bb
+        sed -i -E 's/SRCREV_edk2\s+\?=\s+"\$\{AUTOREV\}"/SRCREV_edk2 = \"'${EDK2_SRC_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/edk2-firmware/edk2-firmware-rev.bb
+    fi
+
+    if [ ! -z "$ARM_BBR_TAG" ]; then
+        sed -i -E 's/SRCREV_bbr-acs\s+=\s+"\$\{AUTOREV\}"/SRCREV_bbr-acs = \"'${ARM_BBR_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/ebbr-sct/ebbr-sct.bb
+    fi
+
+    if [ ! -z "$EDK2_LIBC_SRC_TAG" ]; then
+        sed -i -E 's/SRCREV_edk2-libc\s+=\s+"\$\{AUTOREV\}"/SRCREV_edk2-libc = \"'${EDK2_LIBC_SRC_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/bsa-acs-uefi/bsa-acs.bb
+    fi
+
+    if [ ! -z "$SCT_SRC_TAG" ]; then
+        sed -i -E 's/SRCREV_edk2-test\s+=\s+"\$\{AUTOREV\}"/SRCREV_edk2-test = \"'${SCT_SRC_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/ebbr-sct/ebbr-sct.bb
+    fi
+
+    if [ ! -z "$ARM_LINUX_ACS_TAG" ]; then
+        sed -i -E 's/SRCREV_linux-acs\s+=\s+"\$\{AUTOREV\}"/SRCREV_linux-acs = \"'${ARM_LINUX_ACS_TAG}'"/g' $TOP_DIR/meta-woden/recipes-acs/bsa-acs-drv/bsa-acs-drv.bb
+    fi
+
+    # create a bsa-acs patches directory in meta-woden/recipes-acs/bsa-acs-uefi and copy requires BSA patches
+    mkdir $TOP_DIR/meta-woden/recipes-acs/bsa-acs-uefi/bsa-acs
+    cp $TOP_DIR/../patches/* $TOP_DIR/meta-woden/recipes-acs/bsa-acs-uefi/bsa-acs/.
+
+    # copy .nsh files to meta-woden/recipes-acs/bootfs-files/files
+    COMMON_DIR_PATH=`git rev-parse --show-toplevel`"/common"
+    mkdir $TOP_DIR/meta-woden/recipes-acs/bootfs-files/files
+    cp $COMMON_DIR_PATH/config/*.nsh $TOP_DIR/meta-woden/recipes-acs/bootfs-files/files/.
+
+    #update run-time scripts with ACS version
+    pushd $TOP_DIR/meta-woden/recipes-acs/bootfs-files/files
+    if [ ! -z "$ACS_VERSION" ] && [ ! -z "$ARM_BSA_VERSION" ]; then
+        sed -i 's/#BSA_VERSION_PRINT_PLACEHOLDER/echo '"${ACS_VERSION}"'\necho BSA '"${ARM_BSA_VERSION}"' /g' bsa.nsh
+    fi
+
+    # remove connect -r from startup.nsh, since it is not required for IR systems
+    sed -i 's/connect -r//g' startup.nsh
+
+    popd
+
+}
+
+copy_recipes
+customise_image
+
diff --git a/IR/Yocto/config/linux-yocto_%.bbappend b/IR/Yocto/config/linux-yocto_%.bbappend
@@ -0,0 +1,16 @@
+ARMFILESPATHS := "${THISDIR}/${PN}:"
+
+COMPATIBLE_MACHINE:generic-arm64 = "generic-arm64"
+FILESEXTRAPATHS:prepend:generic-arm64 = "${ARMFILESPATHS}"
+SRC_URI:append:generic-arm64 = " "
+
+FILESEXTRAPATHS:prepend:qemuarm64-sbsa = "${ARMFILESPATHS}"
+SRC_URI:append:qemuarm64-sbsa = " \
+    file://defconfig.patch \
+    "
+
+FILESEXTRAPATHS:prepend:qemuarm64-secureboot = "${ARMFILESPATHS}"
+SRC_URI:append:qemuarm64-secureboot = " \
+    file://zone_dma_revert.patch \
+    file://tee.cfg \
+    "
diff --git a/IR/Yocto/meta-woden/conf/distro/woden.conf b/IR/Yocto/meta-woden/conf/distro/woden.conf
@@ -0,0 +1,38 @@
+DISTRO = "woden"
+DISTRO_NAME = "Woden"
+DISTRO_VERSION = "0.0"
+DISTRO_CODENAME = "master"
+
+INIT_MANAGER = "systemd"
+DISTRO_FEATURES = "acl argp ext2 ipv4 ipv6 largefile usbhost wifi xattr pci vfat seccomp"
+DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio gobject-introspection-data"
+
+# TODO remove?
+DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
+DISTRO_EXTRA_RRECOMMENDS += "kernel-module-af-packet"
+
+PREMIRRORS ??= "\
+bzr://.*/.*   https://downloads.yoctoproject.org/mirror/sources/ \n \
+cvs://.*/.*   https://downloads.yoctoproject.org/mirror/sources/ \n \
+git://.*/.*   https://downloads.yoctoproject.org/mirror/sources/ \n \
+gitsm://.*/.* https://downloads.yoctoproject.org/mirror/sources/ \n \
+hg://.*/.*    https://downloads.yoctoproject.org/mirror/sources/ \n \
+osc://.*/.*   https://downloads.yoctoproject.org/mirror/sources/ \n \
+p4://.*/.*    https://downloads.yoctoproject.org/mirror/sources/ \n \
+svn://.*/.*   https://downloads.yoctoproject.org/mirror/sources/ \n"
+
+require conf/distro/include/no-static-libs.inc
+require conf/distro/include/yocto-uninative.inc
+require conf/distro/include/security_flags.inc
+INHERIT += "uninative"
+
+BB_SIGNATURE_HANDLER ?= "OEEquivHash"
+BB_HASHSERVE ??= "auto"
+
+#grub-efi
+EFI_PROVIDER = "grub-efi"
+
+# Suffixing the build directory with the libc is pointless
+TCLIBCAPPEND = ""
+PREFERRED_VERSION_linux-yocto = "5.15%"
+PREFERRED_VERSION_fwts = "22.05.00"