All.sh add support for tf-psa-crypto components #9720
Conversation
In preparation for adding tf-psa-crypto/test/scripts/all.sh which will run from tf-psa-crypto. Use paths relative to the currently sourced file when including common files (ie, those that will soon be moved to the framework). Otherwise, use paths relative to the current directory, aka project's root. Document that test/script/all.sh must be invoked from the project's root (that was already the case, but implicit so far). Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The existing check only took care of CONFIG_H. This was both not enough and too much: - not enough because config.py can also modify CRYPTO_CONFIG_H and we want to know about it just as much as CONFIG_H; - too much because CONFIG_H does not exist in tf-psa-crypto. Check a list of files instead of a single one, and adjust that list. Also update an outdated comment about Makefiles Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
With a first component. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
In order to avoid changing the CI job's definition (which fewer team members understand, compared to shell scripts), just have a wrapper so that all.sh does both mbedtls and tf-psa-crypto under the hood for now. When tf-psa-crypto has its own CI running its own all.sh (with enough components migrated to get sufficient coverage) we can remove this hack. Rejected strategy: modify all-core.sh so that when running in mbedtls, it also sources components-*.sh from tf-psa-crypto, remembers which components come from Mbed TLS and which come from crypto, and magically adjust the environment for each component it runs. Rejected because it's hard to be confident we're adjusting everything that needs adjusting in the environment. Having separate processes seems much safer. The downside is we get more complexity around error handling (check for components requested but not available, --keep-going). When using --keep-going with failing component(s) in mbedtls and some components in tf-psa-crypto, the output is not satisfying for humans as we don't have a nice summary of all errors at the end like we normally would. IMO this is acceptable since: - this wrapper is transitional and should be removed in a few months; - it is mainly for the benefit of the CI; humans can always invoke the underlying commands directly. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
mpg
added
enhancement
needs-review
There was a problem hiding this comment.
It looks promising to me. However ./tests/scripts/all.sh test_cmake_tf_psa_crypto_out_of_source does not seem to work (list of arguments empty for mbedtls-all.sh thus running all the components?). As I said in a comment, it would be more convenient if possible to support components with the same name in Mbed TLS and TF-PSA-Crypto. Thinking about it, we would probably need to change something in outcome.csv to differentiate the test results of such components.
| @@ -1,15 +1,96 @@ | |||
| #! /usr/bin/env bash | |||
|
|
|||
There was a problem hiding this comment.
Note that this conflicts with #9293, which I hope we can merge soon since all it's missing is one approval on one backport.
There was a problem hiding this comment.
This also conflicts with #9286, but that's not quite ready yet, so I suggest that we go 9293, then 9720, then 9286.
There was a problem hiding this comment.
Sorry, I'm not seeing the conflict with 9293 - it seems to me that the two PRs are not touching the same files. What am I missing?
There was a problem hiding this comment.
My bad, there's no merge conflict with 9293 and I don't think there's a semantic conflict either. There's a potential semantic conflict with #9286 since it will error out if a component name is duplicated between mbedtls and tf-psa-crypto.
I ran a merge of something that conflicted but that must have been some different branches or with a non-up-to-date local copy and I can't find exactly what I ran yesterday anymore. I have a conflict checker script and it reports no conflict between the current state of this PR and any other PR opened in the last 6 months. #9293 only conflicts in .gitignore with a priority-medium PR.
There was a problem hiding this comment.
There's a potential semantic conflict with #9286 since it will error out if a component name is duplicated between mbedtls and tf-psa-crypto.
Well, currently my PR also forbids component names that are duplicated between mbedtls and tf-psa-crypto, so that shouldn't be a problem. As I said earlier, I don't think we should allow components with the same name on both sides until the sides are completely separated.
Presumably Note that #9286 (which we plan to merge this quarter) will make it an error to run use the same value of |
Aw, silly me, forgot to test the simple case of a single component. Will fix. |
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
|
Internal CI fully passed, and OpenCI only failed the armcc components which are a known temporary issue. |
|
The component that was moved to tf-psa-crypto is not showing up in |
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The last commit seems to have fixed this. I downloaded the outcomes file from the Open CI run (Internal CI has not completed yet) then extracted the list of components with |
mpg
requested review from
Harry-Ramsey
and removed request for
davidhorstmann-arm
tests/scripts/all.sh
Outdated
| fi | ||
| fi | ||
|
|
||
| if [ "$#" -ne 4 -o "$1" != '--seed' -o "$3" != '--keep-going' ]; then |
There was a problem hiding this comment.
If I attempt to run the script using the following command ./tests/scripts/all.sh test_cmake_tf_psa_crypto_out_of_source I encounter the following error:
./tests/scripts/all.sh: line 58: $3: unbound variable
I believe this is incorrect and I should either be greeted with the error or the command executes?
There was a problem hiding this comment.
Ah right, good point, that's poor error handling. I'll fix it.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
ronald-cron-arm
removed
the
needs-reviewer
eleuzi01
added
approved
| mkdir "$OUT_OF_SOURCE_DIR" | ||
| cd "$OUT_OF_SOURCE_DIR" | ||
| # Note: Explicitly generate files as these are turned off in releases | ||
| cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" |
There was a problem hiding this comment.
Echoing Harry's concern in #9755 (comment) : we currently prevent component_test_cmake_out_of_source from running on Ubuntu 16.04, but now component_test_cmake_tf_psa_crypto_out_of_source will run on Ubuntu 16.04. Why is this not a problem? I don't see it discussed in the review here.
The problem is a race condition. Just having a small number of successful CI runs is not enough to gain confidence.
Maybe the cmake file in tf-psa-crypto is better written and is not susceptible to the race condition. That's quite plausible, but do we actually know that?
There was a problem hiding this comment.
The component component_test_cmake_tf_psa_crypto_out_of_source is not added by this PR. This PR moves it from tests/scripts/components-build-system.sh to tf-psa-crypto/tests/scripts/components-build-system.sh. The component was added by the PR 9445 without protection against Ubuntu 16.04 (we just missed that point I think) which was merged October the 3rd. Thus it has been around for more that a month now. Enough to gain confidence?
There was a problem hiding this comment.
@gilles-peskine-arm I think your concern is valid in general, but quite unrelated to this PR, as Ronald explained.
Feel free to override my change request if my concern is invalid.
Since you offered, I'm gonna do just that. I'm also going to start a discussion on slack about the potential issue and things we could do about it.
There was a problem hiding this comment.
Ok, I'd missed that it was a move and not new. I agree that a month of CI is enough to have confidence that this isn't a problem with the tf-psa-crypto cmake scripts.
gilles-peskine-arm
added
needs-work
needs-backports
mpg
removed
needs-work
needs-backports
mpg
added
needs-work
and removed
approved
mpg
dismissed
gilles-peskine-arm’s stale review
The point raised is pre-existing and not made any worse by this PR; if we do something about it there's not reason it should be in this PR.
mpg
added
approved
Description
tf-psa-crypto/tests/scripts/all.shthat can be invoked independently and will source components fromtf-psa-crypto/tests/scripts/component-*.sh. Ultimately this is going to be the main entry point for tf-psa-crypto's CI when all relevant components have been migrated.tests/scripts/all.shinto a wrapper that handles both mbedtls and tf-psa-crypto. This is a transitional wapper so that the CI can just keep calling the same single entry point, and still get all components, while we move relevant components to tf-psa-crypto, and until tf-psa-crypto gets its own autonomous CI.PR checklist
Manual testing