Merge pull request #3 from jumpstarter-dev/add-raspbian

Add raspbian-lite job and move fedora-rawhide

.github/workflows/jumpstarter-gh-actions.yaml

@@ -11,8 +11,37 @@ permissions:
   pull-requests: read
 
 jobs:
-  test-in-hardware:
+  test-in-hardware-raspbian-lite:
     runs-on: [self-hosted, linux, jumpstarter-rpi4]
+    defaults:
+      run:
+        working-directory: ./raspbian-lite
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Worker local cache
+        run: |
+          mkdir -p $HOME/.cache/downloads.raspberrypi.org
+          ln -s $HOME/.cache/downloads.raspberrypi.org images/downloads.raspberrypi.org
+
+      - name: List devices
+        run: jumpstarter list-devices
+
+      - name: Download images
+        run: make download-image
+
+      - name: Prepare image
+        run: make prepare-image
+
+      - name: Test in Hardware
+        run: make test-in-hardware
+
+  test-in-hardware-fedora-rawhide:
+    runs-on: [self-hosted, linux, jumpstarter-rpi4]
+    defaults:
+      run:
+        working-directory: ./fedora-rawhide
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -33,3 +62,4 @@ jobs:
 
       - name: Test in Hardware
         run: make test-in-hardware
+

.gitignore

@@ -1,4 +1,9 @@
-images/latest.raw
-images/latest.raw.xz
-images/.prepared
-images/dl.fedoraproject.org/**
+fedora-rawhide/images/latest.raw
+fedora-rawhide/images/latest.raw.xz
+fedora-rawhide/images/.prepared
+fedora-rawhide/images/dl.fedoraproject.org/**
+
+raspbian-lite/images/latest.raw
+raspbian-lite/images/latest.raw.xz
+raspbian-lite/images/.prepared
+raspbian-lite/images/downloads.raspberrypi.org/**

raspbian-lite/Makefile

@@ -0,0 +1,78 @@
+DEVICE=rpi4-00
+
+###############################################################################
+# Targets that interact with the DUT via Jumpstarter
+###############################################################################
+
+test-in-hardware: umount images/latest.raw images/.prepared
+	sudo -E jumpstarter run-script test-tpm-on-latest-raw.yaml
+
+write-image: umount images/latest.raw images/.prepared
+	sudo -E jumpstarter run-script setup-latest-raw.yaml
+
+power-on:
+	jumpstarter power on -a $(DEVICE)
+
+console:
+	jumpstarter console $(DEVICE)
+
+power-off:
+	jumpstarter detach-storage $(DEVICE)
+	jumpstarter power off $(DEVICE)
+
+###############################################################################
+# Image preparation targets
+###############################################################################
+
+download-image:
+	scripts/download-latest-raspbian
+
+prepare-image: images/latest.raw mount
+	scripts/prepare-latest-raw
+	touch images/.prepared
+	umount mnt
+
+images/.prepared:
+	make prepare-image
+
+images/latest.raw.xz:
+	make download-image
+
+images/latest.raw: images/latest.raw.xz
+	xz -d -v -T0 -k $^
+	touch images/latest.raw
+	rm -f images/.prepared
+
+clean-image:
+	rm -f images/.prepared
+	rm -f images/latest.raw
+
+clean-images: clean-image
+	rm -rf images/download.raspberrypi.org
+	rm -rf images/latest.raw.xz
+
+###############################################################################
+# Image manipulation targets
+###############################################################################
+
+mnt:
+	mkdir -p $@
+
+umount:
+	umount mnt || true
+
+mount: umount images/latest.raw mnt
+	guestmount -a images/latest.raw -m /dev/sda2 -m /dev/sda1:/boot/firmware -o allow_other --rw mnt  
+
+
+###############################################################################
+# phony targets are targets which don't produce files, just for utility
+###############################################################################
+
+
+.PHONY: download-image prepare-image
+.PHONY: test-in-hardware
+.PHONY: write-image
+.PHONY: power-on power-off
+.PHONY: console
+.PHONY: mount umount

raspbian-lite/scripts/download-latest-raspbian

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+LATEST_URL=$(wget -O /dev/null -o - --max-redirect=0 https://downloads.raspberrypi.org/raspios_lite_armhf_latest 2>/dev/null| sed -n "s/^Location: \(.*\) \[following\]$/\1/p")
+CACHE="./images"
+wget "${LATEST_URL}" -np -m -A '*img.xz' -c -P "${CACHE}"
+# use the latest compose image
+LATEST_IMG=$(ls -Art "${CACHE}/downloads.raspberrypi.org/raspios_lite_armhf/images"/*/*.img.xz | tail -n 1)
+
+echo "Latest image: ${LATEST_IMG}"
+
+# calculate full path to LATEST_IMG
+LATEST_IMG_FULLPATH=$(readlink -f ${LATEST_IMG})
+EXISTING_LINK=$(readlink "${CACHE}/latest.raw.xz" || true )
+# if the link has changed, update the link
+if [[ "${LATEST_IMG_FULLPATH}" != "${EXISTING_LINK}" ]]; then
+    echo "Updating link from latest.raw.xz -> ${LATEST_IMG}"
+    ln -fs "${LATEST_IMG_FULLPATH}" "${CACHE}/latest.raw.xz"
+else
+    echo "We are up-to-date."
+fi

raspbian-lite/scripts/prepare-latest-raw

@@ -0,0 +1,33 @@
+#!/bin/sh
+set -x
+# all output to serial port
+sudo sed -i 's/console=serial0,115200 console=tty1/console=serial0,115200/g' mnt/boot/firmware/cmdline.txt
+cat mnt/boot/firmware/cmdline.txt
+
+cat << EOF | sudo tee mnt/boot/firmware/custom.toml
+# Raspberry Pi First Boot Setup
+[system]
+hostname = "rpitest"
+
+[user]
+name = "root"
+password = "changeme"
+password_encrypted = false
+
+[ssh]
+enabled = false
+
+[wlan]
+country = "es"
+
+[locale]
+keymap = "es"
+timezone = "Europe/Madrid"
+EOF
+
+cat << EOF | sudo tee -a mnt/boot/firmware/config.txt
+dtparam=spi=on
+dtoverlay=tpm-slb9670
+enable_uart=1
+EOF
+

raspbian-lite/setup-latest-raw.yaml

@@ -0,0 +1,9 @@
+name: "Setup latest.raw in DUT disk"
+selector:
+  - rpi4
+
+steps:
+  - power: "off"
+  - set-disk-image:
+      image: "images/latest.raw"
+  - storage: "attach"

raspbian-lite/test-tpm-on-latest-raw.yaml

@@ -0,0 +1,71 @@
+name: "Setup latest.raw in DUT disk"
+selector:
+  - rpi4
+
+expect-timeout: 100
+
+steps:
+  - power: "off"
+  - set-disk-image:
+      image: "images/latest.raw"
+  - storage: "attach"
+  - power: "on"
+  - expect:
+      this: "Booting"
+
+  - expect:
+      timeout: 600
+      this: "rpitest login:"
+
+  - send:
+      this:
+        - "root\n"
+      echo: false
+
+  - expect:
+      this: "Password:"
+
+  - send:
+      this:
+        - "changeme\n"
+
+  - expect:
+      timeout: 60
+      this: "@rpitest:~#"
+
+  - send:
+      this:
+        - "apt-get install -y tpm2-tools\n"
+
+  - expect:
+      timeout: 200
+      this: "@rpitest:~#"
+
+  - comment: "Verifying TPM interactions via tpm2 tools"
+  - send:
+      this:
+        - "tpm2_createprimary -C e -c primary.ctx\n"
+        - "tpm2_create -G rsa -u key.pub -r key.priv -C primary.ctx\n"
+        - "tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx\n"
+        - "echo my message > message.dat\n"
+        - "tpm2_sign -c key.ctx -g sha256 -o sig.rssa message.dat\n"
+        - "tpm2_verifysignature -c key.ctx -g sha256 -s sig.rssa -m message.dat\n"
+        - "echo result: $?\n"
+
+  - expect:
+      this: "value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt"
+  - expect:
+      this: "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign"
+  - expect:
+      this: "name: "
+  - expect:
+      this: "result: 0"
+  - expect:
+      this: "@rpitest:~#"
+cleanup:
+  - send:
+      this:
+        - "poweroff\n"
+  - pause: 10
+  - power: "off"
+