TF-M: Python script to clone TF-M #11651
Conversation
|
@Devran01, thank you for your changes. |
|
Is this breaking any sort of convention as to how external repositories are synced into Mbed OS? I want to start seeing a standard tool used for maintaining external dependencies. |
| Current version of the script only clones TF-M git repo and dependencies | ||
| and creates a VERSION.TXT file under 'components/TARGET_PSA/TARGET_TFM' | ||
| """ | ||
| if not isdir(TF_M_BUILD_DIR): |
There was a problem hiding this comment.
It would be ideal to delete all the files if the TF_M_BUILD_DIR is present. Because we are not checking which version of cloned repo is present when calling check_clone_repo
There was a problem hiding this comment.
@jainvikas8 It might be possible that users might have changes in the tf-m build directory. So it is not safe to assume that it can be deleted. Added a check to verify the version of cloned repos with the expected ones if the tf-m build directory already exists and warn the user if the versions don't match.
There was a problem hiding this comment.
Well, this would imply users can only have their changes saved locally, but can't pull in their git branches as the tag/version would change to a different HEAD. Is my understanding right?
tools/psa/build_tfm.py
Outdated
| import sys | ||
| import subprocess | ||
| import logging | ||
| import argparse |
There was a problem hiding this comment.
Do we need this import?
| sys.path.insert(0, ROOT) | ||
| from tools.targets import Target, TARGET_MAP, TARGET_NAMES | ||
|
|
||
| TF_M_BUILD_DIR = join(ROOT, os.pardir, 'tfm_build_dir') |
There was a problem hiding this comment.
Wouldn't it be good to use the mbed-os/BUILD directory to have everything there, as it is a dedicated build folder?
There was a problem hiding this comment.
We are planning to use the mbed-os importer to bring in TF-M PSA APIs for non-secure side. Therefore we cannot use mbed-os/BUILD directory. The importer script expects the source to be outside of mbed-os.
Another reason is not be interfere with mbed-cli building non-secure side (mbed-os). If we use mbed-os/BUILD then mbed-cli will try to compie tf-m sources when non-secure side is being built.
tools/psa/build_tfm.py
Outdated
| """ | ||
| cmd = ['git', '-C', tfm_dir, 'describe', '--tags', '--abbrev=12', '--dirty', '--always'] | ||
| tfm_version = run_cmd_return_output(cmd) | ||
| logger.debug('TF-M version: %s', tfm_version) |
There was a problem hiding this comment.
Please make it logger.info
Not that I am aware of, no. |
| sys.path.insert(0, ROOT) | ||
|
|
||
| TF_M_BUILD_DIR = join(ROOT, os.pardir, 'tfm_build_dir') | ||
| VERSION_FILE_PATH = join(ROOT, 'features/FEATURE_PSA/FEATURE_TFM') |
There was a problem hiding this comment.
The commit message needs updating. It still says "components".
| ['https://git.trustedfirmware.org/trusted-firmware-m.git', | ||
| 'feature-twincpu'], | ||
| "mbedtls": ['https://github.com/ARMmbed/mbedtls.git', | ||
| 'mbedtls-2.7.9'], |
There was a problem hiding this comment.
Wow, that's a really old Mbed TLS.
| Clone TF-M git repos and it's dependencies | ||
| """ | ||
| check_and_clone_repo('trusted-firmware-m', dependencies) | ||
| check_and_clone_repo('mbedtls', dependencies) |
There was a problem hiding this comment.
So, this puts tf-m and all dependencies side by side into a single directly. How does TF-M pick up the dependencies and use them?
There was a problem hiding this comment.
Yeah, that's the preferred way of building TF-M. The dependencies are cloned outside the TF-M source tree and the cmake scripts handle the inclusion of dependent modules.
There was a problem hiding this comment.
OK, so we can point TF-M's build system to any filesystem location for the dependencies.
There was a problem hiding this comment.
I need to check the cmake files but I think it is parent folder of tf-m is where the cmake will look for dependencies.
urutva
force-pushed
the
feature-twincpu-build
branch
from
57469a2 to
70194f3
Compare
| _out.strip('\n'), deps.get(name)[1]) | ||
| logger.error('check and remove folder %s', | ||
| join(basedir, name)) | ||
| sys.exit(1) |
There was a problem hiding this comment.
Do not call sys.exit(1). This will crash out of the program and will do no cleanup. It also will fail in the online system.
There was a problem hiding this comment.
@mark-edgeworth In this case we need to exit from the script without doing any cleanup since the cloned repos might contain user changes. Therefore, the only thing we do here is to warn the user and let them take the action.
Having said that, this path will never be triggered in the online system as there won't be any changes done by it.
tools/psa/build_tfm.py
Outdated
| except subprocess.CalledProcessError as e: | ||
| logger.error("The command %s failed with return code: %s", | ||
| (' '.join(command)), e.returncode) | ||
| sys.exit(1) |
There was a problem hiding this comment.
Do not call sys.exit(1).
tools/psa/build_tfm.py
Outdated
| output = '' | ||
| logger.debug('[Exec] %s', ' '.join(command)) | ||
| try: | ||
| fnull = open(os.devnull, 'w') |
There was a problem hiding this comment.
fnull is not closed; use with open() as fnull: instead
| basedir = TF_M_BUILD_DIR | ||
| if not isdir(join(basedir, name)): | ||
| logger.info('Cloning %s repo', name) | ||
| cmd = ['git', '-C', basedir, 'clone', '-b', |
There was a problem hiding this comment.
This (and other command calls to git) make assumptions that git is installed on the user's machine. None of this will work in the online build system either.
There was a problem hiding this comment.
Added is_git_installed() and is_git_lfs_installed() method to check the availability of required tools.
| cmd = ['git', '-C', join(basedir, name), | ||
| 'describe', '--tags'] | ||
| _out = run_cmd_and_return_output(cmd) | ||
| if _out.strip('\n') != deps.get(name)[1]: |
There was a problem hiding this comment.
Getting an error when executing this script
mbed-os$ /usr/bin/python3 /mbed-os/tools/psa/build_tfm.py [TF-M-Builder] 12:44:27: trusted-firmware-m repo exists, checking git version.... Traceback (most recent call last): File "/mbed-os/tools/psa/build_tfm.py", line 181, in <module> main() File "/mbed-os/tools/psa/build_tfm.py", line 173, in main clone_tfm_repo() File "/mbed-os/tools/psa/build_tfm.py", line 149, in clone_tfm_repo check_and_clone_repo('trusted-firmware-m', dependencies) File "/mbed-os/tools/psa/build_tfm.py", line 143, in check_and_clone_repo check_repo_version(name, deps) File "/mbed-os/tools/psa/build_tfm.py", line 119, in check_repo_version if _out.strip('\n') != deps.get(name)[1]: TypeError: a bytes-like object is required, not 'str'
Is it related to python3, if yes are we not supporting Python 3 as Python 2.7 support will be ending soon?
There was a problem hiding this comment.
@jainvikas8 Added support for python3
urutva
force-pushed
the
feature-twincpu-build
branch
2 times, most recently
from
3135d0f to
a27c877
Compare
0xc0170
added
needs: review
release-version: 6.0.0-alpha-1
|
One question: how this scripts are being tested? |
@0xc0170 Currently only manual validation, from mbed-os root folder |
|
It can't checkout the branch. @jamesbeyond Is this related to the changes to master to examples? If yes, would rebase help ? |
|
@0xc0170 The issue is related to python3 and examples scripts. It looks like the python version in CI is python3 and the example script in this feature branch is not compatible with it. This feature branch is created from a commit which is older and had the support for PSoC62 which is required to validate TF-M integration. Therefore rebasing to master is not an option. I can push a patch to resolve this error. But I'm not sure if we'll encounter other issues. @Patater Thoughts? |
If you can patch it on this branch, will be cleaned once this is rebased (needs to be before the integration to master). |
|
@0xc0170 Cherry picked @jamesbeyond's changes from master. |
|
@0xc0170 All travis checks have passed. Can you please start the CI? |
|
Ci started |
urutva
force-pushed
the
feature-twincpu-build
branch
from
2b72d27 to
ab1ac95
Compare
|
@0xc0170 The required patch was added before the merge commit I cherry picked. So the CI failed again. Fixed it now. Can you please restart the CI? |
|
CI Started |
Test run: FAILEDSummary: 3 of 4 test jobs failed Failed test jobs:
|
Test run: FAILEDSummary: 3 of 4 test jobs failed Failed test jobs:
|
urutva
force-pushed
the
feature-twincpu-build
branch
from
ab1ac95 to
bd51999
Compare
Test run: FAILEDSummary: 3 of 4 test jobs failed Failed test jobs:
|
urutva
force-pushed
the
feature-twincpu-build
branch
from
bd51999 to
1c0796b
Compare
|
@Devran01 you should rebase feature branch rather than your fork (your branch now contains all commits from rebase) |
Create a script (tools/psa/build_tfm.py) to build Trusted Firmware M (TF-M) image. Current version of the script only clones the TF-M git repo and its dependencies and computes the version information of TF-M repo and write it to 'features/FEATURE_PSA/FEATURE_TFM/VERSION.txt' Signed-off-by: Devaraj Ranganna <[email protected]>
urutva
force-pushed
the
feature-twincpu-build
branch
from
1c0796b to
dfe5351
Compare
|
@0xc0170 Done. Can you please start the CI? |
|
CI restarted |
Test run: SUCCESSSummary: 11 of 11 test jobs passed |
Description
We are working on automating building TF-M for multiple targets. This PR is first step towards that and implements cloning TF-M repository and its dependencies.
The script also creates
components/TARGET_PSA/TARGET_TFM/VERSION.TXTwhich contains the git version of cloned TF-M repository.Pull request type
Reviewers
@Patater @jainvikas8
Release Notes