feat: add Bootguard Integration Test #37
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Test | |
on: | |
push: | |
tags: | |
- v* | |
branches: | |
- main | |
- feat/addBtGTests | |
pull_request: | |
jobs: | |
build: | |
strategy: | |
matrix: | |
go-arch: [amd64, arm64] | |
runs-on: ubuntu-latest | |
env: | |
CGO_ENABLED: 0 | |
GOARCH: ${{ matrix.go-arch }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Build txt-suite | |
run: go build -ldflags '-X main.gitcommit=${GITHUB_SHA} -X main.gittag=${github.ref_name} -w -extldflags "-static"' -o txt-suite cmd/txt-suite/*.go | |
- name: Build txt-prov | |
run: go build -ldflags '-X main.gitcommit=${GITHUB_SHA} -X main.gittag=${github.ref_name} -w -extldflags "-static"' -o txt-prov cmd/txt-prov/*.go | |
- name: Build bg-suite | |
run: go build -ldflags '-X main.gitcommit=${GITHUB_SHA} -X main.gittag=${github.ref_name} -w -extldflags "-static"' -o bg-suite cmd/bg-suite/*.go | |
- name: Build bg-prov | |
run: go build -ldflags '-X main.gitcommit=${GITHUB_SHA} -X main.gittag=${github.ref_name} -w -extldflags "-static"' -o bg-prov cmd/bg-prov/*.go | |
- name: Build pcr0tool | |
run: go build -ldflags '-X main.gitcommit=${GITHUB_SHA} -X main.gittag=${github.ref_name} -w -extldflags "-static"' -o pcr0tool cmd/pcr0tool/*.go | |
- name: Build amd-suite | |
run: go build -ldflags '-X main.gitcommit=${GITHUB_SHA} -X main.gittag=${github.ref_name} -w -extldflags "-static"' -o amd-suite cmd/amd-suite/*.go | |
- name: Save artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: artifacts-${{ matrix.go-arch }} | |
path: | | |
./txt-suite | |
./txt-prov | |
./bg-suite | |
./bg-prov | |
./pcr0tool | |
./amd-suite | |
test: | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: go test | |
run: go test -v ./pkg/... | |
ValidationTestBootguard: | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Download file | |
run: | | |
wget "https://download.asrock.com/BIOS/4677/W790%20WS(4.04)ROM.zip" | |
unzip W790\ WS\(4.04\)ROM.zip | |
mv W790-WS_4.04.ROM firmware.bin | |
- name: Download Artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: artifacts-amd64 | |
path: ./artifacts | |
- name: Make artifacts executable | |
run: chmod +x ./artifacts/* | |
- name: Check FIT | |
run: | | |
./artifacts/bg-prov fit-show ./firmware.bin >> fit.log | |
- name: Check FIT entries | |
run: | | |
cat fit.log | grep -s "KeyManifestRecord" | |
cat fit.log | grep -s "BootPolicyManifestRecord" | |
- name: Extract and Verify BPM and KM | |
run: | | |
./artifacts/bg-prov bpm-export ./firmware.bin bpm.bin | |
./artifacts/bg-prov km-export ./firmware.bin km.bin | |
./artifacts/bg-prov bpm-verify ./bpm.bin | |
./artifacts/bg-prov km-verify ./km.bin | |
generateTemplates: | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: sudo apt-get install jq | |
- name: Download Artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: artifacts-amd64 | |
path: ./artifacts | |
- name: Make artifacts executable | |
run: chmod +x ./artifacts/* | |
- name: Generate Template-v-1 (bg-prov) | |
run: | | |
./artifacts/bg-prov template-v-1 --svn=1 --acmsvn=1 --nems=2 \ | |
--pbet=12 --ibbflags=1 --mchbar=123456 --vdtbar=120000 --dmabase0=130000 \ | |
--dmasize0=2048 --entrypoint=140000 --ibbhash=SHA256 config.json | |
cat ./config.json | jq | |
- name: Generate Template-v-2 (bg-prov) | |
run: | | |
./artifacts/bg-prov template-v-1 --svn=1 --acmsvn=1 --nems=2 \ | |
--pbet=12 --ibbflags=1 --mchbar=123456 --vdtbar=120000 --dmabase0=130000 \ | |
--dmasize0=2048 --entrypoint=140000 --ibbhash=SHA256 config.json | |
cat ./config.json | jq |