xref: /optee_os/.github/workflows/ci.yml (revision 574b1b2dbced9a237dd07e64d5b5e2bc31fbf28d)

name: CI
on: [push, pull_request]
permissions:
  contents: read
concurrency:
  group: ci-${{ github.ref }}  # unique per branch
  cancel-in-progress: true     # cancel previous runs on the same branch
jobs:
  code_style:
    name: Code style
    runs-on: ubuntu-latest
    container: jforissier/optee_os_ci
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history so checkpatch can check commit IDs in commit messages
      - name: Update Git config
        run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
      - name: Run checkpatch
        shell: bash
        run: |
          # checkpatch task
          set -e
          pushd . >/dev/null
          mkdir -p /tmp/linux/scripts
          cd /tmp/linux/scripts
          wget --quiet https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/plain/scripts/checkpatch.pl
          chmod +x checkpatch.pl
          wget --quiet https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/plain/scripts/spelling.txt
          echo "invalid.struct.name" >const_structs.checkpatch
          export PATH=/tmp/linux/scripts:$PATH
          popd >/dev/null
          source scripts/checkpatch_inc.sh
          function _do() { echo '>>' $*; $*; }
          # Run checkpatch.pl:
          # - on the tip of the branch only if we're not in a pull request
          # - otherwise:
          #   * on each commit in the development branch that is not in the target (merge to) branch
          #   * on the global diff if the PR contains more than one commit (useful to check if fixup
          #     commits do solve previous checkpatch errors)
          if [ "${GITHUB_EVENT_NAME}" = "push" ]; then \
            _do checkpatch HEAD || failed=1; \
          else \
            for c in $(git rev-list HEAD^1..HEAD^2); do \
              _do checkpatch $c || failed=1; \
            done; \
            if [ "$(git rev-list --count HEAD^1..HEAD^2)" -gt 1 ]; then \
              _do checkdiff $(git rev-parse HEAD^1) $(git rev-parse HEAD^2) || failed=1; \
            fi; \
          fi
          [ -z "$failed" ]
      - name: Run pycodestyle
        if: success() || failure()
        run: |
          # pycodestyle task
          sudo -E bash -c "apt update -qq -y && apt install -qq -y pycodestyle"
          pycodestyle scripts/*.py core/arch/arm/plat-stm32mp1/scripts/stm32image.py
  builds:
    name: Build (${{ matrix.name }})
    runs-on: ubuntu-latest
    container: jforissier/optee_os_ci
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: arm hikey
            make_commands: |
              _make PLATFORM=hikey
              _make PLATFORM=hikey CFG_ARM64_core=y
          - name: arm hikey-hikey960
            make_commands: |
              _make PLATFORM=hikey-hikey960
              _make PLATFORM=hikey-hikey960 COMPILER=clang
              _make PLATFORM=hikey-hikey960 CFG_ARM64_core=y
              _make PLATFORM=hikey-hikey960 CFG_ARM64_core=y COMPILER=clang
              _make PLATFORM=hikey-hikey960 CFG_SECURE_DATA_PATH=n
          - name: arm imx-imx6* 1
            make_commands: |
              _make PLATFORM=imx-mx6ulevk
              _make PLATFORM=imx-mx6ulevk CFG_NXP_CAAM=y CFG_CRYPTO_DRIVER=y
              _make PLATFORM=imx-mx6ul9x9evk
              _make PLATFORM=imx-mx6ullevk CFG_WITH_SOFTWARE_PRNG=n CFG_IMX_RNGB=y
              _make PLATFORM=imx-mx6ulzevk
              _make PLATFORM=imx-mx6slevk
              _make PLATFORM=imx-mx6sllevk
              _make PLATFORM=imx-mx6sxsabreauto
              _make PLATFORM=imx-mx6sxsabresd
              _make PLATFORM=imx-mx6sxsabresd CFG_NXP_CAAM=y CFG_CRYPTO_DRIVER=y
              _make PLATFORM=imx-mx6solosabresd
              _make PLATFORM=imx-mx6solosabreauto
              _make PLATFORM=imx-mx6sxsabreauto
          - name: arm imx-imx6* 2
            make_commands: |
              _make PLATFORM=imx-mx6qsabrelite
              _make PLATFORM=imx-mx6qsabresd
              _make PLATFORM=imx-mx6qsabresd CFG_RPMB_FS=y
              _make PLATFORM=imx-mx6qsabreauto
              _make PLATFORM=imx-mx6qsabreauto CFG_NXP_CAAM=y CFG_CRYPTO_DRIVER=y
              _make PLATFORM=imx-mx6qpsabreauto
              _make PLATFORM=imx-mx6qpsabresd
              _make PLATFORM=imx-mx6dlsabresd
              _make PLATFORM=imx-mx6dlsabreauto
              _make PLATFORM=imx-mx6dapalis
              _make PLATFORM=imx-mx6qapalis
          - name: arm imx-mx7*
            make_commands: |
              _make PLATFORM=imx-mx7dsabresd
              _make PLATFORM=imx-mx7dsabresd CFG_NXP_CAAM=y CFG_CRYPTO_DRIVER=y
              _make PLATFORM=imx-mx7ulpevk
          - name: arm imx-mx8*
            make_commands: |
              _make PLATFORM=imx-mx8mmevk
              _make PLATFORM=imx-mx8mmevk CFG_NXP_CAAM=y CFG_CRYPTO_DRIVER=y
              _make PLATFORM=imx-mx8mnevk
              _make PLATFORM=imx-mx8mqevk
              _make PLATFORM=imx-mx8mpevk
              _make PLATFORM=imx-mx8qxpmek
              _make PLATFORM=imx-mx8dxmek
              _make PLATFORM=imx-mx8qmmek
              _make PLATFORM=imx-mx8dxlevk
              _make PLATFORM=imx-mx8ulpevk
              _make PLATFORM=imx-mx8ulpevk CFG_NXP_CAAM=y CFG_CRYPTO_DRIVER=y
          - name: arm imx-mx9*
            make_commands: |
              _make PLATFORM=imx-mx91evk
              _make PLATFORM=imx-mx93evk
              _make PLATFORM=imx-mx95evk
          - name: arm k3
            make_commands: |
              _make PLATFORM=k3-j721e
              _make PLATFORM=k3-j721e CFG_ARM64_core=y
              _make PLATFORM=k3-j784s4
              _make PLATFORM=k3-j784s4 CFG_ARM64_core=y
              _make PLATFORM=k3-am65x
              _make PLATFORM=k3-am65x CFG_ARM64_core=y
              _make PLATFORM=k3-am64x
              _make PLATFORM=k3-am64x CFG_ARM64_core=y
              _make PLATFORM=k3-am62x
              _make PLATFORM=k3-am62x CFG_ARM64_core=y
              _make PLATFORM=k3-am62lx
              _make PLATFORM=k3-am62lx CFG_ARM64_core=y
          - name: arm ls
            make_commands: |
              _make PLATFORM=ls-ls1043ardb
              _make PLATFORM=ls-ls1046ardb
              _make PLATFORM=ls-ls1012ardb
              _make PLATFORM=ls-ls1028ardb
              _make PLATFORM=ls-ls1088ardb
              _make PLATFORM=ls-ls2088ardb
              _make PLATFORM=ls-lx2160ardb
              _make PLATFORM=ls-lx2160aqds
          - name: arm marvell
            make_commands: |
              _make PLATFORM=marvell-armada7k8k
              _make PLATFORM=marvell-armada3700
              _make PLATFORM=marvell-otx2t96
              _make PLATFORM=marvell-otx2f95
              _make PLATFORM=marvell-otx2t98
              _make PLATFORM=marvell-cn10ka
              _make PLATFORM=marvell-cn10kb
              _make PLATFORM=marvell-cnf10ka
              _make PLATFORM=marvell-cnf10kb
              _make PLATFORM=marvell-cn20ka
          - name: arm mediatek
            make_commands: |
              _make PLATFORM=mediatek-mt8173
              _make PLATFORM=mediatek-mt8175
              _make PLATFORM=mediatek-mt8183
              _make PLATFORM=mediatek-mt8516
          - name: arm misc 1
            make_commands: |
              _make PLATFORM=d02
              _make PLATFORM=d02 CFG_ARM64_core=y
              _make PLATFORM=poplar
              _make PLATFORM=poplar CFG_ARM64_core=y
              _make PLATFORM=rcar
              _make PLATFORM=rzg
              _make PLATFORM=rzg CFG_ARM64_core=y
              _make PLATFORM=rpi3
              _make PLATFORM=rpi3 CFG_ARM64_core=y
              _make PLATFORM=rpi5
              _make PLATFORM=zynq7k-zc702
              _make PLATFORM=marvell-cnf20ka
              _make PLATFORM=synquacer
              _make PLATFORM=sunxi-bpi_zero
              _make PLATFORM=sunxi-sun50i_a64
          - name: arm misc 2
            make_commands: |
              _make PLATFORM=bcm-ns3 CFG_ARM64_core=y
              _make PLATFORM=hisilicon-hi3519av100_demo
              _make PLATFORM=amlogic
              _make PLATFORM=rzn1
              _make PLATFORM=versal CFG_VERSAL_FPGA_DDR_ADDR=0x40000000
              _make PLATFORM=corstone1000
              _make PLATFORM=nuvoton
              _make PLATFORM=d06
              _make PLATFORM=d06 CFG_HISILICON_ACC_V3=y
              _make PLATFORM=telechips-tcc805x
              _make PLATFORM=versal2
              _make PLATFORM=versal2 CFG_AMD_PS_GPIO=y
              _make PLATFORM=sprd-sc9860
              _make PLATFORM=sprd-sc9860 CFG_ARM64_core=y
          - name: arm Plug and Trust
            make_commands: |
              function download_plug_and_trust() { mkdir -p $HOME/se050 && git clone --single-branch -b v0.4.2 https://github.com/foundriesio/plug-and-trust $HOME/se050/plug-and-trust || (rm -rf $HOME/se050 ; echo Nervermind); }
              download_plug_and_trust

              if [ -d $HOME/se050/plug-and-trust ]; then _make PLATFORM=imx-mx6ullevk CFG_NXP_SE05X=y CFG_IMX_I2C=y CFG_STACK_{THREAD,TMP}_EXTRA=8192 CFG_CRYPTO_DRV_{CIPHER,ACIPHER}=y CFG_WITH_SOFTWARE_PRNG=n CFG_NXP_SE05X_{DIEID,RNG,RSA,ECC,CTR}_DRV=y CFG_NXP_SE05X_RSA_DRV_FALLBACK=y CFG_NXP_SE05X_ECC_DRV_FALLBACK=y CFG_NXP_SE05X_PLUG_AND_TRUST=$HOME/se050/plug-and-trust ; fi
              if [ -d $HOME/se050/plug-and-trust ]; then _make PLATFORM=imx-mx8mmevk CFG_NXP_CAAM=y CFG_NXP_CAAM_AE_{GCM,CCM}_DRV=y CFG_NXP_CAAM_RNG_DRV=y CFG_NXP_SE05X=y CFG_IMX_I2C=y CFG_STACK_{THREAD,TMP}_EXTRA=8192 CFG_CRYPTO_DRV_{CIPHER,ACIPHER,AUTHENC}=y CFG_NXP_SE05X_RNG_DRV=n CFG_WITH_SOFTWARE_PRNG=n CFG_NXP_SE05X_{DIEID,RSA,ECC,CTR}_DRV=y CFG_NXP_SE05X_RSA_DRV_FALLBACK=y CFG_NXP_SE05X_ECC_DRV_FALLBACK=y CFG_NXP_SE05X_PLUG_AND_TRUST=$HOME/se050/plug-and-trust ; fi
          - name: arm qcom
            make_commands: |
              _make PLATFORM=qcom-kodiak
          - name: arm rockchip
            make_commands: |
              _make PLATFORM=rockchip-rk322x
              _make PLATFORM=rockchip-rk3399
              _make PLATFORM=rockchip-rk3588
          - name: arm sam
            make_commands: |
              _make PLATFORM=sam
              _make PLATFORM=sam-sama5d2_xplained
              _make PLATFORM=sam-sama5d27_som1_ek
              _make PLATFORM=sam-sama5d27_wlsom1_ek
          - name: arm SCP firmware
            make_commands: |
              function download_scp_firmware() { git clone --single-branch https://git.gitlab.arm.com/firmware/SCP-firmware.git $HOME/scp-firmware &&  git -C $HOME/scp-firmware checkout 0d48080449e3bd3e5218a31c5f24a6068004c5af || (rm -rf $HOME/scp-firmware ; echo Nervermind); }
              download_scp_firmware

              if [ -d $HOME/scp-firmware ]; then _make PLATFORM=vexpress-qemu_armv8a CFG_SCMI_SCPFW=y CFG_SCP_FIRMWARE=$HOME/scp-firmware; fi
              if [ -d $HOME/scp-firmware ]; then _make PLATFORM=stm32mp2 CFG_SCP_FIRMWARE=$HOME/scp-firmware; fi
              if [ -d $HOME/scp-firmware ]; then _make PLATFORM=stm32mp2-235F_DK CFG_SCP_FIRMWARE=$HOME/scp-firmware; fi
              if [ -d $HOME/scp-firmware ]; then _make PLATFORM=stm32mp2-215F_DK CFG_SCP_FIRMWARE=$HOME/scp-firmware; fi
              if [ -d $HOME/scp-firmware ]; then _make PLATFORM=vexpress-fvp CFG_SCMI_SCPFW=y CFG_SCP_FIRMWARE=$HOME/scp-firmware; fi
              # if [ -d $HOME/scp-firmware ]; then _make PLATFORM=stm32mp1-157C_DK2 CFG_SCMI_SCPFW=y CFG_SCP_FIRMWARE=$HOME/scp-firmware; fi
          - name: arm stm
            make_commands: |
              _make PLATFORM=stm-b2260
              _make PLATFORM=stm-cannes
          - name: arm stm32mp1
            make_commands: |
              _make PLATFORM=stm32mp1
              _make PLATFORM=stm32mp1-135F_DK CFG_DRIVERS_CLK_PRINT_TREE=y CFG_DRIVERS_REGULATOR_PRINT_TREE=y
              _make PLATFORM=stm32mp1-135F_DK COMPILER=clang
              _make PLATFORM=stm32mp1 CFG_STM32MP1_OPTEE_IN_SYSRAM=y CFG_STM32MP_REMOTEPROC=y
          - name: arm ti
            make_commands: |
              _make PLATFORM=ti-dra7xx out/core/tee{,-pager,-pageable}.bin
              _make PLATFORM=ti-am57xx
              _make PLATFORM=ti-am43xx
          - name: arm vexpress-fvp
            make_commands: |
              _make PLATFORM=vexpress-fvp
              _make PLATFORM=vexpress-fvp CFG_ARM64_core=y
              _make PLATFORM=vexpress-fvp CFG_ARM64_core=y CFG_CORE_SEL1_SPMC=y CFG_SECURE_PARTITION=y
          - name: arm vexpress-juno
            make_commands: |
              _make PLATFORM=vexpress-juno
              _make PLATFORM=vexpress-juno CFG_ARM64_core=y
          - name: arm vexpress-qemu_armv8a 1
            make_commands: |
              _make PLATFORM=vexpress-qemu_armv8a
              _make PLATFORM=vexpress-qemu_armv8a COMPILER=clang
              _make PLATFORM=vexpress-qemu_armv8a CFG_TEE_CORE_LOG_LEVEL=0 CFG_TEE_CORE_DEBUG=n CFG_TEE_TA_LOG_LEVEL=0 CFG_DEBUG_INFO=n
              _make PLATFORM=vexpress-qemu_armv8a CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_CORE_DEBUG=y CFG_TEE_TA_LOG_LEVEL=4 CFG_CC_OPT_LEVEL=0 CFG_DEBUG_INFO=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_WITH_PAGER=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_FTRACE_SUPPORT=y CFG_ULIBS_MCOUNT=y CFG_ULIBS_SHARED=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_TA_GPROF_SUPPORT=y CFG_FTRACE_SUPPORT=y CFG_SYSCALL_FTRACE=y CFG_ULIBS_MCOUNT=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_NS_VIRTUALIZATION=y
          - name: arm vexpress-qemu_armv8a 2
            make_commands: |
              _make PLATFORM=vexpress-qemu_armv8a CFG_CORE_PREALLOC_EL0_TBLS=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_CORE_SEL1_SPMC=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_CORE_SEL2_SPMC=y CFG_CORE_PHYS_RELOCATABLE=y CFG_TZDRAM_START=0x0d304000 CFG_TZDRAM_SIZE=0x00cfc000
              _make PLATFORM=vexpress-qemu_armv8a CFG_{ATTESTATION,DEVICE_ENUM,RTC,SCMI,SECSTOR_TA_MGT,VERAISON_ATTESTATION}_PTA=y CFG_WITH_STATS=y CFG_TA_STATS=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_CORE_SEL1_SPMC=y CFG_NS_VIRTUALIZATION=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_CRYPTO_WITH_CE=y CFG_CRYPTOLIB_NAME=mbedtls CFG_CRYPTOLIB_DIR=lib/libmbedtls
              _make PLATFORM=vexpress-qemu_armv8a CFG_CORE_SANITIZE_UNDEFINED=y CFG_TA_SANITIZE_UNDEFINED=y CFG_TEE_RAM_VA_SIZE=0x00400000
              dd if=/dev/urandom of=BL32_AP_MM.fd bs=2621440 count=1 && _make PLATFORM=vexpress-qemu_armv8a CFG_STMM_PATH=BL32_AP_MM.fd CFG_RPMB_FS=y CFG_CORE_HEAP_SIZE=524288 CFG_TEE_RAM_VA_SIZE=0x00400000
              _make PLATFORM=vexpress-qemu_armv8a CFG_SECURE_DATA_PATH=y CFG_CORE_DYN_PROTMEM=y
              _make PLATFORM=vexpress-qemu_armv8a CFG_SECURE_DATA_PATH=y CFG_CORE_DYN_PROTMEM=y CFG_CORE_SEL1_SPMC=y
          - name: arm vexpress-qemu_sbsa
            make_commands: |
              _make PLATFORM=vexpress-qemu_sbsa CFG_CORE_SEL1_SPMC=y CFG_TZDRAM_START=0x20002000 CFG_TZDRAM_SIZE=0x1fbcf000
          - name: arm vexpress-qemu_virt 1
            make_commands: |
              _make
              _make COMPILER=clang
              _make CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_CORE_DEBUG=y CFG_TEE_TA_LOG_LEVEL=4 CFG_CC_OPT_LEVEL=0 CFG_DEBUG_INFO=y
              _make CFG_TEE_CORE_LOG_LEVEL=0 CFG_TEE_CORE_DEBUG=n CFG_TEE_TA_LOG_LEVEL=0 CFG_DEBUG_INFO=n CFG_ENABLE_EMBEDDED_TESTS=n
              _make CFG_TEE_CORE_MALLOC_DEBUG=y CFG_CORE_DEBUG_CHECK_STACKS=y
              _make CFG_CORE_SANITIZE_KADDRESS=y CFG_CORE_ASLR=n
              _make CFG_LOCKDEP=y
              _make CFG_CRYPTO=n
              _make CFG_CRYPTO_{AES,DES}=n
              _make CFG_CRYPTO_{DSA,RSA,DH}=n
          - name: arm vexpress-qemu_virt 2
            make_commands: |
              _make CFG_CRYPTO_{DSA,RSA,DH,ECC}=n
              _make CFG_CRYPTO_{H,C,CBC_}MAC=n
              _make CFG_CRYPTO_{G,C}CM=n
              _make CFG_CRYPTO_{MD5,SHA{1,224,256,384,512,512_256}}=n
              _make CFG_WITH_PAGER=y out/core/tee{,-pager,-pageable}.bin
              _make CFG_WITH_PAGER=y CFG_CRYPTOLIB_NAME=mbedtls CFG_CRYPTOLIB_DIR=lib/libmbedtls
              _make CFG_WITH_PAGER=y CFG_WITH_LPAE=y
              _make CFG_WITH_LPAE=y
              _make CFG_CORE_PREALLOC_EL0_TBLS=y
              _make CFG_RPMB_FS=y
          - name: arm vexpress-qemu_virt 3
            make_commands: |
              _make CFG_RPMB_FS=y CFG_RPMB_TESTKEY=y
              _make CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y
              _make CFG_REE_FS=n CFG_RPMB_FS=y
              _make CFG_WITH_PAGER=y CFG_WITH_LPAE=y CFG_RPMB_FS=y CFG_DT=y CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_CORE_DEBUG=y CFG_CC_OPT_LEVEL=0 CFG_DEBUG_INFO=y
              _make CFG_WITH_PAGER=y CFG_WITH_LPAE=y CFG_RPMB_FS=y CFG_DT=y CFG_TEE_CORE_LOG_LEVEL=0 CFG_TEE_CORE_DEBUG=n DEBUG=0
              _make CFG_BUILT_IN_ARGS=y CFG_PAGEABLE_ADDR=0 CFG_NS_ENTRY_ADDR=0 CFG_DT_ADDR=0 CFG_DT=y
              _make CFG_FTRACE_SUPPORT=y CFG_ULIBS_MCOUNT=y CFG_ULIBS_SHARED=y
              _make CFG_TA_GPROF_SUPPORT=y CFG_FTRACE_SUPPORT=y CFG_SYSCALL_FTRACE=y CFG_ULIBS_MCOUNT=y
              _make CFG_SECURE_DATA_PATH=y
              _make CFG_REE_FS_TA_BUFFERED=y
              _make CFG_WITH_USER_TA=n
              _make CFG_{ATTESTATION,DEVICE_ENUM,RTC,SCMI,SECSTOR_TA_MGT,VERAISON_ATTESTATION}_PTA=y CFG_WITH_STATS=y CFG_TA_STATS=y
          - name: arm zynqmp
            make_commands: |
              _make PLATFORM=zynqmp-zcu102
              _make PLATFORM=zynqmp-zcu102 CFG_ARM64_core=y
              _make PLATFORM=zynqmp-zcu102 CFG_ARM64_core=y CFG_WITH_SOFTWARE_PRNG=n CFG_XIPHERA_TRNG=y CFG_ZYNQMP_HUK=y
          - name: riscv
            make_commands: |
              export ARCH=riscv
              unset CROSS_COMPILE32
              export CROSS_COMPILE64="ccache riscv64-linux-gnu-"
              _make PLATFORM=virt
              _make PLATFORM=virt CFG_RISCV_PLIC=n CFG_RISCV_APLIC=y
              _make PLATFORM=virt CFG_RISCV_PLIC=n CFG_RISCV_APLIC_MSI=y CFG_RISCV_IMSIC=y
              _make PLATFORM=sifive
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Update Git config
        run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
      - name: Generate cache key
        run: |
          HASH=$(echo -n "${{ matrix.name }}" | sha256sum | cut -c1-16)
          echo "CACHE_KEY=builds-cache-${HASH}-${GITHUB_SHA}" >> ${GITHUB_ENV}
          echo "CACHE_RESTORE_KEY=builds-cache-${HASH}" >> ${GITHUB_ENV}
      - name: Restore build cache
        uses: actions/cache@v4
        with:
          path: /github/home/.cache/ccache
          key: ${{ env.CACHE_KEY }}
          restore-keys: |
            ${{ env.CACHE_RESTORE_KEY }}
      - name: Build
        shell: bash
        env:
          MAKE_COMMANDS: ${{ matrix.make_commands }}
        run: |
          set -e -v

          export LC_ALL=C
          export PATH=/usr/local/bin:$PATH  # clang
          export FORCE_UNSAFE_CONFIGURE=1 # Prevent Buildroot error when building as root
          export CFG_DEBUG_INFO=n
          export CFG_WERROR=y
          export CROSS_COMPILE32="ccache arm-linux-gnueabihf-"
          export CROSS_COMPILE64="ccache aarch64-linux-gnu-"


          function _make() { make -j$(nproc) -s O=out $*; }

          ccache -s -v
          eval "$MAKE_COMMANDS"
          ccache -s -v
  QEMUv7_checks_image_build:
    name: Build QEMUv7 image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create Dockerfile
        run: |
          cat > Dockerfile <<'EOF'
          FROM jforissier/optee_os_ci:qemu_check
          RUN /root/get_optee.sh default /root/optee_repo_qemu
          EOF
      - name: Build Docker image
        run: |
          docker build -t qemuv7_image .
          docker save qemuv7_image | zstd -T0 -o qemuv7_image.tar.zst
      - name: Upload Docker image
        uses: actions/upload-artifact@v4
        with:
          name: qemuv7_image
          path: qemuv7_image.tar.zst
          retention-days: 5
  QEMUv7_checks:
    name: Run (QEMUv7) (${{ matrix.name }})
    needs: QEMUv7_checks_image_build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: 1
            make_commands: |
              make -j$(nproc) check CFG_LOCKDEP=y CFG_LOCKDEP_RECORD_STACK=n CFG_IN_TREE_EARLY_TAS=pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee CFG_PKCS11_TA=y CFG_CORE_UNSAFE_MODEXP=y XTEST_ARGS="-x pkcs11_1007"
          - name: 2
            make_commands: |
              make -j$(nproc) check CFG_CORE_SANITIZE_KADDRESS=y CFG_CORE_ASLR=n CFG_ATTESTATION_PTA=n XTEST_ARGS="n_1001 n_1003 n_1004"
          - name: 3
            make_commands: |
              make -j$(nproc) check CFG_CORE_SANITIZE_KADDRESS=y CFG_CORE_ASLR=n CFG_ATTESTATION_PTA=n CFG_DYN_CONFIG=n XTEST_ARGS="n_1001 n_1003 n_1004"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Update Git config
        run: git config --global --add safe.directory /home/runner/work/optee_os/optee_os
      - name: Download Docker image
        uses: actions/download-artifact@v4
        with:
          name: qemuv7_image
          path: .
      - name: Load Docker image
        run: |
          zstd -d qemuv7_image.tar.zst -c | docker load
      - name: Generate cache key
        run: |
          HASH=$(echo -n "${{ matrix.name }}" | sha256sum | cut -c1-16)
          echo "CACHE_KEY=qemuv7_check-cache-${HASH}-${GITHUB_SHA}" >> $GITHUB_ENV
          echo "CACHE_RESTORE_KEY=qemuv7_check-cache-${HASH}" >> ${GITHUB_ENV}
      - name: Restore build cache
        uses: actions/cache@v4
        with:
          path: /home/runner/work/ccache
          key: ${{ env.CACHE_KEY }}
          restore-keys: |
            ${{ env.CACHE_RESTORE_KEY }}
      - name: Host setup
        run: bash /home/runner/work/optee_os/optee_os/scripts/ci-host-cleanup.sh
      - name: Run 'make check' tasks in container
        env:
          MAKE_COMMANDS: "${{ matrix.make_commands }}"
        run: |
          docker run --rm \
            -v /home/runner/work/optee_os/optee_os:/runner/optee_os \
            -v /home/runner/work/ccache:/root/.cache/ccache \
            -w /root \
            -e MAKE_COMMANDS="$MAKE_COMMANDS" \
            qemuv7_image \
            bash -c '
              set -e -v

              export BR2_CCACHE_DIR=/root/.cache/ccache
              export FORCE_UNSAFE_CONFIGURE=1
              export CFG_TEE_CORE_LOG_LEVEL=2

              TOP=/root/optee_repo_qemu
              mv $TOP/optee_os $TOP/optee_os_old
              ln -s /runner/optee_os $TOP/optee_os
              cd $TOP/build

              ccache -s -v
              eval "$MAKE_COMMANDS"
              ccache -s -v
            '
  QEMUv8_checks_image_build:
    name: Build QEMUv8 image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create Dockerfile
        run: |
          cat > Dockerfile <<'EOF'
          FROM jforissier/optee_os_ci:qemu_check
          RUN /root/get_optee.sh qemu_v8 /root/optee_repo_qemu_v8
          EOF
      - name: Build Docker image
        run: |
          docker build -t qemuv8_image .
          docker save qemuv8_image | zstd -T0 -o qemuv8_image.tar.zst
      - name: Upload Docker image
        uses: actions/upload-artifact@v4
        with:
          name: qemuv8_image
          path: qemuv8_image.tar.zst
          retention-days: 5
  QEMUv8_checks:
    name: Run (QEMUv8) (${{ matrix.name }})
    needs: QEMUv8_checks_image_build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: BTI+MTE+PAC
            make_commands: |
              # The BTI-enabled toolchain is aarch64-unknown-linux-uclibc-gcc in /usr/local/bin
              export PATH=/usr/local/bin:$PATH
              export AARCH64_CROSS_COMPILE=aarch64-unknown-linux-uclibc-

              # xtest 1031 is excluded because 1031.4 (C++ exception from shared library) fails with this cross-compiler
              # Rust is disabled because of a link error in the examples with this toolchain
              make -j$(nproc) CFG_CORE_BTI=y CFG_TA_BTI=y SEL0_SPS=y MEMTAG=y PAUTH=y RUST_ENABLE=n XTEST_ARGS="-x n_1031" check
          - name: CE82
            make_commands: |
              make -j$(nproc) check CFG_CRYPTO_WITH_CE82=y
          - name: Clang
            make_commands: |
              export COMPILER=clang
              make -j$(nproc) check
          - name: Clang ULIBS_SHARED=y
            make_commands: |
              export COMPILER=clang
              make -j$(nproc) check CFG_ULIBS_SHARED=y
          - name: default
            make_commands: |
              make -j$(nproc) check
          - name: DYN_CONFIG=n
            make_commands: |
              make -j$(nproc) check CFG_DYN_CONFIG=n
          - name: ftrace
            make_commands: |
              make -j$(nproc) check CFG_FTRACE_SUPPORT=y CFG_SYSCALL_FTRACE=y XTEST_ARGS=regression_1001 RUST_ENABLE=n MEASURED_BOOT_FTPM=n
          - name: FW handoff
            make_commands: |
              make -j$(nproc) check ARM_FIRMWARE_HANDOFF=y
          - name: KASAN
            make_commands: |
              make -j$(nproc) check CFG_CORE_SANITIZE_KADDRESS=y CFG_CORE_ASLR=n CFG_ATTESTATION_PTA=n RUST_ENABLE=n MEASURED_BOOT_FTPM=n XTEST_ARGS="n_1001 n_1003 n_1004"
          - name: pager
            make_commands: |
              make -j$(nproc) check CFG_WITH_PAGER=y MEASURED_BOOT_FTPM=n
          - name: PAN=y
            make_commands: |
              make -j$(nproc) check CFG_PAN=y
          - name: SPMC_AT_EL=1
            make_commands: |
              make -j$(nproc) check SPMC_AT_EL=1 CFG_SECURE_PARTITION=y CFG_SPMC_TESTS=y
          - name: SPMC_AT_EL=2
            make_commands: |
              make -j$(nproc) check SPMC_AT_EL=2
          - name: SPMC_AT_EL=3
            make_commands: |
              make -j$(nproc) check SPMC_AT_EL=3
          - name: ULIBS_SHARED=y
            make_commands: |
              make -j$(nproc) check CFG_ULIBS_SHARED=y
          - name: Xen
            make_commands: |
              make -j$(nproc) check XEN_BOOT=y
          - name: Xen + SPMC_AT_EL=1
            make_commands: |
              make -j$(nproc) check XEN_BOOT=y SPMC_AT_EL=1
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Update Git config
        run: git config --global --add safe.directory /home/runner/work/optee_os/optee_os
      - name: Download Docker image
        uses: actions/download-artifact@v4
        with:
          name: qemuv8_image
          path: .
      - name: Load Docker image
        run: |
          zstd -d qemuv8_image.tar.zst -c | docker load
      - name: Generate cache key
        run: |
          HASH=$(echo -n "${{ matrix.name }}" | sha256sum | cut -c1-16)
          echo "CACHE_KEY=qemuv8_check-cache-${HASH}-${GITHUB_SHA}" >> $GITHUB_ENV
          echo "CACHE_RESTORE_KEY=qemuv8_check-cache-${HASH}" >> ${GITHUB_ENV}
      - name: Restore build cache
        uses: actions/cache@v4
        with:
          path: /home/runner/work/ccache
          key: ${{ env.CACHE_KEY }}
          restore-keys: |
            ${{ env.CACHE_RESTORE_KEY }}
      - name: Host setup
        run: bash /home/runner/work/optee_os/optee_os/scripts/ci-host-cleanup.sh
      - name: Run 'make check' tasks in container
        env:
          MAKE_COMMANDS: "${{ matrix.make_commands }}"
        run: |
          docker run --rm \
            -v /home/runner/work/optee_os/optee_os:/runner/optee_os \
            -v /home/runner/work/ccache:/root/.cache/ccache \
            -w /root \
            -e MAKE_COMMANDS="$MAKE_COMMANDS" \
            qemuv8_image \
            bash -c '
              set -e -v

              export BR2_CCACHE_DIR=/root/.cache/ccache
              export FORCE_UNSAFE_CONFIGURE=1
              export CFG_TEE_CORE_LOG_LEVEL=2
              export CFG_ATTESTATION_PTA=y
              export CFG_ATTESTATION_PTA_KEY_SIZE=1024

              TOP=/root/optee_repo_qemu_v8
              mv $TOP/optee_os $TOP/optee_os_old
              ln -s /runner/optee_os $TOP/optee_os
              cd $TOP/build

              ccache -s -v
              eval "$MAKE_COMMANDS"
              ccache -s -v
            '
  QEMUv8_arm64_image_build:
    name: Build QEMUv8 arm64 image
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@v4
      - name: Create Dockerfile
        run: |
          cat > Dockerfile <<'EOF'
          FROM jforissier/optee_os_ci:qemu_check_arm64
          RUN /root/get_optee.sh qemu_v8 /root/optee_repo_qemu_v8
          EOF
      - name: Build Docker image
        run: |
          docker build -t qemuv8_arm64_image .
          docker save qemuv8_arm64_image | zstd -T0 -o qemuv8_arm64_image.tar.zst
      - name: Upload Docker image
        uses: actions/upload-artifact@v4
        with:
          name: qemuv8_arm64_image
          path: qemuv8_arm64_image.tar.zst
          retention-days: 5
  QEMUv8_checks_arm64:
    name: Run (QEMUv8 on arm64) (${{ matrix.name }})
    needs: QEMUv8_arm64_image_build
    runs-on: ubuntu-24.04-arm
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: CFG_CORE_UNSAFE_MODEXP=y
            make_commands: |
              # CFG_CORE_UNSAFE_MODEXP=y to speed up regression_4011
              make -j$(nproc) check CFG_CORE_UNSAFE_MODEXP=y
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Update Git config
        run: git config --global --add safe.directory /home/runner/work/optee_os/optee_os
      - name: Download Docker image
        uses: actions/download-artifact@v4
        with:
          name: qemuv8_arm64_image
          path: .
      - name: Load Docker image
        run: |
          zstd -d qemuv8_arm64_image.tar.zst -c | docker load
      - name: Generate cache key
        run: |
          HASH=$(echo -n "${{ matrix.name }}" | sha256sum | cut -c1-16)
          echo "CACHE_KEY=qemuv8_arm64_check-cache-${HASH}-${GITHUB_SHA}" >> ${GITHUB_ENV}
          echo "CACHE_RESTORE_KEY=qemuv8_arm64_check-cache-${HASH}" >> ${GITHUB_ENV}
      - name: Restore build cache
        uses: actions/cache@v4
        with:
          path: /home/runner/work/ccache
          key: ${{ env.CACHE_KEY }}
          restore-keys: |
            ${{ env.CACHE_RESTORE_KEY }}
      - name: Host setup
        run: bash /home/runner/work/optee_os/optee_os/scripts/ci-host-cleanup.sh
      - name: Run 'make check' tasks in container
        env:
          MAKE_COMMANDS: "${{ matrix.make_commands }}"
        run: |
          docker run --rm \
            -v /home/runner/work/optee_os/optee_os:/runner/optee_os \
            -v /home/runner/work/ccache:/root/.cache/ccache \
            -w /root \
            -e MAKE_COMMANDS="$MAKE_COMMANDS" \
            qemuv8_arm64_image \
            bash -c '
              set -e -v

              export BR2_CCACHE_DIR=/root/.cache/ccache
              export FORCE_UNSAFE_CONFIGURE=1
              export CFG_TEE_CORE_LOG_LEVEL=2
              export CFG_ATTESTATION_PTA=y
              export CFG_ATTESTATION_PTA_KEY_SIZE=1024

              TOP=/root/optee_repo_qemu_v8
              mv $TOP/optee_os $TOP/optee_os_old
              ln -s /runner/optee_os $TOP/optee_os
              cd $TOP/build

              ccache -s -v
              eval "$MAKE_COMMANDS"
              ccache -s -v
            '