1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-18 13:38:12 +00:00
trezor-firmware/build-docker.sh
Martin Milata 233a292fd2 Merge branch 'master' into secfix/23.03
Conflicts:
	core/Makefile
	core/SConscript.firmware
	core/embed/firmware/bootloader.bin
	core/embed/firmware/bootloaders/bootloader_T.bin
	core/embed/firmware/bootloaders/bootloader_T2T1.bin
	python/src/trezorlib/firmware/core.py
	python/src/trezorlib/firmware/models.py
2023-02-28 15:20:36 +01:00

268 lines
6.3 KiB
Bash
Executable File

#!/usr/bin/env bash
set -e -o pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
if [ -z "$ALPINE_ARCH" ]; then
arch="$(uname -m)"
case "$arch" in
aarch64|arm64)
ALPINE_ARCH="aarch64"
;;
x86_64)
ALPINE_ARCH="x86_64"
;;
*)
echo "Unsupported arch"
exit
esac
fi
if [ -z "$ALPINE_CHECKSUM" ]; then
case "$ALPINE_ARCH" in
aarch64)
ALPINE_CHECKSUM="1be50ae27c8463d005c4de16558d239e11a88ac6b2f8721c47e660fbeead69bf"
;;
x86_64)
ALPINE_CHECKSUM="ec7ec80a96500f13c189a6125f2dbe8600ef593b87fc4670fe959dc02db727a2"
;;
*)
exit
esac
fi
DOCKER=${DOCKER:-docker}
CONTAINER_NAME=${CONTAINER_NAME:-trezor-firmware-env.nix}
ALPINE_CDN=${ALPINE_CDN:-https://dl-cdn.alpinelinux.org/alpine}
ALPINE_RELEASE=${ALPINE_RELEASE:-3.15}
ALPINE_VERSION=${ALPINE_VERSION:-3.15.0}
ALPINE_TARBALL=${ALPINE_FILE:-alpine-minirootfs-$ALPINE_VERSION-$ALPINE_ARCH.tar.gz}
NIX_VERSION=${NIX_VERSION:-2.4}
CONTAINER_FS_URL=${CONTAINER_FS_URL:-"$ALPINE_CDN/v$ALPINE_RELEASE/releases/$ALPINE_ARCH/$ALPINE_TARBALL"}
function help_and_die() {
echo "Usage: $0 [options] tag"
echo "Options:"
echo " --skip-bitcoinonly"
echo " --skip-normal"
echo " --skip-core"
echo " --skip-legacy"
echo " --repository path/to/repo"
echo " --help"
echo
echo "Set PRODUCTION=0 to run non-production builds."
exit 0
}
OPT_BUILD_CORE=1
OPT_BUILD_LEGACY=1
OPT_BUILD_NORMAL=1
OPT_BUILD_BITCOINONLY=1
REPOSITORY="/local"
while true; do
case "$1" in
-h|--help)
help_and_die
;;
--skip-bitcoinonly)
OPT_BUILD_BITCOINONLY=0
shift
;;
--skip-normal)
OPT_BUILD_NORMAL=0
shift
;;
--skip-core)
OPT_BUILD_CORE=0
shift
;;
--skip-legacy)
OPT_BUILD_LEGACY=0
shift
;;
--repository)
REPOSITORY="$2"
shift 2
;;
*)
break
;;
esac
done
if [ -z "$1" ]; then
help_and_die
fi
variants=()
if [ "$OPT_BUILD_NORMAL" -eq 1 ]; then
variants+=(0)
fi
if [ "$OPT_BUILD_BITCOINONLY" -eq 1 ]; then
variants+=(1)
fi
VARIANTS_core=()
VARIANTS_legacy=()
if [ "$OPT_BUILD_CORE" -eq 1 ]; then
VARIANTS_core=("${variants[@]}")
fi
if [ "$OPT_BUILD_LEGACY" -eq 1 ]; then
VARIANTS_legacy=("${variants[@]}")
fi
TAG="$1"
PRODUCTION=${PRODUCTION:-1}
if which wget > /dev/null ; then
wget --no-config -nc -P ci/ "$CONTAINER_FS_URL"
else
if ! [ -f "ci/$ALPINE_TARBALL" ]; then
curl -L -o "ci/$ALPINE_TARBALL" "$CONTAINER_FS_URL"
fi
fi
# check alpine checksum
if command -v sha256sum &> /dev/null ; then
echo "${ALPINE_CHECKSUM} ci/${ALPINE_TARBALL}" | sha256sum -c
else
echo "${ALPINE_CHECKSUM} ci/${ALPINE_TARBALL}" | shasum -a 256 -c
fi
echo
echo ">>> DOCKER BUILD ALPINE_VERSION=$ALPINE_VERSION ALPINE_ARCH=$ALPINE_ARCH NIX_VERSION=$NIX_VERSION -t $CONTAINER_NAME"
echo
$DOCKER build \
--network=host \
--build-arg ALPINE_VERSION="$ALPINE_VERSION" \
--build-arg ALPINE_ARCH="$ALPINE_ARCH" \
--build-arg NIX_VERSION="$NIX_VERSION" \
-t "$CONTAINER_NAME" \
ci/
# stat under macOS has slightly different cli interface
USER=$(stat -c "%u" . 2>/dev/null || stat -f "%u" .)
GROUP=$(stat -c "%g" . 2>/dev/null || stat -f "%g" .)
mkdir -p build/core build/legacy
mkdir -p build/core-bitcoinonly build/legacy-bitcoinonly
DIR=$(pwd)
# build core
for BITCOIN_ONLY in ${VARIANTS_core[@]}; do
DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly}
DIRSUFFIX=${DIRSUFFIX/0/}
SCRIPT_NAME=".build_core_$BITCOIN_ONLY.sh"
cat <<EOF > "build/$SCRIPT_NAME"
# DO NOT MODIFY!
# this file was generated by ${BASH_SOURCE[0]}
# variant: core build BITCOIN_ONLY=$BITCOIN_ONLY
set -e -o pipefail
cd /tmp
git clone "$REPOSITORY" trezor-firmware
cd trezor-firmware/core
ln -s /build build
git checkout "$TAG"
git submodule update --init --recursive
poetry install
poetry run make clean vendor build_firmware
poetry run ../python/tools/firmware-fingerprint.py \
-o build/firmware/firmware.bin.fingerprint \
build/firmware/firmware.bin
chown -R $USER:$GROUP /build
EOF
echo
echo ">>> DOCKER RUN core BITCOIN_ONLY=$BITCOIN_ONLY PRODUCTION=$PRODUCTION"
echo
$DOCKER run \
--network=host \
-it \
--rm \
-v "$DIR:/local" \
-v "$DIR/build/core$DIRSUFFIX":/build:z \
--env BITCOIN_ONLY="$BITCOIN_ONLY" \
--env PRODUCTION="$PRODUCTION" \
--init \
"$CONTAINER_NAME" \
/nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME"
done
# build legacy
for BITCOIN_ONLY in ${VARIANTS_legacy[@]}; do
DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly}
DIRSUFFIX=${DIRSUFFIX/0/}
SCRIPT_NAME=".build_legacy_$BITCOIN_ONLY.sh"
cat <<EOF > "build/$SCRIPT_NAME"
# DO NOT MODIFY!
# this file was generated by ${BASH_SOURCE[0]}
# variant: legacy build BITCOIN_ONLY=$BITCOIN_ONLY
set -e -o pipefail
cd /tmp
git clone "$REPOSITORY" trezor-firmware
cd trezor-firmware/legacy
ln -s /build build
git checkout "$TAG"
git submodule update --init --recursive
poetry install
poetry run script/cibuild
mkdir -p build/bootloader build/firmware build/intermediate_fw
cp bootloader/bootloader.bin build/bootloader/bootloader.bin
cp intermediate_fw/trezor.bin build/intermediate_fw/inter.bin
cp firmware/trezor.bin build/firmware/firmware.bin
cp firmware/trezor.elf build/firmware/firmware.elf
poetry run ../python/tools/firmware-fingerprint.py \
-o build/firmware/firmware.bin.fingerprint \
build/firmware/firmware.bin
chown -R $USER:$GROUP /build
EOF
echo
echo ">>> DOCKER RUN legacy BITCOIN_ONLY=$BITCOIN_ONLY PRODUCTION=$PRODUCTION"
echo
$DOCKER run \
--network=host \
-it \
--rm \
-v "$DIR:/local" \
-v "$DIR/build/legacy$DIRSUFFIX":/build:z \
--env BITCOIN_ONLY="$BITCOIN_ONLY" \
--env PRODUCTION="$PRODUCTION" \
--init \
"$CONTAINER_NAME" \
/nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME"
done
# all built, show fingerprints
echo "Fingerprints:"
for VARIANT in core legacy; do
VARIANTS="VARIANTS_$VARIANT[@]"
for BITCOIN_ONLY in ${!VARIANTS}; do
DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly}
DIRSUFFIX=${DIRSUFFIX/0/}
FWPATH=build/${VARIANT}${DIRSUFFIX}/firmware/firmware.bin
FINGERPRINT=$(tr -d '\n' < $FWPATH.fingerprint)
echo "$FINGERPRINT $FWPATH"
done
done