From 2ddd523c29ddac6013cb9c61709dc67504c4b7fa Mon Sep 17 00:00:00 2001
From: Daniel Lublin <daniel@lublin.se>
Date: Fri, 31 Mar 2023 10:18:35 +0200
Subject: [PATCH] Use tkey-builder:2; add hashes & checks for bitstream & fw
 bins

Signed-off-by: Daniel Lublin <daniel@lublin.se>
---
 .github/workflows/ci.yaml                       | 6 +++++-
 LICENSES/spdx-ensure                            | 3 +++
 hw/application_fpga/Makefile                    | 5 +++++
 hw/application_fpga/application_fpga.bin.sha256 | 1 +
 hw/application_fpga/firmware.bin.sha512         | 1 +
 5 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 hw/application_fpga/application_fpga.bin.sha256
 create mode 100644 hw/application_fpga/firmware.bin.sha512

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d21f610..11ba8af 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,7 +13,7 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/tillitis/tkey-builder:1
+      image: ghcr.io/tillitis/tkey-builder:2
     steps:
       - name: checkout
         uses: actions/checkout@v3
@@ -53,6 +53,10 @@ jobs:
         working-directory: hw/application_fpga
         run: make all
 
+      - name: check matching hashes for firmware.bin & application_fpga.bin
+        working-directory: hw/application_fpga
+        run: make check-binary-hashes
+
       # TODO? first deal with hw/boards/ and hw/production_test/
       # - name: check for SPDX tags
       #   run: ./LICENSES/spdx-ensure
diff --git a/LICENSES/spdx-ensure b/LICENSES/spdx-ensure
index 93bcabc..ece9e26 100755
--- a/LICENSES/spdx-ensure
+++ b/LICENSES/spdx-ensure
@@ -28,6 +28,8 @@ contrib/99-tillitis.rules
 contrib/Dockerfile
 contrib/Makefile
 dco.md
+hw/application_fpga/application_fpga.bin.sha256
+hw/application_fpga/config.vlt
 hw/application_fpga/core/timer/README.md
 hw/application_fpga/core/tk1/README.md
 hw/application_fpga/core/touch_sense/README.md
@@ -35,6 +37,7 @@ hw/application_fpga/core/trng/README.md
 hw/application_fpga/core/uds/README.txt
 hw/application_fpga/data/udi.hex
 hw/application_fpga/data/uds.hex
+hw/application_fpga/firmware.bin.sha512
 hw/application_fpga/fw/.clang-format
 hw/application_fpga/fw/testfw/Makefile
 hw/application_fpga/fw/tk1/Makefile
diff --git a/hw/application_fpga/Makefile b/hw/application_fpga/Makefile
index eac56b5..0446a33 100644
--- a/hw/application_fpga/Makefile
+++ b/hw/application_fpga/Makefile
@@ -157,6 +157,11 @@ firmware.hex: firmware.bin firmware_size_mismatch
 testfw.hex: testfw.bin testfw_size_mismatch
 	python3 $(P)/tools/makehex/makehex.py $< $(BRAM_FW_SIZE) > $@
 
+.PHONY: check-binary-hashes
+check-binary-hashes:
+	sha512sum -c firmware.bin.sha512
+	sha256sum -c application_fpga.bin.sha256
+
 %.bin: %.elf
 	$(SIZE) $<
 	@test "$$($(SIZE) $< | awk 'NR==2{print $$2, $$3}')" = "0 0" \
diff --git a/hw/application_fpga/application_fpga.bin.sha256 b/hw/application_fpga/application_fpga.bin.sha256
new file mode 100644
index 0000000..e048558
--- /dev/null
+++ b/hw/application_fpga/application_fpga.bin.sha256
@@ -0,0 +1 @@
+d2970828269b3ba7f09fb73b8592b08814dfe8c8087b00b0659feb516bb00f33  application_fpga.bin
diff --git a/hw/application_fpga/firmware.bin.sha512 b/hw/application_fpga/firmware.bin.sha512
new file mode 100644
index 0000000..71e2a45
--- /dev/null
+++ b/hw/application_fpga/firmware.bin.sha512
@@ -0,0 +1 @@
+3769540390ee3d990ea3f9e4cc9a0d1af5bcaebb82218185a78c39c6bf01d9cdc305ba253a1fb9f3f9fcc63d97c8e5f34bbb1f7bec56a8f246f1d2239867b623  firmware.bin