Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tfm-post-build: Don't capture subprocess stdout #14783

Merged
merged 1 commit into from
Jul 6, 2021
Merged

tfm-post-build: Don't capture subprocess stdout #14783

merged 1 commit into from
Jul 6, 2021

Conversation

rwalton-arm
Copy link
Contributor

Summary of changes

subprocess.PIPE is used to enable the parent process to communicate with
the subprocess via pipes, which mean all stdout and stderr messages are
captured and returned as part of Popen.communicate's result tuple.

In our case, we want to display the error messages on the console, so we
don't need to capture the output from stdout.

Example of a typical error message before this change:

Traceback (most recent call last):
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 197, in <module>
    sign_and_merge_tfm_bin(args.tfm_target, args.target_path, args.non_secure_bin, args.secure_bin)
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 81, in sign_and_merge_tfm_bin
    " secure binary, Error code: " + str(retcode))
Exception: Unable to sign musca_b1 secure binary, Error code: 1

Example of the error message after this change:

Traceback (most recent call last):
  File "/mbed-os/tools/psa/tfm/bin_utils/wrapper.py", line 13, in <module>
    import click
ModuleNotFoundError: No module named 'click'
Traceback (most recent call last):
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 194, in <module>
    sign_and_merge_tfm_bin(args.tfm_target, args.target_path, args.non_secure_bin, args.secure_bin)
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 80, in sign_and_merge_tfm_bin
    raise Exception("Unable to sign " + target_name +
Exception: Unable to sign musca_b1 secure binary, Error code: 1

Impact of changes

Migration actions required

Documentation

Pull request type 

[x] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[] Feature update (New feature / Functionality change / New API)
[] Major update (Breaking change E.g. Return code change / API behaviour change)

Test results 

[] No Tests required for this change (E.g docs only update)
[x] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

Reviewers

LDong-Arm
LDong-Arm suggested changes Jun 16, 2021
View reviewed changes
Copy link
Contributor

@LDong-Arm LDong-Arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rwalton-arm Thanks for the change.

Please also make the same change to the script for CLI 1:

mbed-os/tools/targets/ARM_MUSCA.py

Lines 161 to 171 in 3cf5f8e

def run_cmd(cmd, directory):
POPEN_INSTANCE = subprocess.Popen(
cmd,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
cwd=directory,
)
POPEN_INSTANCE.communicate()
return POPEN_INSTANCE.returncode

@ciarmcom ciarmcom added the release-type: patch Indentifies a PR as containing just a patch label Jun 16, 2021
@ciarmcom ciarmcom requested a review from a team June 16, 2021 13:30
@ciarmcom
Copy link
Member

@rwalton-arm, thank you for your changes.
@ARMmbed/mbed-os-maintainers please review.

@rwalton-arm
Copy link
Contributor Author

@rwalton-arm Thanks for the change.

Please also make the same change to the script for CLI 1:

mbed-os/tools/targets/ARM_MUSCA.py

Lines 161 to 171 in 3cf5f8e

def run_cmd(cmd, directory):
POPEN_INSTANCE = subprocess.Popen(
cmd,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
cwd=directory,
)
POPEN_INSTANCE.communicate()
return POPEN_INSTANCE.returncode

Thanks. I'll add it there, too. I didn't realise we had a different script for CLI 1. Good catch.

@LDong-Arm
Copy link
Contributor

LDong-Arm commented Jun 16, 2021
edited
Loading

Thanks. I'll add it there, too. I didn't realise we had a different script for CLI 1. Good catch.

No problem. Yea the scripts are slightly different but the CLI 2 script was derived from the CLI 1 one.

The idea was to make the CLI 2 script + CMake hook general purpose enough for all TF-M (not just Musca), but Nuvoton told us our script took too few arguments so they ended up making their own for their TF-M target. A future improvement would be extending our generic TF-M signing script to support that too. (Slightly off topic here.)

@LDong-Arm
Copy link
Contributor

^ Speaking of this, actually Nuvoton's script dumps the stdout only when there's an error:

mbed-os/targets/TARGET_NUVOTON/scripts/NUVOTON.py

Lines 178 to 201 in 3cf5f8e

def run_cmd(cmd, directory):
# Redirect stdout/stderr to pipe, text mode
POPEN_INSTANCE = subprocess.Popen(
cmd,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
cwd=directory,
universal_newlines=True
)
# Command line
print("COMMAND: {}".format(POPEN_INSTANCE.args))
stdout_data, stderr_data = POPEN_INSTANCE.communicate()
# stdout/stderr messages
if (stdout_data):
print(stdout_data)
if (stderr_data):
print(stderr_data)
# Return code
return POPEN_INSTANCE.returncode

However, the signing script isn't particularly verbose - it doesn't print anything unless an error occurs. So I'm okay with not capturing stdout.

LDong-Arm
LDong-Arm previously approved these changes Jun 16, 2021
View reviewed changes
Copy link
Contributor

@LDong-Arm LDong-Arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

0xc0170
0xc0170 previously approved these changes Jun 16, 2021
View reviewed changes
@rwalton-arm
Copy link
Contributor Author

Looks like travis failed due to an apt-get connection error.

Err:36 http://archive.ubuntu.com/ubuntu focal InRelease

  Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out

Err:37 http://archive.ubuntu.com/ubuntu focal-updates InRelease

  Unable to connect to archive.ubuntu.com:http:

Err:38 http://archive.ubuntu.com/ubuntu focal-backports InRelease

  Unable to connect to archive.ubuntu.com:http:

Fetched 4,078 kB in 31s (133 kB/s)

Reading package lists...

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Unable to connect to archive.ubuntu.com:http:

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Unable to connect to archive.ubuntu.com:http:

W: Some index files failed to download. They have been ignored, or old ones used instead.

The command "sudo -E apt-get -yq --no-install-suggests --no-install-recommends $(travis_apt_get_options) install cmake ninja-build gcovr libncursesw5 g++-7" failed and exited with 100 during .

Your build has been stopped.

@ciarmcom
Copy link
Member

This pull request has automatically been marked as stale because it has had no recent activity. @rwalton-arm, please carry out any necessary work to get the changes merged. Thank you for your contributions.

@ciarmcom ciarmcom added the stale Stale Pull Request label Jun 28, 2021
@LDong-Arm
Copy link
Contributor

Same failure when I manually reran Travis on this PR. I don't think the error is related to the change though.

@0xc0170
Copy link
Contributor

0xc0170 commented Jun 29, 2021

Same failure when I manually reran Travis on this PR. I don't think the error is related to the change though.

@rwalton-arm Let's rebase and that will retrigger the Travis, it should pass.

@rwalton-arm
tfm-post-build: Don't capture subprocess stdout
6d78f93 
subprocess.PIPE is used to enable the parent process to communicate with
the subprocess via pipes, which mean all stdout and stderr messages are
captured and returned as part of Popen.communicate's result tuple.

In our case, we want to display the error messages on the console, so we
don't need to capture the output from stdout.

Example of a typical error message before this change:
```
Traceback (most recent call last):
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 197, in <module>
    sign_and_merge_tfm_bin(args.tfm_target, args.target_path, args.non_secure_bin, args.secure_bin)
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 81, in sign_and_merge_tfm_bin
    " secure binary, Error code: " + str(retcode))
Exception: Unable to sign musca_b1 secure binary, Error code: 1
```

Example of the error message after this change:
```
Traceback (most recent call last):
  File "/mbed-os/tools/psa/tfm/bin_utils/wrapper.py", line 13, in <module>
    import click
ModuleNotFoundError: No module named 'click'
Traceback (most recent call last):
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 194, in <module>
    sign_and_merge_tfm_bin(args.tfm_target, args.target_path, args.non_secure_bin, args.secure_bin)
  File "platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST/scripts/generate_mbed_image.py", line 80, in sign_and_merge_tfm_bin
    raise Exception("Unable to sign " + target_name +
Exception: Unable to sign musca_b1 secure binary, Error code: 1
```

This is a significant improvement as now you can see what the reason for
the failure was.
@mergify mergify bot dismissed stale reviews from LDong-Arm and 0xc0170 June 29, 2021 14:39

Pull request has been modified.

@ciarmcom ciarmcom removed the stale Stale Pull Request label Jun 29, 2021
@rwalton-arm rwalton-arm linked an issue Jun 30, 2021 that may be closed by this pull request
TF-M post build hooks produce opaque error messages #14781
Closed
@rwalton-arm
Copy link
Contributor Author

Frozen tools check is failing because I modified https://github.com/ARMmbed/mbed-os/blob/master/tools/targets/ARM_MUSCA.py

@Patater can we ignore the frozen tools check for this?

@rwalton-arm
Copy link
Contributor Author

Thanks. I'll add it there, too. I didn't realise we had a different script for CLI 1. Good catch.

No problem. Yea the scripts are slightly different but the CLI 2 script was derived from the CLI 1 one.

The idea was to make the CLI 2 script + CMake hook general purpose enough for all TF-M (not just Musca), but Nuvoton told us our script took too few arguments so they ended up making their own for their TF-M target. A future improvement would be extending our generic TF-M signing script to support that too. (Slightly off topic here.)

We should really wrap the TF-M post build scripts up into a python package; rather than a collection of similar scripts that spin up subprocesses to reuse some "common" python code, with hard coded file paths. If we make this a pypi package, we can reuse common code easily using the python import system, manage dependencies properly, and make the interface generic enough to handle the various use cases. Maybe we could then even add some unit tests to prove it all works as expected.

@jeromecoutant
Copy link
Collaborator

Frozen tools check is failing because I modified https://github.com/ARMmbed/mbed-os/blob/master/tools/targets/ARM_MUSCA.py

@Patater can we ignore the frozen tools check for this?

Move script in targets/TARGET_ARM_SSG...

@0xc0170 0xc0170 requested a review from Patater July 1, 2021 09:07
Patater
Patater approved these changes Jul 1, 2021
View reviewed changes
Copy link
Contributor

@Patater Patater left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tools changes only to files used by targets not supported in the online compiler.

This was referenced Jul 6, 2021
Closed
Closed
@Patater
Copy link
Contributor

Patater commented Jul 6, 2021

CI started

@mbed-ci
Copy link

mbed-ci commented Jul 6, 2021

Jenkins CI Test : ✔️ SUCCESS

Build Number: 1 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

CLICK for Detailed Summary

jobs Status
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM ✔️
jenkins-ci/mbed-os-ci_greentea-test ✔️
jenkins-ci/mbed-os-ci_tfm-integration ✔️

@Patater Patater merged commit 75808ea into ARMmbed:master Jul 6, 2021
@mbedmain mbedmain added release-version: 6.13.0 Release-pending and removed release-type: patch Indentifies a PR as containing just a patch Release-pending labels Jul 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Patater Patater Patater approved these changes

@0xc0170 0xc0170 0xc0170 approved these changes

@LDong-Arm LDong-Arm LDong-Arm approved these changes

Assignees
No one assigned
Labels
component: core component: security needs: review release-version: 6.13.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TF-M post build hooks produce opaque error messages
8 participants
@rwalton-arm @ciarmcom @LDong-Arm @0xc0170 @jeromecoutant @Patater @mbed-ci @mbedmain