build px4 custom signed binaries

- build custom signed px4
- package fpga binaries to px4 container
- bootloader is now included in fpga bitstream so no need to package it anymore
- build from added tag: v1.14.0-*

.github/workflows/tiiuae-pixhawk-and-saluki-builder.yaml

@@ -4,6 +4,9 @@ on:
       product:
         required: true
         type: string
+      keys:
+        required: true
+        type: string
       enabled:
         required: false
         type: boolean
@@ -27,6 +30,9 @@ jobs:
       - name: Run px4-firmware ${{ inputs.product }} build
         run: |
           set -eux
+          if [ -n ${{ inputs.keys }} ]; then
+            export SIGNING_ARGS=${{ inputs.keys }}
+          fi
           mkdir -p bin
           cd px4-firmware/
           # run clone_public.sh if clone_public flag is provided

.github/workflows/tiiuae-pixhawk-and-saluki.yaml

@@ -3,6 +3,8 @@ name: tiiuae-pixhawk-and-saluki
 on:
   push:
     branches: [ main ]
+    tags:
+      - 'v1.14.0-*'
   pull_request:
     branches: [ main ]
   # Allows you to run this workflow manually from the Actions tab
@@ -19,21 +21,28 @@ permissions:
   packages: write
 
 env:
-  saluki_pi_fpga_version: "sha-6dc384d"
-  saluki_v2_fpga_version: "sha-6dc384d"
-  saluki_v3_fpga_version: "sha-6dc384d"
-  bootloader_v2_version: "master"
+  saluki_pi_fpga_version: "sha-d4ab4c3"
+  saluki_v2_fpga_version: "sha-d4ab4c3"
+  saluki_v3_fpga_version: "sha-d4ab4c3"
 
 jobs:
   fc_matrix:
     strategy:
       fail-fast: false
       matrix:
         product: [pixhawk, saluki-v2_default, saluki-v2_amp, saluki-v2_protected, saluki-v2_kernel, saluki-pi_default, saluki-pi_amp, saluki-pi_protected, saluki-v3_default, saluki-v3_amp]
+        include:
+          - product: saluki-v2_custom_keys
+            keys: Tools/saluki-sec-scripts/custom_keys/saluki-v2/px4_bin_ed25519_private.pem
+          - product: saluki-v3_custom_keys
+            keys: Tools/saluki-sec-scripts/custom_keys/saluki-v3/px4_bin_ed25519_private.pem
+          - product: saluki-pi_custom_keys
+            keys: Tools/saluki-sec-scripts/custom_keys/saluki-pi/px4_bin_ed25519_private.pem
 
     uses: ./.github/workflows/tiiuae-pixhawk-and-saluki-builder.yaml
     with:
       product: ${{ matrix.product }}
+      keys: ${{ matrix.keys }}
       # old workflow had condition to run only if PR is done to current repo (or triggered with other event)
       enabled: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
     secrets: inherit
@@ -113,7 +122,6 @@ jobs:
             "saluki_pi_fpga_version=${{ env.saluki_pi_fpga_version }}"
             "saluki_v2_fpga_version=${{ env.saluki_v2_fpga_version }}"
             "saluki_v3_fpga_version=${{ env.saluki_v3_fpga_version }}"
-            "bootloader_v2_version=${{ env.bootloader_v2_version }}"
 
   upload-px4fwupdater-uae:
     name: upload px4fwupdater to UAE docker registry
@@ -166,7 +174,6 @@ jobs:
             "saluki_pi_fpga_version=${{ env.saluki_pi_fpga_version }}"
             "saluki_v2_fpga_version=${{ env.saluki_v2_fpga_version }}"
             "saluki_v3_fpga_version=${{ env.saluki_v3_fpga_version }}"
-            "bootloader_v2_version=${{ env.bootloader_v2_version }}"
 
   artifactory:
     name: upload builds to artifactory

Tools/px_uploader.Dockerfile

@@ -1,12 +1,10 @@
 ARG saluki_pi_fpga_version
 ARG saluki_v2_fpga_version
 ARG saluki_v3_fpga_version
-ARG bootloader_v2_version
 
 FROM ghcr.io/tiiuae/saluki-pi-fpga:$saluki_pi_fpga_version AS SALUKI_PI
 FROM ghcr.io/tiiuae/saluki-pi-fpga:$saluki_v2_fpga_version AS SALUKI_V2
 FROM ghcr.io/tiiuae/saluki-pi-fpga:$saluki_v3_fpga_version AS SALUKI_V3
-FROM ghcr.io/tiiuae/saluki_bootloader_v2:$bootloader_v2_version AS BOOTLOADER_V2
 
 FROM python:alpine3.14
 
@@ -30,7 +28,6 @@ FROM python:alpine3.14
 COPY --from=SALUKI_PI /firmware/saluki_pi-fpga /firmware/fpga/saluki_pi
 COPY --from=SALUKI_V2 /firmware/saluki_v2-fpga /firmware/fpga/saluki_v2
 COPY --from=SALUKI_V3 /firmware/saluki_v3-fpga /firmware/fpga/saluki_v3
-COPY --from=BOOTLOADER_V2 firmware/bootloader_v2 /firmware/bootloader_v2
 
 WORKDIR /firmware
 

build.sh

@@ -23,6 +23,11 @@ usage() {
   echo
   exit 1
 }
+if [ -z ${SIGNING_ARGS+x} ]; then
+  SIGNING_ARGS=""
+else
+  echo "using custom signing keys: ${SIGNING_ARGS}"
+fi
 
 dest_dir="${1:-}"
 target="${2:-}"
@@ -40,7 +45,7 @@ mkdir -p ${dest_dir}
 pushd ${script_dir}
 
 build_env="docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) --pull -f ./packaging/Dockerfile.build_env -t ${iname_env} ."
-build_cmd_fw="docker run --rm -v ${script_dir}:/px4-firmware/sources ${iname_env} ./packaging/build_px4fw.sh"
+build_cmd_fw="docker run --rm -e SIGNING_ARGS=${SIGNING_ARGS} -v ${script_dir}:/px4-firmware/sources ${iname_env} ./packaging/build_px4fw.sh"
 build_cmd_px4fwupdater="${script_dir}/packaging/build_px4fwupdater.sh -v ${version} -i ${dest_dir}"
 
 # Generate build_env
@@ -86,6 +91,12 @@ case $target in
     cp ${script_dir}/build/ssrc_saluki-v2_kernel/ssrc_saluki-v2_kernel.bin ${dest_dir}/ssrc_saluki-v2_kernel-${version}.bin
     cp ${script_dir}/build/ssrc_saluki-v2_kernel/ssrc_saluki-v2_kernel_kernel.elf ${dest_dir}/ssrc_saluki-v2_kernel-${version}.elf
     ;;
+  "saluki-v2_custom_keys")
+    # on custom keys case we build _default target but SIGNING_ARGS env variable is set above in build_cmd_fw
+    $build_cmd_fw ssrc_saluki-v2_default
+    cp ${script_dir}/build/ssrc_saluki-v2_default/ssrc_saluki-v2_default.px4 ${dest_dir}/ssrc_saluki-v2_custom_keys-${version}.px4
+    ;;
+
   "saluki-v3_default")
     $build_cmd_fw ssrc_saluki-v3_default
     cp ${script_dir}/build/ssrc_saluki-v3_default/ssrc_saluki-v3_default.px4 ${dest_dir}/ssrc_saluki-v3_default-${version}.px4
@@ -94,6 +105,11 @@ case $target in
     $build_cmd_fw ssrc_saluki-v3_amp
     cp ${script_dir}/build/ssrc_saluki-v3_amp/ssrc_saluki-v3_amp.bin ${dest_dir}/ssrc_saluki-v3_amp-${version}.bin
     ;;
+  "saluki-v3_custom_keys")
+    # on custom keys case we build _default target but SIGNING_ARGS env variable is set above in build_cmd_fw
+    $build_cmd_fw ssrc_saluki-v3_default
+    cp ${script_dir}/build/ssrc_saluki-v3_default/ssrc_saluki-v3_default.px4 ${dest_dir}/ssrc_saluki-v3_custom_keys-${version}.px4
+    ;;
   "saluki-pi_default")
     $build_cmd_fw ssrc_saluki-pi_default
     cp ${script_dir}/build/ssrc_saluki-pi_default/ssrc_saluki-pi_default.px4 ${dest_dir}/ssrc_saluki-pi_default-${version}.px4
@@ -106,6 +122,12 @@ case $target in
     $build_cmd_fw ssrc_saluki-pi_amp
     cp ${script_dir}/build/ssrc_saluki-pi_amp/ssrc_saluki-pi_amp.bin ${dest_dir}/ssrc_saluki-pi_amp-${version}.bin
     ;;
+  "saluki-pi_custom_keys")
+    # on custom keys case we build _default target but SIGNING_ARGS env variable is set above in build_cmd_fw
+    $build_cmd_fw ssrc_saluki-pi_default
+    cp ${script_dir}/build/ssrc_saluki-pi_default/ssrc_saluki-pi_default.px4 ${dest_dir}/ssrc_saluki-pi_custom_keys-${version}.px4
+    ;;
+
    *)
     usage
     ;;