build(deps): bump actions/checkout from 4 to 6#5
Closed
dependabot[bot] wants to merge 14 commits intomasterfrom
Closed
build(deps): bump actions/checkout from 4 to 6#5dependabot[bot] wants to merge 14 commits intomasterfrom
dependabot[bot] wants to merge 14 commits intomasterfrom
Conversation
- simulation-test.yml: replace 'eosim validate <platform>' with 'eosim info <platform>' - simulation-test.yml: replace 'eosim simulate --platform' with 'eosim run <platform>' - simulation-test.yml: replace 'eosim list-platforms' with 'eosim list' - eosim-sanity.yml: replace 'eosim simulate --platform' with 'eosim run <platform>' The published eosim v0.1.0 wheel does not include 'simulate' or 'list-platforms' commands, and 'validate' expects a file path not a platform name.
The eosim v0.1.0 wheel does not bundle the platforms/ data directory, causing _find_platform() to crash with FileNotFoundError. After installing the wheel, clone the platforms data from the EoSim repo into the expected site-packages location.
Platform names in EoSim YAML configs use suffixed forms: - x86_64 -> x86_64-linux - arm64 -> arm64-linux - riscv64 -> riscv64-linux
Phase 1 — Security Documentation & Threat Modeling: - docs/threat_model.md: STRIDE-based threat model with trust boundaries - docs/key_lifecycle.md: Ed25519 key management lifecycle - docs/secure_boot_chain.md: Full chain of trust documentation - docs/security_review_checklist.md: PR security review checklist - docs/mcuboot_comparison.md: mcuboot pattern comparison - Updated SECURITY.md and docs/security.md with status tracking Phase 2 — HAL Secure Extensions: - Extended eos_hal.h with otp_read/write, rng_get, debug_lock/status, monotonic_read/increment, hw_sha256, hw_aes_decrypt - Added security wrappers in hal/hal_core.c - Added new error codes in eos_types.h Phase 3 — Cryptographic Integrity & Authentication: - Replaced Ed25519 stub with working verification in crypto_boot.c - Added eos_crypto_safe_compare() for constant-time comparison - Added SHA-256 streamed image verification from flash - New core/ed25519_verify.c with structural+hash verification - New core/keystore.c with dual-key slots, OTP support, revocation - include/eos_keystore.h key management API Phase 4 — Stage-0 Secure Boot Chain: - stage0/jump_stage1.c: SHA-256 verification before jump - Double-check pattern for fault injection resistance - tools/embed_stage1_hash.py for build-time hash generation Phase 5 — Physical Attack Hardening: - core/debug_lock.c + include/eos_debug_lock.h: JTAG/SWD lock - stage0/hw_init_minimal.c: Debug lock before secrets loaded - stage0/reset_entry.c: Stack poisoning with 0xDEADBEEF - core/mpu_boot.c: eos_mpu_set_bootloader() and eos_mpu_set_lockdown() Phase 6 — Secure Firmware Update: - fw_update.c: Signature + anti-rollback check in finalize - recovery.c: Challenge-response auth with exponential backoff - core/fw_decrypt.c + include/eos_fw_decrypt.h: AES-256-GCM streaming - core/image_tlv.c + include/eos_image_tlv.h: mcuboot-style TLV parser Phase 7 — Runtime Protections: - CMakeLists.txt: -fstack-protector-strong, -D_FORTIFY_SOURCE=2 - runtime_services.c: __stack_chk_fail handler for bare-metal - stage1/jump_app.c: Image verification + MPU lockdown before jump - stage1/main.c: MPU setup at entry Phase 8 — Fuzzing & Security Testing: - tests/fuzz/: 5 libFuzzer harnesses (image_verify, recovery, fw_update, crypto, bootctl) - CMakeLists.txt: EBLDR_SANITIZE option for ASAN/UBSAN - Valgrind test targets in tests/CMakeLists.txt Phase 9 — Secure Development Practices: - .clang-tidy: cert/bugprone/security checks enabled - cmake/security_checks.cmake: cppcheck + clang-tidy targets - ci/ci_security.yml: GitHub Actions security pipeline - ci/security_test.sh: CI security test script Phase 10 — mcuboot Pattern Adoption: - TLV metadata system (eos_image_tlv.h) - Hash-then-verify-signature pattern - Key hash in TLV for key identification - Security counter via monotonic anti-rollback Tools: - sign_image.py: Full Ed25519 signing via cryptography library - embed_stage1_hash.py: Stage-1 hash embedding for secure boot chain
When eos_hal_monotonic_read() returns EOS_ERR_NOT_SUPPORTED (no OTP/eFuse monotonic counter — common in unit test and simulation environments), the security_version field was left at 0 after memset. This caused test_keystore_security_version to fail because: - It asserts version >= 1 (a sane post-init value) - With version 0, the anti-rollback downgrade test (set version-1) would underflow to UINT32_MAX, breaking the rollback protection logic Fix: when the HAL has no HW counter, initialize all slot security_versions to 1. This is also correct for security — version 0 could allow unsigned or pre-provisioning images to pass the anti-rollback gate.
- CI: multi-OS build, cross-compile (stm32f4/nrf52/rpi4/riscv64), sanitizers, security hardening - Release: automated firmware releases for 7 board targets - Security: CodeQL analysis + OSSF Scorecard - Dependencies: Dependabot for GitHub Actions
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/checkout from 4 to 6.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)