Initial commit

Initial commit.
2026-03-23 14:40:39 -05:00
parent e84b2b4166
commit 4e2a5258a5
872 changed files with 165227 additions and 0 deletions
--- a/bootloader/mcuboot/ci/check-signed-off-by.sh
+++ b/bootloader/mcuboot/ci/check-signed-off-by.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+DEPENDABOT_COMMITER='GitHub <noreply@github.com>'
+DEPENDABOT_AUTHOR='dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>'
+
+if [[ -n "$1" ]]; then
+    commits=$(git show -s --format=%h ${1}~..HEAD)
+else
+    parents=(`git log -n 1 --format=%p HEAD`)
+    if [[ "${#parents[@]}" -ne 2 ]]; then
+        echo "HEAD is not a merge commit, please supply the oldest SHA"
+        exit 1
+    fi
+    commits=$(git show -s --format=%h ${parents[0]}..${parents[1]})
+fi
+
+if [[ -z "${commits}" ]]; then
+  echo "No commits found in this PR!"
+  exit 1
+fi
+
+for sha in $commits; do
+  author="$(git show -s --format="%an <%ae>" ${sha})"
+  committer="$(git show -s --format="%cn <%ce>" ${sha})"
+
+  if [[ "${committer}" == "${DEPENDABOT_COMMITER}" ]] &&
+     [[ "${author}" == "${DEPENDABOT_AUTHOR}" ]]; then
+    continue
+  fi
+
+  author="Signed-off-by: ${author}"
+  committer="Signed-off-by: ${committer}"
+
+  lines="$(git show -s --format=%B ${sha})"
+
+  found_author=false
+  # Don't enforce committer email on forks; this primarily avoids issues
+  # running workflows on the zephyr fork, because rebases done in the GH UX
+  # use the primary email of the committer, which might not match the one
+  # used in git CLI.
+  if [[ $GITHUB_REPOSITORY == mcu-tools/* ]]; then
+    found_committer=false
+  else
+    found_committer=true
+  fi
+
+  IFS=$'\n'
+  for line in ${lines}; do
+    stripped=$(echo $line | sed -e 's/^\s*//' | sed -e 's/\s*$//')
+    if [[ "${stripped}" == "${author}" ]]; then
+      found_author=true
+    fi
+    if [[ "${stripped}" == "${committer}" ]]; then
+      found_committer=true
+    fi
+
+    [[ ${found_author} == true && ${found_committer} == true ]] && break
+  done
+
+  if [[ ${found_author} == false ]]; then
+    echo -e "Missing \"${author}\" in commit ${sha}"
+  fi
+  if [[ ${found_committer} == false ]]; then
+    echo -e "Missing \"${committer}\" in commit ${sha}"
+  fi
+  if [[ ${found_author} == false || ${found_committer} == false ]]; then
+    exit 1
+  fi
+done
--- a/bootloader/mcuboot/ci/compare_versions.py
+++ b/bootloader/mcuboot/ci/compare_versions.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from packaging.version import parse, InvalidVersion
+import argparse
+import sys
+
+try:
+    from packaging.version import LegacyVersion
+except ImportError:
+    LegacyVersion = ()  # trick isinstance!
+
+# exit with 0 if --new is equal to --old
+# exit with 1 on errors
+# exit with 2 if --new is newer than --old
+# exit with 3 if --new is older than --old
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--old', help='Version currently in use')
+parser.add_argument('--new', help='New version to publish')
+
+args = parser.parse_args()
+if args.old is None or args.new is None:
+    parser.print_help()
+    exit(1)
+
+# packaging>=22 only supports PEP-440 version numbers, and a non-valid version
+# will throw InvalidVersion. Previous packaging releases would create a
+# LegacyVersion object if the given version string failed to parse as PEP-440,
+# and since we use versions closer to semver, we want to fail in that case.
+
+versions = []
+for version in [args.old, args.new]:
+    try:
+        versions.append(parse(version))
+    except InvalidVersion:
+        print("Invalid version parsed: {}".format(version))
+        sys.exit(1)
+
+old, new = versions[0], versions[1]
+for version in [old, new]:
+    if isinstance(version, LegacyVersion):
+        print("Invalid version parsed: {}".format(version))
+        sys.exit(1)
+
+if new == old:
+    print("No version change")
+    sys.exit(0)
+elif new > old:
+    print("Upgrade detected ({} > {})".format(new, old))
+    sys.exit(2)
+
+print("Downgrade detected ({} < {})".format(new, old))
+sys.exit(3)
--- a/bootloader/mcuboot/ci/espressif_install.sh
+++ b/bootloader/mcuboot/ci/espressif_install.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+# SPDX-License-Identifier: Apache-2.0
+
+set -eo pipefail
+
+install_imgtool() {
+    pip install imgtool
+}
+
+install_idf() {
+    pushd $HOME
+    git clone --depth=1 https://github.com/espressif/esp-idf.git --branch release/v5.1
+    [[ $? -ne 0 ]] && exit 1
+
+    $HOME/esp-idf/install.sh
+    [[ $? -ne 0 ]] && exit 1
+
+    popd
+}
+
+install_imgtool
+install_idf
--- a/bootloader/mcuboot/ci/espressif_run.sh
+++ b/bootloader/mcuboot/ci/espressif_run.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+# SPDX-License-Identifier: Apache-2.0
+
+SCRIPT_ROOTDIR=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
+MCUBOOT_ROOTDIR=$(realpath "${SCRIPT_ROOTDIR}/..")
+ESPRESSIF_ROOT="${MCUBOOT_ROOTDIR}/boot/espressif"
+IDF_PATH="${HOME}/esp-idf"
+
+set -eo pipefail
+
+prepare_environment() {
+  # Prepare the environment for ESP-IDF
+
+  . "${IDF_PATH}"/export.sh
+}
+
+build_mcuboot() {
+  local target=${1}
+  local feature=${2}
+  local img_num=${3}
+  local build_dir=".build-${target}"
+  local toolchain_file="${ESPRESSIF_ROOT}/tools/toolchain-${target}.cmake"
+
+  if [ -n "$img_num" ]; then
+    img_num="-${img_num}"
+  fi
+  local mcuboot_config="${ESPRESSIF_ROOT}/port/${target}/bootloader${img_num}.conf"
+
+  if [ -n "${feature}" ]; then
+    mcuboot_config="${mcuboot_config};${ESPRESSIF_ROOT}/ci_configs/${feature}.conf"
+    build_dir=".build-${target}-${feature}"
+  fi
+
+  # Build MCUboot for selected target
+
+  cd "${MCUBOOT_ROOTDIR}" &>/dev/null
+  cmake -DCMAKE_TOOLCHAIN_FILE="${toolchain_file}"  \
+        -DMCUBOOT_TARGET="${target}"                \
+        -DMCUBOOT_CONFIG_FILE="${mcuboot_config}"   \
+        -DESP_HAL_PATH="${IDF_PATH}"                \
+        -B "${build_dir}"                           \
+        "${ESPRESSIF_ROOT}"
+  cmake --build "${build_dir}"/
+}
+
+prepare_environment
+
+if [ -n "${MCUBOOT_FEATURES}" ]; then
+  IFS=','
+  read -ra target_list <<< "${MCUBOOT_TARGETS}"
+  read img_num <<< "${MCUBOOT_IMG_NUM}"
+  for target in "${target_list[@]}"; do
+    read -ra feature_list <<< "${MCUBOOT_FEATURES}"
+    for feature in "${feature_list[@]}"; do
+      echo "Building MCUboot for \"${target}\" with support for \"${feature}\""
+      build_mcuboot "${target}" "${feature}" "${img_num}"
+    done
+  done
+fi
--- a/bootloader/mcuboot/ci/fih-tests_install.sh
+++ b/bootloader/mcuboot/ci/fih-tests_install.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -x
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+source $(dirname "$0")/fih-tests_version.sh
+
+DOCKER_DIR=docker
+
+IMAGE=fih-test:$FIH_IMAGE_VERSION
+
+CACHED_IMAGE=$DOCKER_DIR/$IMAGE
+
+[[ -f $CACHED_IMAGE ]] && (gzip -dc $CACHED_IMAGE | docker load)
+
+if [[ $? -ne 0 ]]; then
+    docker pull mcuboot/$IMAGE
+    if [[ $GITHUB_ACTIONS != true ]]; then
+        docker save mcuboot/$IMAGE | gzip > $CACHED_IMAGE
+    fi
+fi
--- a/bootloader/mcuboot/ci/fih-tests_run.sh
+++ b/bootloader/mcuboot/ci/fih-tests_run.sh
@@ -0,0 +1,58 @@
+#!/bin/bash -x
+
+# Copyright (c) 2020-2024 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+source $(dirname "$0")/fih-tests_version.sh
+
+pushd .. &&\
+   git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git &&\
+   pushd trusted-firmware-m &&\
+   git checkout eb8ff0db7d657b77abcd0262d5bf7f38eb1e1cdc &&\
+   source lib/ext/tf-m-tests/version.txt &&\
+   popd &&\
+   git clone https://git.trustedfirmware.org/TF-M/tf-m-tests.git &&\
+   pushd tf-m-tests &&\
+   git checkout $version &&\
+   popd
+
+if [[ $GITHUB_ACTIONS == true ]]; then
+    if [[ -z $FIH_ENV ]]; then
+        echo "Workflow has found no \$FIH_ENV"
+        exit 1
+    fi
+
+    args=($FIH_ENV)
+    len=${#args[@]}
+    if [[ $len < 3 ]]; then
+        echo "Invalid number of \$FIH_ENV args"
+        exit 1
+    fi
+
+    BUILD_TYPE=${args[0]}
+    SKIP_SIZE=${args[1]}
+    DAMAGE_TYPE=${args[2]}
+
+    if [[ $len > 3 ]]; then
+        FIH_LEVEL=${args[3]}
+    fi
+fi
+
+if test -z "$FIH_LEVEL"; then
+    docker run --rm -v $(pwd):/root/work/tfm:rw,z mcuboot/fih-test:$FIH_IMAGE_VERSION /bin/sh -c '/root/work/tfm/mcuboot/ci/fih_test_docker/execute_test.sh $0 $1 $2' $SKIP_SIZE $BUILD_TYPE $DAMAGE_TYPE
+else
+    docker run --rm -v $(pwd):/root/work/tfm:rw,z mcuboot/fih-test:$FIH_IMAGE_VERSION /bin/sh -c '/root/work/tfm/mcuboot/ci/fih_test_docker/execute_test.sh $0 $1 $2 $3' $SKIP_SIZE $BUILD_TYPE $DAMAGE_TYPE $FIH_LEVEL
+fi
--- a/bootloader/mcuboot/ci/fih-tests_version.sh
+++ b/bootloader/mcuboot/ci/fih-tests_version.sh
@@ -0,0 +1 @@
+FIH_IMAGE_VERSION=0.0.3
--- a/bootloader/mcuboot/ci/fih_test_docker/damage_image.py
+++ b/bootloader/mcuboot/ci/fih_test_docker/damage_image.py
@@ -0,0 +1,211 @@
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import logging
+import struct
+import sys
+
+from imgtool.image import (IMAGE_HEADER_SIZE, IMAGE_MAGIC,
+                           TLV_INFO_MAGIC, TLV_PROT_INFO_MAGIC, TLV_VALUES)
+from shutil import copyfile
+
+
+def get_tlv_type_string(tlv_type):
+    tlvs = {v: f"IMAGE_TLV_{k}" for k, v in TLV_VALUES.items()}
+    return tlvs.get(tlv_type, "UNKNOWN({:d})".format(tlv_type))
+
+
+class ImageHeader:
+
+    def __init__(self):
+        self.ih_magic = 0
+        self.ih_load_addr = 0
+        self.ih_hdr_size = 0
+        self.ih_protect_tlv_size = 0
+        self.ih_img_size = 0
+        self.ih_flags = 0
+        self.iv_major = 0
+        self.iv_minor = 0
+        self.iv_revision = 0
+        self.iv_build_num = 0
+        self._pad1 = 0
+
+    @staticmethod
+    def read_from_binary(in_file):
+        h = ImageHeader()
+
+        (h.ih_magic, h.ih_load_addr, h.ih_hdr_size, h.ih_protect_tlv_size, h.ih_img_size,
+            h.ih_flags, h.iv_major, h.iv_minor, h.iv_revision, h.iv_build_num, h._pad1
+         ) = struct.unpack('<IIHHIIBBHII', in_file.read(IMAGE_HEADER_SIZE))
+        return h
+
+    def __repr__(self):
+        return "\n".join([
+            "    ih_magic = 0x{:X}".format(self.ih_magic),
+            "    ih_load_addr = " + str(self.ih_load_addr),
+            "    ih_hdr_size = " + str(self.ih_hdr_size),
+            "    ih_protect_tlv_size = " + str(self.ih_protect_tlv_size),
+            "    ih_img_size = " + str(self.ih_img_size),
+            "    ih_flags = " + str(self.ih_flags),
+            "    iv_major = " + str(self.iv_major),
+            "    iv_minor = " + str(self.iv_minor),
+            "    iv_revision = " + str(self.iv_revision),
+            "    iv_build_num = " + str(self.iv_build_num),
+            "    _pad1 = " + str(self._pad1)])
+
+
+class ImageTLVInfo:
+    def __init__(self):
+        self.format_string = '<HH'
+
+        self.it_magic = 0
+        self.it_tlv_tot = 0
+
+    @staticmethod
+    def read_from_binary(in_file):
+        i = ImageTLVInfo()
+
+        (i.it_magic, i.it_tlv_tot) = struct.unpack('<HH', in_file.read(4))
+        return i
+
+    def __repr__(self):
+        return "\n".join([
+            "    it_magic = 0x{:X}".format(self.it_magic),
+            "    it_tlv_tot = " + str(self.it_tlv_tot)])
+
+    def __len__(self):
+        return struct.calcsize(self.format_string)
+
+
+class ImageTLV:
+    def __init__(self):
+        self.it_value = 0
+        self.it_type = 0
+        self.it_len = 0
+
+    @staticmethod
+    def read_from_binary(in_file):
+        tlv = ImageTLV()
+        (tlv.it_type, _, tlv.it_len) = struct.unpack('<BBH', in_file.read(4))
+        (tlv.it_value) = struct.unpack('<{:d}s'.format(tlv.it_len), in_file.read(tlv.it_len))
+        return tlv
+
+    def __len__(self):
+        round_to = 1
+        return int((4 + self.it_len + round_to - 1) // round_to) * round_to
+
+
+def get_arguments():
+    parser = argparse.ArgumentParser(description='Corrupt an MCUBoot image')
+    parser.add_argument("-i", "--in-file", required=True, help='The input image to be corrupted (read only)')
+    parser.add_argument("-o", "--out-file", required=True, help='the corrupted image')
+    parser.add_argument('-a', '--image-hash',
+                        default=False,
+                        action="store_true",
+                        required=False,
+                        help='Corrupt the image hash')
+    parser.add_argument('-s', '--signature',
+                        default=False,
+                        action="store_true",
+                        required=False,
+                        help='Corrupt the signature of the image')
+    return parser.parse_args()
+
+
+def damage_tlv(image_offset, tlv_off, tlv, out_file_content):
+    damage_offset = image_offset + tlv_off + 4
+    logging.info("        Damaging TLV at offset 0x{:X}...".format(damage_offset))
+    value = bytearray(tlv.it_value[0])
+    value[0] = (value[0] + 1) % 256
+    out_file_content[damage_offset] = value[0]
+
+
+def is_valid_signature(tlv):
+    return tlv.it_type == TLV_VALUES['RSA2048'] or tlv.it_type == TLV_VALUES['RSA3072']
+
+
+def damage_image(args, in_file, out_file_content, image_offset):
+    in_file.seek(image_offset, 0)
+
+    # Find the Image header
+    image_header = ImageHeader.read_from_binary(in_file)
+    if image_header.ih_magic != IMAGE_MAGIC:
+        raise Exception("Invalid magic in image_header: 0x{:X} instead of 0x{:X}".format(image_header.ih_magic, IMAGE_MAGIC))
+
+    # Find the TLV header
+    tlv_info_offset = image_header.ih_hdr_size + image_header.ih_img_size
+    in_file.seek(image_offset + tlv_info_offset, 0)
+
+    tlv_info = ImageTLVInfo.read_from_binary(in_file)
+    if tlv_info.it_magic == TLV_PROT_INFO_MAGIC:
+        logging.debug("Protected TLV found at offset 0x{:X}".format(tlv_info_offset))
+        if image_header.ih_protect_tlv_size != tlv_info.it_tlv_tot:
+            raise Exception("Invalid prot TLV len ({:d} vs. {:d})".format(image_header.ih_protect_tlv_size, tlv_info.it_tlv_tot))
+
+        # seek to unprotected TLV
+        tlv_info_offset += tlv_info.it_tlv_tot
+        in_file.seek(image_offset + tlv_info_offset)
+        tlv_info = ImageTLVInfo.read_from_binary(in_file)
+
+    else:
+        if image_header.ih_protect_tlv_size != 0:
+            raise Exception("No prot TLV was found.")
+
+    logging.debug("Unprotected TLV found at offset 0x{:X}".format(tlv_info_offset))
+    if tlv_info.it_magic != TLV_INFO_MAGIC:
+        raise Exception("Invalid magic in tlv info: 0x{:X} instead of 0x{:X}".format(tlv_info.it_magic, TLV_INFO_MAGIC))
+
+    tlv_off = tlv_info_offset + len(ImageTLVInfo())
+    tlv_end = tlv_info_offset + tlv_info.it_tlv_tot
+
+    # iterate over the TLV entries
+    while tlv_off < tlv_end:
+        in_file.seek(image_offset + tlv_off, 0)
+        tlv = ImageTLV.read_from_binary(in_file)
+
+        logging.debug("    tlv {:24s} len = {:4d}, len = {:4d}".format(get_tlv_type_string(tlv.it_type), tlv.it_len, len(tlv)))
+
+        if is_valid_signature(tlv) and args.signature:
+            damage_tlv(image_offset, tlv_off, tlv, out_file_content)
+        elif tlv.it_type == TLV_VALUES['SHA256'] and args.image_hash:
+            damage_tlv(image_offset, tlv_off, tlv, out_file_content)
+
+        tlv_off += len(tlv)
+
+
+def main():
+    args = get_arguments()
+
+    logging.debug("The script was started")
+
+    copyfile(args.in_file, args.out_file)
+    in_file = open(args.in_file, 'rb')
+
+    out_file_content = bytearray(in_file.read())
+
+    damage_image(args, in_file, out_file_content, 0)
+
+    in_file.close()
+
+    file_to_damage = open(args.out_file, 'wb')
+    file_to_damage.write(out_file_content)
+    file_to_damage.close()
+
+
+if __name__ == "__main__":
+    logging.basicConfig(format='%(levelname)5s: %(message)s',
+                        level=logging.DEBUG, stream=sys.stdout)
+
+    main()
--- a/bootloader/mcuboot/ci/fih_test_docker/docker-build/Dockerfile
+++ b/bootloader/mcuboot/ci/fih_test_docker/docker-build/Dockerfile
@@ -0,0 +1,45 @@
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:jammy
+
+# Get dependencies for retrieving and building TF-M with MCUBoot, and QEMU.
+RUN apt-get update && \
+    DEBIAN_FRONTEND="noninteractive" \
+    apt-get install -y \
+    cmake \
+    curl \
+    gcc-arm-none-eabi \
+    gdb-multiarch \
+    git \
+    libncurses5 \
+    python3 \
+    python3-pip \
+    qemu-system-arm \
+    file &&\
+    apt-get clean all
+
+# Installing python packages
+RUN python3 -m pip install \
+    imgtool>=1.9.0 \
+    Jinja2>=2.10.3 \
+    PyYAML \
+    pyasn1
+
+# Add tfm work directory && get rid of spurious git ownership errors
+RUN mkdir -p /root/work/tfm &&\
+    git config --global --add safe.directory '*'
+
+# run the command
+CMD ["bash"]
--- a/bootloader/mcuboot/ci/fih_test_docker/docker-build/build.sh
+++ b/bootloader/mcuboot/ci/fih_test_docker/docker-build/build.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+trap cleanup_exit INT TERM EXIT
+
+cleanup_exit()
+{
+  rm -f *.list *.key
+}
+
+export LANG=C
+
+image=mcuboot/fih-test
+docker build --pull --tag=$image .
--- a/bootloader/mcuboot/ci/fih_test_docker/execute_test.sh
+++ b/bootloader/mcuboot/ci/fih_test_docker/execute_test.sh
@@ -0,0 +1,68 @@
+#!/bin/bash -x
+
+# Copyright (c) 2020-2023 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+source $(dirname "$0")/paths.sh
+
+SKIP_SIZE=$1
+BUILD_TYPE=$2
+DAMAGE_TYPE=$3
+FIH_LEVEL=$4
+
+if test -z "$FIH_LEVEL"; then
+    # Use the default level
+    CMAKE_FIH_LEVEL=""
+else
+    CMAKE_FIH_LEVEL="-DMCUBOOT_FIH_PROFILE=\"$FIH_LEVEL\""
+fi
+
+# build TF-M with MCUBoot
+mkdir -p $TFM_BUILD_PATH $TFM_SPE_BUILD_PATH
+
+cmake -S $TFM_TESTS_PATH/tests_reg/spe \
+    -B $TFM_SPE_BUILD_PATH \
+    -DTFM_PLATFORM=arm/mps2/an521 \
+    -DCONFIG_TFM_SOURCE_PATH=$TFM_PATH \
+    -DCMAKE_BUILD_TYPE=$BUILD_TYPE \
+    -DTFM_TOOLCHAIN_FILE=$TFM_PATH/toolchain_GNUARM.cmake \
+    -DTEST_S=ON \
+    -DTEST_NS=ON \
+    -DTFM_PSA_API=ON \
+    -DMCUBOOT_PATH=$MCUBOOT_PATH \
+    -DMCUBOOT_LOG_LEVEL=INFO \
+    $CMAKE_FIH_LEVEL
+cmake --build $TFM_SPE_BUILD_PATH -- install
+
+cmake -S $TFM_TESTS_PATH/tests_reg \
+    -B $TFM_BUILD_PATH \
+    -DCONFIG_SPE_PATH=$TFM_SPE_BUILD_PATH/api_ns \
+    -DCMAKE_BUILD_TYPE=$BUILD_TYPE \
+    -DTFM_TOOLCHAIN_FILE=$TFM_SPE_BUILD_PATH/api_ns/cmake/toolchain_ns_GNUARM.cmake
+cmake --build $TFM_BUILD_PATH
+
+cd $TFM_BUILD_PATH
+$MCUBOOT_PATH/ci/fih_test_docker/run_fi_test.sh $BOOTLOADER_AXF_PATH $SKIP_SIZE $DAMAGE_TYPE> fih_test_output.yaml
+
+echo ""
+echo "test finished with"
+echo "    - BUILD_TYPE: $BUILD_TYPE"
+echo "    - FIH_LEVEL: $FIH_LEVEL"
+echo "    - SKIP_SIZE: $SKIP_SIZE"
+echo "    - DAMAGE_TYPE: $DAMAGE_TYPE"
+
+python3 $MCUBOOT_PATH/ci/fih_test_docker/generate_test_report.py fih_test_output.yaml
+python3 $MCUBOOT_PATH/ci/fih_test_docker/validate_output.py fih_test_output.yaml $SKIP_SIZE $FIH_LEVEL
--- a/bootloader/mcuboot/ci/fih_test_docker/fi_make_manifest.sh
+++ b/bootloader/mcuboot/ci/fih_test_docker/fi_make_manifest.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+OBJDUMP=arm-none-eabi-objdump
+GDB=gdb-multiarch
+
+# Check if the ELF file specified is compatible
+if test $# -eq 0 || ! file $1 | grep "ELF" | grep "ARM" | grep "32" &>/dev/null; then
+    echo "Incompatible file: $1" 1>&2
+    exit 1
+fi
+
+# Extract the full path
+AXF_PATH=$(realpath $1)
+#Dump all objects that have a name containing FIH_LABEL
+ADDRESSES=$($OBJDUMP $AXF_PATH -t | grep "FIH_LABEL")
+# strip all data except "address, label_name"
+ADDRESSES=$(echo "$ADDRESSES" | sed "s/\([[:xdigit:]]*\).*\(FIH_LABEL_FIH_CALL_[a-zA-Z]*\)_.*/0x\1, \2/g")
+# Sort by address in ascending order
+ADDRESSES=$(echo "$ADDRESSES" | sort)
+# In the case that there is a START followed by another START take the first one
+ADDRESSES=$(echo "$ADDRESSES" | sed "N;s/\(.*START.*\)\n\(.*START.*\)/\1/;P;D")
+# Same for END except take the second one
+ADDRESSES=$(echo "$ADDRESSES" | sed "N;s/\(.*END.*\)\n\(.*END.*\)/\2/;P;D")
+
+# Output in CSV format with a label
+echo "Address, Type"
+echo "$ADDRESSES"
--- a/bootloader/mcuboot/ci/fih_test_docker/fi_tester_gdb.sh
+++ b/bootloader/mcuboot/ci/fih_test_docker/fi_tester_gdb.sh
@@ -0,0 +1,204 @@
+#!/bin/bash
+
+# Copyright (c) 2020-2022 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source $(dirname "$0")/paths.sh
+
+function skip_instruction {
+
+    local SKIP_ADDRESS=$1
+    local SKIP_SIZE=$2
+
+    # Parse the ASM instruction from the address using gdb
+    INSTR=$($GDB $AXF_FILE --batch -ex "disassemble $SKIP_ADDRESS" | grep "^ *$SKIP_ADDRESS" | sed "s/.*:[ \t]*\(.*\)$/\1/g")
+    # Parse the C line from the address using gdb
+    LINE=$($GDB $AXF_FILE --batch -ex "info line *$SKIP_ADDRESS" | sed "s/Line \([0-9]*\).*\"\(.*\)\".*/\2:\1/g")
+
+    # Sometimes an address is in the middle of a 4 byte instruction. In that case
+    # don't run the test
+    if test "$INSTR" == ""; then
+        return
+    fi
+
+    # Print out the meta-info about the test, in YAML
+    echo "- skip_test:"
+    echo "    addr: $SKIP_ADDRESS"
+    echo "    asm:  \"$INSTR\""
+    echo "    line: \"$LINE\""
+    echo "    skip: $SKIP_SIZE"
+    # echo -ne "$SKIP_ADDRESS | $INSTR...\t"
+
+    cat >commands.gdb <<EOF
+target remote localhost: 1234
+file $AXF_FILE
+b boot_go_for_image_id if image_id == 0
+continue
+delete breakpoints 1
+b *$SKIP_ADDRESS
+continue&
+eval "shell sleep 0.5"
+interrupt
+if \$pc == $SKIP_ADDRESS
+    echo "Stopped at breakpoint"
+else
+    echo "Failed to stop at breakpoint"
+end
+echo "PC before increase:"
+print \$pc
+set \$pc += $SKIP_SIZE
+echo "PC after increase:"
+print \$pc
+detach
+eval "shell sleep 0.5"
+EOF
+
+    echo -n '.' 1>&2
+
+    # start qemu, dump the serial output to $QEMU_LOG_FILE
+    QEMU_LOG_FILE=qemu.log
+    QEMU_PID_FILE=qemu_pid.txt
+    rm -f $QEMU_PID_FILE $QEMU_LOG_FILE
+    /usr/bin/qemu-system-arm \
+        -M mps2-an521 \
+        -s -S \
+        -kernel $AXF_FILE \
+        -device loader,file=$TFM_IMAGE_PATH,addr=0x10080000 \
+        -chardev file,id=char0,path=$QEMU_LOG_FILE \
+        -serial chardev:char0 \
+        -display none \
+        -pidfile $QEMU_PID_FILE \
+        -daemonize
+
+    # start qemu, skip the instruction, and continue execution
+    $GDB < ./commands.gdb &>gdb_out.txt
+
+    # kill qemu
+    kill -9 `cat $QEMU_PID_FILE`
+
+    # If "Secure image initializing" is seen the TFM booted, which means that a skip
+    # managed to defeat the signature check. Write out whether the image booted or
+    # not to the log in YAML
+    if cat $QEMU_LOG_FILE | grep -i "Starting bootloader" &>/dev/null; then
+        # bootloader started successfully
+        if cat gdb_out.txt | grep -i "Stopped at breakpoint" &>/dev/null; then
+            # The target was stopped at the desired address
+            if cat $QEMU_LOG_FILE | grep -i "Secure image initializing" &>/dev/null; then
+                echo "    test_exec_ok: True"
+                echo "    skipped: True"
+                echo "    boot: True"
+
+                #print the address that was skipped, and some context to the console
+                echo "" 1>&2
+                echo "Boot success: address: $SKIP_ADDRESS skipped: $SKIP_SIZE" 1>&2
+                arm-none-eabi-objdump -d $AXF_FILE --start-address=$SKIP_ADDRESS -S | tail -n +7 | head -n 14 1>&2
+                echo "" 1>&2
+                echo "" 1>&2
+            else
+                LAST_LINE=`tail -n 1 $QEMU_LOG_FILE | tr -dc '[:print:]'`
+                echo "    test_exec_ok: True"
+                echo "    skipped: True"
+                echo "    boot: False"
+                echo "    last_line: \"$LAST_LINE\" "
+            fi
+        else
+            # The target was not stopped at the desired address.
+            # The most probable reason is that the instruction for that address is
+            # on a call path that is not taken in this run (e.g. error handling)
+            if cat $QEMU_LOG_FILE | grep -i "Secure image initializing" &>/dev/null; then
+                # The image booted, although it shouldn't happen as the test is to
+                # be run with a corrupt image.
+                echo "    test_exec_ok: False"
+                echo "    test_exec_fail_reason: \"No instructions were skipped (e.g. branch was not executed), but booted successfully\""
+            else
+                # the execution didn't stop at the address (e.g. the instruction
+                # is on a branch that is not taken)
+                echo "    test_exec_ok: True"
+                echo "    skipped: False"
+            fi
+        fi
+    else
+        # failed before the first printout
+        echo "    test_exec_ok: True"
+        echo "    skipped: True"
+        echo "    boot: False"
+        echo "    last_line: 'N/A' "
+    fi
+}
+
+# Inform how the script is used
+usage() {
+    echo "$0 <image_dir> <start_addr> [<end_addr>] [(-s | --skip) <skip_len>]"
+}
+
+#defaults
+SKIP=2
+AXF_FILE=${BOOTLOADER_AXF_PATH}
+GDB=gdb-multiarch
+BOOTLOADER=true
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -s|--skip)
+        SKIP="$2"
+        shift
+        shift
+        ;;
+        -h|--help)
+        usage
+        exit 0
+        ;;
+        *)
+        if test -z "$IMAGE_DIR"; then
+            IMAGE_DIR=$1
+        elif test -z "$START"; then
+            START=$1
+        elif test -z "$END"; then
+            END=$1
+        else
+            usage
+            exit 1
+        fi
+        shift
+        ;;
+    esac
+done
+
+# Check that image directory, start and end address have been supplied
+if test -z "$IMAGE_DIR"; then
+    usage
+    exit 2
+fi
+
+if test -z "$START"; then
+    usage
+    exit 2
+fi
+
+if test -z "$END"; then
+    END=$START
+fi
+
+if test -z "$SKIP"; then
+    SKIP='2'
+fi
+
+# Create the start-end address range (step 2)
+ADDRS=$(printf '0x%x\n' $(seq "$START" 2 "$END"))
+
+# For each address run the skip_instruction function on it
+for ADDR in $ADDRS; do
+    skip_instruction $ADDR $SKIP
+done
--- a/bootloader/mcuboot/ci/fih_test_docker/generate_test_report.py
+++ b/bootloader/mcuboot/ci/fih_test_docker/generate_test_report.py
@@ -0,0 +1,47 @@
+# Copyright (c) 2020-2023 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+from utils import CATEGORIES, parse_yaml_file
+
+
+def print_results(results):
+
+    test_stats, failed_boot_last_lines, exec_fail_reasons = results
+
+    print("{:s}: {:d}.".format(CATEGORIES['TOTAL'], test_stats[CATEGORIES['TOTAL']]))
+    print("{:s} ({:d}):".format(CATEGORIES['SUCCESS'], test_stats[CATEGORIES['SUCCESS']]))
+    print("    {:s}: ({:d}):".format(CATEGORIES['ADDRES_NOEXEC'], test_stats[CATEGORIES['ADDRES_NOEXEC']]))
+    test_with_skip = test_stats[CATEGORIES['SUCCESS']] - test_stats[CATEGORIES['ADDRES_NOEXEC']]
+    print("    {:s}: ({:d}):".format(CATEGORIES['SKIPPED'], test_with_skip))
+    print("    {:s} ({:d}):".format(CATEGORIES['NO_BOOT'], test_with_skip - test_stats[CATEGORIES['BOOT']]))
+    for last_line in failed_boot_last_lines.keys():
+        print("        last line: {:s} ({:d})".format(last_line, failed_boot_last_lines[last_line]))
+    print("    {:s} ({:d})".format(CATEGORIES['BOOT'], test_stats[CATEGORIES['BOOT']]))
+    print("{:s} ({:d}):".format(CATEGORIES['FAILED'], test_stats[CATEGORIES['TOTAL']] - test_stats[CATEGORIES['SUCCESS']]))
+    for reason in exec_fail_reasons.keys():
+        print("    {:s} ({:d})".format(reason, exec_fail_reasons[reason]))
+
+
+def main():
+    parser = argparse.ArgumentParser(description='''Process a FIH test output yaml file, and output a human readable report''')
+    parser.add_argument('filename', help='yaml file to process')
+
+    args = parser.parse_args()
+    results = parse_yaml_file(args.filename)
+    print_results(results)
+
+
+if __name__ == "__main__":
+    main()
--- a/bootloader/mcuboot/ci/fih_test_docker/paths.sh
+++ b/bootloader/mcuboot/ci/fih_test_docker/paths.sh
@@ -0,0 +1,10 @@
+WORK_PATH=/root/work/tfm
+MCUBOOT_PATH=$WORK_PATH/mcuboot
+TFM_PATH=$WORK_PATH/trusted-firmware-m
+TFM_TESTS_PATH=$WORK_PATH/tf-m-tests
+TFM_SPE_BUILD_PATH=$TFM_PATH/build_spe
+TFM_BUILD_PATH=$TFM_PATH/build
+BOOTLOADER_AXF_PATH=$TFM_SPE_BUILD_PATH/bin/bl2.axf
+TFM_IMAGE_NAME=tfm_s_ns_signed.bin
+TFM_IMAGE_OUTPUT_PATH=$TFM_BUILD_PATH
+TFM_IMAGE_PATH=$TFM_IMAGE_OUTPUT_PATH/$TFM_IMAGE_NAME
--- a/bootloader/mcuboot/ci/fih_test_docker/run_fi_test.sh
+++ b/bootloader/mcuboot/ci/fih_test_docker/run_fi_test.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Copyright (c) 2020 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+# Get the dir this is running in and the dir the script is in.
+PWD=$(pwd)
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )
+
+# PAD is the amount of extra instructions that should be tested on each side of
+# the critical region
+PAD=6
+
+MCUBOOT_AXF=$1
+SKIP_SIZES=$2
+DAMAGE_TYPE=$3
+
+source $(dirname "$0")/paths.sh
+
+# Take an image and make it unbootable. This is done by replacing one of the
+# strings in the image with a different string. This causes the signature check
+# to fail
+function damage_image
+{
+    local IMAGE_NAME=${TFM_IMAGE_NAME}
+    local BACKUP_IMAGE_NAME=${TFM_IMAGE_NAME}.orig
+    local IMAGE=$TFM_IMAGE_OUTPUT_PATH/$IMAGE_NAME
+    mv $IMAGE $TFM_IMAGE_OUTPUT_PATH/$BACKUP_IMAGE_NAME
+
+    if [ "$DAMAGE_TYPE" = "SIGNATURE" ]; then
+        DAMAGE_PARAM="--signature"
+    elif [ "$DAMAGE_TYPE" = "IMAGE_HASH" ]; then
+        DAMAGE_PARAM="--image-hash"
+    else
+        echo "Failed to damage image $IMAGE with param $DAMAGE_TYPE" 1>&2
+        exit -1
+    fi
+
+    python3 $DIR/damage_image.py -i $TFM_IMAGE_OUTPUT_PATH/$BACKUP_IMAGE_NAME -o $IMAGE $DAMAGE_PARAM 1>&2
+}
+
+function run_test
+{
+    local SKIP_SIZE=$1
+
+    $DIR/fi_make_manifest.sh $MCUBOOT_AXF > $PWD/fih_manifest.csv
+
+    # Load the CSV FI manifest file, and output in START, END lines. Effectively
+    # join START and END lines together with a comma seperator.
+    REGIONS=$(sed "N;s/\(0x[[:xdigit:]]*\).*START\n\(0x[[:xdigit:]]*\).*END.*/\1,\2/g;P;D" $PWD/fih_manifest.csv)
+    # Ignore the first line, which includes the CSV header
+    REGIONS=$(echo "$REGIONS" | tail -n+2)
+
+    for REGION in $REGIONS; do
+        #Split the START,END pairs into the two variables
+        START=$(echo $REGION | cut -d"," -f 1)
+        END=$(echo $REGION | cut -d"," -f 2)
+
+        # Apply padding, converting back to hex
+        START=$(printf "0x%X" $((START - PAD)))
+        END=$(printf "0x%X" $((END + PAD)))
+
+        # Invoke the fi tester script
+        $DIR/fi_tester_gdb.sh $TFM_IMAGE_OUTPUT_PATH $START $END --skip $SKIP_SIZE
+    done
+}
+
+damage_image $MCUBOOT_AXF
+# Run the run_test function with each skip length between min and max in turn.
+
+IFS=', ' read -r -a sizes <<< "$SKIP_SIZES"
+for size in "${sizes[@]}"; do
+    echo "Run tests with skip size $size" 1>&2
+    run_test $size
+done
--- a/bootloader/mcuboot/ci/fih_test_docker/utils.py
+++ b/bootloader/mcuboot/ci/fih_test_docker/utils.py
@@ -0,0 +1,63 @@
+# Copyright (c) 2023 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import collections
+import yaml
+
+CATEGORIES = {
+        'TOTAL': 'Total tests run',
+        'SUCCESS': 'Tests executed successfully',
+        'FAILED': 'Tests failed to execute successfully',
+        # the execution never reached the address
+        'ADDRES_NOEXEC': 'Address was not executed',
+        # The address was successfully skipped by the debugger
+        'SKIPPED': 'Address was skipped',
+        'NO_BOOT': 'System not booted (desired behaviour)',
+        'BOOT': 'System booted (undesired behaviour)'
+}
+
+
+def parse_yaml_file(filepath):
+    with open(filepath) as f:
+        results = yaml.safe_load(f)
+
+    if not results:
+        raise ValueError("Failed to parse output yaml file.")
+
+    test_stats = collections.Counter()
+    failed_boot_last_lines = collections.Counter()
+    exec_fail_reasons = collections.Counter()
+
+    for test in results:
+        test = test["skip_test"]
+
+        test_stats.update([CATEGORIES['TOTAL']])
+
+        if test["test_exec_ok"]:
+            test_stats.update([CATEGORIES['SUCCESS']])
+
+            if "skipped" in test.keys() and not test["skipped"]:
+                # The debugger didn't stop at this address
+                test_stats.update([CATEGORIES['ADDRES_NOEXEC']])
+                continue
+
+            if test["boot"]:
+                test_stats.update([CATEGORIES['BOOT']])
+                continue
+
+            failed_boot_last_lines.update([test["last_line"]])
+        else:
+            exec_fail_reasons.update([test["test_exec_fail_reason"]])
+
+    return test_stats, failed_boot_last_lines, exec_fail_reasons
--- a/bootloader/mcuboot/ci/fih_test_docker/validate_output.py
+++ b/bootloader/mcuboot/ci/fih_test_docker/validate_output.py
@@ -0,0 +1,39 @@
+# Copyright (c) 2023 Arm Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+from utils import CATEGORIES, parse_yaml_file
+
+
+def validate_output(test_stats, skip_size, fih_level):
+    if (test_stats[CATEGORIES['BOOT']] > 0
+       and skip_size == "2,4,6" and fih_level == "MEDIUM"):
+        raise ValueError("The number of sucessful boots was more than zero")
+
+
+def main():
+    parser = argparse.ArgumentParser(description='''Process a FIH test output yaml file,
+     and validate no sucessfull boots have happened''')
+    parser.add_argument('filename', help='yaml file to process')
+    parser.add_argument('skip_size', help='instruction skip size')
+    parser.add_argument('fih_level', nargs="?",
+                        help='fault injection hardening level')
+
+    args = parser.parse_args()
+    test_stats = parse_yaml_file(args.filename)[0]
+    validate_output(test_stats, args.skip_size, args.fih_level)
+
+
+if __name__ == "__main__":
+    main()
--- a/bootloader/mcuboot/ci/get_features.py
+++ b/bootloader/mcuboot/ci/get_features.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+
+# Copyright 2020 JUUL Labs
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import os.path
+try:
+    import tomllib
+except ModuleNotFoundError:
+    import tomli as tomllib
+
+parser = argparse.ArgumentParser(description='Print features from a Cargo.toml.')
+parser.add_argument('infile', help='Input file to parse')
+
+args = parser.parse_args()
+if not os.path.isfile(args.infile):
+    print("File not found")
+    exit(1)
+
+try:
+    cargo_toml = open(args.infile).read()
+except Exception:
+    print("Error reading \"{}\"".format(args.infile))
+    exit(1)
+
+config = tomllib.loads(cargo_toml)
+if 'features' not in config:
+    print("Missing \"[features]\" section")
+    exit(1)
+
+print(" ".join([k for k in config['features'] if k != 'default']))
--- a/bootloader/mcuboot/ci/imgtool_install.sh
+++ b/bootloader/mcuboot/ci/imgtool_install.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -x
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [[ $TRAVIS == "true" ]]; then
+    if [[ $TRAVIS_PULL_REQUEST != "false" || $TRAVIS_BRANCH != "main" ]]; then
+        echo "Either a PR or not \"main\" branch, exiting"
+        exit 0
+    fi
+fi
+
+pip install setuptools twine packaging wheel
+pip install --pre imgtool
--- a/bootloader/mcuboot/ci/imgtool_run.sh
+++ b/bootloader/mcuboot/ci/imgtool_run.sh
@@ -0,0 +1,53 @@
+#!/bin/bash -x
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [[ $TRAVIS == "true" ]]; then
+    if [[ $TRAVIS_PULL_REQUEST != "false" || $TRAVIS_BRANCH != "main" ]]; then
+        echo "Either a PR or not \"main\" branch, exiting"
+        exit 0
+    fi
+fi
+
+IMGTOOL_VER_PREFIX="\+imgtool_version = "
+IMGTOOL_VER_FILE="imgtool/__init__.py"
+DIST_DIR="dist"
+
+if [[ -z "$TWINE_TOKEN" ]]; then
+    echo "\$TWINE_TOKEN must be set in Travis or GH settings"
+    exit 0
+fi
+
+cd scripts/
+
+last_release=$(pip show imgtool | grep "Version: " | cut -d" " -f2)
+repo_version=$(grep "imgtool_version = " imgtool/__init__.py | sed 's/^.* = "\(.*\)"/\1/g')
+
+python ../ci/compare_versions.py --old $last_release --new $repo_version
+rc=$?
+
+if [[ $rc -eq 0 ]]; then
+    echo "Imgtool version not changed; will not publish"
+    exit 0
+elif [[ $rc -eq 1 ]]; then
+    echo "Error parsing versions"
+    exit 1
+elif [[ $rc -eq 3 ]]; then
+    echo "Imgtool downgrade detected!"
+    exit 1
+fi
+
+rm -rf $DIST_DIR
+python setup.py sdist bdist_wheel
+
+twine upload --username __token__ --password "${TWINE_TOKEN}" "${DIST_DIR}/*"
--- a/bootloader/mcuboot/ci/mynewt_install.sh
+++ b/bootloader/mcuboot/ci/mynewt_install.sh
@@ -0,0 +1,83 @@
+#!/bin/bash -x
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+install_newt() {
+    pushd $HOME
+    git clone --depth=1 https://github.com/apache/mynewt-newt
+    [[ $? -ne 0 ]] && exit 1
+
+    pushd mynewt-newt && ./build.sh
+    [[ $? -ne 0 ]] && exit 1
+
+    cp newt/newt $HOME/bin
+    popd
+    popd
+}
+
+shallow_clone_mynewt() {
+    mkdir -p repos/apache-mynewt-core
+    git clone --depth=1 https://github.com/apache/mynewt-core repos/apache-mynewt-core
+    [[ $? -ne 0 ]] && exit 1
+
+    # nrfx is now taken from original repository
+    git clone --depth=1 --branch v3.3.0 https://github.com/NordicSemiconductor/nrfx.git repos/nordic-nrfx
+    [[ $? -ne 0 ]] && exit 1
+
+    # Mbed-TLS is now taken from original repository
+    git clone --depth=1 --branch v2.28.4 https://github.com/Mbed-TLS/mbedtls.git repos/mbedtls
+    [[ $? -ne 0 ]] && exit 1
+
+    # CMSIS is now taken from original repository
+    git clone --depth=1 --branch 5.4.0 https://github.com/ARM-software/CMSIS_5.git repos/arm-CMSIS_5
+    [[ $? -ne 0 ]] && exit 1
+}
+
+arm_toolchain_install() {
+    TOOLCHAIN_PATH=$HOME/TOOLCHAIN
+
+    GCC_URL=https://developer.arm.com/-/media/Files/downloads/gnu-rm/7-2017q4/gcc-arm-none-eabi-7-2017-q4-major-linux.tar.bz2
+    GCC_BASE=gcc-arm-none-eabi-7-2017-q4-major
+
+    mkdir -p $TOOLCHAIN_PATH
+
+    if [ ! -s ${TOOLCHAIN_PATH}/$GCC_BASE/bin/arm-none-eabi-gcc ]; then
+      wget -O ${TOOLCHAIN_PATH}/${GCC_BASE}.tar.bz2 $GCC_URL
+      [[ $? -ne 0 ]] && exit 1
+
+      tar xfj ${TOOLCHAIN_PATH}/${GCC_BASE}.tar.bz2 -C $TOOLCHAIN_PATH
+    fi
+
+    for i in ${TOOLCHAIN_PATH}/${GCC_BASE}/bin/arm-none-eabi-* ; do
+        rm -f  $HOME/bin/${i##*/}
+        ln -s $i $HOME/bin/${i##*/}
+    done
+}
+
+native_test_setup() {
+    sudo apt-get update
+    sudo apt-get install -y gcc-multilib
+}
+
+mkdir -p $HOME/bin
+export PATH=$HOME/bin:$PATH
+
+install_newt
+shallow_clone_mynewt
+arm_toolchain_install
+native_test_setup
--- a/bootloader/mcuboot/ci/mynewt_keys/enc_kw/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_keys/enc_kw/pkg.yml
@@ -0,0 +1,22 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: keys/enc_kw
+pkg.author: "Apache Mynewt <dev@mynewt.apache.org>"
+pkg.homepage: "http://mynewt.apache.org/"
--- a/bootloader/mcuboot/ci/mynewt_keys/enc_kw/src/keys.c
+++ b/bootloader/mcuboot/ci/mynewt_keys/enc_kw/src/keys.c
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include <bootutil/sign_key.h>
+#include <bootutil/enc_key.h>
+unsigned char enc_key[] = {
+  0x96, 0x69, 0xd2, 0xcf, 0x0e, 0xb1, 0xc6, 0x56, 0xf2, 0xa0, 0x1f, 0x46,
+  0x06, 0xd3, 0x49, 0x31,
+};
+static unsigned int enc_key_len = 16;
+const struct bootutil_key bootutil_enc_key = {
+    .key = enc_key,
+    .len = &enc_key_len,
+};
--- a/bootloader/mcuboot/ci/mynewt_keys/enc_rsa/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_keys/enc_rsa/pkg.yml
@@ -0,0 +1,25 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: keys/enc_rsa
+pkg.author: "Apache Mynewt <dev@mynewt.apache.org>"
+pkg.homepage: "http://mynewt.apache.org/"
+
+pkg.cflags:
+    - '-DMBEDTLS_USER_CONFIG_FILE="mbedtls/config_mynewt.h"'
--- a/bootloader/mcuboot/ci/mynewt_keys/enc_rsa/src/keys.c
+++ b/bootloader/mcuboot/ci/mynewt_keys/enc_rsa/src/keys.c
@@ -0,0 +1,128 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include <bootutil/sign_key.h>
+#include <bootutil/enc_key.h>
+unsigned char enc_key[] = {
+  0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
+  0xb4, 0x26, 0x14, 0x49, 0x3d, 0x16, 0x13, 0x3a, 0x6d, 0x9c, 0x84, 0xa9,
+  0x8b, 0x6a, 0x10, 0x20, 0x61, 0xef, 0x48, 0x04, 0xa4, 0x4b, 0x24, 0xf3,
+  0x00, 0x32, 0xac, 0x22, 0xe0, 0x30, 0x27, 0x70, 0x18, 0xe5, 0x55, 0xc8,
+  0xb8, 0x05, 0x34, 0x03, 0xb0, 0xf8, 0xa5, 0x96, 0xd2, 0x48, 0x58, 0xef,
+  0x70, 0xb0, 0x09, 0xdb, 0xe3, 0x58, 0x62, 0xef, 0x99, 0x63, 0x01, 0xb2,
+  0x89, 0xc4, 0xb3, 0xf6, 0x9e, 0x62, 0xbf, 0x4d, 0xc2, 0x8a, 0xd0, 0xc9,
+  0x4d, 0x43, 0xa3, 0xd8, 0xe5, 0x1d, 0xec, 0x62, 0x63, 0x08, 0xe2, 0x20,
+  0xa5, 0xfc, 0x78, 0xd0, 0x3e, 0x74, 0xc8, 0xa4, 0x1b, 0x36, 0xad, 0x7b,
+  0xf5, 0x06, 0xae, 0x4d, 0x51, 0x9b, 0x40, 0xce, 0x30, 0x4f, 0x6c, 0xea,
+  0xf9, 0xe9, 0x74, 0xea, 0x06, 0xee, 0x9c, 0xe4, 0x14, 0x68, 0x20, 0xb9,
+  0x3d, 0xe7, 0x11, 0x14, 0x8b, 0x25, 0xa3, 0xff, 0x4c, 0x8a, 0xf3, 0x53,
+  0xee, 0x6b, 0x3e, 0xef, 0x34, 0xcd, 0x6a, 0x3f, 0x62, 0x68, 0xc0, 0xff,
+  0x78, 0x4c, 0xb0, 0xc3, 0xe6, 0x96, 0x61, 0xfc, 0x1f, 0x18, 0xf1, 0x7a,
+  0x82, 0xe2, 0x8f, 0x35, 0xa8, 0x2b, 0x86, 0x16, 0xa4, 0x46, 0xfb, 0xac,
+  0x7e, 0x41, 0xdb, 0x02, 0x05, 0x91, 0x6d, 0xdf, 0xc1, 0xde, 0x13, 0x95,
+  0x9c, 0xf9, 0x9e, 0x5e, 0x72, 0xba, 0xa7, 0x25, 0x93, 0xfb, 0xdc, 0xe8,
+  0xab, 0x86, 0x45, 0x88, 0x47, 0x2d, 0xed, 0xee, 0xee, 0x97, 0x9e, 0xce,
+  0x5d, 0x9b, 0x04, 0x04, 0x40, 0x7c, 0xcb, 0x7c, 0x3d, 0x2c, 0x74, 0xab,
+  0xa4, 0xcc, 0x64, 0xa3, 0x5c, 0x95, 0x3d, 0xd4, 0xa2, 0xdc, 0x92, 0xb2,
+  0xc8, 0x18, 0xcb, 0xf9, 0x00, 0x39, 0x81, 0x8f, 0x8f, 0x40, 0xc2, 0xdf,
+  0x99, 0x29, 0xac, 0x8a, 0xc2, 0x3b, 0xd8, 0xa4, 0xf2, 0xad, 0xaf, 0x74,
+  0xc0, 0x11, 0xc7, 0x99, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,
+  0x00, 0x42, 0x47, 0x80, 0x4f, 0x31, 0xda, 0x5d, 0x58, 0xb1, 0xdb, 0x54,
+  0x33, 0xcc, 0xc7, 0x49, 0x07, 0xa1, 0x00, 0x98, 0x4e, 0x9c, 0xe3, 0xc8,
+  0xc4, 0x5e, 0xde, 0x45, 0xd6, 0xcf, 0x04, 0xe8, 0x7d, 0xa5, 0xab, 0x3a,
+  0xd4, 0x8e, 0x5f, 0xdb, 0xb3, 0x3f, 0xf9, 0x3b, 0x73, 0x32, 0x0a, 0xcc,
+  0x2d, 0xcc, 0x17, 0xf8, 0x88, 0x9e, 0x2c, 0x76, 0xba, 0x10, 0x85, 0x0c,
+  0xaa, 0xd3, 0x65, 0x3b, 0x91, 0x10, 0xd4, 0xe3, 0xed, 0x88, 0x15, 0xea,
+  0x9b, 0x25, 0x82, 0x2d, 0x56, 0x2f, 0x75, 0xc2, 0xf2, 0xaf, 0xdd, 0x24,
+  0xd5, 0x3e, 0x3c, 0x95, 0x76, 0x88, 0x84, 0x0f, 0x0d, 0xd1, 0xb5, 0x5c,
+  0x3e, 0xae, 0xf7, 0xb6, 0x49, 0x5c, 0x2c, 0xf2, 0xba, 0xe9, 0xab, 0x4f,
+  0x37, 0x64, 0x9b, 0x30, 0x18, 0xaa, 0x54, 0x40, 0x04, 0xea, 0x3d, 0x25,
+  0x4d, 0x02, 0x29, 0x71, 0x6f, 0x4d, 0x82, 0x9b, 0xc3, 0x44, 0x2a, 0x9d,
+  0x0c, 0x98, 0xd3, 0xc8, 0x15, 0x0d, 0x04, 0x93, 0x60, 0x30, 0xc7, 0x5e,
+  0x79, 0xea, 0x53, 0x9d, 0xc0, 0x0e, 0x81, 0xac, 0x90, 0xbc, 0x9e, 0x1e,
+  0xd2, 0x28, 0x0f, 0x10, 0xf5, 0x1f, 0xdf, 0x38, 0x7f, 0x8a, 0x90, 0x8d,
+  0x49, 0x07, 0x7d, 0x78, 0xcb, 0xa7, 0xef, 0x92, 0x6d, 0x3b, 0x13, 0x95,
+  0x9b, 0xba, 0x83, 0xc6, 0xb3, 0x71, 0x25, 0x27, 0x07, 0x99, 0x54, 0x82,
+  0x3d, 0xec, 0xc5, 0xf8, 0xb4, 0xa0, 0x38, 0x7a, 0x59, 0x6a, 0x0b, 0xca,
+  0x69, 0x6c, 0x17, 0xa4, 0x18, 0xe0, 0xb4, 0xaa, 0x89, 0x99, 0x8f, 0xcb,
+  0x71, 0x34, 0x09, 0x1b, 0x6e, 0xe6, 0x87, 0x00, 0xb5, 0xba, 0x70, 0x8a,
+  0x29, 0x3d, 0x9a, 0x06, 0x18, 0x2d, 0x66, 0x5e, 0x61, 0x37, 0xeb, 0xdd,
+  0x5e, 0xc8, 0x28, 0x92, 0x05, 0x30, 0xfd, 0xb8, 0x65, 0xb1, 0x7f, 0xbf,
+  0x2d, 0x55, 0x12, 0x91, 0xc1, 0x02, 0x81, 0x81, 0x00, 0xda, 0x65, 0xda,
+  0x38, 0x7c, 0x18, 0xfb, 0x00, 0x11, 0x60, 0xeb, 0x37, 0x65, 0xb8, 0x83,
+  0x62, 0x88, 0xc4, 0x3a, 0x4e, 0x64, 0x6a, 0xf3, 0x3e, 0x4e, 0xc0, 0x34,
+  0x19, 0x8a, 0xcb, 0x4a, 0xca, 0x2f, 0x5d, 0x50, 0x7a, 0xac, 0xf7, 0x9e,
+  0x87, 0x5a, 0xfc, 0x4d, 0x49, 0xd7, 0xf9, 0x21, 0xf5, 0x0b, 0x6f, 0x57,
+  0x41, 0x3d, 0x8f, 0xb8, 0xec, 0x7f, 0xcc, 0x92, 0x09, 0xbe, 0xd3, 0xa4,
+  0xc3, 0x14, 0x85, 0x21, 0x5d, 0x05, 0xa3, 0xaa, 0x20, 0xf6, 0x62, 0x44,
+  0x50, 0x03, 0x5e, 0x53, 0x4a, 0xcd, 0x6a, 0xb6, 0x65, 0x8e, 0x4e, 0x4b,
+  0x3f, 0x25, 0xc6, 0x16, 0x31, 0xf5, 0x99, 0x13, 0x77, 0x42, 0xda, 0xdc,
+  0x70, 0x4d, 0x65, 0xb0, 0x99, 0x0f, 0xdf, 0x5a, 0xb1, 0x45, 0xf0, 0xb9,
+  0x8e, 0xa0, 0xae, 0x4f, 0x4d, 0x65, 0x09, 0x84, 0xb5, 0x38, 0x29, 0xbf,
+  0x69, 0xe0, 0x88, 0x1f, 0x27, 0x02, 0x81, 0x81, 0x00, 0xd3, 0x2a, 0x59,
+  0xec, 0x28, 0xc3, 0x0d, 0x4f, 0x92, 0x96, 0xca, 0x67, 0x94, 0xfc, 0x2e,
+  0xa6, 0x86, 0x68, 0x45, 0x53, 0x92, 0xcc, 0x86, 0x7f, 0x8a, 0xe1, 0x5d,
+  0xe8, 0x1d, 0x9e, 0xbb, 0x1e, 0x00, 0x26, 0x1d, 0x80, 0x12, 0xff, 0x9c,
+  0x11, 0x0a, 0xbd, 0xa6, 0xc3, 0x8d, 0x48, 0xda, 0xfc, 0x10, 0xf7, 0x7a,
+  0x16, 0x07, 0x15, 0xa0, 0x3a, 0xd3, 0x94, 0xfb, 0x52, 0x87, 0x39, 0xee,
+  0xe7, 0xc4, 0x26, 0x49, 0x16, 0xc6, 0xc0, 0x83, 0x25, 0xbf, 0x6a, 0x4e,
+  0x8c, 0x0b, 0x10, 0x85, 0x66, 0xab, 0x7e, 0xae, 0xac, 0x4c, 0x69, 0x3c,
+  0x44, 0xeb, 0xcd, 0xe9, 0xf6, 0x64, 0x8b, 0x4a, 0xd8, 0x6a, 0x4d, 0x6d,
+  0x47, 0xa9, 0xb8, 0x55, 0x72, 0xc1, 0xfd, 0xf4, 0x81, 0x4c, 0x66, 0xbe,
+  0x49, 0xf2, 0x75, 0x4f, 0x80, 0xf1, 0x20, 0x38, 0xb8, 0x6a, 0x1b, 0x75,
+  0x41, 0x30, 0x0f, 0x1b, 0x3f, 0x02, 0x81, 0x80, 0x09, 0x35, 0xfa, 0x7a,
+  0x1f, 0x61, 0xbe, 0x54, 0x46, 0x67, 0x5c, 0x04, 0x3e, 0x1a, 0x06, 0x10,
+  0x85, 0xcc, 0x20, 0xd9, 0x65, 0x8a, 0xcd, 0x2f, 0x77, 0x8a, 0xcb, 0xa7,
+  0xb8, 0x1e, 0xd2, 0xcc, 0xac, 0x2a, 0xb7, 0x56, 0x35, 0x2d, 0x4c, 0x56,
+  0x51, 0x14, 0x0a, 0xfe, 0x6e, 0x49, 0x67, 0x91, 0x3a, 0x26, 0x3b, 0xfb,
+  0xd8, 0x68, 0xd3, 0x57, 0xc6, 0x1c, 0x0e, 0x9c, 0xb2, 0x9b, 0xa2, 0x7b,
+  0x47, 0xc6, 0x45, 0x9d, 0xf2, 0xba, 0xf0, 0x55, 0xeb, 0x8e, 0x41, 0x6b,
+  0x4e, 0x79, 0x0f, 0xf2, 0x3b, 0xaf, 0xa0, 0x79, 0xb0, 0x02, 0xc5, 0x51,
+  0xa8, 0x7a, 0x2e, 0x3d, 0x75, 0x2a, 0x3b, 0x93, 0xf0, 0x11, 0xe2, 0xf2,
+  0x29, 0x91, 0x7c, 0x5d, 0x38, 0x3a, 0x27, 0x4d, 0x0a, 0xb2, 0x18, 0x61,
+  0x57, 0x8d, 0x82, 0x72, 0xb5, 0x2c, 0x2d, 0x98, 0xa7, 0x01, 0xbb, 0xbc,
+  0xef, 0x67, 0x4e, 0x49, 0x02, 0x81, 0x81, 0x00, 0xb2, 0x70, 0x53, 0x54,
+  0x70, 0x8d, 0x82, 0xad, 0xff, 0x1d, 0x55, 0x24, 0x7a, 0x8d, 0x2f, 0x8e,
+  0xa0, 0x7d, 0x74, 0x37, 0xcf, 0x10, 0xed, 0x86, 0xd1, 0x80, 0xe7, 0xad,
+  0xc1, 0x79, 0xe4, 0x7c, 0xd1, 0x7b, 0x63, 0xea, 0x5a, 0x23, 0x8d, 0x6a,
+  0x09, 0x3d, 0x81, 0xb2, 0x35, 0xad, 0x9e, 0xfe, 0xea, 0x07, 0x76, 0x2f,
+  0x2f, 0x05, 0x63, 0x44, 0xd2, 0x8e, 0x4e, 0x61, 0xca, 0xcb, 0x75, 0xca,
+  0x7b, 0xc2, 0x2e, 0x79, 0x04, 0xb2, 0xa1, 0x20, 0x40, 0xc4, 0x40, 0x63,
+  0xae, 0xe5, 0xe3, 0x14, 0x83, 0x4e, 0xa5, 0xa4, 0x0b, 0x5d, 0xd2, 0x04,
+  0x1b, 0x8f, 0x01, 0x69, 0xa8, 0x44, 0xdc, 0x96, 0x4c, 0x1d, 0xe9, 0x7e,
+  0x69, 0x38, 0xcf, 0x5c, 0x0d, 0xf9, 0xdf, 0xa7, 0x73, 0x3c, 0x4f, 0x08,
+  0x85, 0xce, 0x03, 0xc4, 0xdd, 0xfd, 0x70, 0x70, 0xc5, 0x99, 0x36, 0x58,
+  0x43, 0x98, 0x40, 0x59, 0x02, 0x81, 0x81, 0x00, 0xd5, 0xaa, 0xfb, 0xec,
+  0x8d, 0xc6, 0xdd, 0xfa, 0x2b, 0x5a, 0x24, 0xd0, 0xda, 0x58, 0xbd, 0x87,
+  0x92, 0x1a, 0x29, 0x62, 0x13, 0x1d, 0x4b, 0x79, 0x1b, 0xbe, 0x79, 0x7d,
+  0xad, 0x79, 0xca, 0x17, 0x75, 0xda, 0xe8, 0x32, 0xe8, 0xa0, 0x9e, 0xa8,
+  0x77, 0x53, 0xac, 0x38, 0xd6, 0xeb, 0xe6, 0x22, 0x65, 0xc4, 0xaa, 0x4c,
+  0xc8, 0xd0, 0x33, 0x1a, 0x1e, 0xbe, 0xbd, 0x73, 0x09, 0x4a, 0xfa, 0x85,
+  0x5c, 0xf3, 0x0c, 0x9c, 0x81, 0x56, 0x30, 0xa7, 0xf7, 0x9b, 0xf4, 0x92,
+  0x9c, 0x6b, 0x93, 0x6a, 0x00, 0x33, 0xdc, 0x2f, 0x54, 0x1e, 0x78, 0xd4,
+  0x97, 0xec, 0x24, 0xa2, 0xdb, 0x3d, 0x03, 0x33, 0x09, 0xb2, 0x2c, 0x03,
+  0x05, 0x40, 0xde, 0x52, 0xf2, 0x9b, 0xfa, 0x00, 0x8d, 0x4b, 0xfe, 0x5b,
+  0x9b, 0x9c, 0x73, 0xad, 0xfb, 0x7a, 0x00, 0x42, 0x62, 0x9e, 0xa0, 0x95,
+  0x55, 0x50, 0x32, 0x87
+};
+static unsigned int enc_key_len = 1192;
+const struct bootutil_key bootutil_enc_key = {
+    .key = enc_key,
+    .len = &enc_key_len,
+};
--- a/bootloader/mcuboot/ci/mynewt_run.sh
+++ b/bootloader/mcuboot/ci/mynewt_run.sh
@@ -0,0 +1,33 @@
+#!/bin/bash -x
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+export PATH=$HOME/bin:$PATH
+pwd
+
+for target in $(ls ci/mynewt_targets); do
+    newt build $target
+    [[ $? -ne 0 ]] && exit 1
+done
+
+mkdir targets
+cp -r repos/apache-mynewt-core/targets/unittest targets
+newt test boot/boot_serial
+[[ $? -ne 0 ]] && exit 1
+
+exit 0
--- a/bootloader/mcuboot/ci/mynewt_targets/basic/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/basic/pkg.yml
@@ -0,0 +1,27 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/basic"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
--- a/bootloader/mcuboot/ci/mynewt_targets/basic/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/basic/syscfg.yml
@@ -0,0 +1,45 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+syscfg.vals:
+    BOOT_SERIAL: 0
+    BOOT_SERIAL_DETECT_PIN: 11
+    BOOT_SERIAL_DETECT_PIN_VAL: 0
+    BOOT_SERIAL_REPORT_PIN: 13
+    BOOTUTIL_VALIDATE_SLOT0: 0
+    BOOTUTIL_MAX_IMG_SECTORS: 256
+    BOOTUTIL_SIGN_EC256: 0
+    BOOTUTIL_SIGN_RSA: 0
+    BOOTUTIL_ENCRYPT_RSA: 0
+    BOOTUTIL_ENCRYPT_KW: 0
+    BOOTUTIL_USE_MBED_TLS: 0
+    BOOTUTIL_USE_TINYCRYPT: 1
+    BOOTUTIL_OVERWRITE_ONLY: 0
+    BOOTUTIL_OVERWRITE_ONLY_FAST: 1
+    BOOTUTIL_HAVE_LOGGING: 0
+    BOOTUTIL_NO_LOGGING: 1
+    BOOTUTIL_LOG_LEVEL: 'BOOTUTIL_LOG_LEVEL_INFO'
+    CONSOLE_COMPAT: 1
+    CONSOLE_INPUT: 0
+    CONSOLE_UART: 0
+    CONSOLE_RTT: 0
+    OS_CPUTIME_TIMER_NUM: 0
+    TIMER_0: 1
+    UART_0: 0
+    BOOTUTIL_BOOTSTRAP: 0
+    MBEDTLS_NIST_KW_C: 0
--- a/bootloader/mcuboot/ci/mynewt_targets/basic/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/basic/target.yml
@@ -0,0 +1,22 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
--- a/bootloader/mcuboot/ci/mynewt_targets/bootserial/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/bootserial/pkg.yml
@@ -0,0 +1,27 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/bootserial"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
--- a/bootloader/mcuboot/ci/mynewt_targets/bootserial/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/bootserial/syscfg.yml
@@ -0,0 +1,24 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOT_SERIAL: 1
+    UART_0: 1
--- a/bootloader/mcuboot/ci/mynewt_targets/bootserial/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/bootserial/target.yml
@@ -0,0 +1,22 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
--- a/bootloader/mcuboot/ci/mynewt_targets/ecdsa/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/ecdsa/pkg.yml
@@ -0,0 +1,27 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/ecdsa"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
--- a/bootloader/mcuboot/ci/mynewt_targets/ecdsa/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/ecdsa/syscfg.yml
@@ -0,0 +1,24 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOTUTIL_VALIDATE_SLOT0: 1
+    BOOTUTIL_SIGN_EC256: 1
--- a/bootloader/mcuboot/ci/mynewt_targets/ecdsa/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/ecdsa/target.yml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
+target.key_file: "@mcuboot/root-ec-p256.pem"
--- a/bootloader/mcuboot/ci/mynewt_targets/ecdsa_kw/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/ecdsa_kw/pkg.yml
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/ecdsa_kw"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
+    - "@mcuboot/keys/enc_kw"
--- a/bootloader/mcuboot/ci/mynewt_targets/ecdsa_kw/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/ecdsa_kw/syscfg.yml
@@ -0,0 +1,25 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOTUTIL_VALIDATE_SLOT0: 1
+    BOOTUTIL_SIGN_EC256: 1
+    BOOTUTIL_ENCRYPT_KW: 1
--- a/bootloader/mcuboot/ci/mynewt_targets/ecdsa_kw/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/ecdsa_kw/target.yml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
+target.key_file: "@mcuboot/root-ec-p256.pem"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa/pkg.yml
@@ -0,0 +1,27 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/rsa"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa/syscfg.yml
@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOTUTIL_VALIDATE_SLOT0: 1
+    BOOTUTIL_SIGN_EC256: 0
+    BOOTUTIL_SIGN_RSA: 1
+    BOOTUTIL_USE_MBED_TLS: 1
+    BOOTUTIL_USE_TINYCRYPT: 0
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa/target.yml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
+target.key_file: "@mcuboot/root-rsa-2048.pem"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_kw/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_kw/pkg.yml
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/rsa_kw"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
+    - "@mcuboot/keys/enc_kw"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_kw/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_kw/syscfg.yml
@@ -0,0 +1,30 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOTUTIL_VALIDATE_SLOT0: 1
+    BOOTUTIL_SIGN_EC256: 0
+    BOOTUTIL_SIGN_RSA: 1
+    BOOTUTIL_USE_MBED_TLS: 1
+    BOOTUTIL_USE_TINYCRYPT: 0
+    BOOTUTIL_ENCRYPT_KW: 1
+    MBEDTLS_NIST_KW_C: 1
+    MBEDTLS_CIPHER_MODE_CTR: 1
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_kw/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_kw/target.yml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
+target.key_file: "@mcuboot/root-rsa-2048.pem"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_overwriteonly/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_overwriteonly/pkg.yml
@@ -0,0 +1,27 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/rsa_overwriteonly"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_overwriteonly/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_overwriteonly/syscfg.yml
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOTUTIL_VALIDATE_SLOT0: 1
+    BOOTUTIL_SIGN_EC256: 0
+    BOOTUTIL_SIGN_RSA: 1
+    BOOTUTIL_USE_MBED_TLS: 1
+    BOOTUTIL_USE_TINYCRYPT: 0
+    BOOTUTIL_OVERWRITE_ONLY: 1
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_overwriteonly/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_overwriteonly/target.yml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
+target.key_file: "@mcuboot/root-rsa-2048.pem"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep/pkg.yml
@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/rsa_rsaoaep"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
+    - "@mcuboot/keys/enc_rsa"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep/syscfg.yml
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOTUTIL_VALIDATE_SLOT0: 1
+    BOOTUTIL_SIGN_EC256: 0
+    BOOTUTIL_SIGN_RSA: 1
+    BOOTUTIL_USE_MBED_TLS: 1
+    BOOTUTIL_USE_TINYCRYPT: 0
+    BOOTUTIL_ENCRYPT_RSA: 1
+    MBEDTLS_CIPHER_MODE_CTR: 1
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep/target.yml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
+target.key_file: "@mcuboot/root-rsa-2048.pem"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep_bootstrap/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep_bootstrap/pkg.yml
@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/rsa_rsaoaep_bootstrap"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
+    - "@mcuboot/keys/enc_rsa"
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep_bootstrap/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep_bootstrap/syscfg.yml
@@ -0,0 +1,30 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+$import:
+    - '@mcuboot/ci/mynewt_targets/basic/syscfg.yml'
+
+syscfg.vals:
+    BOOTUTIL_VALIDATE_SLOT0: 1
+    BOOTUTIL_SIGN_EC256: 0
+    BOOTUTIL_SIGN_RSA: 1
+    BOOTUTIL_USE_MBED_TLS: 1
+    BOOTUTIL_USE_TINYCRYPT: 0
+    BOOTUTIL_ENCRYPT_RSA: 1
+    BOOTUTIL_BOOTSTRAP: 1
+    MBEDTLS_CIPHER_MODE_CTR: 1
--- a/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep_bootstrap/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/rsa_rsaoaep_bootstrap/target.yml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
+target.key_file: "@mcuboot/root-rsa-2048.pem"
--- a/bootloader/mcuboot/ci/mynewt_targets/swap_move/pkg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/swap_move/pkg.yml
@@ -0,0 +1,27 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: "targets/swap_move"
+pkg.type: "target"
+pkg.description:
+pkg.author:
+pkg.homepage:
+
+pkg.deps:
+    - "@mcuboot/boot/mynewt"
--- a/bootloader/mcuboot/ci/mynewt_targets/swap_move/syscfg.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/swap_move/syscfg.yml
@@ -0,0 +1,46 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+syscfg.vals:
+    BOOT_SERIAL: 0
+    BOOT_SERIAL_DETECT_PIN: 11
+    BOOT_SERIAL_DETECT_PIN_VAL: 0
+    BOOT_SERIAL_REPORT_PIN: 13
+    BOOTUTIL_VALIDATE_SLOT0: 0
+    BOOTUTIL_MAX_IMG_SECTORS: 256
+    BOOTUTIL_SWAP_USING_MOVE: 1
+    BOOTUTIL_SIGN_EC256: 0
+    BOOTUTIL_SIGN_RSA: 0
+    BOOTUTIL_ENCRYPT_RSA: 0
+    BOOTUTIL_ENCRYPT_KW: 0
+    BOOTUTIL_USE_MBED_TLS: 0
+    BOOTUTIL_USE_TINYCRYPT: 1
+    BOOTUTIL_OVERWRITE_ONLY: 0
+    BOOTUTIL_OVERWRITE_ONLY_FAST: 1
+    BOOTUTIL_HAVE_LOGGING: 0
+    BOOTUTIL_NO_LOGGING: 1
+    BOOTUTIL_LOG_LEVEL: 'BOOTUTIL_LOG_LEVEL_INFO'
+    CONSOLE_COMPAT: 1
+    CONSOLE_INPUT: 0
+    CONSOLE_UART: 0
+    CONSOLE_RTT: 0
+    OS_CPUTIME_TIMER_NUM: 0
+    TIMER_0: 1
+    UART_0: 0
+    BOOTUTIL_BOOTSTRAP: 0
+    MBEDTLS_NIST_KW_C: 0
--- a/bootloader/mcuboot/ci/mynewt_targets/swap_move/target.yml
+++ b/bootloader/mcuboot/ci/mynewt_targets/swap_move/target.yml
@@ -0,0 +1,22 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+target.app: "@mcuboot/boot/mynewt"
+target.bsp: "@apache-mynewt-core/hw/bsp/nordic_pca10056"
+target.build_profile: "optimized"
--- a/bootloader/mcuboot/ci/requirements.txt
+++ b/bootloader/mcuboot/ci/requirements.txt
@@ -0,0 +1 @@
+tomli
--- a/bootloader/mcuboot/ci/sim_install.sh
+++ b/bootloader/mcuboot/ci/sim_install.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -x
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+pip3 install --user -r ci/requirements.txt
+
+pushd sim && cargo fetch
+[[ $? -ne 0 ]] && exit 1
+popd
--- a/bootloader/mcuboot/ci/sim_run.sh
+++ b/bootloader/mcuboot/ci/sim_run.sh
@@ -0,0 +1,65 @@
+#!/bin/bash -x
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+GET_FEATURES="$(pwd)/ci/get_features.py"
+CARGO_TOML="$(pwd)/sim/Cargo.toml"
+
+pushd sim
+
+all_features="$(${GET_FEATURES} ${CARGO_TOML})"
+[ $? -ne 0 ] && exit 1
+
+EXIT_CODE=0
+
+if [[ ! -z $SINGLE_FEATURES ]]; then
+  if [[ $SINGLE_FEATURES =~ "none" ]]; then
+    echo "Running cargo with no features"
+    time cargo test --no-run
+    time cargo test
+    rc=$? && [ $rc -ne 0 ] && EXIT_CODE=$rc
+  fi
+
+  for feature in $all_features; do
+    if [[ $SINGLE_FEATURES =~ $feature ]]; then
+      echo "Running cargo for feature=\"${feature}\""
+      time cargo test --no-run --features $feature
+      time cargo test --features $feature
+      rc=$? && [ $rc -ne 0 ] && EXIT_CODE=$rc
+    fi
+  done
+fi
+
+if [[ ! -z $MULTI_FEATURES ]]; then
+  IFS=','
+  read -ra multi_features <<< "$MULTI_FEATURES"
+
+  # psa crypto tests require single thread mode
+  TEST_ARGS=''
+  for features in "${multi_features[@]}"; do
+    if [[ $features =~ "psa" ]]; then
+        TEST_ARGS='--test-threads=1'
+        break
+    fi
+  done
+
+  for features in "${multi_features[@]}"; do
+    echo "Running cargo for features=\"${features}\""
+    time cargo test --no-run --features "$features" -- $TEST_ARGS
+    time cargo test --features "$features" -- $TEST_ARGS
+    rc=$? && [ $rc -ne 0 ] && EXIT_CODE=$rc
+  done
+fi
+
+popd
+exit $EXIT_CODE