| commit | 4fa00cc9586b968195ce3c814588900d8ec58dc9 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Aug 07 00:44:03 2023 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Aug 07 00:44:03 2023 +0000 |
| tree | f82d6ff6fe9512dadb01ed7947782b2e21488bae | |
| parent | 4b14e59f6192934d31f5eac4184935de94d050fb [diff] |
[third_party/pigweed/src] Roll 53 commits
34cff3b4e635b2c roll: host_tools
a3acdade0dd7c99 roll: gn
fbb71d6959727ad roll: absolute_uploader, incremental_uploader
c0c8c4d4e8d4abd roll: bazel
8ad58fabee2e2ac pw_tokenizer: Restore info that get lost during th
e0806bd26c98c9e pw_tokenizer: Use the same tagline on every doc
b2c2b855f576c05 OWNERS: Add kayce@
0cebdd79db40e51 pw_alignment: Fix typos
c9d939968ab79b5 docs: Update module items in site nav
b1805f35e6fcd96 pw_toolchain: Prefer start-group over whole-archiv
4d42e3db168bf62 pw_ide: Add command to install prototype extension
0482a529f09500d docs: Add editor support doc
2278b06a38f49b7 pw_ide: Prototype VS Code extension
3ffc5bd7fb215c2 pw_docgen: Remove the navbar from the module docs
873331e5df828b8 pw_console: Set clipboard fallback methods
6f8378943e643ed pw_base64: Finish Doxygenifying the API reference
34e29f5b28f019f pw_rpc: Avoid reflection in Java client
ef1ee1b6af1dcbe pw_presubmit: Exclude vsix files from copyright
d7df784a635e00b pw_presubmit: Clarify unicode errors
83635372ffddbf4 build: Do not allow PATH leakage into Bazel build
f6437da198a4b7f pw_transfer: Fix legacy binary path
a9427aba257f282 pw_{protobuf_compiler,rpc}: Use hermetic protoc
fe310ff138d8643 pw_protobuf_compiler: Move reference to python int
366ca18a149228f docs: Delay nav scrolling to fix main content scro
fa8ffac8edacd71 pw_build: ProjectBuilder log build steps option
6f6d32dbb0b8013 pw_base64: Doxygenify the Encode() functions
4e8d69fcbdf32b2 docs: Suggest editor configuration
d8fa6739708b518 docs: Scroll to the current page in the site nav
62623ec50afa94e pw_thread: Fix test_thread_context typo and presub
4d6620db1bce984 pw_presubmit: Upload coverage json to zoss
a6e8fe16ff79e9b pw_protobuf_compiler: Make nanopb hermetic
537df1014f69621 pw_tokenizer: Replace savings table with flowchart
37b43a85006cfff pw_trace_tokenized: Replace trace callback singlet
358c6172ead8855 pw_rpc: Improve Java client error message for miss
3ac2d484661504e pw_web: Fix TypeScript warnings in transfer.ts
ada1a81d2ce334c pw_env_setup: Pip installs from CIPD
27921c057cf6a7a pw_env_setup: Include Python packages from CIPD
009a0350282c60e pw_presubmit: Add to context tests
a2d674515ffd974 pw_presubmit: Add patchset to LuciTrigger
b59099bc638b6c9 pw_env_setup: Remove unused pep517 package
93549eb6ce67bdd pw_tokenizer: Ignore string nonliteral warnings
4b4f0a763d90d0e pw_web: Fix TypeScript warnings
9231b05b13226c9 pw_transfer: Mark linux-only Bazel tests
5fad39f291a5111 pw_status: Promote Zephyr heading to h2
3ec27c3b91aece9 pw_presubmit: Add helpers to LuciContext
91150a072cc4ea3 SEED: Create Sphinx directive for metadata
797baaed66ab642 pw_env_setup: Use more available Python 3.9
b8c57389bb2e637 pw_analog: Include header files as stopgap API ref
a57b05587b88860 docs: Add changelog
abf8be3fea71793 pw_presubmit: Update Python vendor wheel dir
92c77d8ce303795 pw_presubmit: Add summaries to guard checks
577292f9efca927 pw_presubmit: Copy Python packages
2cd3dee3b9a9b11 pw_spi: Responder interface definition
https://pigweed.googlesource.com/pigweed/pigweed
third_party/pigweed/src Rolled-Commits: cf4291da443f5b2..34cff3b4e635b2c
Roller-URL: https://ci.chromium.org/b/8773465039098669153
GitWatcher: ignore
CQ-Do-Not-Cancel-Tryjobs: true
Change-Id: I6b91fc8baa1ed55d5f8a32eb76183d7431cf6b5c
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/163244
Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The bootstrap script will automatically initialize all submodules.
$ source bootstrap.sh $ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.