| commit | 1207c3628e6b8380dc077ef701da954e230850e3 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Sun Apr 20 17:47:02 2025 -0700 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Sun Apr 20 17:47:02 2025 -0700 |
| tree | da00d9609129bb6dc9a3cd5592ec18b0fb583fc6 | |
| parent | 16719c932568c6fbac50cc287de6fcadca376d65 [diff] |
roll: third_party/pigweed/src f1c1ba7..5e9dd49 (54 commits) 5e9dd49:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/285093 roll: gn 11f0b4d:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/285035 roll: luci 7621c2b:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284748 roll: bazelisk-as-bazel 6b75be9:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/278364 pw_rpc: Add a test for finding a servers max echo packet size bbbdf76:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284853 pw_kernel: Add mps2-an505 specific target 662d5e8:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284688 pw_kernel: Remove obsolete console.rs file 824ffb3:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284684 pw_kernel: Add config KERNEL_STACK_SIZE_BYTES 222ad32:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283794 pw_kernel: Add SCHEDULER_TICK_HZ to config e5b0af2:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284812 bazel: Propagate rules_rust error_format to exec config e7934a3:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284155 pw_docgen: Start unit tests 2866b2a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284685 pw_kernel: Split user and kernel exception frames 99d01a3:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284212 pw_ide: Fix presubmit and tests on windows 1f47b42:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283793 pw_kernel: Add target specific kernel config a8c94ba:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284592 pw_kernel: Add Target::main() 4aaade1:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284374 third_party/chre: Use pw_external_chre in gn bcefbab:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284277 pw_kernel: Remove the timers dependency on the cortex-rt crate 8866349:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284394 pw_flatbuffers: Use STRING for pw_flatbuffers_FLATC_FLAGS a79430f:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284373 third_party/boringssl: Use pw_external_boringssl in gn 6667d2c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284275 pw_toolchain: Remove Rust WORKSPACE helper 0e9a0e5:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/236932 pw_bluetooth: Add GetHciHeaderSize and GetHciPayloadSize APIs 7ac6cb6:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284692 pw_router: Migrate size report to Bazel cbe119a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282753 pw_kernel: Add Process object to scheduler 031db67:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284553 pw_channel: Fix error with private destructor and pw::NoDestructor 37062d4:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284612 docs/style/cpp: Fix typos; update async module link 6dc3d69:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284372 third_party/apollo4: Use pw_external_apollo4 in gn dc95087:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284392 third_party/arduino: Use pw_external_arduino in gn f423d02:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284273 third_party/ambiq: Use pw_external_ambiq in gn 715ba80:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284332 third_party/absiel: Use pw_external_abseil_cpp in gn 351373b:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282872 pw_bluetooth_sapphire: SCO Offload Index config af9b963:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282894 pw_toolchain: Enable thread safety warnings for arm-clang toolchain 8e230dd:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/268512 pw_rpc: Create default channel output 4c53c47:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284153 gn: Introduce new variables for 3p dependencies 996359c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/268874 third_party: Update GN build files for FuzzTest and Abseil 0554f0d:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282813 pw_tokenizer: C++ detokenization microbenchmark 80512ef:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/284154 pw_tokenizer: Add thread safety to dir creation 6784a0d:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/281855 pw_channel: Document inheritance pattern; discourage SiblingCast df60e9e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283973 pw_env_setup: Update CIPD pin edd09be:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282892 pw_perf_test: Only enable if the timer backend is set 4fa03e9:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283872 pw_base64: Function for exact Base64 decoded size cb60cea:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283798 pw_base64: Ignore padding bytes when decoding 69c343a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/281836 pw_ide: Relocate vscode dependencies from compile commands generator 5ece86a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/281835 pw_tokenizer: Improve parse_message tool 6b06aa9:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282939 pw_kernel: Don't ignore GN files in pw_kernel 5b7d443:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283795 bazel: Roll Fuchsia SDK 59094f8:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283797 bazel: Move host_platform into MODULE.bazel 10bb8b6:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/279741 pw_ide: Trigger refresh manager on non-bazel compile command refresh baa8c72:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282936 pw_build: Add helper for Pigweed-specific conditions 67b5300:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282898 pw_build: Clean up bazel_to_gn workflow for FuzzTest c010093:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/268652 pw_build: Update bazel_to_gn.py to use bzlmod 498df09:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/281934 docs: Update the contributing guide 0c7d46b:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282897 various: Fix trivial warnings df4204e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/283212 pw_blob_store: Migrate size reports to Bazel 7c41ce5:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/282899 pw_build: Remove pedantic exceptions fc9ef30:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/268133 pw_fuzzer: Use FuzzTest from the BCR Rolled-Repo: https://pigweed.googlesource.com/pigweed/pigweed Rolled-Commits: f1c1ba7230307b..5e9dd49e6dd2b2 Roll-Count: 1 Roller-URL: https://cr-buildbucket.appspot.com/build/8717023129061721329 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: I86543476a3972a685df51a4a2ae4a77ccb9ea7ee Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/285041 Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Lint: Lint 🤖 <android-build-ayeaye@system.gserviceaccount.com> Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init --recursive $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.