| commit | 2f0717dd7b3a7865e358949819c23f19003937ea | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Jun 10 00:44:25 2024 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Jun 10 00:44:25 2024 +0000 |
| tree | c5f413dc6b308644f7e6d796bede6a186887975b | |
| parent | 35cc5769734f5cd8a99786fda9e00bf08f6401c5 [diff] |
[third_party/pigweed/src] Roll 98 commits 737169c0ecf2742 roll: gn 031b9f01df16792 [fuchsia_infra] Roll 13 commits e20b71297bac2ab roll: cmake 06c3c9f97963303 pw_target_runner: Switch to Bazel build b753750344bd59f stm32f429i: Add baremetal bazel build support f1f8d574b1228e8 pw_bluetooth_proxy: Fix const on sendGattNotify pa d8be934be664a47 pw_console: Reload theme when using a config-file f292106ab26479a pw_target_runner: Add module metadata 756c234dfe69d9d pw_build: Add module metadata 6f731832391b57a pw_checksum: Add module metadata e0dd5e7778a97f4 rp2040: Fix test runner scripts to correct check i 3e894b59980e141 bazel: Roll latest rules_libusb 8e2614ad95412e7 io_bazel_rules_go: Update to fork which disables w 7db0eee96bdeb4b pw_bluetooth_profiles: Add module metadata 45fd0510f3a0816 pw_build_info: Add module metadata 1c97f713f41c5ad targets: Make host_device_simulator_binary `bazel 465d99734d3a1b1 pw_bluetooth_proxy: Mark unused parameters with [[ 5f4e108bb91e1d4 pw_channel: Add module metadata bd910367051aa32 pw_chre: Add module metadata f20a2dc6ded67a5 pw_bluetooth: Add module metadata 13815f73d4aa893 pw_bytes: Add module metadata d3fdc8b3a0e8d99 pw_bluetooth_hci: Add module metadata 3d3e59c25557e05 pw_build: Clarify docs on pw_elf_to_bin 1d82b0ff4c571fe pw_uart: Add module metadata ec741c8c94303ff pw_build_mcuxpresso: Add module metadata 03d0423f7f196c8 pw_analog: Add module metadata 8d296361c1f6074 pw_base64: Add module metadata 9ea9ef130481b82 pw_multibuf: AdvanceToData in iterator constructor 98c249943f7a441 pw_blob_store: Add module metadata 30abcad0910ff68 pw_android_toolchain: Add module metadata 732c882e8ec9bfd pw_async: Add module metadata 3fa03cadd9b06a1 pw_cli: Fish shell completion f4da9803f0e4e34 pw_presubmit: Add module metadata e202b0b771cd818 pw_sensor: Add Bazel support for Python package 5cc356c68b27f7f pw_clock_tree_mcuxpresso: Remove unnecessary pw:: 5b69003409b9ff3 pw_clock_tree_mcuxpresso: Add ClockMcuxpressoAudio 96a282aa6437950 pw_rpc: Add module metadata 13062c9ab277595 pw_router: Add module metadata 1dc0c0626a313f1 pw_varint: Add module metadata 243ba33cd5434c7 pw_multisink: Add GetUnreadEntriesSize to Drain 4885f584c9a27aa pw_ring_buffer: Add EntriesSize API to Reader da7ee077f24a9bb pw_bluetooth_proxy: Add maybe_unused to make downs 7ddafaf90088efa pw_bluetooth_proxy: Add ProxyHost::HasSendAclCapab 21bcbe67b4552d1 pw_toolchain: Add IOKit and Security headers to ma 9cb32e34b5e88ff pw_bluetooth_proxy: Update H4HciPacket constructio b68025de8fda296 pw_bluetooth_proxy: Add sendGattNotify stub a4f3e67ade55ec6 pw_clock_tree_mcuxpresso: Configure ClkIn as sourc 1ffc0b72b2cf57d third_party: Add @libusb to bazel workspace e25a26911ac036e pw_protobuf: Add module metadata 1318da19d424a2b pw_log: Add module metadata 5a42d892e61c03c pw_docgen: Add module metadata 5d2f2ae7a1ac085 pw_bloat: Add module metadata 8e598bdc21566ef third_party/freertos: Share common FreeRTOS functi ea3f5729c910f5d pw_system: Move config variables to config.h 508e145f7f9814f pw_containers: Disallow deletion from InlineVarLen 9452c6061de3f1a pw_toolchain_bazel: Add cortex-a32 mcpu value 28a9fb05372696b pw_multisink: Add option to inject a user defined 52fa32ac0d460e0 pw_build: Update intro f8259a3cb161f43 pw_spi_rp2040: Add module metadata 2803e38a0afeb3f pw_arduino_build: Add module metadata 3b855f66736b7a3 pw_ide: Preserve modified editor settings 46a21c419e5561f bazel: No integration tests in wildcard build 83735047f7e90ed pw_transfer: Fix ConcurrentModificationException i 52fcc2ecdab0e05 pw_stream_uart_mcuxpresso: Make dma_stream Write o 04b802b31c9a0ca pw_web: Get icon fonts via Google Fonts URL f63576c7a25f36b pw_grpc: Remove send queue timeout c3bd8feb64c0b7f third_party: Symlink probe-rs binary into common l 28ee5c51dc16057 bazel: Move integration build config in-repo fa03307ca0a1a92 pw_env_setup: Update clang next version a31661c9795660c pw_clock_tree_mcuxpresso: Make Mclk and ClkIn depe 1aa7f44ecb7bf64 pw_clock_tree_mcuxpresso: Move example code out of 21277f94a062107 pw_clock_tree: Introduce ClockSourceNoOp class 65ba1ca17c9d57f pw_spi: Fix sitenav location for RP2040 backend 0f2537e5f13d9fd third_party: Add probe-rs ad079700b6f69ef pw_async2: Fix location of backends in sitenav 4be3dbc86c04e9d pw_presubmit: Remove shellcheck from lintformat pr 81b6bdb4fd457de pigweed.json: Add config for Bazel builders 2c8183903bf9b6e docs: Update homepage tagline 76902e6d4a7fa3c rp2040: Support bazel wildcard build on rp2040 dea891ac18bee92 pw_bluetooth_proxy: Fix compilation errors 5f164749a2bb256 pw_web: Fix last column filling space in log table 9c5ff32b8a7e995 pw_bluetooth_proxy: Pass H4 as event type plus an ee2ddb543cc45ec pw_bluetooth_proxy: Tweak CreateNonInteractingToHo 6618a7d3265639b pw_chrono: Introduce SystemClock backed link time d988f7027fe939e pw_env_setup: Bootstrap fish-shell support d91003238d9cf8b pw_ide: Fix constant Pylance crashes 80a5042814f199d pw_thread_freertos: Expand comment to help when de 9bed7bf6daedb3b pw_channel: Update function documentation 4cf2d05a70b44da pw_multibuf: Fix Truncate(0) on empty MultiBuf fd77c2fe695697c docs: Add "skip to main content" a11y feature f89935d35fb2da6 github: Fix step name 60ae08ad972b93b pw_channel: Remove manual registration from epoll 778137c3b26aea6 github: Add basic workflow and docs ff81e38b61cc14b pw_containers: InlineVarLenEntryQueue::try_push() aee408cfeb5522c targets/rp2040: Support running tests using the de 35450d745f54bdd pw_rpc: Fix hyperlink 61203e8e2b2f9d4 pw_bluetooth: Add HCI StatusCode values 04079093944aab1 zephyr: Fix typo https://pigweed.googlesource.com/pigweed/pigweed third_party/pigweed/src Rolled-Commits: b0b4108bd83aa5a..737169c0ecf2742 Roller-URL: https://ci.chromium.org/b/8745561168213449201 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: Ia9682c9518226ca5963f1ba56c8988307d031437 Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/215074 Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Lint: Lint 🤖 <android-build-ayeaye@system.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.