commit | 3774590ea99488f6b3b5a49ce289cb1f5c84753e | [log] [tgz] |
---|---|---|
author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Fri Sep 15 21:57:33 2023 +0000 |
committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri Sep 15 21:57:33 2023 +0000 |
tree | 0c2d5a086d59762e7dc59ecf28e80109b79fa7b5 | |
parent | 3af860f127cdfc069609e2a18c3dc6e51e73e70b [diff] |
[third_party/pigweed/src] Roll 55 commits 2f69ffa69701701 pw_env_setup: Add relative_pigweed_root to pigweed 4b9353ebb5ee7ad pw_chre: Write our own version.cc ac288ee6cc1b9f7 docs: Add link to in-progress hardware targets 76a563af60437cc pw_async_basic: `release` outside of lock context 4c94ea527a86966 pw_async_basic: Remove unnecessary 5-second wakeup 0a517b7bbfd7cfe pw_toolchain: Add cortex-m33 support to arm_gcc 745aeaf178edc5a third_party/fuchsia: Copybara import 60d698af2232148 pw_polyfill: Increase __GNUC__ for __constinit eea581a4e8bc4d6 Bazel: Remove bazelembedded dependency a3d2e831199a6ea Bazel: Move cxxopts out of bazelrc cbf4b34fe631834 pw_function: Add configurable Allocator default c13af959bab5cf8 pw_ide: Move VSC extension into npm package dir 9b67bfe7a517681 pw_web: Fix leading white spaces, scrollbar size, 91502177dbf1286 pw_async: Return bool from FakeDispatcher Run*() m 866b77d5f9f2c37 pw_protobuf: Fix "Casting..." heading level b3aeab8644a7071 third_party/fuchsia: Update patch script and patch ab45b0af879939b pw_function: Update example to match guidelines fo fe6f6848f02f4f3 pw_package: Use mirror for zephyrproject-rtos/zeph 058edafab8ef8b4 Bazel: Use the same clang version as in GN 4d5ba83beb9c15b bazel: Add platform-printing aspect 21b27512aa72b95 third_party/fuchsia: Update patch 7ef95e5adb78594 pw_system: Add arm_none_eabi_gcc_support eb6d39c3e24cfc0 docs: Fix link title for pw_log 31df7bd5cc7955d targets: Fix pico_sdk elf2uf2 on Windows d2fc5bdf6c65b61 pw_package: Use Pigweed mirror for google/emboss 05acd6452b65a63 pw_rpc: Support custom response messages in Synchr eb7ded3f1a7c957 SEED-0104: Display Support ded929be2ec1b5b pw_web: NPM version bump to 0.0.12 de3b1ca6a8cae37 pw_presubmit: Additional functions for handling gn e0b85213d6493b7 pw_web: Fix column sizing & toggling, update UI 93a418acb4fa8c0 pw_fuzzer: Refactor conditional GN targets df46ed322724b8a pw_web: Replace Map() with object in proto collect f210a064bf6d67f pw_chre: Add barebones CHRE ef447ae6f95cab0 pw_log: Update Android.bp to generate RPC header f f9b10568994c147 pw_analog: Migrate AnalogInput to Doxygen 0ed9506ccce7c3b pw_presubmit: Include bazel_build in full program 24a9c040ed2218d pw_rpc: Add fuzz tests 177cb2c8c209eeb pw_function: Add Allocator injection 941166245f0def6 pw_env_setup: Roll cipd to 0f08b927516 757048d2f8f3218 pw_{base64,tokenizer}: Add base64 detokenizer hand 8a4325d08343115 pw_bluetooth: Add ReadLocalSupportedCommandsComman b9c896e42d2b7bb pw_bluetooth: Add LEReadLocalSupportedFeaturesComm 5a0cb51b0ae5236 SEED: Update process document 6dc019b67e3e099 SEED-0109: Make link externally accessible 6815514b563270b pw_bluetooth: Add ReadBufferSizeCommandComplete Em 328d99d5847cb38 Bazel: Arm gcc configuration a78feb65e112f12 pw_bluetooth: Add ReadBdAddrCommandCompleteEvent E 31939eacd1819de docs: Update changelog c3e6813bf92479b pw_bluetooth: Add ReadLocalVersionInfoCommandCompl c8044b9f8bdb045 SEED-0110: Claim SEED number f9b95a0050cb99c pw_package: Use mirror for raspberrypi/picotool d17d40c437940d7 pw_work_queue: Migrate API reference to Doxygen 17663e0b05afc4c third_party/fuchsia: Support specifying the Fuchsi 62fe4122773880e third_party/pico_sdk: Fix multicore source filenam 417964a45e2b15a roll: go https://pigweed.googlesource.com/pigweed/pigweed third_party/pigweed/src Rolled-Commits: add86809e72c1c6..2f69ffa69701701 Roller-URL: https://ci.chromium.org/b/8769851759608727505 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: I3142ef903231ea9128595097d632a7a4aa530fd4 Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/171450 Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init
, and updated after pulling commits that roll the submodules using git submodule update
.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh
.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out
to build everything and run all tests. You can also run pw watch
which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format
file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt
files in the build output. For example, cat out/host_optimized/gen/*.txt | less
will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.