| commit | 665e4cc6c906cf6bf16085deac129a72dbbce933 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Nov 13 00:43:35 2023 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Nov 13 00:43:35 2023 +0000 |
| tree | a90b599dfdcbd8fdff8f930335d9743e0c3d20b9 | |
| parent | 5c75e31eeb7a543590dae3957502a9e31d43c6ea [diff] |
[third_party/pigweed/src] Roll 52 commits 5eccd87a773568f roll: host_tools 0280acaad36a254 roll: 310, 311, 38, 39 5a48b57f5270aa0 pw_stream: Fix use of shutdown on Windows 29b0e93f0baefa2 bazel: Set --incompatible_default_to_explicit_init e596056be5c19aa pw_perf_test: Reogranize source files 998bcf980e9d1e2 SEED-0113: Add modular Bazel C/C++ toolchain API 50d8c114135f26b pw_rpc_transport: Close sockets when stopping ff3867abc82227b pw_env_setup: Update Bazel to 7.0.0 pre-release 8b0de7e74e763ba pw_transfer: Use project-absolute imports for test 563393f56a8c41b pw_transfer: Prevent accidental timeouts in unit t 83707d83614162f pw_web: Fix LogViewControls responsive behavior 8ac135ecb0b1d47 pw_web: Resume autoscroll with clear logs event 36c1c5f9a2f3c20 pw_presubmit: Add examples showing how to create f 25d2b7fab002019 pw_unit_test: Document ASSERT_ and EXPECT_ macros 2825c77b6864445 docs: Add Contribution Standards section e4b8396799e862b roll: openocd to 0.12.0-2 023d64acda3b975 pw_allocator: Update interface based on final SEED 09c9783126f1324 docs: Add details to codependent docs 4449ac1105bda52 pw_unit_test: Include the right gmock header e9105b356836b05 pw_toolchain: Add objdump 4ee9b5866d17e6a pw_web: Fix clear logs due to error thrown handlin 3ed904b2ecc56c7 pw_unit_test: Mark libs as test only in bazel 7e0fad2cc3790f1 pw_i2c: Mark libs as test only in bazel 996a3479d45a601 pw_unit_test: Support *_NEAR, *_FLOAT_EQ, *_DOUBLE 74ed509bc15e65b pw_allocator: Refactor test support and example al 87636efd044bee2 pw_web: Add manual testing page in docs 4e8c2e22d497e72 pw_fuzzer: Move `Domain` from fuzztest::internal t 666d7adedf73ad8 pw_analog: Mark libs as test only in bazel 74ff2e783600c61 pw_ide: Set 3-space tabs in VS Code 9c0316b7067a011 python: Update constraint.list e2c73889399ce97 pw_trace_tokenized: Add a transfer based trace ser 53027c0a50b85fe pw_ide: Support output to logs 81a298f8e62ec70 build: Update the default C++ standard f5ac6f817e989b0 pw_ide: Remove redundant licence aed1d2dadf39d9a pw_fuzzer: Switch oss-fuzz build to Bazel eead27dc47f8219 pw_ide: Remove clangd auto-restart 7fdc0382b0d4130 python: Upgrade parameterized package 3880f6a72ed1fa5 pw_presubmit: Correct coverage ref 64e91f09a766978 SEED-0110: Correct status 05b7e67802a614b pw_emu: Add support for substitutions in config en 42440ce40b2db3b pw_unit_test: Allow googletest_test_matchers_test 05acad3061c4371 bazel: Make pw_cc_library an alias for cc_library 4e43f63c083bb14 pw_console: Improve SocketClient addressing 1283ffa78740b2c pw_tokenizer: Add Java to supported languages list b6bd4259000151a pw_watch: Remove httpwatcher support 0bdf3800fd79b4b pw_ide: Make Sphinx extensions upstream-only b75cdd5dd322ad8 pw_ide: VSC extension 0.1.1 release eff7ef99b8136d7 targets/stm32f429i_disc1_stm32cube: Update TODO a1d2da971f308ed bazel: Don't disable use_header_modules 741063cb923f579 pw_unit_test: Add more googletest test matchers f84b844862813d4 pw_unit_test: Add googletest test matchers a565608495205e2 pw_emu: Add resume command to CLI https://pigweed.googlesource.com/pigweed/pigweed third_party/pigweed/src Rolled-Commits: 1dc8cfcfe4b2565..5eccd87a773568f Roller-URL: https://ci.chromium.org/b/8764586537425118353 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: I745fb085248dc4e97c46889d8f4388c92660ffcb Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/180731 Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.