| commit | 6f1298ac7746606761c418b529d41e6780e9e3b9 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Aug 28 00:45:12 2023 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Aug 28 00:45:12 2023 +0000 |
| tree | ada3fa02fa320c818c3ca02691f97a35608a3e8a | |
| parent | 9ec38a9094ff08d41422558f306b98df25716870 [diff] |
[third_party/pigweed/src] Roll 51 commits 6f78430711b3064 roll: host_tools 234874145c4f4c7 roll: absolute_uploader, incremental_uploader 4d4e11bf9a2dbdf roll: 310, 311, 38, 39 04760cadc928320 roll: cmake b12cf550fd402b9 docs: Use code-block:: instead of code:: everywher 4cee35114281aef pw_web: NPM version bump to 0.0.11 f7350d36ed98746 pw_tokenizer: Move config value check to .cc file 98eda46fd69de65 docs: Add function signature line breaks 50ec0b1aec7605c pw_web: Add basic bundling tests for log viewer bu fce548b1159318d docs: Cleanup indentation 85d51cf6cbed85a pw_rpc: Add request_completion to ServerStreamingC 9c7887720b62b96 pw_docgen: Remove top nav bar b7a3673c074997f pw_env_setup: Upgrade sphinx and dependencies for 21c317d5c139c3f pw_ide: Add cmd to install Py packages as editable ff32f2b64b7179d pw_cli: Default change pw_protobuf default 1aa243cb3dc9df3 pw_tokenizer: Create parent directory as needed ed9acad2b4407b8 targets: Ambiq Apollo4 support 6a8e03c80c84522 pw_toolchain: Link against system libraries using 5382e92723657bf pw_presubmit: Add msan to OTHER_CHECKS a12162bfbe29ced pw_docgen: Parallelize Sphinx 48c5867a2fa81f5 pw_bluetooth: Add SynchronousConnectionCompleteEve 28e1e1bfd9181e0 Build: Make it possible to run MSAN in GN c83de134850989d docs: Remove unused myst-parser d3de25c7558b2eb pw_toolchain: Use %package% for cxx_builtin_includ 5c1e3ada982a41a docs: Use sphinx-design for tabbed content b8a991a6af0e109 pw_env_setup: Upgrade sphinx-design f20703f8eac6ab8 pw_bluetooth: Add all Emboss headers/deps to embos 832d33ebcb31f6d SEED-0109: Claim SEED number 9e0760ff9b75fbd pw_function: Rename template parameter 083d16a55349fd0 pw_bluetooth: Add InquiryResultWithRssiEvent Embos bac2d6ff6dfac86 pw_stm32cube_build: Windows path fixes 96a96793700ac12 pw_tokenizer: Rework pw_tokenizer.detokenize.Prefi 3469faa09655ed2 pw_build: Handle read-only files when deleting ven 074e97de88dbd0d pw_bluetooth: Add DataBufferOverflowEvent Emboss d ab5152e4e542dc1 pw_bluetooth: Add LinkKeyNotificationEvent Emboss 966d3ee89d633f3 pw_env_setup: Copy pigweed_environment.gni to logs 9faab8b4401f0ef pw_unit_test: Add TestRecord of Test Results 275eb88ba2e296d pw_tokenizer: Minor binary database improvements 04e7d41cab220ce pw_web: Limit LogViewer redraws to 100ms 505f0af7f29ef33 pw_tokenizer: Update binary DB docs and convert to ec277a229f5e5b8 pw_tokenizer: Deprecate tokenizer buffer size conf 246c2cdf71d80b0 pw_build: Split build system docs into separate pa 27cbe86b496c980 pw_build: Use pw_toolchain_clang_tools 4284d2ee2350839 SEED-0107: Update status to Accepted 86f3220a1ee6e6b pw_toolchain: Extend documentation for tool prefix 4bb1ae11bb2c956 pw_build: Add missing pw_linker_script flag f829ee789e5c510 SEED-0107: Pigweed communications 3b76ff34aff1e69 pw_bluetooth: Add LinkKeyRequestEvent emboss defin 135cbeee782719b pw_bluetooth: Remove unused hci emboss files 61a73b03b015036 roll: buildifier 9e4bfb92eb5ad74 pw_bluetooth: Add RoleChangeEvent emboss definitio https://pigweed.googlesource.com/pigweed/pigweed third_party/pigweed/src Rolled-Commits: e8a541f8a5f8e10..6f78430711b3064 Roller-URL: https://ci.chromium.org/b/8771562503939795297 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: I1bc016d81521e5ec59f21a7fc3ef636a3a4e75a3 Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/168580 Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.