| commit | 72dc983ea46f1c2bca2bdc22efd30f624f1bb4a8 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Oct 07 00:44:59 2024 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Oct 07 00:44:59 2024 +0000 |
| tree | 2a2f408bcf99cc135492d5439911070c5a165848 | |
| parent | 4da1a4c3c225196a7861b7331b312025cf7386bc [diff] |
roll: third_party/pigweed/src 6ad0bec..223c6d9 (47 commits) 223c6d9:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/240453 roll: bazelisk-as-bazel 0563a0b:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/240375 roll: python-wheel 782d65a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/240374 roll: ninja 61a3cf5:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/240373 roll: fuchsia-infra-bazel-rules b875b81..589d68e (100 commits) 443ee69:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/240353 roll: rust 819e758:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/237877 docs: Introduce Bazel-based docgen 1767a9b:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239433 pw_env_setup: PyPI version bump to 0.0.19 041755d:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/240136 docs: Update changelog 05e93da:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239718 pw_rpc: Fix Call not getting reset on default constructor assignment 2e91930:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/240138 pw_rpc: Fix crash on call cleanup e242f7e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239940 pw_ide: Fix broken link ace1915:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239724 pw_assert_tokenized: Consistently use PW_HANDLE_LOG 91d4349:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/216111 docs: Add coroutine blog post b6e84ae:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239755 pw_build: Support pw_facade without public headers dc99cbc:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/236893 pw_thread: Delete deprecated function pointer constructor 5c30c1e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239716 pw_assert_log: Consistently use PW_HANDLE_LOG da49209:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239912 pw_allocator: Add missing header 8e2fc6c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239353 pw_rpc: Add callback writes to raw RPC call objects 02a68bb:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/234413 pw_tokenizer: Support CSV databases with the domain 9a52966:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238553 pw_env_setup: Upgrade to Sphinx v7.4.7 53b16cd:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239133 pw_build: Break apart pigweed.bzl 547e058:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239367 pw_presubmit: Be flexible when checking fixup commits 1fd4ff9:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239493 docs: Fix the self field in the RSS feed b8605bb:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239255 pw_build: Make missing module warning better 3ef15ab:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239452 mbedtls: Updates pigweed config for v3.6.0 79ef295:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238618 pw_chrono: Remove spammy print statements 4eff319:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239355 Revert "pw_build: Add pw_copy_and_patch_file" 279ab4a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/237809 pw_chrono: Properly stamp build time in Bazel 974dd9e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239354 Revert "pw_build: Fix build spew for pw_copy_and_patch_file" ff379a0:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239172 docs: Fix 404ing rss.xml file a388a2a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239252 roll: 310, 311 951cb3c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239112 SEED-0103: Move into Last Call a298967:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238914 pw_bluetooth_sapphire: [bt][le] Enable CIS Request, Established in mask b8f9f56:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/239132 pw_build: Fix build spew for pw_copy_and_patch_file 0207806:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238417 pw_allocator: Add MeasureFragmentation 39f64a7:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/236892 pw_thread: Delete unused constructor implementations 30bdace:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/236435 pw_thread: Make the deprecated Thread constructor private 4f8b0a2:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/237056 pw_build: Add pw_copy_and_patch_file 2ef9913:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/225491 docs: Create RSS feed for blog d35fb2e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238934 bazel: Enforce that MODULE.bazel.lock is current bf7078a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238816 pw_toolchain: Split out build-system specific docs 06f958a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238431 pw_sys_io: Clean up for-migration-only alias 1d143bb:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238416 pw_allocator: Add hooks to test_harness c25923e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238932 pw_spi: Minor enhancements to pw::spi::Config 378689c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238933 pw_unit_test: Change _PW_TEST_BOOL to use _pw_ prefix on param names c135bd7:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238574 pw_perf_test: Clean up for-migration-only alias 3d0fac9:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/238817 pw_toolchain: Move pw_toolchain/args to pw_toolchain/cc/args Rolled-Repo: https://pigweed.googlesource.com/pigweed/pigweed Rolled-Commits: 6ad0bec6ba3e92..223c6d99c503f1 Roller-URL: https://ci.chromium.org/b/8734780137427241153 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: Ic90746a56c4a1474cfc6c9fd89db3e8f9f877c1e Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/240383 Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Lint: Lint 🤖 <android-build-ayeaye@system.gserviceaccount.com> Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.