| commit | a793c1bc8aee584d4d68631fea265449d018a1a9 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Apr 22 00:44:02 2024 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Apr 22 00:44:02 2024 +0000 |
| tree | a879259e6d8bff657c23a184aa11da7f455159b4 | |
| parent | 2052e4417823c9f924712885cb446e72cb2541aa [diff] |
[third_party/pigweed/src] Roll 51 commits
0bfe65d4331f9ee roll: gn
84084ec60dd5d15 roll: clang-next
678e85847484879 roll: 310, 311
4ab4b220f23f968 roll: sysroot
2de4acb67e7e38d roll: cmake
98a790ed35ba482 pw_cli: Handle custom arguments in tools
d5104440ddda303 pw_bluetooth: Correct emboss path in doc example
7d13cb1075da395 pw_cli: Add git_repo.py and test to Bazel build
5da0b7bbfa9736d pw_presubmit: Drop '.' from Bazel symlinks
f7bed9a05a09cf0 docs: Update changelog
4d042f415cfe02e pw_tokenizer: Add missing CMake dep
913b39f93ad35b7 pw_string: Add missing array include
26b0e265ab5836b pw_protobuf: Fix support for import_prefix on prot
393434d3ac16cc8 pw_bluetooth_*: Formatting fixes
b6d694586dbc0cd pw_unit_test: Add IWYU export/private pragmas
68ca4ccac262382 pw_bluetooth: Formatting fixes
e3662e8e52d2799 pw_kvs: Make Key an alias for string_view
463dca050a46608 pw_web: Support creating client without using prot
2ea6211c76a8666 pw_{rpc,protobuf}: Access raw proto values; change
a82ae449503ad71 pw_ide: Fixes to support changing working_dir
bc019dca4f4f1a3 pw_bluetooth: LEGetVendorCapabilitiesCommandComple
0f2396924cd89a6 pw_env_setup: clang
c0fdef4a7e8c34c bazel: Use remote cache in infra
5aa6e0bbb727e1e pw_cli: Fix argument handling for GitRepo.has_unco
f3b08caf413b2a7 docs: Add pw_status table for API references
c4a939e113debc0 pw_bluetooth: Add versions - LEGetVendorCapabiliti
cf33fd5c9cc9b6f pw_bluetooth_sapphire: Iterators
a37b82ee271f61a many: Move maxDiff to be a class attribute
bb28159eee347b2 pw_sensor: Fix Python install
c779ef6691f3de7 pw_build: Disable deprecated pragma warnings
a4dd94c7fc90cf4 pw_sensor: Add attribute support to sensor-desc CL
44ad59124c1a191 pw_sensor: Create a sensor-desc CLI
5b8b84f452c9ced pw_snapshot: Process snapshots based on CPU archit
cfd57d8453d3291 pw_thread_freertos: Use TCB for running stack poin
343cadc83c5ea36 pw_cli: Fix subprocess runner arg concatenation
287a6a668c70176 pw_{presubmit,cli}: Move FileFilter
4ae73f61b725990 pw_{containers,hdlc,build,rpc,transfer}: Iterators
7c73477c547ec68 pw_cpu_exception_risc_v: Add initial backend struc
7ab7b73a3786fc2 pw_presubmit: Add bthost_package step
221767c03aacd1e pw_presubmit: Don't overwrite Bazel stdout files
09c9355f6493ad0 pw_presubmit: Remove cmake_clang from quick presub
5c2f5153571a715 pw_build_android: Update module guidance
ffd7f02f75eec34 pw_cli: Fix commit fallback handling for GitRepo.l
6913460a9bd1bd6 pw_ide: Enable cmake.format.allowOptionalArgumentI
1154ff5dda14d5d pw_build_android: Update cc_defaults guidance
b5b08af769c2a3a pw_rpc_transport: Soong lib names now follow style
b657245b27e28db pw_web: NPM version bump to 0.0.18
53e8f63714ca67b pw_web: Fix string manipulation in download logs
4152b6754ca7a74 pw_allocator: Add missing soong deps
e3c8e94cbffee47 pw_transfer: Implement adaptive windowing in Pytho
79c1f24e16c01c3 pw_web: Use existing col data when adding new View
https://pigweed.googlesource.com/pigweed/pigweed
third_party/pigweed/src Rolled-Commits: 3fbcf41574028ef..0bfe65d4331f9ee
Roller-URL: https://ci.chromium.org/b/8750000425633374657
GitWatcher: ignore
CQ-Do-Not-Cancel-Tryjobs: true
Change-Id: I41b4c6d5cf6fb8f93fb6624b499bdfbcdbe39cab
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/205531
Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.