| commit | b0b3a9e3b8c09db4ad8478dcbfc06922df4a9077 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Jul 17 00:43:50 2023 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Jul 17 00:43:50 2023 +0000 |
| tree | 4c189b146a4de156132217a51434048e029d076a | |
| parent | e5c47e6a3df853967e6247aaea85ad1b0056d309 [diff] |
[third_party/pigweed/src] Roll 56 commits 24432905b8f8de6 pw_chrono_freertos/SystemTimer: Remove false callb af428466e09e91e pw_interrupt: Remove redundant Bazel targets 40b114cb1771175 pw_trace_tokenized: Remove redundant Bazel targets d55abd1c7119a78 pw_tokenizer: Migrate detokenization docs (SEED-01 6e1e3db7d53834b pw_sys_io: Add chromiumos to alias as host system 550e61225dac26e pw_tokenizer: Migrate masking docs (SEED-0102) 02111c40d505713 pw_perf_test: Remove redundant Bazel targets cd5a6cabd97e7bd pw_env_setup: Add coverage utilities d80eb6af2d30a1c pw_i2c: Add i2c rpc service 629081583deb171 pw_system: Remove redundant Bazel targets f144ed6642a665d pw_protobuf_compiler: Allow external usage of macr 840aa6976c30762 pw_build_mcuxpresso: Fix doc headings e015f8643bce4ad pw_i2c_mcuxpresso: Add test to ensure compilation 5eb0c496fdb2881 pw_digital_io_mcuxpresso: Remove unneeded constrai b7fb6ab2b7b0b9b SEED-0106: Claim SEED number 7834d83c09d9b1d pw_sys_io: Add facade constraint_setting, docs c839cb688a23daf OWNERS: Restrict roller ownership 37542827dd7d533 pw_i2c_mcuxpresso: Fix bazel build 346f7a592cdbf29 pw_build_mcuxpresso: Support outputting Bazel targ 2733d36fdc4a77d pw_thread: Rename test_threads.h, update docs 3f0b2930ebef94b targets/rp2040: Add automated test runner 4e7b642f5260432 pw_tokenizer: Migrate tokenization domain docs (SE ace807001ae3cab pw_build: Add .lib target for Bazel pw_unit_test da22e97c061f05e pw_rpc: Fix Android.bp formatting 236a3082260fd25 pw_rpc: Add source files to pwpb Soong rule 905fadd891dfe5b pw_i2c_mcuxpresso: Update Bazel build to use SDK c 8189388d66a7769 pw_protobuf: Codegen for Find functions c71c11f9619b5b6 pw_unit_test: Add serial test runner 9b3b32c1a006d6f pw_protobuf: Add low-level Find() APIs f0712b6e1be4242 pw_build: Compile requirements for Python venvs 54e90fb786661c6 pw_sync: Move fake lockable types to separate file ef02fc021c86d44 pw_stream: Fix class name in docs d27b49199158414 pw_tokenizer: SEED-0102 migration of token databas ebb2bb9b565c206 pw_sys_io: Doxygenify ReadBytes() 4ee7f0ea9837fbf pw_allocator: Doxygenify FreeList description 122db24ebf2d558 pw_web: Clean up log-viewer component code a29f5419792bc4c pw_rust: Use `z` optimization level for Bazel `opt 33faf6c2a94ebc1 pw_digital_io_mcuxpresso: Fix bazel build fc915894091f7f0 targets: Set pw_async host toolchain defaults e28ed6392daad97 pw_web: Add dark/light mode based on Material3 3a8a0312be38edb pw_presubmit: Ignored disabled tests in parser 2ba2207ec68c1ff targets/rp2040: Enable extra_strict_warnings d8ea08a4b822a16 pw_hdlc: Add Soong rule for pw_hdlc c77cea8b1ce553f docs: Update bazel docs for better method of chang 0aa5b836945a84e pw_package: Update pico_sdk to 1.5.1 089f5a7c299fd4d docs: Indicate in-progress SEEDs better cd7caa4c76d720f pw_checksum: Add Soong rule for pw_checksum 22b1a7ca57b887f pw_stream: Add Soong rule for std_file_stream bd9a7eb032a379a pw_build: Python script for the build_wheel target f7d804f919eb3d4 pw_unit_test: Make Bazel target an alias ade7f345c775595 SEED: Update template header 439a9cd065b8248 pw_rpc_transport: Add missing cstddef include for 85d2d0d07326298 pw_system: Make Optional Device constructor args t c58ca4f0b6dba12 pw_presubmit: Remove passes from ninja summaries 78d602432abaae7 pw_build: Document Bazel facades 0790c0e535f684a pw_presubmit: Cleanup ninja parser https://pigweed.googlesource.com/pigweed/pigweed third_party/pigweed/src Rolled-Commits: b5cec17a34cb411..24432905b8f8de6 Roller-URL: https://ci.chromium.org/b/8775367578639368001 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: I320e88a0f8079108793d3720b721a463fe627fde Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/156230 Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The bootstrap script will automatically initialize all submodules.
$ source bootstrap.sh $ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.