| commit | f118be39a83a7a867e46bdc2087c55cb06c59949 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Jul 29 00:44:02 2024 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Jul 29 00:44:02 2024 +0000 |
| tree | 62720ca2aecf61fd7d0666933af4ac6701480c3a | |
| parent | 544df1b3cc77822b3fe74a704e8cfc299c1f6e24 [diff] |
roll: third_party/pigweed/src 58 commits 88f05c77b478b16 roll: rust 6503ea83db78a47 pw_symbolizer: Get llvm-symbolizer path from Bazel 08c4ea4df5a3d2b docs: Update changelog 542cb9290ee366a bazel: Partial revert of http://pwrev.dev/226007 c605a3b205089cd pw_chrono_stl: Move system clock and timer into se 84803f3af2d56dc pw_ide: VSC extension refactoring f73ddb4d76eb9df pw_async2: Mark Task::IsRegistered as const c52c57761a9ba39 pw_async2: Allow coroutine methods f29a915bb5ea870 pw_web: Replace column menu with MWC components 7744b8c3d5710dd bazel: Remove @pigweed from bzl files a99ccb3f20f2d5d emboss: Disable using pw_python_action 050ea7fb96c7f94 bazel: Remove stray @pigweed in load statement cb5ee68a68c2c3c pw_async2: Fix minor doc issues 0792e045ef9cc27 roll: FreeRTOS for upstream a7a84b2e1150d89 pw_toolchain: Select Bazel C++ version with config b38308ca572d185 pw_web: Add icon for info 82dffd7cf457809 docs: Prefer "change" to Google-specific "CL" 479546d9686f3c0 pw_web: Fix keyboard shortcut in repl.rst 16db19b7fd651f5 pw_ide: Support bzlmod projects c05c4487eff0bde pw_ide: Block on spawned refresh process b2c3f8a194b1a03 pw_ide: Status bar item for inactive file disablin c87d13b8c80ab42 pw_ide: Support disabling clangd for inactive file 4f2ff81bb96a02f pw_async2: Add CoroOrElseTask a635512a270241c pw_async2: Add Task::IsRegistered e82bb11ee931b92 pw_console: Fix RPC autocompletion in web kernel 4d38f4611153ced emboss: Update emboss repo to v2024.0718.173957 a158415a5c07e71 pw_system: Enable crash handler in async system 4b3e53050bbc33c pw_ide: Update vendored tools on extension update d04920d78848a69 pw_async2: Add Coro::Empty 1c308d70f947c93 emboss: Run python with optimization on 2cd7928833a7590 pw_web: Add repl intro message and title param 319b183d63d4cd0 pw_ide: Use vendored Bazelisk in recommended confi c369d01270042fc pw_ide: Improve VSC settings interface 54b1551fabecd43 pw_grpc: Fix shadowed variable warning d89b13448d1e07d pw_ide: Add shared settings management c6dd9ada15873e7 pw_string: Add utf_codecs 3eb05cc65bc78e5 pw_channel: Add StreamChannel adapter 4879aeb9c2336a5 pw_async2: Add Task::Deregister 632576cb10a302f pw_system: Improve message when crash snapshot exi 394e830cda04471 pw_web: Increase default log viewer density 362fe9d9a87cd84 pw_web: Move REPL to left, reduce default division 4224d6d0c23cfd4 pw_system: Add crash handling and device service c67d79552acb924 targets/rp2040: Import statement fix 4b5da9dcb374194 roll: FreeRTOS 9aec69f5692da3a pw_console: Set a default config for web console's 9f0c23cb1eca790 pw_ide: Associate target groups with active files 18bd36eb28c85c1 targets/rp2040: Enhance on-device testing instruct 6afbf6deaa1d762 pw_ide: Don't unnecessarily infer working dir 95347e0199c0427 pw_presubmit: Add attributes to docstring 8a4ae70355cd135 pw_console: Pass rpc completions to web_kernel ac64a18ef887e4b bazel: Move toolchain registration to MODULE.bazel 00d99767eb5ad66 bazel: Enable bzlmod 4f0412dae17b20a pw_ide: VSC extension 1.1.1 release 6d21be2f13d7f84 pw_ide: Add missing command stubs 619b022b0c83feb pw_ide: Stream refresh compile commands output 2005f5e8a77fc3e pw_toolchain: Hide toolchain path behind variable a70c899af249bc8 bazel: Remove sanitizers from default program 74bc3cad816843c pw_rpc: Build proto path arg list for Soong https://pigweed.googlesource.com/pigweed/pigweed third_party/pigweed/src Rolled-Commits: dd2720f7c2a5222..88f05c77b478b16 Roller-URL: https://ci.chromium.org/b/8741121921812937393 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: I9dbe34a1e3c8a56392a1abb4357e4532b7922aa6 Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/226259 Lint: Lint 🤖 <android-build-ayeaye@system.gserviceaccount.com> Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.