| commit | e811e078c484d73ade112e64d7b5c37dfb593351 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Mon Jun 17 00:44:10 2024 +0000 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Jun 17 00:44:10 2024 +0000 |
| tree | 598fb513b742fa0da9303878f92b17b6e2c91f73 | |
| parent | 489465c2450cd7ab3b91ababc7e2a6ea9297f281 [diff] |
roll: third_party/pigweed/src 51 commits
8059f92ef1a93df roll: gn
127b5fe73746c38 roll: bazel
7e33056fe5871aa targets/rp2040: Switch to use upstream develop bra
1d00930758164bb bazel: Stop using deprecated pw_facade aliases, v2
1b2c01eabef514f docs: Update changelog
71bc6ad022d7b1e bazel: Remove testonly_freertos platform
a200b716cd13652 pw_rpc: Restructure Channel / internal::Channel
8a07d9f1ce8b58f pw_allocator: Clean up Block interface
17c1ee08b087155 pw_{chrono,sync,thread}: Group common backends in
c7be3fb2f3c38dd bazel: Stop using deprecated pw_facade aliases
3b4fb527ad75a21 pw_ide: Add module metadata
9b6ab56d09056df pw_containers: Make Vector::at() use size_t
160897b097b64f9 pw_build: Move host_backend_alias (part 1)
446fcc3a5a5a9e0 pw_allocator: Make Layout constructor explicit
a0b08ffac6e3e91 pw_allocator: Remove FreeList and FreeListHeap
c07f0fa93561718 pw_docs: Fix search results increasing in width
7578677cbbc0f09 pw_allocator: Refactor Bucket chunk list
f135cd73cdbbafd targets/rp2040: Add bazel picotool support
9a99d41a5439dd8 docs: Fix Python package dependencies for sphinx
a80029d78185c5a pw_build: Add python.install into the default GN g
5542cfa8150d66a pw_watch: Enable watching from non-PW_ROOT
2755100342651a6 pw_presubmit: Add --fresh to cmake presubmits
946880dfed7ec1f targets/rp2040: Add bazel support for rp2040_utils
d1d6d4327c68da6 pw_toolchain: Enable PIC on host
5b4b97ce8950a92 bazel: Don't use llvm_toolchain for fuchsia_clang
6f7fefe19d86fbb rp2040: Temporarily disable remaining failing rp20
e59a11cf80ef7a8 pw_bloat: Build and run `pw bloat` CLI command in
c9d7fa45896c919 pw_transfer: Remove unused imports
81797a4675c000d pw_toolchain: Add bazel toolchain for cortex-m0plu
efb2fecfa02e3c7 pw_boot_cortex_m: Add module metadata
49b5549c829641d pw_clock_tree_mcuxpresso: Comment clean up
eaff6dedf7b7779 pw_clock_tree_mcuxpresso: Add ClockMcuxpressoRtc s
4495cb241efa07d pw_rpc: Use positional-only arguments in Python cl
9554bf970460e75 bazel: Fix reference to nonexistent file
ce49079e5e8eb3f docs: Auto-generate modules index from metadata
a36670c79ebae18 pw_bluetooth_proxy: Remove H4HciPacketSendFn alias
cd86f4e6e19ca9f pw_docgen: Update module metadata status badge col
5dab2b02e018ab5 pw_multibuf: Contiguous span functions
b6793d4757bc535 pw_multibuf: Functions for copying into and out of
667445792269183 pw_multibuf: Truncate after an iterator
b5068bcebcbf397 pw_build: Introduce pw_py_test to bazel
51e996e5c204e9a pw_system: Console interactive serial port selecti
6b2fe95f4b7a70d pw_toolchain: Add module metadata
e80cd8431b9aac5 docs: Update sitenav
d5a540ce2dea993 pw_assert: Add module metadata
e22d0f09ef92df9 pw_system: Host device simulator entrypoint
8238a71197c1740 pw_presubmit: Add coverage of rp2040 build
7caae4341a12221 pw_digital_io: Remove invalid digital_io_controlle
e5a422617a97261 pw_log_string: Introduce link time assert() wrappe
afc838865bf00de pw_stream: Fix include in mpsc_stream
b68fbb19c4f651c roll: go
https://pigweed.googlesource.com/pigweed/pigweed
third_party/pigweed/src Rolled-Commits: 737169c0ecf2742..8059f92ef1a93df
Roller-URL: https://ci.chromium.org/b/8744926995138103009
GitWatcher: ignore
CQ-Do-Not-Cancel-Tryjobs: true
Change-Id: Iae297a4212dac723a3768f78efb05e423ee0947f
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/216246
Lint: Lint 🤖 <android-build-ayeaye@system.gserviceaccount.com>
Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.