| commit | 8033c917e5288ab2718a4d438fb45bab8e152f23 | [log] [tgz] |
|---|---|---|
| author | pigweed-roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> | Sun Aug 31 17:48:04 2025 -0700 |
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | Sun Aug 31 17:48:04 2025 -0700 |
| tree | df869367bff30d32d02d4d5c4661da27faffbde7 | |
| parent | f43789d715f1c6eadf3378de2fc28043f2d6cf90 [diff] |
roll: third_party/pigweed/src c12f89e..280017c (62 commits) 280017c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/318066 roll: luci 9bec02c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317668 roll: fuchsia-infra-bazel-rules bbe2807..27e1046 (65 commits) cd261e2:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317667 roll: python-wheel 12d8383:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317455 pw_allocator: Capture testing dep on metrics 1997348:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316892 doxygen: Migrate pw_tokenizer e3e4e1e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317395 pw_env_setup: Fix Bazel CIPD cache directory 9ff268c:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316834 pw_multibuf: Add TryReserveLayers d2b2644:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317392 pw_build_info: Use correct variable type for git tree dirty var 483df11:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/309816 docs: Add alias for listing sources 1a9d22e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317112 doxygen: Migrate pw_sync 7776de1:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317114 pw_kernel: Add u32 to u64 casting to pw_cast 0467a17:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317192 doxygen: Migrate pw_multibuf 80b26c4:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317272 pw_i2c_zephyr: Fix dependencies in Kconfig 1e1f16e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317113 pw_rpc_transport: Correctly track the number of total packets 902cb0b:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316619 pw_bluetooth_sapphire: Create IsoGroup 5d550d2:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316618 pw_bluetooth_sapphire: Fake more functionality in FakeIsoStream fcca8df:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316617 pw_bluetooth_sapphire: Add test packet to create CIS 788829b:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316616 pw_bluetooth_sapphire: Add test packet for config CIG event dd63e84:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316615 pw_bluetooth_sapphire: Add test packet to create/config CIG 9e9c54d:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/317172 pw_bluetooth_sapphire: Add static_size() for StaticByteBuffer 5468890:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316614 pw_bluetooth_sapphire: Add OpCodes for creating CIG/CISes 4587c39:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316613 pw_bluetooth_sapphire: Add types for creating CIGs/CISes 0113cf0:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316612 pw_bluetooth_sapphire: Fix warnings in FakeIsoStream b9d4927:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/314273 pw_bluetooth_sapphire: Add interface for creating CIS for CIGs 2202248:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316354 pw_containers: De-macro inline_var_len_entry_queue_test 66c46ac:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316353 pw_ide: Include headers in compile commands 195b391:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/314272 pw_bluetooth: Add LE set CIG complete command event 72673c4:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316352 pw_ide: Move CPP specifics into helper 938d2e5:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/302834 pw_numeric: Move overflow macros 3ad4d16:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/306453 pw_build: Make logging start/finish methods class methods c41b62a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/292818 pw_malloc: Synchronize access to the system metrics 96e6c26:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/315653 doxygen: Migrate pw_allocator a233146:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316693 pw_transfer: Ensure that a response is always sent to GetResourceState f54e0aa:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316020 pw_bluetooth_sapphire: Fix Android vendor extensions multi advertising a91de40:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316013 pw_unit_test: Add no-op for SCOPED_TRACE ba4fcf9:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/314747 pw_env_setup: Bump cffi pin 552ec4a:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316696 pw_build: Let --dump-build-requests write to a file 6847cb3:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316452 pw_kernel: Fix riscv `mscratch` handling for userspace 52cb5cc:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316113 pw_async2: Cleanup guides.rst further 053ea03:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316114 pw_async2: Terminate codelab when main() exits 99a1be7:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316453 doxygen: Migrate pw_string 6d939d5:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316373 doxygen: Migrate pw_stream 78fce81:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/311136 docs: Fix Sense automation page f45f0c7:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316372 pw_async2: Workaround codelab/solutions/step1:test flake 695a171:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316218 pw_transfer: Don't unncessarily wake the transfer thread 3eef731:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/299725 rust: Apply rustfmt findings, enable enforcement cb3cacf:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316172 pw_trace_tokenized: Fix Zephyr library dependency 0358190:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/315652 pw_ide: Redesign compile commands extractor aspect 6da81fa:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316212 Revert "pw_protobuf_compiler: Remove deprecated pw_proto_library rule" cdeeda5:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/314192 pw_async2: Clean up passing data docs and examples 448b586:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/313495 pw_ide: Ensure compile commands are always collected a461895:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316018 pw_bluetooth: Fix android multiple advertising emboss structures 802d481:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/314748 pw_async2: Write codelab step 3 b073924:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/315117 pw_async2: Clean up codelab through step 2 9cabc01:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/315934 pw_bluetooth_sapphire: Reorder event code switch statement 85e8785:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316014 pw_kernel: Use @bazel_tools//tools:host_platform as host platform 8da4027:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/314675 pw_ide: Handle changed bazel-out dir via symlink_prefix bazel arg a2450e8:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/312472 targets: Disable -ffreestanding for Pigweed targets 4e9abed:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/316032 pw_kernel: Remove obsolete BUILD.gn file 4627b01:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/315000 pw_kernel: Remove GN py lint from kernel 15cf70e:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/315096 pw_kernel: Refactor target directory fb3ce45:https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/315072 pw_kernel: Add userspace ticker test app Rolled-Repo: https://pigweed.googlesource.com/pigweed/pigweed Rolled-Commits: c12f89eb321a9d..280017c367552b Roll-Count: 1 Roller-URL: https://cr-buildbucket.appspot.com/build/8704973732220390545 GitWatcher: ignore CQ-Do-Not-Cancel-Tryjobs: true Change-Id: I9ceb89683702d823ed662e908ed2b3eb032ceaec Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/318315 Commit-Queue: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Bot-Commit: Pigweed Roller <pigweed-roller@pigweed-service-accounts.iam.gserviceaccount.com> Lint: Lint 🤖 <android-build-ayeaye@system.gserviceaccount.com>
This repository contains the specification for the Open Profile for DICE along with production-quality code. This profile is a specialization of the Hardware Requirements for a Device Identifier Composition Engine and DICE Layering Architecture specifications published by the Trusted Computing Group (TCG). For readers already familiar with those specs, notable distinctives of this profile include:
You can find us (and join us!) at https://groups.google.com/g/open-profile-for-dice. We're happy to answer questions and discuss proposed changes or features.
The specification can be found here. It is versioned using a major.minor scheme. Compatibility is maintained across minor versions but not necessarily across major versions.
Production quality, portable C code is included. The main code is in dice.h and dice.c. Cryptographic and certificate generation operations are injected via a set of callbacks. Multiple implementations of these operations are provided, all equally acceptable. Integrators should choose just one of these, or write their own.
Tests are included for all code and the build files in this repository can be used to build and run these tests.
Disclaimer: This is not an officially supported Google product.
Different implementations use different third party libraries. The third_party directory contains build files and git submodules for each of these. The submodules must be initialized once after cloning the repo, using git submodule update --init, and updated after pulling commits that roll the submodules using git submodule update.
To setup the build environment the first time:
$ git submodule update --init --recursive $ source bootstrap.sh $ gn gen out
To build and run tests:
$ ninja -C out
The easiest way, and currently the only supported way, to build and run tests is from a Pigweed environment on Linux. Pigweed does support other host platforms so it shouldn't be too hard to get this running on Windows for example, but we use Linux.
There are two scripts to help set this up:
bootstrap.sh will initialize submodules, bootstrap a Pigweed environment, and generate build files. This can take some time and may download on the order of 1GB of dependencies so the normal workflow is to just do this once.
activate.sh quickly reactivates an environment that has been previously bootstrapped.
These scripts must be sourced into the current session: source activate.sh.
In the environment, from the base directory of the dice-profile checkout, run ninja -C out to build everything and run all tests. You can also run pw watch which will build, run tests, and continue to watch for changes.
This will build and run tests on the host using the clang toolchain. Pigweed makes it easy to configure other targets and toolchains. See toolchains/BUILD.gn and the Pigweed documentation.
The code is designed to be portable and should work with a variety of modern toolchains and in a variety of environments. The main code in dice.h and dice.c is C99; it uses uint8_t, size_t, and memcpy from the C standard library. The various ops implementations are as portable as their dependencies (often not C99 but still very portable). Notably, this code uses designated initializers for readability. This is a feature available in C since C99 but missing from C++ until C++20 where it appears in a stricter form.
The Google C++ Style Guide is used. A .clang-format file is provided for convenience.
To incorporate the code into another project, there are a few options:
Copy only the necessary code. For example:
Take the main code as is: include/dice/dice.h, src/dice.c
Choose an implementation for crypto and certificate generation or choose to write your own. If you choose the boringssl implementation, for example, take include/dice/utils.h, include/dice/boringssl_ops.h, src/utils.c, and src/boringssl_ops.c. Taking a look at the library targets in BUILD.gn may be helpful.
Add this repository as a git submodule and integrate into the project build, optionally using the gn library targets provided.
Integrate into a project already using Pigweed using the gn build files provided.
The build reports code size using Bloaty McBloatface via the pw_bloat Pigweed module. There are two reports generated:
Library sizes - This report includes just the library code in this repository. It shows the baseline DICE code with no ops selected, and it shows the delta introduced by choosing various ops implementations. This report does not include the size of the third party dependencies.
Executable sizes - This report includes sizes for the library code in this repository plus all dependencies linked into a simple main function which makes a single DICE call with all-zero input. It shows the baseline DICE code with no ops (and therefore no dependencies other than libc), and it shows the delta introduced by choosing various ops implementations. This report does include the size of the third party dependencies. Note that rows specialized from ‘Boringssl Ops’ use that as a baseline for sizing.
The reports will be in the build output, but you can also find the reports in .txt files in the build output. For example, cat out/host_optimized/gen/*.txt | less will display all reports.
This code does not itself use mutable global variables, or any other type of shared data structure so there is no thread-safety concerns. However, additional care is needed to ensure dependencies are configured to be thread-safe. For example, the current boringssl configuration defines OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED, and that would need to be changed before running in a threaded environment.
This code makes a reasonable effort to clear memory holding sensitive data. This may help with a broader strategy to clear sensitive data but it is not sufficient on its own. Here are a few things to consider.