
     1  # Copyright 2022 The Armored Witness Boot authors. All Rights Reserved.
     2  #
     3  # Licensed under the Apache License, Version 2.0 (the "License");
     4  # you may not use this file except in compliance with the License.
     5  # You may obtain a copy of the License at
     6  #
     7  #     http://www.apache.org/licenses/LICENSE-2.0
     8  #
     9  # Unless required by applicable law or agreed to in writing, software
    10  # distributed under the License is distributed on an "AS IS" BASIS,
    11  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  # See the License for the specific language governing permissions and
    13  # limitations under the License.
    14  
    15  BUILD_EPOCH ?= $(shell /bin/date -u "+%s")
    16  BUILD_DATE ?= $(shell /bin/date -u "+%Y-%m-%d %H:%M:%S")
    17  BUILD_TAGS = linkramsize,linkramstart,linkprintk
    18  REV = $(shell git rev-parse --short HEAD 2> /dev/null)
    19  GIT_SEMVER_TAG ?= $(shell (git describe --tags --exact-match --match 'v*.*.*' 2>/dev/null || git describe --match 'v*.*.*' --tags 2>/dev/null || git describe --tags 2>/dev/null || echo -n v0.0.${BUILD_EPOCH}+`git rev-parse HEAD`) | tail -c +2 )
    20  LOG_VERIFIER = $(shell test ${LOG_PUBLIC_KEY} && cat ${LOG_PUBLIC_KEY})
    21  OS_VERIFIERS = [\"$(shell test ${OS_PUBLIC_KEY1} && cat ${OS_PUBLIC_KEY1})\", \"$(shell test ${OS_PUBLIC_KEY2} && cat ${OS_PUBLIC_KEY2})\"]
    22  
    23  TAMAGO_SEMVER = $(shell [ -n "${TAMAGO}" -a -x "${TAMAGO}" ] && ${TAMAGO} version | sed 's/.*go\([0-9]\.[0-9]*\.[0-9]*\).*/\1/')
    24  MINIMUM_TAMAGO_VERSION=1.22.0
    25  
    26  SHELL = /bin/bash
    27  
    28  ifeq ("${BEE}","1")
    29  	BUILD_TAGS := ${BUILD_TAGS},bee
    30  endif
    31  
    32  ifeq ("${CONSOLE}","on")
    33  	BUILD_TAGS := ${BUILD_TAGS},console
    34  endif
    35  
    36  APP := armored-witness-boot
    37  CMD := armored-witness-image
    38  GOENV := GO_EXTLINK_ENABLED=0 CGO_ENABLED=0 GOOS=tamago GOARM=7 GOARCH=arm
    39  TEXT_START := 0x90010000 # ramStart (defined in imx6/imx6ul/memory.go) + 0x10000
    40  TAMAGOFLAGS := -tags ${BUILD_TAGS} -trimpath -buildvcs=false -buildmode=exe \
    41  	-ldflags "-s -w -T $(TEXT_START) -E _rt0_arm_tamago -R 0x1000 \
    42  			  -X 'main.Revision=${REV}' -X 'main.Version=${GIT_SEMVER_TAG}' \
    43  			  -X 'main.OSLogOrigin=${LOG_ORIGIN}' \
    44  			  -X 'main.OSLogVerifier=${LOG_VERIFIER}' \
    45  			  -X 'main.OSManifestVerifiers=${OS_VERIFIERS}'"
    46  GOFLAGS := -trimpath -buildvcs=false -buildmode=exe -ldflags "-s -w"
    47  
    48  QEMU ?= qemu-system-arm -machine mcimx6ul-evk -cpu cortex-a7 -m 512M \
    49          -nographic -monitor none -serial null -serial stdio \
    50          -net nic,model=imx.enet,netdev=net0 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
    51          -semihosting
    52  
    53  .PHONY: clean qemu qemu-gdb
    54  
    55  #### primary targets ####
    56  
    57  all: $(APP)
    58  
    59  imx: $(APP).imx
    60  manifest: $(APP)_manifest
    61  
    62  imx_signed: $(APP)-signed.imx $(APP)_manifest
    63  
    64  elf: $(APP)
    65  
    66  $(CMD):
    67  	@if [ "${TAMAGO}" != "" ]; then \
    68  		${TAMAGO} build $(GOFLAGS) cmd/$(CMD)/*.go; \
    69  	else \
    70  		go build $(GOFLAGS) cmd/$(CMD)/*.go; \
    71  	fi
    72  
    73  ## log_initialise initialises the log stored under ${LOG_STORAGE_DIR}.
    74  log_initialise:
    75  	echo "(Re-)initialising log at ${LOG_STORAGE_DIR}"
    76  	go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
    77  		--storage_dir=${LOG_STORAGE_DIR} \
    78  		--origin=${LOG_ORIGIN} \
    79  		--private_key=${LOG_PRIVATE_KEY} \
    80  		--public_key=${LOG_PUBLIC_KEY} \
    81  		--initialise
    82  
    83  check_log:
    84  	@if [ "${LOG_PRIVATE_KEY}" == "" -o "${LOG_PUBLIC_KEY}" == "" ]; then \
    85  		@echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \
    86  		exit 1; \
    87  	fi
    88  	@if [ "${DEV_LOG_DIR}" == "" ]; then \
    89  		@echo "You need to set the DEV_LOG_DIR variable"; \
    90  		exit 1; \
    91  	fi
    92  
    93  ## log_boot adds the manifest.json file created during the build to the dev FT log.
    94  log_boot: LOG_STORAGE_DIR=$(DEV_LOG_DIR)/log
    95  log_boot: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts
    96  log_boot: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/${APP}.imx | cut -f1 -d" ")
    97  log_boot: check_log
    98  	@if [ ! -f ${LOG_STORAGE_DIR}/checkpoint ]; then \
    99  		make log_initialise LOG_STORAGE_DIR="${LOG_STORAGE_DIR}" ; \
   100  	fi
   101  	go run github.com/transparency-dev/serverless-log/cmd/sequence@a56a93b5681e5dc231882ac9de435c21cb340846 \
   102  		--storage_dir=${LOG_STORAGE_DIR} \
   103  		--origin=${LOG_ORIGIN} \
   104  		--public_key=${LOG_PUBLIC_KEY} \
   105  		--entries=${CURDIR}/${APP}_manifest
   106  	-go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
   107  		--storage_dir=${LOG_STORAGE_DIR} \
   108  		--origin=${LOG_ORIGIN} \
   109  		--private_key=${LOG_PRIVATE_KEY} \
   110  		--public_key=${LOG_PUBLIC_KEY}
   111  	@mkdir -p ${LOG_ARTEFACT_DIR}
   112  	cp ${CURDIR}/${APP}.imx ${LOG_ARTEFACT_DIR}/${ARTEFACT_HASH}
   113  
   114  
   115  ## log_recovery creates a manifest for a defined version of the armory-ums image, and stores it
   116  ## in the local dev FT log.
   117  ## See https://github.com/usbarmory/armory-ums/releases
   118  log_recovery: ARMORY_UMS_RELEASE=v20231018
   119  log_recovery: ARMORY_UMS_GIT_TAG="0.0.0-incompatible+${ARMORY_UMS_RELEASE}" # Workaround for semver format requirement.
   120  log_recovery: LOG_STORAGE_DIR=$(DEV_LOG_DIR)/log
   121  log_recovery: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts
   122  log_recovery: TAMAGO_SEMVER=$(shell ${TAMAGO} version | sed 's/.*go\([0-9]\.[0-9]*\.[0-9]*\).*/\1/')
   123  log_recovery: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/armory-ums.imx | cut -f1 -d" ")
   124  log_recovery: check_log
   125  	@if [ "${RECOVERY_PRIVATE_KEY}" == "" ]; then \
   126  		@echo "You need to set RECOVERY_PRIVATE_KEY variable"; \
   127  		exit 1; \
   128  	fi
   129  	docker build -t armory-ums-build -f recovery/Dockerfile --build-arg=TAMAGO_VERSION=${TAMAGO_SEMVER} --build-arg=ARMORY_UMS_VERSION=${ARMORY_UMS_RELEASE} --network=host  recovery/
   130  	docker create --name au-build armory-ums-build
   131  	docker cp au-build:/build/armory-ums/armory-ums.imx .
   132  	docker cp au-build:/build/armory-ums/armory-ums.imx.git-commit .
   133  	docker rm -v au-build
   134  
   135  	@if [ ! -f ${LOG_STORAGE_DIR}/checkpoint ]; then \
   136  		make log_initialise LOG_STORAGE_DIR="${LOG_STORAGE_DIR}" ; \
   137  	fi
   138  	go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \
   139  		create \
   140  		--git_tag=${ARMORY_UMS_GIT_TAG} \
   141  		--git_commit_fingerprint=$$(cat armory-ums.imx.git-commit) \
   142  		--firmware_file=${CURDIR}/armory-ums.imx \
   143  		--firmware_type=RECOVERY \
   144  		--private_key_file=${RECOVERY_PRIVATE_KEY} \
   145  		--tamago_version=${TAMAGO_SEMVER} \
   146  		--output_file=${CURDIR}/armory-ums_manifest
   147  
   148  	go run github.com/transparency-dev/serverless-log/cmd/sequence@a56a93b5681e5dc231882ac9de435c21cb340846 \
   149  		--storage_dir=${LOG_STORAGE_DIR} \
   150  		--origin=${LOG_ORIGIN} \
   151  		--public_key=${LOG_PUBLIC_KEY} \
   152  		--entries=${CURDIR}/armory-ums_manifest
   153  	-go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
   154  		--storage_dir=${LOG_STORAGE_DIR} \
   155  		--origin=${LOG_ORIGIN} \
   156  		--private_key=${LOG_PRIVATE_KEY} \
   157  		--public_key=${LOG_PUBLIC_KEY}
   158  	@mkdir -p ${LOG_ARTEFACT_DIR}
   159  	cp ${CURDIR}/armory-ums.imx ${LOG_ARTEFACT_DIR}/${ARTEFACT_HASH}
   160  
   161  
   162  #### utilities ####
   163  
   164  check_env:
   165  	@if [ "${LOG_ORIGIN}" == "" ]; then \
   166  		echo 'You need to set the LOG_ORIGIN variable'; \
   167  		exit 1; \
   168  	fi
   169  	@if [ "${LOG_PUBLIC_KEY}" == "" ] || [ ! -f "${LOG_PUBLIC_KEY}" ]; then \
   170  		echo 'You need to set the LOG_PUBLIC_KEY variable to a valid note verifier key path'; \
   171  		exit 1; \
   172  	fi
   173  	@if [ "${OS_PUBLIC_KEY1}" == "" ] || [ ! -f "${OS_PUBLIC_KEY1}" ]; then \
   174  		echo 'You need to set the OS_PUBLIC_KEY1 variable to a valid note verifier key path'; \
   175  		exit 1; \
   176  	fi
   177  	@if [ "${OS_PUBLIC_KEY2}" == "" ] || [ ! -f "${OS_PUBLIC_KEY2}" ]; then \
   178  		echo 'You need to set the OS_PUBLIC_KEY2 variable to a valid note verifier key path'; \
   179  		exit 1; \
   180  	fi
   181  
   182  check_tamago:
   183  	@if [ "${TAMAGO}" == "" ] || [ ! -f "${TAMAGO}" ]; then \
   184  		echo 'You need to set the TAMAGO variable to a compiled version of https://github.com/usbarmory/tamago-go'; \
   185  		exit 1; \
   186  	fi
   187  	@if [ "$(shell printf '%s\n' ${MINIMUM_TAMAGO_VERSION} ${TAMAGO_SEMVER} | sort -V | head -n1 )" != "${MINIMUM_TAMAGO_VERSION}" ]; then \
   188  		echo "You need TamaGo >= ${MINIMUM_TAMAGO_VERSION}, found ${TAMAGO_SEMVER}" ; \
   189  		exit 1; \
   190  	fi
   191  
   192  check_hab_keys:
   193  	@if [ "${HAB_KEYS}" == "" ]; then \
   194  		echo 'You need to set the HAB_KEYS variable to the path of secure boot keys'; \
   195  		echo 'See https://github.com/usbarmory/usbarmory/wiki/Secure-boot-(Mk-II)'; \
   196  		exit 1; \
   197  	fi
   198  
   199  dcd:
   200  	echo $(GOMODCACHE)
   201  	echo $(TAMAGO_PKG)
   202  	cp -f $(GOMODCACHE)/$(TAMAGO_PKG)/board/usbarmory/mk2/imximage.cfg $(APP).dcd
   203  
   204  clean:
   205  	@rm -fr $(APP) $(APP).bin $(APP).imx $(APP)-signed.imx $(APP).csf $(APP).dcd $(CMD) $(APP)_manifest
   206  
   207  qemu: $(APP)
   208  	$(QEMU) -kernel $(CURDIR)/armored-witness-boot
   209  
   210  qemu-gdb: TAMAGOFLAGS := $(TAMAGOFLAGS:-w=)
   211  qemu-gdb: TAMAGOFLAGS := $(TAMAGOFLAGS:-s=)
   212  qemu-gdb: $(APP)
   213  	$(QEMU) -kernel $(CURDIR)/armored-witness-boot -S -s
   214  
   215  #### dependencies ####
   216  
   217  $(APP): check_tamago check_env
   218  	$(GOENV) $(TAMAGO) build $(TAMAGOFLAGS) -o ${APP}
   219  	sha256sum $(APP)
   220  
   221  $(APP).dcd: check_tamago
   222  $(APP).dcd: GOMODCACHE=$(shell ${TAMAGO} env GOMODCACHE)
   223  $(APP).dcd: TAMAGO_PKG=$(shell grep "github.com/usbarmory/tamago v" go.mod | awk '{print $$1"@"$$2}')
   224  $(APP).dcd: dcd
   225  
   226  $(APP).bin: CROSS_COMPILE=arm-none-eabi-
   227  $(APP).bin: $(APP)
   228  	$(CROSS_COMPILE)objcopy --enable-deterministic-archives \
   229  	    -j .text -j .rodata -j .shstrtab -j .typelink \
   230  	    -j .itablink -j .gopclntab -j .go.buildinfo -j .noptrdata -j .data \
   231  	    -j .bss --set-section-flags .bss=alloc,load,contents \
   232  	    -j .noptrbss --set-section-flags .noptrbss=alloc,load,contents \
   233  	    $(APP) -O binary $(APP).bin
   234  	sha256sum $(APP).bin
   235  
   236  $(APP).imx: SOURCE_DATE_EPOCH=0
   237  $(APP).imx: $(APP).bin $(APP).dcd
   238  	echo "## disabling TZASC bypass in DCD for pre-DDR initialization ##"; \
   239  	chmod 644 $(APP).dcd; \
   240  	echo "DATA 4 0x020e4024 0x00000001  # TZASC_BYPASS" >> $(APP).dcd; \
   241  	mkimage -v -n $(APP).dcd -T imximage -e $(TEXT_START) -d $(APP).bin $(APP).imx
   242  	sha256sum $(APP).imx
   243  	# Copy entry point from ELF file
   244  	dd if=$(APP) of=$(APP).imx bs=1 count=4 skip=24 seek=4 conv=notrunc
   245  	sha256sum $(APP).imx
   246  
   247  $(APP)_manifest: imx
   248  	@if [ "${BOOT_PRIVATE_KEY}" == "" ]; then \
   249  		echo 'You need to set the BOOT_PRIVATE_KEY variable to a valid signing key path'; \
   250  		exit 1; \
   251  	fi
   252  
   253  	# Create manifest
   254  	@echo ---------- Manifest --------------
   255  	go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \
   256  		create \
   257  		--git_tag=${GIT_SEMVER_TAG} \
   258  		--git_commit_fingerprint="${REV}" \
   259  		--firmware_file=${CURDIR}/$(APP).imx \
   260  		--firmware_type=BOOTLOADER \
   261  		--private_key_file=${BOOT_PRIVATE_KEY} \
   262  		--tamago_version=${TAMAGO_SEMVER} \
   263  		--output_file=${CURDIR}/${APP}_manifest
   264  	@echo ----------------------------------
   265  
   266  #### secure boot ####
   267  
   268  $(APP)-signed.imx: check_hab_keys $(APP).imx
   269  	${TAMAGO} install github.com/usbarmory/crucible/cmd/habtool
   270  	$(shell ${TAMAGO} env GOPATH)/bin/habtool \
   271  		-A ${HAB_KEYS}/CSF_1_key.pem \
   272  		-a ${HAB_KEYS}/CSF_1_crt.pem \
   273  		-B ${HAB_KEYS}/IMG_1_key.pem \
   274  		-b ${HAB_KEYS}/IMG_1_crt.pem \
   275  		-t ${HAB_KEYS}/SRK_1_2_3_4_table.bin \
   276  		-x 1 \
   277  		-i $(APP).imx \
   278  		-o $(APP).csf && \
   279  	cat $(APP).imx $(APP).csf > $(APP)-signed.imx