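# Copyright 2022 The Armored Witness Boot authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Recipes and the $(shell ...) snippets below use bash-isms ("[ ... -a ... ]",
# "==", "echo -n"), so the shell is pinned before anything is expanded.
SHELL := /bin/bash

# Remove a half-written target when its recipe fails, so a truncated image,
# signed image or manifest can never look "up to date" on the next run.
.DELETE_ON_ERROR:

# Build timestamps. "?=" lets a caller (e.g. CI) supply a fixed value for a
# reproducible build; the ":=" re-assignment freezes whatever was chosen so
# every later reference - including the version fallback below - sees the
# same instant instead of re-running date on each expansion.
BUILD_EPOCH ?= $(shell /bin/date -u "+%s")
BUILD_DATE ?= $(shell /bin/date -u "+%Y-%m-%d %H:%M:%S")
BUILD_EPOCH := $(BUILD_EPOCH)
BUILD_DATE := $(BUILD_DATE)

# TamaGo build tags; BEE / CONSOLE may append to these below.
BUILD_TAGS := linkramsize,linkramstart,linkprintk

# Short git revision of the tree being built (empty outside a git checkout).
REV := $(shell git rev-parse --short HEAD 2> /dev/null)

# Version string linked into the bootloader and recorded in its manifest:
# the exact tag when HEAD is tagged, else the nearest tag description, else a
# synthetic v0.0.<epoch>+<commit>. "tail -c +2" strips the leading "v".
GIT_SEMVER_TAG ?= $(shell (git describe --tags --exact-match --match 'v*.*.*' 2>/dev/null || git describe --match 'v*.*.*' --tags 2>/dev/null || git describe --tags 2>/dev/null || echo -n v0.0.${BUILD_EPOCH}+`git rev-parse HEAD`) | tail -c +2 )
GIT_SEMVER_TAG := $(GIT_SEMVER_TAG)

# Note verifier keys that get linked into the bootloader via TAMAGOFLAGS: the
# FT log public key and the two OS manifest verifier keys. These are the trust
# anchors the bootloader uses to verify what it loads, so they are read from
# the files named by LOG_PUBLIC_KEY / OS_PUBLIC_KEY1 / OS_PUBLIC_KEY2 and
# check_env refuses to build unless all three files exist. A missing file
# expands to an empty string here rather than an error.
LOG_VERIFIER := $(shell test -f "${LOG_PUBLIC_KEY}" && cat "${LOG_PUBLIC_KEY}")
OS_VERIFIERS := [\"$(shell test -f "${OS_PUBLIC_KEY1}" && cat "${OS_PUBLIC_KEY1}")\", \"$(shell test -f "${OS_PUBLIC_KEY2}" && cat "${OS_PUBLIC_KEY2}")\"]

# Go version of the TamaGo toolchain named by TAMAGO (e.g. "1.22.0"), or empty
# when TAMAGO is unset or not executable. Compared by check_tamago.
TAMAGO_SEMVER := $(shell [ -n "${TAMAGO}" -a -x "${TAMAGO}" ] && ${TAMAGO} version | sed 's/.*go\([0-9]\.[0-9]*\.[0-9]*\).*/\1/')
MINIMUM_TAMAGO_VERSION := 1.22.0

# Optional feature tags, selected through the environment.
ifeq ("${BEE}","1")
BUILD_TAGS := ${BUILD_TAGS},bee
endif

ifeq ("${CONSOLE}","on")
BUILD_TAGS := ${BUILD_TAGS},console
endif

APP := armored-witness-boot
CMD := armored-witness-image
GOENV := GO_EXTLINK_ENABLED=0 CGO_ENABLED=0 GOOS=tamago GOARM=7 GOARCH=arm
# ramStart (defined in imx6/imx6ul/memory.go) + 0x10000.
# The comment lives on its own line: a trailing "# ..." on an assignment
# leaves trailing whitespace in the value.
TEXT_START := 0x90010000

# Flags for the bootloader build. The -X ldflags bake the build identity and
# the verifier keys above into the binary.
TAMAGOFLAGS := -tags ${BUILD_TAGS} -trimpath -buildvcs=false -buildmode=exe \
	-ldflags "-s -w -T $(TEXT_START) -E _rt0_arm_tamago -R 0x1000 \
	-X 'main.Revision=${REV}' -X 'main.Version=${GIT_SEMVER_TAG}' \
	-X 'main.OSLogOrigin=${LOG_ORIGIN}' \
	-X 'main.OSLogVerifier=${LOG_VERIFIER}' \
	-X 'main.OSManifestVerifiers=${OS_VERIFIERS}'"
# Flags for host-side tools (the $(CMD) target).
GOFLAGS := -trimpath -buildvcs=false -buildmode=exe -ldflags "-s -w"

# Emulator invocation used by the qemu / qemu-gdb targets; overridable.
QEMU ?= qemu-system-arm -machine mcimx6ul-evk -cpu cortex-a7 -m 512M \
	-nographic -monitor none -serial null -serial stdio \
	-net nic,model=imx.enet,netdev=net0 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
	-semihosting

# Every target here that is a command rather than a file, so a stray file of
# the same name can never make it look up to date.
.PHONY: all imx manifest imx_signed elf log_initialise check_log clean qemu qemu-gdb

#### primary targets ####

all: $(APP)

imx: $(APP).imx
manifest: $(APP)_manifest

imx_signed: $(APP)-signed.imx $(APP)_manifest

elf: $(APP)

## $(CMD) builds the host-side image tool, with the TamaGo toolchain when
## TAMAGO is set and with the system go otherwise.
$(CMD):
	@if [ "${TAMAGO}" != "" ]; then \
		${TAMAGO} build $(GOFLAGS) cmd/$(CMD)/*.go; \
	else \
		go build $(GOFLAGS) cmd/$(CMD)/*.go; \
	fi

## log_initialise initialises the log stored under ${LOG_STORAGE_DIR}.
## The log tooling is pinned to a specific commit on purpose; bump it
## deliberately rather than switching to @latest.
log_initialise:
	echo "(Re-)initialising log at ${LOG_STORAGE_DIR}"
	go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
		--storage_dir=${LOG_STORAGE_DIR} \
		--origin=${LOG_ORIGIN} \
		--private_key=${LOG_PRIVATE_KEY} \
		--public_key=${LOG_PUBLIC_KEY} \
		--initialise

## check_log fails unless the variables the dev-log targets need are set.
## (Inside a multi-line shell block "@" is not a make prefix but part of the
## command name, so the echo lines must not carry one.)
check_log:
	@if [ "${LOG_PRIVATE_KEY}" == "" ] || [ "${LOG_PUBLIC_KEY}" == "" ]; then \
		echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \
		exit 1; \
	fi
	@if [ "${DEV_LOG_DIR}" == "" ]; then \
		echo "You need to set the DEV_LOG_DIR variable"; \
		exit 1; \
	fi

## log_boot adds the manifest.json file created during the build to the dev FT log.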
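log_boot: LOG_STORAGE_DIR=$(DEV_LOG_DIR)/log
log_boot: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts
# Recursive "=" on purpose: the hash is taken when the recipe runs, so it
# reflects the image present at that moment rather than at parse time.
log_boot: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/${APP}.imx | cut -f1 -d" ")
log_boot: check_log
	@if [ ! -f ${LOG_STORAGE_DIR}/checkpoint ]; then \
		$(MAKE) log_initialise LOG_STORAGE_DIR="${LOG_STORAGE_DIR}" ; \
	fi
	go run github.com/transparency-dev/serverless-log/cmd/sequence@a56a93b5681e5dc231882ac9de435c21cb340846 \
		--storage_dir=${LOG_STORAGE_DIR} \
		--origin=${LOG_ORIGIN} \
		--public_key=${LOG_PUBLIC_KEY} \
		--entries=${CURDIR}/${APP}_manifest
# NOTE(review): the leading "-" keeps the original behaviour of ignoring a
# failed integrate (presumably a no-op when nothing new was sequenced);
# confirm, because it also hides genuine integration failures.
	-go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
		--storage_dir=${LOG_STORAGE_DIR} \
		--origin=${LOG_ORIGIN} \
		--private_key=${LOG_PRIVATE_KEY} \
		--public_key=${LOG_PUBLIC_KEY}
	@mkdir -p ${LOG_ARTEFACT_DIR}
	cp ${CURDIR}/${APP}.imx ${LOG_ARTEFACT_DIR}/${ARTEFACT_HASH}


## log_recovery creates a manifest for a defined version of the armory-ums image, and stores it
## in the local dev FT log.
## See https://github.com/usbarmory/armory-ums/releases
log_recovery: ARMORY_UMS_RELEASE=v20231018
# Workaround for the semver format requirement of the manifest tool. The
# comment is kept off the assignment line so no trailing whitespace ends up
# in the value.
log_recovery: ARMORY_UMS_GIT_TAG="0.0.0-incompatible+${ARMORY_UMS_RELEASE}"
log_recovery: LOG_STORAGE_DIR=$(DEV_LOG_DIR)/log
log_recovery: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts
log_recovery: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/armory-ums.imx | cut -f1 -d" ")
# check_tamago guarantees TAMAGO is usable, so the file-level TAMAGO_SEMVER
# (passed to the container build below) is populated.
log_recovery: check_log check_tamago
	@if [ "${RECOVERY_PRIVATE_KEY}" == "" ]; then \
		echo "You need to set RECOVERY_PRIVATE_KEY variable"; \
		exit 1; \
	fi
	docker build -t armory-ums-build -f recovery/Dockerfile --build-arg=TAMAGO_VERSION=${TAMAGO_SEMVER} --build-arg=ARMORY_UMS_VERSION=${ARMORY_UMS_RELEASE} --network=host recovery/
# Extract the built image and its git commit from a throwaway container. The
# container is removed whether or not the copies succeed, and the recipe exits
# with the copy status, so a failed run cannot leave a container behind that
# blocks the next one.
	cid=$$(docker create armory-ums-build) && \
	  { docker cp $$cid:/build/armory-ums/armory-ums.imx . && \
	    docker cp $$cid:/build/armory-ums/armory-ums.imx.git-commit . ; \
	    rc=$$? ; docker rm -v $$cid ; exit $$rc ; }

	@if [ ! -f ${LOG_STORAGE_DIR}/checkpoint ]; then \
		$(MAKE) log_initialise LOG_STORAGE_DIR="${LOG_STORAGE_DIR}" ; \
	fi
# Manifest tooling is pinned to a commit on purpose.
	go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \
		create \
		--git_tag=${ARMORY_UMS_GIT_TAG} \
		--git_commit_fingerprint=$$(cat armory-ums.imx.git-commit) \
		--firmware_file=${CURDIR}/armory-ums.imx \
		--firmware_type=RECOVERY \
		--private_key_file=${RECOVERY_PRIVATE_KEY} \
		--tamago_version=${TAMAGO_SEMVER} \
		--output_file=${CURDIR}/armory-ums_manifest

	go run github.com/transparency-dev/serverless-log/cmd/sequence@a56a93b5681e5dc231882ac9de435c21cb340846 \
		--storage_dir=${LOG_STORAGE_DIR} \
		--origin=${LOG_ORIGIN} \
		--public_key=${LOG_PUBLIC_KEY} \
		--entries=${CURDIR}/armory-ums_manifest
# NOTE(review): "-" kept from the original; see the same note on log_boot.
	-go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
		--storage_dir=${LOG_STORAGE_DIR} \
		--origin=${LOG_ORIGIN} \
		--private_key=${LOG_PRIVATE_KEY} \
		--public_key=${LOG_PUBLIC_KEY}
	@mkdir -p ${LOG_ARTEFACT_DIR}
	cp ${CURDIR}/armory-ums.imx ${LOG_ARTEFACT_DIR}/${ARTEFACT_HASH}


#### utilities ####

# Command-style targets defined in this part of the file.
.PHONY: log_boot log_recovery check_env check_tamago check_hab_keys dcd

## check_env fails unless the log origin and all three verifier key files
## that get linked into the bootloader are available.
check_env:
	@if [ "${LOG_ORIGIN}" == "" ]; then \
		echo 'You need to set the LOG_ORIGIN variable'; \
		exit 1; \
	fi
	@if [ "${LOG_PUBLIC_KEY}" == "" ] || [ ! -f "${LOG_PUBLIC_KEY}" ]; then \
		echo 'You need to set the LOG_PUBLIC_KEY variable to a valid note verifier key path'; \
		exit 1; \
	fi
	@if [ "${OS_PUBLIC_KEY1}" == "" ] || [ ! -f "${OS_PUBLIC_KEY1}" ]; then \
		echo 'You need to set the OS_PUBLIC_KEY1 variable to a valid note verifier key path'; \
		exit 1; \
	fi
	@if [ "${OS_PUBLIC_KEY2}" == "" ] || [ ! -f "${OS_PUBLIC_KEY2}" ]; then \
		echo 'You need to set the OS_PUBLIC_KEY2 variable to a valid note verifier key path'; \
		exit 1; \
	fi

## check_tamago fails unless TAMAGO names an existing toolchain whose version
## is at least MINIMUM_TAMAGO_VERSION (sort -V puts the minimum first when the
## installed version is new enough).
check_tamago:
	@if [ "${TAMAGO}" == "" ] || [ ! -f "${TAMAGO}" ]; then \
		echo 'You need to set the TAMAGO variable to a compiled version of https://github.com/usbarmory/tamago-go'; \
		exit 1; \
	fi
	@if [ "$(shell printf '%s\n' ${MINIMUM_TAMAGO_VERSION} ${TAMAGO_SEMVER} | sort -V | head -n1 )" != "${MINIMUM_TAMAGO_VERSION}" ]; then \
		echo "You need TamaGo >= ${MINIMUM_TAMAGO_VERSION}, found ${TAMAGO_SEMVER}" ; \
		exit 1; \
	fi

## check_hab_keys fails unless HAB_KEYS points at the secure boot key material
## used by the signed-image target.
check_hab_keys:
	@if [ "${HAB_KEYS}" == "" ]; then \
		echo 'You need to set the HAB_KEYS variable to the path of secure boot keys'; \
		echo 'See https://github.com/usbarmory/usbarmory/wiki/Secure-boot-(Mk-II)'; \
		exit 1; \
	fi

## dcd copies the board DCD out of the TamaGo module cache to $(APP).dcd.
## GOMODCACHE / TAMAGO_PKG come from the $(APP).dcd target-specific variables.
## It is phony so the DCD is re-copied fresh on every build; $(APP).imx
## appends to the file and relies on starting from a clean copy.
dcd:
	echo $(GOMODCACHE)
	echo $(TAMAGO_PKG)
	cp -f $(GOMODCACHE)/$(TAMAGO_PKG)/board/usbarmory/mk2/imximage.cfg $(APP).dcd

## clean removes everything this Makefile produces in $(CURDIR).
clean:
	$(RM) -r $(APP) $(APP).bin $(APP).imx $(APP)-signed.imx $(APP).csf $(APP).dcd $(CMD) $(APP)_manifest \
		armory-ums.imx armory-ums.imx.git-commit armory-ums_manifest

qemu: $(APP)
	$(QEMU) -kernel $(CURDIR)/$(APP)

# Drop the strip flags from the linker line so symbols are available to gdb.
qemu-gdb: TAMAGOFLAGS := $(TAMAGOFLAGS:-w=)
qemu-gdb: TAMAGOFLAGS := $(TAMAGOFLAGS:-s=)
qemu-gdb: $(APP)
	$(QEMU) -kernel $(CURDIR)/$(APP) -S -s

#### dependencies ####

## $(APP) is the bootloader ELF; the checksum is printed for the build log.
$(APP): check_tamago check_env
	$(GOENV) $(TAMAGO) build $(TAMAGOFLAGS) -o $@
	sha256sum $@

# Locate the tamago package in the module cache for the dcd target; both
# values are recursive so the shell calls run only when the DCD is built.
$(APP).dcd: check_tamago
$(APP).dcd: GOMODCACHE=$(shell ${TAMAGO} env GOMODCACHE)
$(APP).dcd: TAMAGO_PKG=$(shell grep "github.com/usbarmory/tamago v" go.mod | awk '{print $$1"@"$$2}')
$(APP).dcd: dcd

## $(APP).bin is the raw binary: the listed ELF sections laid out as the
## loader expects, with .bss/.noptrbss materialised as zero-filled contents.
$(APP).bin: CROSS_COMPILE=arm-none-eabi-
$(APP).bin: $(APP)
	$(CROSS_COMPILE)objcopy --enable-deterministic-archives \
		-j .text -j .rodata -j .shstrtab -j .typelink \
		-j .itablink -j .gopclntab -j .go.buildinfo -j .noptrdata -j .data \
		-j .bss --set-section-flags .bss=alloc,load,contents \
		-j .noptrbss --set-section-flags .noptrbss=alloc,load,contents \
		$(APP) -O binary $@
	sha256sum $@

## $(APP).imx is the i.MX bootable image (IVT + DCD + binary).
# SOURCE_DATE_EPOCH=0 asks mkimage for a deterministic timestamp. A
# target-specific make variable only reaches the recipe environment when that
# name was already exported or came from make's own environment, so it is
# passed explicitly on the mkimage command line below.
$(APP).imx: SOURCE_DATE_EPOCH=0
$(APP).imx: $(APP).bin $(APP).dcd
	echo "## disabling TZASC bypass in DCD for pre-DDR initialization ##"
# The DCD copied out of the module cache is read-only; make it writable
# before appending the extra entry.
	chmod 644 $(APP).dcd
	echo "DATA 4 0x020e4024 0x00000001 # TZASC_BYPASS" >> $(APP).dcd
	SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) mkimage -v -n $(APP).dcd -T imximage -e $(TEXT_START) -d $(APP).bin $@
	sha256sum $@
# Copy the entry point from the ELF file (ELF32 e_entry: 4 bytes at offset 24)
# over the IVT entry field (offset 4) of the image.
	dd if=$(APP) of=$@ bs=1 count=4 skip=24 seek=4 conv=notrunc
	sha256sum $@

## $(APP)_manifest is the signed firmware manifest for the .imx image, which
## the dev-log targets sequence into the FT log. Requires BOOT_PRIVATE_KEY.
$(APP)_manifest: imx
	@if [ "${BOOT_PRIVATE_KEY}" == "" ]; then \
		echo 'You need to set the BOOT_PRIVATE_KEY variable to a valid signing key path'; \
		exit 1; \
	fi

# Create manifest (tooling pinned to a commit on purpose)
	@echo ---------- Manifest --------------
	go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \
		create \
		--git_tag=${GIT_SEMVER_TAG} \
		--git_commit_fingerprint="${REV}" \
		--firmware_file=${CURDIR}/$(APP).imx \
		--firmware_type=BOOTLOADER \
		--private_key_file=${BOOT_PRIVATE_KEY} \
		--tamago_version=${TAMAGO_SEMVER} \
		--output_file=${CURDIR}/${APP}_manifest
	@echo ----------------------------------

#### secure boot ####

## $(APP)-signed.imx appends a HAB command sequence file (CSF) generated with
## the keys under HAB_KEYS to the image. The CSF and IMG key/cert pairs and the
## SRK table come from the usbarmory secure boot setup; "-x 1" is presumably
## the SRK index (confirm against habtool usage).
$(APP)-signed.imx: check_hab_keys $(APP).imx
	${TAMAGO} install github.com/usbarmory/crucible/cmd/habtool
	$(shell ${TAMAGO} env GOPATH)/bin/habtool \
		-A ${HAB_KEYS}/CSF_1_key.pem \
		-a ${HAB_KEYS}/CSF_1_crt.pem \
		-B ${HAB_KEYS}/IMG_1_key.pem \
		-b ${HAB_KEYS}/IMG_1_crt.pem \
		-t ${HAB_KEYS}/SRK_1_2_3_4_table.bin \
		-x 1 \
		-i $(APP).imx \
		-o $(APP).csf && \
	cat $(APP).imx $(APP).csf > $@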