github.com/transparency-dev/armored-witness-os@v0.1.3-0.20240514084412-27eef7325168/Makefile (about)

     1  # Copyright 2022 The Armored Witness OS authors. All Rights Reserved.
     2  #
     3  # Licensed under the Apache License, Version 2.0 (the "License");
     4  # you may not use this file except in compliance with the License.
     5  # You may obtain a copy of the License at
     6  #
     7  #     http://www.apache.org/licenses/LICENSE-2.0
     8  #
     9  # Unless required by applicable law or agreed to in writing, software
    10  # distributed under the License is distributed on an "AS IS" BASIS,
    11  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  # See the License for the specific language governing permissions and
    13  # limitations under the License.
    14  
    15  BUILD_EPOCH := $(shell /bin/date -u "+%s")
    16  BUILD_TAGS = linkramsize,linkramstart,disable_fr_auth,linkprintk
    17  REV = $(shell git rev-parse --short HEAD 2> /dev/null)
    18  GIT_SEMVER_TAG ?= $(shell (git describe --tags --exact-match --match 'v*.*.*' 2>/dev/null || git describe --match 'v*.*.*' --tags 2>/dev/null || git describe --tags 2>/dev/null || echo -n v0.0.${BUILD_EPOCH}+`git rev-parse HEAD`) | tail -c +2 )
    19  SRK_HASH ?= 
    20  
    21  PROTOC ?= /usr/bin/protoc
    22  
    23  TAMAGO_SEMVER = $(shell [ -n "${TAMAGO}" -a -x "${TAMAGO}" ] && ${TAMAGO} version | sed 's/.*go\([0-9]\.[0-9]*\.[0-9]*\).*/\1/')
    24  MINIMUM_TAMAGO_VERSION=1.22.0
    25  
    26  SHELL = /bin/bash
    27  
    28  ifeq ("${DEBUG}","1")
    29  	BUILD_TAGS := ${BUILD_TAGS},debug
    30  endif
    31  ifeq ("${FAKE_STORAGE}", "1")
    32  	BUILD_TAGS := ${BUILD_TAGS},fake_storage
    33  endif
    34  ifeq ("${FAKE_RPMB}", "1")
    35  	BUILD_TAGS := ${BUILD_TAGS},fake_rpmb
    36  endif
    37  
    38  APP := ""
    39  TEXT_START = 0x80010000 # ramStart (defined in mem.go under relevant tamago/soc package) + 0x10000
    40  
    41  ifeq ("${BEE}","1")
    42  	TEXT_START := 0x10010000
    43  	BUILD_TAGS := ${BUILD_TAGS},bee
    44  endif
    45  
    46  GOENV := GO_EXTLINK_ENABLED=0 CGO_ENABLED=0 GOOS=tamago GOARM=7 GOARCH=arm
    47  ENTRY_POINT := _rt0_arm_tamago
    48  QEMU ?= qemu-system-arm -machine mcimx6ul-evk -cpu cortex-a7 -m 512M \
    49          -nographic -monitor none -serial null -serial stdio \
    50          -net nic,model=imx.enet,netdev=net0 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
    51          -semihosting
    52  
    53  ARCH = "arm"
    54  
    55  GOFLAGS = -tags ${BUILD_TAGS} -trimpath -buildvcs=false -buildmode=exe \
    56  	-ldflags "-T ${TEXT_START} -E ${ENTRY_POINT} -R 0x1000 \
    57  		-X 'main.Revision=${REV}' \
    58  		-X 'main.Version=${GIT_SEMVER_TAG}' \
    59  		-X 'main.SRKHash=${SRK_HASH}' \
    60  		-X 'main.LogVerifier=$(shell test ${LOG_PUBLIC_KEY} && cat ${LOG_PUBLIC_KEY})' \
    61  		-X 'main.LogOrigin=${LOG_ORIGIN}' \
    62  		-X 'main.AppletManifestVerifier=$(shell test ${APPLET_PUBLIC_KEY} && cat ${APPLET_PUBLIC_KEY})' \
    63  		-X 'main.OSManifestVerifier1=$(shell test ${OS_PUBLIC_KEY1} && cat ${OS_PUBLIC_KEY1})' \
    64  		-X 'main.OSManifestVerifier2=$(shell test ${OS_PUBLIC_KEY2} && cat ${OS_PUBLIC_KEY2})'"
    65  
    66  .PHONY: clean qemu qemu-gdb
    67  
    68  #### primary targets ####
    69  
    70  all: trusted_os_embedded_applet witnessctl
    71  
    72  # This target is only used for dev builds, since the proto definitions may
    73  # change in development and require re-compilation of protos.
    74  trusted_os: APP=trusted_os
    75  trusted_os: DIR=$(CURDIR)/trusted_os
    76  trusted_os: check_embed_env create_dummy_applet proto elf manifest
    77  
    78  trusted_os_embedded_applet: APP=trusted_os
    79  trusted_os_embedded_applet: DIR=$(CURDIR)/trusted_os
    80  trusted_os_embedded_applet: check_embed_env copy_applet proto elf manifest imx
    81  trusted_os_embedded_applet:
    82  
    83  witnessctl: check_tamago
    84  	@echo "building armored-witness control tool"
    85  	@cd $(CURDIR)/cmd/witnessctl && GOPATH="${BUILD_GOPATH}" ${TAMAGO} build -v \
    86  		-ldflags "-s -w -X 'main.Revision=${REV}'" \
    87  		-o $(CURDIR)/bin/witnessctl
    88  
    89  # This target builds the Trusted OS without signing it as it is intended to be
    90  # used by the GCP build process and signed there.
    91  trusted_os_release: APP=trusted_os
    92  trusted_os_release: DIR=$(CURDIR)/trusted_os
    93  trusted_os_release: check_embed_env create_dummy_applet elf
    94  
    95  ## Targets for managing a local serverless log instance for dev/testing FT related bits.
    96  
    97  ## log_initialise initialises the log stored under ${LOG_STORAGE_DIR}.
    98  log_initialise:
    99  	echo "(Re-)initialising log at ${LOG_STORAGE_DIR}"
   100  	go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
   101  		--storage_dir=${LOG_STORAGE_DIR} \
   102  		--origin=${LOG_ORIGIN} \
   103  		--private_key=${LOG_PRIVATE_KEY} \
   104  		--public_key=${LOG_PUBLIC_KEY} \
   105  		--initialise
   106  
   107  ## log_os adds the trusted_os_manifest file created during the build to the dev FT log.
   108  log_os: LOG_STORAGE_DIR=$(DEV_LOG_DIR)/log
   109  log_os: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts
   110  log_os: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/bin/trusted_os.elf | cut -f1 -d" ")
   111  log_os:
   112  	@if [ "${LOG_PRIVATE_KEY}" == "" -o "${LOG_PUBLIC_KEY}" == "" ]; then \
   113  		echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \
   114  		exit 1; \
   115  	fi
   116  	@if [ "${DEV_LOG_DIR}" == "" ]; then \
   117  		echo "You need to set the DEV_LOG_DIR variable"; \
   118  		exit 1; \
   119  	fi
   120  
   121  	@if [ ! -f ${LOG_STORAGE_DIR}/checkpoint ]; then \
   122  		make log_initialise LOG_STORAGE_DIR="${LOG_STORAGE_DIR}" ; \
   123  	fi
   124  	go run github.com/transparency-dev/serverless-log/cmd/sequence@a56a93b5681e5dc231882ac9de435c21cb340846 \
   125  		--storage_dir=${LOG_STORAGE_DIR} \
   126  		--origin=${LOG_ORIGIN} \
   127  		--public_key=${LOG_PUBLIC_KEY} \
   128  		--entries=${CURDIR}/bin/trusted_os_manifest
   129  	-go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
   130  		--storage_dir=${LOG_STORAGE_DIR} \
   131  		--origin=${LOG_ORIGIN} \
   132  		--private_key=${LOG_PRIVATE_KEY} \
   133  		--public_key=${LOG_PUBLIC_KEY}
   134  	@mkdir -p ${LOG_ARTEFACT_DIR}
   135  	cp ${CURDIR}/bin/trusted_os.elf ${LOG_ARTEFACT_DIR}/${ARTEFACT_HASH}
   136  
   137  
   138  #### ARM targets ####
   139  
   140  imx: $(APP).imx
   141  elf: $(APP).elf
   142  manifest: $(APP)_manifest
   143  
   144  proto:
   145  	@echo "generating protobuf classes"
   146  	-rm -f $(CURDIR)/api/*.pb.go
   147  	PATH=$(shell go env GOPATH | awk -F":" '{print $$1"/bin"}') ${PROTOC} --proto_path=$(CURDIR)/api --go_out=$(CURDIR)/api api.proto
   148  
   149  $(APP).bin: CROSS_COMPILE=arm-none-eabi-
   150  $(APP).bin: $(APP).elf
   151  	$(CROSS_COMPILE)objcopy -j .text -j .rodata -j .shstrtab -j .typelink \
   152  	    -j .itablink -j .gopclntab -j .go.buildinfo -j .noptrdata -j .data \
   153  	    -j .bss --set-section-flags .bss=alloc,load,contents \
   154  	    -j .noptrbss --set-section-flags .noptrbss=alloc,load,contents \
   155  	    $(CURDIR)/bin/$(APP).elf -O binary $(CURDIR)/bin/$(APP).bin
   156  
   157  $(APP).imx: $(APP).bin $(APP).dcd
   158  	echo "## disabling TZASC bypass in DCD for pre-DDR initialization ##"; \
   159  	chmod 644 $(CURDIR)/bin/$(APP).dcd; \
   160  	echo "DATA 4 0x020e4024 0x00000001  # TZASC_BYPASS" >> $(CURDIR)/bin/$(APP).dcd; \
   161  	mkimage -n $(CURDIR)/bin/$(APP).dcd -T imximage -e $(TEXT_START) -d $(CURDIR)/bin/$(APP).bin $(CURDIR)/bin/$(APP).imx
   162  	# Copy entry point from ELF file
   163  	dd if=$(CURDIR)/bin/$(APP).elf of=$(CURDIR)/bin/$(APP).imx bs=1 count=4 skip=24 seek=4 conv=notrunc
   164  
   165  $(APP).dcd: check_tamago
   166  $(APP).dcd: GOMODCACHE=$(shell ${TAMAGO} env GOMODCACHE)
   167  $(APP).dcd: TAMAGO_PKG=$(shell grep "github.com/usbarmory/tamago v" go.mod | awk '{print $$1"@"$$2}')
   168  $(APP).dcd: dcd
   169  
   170  #### utilities ####
   171  
   172  # Various strings need to be embedded into the binary, keys, log info, etc. check they are present.
   173  check_embed_env:
   174  	@if [ "${LOG_ORIGIN}" == "" ]; then \
   175  		echo 'You need to set the LOG_ORIGIN variable'; \
   176  		exit 1; \
   177  	fi
   178  	@if [ "${LOG_PUBLIC_KEY}" == "" ] || [ ! -f "${LOG_PUBLIC_KEY}" ]; then \
   179  		echo 'You need to set the LOG_PUBLIC_KEY variable to a valid note verifier key path'; \
   180  		exit 1; \
   181  	fi
   182  	@if [ "${APPLET_PUBLIC_KEY}" == "" ] || [ ! -f "${APPLET_PUBLIC_KEY}" ]; then \
   183  		echo 'You need to set the APPLET_PUBLIC_KEY variable to a valid note verifier key path'; \
   184  		exit 1; \
   185  	fi
   186  	@if [ "${OS_PUBLIC_KEY1}" == "" ] || [ ! -f "${OS_PUBLIC_KEY1}" ]; then \
   187  		echo 'You need to set the OS_PUBLIC_KEY1 variable to a valid note verifier key path'; \
   188  		exit 1; \
   189  	fi
   190  	@if [ "${OS_PUBLIC_KEY2}" == "" ] || [ ! -f "${OS_PUBLIC_KEY2}" ]; then \
   191  		echo 'You need to set the OS_PUBLIC_KEY2 variable to a valid note verifier key path'; \
   192  		exit 1; \
   193  	fi
   194  
   195  copy_applet: LOG_URL=file://$(DEV_LOG_DIR)/log/
   196  copy_applet:
   197  	@if [ "${APPLET_PATH}" == "" ]; then \
   198  		echo 'You need to set the APPLET_PATH variable to a valid path for the directory holding applet elf and proof bundle files (e.g. path to armored-witness-applet/bin)'; \
   199  		exit 1; \
   200  	fi
   201  	mkdir -p ${CURDIR}/trusted_os/assets
   202  	cp ${APPLET_PATH}/trusted_applet.elf ${CURDIR}/trusted_os/assets/
   203  	cp ${APPLET_PATH}/trusted_applet_manifest ${CURDIR}/trusted_os/assets/
   204  	go run ./cmd/proofbundle \
   205  		--log_origin=${LOG_ORIGIN} \
   206  		--log_url=${LOG_URL} \
   207  		--log_pubkey_file=${LOG_PUBLIC_KEY} \
   208  		--manifest_pubkey_file=${APPLET_PUBLIC_KEY} \
   209  		--manifest_file=${CURDIR}/trusted_os/assets/trusted_applet_manifest \
   210  		--applet_file=${CURDIR}/trusted_os/assets/trusted_applet.elf \
   211  		--output_file=${CURDIR}/trusted_os/assets/trusted_applet.proofbundle
   212  
   213  create_dummy_applet:
   214  	mkdir -p $(DIR)/assets
   215  	rm -f $(DIR)/assets/trusted_applet.elf && touch $(DIR)/assets/trusted_applet.elf
   216  	rm -f $(DIR)/assets/trusted_applet.proofbundle && touch $(DIR)/assets/trusted_applet.proofbundle
   217  
   218  check_tamago:
   219  	@if [ "${TAMAGO}" == "" ] || [ ! -f "${TAMAGO}" ]; then \
   220  		echo 'You need to set the TAMAGO variable to a compiled version of https://github.com/usbarmory/tamago-go'; \
   221  		exit 1; \
   222  	fi
   223  	@if [ "$(shell printf '%s\n' ${MINIMUM_TAMAGO_VERSION} ${TAMAGO_SEMVER} | sort -V | head -n1 )" != "${MINIMUM_TAMAGO_VERSION}" ]; then \
   224  		echo "You need TamaGo >= ${MINIMUM_TAMAGO_VERSION}, found ${TAMAGO_SEMVER}" ; \
   225  		exit 1; \
   226  	fi
   227  
   228  dcd:
   229  	cp -f $(GOMODCACHE)/$(TAMAGO_PKG)/board/usbarmory/mk2/imximage.cfg $(CURDIR)/bin/$(APP).dcd
   230  
   231  clean:
   232  	@rm -fr $(CURDIR)/bin/* $(CURDIR)/trusted_os/assets/* $(CURDIR)/qemu.dtb
   233  
   234  qemu: trusted_os_embedded_applet
   235  	$(QEMU) -kernel $(CURDIR)/bin/trusted_os.elf
   236  
   237  qemu-gdb: GOFLAGS := $(GOFLAGS:-w=)
   238  qemu-gdb: GOFLAGS := $(GOFLAGS:-s=)
   239  qemu-gdb: trusted_os_embedded_applet
   240  	$(QEMU) -kernel $(CURDIR)/bin/trusted_os.elf -S -s
   241  
   242  #### application target ####
   243  
   244  $(APP).elf: check_tamago
   245  	cd $(DIR) && $(GOENV) $(TAMAGO) build $(GOFLAGS) -o $(CURDIR)/bin/$(APP).elf
   246  
   247  $(APP)_manifest:
   248  	@if [ "${OS_PRIVATE_KEY1}" == "" ] || [ ! -f "${OS_PRIVATE_KEY1}" ]; then \
   249  		echo 'You need to set the OS_PRIVATE_KEY1 variable to a valid note signing key path'; \
   250  		exit 1; \
   251  	fi
   252  	@if [ "${OS_PRIVATE_KEY2}" == "" ] || [ ! -f "${OS_PRIVATE_KEY2}" ]; then \
   253  		echo 'You need to set the OS_PRIVATE_KEY2 variable to a valid note signing key path'; \
   254  		exit 1; \
   255  	fi
   256  	# Create manifest
   257  	@echo ---------- Manifest --------------
   258  	go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \
   259  		create \
   260  		--git_tag=${GIT_SEMVER_TAG} \
   261  		--git_commit_fingerprint="${REV}" \
   262  		--firmware_file=${CURDIR}/bin/$(APP).elf \
   263  		--firmware_type=TRUSTED_OS \
   264  		--tamago_version=${TAMAGO_SEMVER} \
   265  		--private_key_file=${OS_PRIVATE_KEY1} \
   266  		--output_file=${CURDIR}/bin/${APP}_manifest
   267  	@echo ----------------------------------
   268  	# Now counter sign with OS_PRIVATE_KEY2
   269  	go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \
   270  		create \
   271  		--git_tag=${GIT_SEMVER_TAG} \
   272  		--git_commit_fingerprint="${REV}" \
   273  		--firmware_file=${CURDIR}/bin/$(APP).elf \
   274  		--firmware_type=TRUSTED_OS \
   275  		--tamago_version=${TAMAGO_SEMVER} \
   276  		--private_key_file=${OS_PRIVATE_KEY2} | tail -1 >> ${CURDIR}/bin/${APP}_manifest