github.com/transparency-dev/armored-witness-os@v0.1.3-0.20240514084412-27eef7325168/Makefile (about) 1 # Copyright 2022 The Armored Witness OS authors. All Rights Reserved. 2 # 3 # Licensed under the Apache License, Version 2.0 (the "License"); 4 # you may not use this file except in compliance with the License. 5 # You may obtain a copy of the License at 6 # 7 # http://www.apache.org/licenses/LICENSE-2.0 8 # 9 # Unless required by applicable law or agreed to in writing, software 10 # distributed under the License is distributed on an "AS IS" BASIS, 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 # See the License for the specific language governing permissions and 13 # limitations under the License. 14 15 BUILD_EPOCH := $(shell /bin/date -u "+%s") 16 BUILD_TAGS = linkramsize,linkramstart,disable_fr_auth,linkprintk 17 REV = $(shell git rev-parse --short HEAD 2> /dev/null) 18 GIT_SEMVER_TAG ?= $(shell (git describe --tags --exact-match --match 'v*.*.*' 2>/dev/null || git describe --match 'v*.*.*' --tags 2>/dev/null || git describe --tags 2>/dev/null || echo -n v0.0.${BUILD_EPOCH}+`git rev-parse HEAD`) | tail -c +2 ) 19 SRK_HASH ?= 20 21 PROTOC ?= /usr/bin/protoc 22 23 TAMAGO_SEMVER = $(shell [ -n "${TAMAGO}" -a -x "${TAMAGO}" ] && ${TAMAGO} version | sed 's/.*go\([0-9]\.[0-9]*\.[0-9]*\).*/\1/') 24 MINIMUM_TAMAGO_VERSION=1.22.0 25 26 SHELL = /bin/bash 27 28 ifeq ("${DEBUG}","1") 29 BUILD_TAGS := ${BUILD_TAGS},debug 30 endif 31 ifeq ("${FAKE_STORAGE}", "1") 32 BUILD_TAGS := ${BUILD_TAGS},fake_storage 33 endif 34 ifeq ("${FAKE_RPMB}", "1") 35 BUILD_TAGS := ${BUILD_TAGS},fake_rpmb 36 endif 37 38 APP := "" 39 TEXT_START = 0x80010000 # ramStart (defined in mem.go under relevant tamago/soc package) + 0x10000 40 41 ifeq ("${BEE}","1") 42 TEXT_START := 0x10010000 43 BUILD_TAGS := ${BUILD_TAGS},bee 44 endif 45 46 GOENV := GO_EXTLINK_ENABLED=0 CGO_ENABLED=0 GOOS=tamago GOARM=7 GOARCH=arm 47 ENTRY_POINT := _rt0_arm_tamago 48 QEMU ?= qemu-system-arm -machine mcimx6ul-evk -cpu cortex-a7 -m 512M \ 49 -nographic -monitor none -serial null -serial stdio \ 50 -net nic,model=imx.enet,netdev=net0 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \ 51 -semihosting 52 53 ARCH = "arm" 54 55 GOFLAGS = -tags ${BUILD_TAGS} -trimpath -buildvcs=false -buildmode=exe \ 56 -ldflags "-T ${TEXT_START} -E ${ENTRY_POINT} -R 0x1000 \ 57 -X 'main.Revision=${REV}' \ 58 -X 'main.Version=${GIT_SEMVER_TAG}' \ 59 -X 'main.SRKHash=${SRK_HASH}' \ 60 -X 'main.LogVerifier=$(shell test ${LOG_PUBLIC_KEY} && cat ${LOG_PUBLIC_KEY})' \ 61 -X 'main.LogOrigin=${LOG_ORIGIN}' \ 62 -X 'main.AppletManifestVerifier=$(shell test ${APPLET_PUBLIC_KEY} && cat ${APPLET_PUBLIC_KEY})' \ 63 -X 'main.OSManifestVerifier1=$(shell test ${OS_PUBLIC_KEY1} && cat ${OS_PUBLIC_KEY1})' \ 64 -X 'main.OSManifestVerifier2=$(shell test ${OS_PUBLIC_KEY2} && cat ${OS_PUBLIC_KEY2})'" 65 66 .PHONY: clean qemu qemu-gdb 67 68 #### primary targets #### 69 70 all: trusted_os_embedded_applet witnessctl 71 72 # This target is only used for dev builds, since the proto definitions may 73 # change in development and require re-compilation of protos. 74 trusted_os: APP=trusted_os 75 trusted_os: DIR=$(CURDIR)/trusted_os 76 trusted_os: check_embed_env create_dummy_applet proto elf manifest 77 78 trusted_os_embedded_applet: APP=trusted_os 79 trusted_os_embedded_applet: DIR=$(CURDIR)/trusted_os 80 trusted_os_embedded_applet: check_embed_env copy_applet proto elf manifest imx 81 trusted_os_embedded_applet: 82 83 witnessctl: check_tamago 84 @echo "building armored-witness control tool" 85 @cd $(CURDIR)/cmd/witnessctl && GOPATH="${BUILD_GOPATH}" ${TAMAGO} build -v \ 86 -ldflags "-s -w -X 'main.Revision=${REV}'" \ 87 -o $(CURDIR)/bin/witnessctl 88 89 # This target builds the Trusted OS without signing it as it is intended to be 90 # used by the GCP build process and signed there. 91 trusted_os_release: APP=trusted_os 92 trusted_os_release: DIR=$(CURDIR)/trusted_os 93 trusted_os_release: check_embed_env create_dummy_applet elf 94 95 ## Targets for managing a local serverless log instance for dev/testing FT related bits. 96 97 ## log_initialise initialises the log stored under ${LOG_STORAGE_DIR}. 98 log_initialise: 99 echo "(Re-)initialising log at ${LOG_STORAGE_DIR}" 100 go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \ 101 --storage_dir=${LOG_STORAGE_DIR} \ 102 --origin=${LOG_ORIGIN} \ 103 --private_key=${LOG_PRIVATE_KEY} \ 104 --public_key=${LOG_PUBLIC_KEY} \ 105 --initialise 106 107 ## log_os adds the trusted_os_manifest file created during the build to the dev FT log. 108 log_os: LOG_STORAGE_DIR=$(DEV_LOG_DIR)/log 109 log_os: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts 110 log_os: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/bin/trusted_os.elf | cut -f1 -d" ") 111 log_os: 112 @if [ "${LOG_PRIVATE_KEY}" == "" -o "${LOG_PUBLIC_KEY}" == "" ]; then \ 113 echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \ 114 exit 1; \ 115 fi 116 @if [ "${DEV_LOG_DIR}" == "" ]; then \ 117 echo "You need to set the DEV_LOG_DIR variable"; \ 118 exit 1; \ 119 fi 120 121 @if [ ! -f ${LOG_STORAGE_DIR}/checkpoint ]; then \ 122 make log_initialise LOG_STORAGE_DIR="${LOG_STORAGE_DIR}" ; \ 123 fi 124 go run github.com/transparency-dev/serverless-log/cmd/sequence@a56a93b5681e5dc231882ac9de435c21cb340846 \ 125 --storage_dir=${LOG_STORAGE_DIR} \ 126 --origin=${LOG_ORIGIN} \ 127 --public_key=${LOG_PUBLIC_KEY} \ 128 --entries=${CURDIR}/bin/trusted_os_manifest 129 -go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \ 130 --storage_dir=${LOG_STORAGE_DIR} \ 131 --origin=${LOG_ORIGIN} \ 132 --private_key=${LOG_PRIVATE_KEY} \ 133 --public_key=${LOG_PUBLIC_KEY} 134 @mkdir -p ${LOG_ARTEFACT_DIR} 135 cp ${CURDIR}/bin/trusted_os.elf ${LOG_ARTEFACT_DIR}/${ARTEFACT_HASH} 136 137 138 #### ARM targets #### 139 140 imx: $(APP).imx 141 elf: $(APP).elf 142 manifest: $(APP)_manifest 143 144 proto: 145 @echo "generating protobuf classes" 146 -rm -f $(CURDIR)/api/*.pb.go 147 PATH=$(shell go env GOPATH | awk -F":" '{print $$1"/bin"}') ${PROTOC} --proto_path=$(CURDIR)/api --go_out=$(CURDIR)/api api.proto 148 149 $(APP).bin: CROSS_COMPILE=arm-none-eabi- 150 $(APP).bin: $(APP).elf 151 $(CROSS_COMPILE)objcopy -j .text -j .rodata -j .shstrtab -j .typelink \ 152 -j .itablink -j .gopclntab -j .go.buildinfo -j .noptrdata -j .data \ 153 -j .bss --set-section-flags .bss=alloc,load,contents \ 154 -j .noptrbss --set-section-flags .noptrbss=alloc,load,contents \ 155 $(CURDIR)/bin/$(APP).elf -O binary $(CURDIR)/bin/$(APP).bin 156 157 $(APP).imx: $(APP).bin $(APP).dcd 158 echo "## disabling TZASC bypass in DCD for pre-DDR initialization ##"; \ 159 chmod 644 $(CURDIR)/bin/$(APP).dcd; \ 160 echo "DATA 4 0x020e4024 0x00000001 # TZASC_BYPASS" >> $(CURDIR)/bin/$(APP).dcd; \ 161 mkimage -n $(CURDIR)/bin/$(APP).dcd -T imximage -e $(TEXT_START) -d $(CURDIR)/bin/$(APP).bin $(CURDIR)/bin/$(APP).imx 162 # Copy entry point from ELF file 163 dd if=$(CURDIR)/bin/$(APP).elf of=$(CURDIR)/bin/$(APP).imx bs=1 count=4 skip=24 seek=4 conv=notrunc 164 165 $(APP).dcd: check_tamago 166 $(APP).dcd: GOMODCACHE=$(shell ${TAMAGO} env GOMODCACHE) 167 $(APP).dcd: TAMAGO_PKG=$(shell grep "github.com/usbarmory/tamago v" go.mod | awk '{print $$1"@"$$2}') 168 $(APP).dcd: dcd 169 170 #### utilities #### 171 172 # Various strings need to be embedded into the binary, keys, log info, etc. check they are present. 173 check_embed_env: 174 @if [ "${LOG_ORIGIN}" == "" ]; then \ 175 echo 'You need to set the LOG_ORIGIN variable'; \ 176 exit 1; \ 177 fi 178 @if [ "${LOG_PUBLIC_KEY}" == "" ] || [ ! -f "${LOG_PUBLIC_KEY}" ]; then \ 179 echo 'You need to set the LOG_PUBLIC_KEY variable to a valid note verifier key path'; \ 180 exit 1; \ 181 fi 182 @if [ "${APPLET_PUBLIC_KEY}" == "" ] || [ ! -f "${APPLET_PUBLIC_KEY}" ]; then \ 183 echo 'You need to set the APPLET_PUBLIC_KEY variable to a valid note verifier key path'; \ 184 exit 1; \ 185 fi 186 @if [ "${OS_PUBLIC_KEY1}" == "" ] || [ ! -f "${OS_PUBLIC_KEY1}" ]; then \ 187 echo 'You need to set the OS_PUBLIC_KEY1 variable to a valid note verifier key path'; \ 188 exit 1; \ 189 fi 190 @if [ "${OS_PUBLIC_KEY2}" == "" ] || [ ! -f "${OS_PUBLIC_KEY2}" ]; then \ 191 echo 'You need to set the OS_PUBLIC_KEY2 variable to a valid note verifier key path'; \ 192 exit 1; \ 193 fi 194 195 copy_applet: LOG_URL=file://$(DEV_LOG_DIR)/log/ 196 copy_applet: 197 @if [ "${APPLET_PATH}" == "" ]; then \ 198 echo 'You need to set the APPLET_PATH variable to a valid path for the directory holding applet elf and proof bundle files (e.g. path to armored-witness-applet/bin)'; \ 199 exit 1; \ 200 fi 201 mkdir -p ${CURDIR}/trusted_os/assets 202 cp ${APPLET_PATH}/trusted_applet.elf ${CURDIR}/trusted_os/assets/ 203 cp ${APPLET_PATH}/trusted_applet_manifest ${CURDIR}/trusted_os/assets/ 204 go run ./cmd/proofbundle \ 205 --log_origin=${LOG_ORIGIN} \ 206 --log_url=${LOG_URL} \ 207 --log_pubkey_file=${LOG_PUBLIC_KEY} \ 208 --manifest_pubkey_file=${APPLET_PUBLIC_KEY} \ 209 --manifest_file=${CURDIR}/trusted_os/assets/trusted_applet_manifest \ 210 --applet_file=${CURDIR}/trusted_os/assets/trusted_applet.elf \ 211 --output_file=${CURDIR}/trusted_os/assets/trusted_applet.proofbundle 212 213 create_dummy_applet: 214 mkdir -p $(DIR)/assets 215 rm -f $(DIR)/assets/trusted_applet.elf && touch $(DIR)/assets/trusted_applet.elf 216 rm -f $(DIR)/assets/trusted_applet.proofbundle && touch $(DIR)/assets/trusted_applet.proofbundle 217 218 check_tamago: 219 @if [ "${TAMAGO}" == "" ] || [ ! -f "${TAMAGO}" ]; then \ 220 echo 'You need to set the TAMAGO variable to a compiled version of https://github.com/usbarmory/tamago-go'; \ 221 exit 1; \ 222 fi 223 @if [ "$(shell printf '%s\n' ${MINIMUM_TAMAGO_VERSION} ${TAMAGO_SEMVER} | sort -V | head -n1 )" != "${MINIMUM_TAMAGO_VERSION}" ]; then \ 224 echo "You need TamaGo >= ${MINIMUM_TAMAGO_VERSION}, found ${TAMAGO_SEMVER}" ; \ 225 exit 1; \ 226 fi 227 228 dcd: 229 cp -f $(GOMODCACHE)/$(TAMAGO_PKG)/board/usbarmory/mk2/imximage.cfg $(CURDIR)/bin/$(APP).dcd 230 231 clean: 232 @rm -fr $(CURDIR)/bin/* $(CURDIR)/trusted_os/assets/* $(CURDIR)/qemu.dtb 233 234 qemu: trusted_os_embedded_applet 235 $(QEMU) -kernel $(CURDIR)/bin/trusted_os.elf 236 237 qemu-gdb: GOFLAGS := $(GOFLAGS:-w=) 238 qemu-gdb: GOFLAGS := $(GOFLAGS:-s=) 239 qemu-gdb: trusted_os_embedded_applet 240 $(QEMU) -kernel $(CURDIR)/bin/trusted_os.elf -S -s 241 242 #### application target #### 243 244 $(APP).elf: check_tamago 245 cd $(DIR) && $(GOENV) $(TAMAGO) build $(GOFLAGS) -o $(CURDIR)/bin/$(APP).elf 246 247 $(APP)_manifest: 248 @if [ "${OS_PRIVATE_KEY1}" == "" ] || [ ! -f "${OS_PRIVATE_KEY1}" ]; then \ 249 echo 'You need to set the OS_PRIVATE_KEY1 variable to a valid note signing key path'; \ 250 exit 1; \ 251 fi 252 @if [ "${OS_PRIVATE_KEY2}" == "" ] || [ ! -f "${OS_PRIVATE_KEY2}" ]; then \ 253 echo 'You need to set the OS_PRIVATE_KEY2 variable to a valid note signing key path'; \ 254 exit 1; \ 255 fi 256 # Create manifest 257 @echo ---------- Manifest -------------- 258 go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \ 259 create \ 260 --git_tag=${GIT_SEMVER_TAG} \ 261 --git_commit_fingerprint="${REV}" \ 262 --firmware_file=${CURDIR}/bin/$(APP).elf \ 263 --firmware_type=TRUSTED_OS \ 264 --tamago_version=${TAMAGO_SEMVER} \ 265 --private_key_file=${OS_PRIVATE_KEY1} \ 266 --output_file=${CURDIR}/bin/${APP}_manifest 267 @echo ---------------------------------- 268 # Now counter sign with OS_PRIVATE_KEY2 269 go run github.com/transparency-dev/armored-witness/cmd/manifest@561c0b09a2cc48877a8c9e59c3fbf7ffc81cdd4d \ 270 create \ 271 --git_tag=${GIT_SEMVER_TAG} \ 272 --git_commit_fingerprint="${REV}" \ 273 --firmware_file=${CURDIR}/bin/$(APP).elf \ 274 --firmware_type=TRUSTED_OS \ 275 --tamago_version=${TAMAGO_SEMVER} \ 276 --private_key_file=${OS_PRIVATE_KEY2} | tail -1 >> ${CURDIR}/bin/${APP}_manifest