Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add std-only examples and polish doc for main #144

Merged
merged 7 commits into from
Oct 25, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .licenserc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,4 @@ header:
- 'KEYS'
- 'DISCLAIMER-WIP'
- '*.json'
- 'examples/tls_server-rs/ta/test-ca/**'
138 changes: 68 additions & 70 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,25 +14,32 @@ TrustZone applications with Rust's standard library (std) and many third-party
libraries (i.e., crates). Teaclave TrustZone SDK is a sub-project of [Apache
Teaclave (incubating)](https://teaclave.apache.org/).

Teaclave TrustZone SDK provides two development modes for Rust TAs: `no-std`
(check out the `no-std` branch) and `std` (check out the `master` branch).
Teaclave TrustZone SDK provides two development modes for Rust TAs: `no-std` and `std`.
We recommend using `no-std` by default. For a detailed comparison, please refer
to [Comparison](#comparison).

**UPDATES:** We have developed a new build environment on the `main` branch,
which will now be the only branch for development and maintenance and includes
breaking changes to the legacy `master` branch.
If you're using the `master` branch and wish to migrate to the new development
branch (`main`), please refer to the
[migration guide](docs/migrating-to-new-building-env.md).

## Table of Contents

- [TA Development Modes](#ta-development-modes)
- [Comparison](#comparison)
- [Supported Examples](#supported-examples)
- [Quick Start with the OP-TEE Repo for QEMUv8](#quick-start-with-the-op-tee-repo-for-qemuv8)
- [Getting started](#getting-started)
- [Environment](#environment)
- [Getting Started](#getting-started)
- [Platforms](#platforms)
- [Develop with QEMUv8](#develop-with-qemuv8)
- [Develop on other platforms](#develop-on-other-platforms)
- [Build & Install](#build--install)
- [Develop on Other Platforms](#develop-on-other-platforms)
- [Setup Building Environment](#setup-building-environment)
- [Build Examples](#build-examples)
- [Run Rust Applications](#run-rust-applications)
- [Run Rust Applications in QEMUv8](#run-rust-applications-in-qemuv8)
- [Run Rust Applications on other platforms](#run-rust-applications-on-other-platforms)
- [Run Rust Applications on Other Platforms](#run-rust-applications-on-other-platforms)
- [Test](#test)
- [Documentation](#documentation)
- [Publication](#publication)
Expand Down Expand Up @@ -75,7 +82,7 @@ to [Comparison](#comparison).
`test_message_passing_interface`, `test_tls_client`, `test_tls_server`.


## Quick start with the OP-TEE Repo for QEMUv8
## Quick Start with the OP-TEE Repo for QEMUv8

Teaclave TrustZone SDK has been integrated into the OP-TEE Repo since OP-TEE
Release 3.15.0 (18/Oct/21). The aarch64 Rust examples are built and installed
Expand All @@ -86,9 +93,9 @@ to set up the OP-TEE repo and try the Rust examples!
UPDATES: The `no-std` TA has replaced the original `std` TAs since OP-TEE
Release 4.1.0 (19/Jan/24).

## Getting started
## Getting Started

### Environment
### Platforms

To get started with Teaclave TrustZone SDK, you could choose either [QEMU for
Armv8-A](#develop-with-qemuv8) (QEMUv8) or [other
Expand All @@ -113,7 +120,7 @@ cd [YOUR_OPTEE_DIR]/optee_rust/
git pull github master
```

#### Develop on other platforms
#### Develop on Other Platforms

If you are building trusted applications for other platforms ([platforms OP-TEE
supported](https://optee.readthedocs.io/en/latest/general/platforms.html)). QEMU
Expand All @@ -125,83 +132,74 @@ initialized in the setup process.
1. The complete list of prerequisites can be found here: [OP-TEE
Prerequisites](https://optee.readthedocs.io/en/latest/building/prerequisites.html).

``` sh
# install dependencies
sudo apt-get install android-tools-adb android-tools-fastboot autoconf \
automake bc bison build-essential ccache cscope curl device-tree-compiler \
expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \
libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \
libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \
mtools netcat python-crypto python3-crypto python-pyelftools \
python3-pycryptodome python3-pyelftools python-serial python3-serial \
rsync unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev
```

Alternatively, you can use a docker container built with our
[Dockerfile](Dockerfile).
```sh
# install dependencies
sudo apt-get install android-tools-adb android-tools-fastboot autoconf \
automake bc bison build-essential ccache cscope curl device-tree-compiler \
expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \
libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \
libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \
mtools netcat python-crypto python3-crypto python-pyelftools \
python3-pycryptodome python3-pyelftools python-serial python3-serial \
rsync unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev
```

Alternatively, you can use a docker container built with our
[Dockerfile](Dockerfile).

2. After installing dependencies or building the Docker image, fetch the source
code from the official GitHub repository:

```sh
git clone https://github.com/apache/incubator-teaclave-trustzone-sdk.git
cd incubator-teaclave-trustzone-sdk
```

``` sh
# clone the project
git clone https://github.com/apache/incubator-teaclave-trustzone-sdk.git
cd incubator-teaclave-trustzone-sdk
```

### Build & Install

To build the project, the Rust environment and several related submodules are
required.
### Setup Building Environment

1. Run the script as follows to install the Rust environment and toolchains:
1. Install the Rust environment and toolchains:

```sh
./setup.sh
```
```sh
./setup.sh
```

2. Build OP-TEE libraries

- for QEMUv8:
By default, the `OPTEE_DIR` is
`incubator-teaclave-trustzone-sdk/optee/`. OP-TEE submodules
(`optee_os` and `optee_client` for QEMUv8) will be initialized
automatically by executing:

By default, the `OPTEE_DIR` is `incubator-teaclave-trustzone-sdk/optee/`.
OP-TEE submodules (`optee_os` and `optee_client`) will be initialized
automatically by executing:
```sh
./build_optee_libraries.sh optee/
```

```
./build_optee_libraries.sh optee/
```

Then the environment should be properly set up before building applications:

``` sh
source environment
```
3. Before building applications, set up the configuration:

Note: by default, the target platform is `aarch64`. If you want to build for the
`arm` target, you can setup `ARCH` before the `source environment` command:
a. By default, the target platform is `aarch64` for both CA and TA. If
you want to build for the `arm` target, you can set up `ARCH`:

```sh
export ARCH=arm
source environment
```
```sh
export ARCH_HOST=arm
export ARCH_TA=arm
```

- for other platforms:
b. By default, the build is for `no-std` TA. If you want to enable
`std` TA, set the `STD` variable:

You should set these environment variables for building, e.g:
```sh
export STD=y
```

```
export CROSS_COMPILE_HOST="aarch64-linux-gnu-"
export CROSS_COMPILE_TA="arm-linux-gnueabihf-"
4. Run this script to set up all toolchain and library paths:

export TARGET_HOST="aarch64-unknown-linux-gnu"
export TARGET_TA="arm-unknown-linux-gnueabihf"
```sh
source environment
```

export TA_DEV_KIT_DIR=~/optee_os/out/arm-plat-vexpress/export-ta_arm32/
export OPTEE_CLIENT_EXPORT=~/optee_client/out/export/
```
### Build Examples

3. Run this command to build all Rust examples:
Run this command to build all Rust examples:

``` sh
make examples
Expand Down Expand Up @@ -263,7 +261,7 @@ mkdir shared && mount -t 9p -o trans=virtio host shared
documentation](https://optee.readthedocs.io/en/latest/building/optee_with_rust.html)
describes.

#### Run Rust Applications on other platforms
#### Run Rust Applications on Other Platforms

Copy the applications to your platform and run.

Expand Down
10 changes: 10 additions & 0 deletions ci/ci.sh
Original file line number Diff line number Diff line change
Expand Up @@ -36,4 +36,14 @@ pushd ../tests
./test_supp_plugin.sh
./test_error_handling.sh

# Run std only tests
if [ "$STD" ]; then
./test_serde.sh
./test_message_passing_interface.sh
./test_tcp_client.sh
./test_udp_socket.sh
./test_tls_client.sh
./test_tls_server.sh
fi

popd
57 changes: 57 additions & 0 deletions docs/migrating-to-new-building-env.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
---
permalink: /trustzone-sdk-docs/migrating-to-new-building-env.md
---

## Migration Guide: Moving from `master` to `main` Branch (Post-Oct 2024)

Since the `main` branch (after October 2024) introduces breaking changes
to the build environment, if users of the legacy `master` branch want to
keep upstream or use a new version of the Rust toolchain, they will need
to follow these steps to migrate their TA to the new environment.

### Step 1: Migrate Old Code to the New Environment

To migrate an example project (e.g., `tls_server-rs` in `examples/`), you

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current migration strategy seems to ask developers to duplicate the hello-world example and manually copy their source code into the corresponding subdirectories. However, this approach doesn't clearly highlight what has actually changed and what developers need to focus on during the migration.

The target audience for this section is developers currently using the master branch who have their own code repositories. The key point we need to emphasize is that no code changes are required during the migration—only the build scripts need to be updated.

The message we want to convey is simple: developers should be aware that the build process has changed compared to the legacy master branch, and the build scripts will need to be replaced. Could we clearly outline the differences in the build scripts (e.g. Cargo.toml, build.rs, Makefile, etc), step-by-step, and perhaps reference a specific commit for further clarification? This way, developers can focus on adapting their build environment without being concerned about unnecessary code modifications.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, we should rather be describing the build environment for the main branch as to how it's structured. This will help developers writing new TAs or updating existing TAs to the build environment on main branch.

A few words for each file under following directory structure should be sufficient:

examples/acipher-rs/
├── host
│   ├── Cargo.toml
│   ├── Makefile
│   └── src
│       └── main.rs
├── Makefile
├── proto
│   ├── build.rs
│   ├── Cargo.toml
│   └── src
│       └── lib.rs
├── ta
│   ├── build.rs
│   ├── Cargo.toml
│   ├── Makefile
│   ├── src
│   │   └── main.rs
│   ├── ta_static.rs
│   └── Xargo.toml
└── uuid.txt

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doc updated, thanks for all comments

can refer to the following shell script and adjust it for your TA:

```bash
TARGET_EXAMPLE="tls_server-rs"
OLD_ROOT_PATH="/path/to/old/sdk"
NEW_PATH="/path/to/current/sdk"

# Duplicate the hello-world example in the new path as a template
cp -r ${NEW_PATH}/examples/hello_world-rs ${NEW_PATH}/examples/${TARGET_EXAMPLE}

# Remove the source code directory and copy from the old path to the new path
# including: src/ and Cargo.toml in host, ta, proto
(cd ${NEW_PATH}/examples/${TARGET_EXAMPLE}/host && rm -rf src/ Cargo.* && \
cp -r ${OLD_ROOT_PATH}/examples/${TARGET_EXAMPLE}/host/src . && \
cp ${OLD_ROOT_PATH}/examples/${TARGET_EXAMPLE}/host/Cargo.toml .)
(cd ${NEW_PATH}/examples/${TARGET_EXAMPLE}/ta && rm -rf src/ Cargo.* && \
cp -r ${OLD_ROOT_PATH}/examples/${TARGET_EXAMPLE}/ta/src . && \
cp ${OLD_ROOT_PATH}/examples/${TARGET_EXAMPLE}/ta/Cargo.toml .)
(cd ${NEW_PATH}/examples/${TARGET_EXAMPLE}/proto && rm -rf src/ Cargo.* && \
cp -r ${OLD_ROOT_PATH}/examples/${TARGET_EXAMPLE}/proto/src . && \
cp ${OLD_ROOT_PATH}/examples/${TARGET_EXAMPLE}/proto/Cargo.toml .)

# Copy the UUID file from the old path to the new path
cp ${OLD_ROOT_PATH}/examples/${TARGET_EXAMPLE}/uuid.txt \
${NEW_PATH}/examples/${TARGET_EXAMPLE}/uuid.txt

# Update binary names in host/Cargo.toml and host/Makefile
sed -i "s/hello_world-rs/${TARGET_EXAMPLE}/g" \
${NEW_PATH}/examples/${TARGET_EXAMPLE}/host/Cargo.toml
sed -i "s/hello_world-rs/${TARGET_EXAMPLE}/g" \
${NEW_PATH}/examples/${TARGET_EXAMPLE}/host/Makefile
```

### Step 2: Update `Cargo.toml`

You may need to update your `Cargo.toml` to use newer versions of crates.
The Rust toolchain for the current build environment can be found in
`rust-toolchain.toml`.

### Step 3: Build and Fix Errors

After updating, run the build process. Some errors might occur due to the
crate version upgrades—fix them as necessary.
2 changes: 1 addition & 1 deletion environment
Original file line number Diff line number Diff line change
Expand Up @@ -92,4 +92,4 @@ then
else
echo -e "Error: OPTEE_CLIENT_EXPORT=$OPTEE_CLIENT_EXPORT does not exist, please set the correct OPTEE_CLIENT_EXPORT or run \"$ ./build_optee_libraries.sh optee/\" then try again\n"
unset OPTEE_DIR
fi
fi
33 changes: 33 additions & 0 deletions examples/message_passing_interface-rs/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

# If _HOST or _TA specific compiler/target are not specified, then use common
# compiler/target for both
CROSS_COMPILE_HOST ?= aarch64-linux-gnu-
CROSS_COMPILE_TA ?= aarch64-linux-gnu-
TARGET_HOST ?= aarch64-unknown-linux-gnu
TARGET_TA ?= aarch64-unknown-linux-gnu

all:
$(q)make -C host TARGET_HOST=$(TARGET_HOST) \
CROSS_COMPILE_HOST=$(CROSS_COMPILE_HOST)
$(q)make -C ta TARGET_TA=$(TARGET_TA) \
CROSS_COMPILE_TA=$(CROSS_COMPILE_TA)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that at the top level, TARGET_HOST and TARGET_TA are used to differentiate between the build parameters for the host and trusted application (TA), which makes sense. However, at the sub-level (host/Makefile and ta/Makefile), it may be unnecessary to keep differentiating these parameters. The sub-level Makefiles could rely on the variables passed down from the top-level Makefile and use more generic variable names, such as TARGET and CROSS_COMPILE, similar as the @CROSS_COMPILE usage for building ring.

Instead of maintaining the separate TARGET_HOST and TARGET_TA at each level, we could streamline the build process by using:

@make -C host TARGET=$(TARGET_HOST) CROSS_COMPILE=$(CROSS_COMPILE_HOST)
@make -C ta TARGET=$(TARGET_TA) CROSS_COMPILE=$(CROSS_COMPILE_TA)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sub-level Makefiles could rely on the variables passed down from the top-level Makefile and use more generic variable names, such as TARGET and CROSS_COMPILE, similar as the @CROSS_COMPILE usage for building ring.

That makes sense because the CROSS_COMPILE is needed for building inner C libraries for TA. But I have some consideration for independent building.
Keeping the CROSS_COMPILE_{HOST, TA} suffix helps to build CA or TA independently. The scenario is common, like the CA is finished and we're developing TA and willing to rebuild it.

Currently, the CROSS_COMPILE_{HOST, TA} is set by source environment on env setup stage of our SDK (https://github.com/DemesneGH/rust-optee-trustzone-sdk/blob/a84e96d4199289844285d545ac5916fb35f1e9fb/environment) .
After setup we can build only TA for one example: e.g. run make -C examples/hello_world-rs/ta.

If changed to this:

@make -C host TARGET=$(TARGET_HOST) CROSS_COMPILE=$(CROSS_COMPILE_HOST)
@make -C ta TARGET=$(TARGET_TA) CROSS_COMPILE=$(CROSS_COMPILE_TA)

The example/*/ta/Makefile needs to read CROSS_COMPILE set by example/*/Makefile.
If we want to build TA only, we have to build the entire example (using example/*/Makefile) to set correct CROSS_COMPILE, or set the CROSS_COMPILE explicitly.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make host, make ta should be the recommended way for independent building.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

clean:
$(q)make -C host clean
m4sterchain marked this conversation as resolved.
Show resolved Hide resolved
$(q)make -C ta clean
33 changes: 33 additions & 0 deletions examples/message_passing_interface-rs/host/Cargo.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

[package]
name = "message_passing_interface-rs"
version = "0.3.0"
authors = ["Teaclave Contributors <[email protected]>"]
license = "Apache-2.0"
repository = "https://github.com/apache/incubator-teaclave-trustzone-sdk.git"
description = "An example of Rust OP-TEE TrustZone SDK."
edition = "2018"

[dependencies]
url = "2.5.0"
proto = { path = "../proto" }
optee-teec = { path = "../../../optee-teec" }

[profile.release]
lto = true
Loading
Loading