Add TPM provider cross-compilation

This commit adds cross-compilation for the TPM provider and moves all the cross-compilation into a dedicated Docker container. Signed-off-by: Ionut Mihalcea <[email protected]>
parallaxsecond · Apr 23, 2021 · 44175bc · 44175bc
1 parent 1fdcbb4
commit 44175bc
Show file tree

Hide file tree

Showing 6 changed files with 108 additions and 22 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -54,32 +54,13 @@ jobs:
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh cryptoauthlib --no-stress-test
 
   cross-compilation:
-    # Currently only the Mbed Crypto and PKCS 11 providers are tested as the other ones need to cross-compile other libraries.
+    # Currently only the Mbed Crypto, PKCS 11, and TPM providers are tested as the other ones need to cross-compile other libraries.
     name: Cross-compile Parsec to various targets
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Install latest nightly
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          override: true
-      - name: armv7-unknown-linux-gnueabihf
-        run: |
-          rustup target add armv7-unknown-linux-gnueabihf
-          sudo apt install -y gcc-multilib
-          sudo apt install -y gcc-arm-linux-gnueabihf
-          cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target armv7-unknown-linux-gnueabihf
-      - name: aarch64-unknown-linux-gnu
-        run: |
-          rustup target add aarch64-unknown-linux-gnu
-          sudo apt install -y gcc-aarch64-linux-gnu
-          cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target aarch64-unknown-linux-gnu
-      - name: i686-unknown-linux-gnu
-        run: |
-          sudo apt install -y gcc-multilib libc6-dev-i386
-          rustup target add i686-unknown-linux-gnu
-          cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target i686-unknown-linux-gnu
+      - name: Run the container to execute the test script
+        run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-cross-compile /tmp/parsec/test/cross-compile.sh
 
   links:
     name: Check links

diff --git a/e2e_tests/docker_image/cross-compile-tss.sh b/e2e_tests/docker_image/cross-compile-tss.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+
+# Cross compile the `tss-esapi` crate (and its dependencies) for Armv7 and Aarch64
+# In order to cross-compile the TSS library we need to also cross-compile OpenSSL
+
+set -xeuf -o pipefail
+
+# Prepare directory for cross-compiled OpenSSL files
+mkdir -p /tmp/$1
+export INSTALL_DIR=/tmp/$1
+
+pushd /tmp/openssl
+# Compile and copy files over
+./Configure $2 shared --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl --cross-compile-prefix=$1-
+make clean
+make depend
+make -j$(nproc)
+make install
+popd
+
+export INSTALL_DIR=
+
+# Prepare directory for cross-compiled TSS lib
+# `DESTDIR` is used in `make install` below to set the root of the installation paths.
+# The `./configure` script accepts a `--prefix` input variable which sets the same root,
+# but also adds it to the paths in `.pc` files used by `pkg-config`. This prevents the 
+# use of `PKG_CONFIG_SYSROOT_DIR`.
+export DESTDIR=/tmp/$1
+
+pushd /tmp/tpm2-tss
+# Compile and copy files over
+./bootstrap
+./configure --build=x86_64-pc-linux-gnu --host=$1 --target=$1 CC=$1-gcc \
+    LIBCRYPTO_CFLAGS="-I/tmp/$1/include" LIBCRYPTO_LIBS="-L/tmp/$1/lib -lcrypto"
+make clean
+make -j$(nproc)
+make install
+popd
+
+export DESTDIR=
diff --git a/e2e_tests/docker_image/Dockerfile → ..._image/parsec-service-test-all.Dockerfile b/e2e_tests/docker_image/Dockerfile → ..._image/parsec-service-test-all.Dockerfile
diff --git a/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile b/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile
@@ -0,0 +1,30 @@
+FROM ghcr.io/parallaxsecond/parsec-service-test-all
+
+# Install cross-compilers
+RUN apt install -y gcc-multilib
+RUN apt install -y gcc-arm-linux-gnueabihf
+RUN apt install -y gcc-aarch64-linux-gnu
+RUN apt install -y gcc-i686-linux-gnu libc6-dev-i386
+
+WORKDIR /tmp
+
+# Get OpenSSL source code
+ENV OPENSSL_VERSION="OpenSSL_1_1_1j"
+RUN git clone https://github.com/openssl/openssl.git --branch $OPENSSL_VERSION
+
+# Get TPM2 TSS source code
+ENV TPM2_TSS_VERSION="2.3.3"
+RUN git clone https://github.com/tpm2-software/tpm2-tss --branch $TPM2_TSS_VERSION
+
+# Copy TSS cross-compilation script
+COPY cross-compile-tss.sh /tmp/
+# Cross-compile TPM2 TSS and OpenSSL for Linux on aarch64
+RUN ./cross-compile-tss.sh aarch64-linux-gnu linux-generic64
+# Cross-compile TPM2 TSS and OpenSSL for Linux on armv7
+RUN ./cross-compile-tss.sh arm-linux-gnueabihf linux-generic32
+# Cross-compile TPM2 TSS and OpenSSL for Linux on i686
+RUN ./cross-compile-tss.sh i686-linux-gnu linux-generic32
+
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN rustup target add i686-unknown-linux-gnu
diff --git a/test/cross-compile.sh b/test/cross-compile.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+
+set -xeuf -o pipefail
+
+# Allow the `pkg-config` crate to cross-compile
+export PKG_CONFIG_ALLOW_CROSS=1
+# Make the `pkg-config` crate use our wrapper
+export PKG_CONFIG=$(pwd)/test/pkg-config
+
+# Set the SYSROOT used by pkg-config
+export SYSROOT=/tmp/arm-linux-gnueabihf
+# Add the correct libcrypto to the linking process
+export RUSTFLAGS="-lcrypto -L/tmp/arm-linux-gnueabihf/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators" --target armv7-unknown-linux-gnueabihf
+
+export SYSROOT=/tmp/aarch64-linux-gnu
+export RUSTFLAGS="-lcrypto -L/tmp/aarch64-linux-gnu/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators" --target aarch64-unknown-linux-gnu
+
+export SYSROOT=/tmp/i686-linux-gnu
+export RUSTFLAGS="-lcrypto -L/tmp/i686-linux-gnu/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators, tss-esapi/generate-bindings" --target i686-unknown-linux-gnu
diff --git a/test/pkg-config b/test/pkg-config
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+export PKG_CONFIG_PATH=
+export PKG_CONFIG_LIBDIR=$(SYSROOT)/lib/pkgconfig:${SYSROOT}/usr/lib/pkgconfig:${SYSROOT}/usr/share/pkgconfig:$(SYSROOT)/usr/local/lib/pkgconfig
+export PKG_CONFIG_SYSROOT_DIR=${SYSROOT}
+
+exec pkg-config "$@"