Merge pull request #403 from ionut-arm/cross-compile-tpm

Add TPM provider cross-compilation
parallaxsecond · May 7, 2021 · a238ad7 · a238ad7
2 parents 80b438c + 3338999
commit a238ad7
Show file tree

Hide file tree

Showing 10 changed files with 145 additions and 35 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      # Use the following step when updating the `parsec-service-test-all` image
+      # - name: Build the container
+      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh all
 
@@ -16,6 +19,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      # Use the following step when updating the `parsec-service-test-all` image
+      # - name: Build the container
+      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh mbed-crypto
 
@@ -24,6 +30,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      # Use the following step when updating the `parsec-service-test-all` image
+      # - name: Build the container
+      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         # Not running stress tests because they fail, presumably because of the same issue as #264
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh pkcs11 --no-stress-test
@@ -33,6 +42,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      # Use the following step when updating the `parsec-service-test-all` image
+      # - name: Build the container
+      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh tpm
 
@@ -41,6 +53,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      # Use the following step when updating the `parsec-service-test-all` image
+      # - name: Build the container
+      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh trusted-service
 
@@ -49,37 +64,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      # Use the following step when updating the `parsec-service-test-all` image
+      # - name: Build the container
+      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         # Not running stress tests because rust-cryptoauthlib test-interface does not support required calls
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh cryptoauthlib --no-stress-test
 
   cross-compilation:
-    # Currently only the Mbed Crypto and PKCS 11 providers are tested as the other ones need to cross-compile other libraries.
+    # Currently only the Mbed Crypto, PKCS 11, and TPM providers are tested as the other ones need to cross-compile other libraries.
     name: Cross-compile Parsec to various targets
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Install latest nightly
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          override: true
-      - name: armv7-unknown-linux-gnueabihf
-        run: |
-          rustup target add armv7-unknown-linux-gnueabihf
-          sudo apt install -y gcc-multilib
-          sudo apt install -y gcc-arm-linux-gnueabihf
-          cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target armv7-unknown-linux-gnueabihf
-      - name: aarch64-unknown-linux-gnu
-        run: |
-          rustup target add aarch64-unknown-linux-gnu
-          sudo apt install -y gcc-aarch64-linux-gnu
-          cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target aarch64-unknown-linux-gnu
-      - name: i686-unknown-linux-gnu
-        run: |
-          sudo apt install -y gcc-multilib libc6-dev-i386
-          rustup target add i686-unknown-linux-gnu
-          cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target i686-unknown-linux-gnu
+      # Use the following step when updating the `parsec-service-test-cross-compile` image
+      # - name: Build the container
+      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-cross-compile -f parsec-service-test-cross-compile.Dockerfile . && popd
+      - name: Run the container to execute the test script
+        run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-cross-compile /tmp/parsec/test/cross-compile.sh
 
   links:
     name: Check links

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -29,7 +29,7 @@ log = { version = "0.4.14", features = ["serde"] }
 cryptoki = { git = "https://github.com/parallaxsecond/rust-cryptoki", rev = "850b826b631df354553bf62757f35cd394b3dfff", optional = true, features = ["psa-crypto-conversions"] }
 picky-asn1-der = { version = "0.2.4", optional = true }
 picky-asn1 = { version = "0.3.1", optional = true }
-tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi", rev = "2e0ba0aa2c5aa928d960b26458778acde448981a", optional = true }
+tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi", rev = "56c487a101dc85e17560416d71f0fc2eb81739a6", optional = true }
 bincode = "1.3.1"
 structopt = "0.3.21"
 derivative = "2.2.0"

diff --git a/build.rs b/build.rs
@@ -17,11 +17,11 @@ fn generate_ts_bindings(ts_include_dir: String) -> Result<()> {
         .generate_comments(false)
         .size_t_is_usize(true)
         .generate()
-        .or_else(|_| {
-            Err(Error::new(
+        .map_err(|_| {
+            Error::new(
                 ErrorKind::Other,
                 "Unable to generate bindings to trusted services locator",
-            ))
+            )
         })?;
     let out_path = PathBuf::from(env::var("OUT_DIR").unwrap());
     bindings.write_to_file(out_path.join("ts_bindings.rs"))?;
@@ -49,11 +49,11 @@ fn generate_proto_sources(contract_dir: String) -> Result<()> {
                 .path()
                 .into_os_string()
                 .into_string()
-                .or_else(|_| {
-                    Err(Error::new(
+                .map_err(|_| {
+                    Error::new(
                         ErrorKind::InvalidData,
                         "conversion from OsString to String failed",
-                    ))
+                    )
                 })
         })
         // Fail the entire operation if there was an error.

diff --git a/e2e_tests/docker_image/cross-compile-tss.sh b/e2e_tests/docker_image/cross-compile-tss.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+
+# Cross compile the tpm2-tss library (and its dependencies) for a given target
+# In order to cross-compile the TSS library we need to also cross-compile OpenSSL
+
+set -xeuf -o pipefail
+
+# Prepare directory for cross-compiled OpenSSL files
+mkdir -p /tmp/$1
+export INSTALL_DIR=/tmp/$1
+
+pushd /tmp/openssl
+# Compile and copy files over
+./Configure $2 shared --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl --cross-compile-prefix=$1-
+make clean
+make depend
+make -j$(nproc)
+make install
+popd
+
+unset INSTALL_DIR
+
+# Prepare directory for cross-compiled TSS lib
+# `DESTDIR` is used in `make install` below to set the root of the installation paths.
+# The `./configure` script accepts a `--prefix` input variable which sets the same root,
+# but also adds it to the paths in `.pc` files used by `pkg-config`. This prevents the 
+# use of `PKG_CONFIG_SYSROOT_DIR`.
+export DESTDIR=/tmp/$1
+
+pushd /tmp/tpm2-tss
+# Compile and copy files over
+./bootstrap
+./configure --build=x86_64-pc-linux-gnu --host=$1 CC=$1-gcc \
+    LIBCRYPTO_CFLAGS="-I/tmp/$1/include" LIBCRYPTO_LIBS="-L/tmp/$1/lib -lcrypto"
+make clean
+make -j$(nproc)
+make install
+popd
+
+unset DESTDIR
diff --git a/e2e_tests/docker_image/Dockerfile → ..._image/parsec-service-test-all.Dockerfile b/e2e_tests/docker_image/Dockerfile → ..._image/parsec-service-test-all.Dockerfile
@@ -1,3 +1,5 @@
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
 FROM ubuntu:18.04
 
 ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig

diff --git a/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile b/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile
@@ -0,0 +1,32 @@
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+FROM ghcr.io/parallaxsecond/parsec-service-test-all
+
+# Install cross-compilers
+RUN apt install -y gcc-multilib
+RUN apt install -y gcc-arm-linux-gnueabihf
+RUN apt install -y gcc-aarch64-linux-gnu
+RUN apt install -y gcc-i686-linux-gnu libc6-dev-i386
+
+WORKDIR /tmp
+
+# Get OpenSSL source code
+ENV OPENSSL_VERSION="OpenSSL_1_1_1j"
+RUN git clone https://github.com/openssl/openssl.git --branch $OPENSSL_VERSION
+
+# Get TPM2 TSS source code
+ENV TPM2_TSS_VERSION="2.3.3"
+RUN git clone https://github.com/tpm2-software/tpm2-tss --branch $TPM2_TSS_VERSION
+
+# Copy TSS cross-compilation script
+COPY cross-compile-tss.sh /tmp/
+# Cross-compile TPM2 TSS and OpenSSL for Linux on aarch64
+RUN ./cross-compile-tss.sh aarch64-linux-gnu linux-generic64
+# Cross-compile TPM2 TSS and OpenSSL for Linux on armv7
+RUN ./cross-compile-tss.sh arm-linux-gnueabihf linux-generic32
+# Cross-compile TPM2 TSS and OpenSSL for Linux on i686
+RUN ./cross-compile-tss.sh i686-linux-gnu linux-generic32
+
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN rustup target add i686-unknown-linux-gnu
diff --git a/src/providers/mbed_crypto/asym_encryption.rs b/src/providers/mbed_crypto/asym_encryption.rs
@@ -62,10 +62,7 @@ impl Provider {
         let id = key::Id::from_persistent_key_id(key_id)?;
         let key_attributes = key::Attributes::from_key_id(id)?;
         op.validate(key_attributes)?;
-        let salt_buff = match &op.salt {
-            Some(salt) => Some(salt.as_slice()),
-            None => None,
-        };
+        let salt_buff = op.salt.as_ref().map(|salt| salt.as_slice());
         let buffer_size = key_attributes.asymmetric_decrypt_output_size(op.alg)?;
         let mut plaintext = vec![0u8; buffer_size];
 

diff --git a/test/cross-compile.sh b/test/cross-compile.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+
+set -xeuf -o pipefail
+
+# Allow the `pkg-config` crate to cross-compile
+export PKG_CONFIG_ALLOW_CROSS=1
+# Make the `pkg-config` crate use our wrapper
+export PKG_CONFIG=$(pwd)/test/pkg-config
+
+# Set the SYSROOT used by pkg-config
+export SYSROOT=/tmp/arm-linux-gnueabihf
+# Add the correct libcrypto to the linking process
+export RUSTFLAGS="-lcrypto -L/tmp/arm-linux-gnueabihf/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators" --target armv7-unknown-linux-gnueabihf
+
+export SYSROOT=/tmp/aarch64-linux-gnu
+export RUSTFLAGS="-lcrypto -L/tmp/aarch64-linux-gnu/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators" --target aarch64-unknown-linux-gnu
+
+# This is needed because for some reason the i686/i386 libs aren't picked up if we don't toss them around just before...
+apt install -y libc6-dev-i386-amd64-cross
+export SYSROOT=/tmp/i686-linux-gnu
+export RUSTFLAGS="-lcrypto -L/tmp/i686-linux-gnu/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators, tss-esapi/generate-bindings" --target i686-unknown-linux-gnu
diff --git a/test/pkg-config b/test/pkg-config
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+export PKG_CONFIG_PATH=
+export PKG_CONFIG_LIBDIR=$(SYSROOT)/lib/pkgconfig:${SYSROOT}/usr/lib/pkgconfig:${SYSROOT}/usr/share/pkgconfig:$(SYSROOT)/usr/local/lib/pkgconfig
+export PKG_CONFIG_SYSROOT_DIR=${SYSROOT}
+
+exec pkg-config "$@"