From f9e7b8118b4175085950dc3dbbab72fa5d733bb6 Mon Sep 17 00:00:00 2001 From: Ionut Mihalcea Date: Fri, 23 Apr 2021 14:31:12 +0100 Subject: [PATCH] Add TPM provider cross-compilation This commit adds cross-compilation for the TPM provider and moves all the cross-compilation into a dedicated Docker container. Signed-off-by: Ionut Mihalcea --- .github/workflows/ci.yml | 58 ++++++++++--------- Cargo.lock | 4 +- Cargo.toml | 2 +- e2e_tests/docker_image/cross-compile-tss.sh | 43 ++++++++++++++ ...ile => parsec-service-test-all.Dockerfile} | 2 + ...rsec-service-test-cross-compile.Dockerfile | 32 ++++++++++ test/cross-compile.sh | 27 +++++++++ test/pkg-config | 7 +++ 8 files changed, 144 insertions(+), 31 deletions(-) create mode 100755 e2e_tests/docker_image/cross-compile-tss.sh rename e2e_tests/docker_image/{Dockerfile => parsec-service-test-all.Dockerfile} (97%) create mode 100644 e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile create mode 100755 test/cross-compile.sh create mode 100755 test/pkg-config diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b8debf3..4a295a6d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -8,78 +8,80 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + # Use the following step when updating the `parsec-service-test-all` image + - name: Build the container + run: docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile e2e_tests/docker_image - name: Run the container to execute the test script - run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh all + run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec parsec-service-test-all /tmp/parsec/ci.sh all mbed-crypto-provider: name: Integration tests using Mbed Crypto provider runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + # Use the following step when updating the `parsec-service-test-all` image + - name: Build the container + run: docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile e2e_tests/docker_image - name: Run the container to execute the test script - run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh mbed-crypto + run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec parsec-service-test-all /tmp/parsec/ci.sh mbed-crypto pkcs11-provider: name: Integration tests using PKCS 11 provider runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + # Use the following step when updating the `parsec-service-test-all` image + - name: Build the container + run: docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile e2e_tests/docker_image - name: Run the container to execute the test script # Not running stress tests because they fail, presumably because of the same issue as #264 - run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh pkcs11 --no-stress-test + run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec parsec-service-test-all /tmp/parsec/ci.sh pkcs11 --no-stress-test tpm-provider: name: Integration tests 
using TPM provider runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + # Use the following step when updating the `parsec-service-test-all` image + - name: Build the container + run: docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile e2e_tests/docker_image - name: Run the container to execute the test script - run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh tpm + run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec parsec-service-test-all /tmp/parsec/ci.sh tpm trusted-service-provider: name: Integration tests using Cypto Trusted Service provider runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + # Use the following step when updating the `parsec-service-test-all` image + - name: Build the container + run: docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile e2e_tests/docker_image - name: Run the container to execute the test script - run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh trusted-service + run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec parsec-service-test-all /tmp/parsec/ci.sh trusted-service cryptoauthlib-provider: name: Integration tests using CryptoAuthentication Library provider runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + # Use the following step when updating the `parsec-service-test-all` image + - name: Build the container + run: docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile e2e_tests/docker_image - name: Run the container to execute the test script # Not running stress tests because rust-cryptoauthlib test-interface does not support required calls - run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh cryptoauthlib --no-stress-test + run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec parsec-service-test-all /tmp/parsec/ci.sh 
cryptoauthlib --no-stress-test cross-compilation: - # Currently only the Mbed Crypto and PKCS 11 providers are tested as the other ones need to cross-compile other libraries. + # Currently only the Mbed Crypto, PKCS 11, and TPM providers are tested as the other ones need to cross-compile other libraries. name: Cross-compile Parsec to various targets runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: Install latest nightly - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - name: armv7-unknown-linux-gnueabihf - run: | - rustup target add armv7-unknown-linux-gnueabihf - sudo apt install -y gcc-multilib - sudo apt install -y gcc-arm-linux-gnueabihf - cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target armv7-unknown-linux-gnueabihf - - name: aarch64-unknown-linux-gnu - run: | - rustup target add aarch64-unknown-linux-gnu - sudo apt install -y gcc-aarch64-linux-gnu - cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target aarch64-unknown-linux-gnu - - name: i686-unknown-linux-gnu - run: | - sudo apt install -y gcc-multilib libc6-dev-i386 - rustup target add i686-unknown-linux-gnu - cargo build --features "pkcs11-provider, mbed-crypto-provider, all-authenticators" --target i686-unknown-linux-gnu + # Use the following step when updating the `parsec-service-test-cross-compile` image + - name: Build the container + run: docker build -t parsec-service-test-cross-compile -f parsec-service-test-cross-compile.Dockerfile e2e_tests/docker_image + - name: Run the container to execute the test script + run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec parsec-service-test-cross-compile /tmp/parsec/test/cross-compile.sh links: name: Check links diff --git a/Cargo.lock b/Cargo.lock index b2502064..8c675029 100644 --- a/Cargo.lock +++ b/Cargo.lock 
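Review bot: The new `Build the container` steps pass `-f parsec-service-test-all.Dockerfile` with `e2e_tests/docker_image` as the build context, but `docker build -f` resolves its path against the working directory (the checkout root, since no `working-directory` is set here), not the context, so the step should read `-f e2e_tests/docker_image/parsec-service-test-all.Dockerfile`; the same applies to every job in this hunk and to the cross-compilation job's `-f parsec-service-test-cross-compile.Dockerfile`. The step comment says the build is only for use when updating the image, yet it now runs unconditionally in every job and the `docker run` lines no longer reference `ghcr.io/parallaxsecond/parsec-service-test-all`, so every CI run rebuilds the image from network sources instead of using the published one; if that is intended, reword the comment to say so, otherwise keep the registry image in `docker run` and leave the build step for image updates. Note also that `parsec-service-test-cross-compile.Dockerfile` in this commit starts `FROM ghcr.io/parallaxsecond/parsec-service-test-all`, so the locally built `parsec-service-test-all` tag is not what that image is layered on.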
@@ -1161,7 +1161,7 @@ dependencies = [ [[package]] name = "tss-esapi" version = "5.0.1" -source = "git+https://github.com/parallaxsecond/rust-tss-esapi?rev=2e0ba0aa2c5aa928d960b26458778acde448981a#2e0ba0aa2c5aa928d960b26458778acde448981a" +source = "git+https://github.com/parallaxsecond/rust-tss-esapi?rev=01391d9d8a086c890c79678a337c3e0158a9adee#01391d9d8a086c890c79678a337c3e0158a9adee" dependencies = [ "bitfield", "enumflags2", @@ -1179,7 +1179,7 @@ dependencies = [ [[package]] name = "tss-esapi-sys" version = "0.1.1" -source = "git+https://github.com/parallaxsecond/rust-tss-esapi?rev=2e0ba0aa2c5aa928d960b26458778acde448981a#2e0ba0aa2c5aa928d960b26458778acde448981a" +source = "git+https://github.com/parallaxsecond/rust-tss-esapi?rev=01391d9d8a086c890c79678a337c3e0158a9adee#01391d9d8a086c890c79678a337c3e0158a9adee" dependencies = [ "pkg-config", "target-lexicon", diff --git a/Cargo.toml b/Cargo.toml index 54ca375e..76994732 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,7 +29,7 @@ log = { version = "0.4.14", features = ["serde"] } cryptoki = { git = "https://github.com/parallaxsecond/rust-cryptoki", rev = "850b826b631df354553bf62757f35cd394b3dfff", optional = true, features = ["psa-crypto-conversions"] } picky-asn1-der = { version = "0.2.4", optional = true } picky-asn1 = { version = "0.3.1", optional = true } -tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi", rev = "2e0ba0aa2c5aa928d960b26458778acde448981a", optional = true } +tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi", rev = "01391d9d8a086c890c79678a337c3e0158a9adee", optional = true } bincode = "1.3.1" structopt = "0.3.21" derivative = "2.2.0" diff --git a/e2e_tests/docker_image/cross-compile-tss.sh b/e2e_tests/docker_image/cross-compile-tss.sh new file mode 100755 index 00000000..a854b249 --- /dev/null +++ b/e2e_tests/docker_image/cross-compile-tss.sh 
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+
+# Cross compile the tpm2-tss library (and its dependencies) for a given target
+# In order to cross-compile the TSS library we need to also cross-compile OpenSSL
+
+set -xeuf -o pipefail
+
+# Prepare directory for cross-compiled OpenSSL files
+mkdir -p /tmp/$1
+export INSTALL_DIR=/tmp/$1
+
+pushd /tmp/openssl
+# Compile and copy files over
+./Configure $2 shared --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl --cross-compile-prefix=$1-
+make clean
+make depend
+make -j$(nproc)
+make install
+popd
+
+unset INSTALL_DIR
+
+# Prepare directory for cross-compiled TSS lib
+# `DESTDIR` is used in `make install` below to set the root of the installation paths.
+# The `./configure` script accepts a `--prefix` input variable which sets the same root,
+# but also adds it to the paths in `.pc` files used by `pkg-config`. This prevents the
+# use of `PKG_CONFIG_SYSROOT_DIR`.
+export DESTDIR=/tmp/$1
+
+pushd /tmp/tpm2-tss
+# Compile and copy files over
+./bootstrap
+./configure --build=x86_64-pc-linux-gnu --host=$1 CC=$1-gcc \
+ LIBCRYPTO_CFLAGS="-I/tmp/$1/include" LIBCRYPTO_LIBS="-L/tmp/$1/lib -lcrypto"
+make clean
+make -j$(nproc)
+make install
+popd
+
+unset DESTDIR
\ No newline at end of file
diff --git a/e2e_tests/docker_image/Dockerfile b/e2e_tests/docker_image/parsec-service-test-all.Dockerfile
similarity index 97%
rename from e2e_tests/docker_image/Dockerfile
rename to e2e_tests/docker_image/parsec-service-test-all.Dockerfile
index dfefbd86..f23120b2 100644
--- a/e2e_tests/docker_image/Dockerfile
+++ b/e2e_tests/docker_image/parsec-service-test-all.Dockerfile
@@ -1,3 +1,5 @@
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
 FROM ubuntu:18.04
 ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig
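Review bot: The script consumes `$1` (a GNU target triplet, used both as the `/tmp/<triplet>` install directory and as the `<triplet>-gcc` compiler prefix) and `$2` (the OpenSSL `Configure` target) but neither documents nor validates them; `set -u` only turns a missing argument into an unbound-variable error at the first `mkdir`. Add a usage header such as `# Usage: cross-compile-tss.sh <gnu-triplet> <openssl-configure-target>` below the licence lines and a guard `[ "$#" -eq 2 ] || { echo "usage: $0 <gnu-triplet> <openssl-configure-target>" >&2; exit 1; }` before `set -xeuf`. Both expansions are also unquoted (`mkdir -p /tmp/$1`, `--host=$1`, `-I/tmp/$1/include`), which is harmless for the three fixed triplets the Dockerfile passes but worth quoting for consistency with the already-quoted `LIBCRYPTO_CFLAGS`. The file also lacks a trailing newline (`\ No newline at end of file`).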
diff --git a/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile b/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile
new file mode 100644
index 00000000..c7ff8665
--- /dev/null
+++ b/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile
@@ -0,0 +1,32 @@
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+FROM ghcr.io/parallaxsecond/parsec-service-test-all
+
+# Install cross-compilers
+RUN apt install -y gcc-multilib
+RUN apt install -y gcc-arm-linux-gnueabihf
+RUN apt install -y gcc-aarch64-linux-gnu
+RUN apt install -y gcc-i686-linux-gnu libc6-dev-i386
+
+WORKDIR /tmp
+
+# Get OpenSSL source code
+ENV OPENSSL_VERSION="OpenSSL_1_1_1j"
+RUN git clone https://github.com/openssl/openssl.git --branch $OPENSSL_VERSION
+
+# Get TPM2 TSS source code
+ENV TPM2_TSS_VERSION="2.3.3"
+RUN git clone https://github.com/tpm2-software/tpm2-tss --branch $TPM2_TSS_VERSION
+
+# Copy TSS cross-compilation script
+COPY cross-compile-tss.sh /tmp/
+# Cross-compile TPM2 TSS and OpenSSL for Linux on aarch64
+RUN ./cross-compile-tss.sh aarch64-linux-gnu linux-generic64
+# Cross-compile TPM2 TSS and OpenSSL for Linux on armv7
+RUN ./cross-compile-tss.sh arm-linux-gnueabihf linux-generic32
+# Cross-compile TPM2 TSS and OpenSSL for Linux on i686
+RUN ./cross-compile-tss.sh i686-linux-gnu linux-generic32
+
+RUN rustup target add armv7-unknown-linux-gnueabihf
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN rustup target add i686-unknown-linux-gnu
diff --git a/test/cross-compile.sh b/test/cross-compile.sh
new file mode 100755
index 00000000..bf28424e
--- /dev/null
+++ b/test/cross-compile.sh
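Review bot: Every input of this image is mutable: `FROM ghcr.io/parallaxsecond/parsec-service-test-all` carries neither a tag nor a digest, and the OpenSSL and tpm2-tss sources are fetched with `git clone --branch` on tags that upstream can move, so the cross-compiled `libcrypto` and TSS libraries later linked into Parsec are not reproducible from this file alone. Pin the base image by digest and check the two sources out at a recorded commit hash (kept next to the tag in the `ENV` lines) so a rebuild yields the same artefacts. The four `apt install -y` lines also run without a preceding `apt-get update` — whether the base image keeps a package index is not visible here — and leave the lists in the layer; folding them into one `RUN` with `apt-get update`, `--no-install-recommends` and a cleanup keeps the image smaller and the package set deterministic.
```dockerfile
# Pin the base image by digest so rebuilds start from the same layers
FROM ghcr.io/parallaxsecond/parsec-service-test-all@sha256:<BASE_IMAGE_DIGEST_PLACEHOLDER>

# Install cross-compilers in a single layer against a fresh package index
RUN apt-get update \
  && apt-get install -y --no-install-recommends \
     gcc-multilib \
     gcc-arm-linux-gnueabihf \
     gcc-aarch64-linux-gnu \
     gcc-i686-linux-gnu libc6-dev-i386 \
  && rm -rf /var/lib/apt/lists/*
# … unchanged: WORKDIR, OpenSSL/tpm2-tss checkouts (pin to a commit hash), cross-compile and rustup steps …
```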
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Contributors to the Parsec project.
+# SPDX-License-Identifier: Apache-2.0
+
+set -xeuf -o pipefail
+
+# Allow the `pkg-config` crate to cross-compile
+export PKG_CONFIG_ALLOW_CROSS=1
+# Make the `pkg-config` crate use our wrapper
+export PKG_CONFIG=$(pwd)/test/pkg-config
+
+# Set the SYSROOT used by pkg-config
+export SYSROOT=/tmp/arm-linux-gnueabihf
+# Add the correct libcrypto to the linking process
+export RUSTFLAGS="-lcrypto -L/tmp/arm-linux-gnueabihf/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators" --target armv7-unknown-linux-gnueabihf
+
+export SYSROOT=/tmp/aarch64-linux-gnu
+export RUSTFLAGS="-lcrypto -L/tmp/aarch64-linux-gnu/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators" --target aarch64-unknown-linux-gnu
+
+# This is needed because for some reason the i686/i386 libs aren't picked up if we don't toss them around just before...
+apt install libc6-dev-i386-amd64-cross
+export SYSROOT=/tmp/i686-linux-gnu
+export RUSTFLAGS="-lcrypto -L/tmp/i686-linux-gnu/lib"
+cargo build --features "pkcs11-provider, mbed-crypto-provider, tpm-provider, all-authenticators, tss-esapi/generate-bindings" --target i686-unknown-linux-gnu
diff --git a/test/pkg-config b/test/pkg-config
new file mode 100755
index 00000000..ee3a9ea9
--- /dev/null
+++ b/test/pkg-config
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+export PKG_CONFIG_PATH=
+export PKG_CONFIG_LIBDIR=$(SYSROOT)/lib/pkgconfig:${SYSROOT}/usr/lib/pkgconfig:${SYSROOT}/usr/share/pkgconfig:$(SYSROOT)/usr/local/lib/pkgconfig
+export PKG_CONFIG_SYSROOT_DIR=${SYSROOT}
+
+exec pkg-config "$@"
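Review bot: `apt install libc6-dev-i386-amd64-cross` near the end runs at test time inside the container without `-y`, so whenever apt needs to confirm (any extra dependency pulled in) the non-interactive run aborts and `set -e` fails the job; it also makes the i686 build depend on network access and an unpinned package on every CI run rather than on the image. Move the package into `parsec-service-test-cross-compile.Dockerfile` next to the other cross-toolchain packages, or at minimum write `apt-get install -y libc6-dev-i386-amd64-cross` here. The comment `for some reason the i686/i386 libs aren't picked up if we don't toss them around just before...` records a workaround without its cause; noting what was observed (which header or library was missing) would let the next maintainer remove it safely. Separately, `tss-esapi/generate-bindings` is enabled only for the i686 target, which deserves a one-line comment explaining why that target needs generated bindings while the other two do not.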
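Review bot: In `PKG_CONFIG_LIBDIR` the first and last entries use `$(SYSROOT)` (command substitution) instead of `${SYSROOT}`, so the shell tries to run a command named `SYSROOT`, prints an error and substitutes an empty string; those two entries silently become the host's `/lib/pkgconfig` and `/usr/local/lib/pkgconfig`, letting host `.pc` files (and thus host libraries) leak into the cross build. Change the line to `export PKG_CONFIG_LIBDIR=${SYSROOT}/lib/pkgconfig:${SYSROOT}/usr/lib/pkgconfig:${SYSROOT}/usr/share/pkgconfig:${SYSROOT}/usr/local/lib/pkgconfig`. Since the wrapper is meaningless without `SYSROOT`, guard it with `: "${SYSROOT:?SYSROOT must point to the target sysroot}"` before the exports so an unset variable fails loudly instead of pointing every path at `/`.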