env/: Implement Docker environment

[EduKav1813]

This implements WIP Docker environment with dependencies.

Currently we are able to install correct versions of all the dependencies. The toolchain installed is aarch64-none-elf-gcc.

Right now build fails because it tries to use aarch64-linux-gnu-gcc, while aarch64-none-elf-gcc is the toolchain listed in the requirements.

[WiktorG351]

Unfortunately it seems there is an inconsistency with the aarch64-none-elf-gcc toolchain versions as specified in the README.md.

First of all, the prerequisite versions of aarch64-none-elf-gcc don't match in these repositories:
https://github.com/crosscon/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/tree/master
https://github.com/crosscon/CROSSCON-Hypervisor

which is a little weird since when following scenarios from CROSSCON-Hypervisor-and-TEE-Isolation-Demos the hypervisor also has to be built.

Another thing is, that specific version (11.2) doesn't seem to work when going through the first firmware step of the README.md for building the demo for rpi4-ws (the README.md being referred to)

As you can see in these logs, having aarch64-none-elf-gcc of version 11.2 results in an internal compiler error when buliding u-boot.

This issue stopped happening when we switched over to aarch64-none-elf-gcc version 14.2, which allows for building u-boot without errors, like in these logs.

Therefore for now we will stick with aarch64-none-elf-gcc at version 14.2.

[DavidMCerdeira]

Thank you for this!
I'm trying to build the docker locally however the make repo is 404 for me

[WiktorG351]

@DavidMCerdeira Hi,
im assuming that you are encountering errors when running the docker build -t crosscon_hv . command.

The only thing I can think of at the top of my head that could be causing issues is maybe you
have an old version of docker. I have tried rebuilding the whole thing as shown in the logs
below, and it worked just fine with Docker v26.1.3.

wgrzywacz in ~/Desktop/DYSK/cos/eduard λ git clone [email protected]:3mdeb/CROSSCON-Hypervisor-and-TEE-Isolation-Demos.git
Cloning into 'CROSSCON-Hypervisor-and-TEE-Isolation-Demos'...
remote: Enumerating objects: 452, done.
remote: Counting objects: 100% (95/95), done.
remote: Compressing objects: 100% (49/49), done.
remote: Total 452 (delta 56), reused 78 (delta 44), pack-reused 357 (from 1)
Receiving objects: 100% (452/452), 102.55 MiB | 12.79 MiB/s, done.
Resolving deltas: 100% (203/203), done.
wgrzywacz in ~/Desktop/DYSK/cos/eduard λ ls
CROSSCON-Hypervisor-and-TEE-Isolation-Demos
wgrzywacz in ~/Desktop/DYSK/cos/eduard λ cd CROSSCON-Hypervisor-and-TEE-Isolation-Demos 
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos on master λ git co add-docker-env 
branch 'add-docker-env' set up to track 'origin/add-docker-env'.
Switched to a new branch 'add-docker-env'
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos on add-docker-env λ ls
aarch64-ws  bitcoin-wallet  CROSSCON-Hypervisor  env  LICENSE  linux  lloader  malicous_ta  opensbi  optee_client  optee_os  optee_test  prebuilt  README.md  riscv64-ws  rpi4-ws  support  zcu-ws
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos on add-docker-env λ cd env 
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ ls
Dockerfile  files  patches  README.md
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ docker build -t crosscon_hv .
[+] Building 1944.2s (30/30) FINISHED                                                                                                                                                                                          docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                                                                     0.0s
 => => transferring dockerfile: 4.91kB                                                                                                                                                                                                   0.0s
 => [internal] load metadata for docker.io/library/debian:12.8                                                                                                                                                                           1.5s
 => [auth] library/debian:pull token for registry-1.docker.io                                                                                                                                                                            0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                        0.0s
 => => transferring context: 2B                                                                                                                                                                                                          0.0s
 => [ 1/24] FROM docker.io/library/debian:12.8@sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a                                                                                                                   8.4s
 => => resolve docker.io/library/debian:12.8@sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a                                                                                                                     0.0s
 => => sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a 8.52kB / 8.52kB                                                                                                                                           0.0s
 => => sha256:cd73f5c112f19fac6d67b49d8982104fcf9c14b4ad69c2658fab8702f61b4430 1.02kB / 1.02kB                                                                                                                                           0.0s
 => => sha256:11c49840db5438765202fd3f2251fcacdf4776faaa3fc018a462bf354963623f 453B / 453B                                                                                                                                               0.0s
 => => sha256:0a96bdb8280554b560ffee0f2e5f9843dc7b625f28192021ee103ecbcc2d629b 48.50MB / 48.50MB                                                                                                                                         2.4s
 => => extracting sha256:0a96bdb8280554b560ffee0f2e5f9843dc7b625f28192021ee103ecbcc2d629b                                                                                                                                                5.8s
 => [internal] load build context                                                                                                                                                                                                        0.0s
 => => transferring context: 19.34kB                                                                                                                                                                                                     0.0s
 => [ 2/24] WORKDIR /work                                                                                                                                                                                                                1.5s
 => [ 3/24] RUN apt-get update &&     apt-get install -y     git     wget     build-essential     libfdt1     libyaml-0-2     gdebi-core     libuv1     procps     librhash0     libarchive13     libc6     libcurl4     libexpat1     157.1s
 => [ 4/24] RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb     && dpkg -i make_4.2.1-1.2_amd64.deb     && rm -f make_4.2.1-1.2_amd64.deb                                                       10.6s 
 => [ 5/24] COPY patches/dtc /work/patches/dtc/                                                                                                                                                                                          2.0s 
 => [ 6/24] RUN git clone https://salsa.debian.org/crosstoolchain-team/device-tree-compiler.git     && cd device-tree-compiler     && git checkout debian/1.5.0-2     && git apply /work/patches/dtc/dtc-patch.patch     && make insta  10.5s 
 => [ 7/24] RUN wget http://ftp.pl.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb     && dpkg -i libssl1.1_1.1.1w-0+deb11u1_amd64.deb     && rm -f libssl1.1_1.1.1w-0+deb11u1_amd64.deb                      2.9s 
 => [ 8/24] RUN git clone https://github.com/u-boot/u-boot.git     && cd u-boot     && git checkout v2020.10     && make tools-only_defconfig     && make tools     && cp tools/mkimage /usr/local/bin     && chmod +x /usr/local/bin  102.0s 
 => [ 9/24] RUN wget http://ftp.pl.debian.org/debian/pool/main/c/cmake/cmake-data_3.25.1-1~bpo11+1_all.deb     && dpkg -i cmake-data_3.25.1-1~bpo11+1_all.deb     && rm -f cmake-data_3.25.1-1~bpo11+1_all.deb                           6.5s 
 => [10/24] RUN wget http://ftp.pl.debian.org/debian/pool/main/libj/libjsoncpp/libjsoncpp24_1.9.4-4_amd64.deb     && dpkg -i libjsoncpp24_1.9.4-4_amd64.deb     && rm -f libjsoncpp24_1.9.4-4_amd64.deb                                  1.7s 
 => [11/24] COPY patches/cmake /work/patches/cmake/                                                                                                                                                                                      1.0s 
 => [12/24] RUN wget https://cmake.org/files/v3.20/cmake-3.20.0.tar.gz     && tar -xvf cmake-3.20.0.tar.gz     && cd cmake-3.20.0     && git apply /work/patches/cmake/001-search-path.diff     && git apply /work/patches/cmake/003-li  7.8s 
 => [13/24] RUN cd cmake-3.20.0     && ./bootstrap     && make install     && cd .. && rm -rf cmake-3.20.0                                                                                                                            1331.3s 
 => [14/24] RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.10.1-1_amd64.deb     && dpkg -i ninja-build_1.10.1-1_amd64.deb     && rm -f ninja-build_1.10.1-1_amd64.deb                                    2.4s 
 => [15/24] RUN apt install bash -y                                                                                                                                                                                                      3.7s 
 => [16/24] COPY files/env.sh /work/                                                                                                                                                                                                     0.9s 
 => [17/24] RUN git clone https://github.com/crosscon/CROSSCON-Hypervisor-and-TEE-Isolation-Demos.git     && mv CROSSCON-Hypervisor-and-TEE-Isolation-Demos /work/crosscon                                                              10.0s 
 => [18/24] COPY files/.gitmodules /work/crosscon/.gitmodules                                                                                                                                                                            1.1s 
 => [19/24] RUN cd /work/crosscon &&     git submodule init &&     git submodule update --depth 1                                                                                                                                       73.9s 
 => [20/24] RUN apt install python3-cryptography -y                                                                                                                                                                                      2.9s 
 => [21/24] COPY files/build.sh /work/                                                                                                                                                                                                   1.1s 
 => [22/24] RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C9  56.7s 
 => [23/24] RUN wget -O aarch64-none-linux-gnu.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu.tar.xz?rev=33c6e30e5ac64e6dba8f0431f2c35f1b&hash=9  72.0s 
 => [24/24] WORKDIR /work/crosscon                                                                                                                                                                                                       1.2s 
 => exporting to image                                                                                                                                                                                                                  71.9s 
 => => exporting layers                                                                                                                                                                                                                 71.9s 
 => => writing image sha256:a955978e49f01a70b035e686682643f7ebebbf26e25368ec928f1921ad8ec412                                                                                                                                             0.0s 
 => => naming to docker.io/library/crosscon_hv                                                                                                                                                                                           0.0s 
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ                                                                                      
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ 
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null
56e41a8f516f3a45c5952e18f3e27339bb591da7f1a80180b83de3fa0ddd4ccf
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ docker exec -it crosscon_hv_container /bin/bash
root@56e41a8f516f:/work/crosscon# make --version
GNU Make 4.2.1
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
root@56e41a8f516f:/work/crosscon# exit 
exit
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ docker --version
Docker version 26.1.3, build b72abbb
wgrzywacz in ~/Desktop/DYSK/cos/eduard/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env on add-docker-env λ 

[WiktorG351]

@DavidMCerdeira Hi, have you tried building again? Can you try following the exact commands posted above and show your output?

[tym2k1]

I've merged PR's from our side and cleaned the PR contents a little. The instructions should be now straightforward to follow. I also fixed problems that we had with compiling Trusted Applications by adding the libteec2 from Debian trixie (testing) branch. Here are the logs from the whole build process from inside the container (logged with the script utility so best previewed with less or similiar tool to format escape sequences). Here are the logs from the booted build-demo-vtee.sh

[tym2k1]

This PR starts to get a little messy. I'm not sure how to proceed with that.

I also fixed problems that we had with compiling Trusted Applications by adding the libteec2 from Debian trixie (testing) branch.

In the logs you can see that the TA's compiled and work in the end image but some time later when building i got similiar bugs as to before with the linker. Not sure why that is. For sure before merging we need to ensure that the build.sh produces at least some reproducable output.

[DavidMCerdeira]

I retested and was able to build the docker container.

In the logs you can see that the TA's compiled and work in the end image but some time later when building i got similiar bugs as to before with the linker. Not sure why that is. For sure before merging we need to ensure that the build.sh produces at least some reproducable output.

I think I have some idea of what's causing this.
Let me get back to you on this issue.

[DavidMCerdeira]

I got a similar issue when using the same bash session to compile for both RISC-V and Arm
Could that be case for this as well?

[DaniilKl]

I am a bit out of context here. Do you mean the cannot find -lteec2 issue?