diff --git a/env/.gitignore b/env/.gitignore
new file mode 100644
index 0000000..751b1d0
--- /dev/null
+++ b/env/.gitignore
@@ -0,0 +1 @@
+build.log
diff --git a/env/Dockerfile b/env/Dockerfile
new file mode 100644
index 0000000..fd0a6cc
--- /dev/null
+++ b/env/Dockerfile
@@ -0,0 +1,162 @@
+# Use Debian base image
+FROM debian:12.8
+
+# Set environment variables
+ENV MAKE_VERSION=4.2.1
+ENV WORKDIR_PATH=/work
+
+# Set working directory
+WORKDIR $WORKDIR_PATH
+
+# Update package lists, install necessary dependencies
+RUN apt-get update && \
+ apt-get install -y \
+ git \
+ wget \
+ build-essential \
+ libfdt1 \
+ libyaml-0-2 \
+ gdebi-core \
+ libuv1 \
+ procps \
+ librhash0 \
+ libarchive13 \
+ libc6 \
+ libcurl4 \
+ libexpat1 \
+ libgcc-s1 \
+ binutils \
+ flex \
+ bison \
+ pkg-config \
+ openssl \
+ libssl-dev \
+ cpio \
+ unzip \
+ rsync \
+ bc \
+ device-tree-compiler \
+ gcc-aarch64-linux-gnu \
+ g++-aarch64-linux-gnu \
+ python3-pyelftools \
+ gcc-riscv64-linux-gnu \
+ g++-riscv64-linux-gnu \
+ binutils-riscv64-linux-gnu \
+ libncurses-dev \
+ fdisk \
+ dosfstools
+
+
+# Install Make 4.2.1
+RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \
+ && dpkg -i make_4.2.1-1.2_amd64.deb \
+ && rm -f make_4.2.1-1.2_amd64.deb
+
+# Install dtc 1.6.1
+COPY env/patches/dtc $WORKDIR_PATH/patches/dtc/
+
+RUN git clone https://salsa.debian.org/crosstoolchain-team/device-tree-compiler.git \
+ && cd device-tree-compiler \
+ && git checkout debian/1.5.0-2 \
+ && git apply $WORKDIR_PATH/patches/dtc/dtc-patch.patch \
+ && make install \
+ && rm -rf $WORKDIR_PATH/device-tree-compiler
+
+# Install libssl1.1 (requirement for mkimage)
+RUN wget http://ftp.pl.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb \
+ && dpkg -i libssl1.1_1.1.1w-0+deb11u1_amd64.deb \
+ && rm -f libssl1.1_1.1.1w-0+deb11u1_amd64.deb
+
+# Install mkimage 20.10
+RUN git clone https://github.com/u-boot/u-boot.git \
+ && cd u-boot \
+ && git checkout v2020.10 \
+ && make tools-only_defconfig \
+ && make tools \
+ && cp tools/mkimage /usr/local/bin \
+ && chmod +x /usr/local/bin/mkimage
+
+# Install cmake-data 3.25
+RUN wget http://ftp.pl.debian.org/debian/pool/main/c/cmake/cmake-data_3.25.1-1~bpo11+1_all.deb \
+ && dpkg -i cmake-data_3.25.1-1~bpo11+1_all.deb \
+ && rm -f cmake-data_3.25.1-1~bpo11+1_all.deb
+
+# Install libjsoncpp24
+RUN wget http://ftp.pl.debian.org/debian/pool/main/libj/libjsoncpp/libjsoncpp24_1.9.4-4_amd64.deb \
+ && dpkg -i libjsoncpp24_1.9.4-4_amd64.deb \
+ && rm -f libjsoncpp24_1.9.4-4_amd64.deb
+
+# Install Cmake 3.20.0
+COPY env/patches/cmake $WORKDIR_PATH/patches/cmake/
+
+RUN wget https://cmake.org/files/v3.20/cmake-3.20.0.tar.gz \
+ && tar -xvf cmake-3.20.0.tar.gz \
+ && cd cmake-3.20.0 \
+ && git apply $WORKDIR_PATH/patches/cmake/001-search-path.diff \
+ && git apply $WORKDIR_PATH/patches/cmake/003-libuv-application-services.diff \
+ && git apply $WORKDIR_PATH/patches/cmake/custom-application-services.patch
+
+RUN cd cmake-3.20.0 \
+ && ./bootstrap \
+ && make install \
+ && cd .. && rm -rf cmake-3.20.0
+
+# Install ninja 1.10.1
+RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.10.1-1_amd64.deb \
+ && dpkg -i ninja-build_1.10.1-1_amd64.deb \
+ && rm -f ninja-build_1.10.1-1_amd64.deb
+
+# Install BASH
+RUN apt install bash -y
+SHELL ["/bin/bash", "-c"]
+
+COPY env/files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules
+
+# Fix missing "cryptography" python module
+RUN apt install python3-cryptography -y
+
+# copy script for rpi4-ws demo
+COPY env/files/build.sh $WORKDIR_PATH/
+
+# Install Arm Bare-metal toolchain
+RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \
+ && unxz aarch64-none-elf.tar.xz \
+ && tar -xvf aarch64-none-elf.tar \
+ && rm -f aarch64-none-elf.tar
+
+
+# Install Arm GNU toolchain
+RUN wget -O aarch64-none-linux-gnu.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu.tar.xz?rev=33c6e30e5ac64e6dba8f0431f2c35f1b&hash=9918A05BF47621B632C7A5C8D2BB438FB80A4480" \
+ && unxz aarch64-none-linux-gnu.tar.xz \
+ && tar -xvf aarch64-none-linux-gnu.tar \
+ && rm -f aarch64-none-linux-gnu.tar
+
+# Update PATH for arm developer toolchain
+ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH"
+ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu/bin:$PATH"
+
+# Setup CROSSCON repository
+COPY ./ $WORKDIR_PATH/crosscon
+
+COPY env/files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules
+
+RUN cd $WORKDIR_PATH/crosscon && \
+ git submodule init && \
+ git submodule update --depth 1
+
+# Add support for aarch64 packages
+RUN dpkg --add-architecture arm64
+
+# Add trixie repository to install the libteec2 package for aarch64
+RUN echo "deb http://deb.debian.org/debian trixie main" >> /etc/apt/sources.list && \
+ echo "deb-src http://deb.debian.org/debian trixie main" >> /etc/apt/sources.list && \
+ apt-get update && \
+ apt-get -t trixie install -y libteec2:arm64
+
+# Clean cached apt, package lists and temprorary files to reduce image size
+RUN apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Make the starting directory is the CROSSCON Demos directory
+WORKDIR $WORKDIR_PATH/crosscon
+ENV ROOT=$WORKDIR_PATH/crosscon
diff --git a/env/README.md b/env/README.md
new file mode 100644
index 0000000..8396d8a
--- /dev/null
+++ b/env/README.md
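Review bot: The .deb packages fetched with wget over plain http://ftp.pl.debian.org (make, libssl1.1, cmake-data, libjsoncpp24, ninja-build) are passed straight to `dpkg -i` with no integrity check, so the image build trusts whatever the mirror or the network path returns; the cmake tarball and the two Arm toolchain tarballs are likewise unverified, and env/files/build.sh has the same gap for the buildroot tarball it downloads. Record the SHA-256 of each artifact and verify it between the download and the install, e.g. `echo "<SHA256_PLACEHOLDER>  make_4.2.1-1.2_amd64.deb" | sha256sum -c -`, and use https for the mirror URLs. The git clones check out tags (`v2020.10`, `debian/1.5.0-2`) rather than commit hashes, which is a weaker pin because tags can be moved. The libssl1.1 package taken from bullseye is installed on a bookworm base only so that mkimage runs; that leaves a library no longer maintained in this release in the final image, and the comment on that RUN should say so explicitly.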
@@ -0,0 +1,190 @@
+# Docker for CROSSCON Hypervisor
+
+## Overview
+
+The purpose of this repo is to provide the environment required for
+compilation of the CROSSCON hypervisor.
+
+## How to build the container
+
+Run this command from top of the repository:
+
+```bash
+docker build -t crosscon_hv -f env/Dockerfile .
+```
+
+to build the docker image. The resulting image will have a `crosscon_hv` tag.
+After the image has been built, a container can be created and started directly
+by running this command:
+
+```bash
+docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null
+```
+
+> This step also is dependant on how you want to Flash the SD card later. All
+approaches are specified [below](#Copying-the-files-to-the-SD-card.).
+
+Then, to enter the shell of the running container, this command can be used:
+
+```bash
+docker exec -it crosscon_hv_container /bin/bash
+```
+
+> Note: If at any point when rebuilding/rerunning the container, error messages
+> similar to this one pop up:
+>
+> ```bash
+> docker: Error response from daemon: Conflict. The container name
+> "/crosscon_hv_container" is already in use by container
+> "d6ee75901fd0e090147d242c485651ebf5c4fc58e13d8363725a6cab830a9ba0". You have to
+> remove (or rename) that container to be able to reuse that name.
+> See 'docker run --help'.
+> ```
+>
+> This command should be used:
+>
+> ```bash
+> docker rm --force
+> ```
+>
+> Alternatively:
+>
+> ```bash
+> docker rm --force crosscon_hv_container
+> ```
+
+## Building the rpi4-ws demo
+
+This section contains instructions on how to build and flash the rpi4-ws demo.
+After attaching to the container, it should look like this:
+
+```bash
+user in ~/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env λ docker exec -it crosscon_hv_container /bin/bash
+root@d6ee75901fd0:/work#
+```
+
+Then `cd crosscon` should be ran, and the instructions from
+[the README](../rpi4-ws/README.md) followed.
+
+This will allow the binaries to be built, since the container has all the
+necessary dependencies.
+
+## Copying the files to the SD card.
+
+Obviously, the container allows the binaries to be built without worrying about
+dependencies. But in the end they have to end up on the SD card in order to
+boot the demo.
+
+### Running the container as privileged
+
+You can pass all your devices to the container and use the
+[Prepare SDCard](https://github.com/3mdeb/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/tree/master/rpi4-ws#prepare-sdcard)
+instructions directly from inside of it using the `--privileged` flag or more restrictively pass only the
+single SD card.
+
+```bash
+docker run -d --name crosscon_hv_container_copy --privileged crosscon_hv_copy tail -f /dev/null
+```
+
+```bash
+docker run -d --name crosscon_hv_container_copy --device=/dev/sdX:/dev/sdX crosscon_hv_copy tail -f /dev/null
+```
+
+### Unprivileged container
+
+#### Firmware and bootloader files
+
+> Note: Before running the following commands, ensure that the SD card is
+> inserted into the host machine and that it is mounted.
+> (adjust the commands in this README to fit your SD card mount point).
+
+These commands can be ran to copy over the firmware to the SD card (this
+syntax assumes they are being copied directly from the container to the SD
+card):
+
+```bash
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/ $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/config.txt $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/bl31.bin $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/u-boot.bin $SDCARD_MOUNT/
+```
+
+#### Linux and Device Tree Image
+
+After the Linux kernel has been build and lloader has been used to produce
+`linux-rpi4.bin`, that file will need to be copied out of the container and onto
+the SD card:
+
+```bash
+docker cp crosscon_hv_container:/work/crosscon/lloader/linux-rpi4.bin $SDCARD_MOUNT/
+```
+
+#### Copying the CROSSCON Hypervisor Binary
+
+Building and copying of the hypervisor binary is done in the same script,
+either `build-demo-vtee.sh` or `build-demo-dual-vtee.sh`. By looking at the
+content of those scripts, it can be determined that they build the
+`crossconhyp.bin` files, then copies `start*` firmware files and
+`crossconhyp.bin` to the SD card mount point.
+
+> Note: this readme only covers the `build-demo-vtee.sh` script, since
+> the idea of what is being here is understood, it becomes easy to think
+> of the commands to achieve what goes on in the `dual` version of the script.
+
+The hypervisor will have to be built manually, then copied over to the host.
+Once the end of the [the README](../rpi4-ws/README.md) demo has been reached,
+instead of just running the script:
+
+```bash
+./build-demo-vtee.sh
+```
+
+those files will have to be built manually:
+
+```bash
+CONFIG_REPO=`pwd`/configs
+
+pushd ..
+
+make -C CROSSCON-Hypervisor/ \
+ PLATFORM=rpi4 \
+ CONFIG_BUILTIN=y \
+ CONFIG_REPO=$CONFIG_REPO \
+ CONFIG=rpi4-single-vTEE \
+ OPTIMIZATIONS=0 \
+ SDEES="sdSGX sdTZ" \
+ CROSS_COMPILE=aarch64-none-elf- \
+ clean
+
+make -C CROSSCON-Hypervisor/ \
+ PLATFORM=rpi4 \
+ CONFIG_BUILTIN=y \
+ CONFIG_REPO=$CONFIG_REPO \
+ CONFIG=rpi4-single-vTEE \
+ OPTIMIZATIONS=0 \
+ SDEES="sdSGX sdTZ" \
+ CROSS_COMPILE=aarch64-none-elf- \
+ -j`nproc`
+```
+
+Then confirm that the hypervisor got built correctly, and that the firmware
+files exist:
+
+```bash
+ls /work/crosscon/rpi4-ws/bin/
+ls /work/crosscon/CROSSCON-Hypervisor/bin/rpi4/builtin-configs/rpi4-single-vTEE/
+```
+
+Then finally those files can be copied over to host:
+
+```bash
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/start* $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/CROSSCON-Hypervisor/bin/rpi4/builtin-configs/rpi4-single-vTEE/crossconhyp.bin $SDCARD_MOUNT/
+```
+
+
+## QEMU build
+
+The docker image contains all the neccessary dependencies to build the QEMU
+images as well (RISCV included), so all that needs to be done is following
+the instructions from [the readme](../README.md).
diff --git a/env/files/.gitmodules b/env/files/.gitmodules
new file mode 100644
index 0000000..dc2785b
--- /dev/null
+++ b/env/files/.gitmodules
@@ -0,0 +1,21 @@
+[submodule "CROSSCON-Hypervisor"]
+ path = CROSSCON-Hypervisor
+ url = http://github.com/crosscon/CROSSCON-Hypervisor.git
+[submodule "optee_client"]
+ path = optee_client
+ url = http://github.com/crosscon/optee_client.git
+[submodule "optee_os"]
+ path = optee_os
+ url = http://github.com/crosscon/optee_os.git
+[submodule "opensbi"]
+ path = opensbi
+ url = https://github.com/bao-project/opensbi.git
+[submodule "linux"]
+ path = linux
+ url = http://github.com/crosscon/linux.git
+[submodule "optee_test"]
+ path = optee_test
+ url = http://github.com/crosscon/optee_test.git
+[submodule "bitcoin-wallet"]
+ path = bitcoin-wallet
+ url = http://github.com/crosscon/bitcoin-wallet.git
diff --git a/env/files/build.sh b/env/files/build.sh
new file mode 100755
index 0000000..e2cadc9
--- /dev/null
+++ b/env/files/build.sh
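Review bot: Six of the seven submodule URLs use plain `http://github.com/...`, so each clone starts with an unauthenticated request and depends on a redirect to reach https; the initial request and the redirect target are exposed to on-path tampering. Change them to `https://github.com/...`, as the opensbi entry already is. Since the Dockerfile COPYs this file over the superproject's own .gitmodules before `git submodule update`, these URLs, not the repository's, are the ones the image build fetches from, so the fix belongs here.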
@@ -0,0 +1,347 @@
+#!/bin/bash
+
+set -eou pipefail
+
+# go to the right directory
+cd crosscon
+
+# make the firmware, using the right cross-compiler
+export ROOT=`realpath .`
+export ROOT=`pwd`
+cd rpi4-ws
+export RPI4_WS=`pwd`
+mkdir bin
+git clone https://github.com/raspberrypi/firmware.git --depth 1 --branch 1.20230405
+git clone https://github.com/u-boot/u-boot.git --depth 1 --branch v2022.10
+cd u-boot
+make rpi_4_defconfig
+make -j`nproc` CROSS_COMPILE=aarch64-linux-gnu-
+cp -v u-boot.bin ../bin/
+cd $RPI4_WS
+git clone https://github.com/bao-project/arm-trusted-firmware.git --branch bao/demo --depth 1
+cd arm-trusted-firmware
+make PLAT=rpi4 -j`nproc` CROSS_COMPILE=aarch64-linux-gnu-
+cp -v build/rpi4/release/bl31.bin ../bin/
+cd $RPI4_WS
+
+# Step 1: optee_os
+cd ../optee_os
+
+OPTEE_DIR="./"
+export O="$OPTEE_DIR/optee-rpi4"
+CC="aarch64-linux-gnu-"
+export CFLAGS=-Wno-cast-function-type
+PLATFORM="rpi4"
+ARCH="arm"
+SHMEM_START="0x08000000"
+SHMEM_SIZE="0x00200000"
+TZDRAM_START="0x10100000"
+TZDRAM_SIZE="0x00F00000"
+CFG_GIC=n
+
+make -C $OPTEE_DIR \
+ O=$O \
+ CROSS_COMPILE=$CC \
+ PLATFORM=$PLATFORM \
+ ARCH=$ARCH \
+ CFG_PKCS11_TA=n \
+ CFG_SHMEM_START=$SHMEM_START \
+ CFG_SHMEM_SIZE=$SHMEM_SIZE \
+ CFG_CORE_DYN_SHM=n \
+ CFG_NUM_THREADS=1 \
+ CFG_CORE_RESERVED_SHM=y \
+ CFG_CORE_ASYNC_NOTIF=n \
+ CFG_TZDRAM_SIZE=$TZDRAM_SIZE \
+ CFG_TZDRAM_START=$TZDRAM_START \
+ CFG_GIC=y \
+ CFG_ARM_GICV2=y \
+ CFG_CORE_IRQ_IS_NATIVE_INTR=n \
+ CFG_ARM64_core=y \
+ CFG_USER_TA_TARGETS=ta_arm64 \
+ CFG_DT=n \
+ CFG_CORE_ASLR=n \
+ CFG_CORE_WORKAROUND_SPECTRE_BP=n \
+ CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME=n \
+ CFG_TEE_CORE_LOG_LEVEL=1 \
+ DEBUG=1 -j16
+
+OPTEE_DIR="./"
+export O="$OPTEE_DIR/optee2-rpi4"
+SHMEM_START="0x08200000"
+TZDRAM_START="0x20100000"
+
+make -C $OPTEE_DIR \
+ O=$O \
+ CROSS_COMPILE=$CC \
+ PLATFORM=$PLATFORM \
+ ARCH=$ARCH \
+ CFG_PKCS11_TA=n \
+ CFG_SHMEM_START=$SHMEM_START \
+ CFG_SHMEM_SIZE=$SHMEM_SIZE \
+ CFG_CORE_DYN_SHM=n \
+ CFG_CORE_RESERVED_SHM=y \
+ CFG_CORE_ASYNC_NOTIF=n \
+ CFG_TZDRAM_SIZE=$TZDRAM_SIZE \
+ CFG_TZDRAM_START=$TZDRAM_START \
+ CFG_GIC=y \
+ CFG_ARM_GICV2=y \
+ CFG_CORE_IRQ_IS_NATIVE_INTR=n \
+ CFG_ARM64_core=y \
+ CFG_USER_TA_TARGETS=ta_arm64 \
+ CFG_DT=n \
+ CFG_CORE_ASLR=n \
+ CFG_CORE_WORKAROUND_SPECTRE_BP=n \
+ CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME=n \
+ CFLAGS="${CFLAGS} -DOPTEE2" \
+ CFG_EARLY_TA=y \
+ CFG_TEE_CORE_LOG_LEVEL=1 \
+ DEBUG=1 -j16
+
+cd /work/crosscon
+
+# Step 2: Linux file system
+
+if [ ! -e buildroot ]; then
+ wget https://buildroot.org/downloads/buildroot-2022.11.1.tar.gz
+ tar -xf buildroot-2022.11.1.tar.gz
+ mv buildroot-2022.11.1 buildroot
+fi
+
+mkdir buildroot/build-aarch64
+cp support/br-aarch64.config buildroot/build-aarch64/.config
+cd buildroot
+
+# we expect this to fail
+set +e
+make O=build-aarch64/ -j`nproc`
+set -e
+
+cd ..
+
+# Step 3: Build OP-TEE Clients
+
+cd optee_client
+
+git checkout master
+make CROSS_COMPILE=aarch64-linux-gnu- WITH_TEEACL=0 O=out-aarch64
+git checkout optee2
+make CROSS_COMPILE=aarch64-linux-gnu- WITH_TEEACL=0 O=out2-aarch64
+
+cd /work/crosscon
+
+# Step 4: Build OP-TEE xtest
+
+cd optee_test
+
+BUILDROOT=`pwd`/../buildroot/build-aarch64/
+export CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export HOST_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export TA_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export ARCH=aarch64
+export PLATFORM=plat-vexpress
+export PLATFORM_FLAVOR=qemu_armv8a
+export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee-rpi4/export-ta_arm64
+export TEEC_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/
+export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/
+export CFG_TA_OPTEE_CORE_API_COMPAT_1_1=y
+export DESTDIR=./to_buildroot-aarch64
+export DEBUG=0
+export CFG_TEE_TA_LOG_LEVEL=0
+export CFLAGS=-O2
+export O=`pwd`/out-aarch64
+export CFG_PKCS11_TA=n
+
+rm -rf $O
+rm -rf to_buildroot-aarch64/
+find . -name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} +
+make clean
+make -j`nproc`
+make install
+
+
+export O=`pwd`/out2-aarch64
+export DESTDIR=./to_buildroot-aarch64-2
+export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee/export-ta_arm64
+export TEEC_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/
+export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/
+rm -rf `pwd`/out2-aarch64
+find . -name "Makefile" -exec sed -i "s/\-lteec$/\-lteec2/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee_armtz/optee2_armtz/g" {} +
+make clean
+make -j`nproc`
+make install
+find . -name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} +
+
+mv $DESTDIR/bin/xtest $DESTDIR/bin/xtest2
+cd /work/crosscon
+
+# Step 5: Compile Bitcoin Wallet Client and Trusted Application
+
+cd bitcoin-wallet
+
+BUILDROOT=`pwd`/../buildroot/build-aarch64/
+
+export CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export HOST_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export TA_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export ARCH=aarch64
+export PLATFORM=plat-virt
+export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee/export-ta_arm64
+export TEEC_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/
+export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/
+export CFG_TA_OPTEE_CORE_API_COMPAT_1_1=n
+export DESTDIR=./to_buildroot-aarch64
+export DEBUG=0
+export CFG_TEE_TA_LOG_LEVEL=0
+export O=`pwd`/out-aarch64
+
+rm -rf out-aarch64/
+## make sure we have things setup for first OP-TEE
+find . -name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} +
+make clean
+make -j`nproc`
+
+mkdir -p to_buildroot-aarch64/lib/optee_armtz
+mkdir -p to_buildroot-aarch64/bin
+
+cp out-aarch64/*.ta to_buildroot-aarch64/lib/optee_armtz
+cp host/wallet to_buildroot-aarch64/bin/bitcoin_wallet_ca
+chmod +x to_buildroot-aarch64/bin/bitcoin_wallet_ca
+
+## setup second OP-TEE
+export O=`pwd`/out2-aarch64
+export DESTDIR=./to_buildroot-aarch64-2
+export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee2/export-ta_arm64
+export TEEC_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/
+export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/
+rm -rf `pwd`/out2-aarch64
+find . -name "Makefile" -exec sed -i "s/\-lteec/\-lteec2/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee_armtz/optee2_armtz/g" {} +
+make clean
+make -j`nproc`
+## undo changes
+find . -name "Makefile" -exec sed -i "s/\-lteec2/\-lteec/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} +
+
+mkdir -p to_buildroot-aarch64-2/lib/optee2_armtz
+mkdir -p to_buildroot-aarch64-2/bin
+
+cp out-aarch64/*.ta to_buildroot-aarch64-2/lib/optee2_armtz
+cp host/wallet to_buildroot-aarch64-2/bin/bitcoin_wallet_ca2
+chmod +x to_buildroot-aarch64-2/bin/bitcoin_wallet_ca2
+
+
+cd /work/crosscon
+
+# Step 6: Compile Malicious Client and Trusted Application
+
+cd malicous_ta
+BUILDROOT=`pwd`/../buildroot/build-aarch64/
+export CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export HOST_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export TA_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux-
+export ARCH=aarch64
+export PLATFORM=plat-virt
+export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee-aarch64/export-ta_arm64
+export TEEC_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/
+export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/
+export CFG_TA_OPTEE_CORE_API_COMPAT_1_1=n
+export DESTDIR=./to_buildroot-aarch64
+export DEBUG=0
+export CFG_TEE_TA_LOG_LEVEL=2
+export O=`pwd`/out-aarch64
+export aarch64_TARGET=y
+rm -rf out-aarch64/
+## make sure we have things setup for first OP-TEE
+find . -name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} +
+make clean
+make -j`nproc`
+mkdir -p to_buildroot-aarch64/lib/optee_armtz
+mkdir -p to_buildroot-aarch64/bin
+cp out-aarch64/*.ta to_buildroot-aarch64/lib/optee_armtz
+cp host/malicious_ca to_buildroot-aarch64/bin/malicious_ca
+chmod +x to_buildroot-aarch64/bin/malicious_ca
+## setup second OP-TEE
+export O=`pwd`/out2-aarch64
+export DESTDIR=./to_buildroot-aarch64-2
+export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee2-aarch64/export-ta_arm64
+export TEEC_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/
+export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/
+rm -rf `pwd`/out2-aarch64
+find . -name "Makefile" -exec sed -i "s/\-lteec/\-lteec2/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee_armtz/optee2_armtz/g" {} +
+make clean
+make -j`nproc`
+## undo changes
+find . -name "Makefile" -exec sed -i "s/\-lteec2/\-lteec/g" {} +
+find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} +
+mkdir -p to_buildroot-aarch64-2/lib/optee2_armtz
+mkdir -p to_buildroot-aarch64-2/bin
+cp out2-aarch64/*.ta to_buildroot-aarch64-2/lib/optee2_armtz
+cp host/malicious_ca to_buildroot-aarch64-2/bin/malicious_ca2
+chmod +x to_buildroot-aarch64-2/bin/malicious_ca2
+cd /work/crosscon
+
+# Step 7: Finalize Linux file system
+
+cd buildroot
+make O=build-aarch64/ -j`nproc`
+cd ..
+
+# Step 8: Build Linux
+
+mkdir linux/build-aarch64/
+cp support/linux-aarch64.config linux/build-aarch64/.config
+
+cd linux
+
+make ARCH=arm64 O=build-aarch64 CROSS_COMPILE=`realpath ../buildroot/build-aarch64/host/bin/aarch64-linux-` -j16 Image dtbs
+
+cd $ROOT
+
+# Step 9: Bind Linux Image and device tree
+
+dtc -I dts -O dtb rpi4-ws/rpi4.dts > rpi4-ws/rpi4.dtb
+
+cd lloader
+
+rm linux-rpi4.bin
+rm linux-rpi4.elf
+make \
+ IMAGE=../linux/build-aarch64/arch/arm64/boot/Image \
+ DTB=../rpi4-ws/rpi4.dtb \
+ TARGET=linux-rpi4.bin \
+ CROSS_COMPILE=aarch64-none-elf- \
+ ARCH=aarch64
+
+cd $ROOT
+
+# Step "10": build-demo-vtee.sh except without copying to SD card
+
+CONFIG_REPO=`pwd`/configs
+
+pushd ..
+
+make -C CROSSCON-Hypervisor/ \
+ PLATFORM=rpi4 \
+ CONFIG_BUILTIN=y \
+ CONFIG_REPO=$CONFIG_REPO \
+ CONFIG=rpi4-single-vTEE \
+ OPTIMIZATIONS=0 \
+ SDEES="sdSGX sdTZ" \
+ CROSS_COMPILE=aarch64-none-elf- \
+ clean
+
+make -C CROSSCON-Hypervisor/ \
+ PLATFORM=rpi4 \
+ CONFIG_BUILTIN=y \
+ CONFIG_REPO=$CONFIG_REPO \
+ CONFIG=rpi4-single-vTEE \
+ OPTIMIZATIONS=0 \
+ SDEES="sdSGX sdTZ" \
+ CROSS_COMPILE=aarch64-none-elf- \
+ -j`nproc`
diff --git a/env/patches/cmake/001-search-path.diff b/env/patches/cmake/001-search-path.diff
new file mode 100644
index 0000000..04ab084
--- /dev/null
+++ b/env/patches/cmake/001-search-path.diff
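Review bot: With `set -e` in force, `rm linux-rpi4.bin` and `rm linux-rpi4.elf` in Step 9 abort the whole script on a first run, when those files do not exist yet; they should be `rm -f linux-rpi4.bin linux-rpi4.elf`, and `mkdir bin`, `mkdir buildroot/build-aarch64` and `mkdir linux/build-aarch64/` should be `mkdir -p` for the same reason so the script survives a rerun. The TA_DEV_KIT_DIR values do not agree with what Step 1 produces: Step 1 builds OP-TEE into optee_os/optee-rpi4 and optee_os/optee2-rpi4, Step 4's first pass uses optee-rpi4 but its second pass uses optee/, and Steps 5 and 6 point at optee/, optee2/, optee-aarch64/ and optee2-aarch64/, none of which this script creates, so those builds presumably depend on directories produced elsewhere or fail; this needs a comment or a fix. In Step 5 the second OP-TEE build writes to out2-aarch64 but the install step then runs `cp out-aarch64/*.ta to_buildroot-aarch64-2/lib/optee2_armtz`, whereas Step 6 copies from out2-aarch64 at the same point, which looks like the first TEE's TA being shipped for the second one. The `set +e` around the first buildroot make hides every failure, not only the expected one, so the comment should say which failure is expected and why it is harmless, and `git checkout master` in Step 3 builds from an unpinned branch.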
@@ -0,0 +1,95 @@ +diff --git a/Modules/Platform/UnixPaths.cmake b/Modules/Platform/UnixPaths.cmake +index b9381c3d7d..5e944640b5 100644 +--- a/Modules/Platform/UnixPaths.cmake ++++ b/Modules/Platform/UnixPaths.cmake +@@ -26,9 +26,6 @@ get_filename_component(_CMAKE_INSTALL_DIR "${_CMAKE_INSTALL_DIR}" PATH) + # please make sure to keep Help/variable/CMAKE_SYSTEM_PREFIX_PATH.rst + # synchronized + list(APPEND CMAKE_SYSTEM_PREFIX_PATH +- # Standard +- /usr/local /usr / +- + # CMake install location + "${_CMAKE_INSTALL_DIR}" + ) +@@ -47,48 +44,49 @@ endif() + + # Non "standard" but common install prefixes + list(APPEND CMAKE_SYSTEM_PREFIX_PATH +- /usr/X11R6 +- /usr/pkg +- /opt + ) + + # List common include file locations not under the common prefixes. ++if(DEFINED ENV{NIX_CC} ++ AND IS_DIRECTORY "$ENV{NIX_CC}" ++ AND EXISTS "$ENV{NIX_CC}/nix-support/orig-libc" ++ AND EXISTS "$ENV{NIX_CC}/nix-support/orig-libc-dev") ++ file(STRINGS "$ENV{NIX_CC}/nix-support/orig-libc" _nix_cmake_libc) ++ file(STRINGS "$ENV{NIX_CC}/nix-support/orig-libc-dev" _nix_cmake_libc_dev) ++else() ++ set(_nix_cmake_libc @libc_lib@) ++ set(_nix_cmake_libc_dev @libc_dev@) ++endif() ++ + list(APPEND CMAKE_SYSTEM_INCLUDE_PATH +- # X11 +- /usr/include/X11 ++ "${_nix_cmake_libc_dev}/include" + ) + + list(APPEND CMAKE_SYSTEM_LIBRARY_PATH +- # X11 +- /usr/lib/X11 ++ "${_nix_cmake_libc}/lib" + ) + + list(APPEND CMAKE_PLATFORM_IMPLICIT_LINK_DIRECTORIES +- /lib /lib32 /lib64 /usr/lib /usr/lib32 /usr/lib64 ++ "${_nix_cmake_libc}/lib" + ) + +-if(CMAKE_SYSROOT_COMPILE) +- set(_cmake_sysroot_compile "${CMAKE_SYSROOT_COMPILE}") +-else() +- set(_cmake_sysroot_compile "${CMAKE_SYSROOT}") +-endif() +- + # Default per-language values. These may be later replaced after + # parsing the implicit directory information from compiler output. 
+ set(_CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES_INIT + ${CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES} +- "${_cmake_sysroot_compile}/usr/include" ++ "${_nix_cmake_libc_dev}/include" + ) + set(_CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES_INIT + ${CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES} +- "${_cmake_sysroot_compile}/usr/include" ++ "${_nix_cmake_libc_dev}/include" + ) + set(_CMAKE_CUDA_IMPLICIT_INCLUDE_DIRECTORIES_INIT + ${CMAKE_CUDA_IMPLICIT_INCLUDE_DIRECTORIES} +- "${_cmake_sysroot_compile}/usr/include" ++ "${_nix_cmake_libc_dev}/include" + ) + +-unset(_cmake_sysroot_compile) ++unset(_nix_cmake_libc) ++unset(_nix_cmake_libc_dev) + + # Reminder when adding new locations computed from environment variables + # please make sure to keep Help/variable/CMAKE_SYSTEM_PREFIX_PATH.rst +diff --git a/Modules/Platform/WindowsPaths.cmake b/Modules/Platform/WindowsPaths.cmake +index b9e2f17979..ab517cd4a7 100644 +--- a/Modules/Platform/WindowsPaths.cmake ++++ b/Modules/Platform/WindowsPaths.cmake +@@ -70,7 +70,7 @@ endif() + + if(CMAKE_CROSSCOMPILING AND NOT CMAKE_HOST_SYSTEM_NAME MATCHES "Windows") + # MinGW (useful when cross compiling from linux with CMAKE_FIND_ROOT_PATH set) +- list(APPEND CMAKE_SYSTEM_PREFIX_PATH /) ++ # list(APPEND CMAKE_SYSTEM_PREFIX_PATH /) + endif() + + list(APPEND CMAKE_SYSTEM_INCLUDE_PATH diff --git a/env/patches/cmake/003-libuv-application-services.diff b/env/patches/cmake/003-libuv-application-services.diff new file mode 100644 index 0000000..6607a9c --- /dev/null +++ b/env/patches/cmake/003-libuv-application-services.diff 
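Review bot: The `else()` branch of the new block sets `_nix_cmake_libc` and `_nix_cmake_libc_dev` to the literal tokens `@libc_lib@` and `@libc_dev@`, which are substitution placeholders from the Nix packaging this patch appears to come from; nothing in env/Dockerfile substitutes them and `NIX_CC` is not set there, so the patched cmake is presumably left with `@libc_dev@/include` and `@libc_lib@/lib` in its include, library and implicit link directories while the standard `/usr/local /usr /` prefixes, `/usr/X11R6 /usr/pkg /opt` and the `/lib ... /usr/lib64` link directories have been removed. If the intended effect is only to strip the host default search paths for the cross builds, the patch should carry a header comment saying so and the unresolved placeholders should be replaced with real paths or the branch dropped. The removal of the `_cmake_sysroot_compile` handling also means `CMAKE_SYSROOT_COMPILE` no longer influences the implicit include directories, which is worth stating in that comment.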
@@ -0,0 +1,55 @@ +diff --git a/Utilities/cmlibuv/CMakeLists.txt b/Utilities/cmlibuv/CMakeLists.txt +index 7625cf65d9..167903e309 100644 +--- a/Utilities/cmlibuv/CMakeLists.txt ++++ b/Utilities/cmlibuv/CMakeLists.txt +@@ -193,6 +193,22 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") + src/unix/kqueue.c + src/unix/proctitle.c + ) ++ ++ include(CheckIncludeFile) ++ ++ check_include_file("ApplicationServices/ApplicationServices.h" HAVE_ApplicationServices) ++ if (HAVE_ApplicationServices) ++ list(APPEND uv_defines ++ HAVE_APPLICATIONSERVICES_APPLICATIONSERVICES_H=1 ++ ) ++ endif() ++ ++ check_include_file("CoreServices/CoreServices.h" HAVE_CoreServices) ++ if (HAVE_CoreServices) ++ list(APPEND uv_defines ++ HAVE_CORESERVICES_CORESERVICES_H=1 ++ ) ++ endif() + endif() + + if(CMAKE_SYSTEM_NAME STREQUAL "Linux") +diff --git a/Utilities/cmlibuv/src/unix/fsevents.c b/Utilities/cmlibuv/src/unix/fsevents.c +index a51f29b3f6..3f6bf01968 100644 +--- a/Utilities/cmlibuv/src/unix/fsevents.c ++++ b/Utilities/cmlibuv/src/unix/fsevents.c +@@ -21,7 +21,7 @@ + #include "uv.h" + #include "internal.h" + +-#if TARGET_OS_IPHONE || MAC_OS_X_VERSION_MAX_ALLOWED < 1070 ++#if !HAVE_CORESERVICES_CORESERVICES_H || MAC_OS_X_VERSION_MAX_ALLOWED < 1070 + + /* iOS (currently) doesn't provide the FSEvents-API (nor CoreServices) */ + /* macOS prior to 10.7 doesn't provide the full FSEvents API so use kqueue */ +@@ -39,7 +39,7 @@ int uv__fsevents_close(uv_fs_event_t* handle) { + void uv__fsevents_loop_delete(uv_loop_t* loop) { + } + +-#else /* TARGET_OS_IPHONE */ ++#else /* !HAVE_CORESERVICES_CORESERVICES_H */ + + #include "darwin-stub.h" + +@@ -920,4 +920,4 @@ int uv__fsevents_close(uv_fs_event_t* handle) { + return 0; + } + +-#endif /* TARGET_OS_IPHONE */ ++#endif /* !HAVE_CORESERVICES_CORESERVICES_H */ diff --git a/env/patches/cmake/custom-application-services.patch b/env/patches/cmake/custom-application-services.patch new file mode 100644 index 0000000..7c77336 --- /dev/null 
+++ b/env/patches/cmake/custom-application-services.patch @@ -0,0 +1,43 @@ +diff --git a/Source/CMakeLists.txt b/Source/CMakeLists.txt +index 9a18184fd3..278d146dd1 100644 +--- a/Source/CMakeLists.txt ++++ b/Source/CMakeLists.txt +@@ -933,7 +933,6 @@ endif() + # On Apple we need CoreFoundation and CoreServices + if(APPLE) + target_link_libraries(CMakeLib "-framework CoreFoundation") +- target_link_libraries(CMakeLib "-framework CoreServices") + endif() + + if(WIN32 AND NOT UNIX) +diff --git a/Source/cmGlobalXCodeGenerator.cxx b/Source/cmGlobalXCodeGenerator.cxx +index 77403b076a..d5aac95e1e 100644 +--- a/Source/cmGlobalXCodeGenerator.cxx ++++ b/Source/cmGlobalXCodeGenerator.cxx +@@ -49,10 +49,6 @@ struct cmLinkImplementation; + + #if !defined(CMAKE_BOOTSTRAP) && defined(__APPLE__) + # include +-# if !TARGET_OS_IPHONE +-# define HAVE_APPLICATION_SERVICES +-# include +-# endif + #endif + + #if !defined(CMAKE_BOOTSTRAP) +diff --git a/Utilities/cmlibarchive/CMakeLists.txt b/Utilities/cmlibarchive/CMakeLists.txt +index 79452ffff6..a848731b7e 100644 +--- a/Utilities/cmlibarchive/CMakeLists.txt ++++ b/Utilities/cmlibarchive/CMakeLists.txt +@@ -2013,11 +2013,6 @@ IF(ENABLE_TEST) + ENDIF(ENABLE_TEST) + ENDIF() + +-# We need CoreServices on Mac OS. +-IF(APPLE) +- LIST(APPEND ADDITIONAL_LIBS "-framework CoreServices") +-ENDIF(APPLE) +- + add_subdirectory(libarchive) + IF(0) # CMake does not build libarchive's command-line tools. + add_subdirectory(cat) diff --git a/env/patches/dtc/dtc-patch.patch b/env/patches/dtc/dtc-patch.patch new file mode 100644 index 0000000..b677059 --- /dev/null +++ b/env/patches/dtc/dtc-patch.patch 
@@ -0,0 +1,28 @@ +diff --git a/Makefile b/Makefile +index e6b32cf1cbf5..c1dc04de7edc 100644 +--- a/Makefile ++++ b/Makefile +@@ -18,7 +18,8 @@ CONFIG_LOCALVERSION = + CPPFLAGS = -I libfdt -I . + WARNINGS = -Wall -Wpointer-arith -Wcast-qual -Wnested-externs \ + -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wshadow +-CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) ++CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) $(WARNINGS) ++ + + BISON = bison + LEX = flex +diff --git a/dtc-lexer.l b/dtc-lexer.l +index 06c040902444..b5b1443f171d 100644 +--- a/dtc-lexer.l ++++ b/dtc-lexer.l +@@ -38,7 +38,8 @@ LINECOMMENT "//".*\n + #include "srcpos.h" + #include "dtc-parser.tab.h" + +-YYLTYPE yylloc; ++#define YYLTYPE_IS_DECLARED 1 ++ + extern bool treesource_error; + + /* CAUTION: this will stop working if we ever use yyless() or yyunput() */