From 36a2bf116256548ce83c6c3d9ecc520dc4ef2c12 Mon Sep 17 00:00:00 2001 From: Eduard Kaverinskyi Date: Fri, 25 Oct 2024 17:04:42 +0200 Subject: [PATCH 01/23] env/: Implement Docker environment Signed-off-by: Eduard Kaverinskyi Co-authored-by: Tymoteusz Burak --- env/.gitignore | 1 + env/Dockerfile | 149 ++++++++++++++++++ env/README.md | 47 ++++++ env/files/.gitmodules | 21 +++ env/files/env.sh | 4 + env/patches/cmake/001-search-path.diff | 95 +++++++++++ .../cmake/003-libuv-application-services.diff | 55 +++++++ .../cmake/custom-application-services.patch | 43 +++++ env/patches/dtc/dtc-patch.patch | 28 ++++ 9 files changed, 443 insertions(+) create mode 100644 env/.gitignore create mode 100644 env/Dockerfile create mode 100644 env/README.md create mode 100644 env/files/.gitmodules create mode 100755 env/files/env.sh create mode 100644 env/patches/cmake/001-search-path.diff create mode 100644 env/patches/cmake/003-libuv-application-services.diff create mode 100644 env/patches/cmake/custom-application-services.patch create mode 100644 env/patches/dtc/dtc-patch.patch diff --git a/env/.gitignore b/env/.gitignore new file mode 100644 index 0000000..751b1d0 --- /dev/null +++ b/env/.gitignore @@ -0,0 +1 @@ +build.log diff --git a/env/Dockerfile b/env/Dockerfile new file mode 100644 index 0000000..75212cc --- /dev/null +++ b/env/Dockerfile 
@@ -0,0 +1,149 @@
+# Use Debian base image
+FROM debian:latest
+
+# Set environment variables
+ENV MAKE_VERSION=4.2.1
+ENV WORKDIR_PATH=/work
+
+# Set working directory
+WORKDIR $WORKDIR_PATH
+
+# Update package lists, install necessary dependencies
+RUN apt-get update && \
+ apt-get install -y \
+ git \
+ wget \
+ build-essential \
+ libfdt1 \
+ libyaml-0-2 \
+ gdebi-core \
+ libuv1 \
+ procps \
+ librhash0 \
+ libarchive13 \
+ libc6 \
+ libcurl4 \
+ libexpat1 \
+ libgcc-s1 \
+ binutils \
+ flex \
+ bison \
+ pkg-config \
+ openssl \
+ libssl-dev
+
+# Install Make 4.2.1
+RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \
+ && dpkg -i make_4.2.1-1.2_amd64.deb
+
+# Install dtc 1.6.1
+COPY patches/dtc $WORKDIR_PATH/patches/dtc/
+
+RUN git clone https://salsa.debian.org/crosstoolchain-team/device-tree-compiler.git \
+&& cd device-tree-compiler \
+&& git checkout debian/1.5.0-2 \
+&& git apply $WORKDIR_PATH/patches/dtc/dtc-patch.patch \
+&& make install
+
+# Install libssl1.1 (requirement for mkimage)
+RUN wget http://ftp.pl.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb \
+ && dpkg -i libssl1.1_1.1.1w-0+deb11u1_amd64.deb
+
+# Install mkimage 20.10
+RUN git clone https://github.com/u-boot/u-boot.git \
+ && cd u-boot \
+ && git checkout v2020.10 \
+ && make tools-only_defconfig \
+ && make tools \
+ && cp tools/mkimage /usr/local/bin \
+ && chmod +x /usr/local/bin/mkimage
+
+# Install cmake-data 3.25
+RUN wget http://ftp.pl.debian.org/debian/pool/main/c/cmake/cmake-data_3.25.1-1~bpo11+1_all.deb \
+ && dpkg -i cmake-data_3.25.1-1~bpo11+1_all.deb
+
+# Install libjsoncpp24
+RUN wget http://ftp.pl.debian.org/debian/pool/main/libj/libjsoncpp/libjsoncpp24_1.9.4-4_amd64.deb \
+&& dpkg -i libjsoncpp24_1.9.4-4_amd64.deb
+
+# Install Cmake 3.20.0
+COPY patches/cmake $WORKDIR_PATH/patches/cmake/
+
+RUN wget https://cmake.org/files/v3.20/cmake-3.20.0.tar.gz \
+ && tar -xvf cmake-3.20.0.tar.gz \
+ && cd cmake-3.20.0 \
+ && git apply $WORKDIR_PATH/patches/cmake/001-search-path.diff \
+ && git apply $WORKDIR_PATH/patches/cmake/003-libuv-application-services.diff \
+ && git apply $WORKDIR_PATH/patches/cmake/custom-application-services.patch
+
+RUN cd cmake-3.20.0 \
+&& ./bootstrap \
+&& make install
+
+# Install ninja 1.10.1
+RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.10.1-1_amd64.deb \
+ && dpkg -i ninja-build_1.10.1-1_amd64.deb
+
+# Install gcc 9.3.0
+RUN apt remove gcc -y
+
+RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/gcc-9-base_9.3.0-22_amd64.deb \
+&& dpkg -i gcc-9-base_9.3.0-22_amd64.deb
+
+RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/cpp-9_9.3.0-22_amd64.deb \
+&& dpkg -i cpp-9_9.3.0-22_amd64.deb
+
+RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-10/gcc-10-base_10.2.1-6_amd64.deb \
+&& dpkg -i gcc-10-base_10.2.1-6_amd64.deb
+
+RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-10/libtsan0_10.2.1-6_amd64.deb \
+&& dpkg -i libtsan0_10.2.1-6_amd64.deb
+
+RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/libasan5_9.3.0-22_amd64.deb \
+&& dpkg -i libasan5_9.3.0-22_amd64.deb
+
+RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/libgcc-9-dev_9.3.0-22_amd64.deb \
+&& dpkg -i libgcc-9-dev_9.3.0-22_amd64.deb
+
+RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/gcc-9_9.3.0-22_amd64.deb \
+&& dpkg -i gcc-9_9.3.0-22_amd64.deb
+
+# Install Arm GNU toolchain
+RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \
+&& unxz aarch64-none-elf.tar.xz \
+&& tar -xvf aarch64-none-elf.tar
+
+# Install BASH
+RUN apt install bash -y
+SHELL ["/bin/bash", "-c"]
+
+# Update PATH
+COPY files/env.sh $WORKDIR_PATH/
+
+# Check versions of the dependencies
+RUN source $WORKDIR_PATH/env.sh && make --version
+
+RUN source $WORKDIR_PATH/env.sh && dtc --version
+
+RUN source $WORKDIR_PATH/env.sh && gcc-9 --version
+
+RUN source $WORKDIR_PATH/env.sh && mkimage -V
+
+RUN source $WORKDIR_PATH/env.sh && cmake --version
+
+RUN source $WORKDIR_PATH/env.sh && ninja --version
+
+RUN source $WORKDIR_PATH/env.sh && aarch64-none-elf-gcc --version
+
+# Setup CROSSCON repository
+RUN git clone https://github.com/crosscon/CROSSCON-Hypervisor-and-TEE-Isolation-Demos.git \
+&& mv CROSSCON-Hypervisor-and-TEE-Isolation-Demos $WORKDIR_PATH/crosscon
+
+COPY files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules
+
+RUN cd $WORKDIR_PATH/crosscon \
+&& git submodule init \
+&& git submodule update
+
+# Fix missing "cryptography" python module
+RUN apt install python3-cryptography -y
diff --git a/env/README.md b/env/README.md
new file mode 100644
index 0000000..d9286b5
--- /dev/null
+++ b/env/README.md
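Review bot: Every artifact this stage installs from outside the apt archive — the `.deb` files pulled from `http://ftp.pl.debian.org` and handed straight to `dpkg -i`, the cmake tarball, and the Arm toolchain archive — is fetched with `wget` and used without any integrity check, and `dpkg -i` does not verify archive signatures the way `apt-get` does, so the toolchain that later compiles the hypervisor is whatever the mirror or the network path returned. Pin a digest next to each download and abort on mismatch, e.g. `&& echo "<sha256-placeholder>  make_4.2.1-1.2_amd64.deb" | sha256sum -c - \` before each `dpkg -i` line, and prefer `https://` mirrors. The same hunk builds on `FROM debian:latest`, so the base that these Debian 11 packages (`deb11u1`, `bpo11`) are layered onto changes whenever the tag moves, and the final image has no `USER`, leaving every later `docker exec` as root. Also the comment `# Install dtc 1.6.1` does not match the `git checkout debian/1.5.0-2` it introduces.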
@@ -0,0 +1,47 @@ +# Docker for CROSSCON Hypervisor + +## Overview + +The purpose of this repo is to provide the environment required for +compilation of the CROSSCON hypervisor. + +## How to build the container + +### Build the docker image + +Run the `./build.sh` to build the image. The resulting image will have +the tag: `crosscon_hv`. + +This will also produce the `build.log` log file, which is useful for +debugging. + +### Create the container from the image + +`docker create --name crosscon_hv_container crosscon_hv` + +### Start the container + +`docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null` + +`docker exec -it crosscon_hv_container /bin/bash` + +### Remove the container + +If the container already exists, and you need to create it from newer +image, use this command: + +`docker stop crosscon_hv_container` + +`docker remove crosscon_hv_container` + +After this you should be able to create a new container. + +## After you attach + +1. Run `source env.sh` command. It will enable some of the tools that + were installed earlier to be found globally. It will also let you use + `gcc-9` as `gcc`. + +2. CROSSCON Hypervisor repository is already installed and it's + submodules were updated. It is available under the `crosscon` + directory. diff --git a/env/files/.gitmodules b/env/files/.gitmodules new file mode 100644 index 0000000..dc2785b --- /dev/null +++ b/env/files/.gitmodules 
@@ -0,0 +1,21 @@ +[submodule "CROSSCON-Hypervisor"] + path = CROSSCON-Hypervisor + url = http://github.com/crosscon/CROSSCON-Hypervisor.git +[submodule "optee_client"] + path = optee_client + url = http://github.com/crosscon/optee_client.git +[submodule "optee_os"] + path = optee_os + url = http://github.com/crosscon/optee_os.git +[submodule "opensbi"] + path = opensbi + url = https://github.com/bao-project/opensbi.git +[submodule "linux"] + path = linux + url = http://github.com/crosscon/linux.git +[submodule "optee_test"] + path = optee_test + url = http://github.com/crosscon/optee_test.git +[submodule "bitcoin-wallet"] + path = bitcoin-wallet + url = http://github.com/crosscon/bitcoin-wallet.git diff --git a/env/files/env.sh b/env/files/env.sh new file mode 100755 index 0000000..cb7f019 --- /dev/null +++ b/env/files/env.sh @@ -0,0 +1,4 @@ +export PATH="./device-tree-compiler:$PATH" +export PATH="./gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH" + +alias gcc="gcc-9" diff --git a/env/patches/cmake/001-search-path.diff b/env/patches/cmake/001-search-path.diff new file mode 100644 index 0000000..04ab084 --- /dev/null +++ b/env/patches/cmake/001-search-path.diff 
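Review bot: Six of the seven submodule URLs use `http://github.com/...` while only opensbi uses `https://`; git follows the redirect to HTTPS, but the first request goes out in cleartext and a party on the path can redirect it elsewhere, and these submodules are the hypervisor, OP-TEE and Linux sources the image builds. Change each to HTTPS, e.g. `url = https://github.com/crosscon/CROSSCON-Hypervisor.git`. Since this file is copied over the upstream repository's own `crosscon/.gitmodules` by the Dockerfile, a short comment at the top explaining why the override exists would help the next maintainer.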
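Review bot: Both `PATH` entries are relative (`./device-tree-compiler`, `./gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin`), so they resolve against whatever directory the shell is in: the tools are found only from `/work`, and from any other directory a same-named file in the current tree would be picked up instead, which is the usual reason relative `PATH` entries are avoided. Use the absolute locations, e.g. `export PATH="/work/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH"`. The `alias gcc="gcc-9"` line only affects interactive bash sessions; `make` and other child processes never see it, so the README's statement that it lets you use `gcc-9` as `gcc` holds only at the prompt — an `export CC=gcc-9` or a symlink would cover builds too.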
@@ -0,0 +1,95 @@ +diff --git a/Modules/Platform/UnixPaths.cmake b/Modules/Platform/UnixPaths.cmake +index b9381c3d7d..5e944640b5 100644 +--- a/Modules/Platform/UnixPaths.cmake ++++ b/Modules/Platform/UnixPaths.cmake +@@ -26,9 +26,6 @@ get_filename_component(_CMAKE_INSTALL_DIR "${_CMAKE_INSTALL_DIR}" PATH) + # please make sure to keep Help/variable/CMAKE_SYSTEM_PREFIX_PATH.rst + # synchronized + list(APPEND CMAKE_SYSTEM_PREFIX_PATH +- # Standard +- /usr/local /usr / +- + # CMake install location + "${_CMAKE_INSTALL_DIR}" + ) +@@ -47,48 +44,49 @@ endif() + + # Non "standard" but common install prefixes + list(APPEND CMAKE_SYSTEM_PREFIX_PATH +- /usr/X11R6 +- /usr/pkg +- /opt + ) + + # List common include file locations not under the common prefixes. ++if(DEFINED ENV{NIX_CC} ++ AND IS_DIRECTORY "$ENV{NIX_CC}" ++ AND EXISTS "$ENV{NIX_CC}/nix-support/orig-libc" ++ AND EXISTS "$ENV{NIX_CC}/nix-support/orig-libc-dev") ++ file(STRINGS "$ENV{NIX_CC}/nix-support/orig-libc" _nix_cmake_libc) ++ file(STRINGS "$ENV{NIX_CC}/nix-support/orig-libc-dev" _nix_cmake_libc_dev) ++else() ++ set(_nix_cmake_libc @libc_lib@) ++ set(_nix_cmake_libc_dev @libc_dev@) ++endif() ++ + list(APPEND CMAKE_SYSTEM_INCLUDE_PATH +- # X11 +- /usr/include/X11 ++ "${_nix_cmake_libc_dev}/include" + ) + + list(APPEND CMAKE_SYSTEM_LIBRARY_PATH +- # X11 +- /usr/lib/X11 ++ "${_nix_cmake_libc}/lib" + ) + + list(APPEND CMAKE_PLATFORM_IMPLICIT_LINK_DIRECTORIES +- /lib /lib32 /lib64 /usr/lib /usr/lib32 /usr/lib64 ++ "${_nix_cmake_libc}/lib" + ) + +-if(CMAKE_SYSROOT_COMPILE) +- set(_cmake_sysroot_compile "${CMAKE_SYSROOT_COMPILE}") +-else() +- set(_cmake_sysroot_compile "${CMAKE_SYSROOT}") +-endif() +- + # Default per-language values. These may be later replaced after + # parsing the implicit directory information from compiler output. 
+ set(_CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES_INIT + ${CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES} +- "${_cmake_sysroot_compile}/usr/include" ++ "${_nix_cmake_libc_dev}/include" + ) + set(_CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES_INIT + ${CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES} +- "${_cmake_sysroot_compile}/usr/include" ++ "${_nix_cmake_libc_dev}/include" + ) + set(_CMAKE_CUDA_IMPLICIT_INCLUDE_DIRECTORIES_INIT + ${CMAKE_CUDA_IMPLICIT_INCLUDE_DIRECTORIES} +- "${_cmake_sysroot_compile}/usr/include" ++ "${_nix_cmake_libc_dev}/include" + ) + +-unset(_cmake_sysroot_compile) ++unset(_nix_cmake_libc) ++unset(_nix_cmake_libc_dev) + + # Reminder when adding new locations computed from environment variables + # please make sure to keep Help/variable/CMAKE_SYSTEM_PREFIX_PATH.rst +diff --git a/Modules/Platform/WindowsPaths.cmake b/Modules/Platform/WindowsPaths.cmake +index b9e2f17979..ab517cd4a7 100644 +--- a/Modules/Platform/WindowsPaths.cmake ++++ b/Modules/Platform/WindowsPaths.cmake +@@ -70,7 +70,7 @@ endif() + + if(CMAKE_CROSSCOMPILING AND NOT CMAKE_HOST_SYSTEM_NAME MATCHES "Windows") + # MinGW (useful when cross compiling from linux with CMAKE_FIND_ROOT_PATH set) +- list(APPEND CMAKE_SYSTEM_PREFIX_PATH /) ++ # list(APPEND CMAKE_SYSTEM_PREFIX_PATH /) + endif() + + list(APPEND CMAKE_SYSTEM_INCLUDE_PATH diff --git a/env/patches/cmake/003-libuv-application-services.diff b/env/patches/cmake/003-libuv-application-services.diff new file mode 100644 index 0000000..6607a9c --- /dev/null +++ b/env/patches/cmake/003-libuv-application-services.diff 
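Review bot: This patch carries unsubstituted `@libc_lib@` and `@libc_dev@` placeholders (`set(_nix_cmake_libc @libc_lib@)` / `set(_nix_cmake_libc_dev @libc_dev@)`), and its `NIX_CC` checks suggest it was taken from a Nix packaging where those tokens are filled in before the patch is applied; in this Debian image `NIX_CC` is unset, so the `else()` branch leaves the literal strings in `CMAKE_SYSTEM_INCLUDE_PATH`, `CMAKE_SYSTEM_LIBRARY_PATH` and the `*_IMPLICIT_INCLUDE_DIRECTORIES_INIT` lists, while `/usr/local /usr /` and `/opt` are removed from `CMAKE_SYSTEM_PREFIX_PATH`. Presumably the intent is to keep the patched cmake from picking up host libraries during cross builds; if so, a header comment stating that, and either substituting real paths for the two placeholders or dropping the `else()` branch, would make the effect deliberate rather than accidental.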
@@ -0,0 +1,55 @@ +diff --git a/Utilities/cmlibuv/CMakeLists.txt b/Utilities/cmlibuv/CMakeLists.txt +index 7625cf65d9..167903e309 100644 +--- a/Utilities/cmlibuv/CMakeLists.txt ++++ b/Utilities/cmlibuv/CMakeLists.txt +@@ -193,6 +193,22 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") + src/unix/kqueue.c + src/unix/proctitle.c + ) ++ ++ include(CheckIncludeFile) ++ ++ check_include_file("ApplicationServices/ApplicationServices.h" HAVE_ApplicationServices) ++ if (HAVE_ApplicationServices) ++ list(APPEND uv_defines ++ HAVE_APPLICATIONSERVICES_APPLICATIONSERVICES_H=1 ++ ) ++ endif() ++ ++ check_include_file("CoreServices/CoreServices.h" HAVE_CoreServices) ++ if (HAVE_CoreServices) ++ list(APPEND uv_defines ++ HAVE_CORESERVICES_CORESERVICES_H=1 ++ ) ++ endif() + endif() + + if(CMAKE_SYSTEM_NAME STREQUAL "Linux") +diff --git a/Utilities/cmlibuv/src/unix/fsevents.c b/Utilities/cmlibuv/src/unix/fsevents.c +index a51f29b3f6..3f6bf01968 100644 +--- a/Utilities/cmlibuv/src/unix/fsevents.c ++++ b/Utilities/cmlibuv/src/unix/fsevents.c +@@ -21,7 +21,7 @@ + #include "uv.h" + #include "internal.h" + +-#if TARGET_OS_IPHONE || MAC_OS_X_VERSION_MAX_ALLOWED < 1070 ++#if !HAVE_CORESERVICES_CORESERVICES_H || MAC_OS_X_VERSION_MAX_ALLOWED < 1070 + + /* iOS (currently) doesn't provide the FSEvents-API (nor CoreServices) */ + /* macOS prior to 10.7 doesn't provide the full FSEvents API so use kqueue */ +@@ -39,7 +39,7 @@ int uv__fsevents_close(uv_fs_event_t* handle) { + void uv__fsevents_loop_delete(uv_loop_t* loop) { + } + +-#else /* TARGET_OS_IPHONE */ ++#else /* !HAVE_CORESERVICES_CORESERVICES_H */ + + #include "darwin-stub.h" + +@@ -920,4 +920,4 @@ int uv__fsevents_close(uv_fs_event_t* handle) { + return 0; + } + +-#endif /* TARGET_OS_IPHONE */ ++#endif /* !HAVE_CORESERVICES_CORESERVICES_H */ diff --git a/env/patches/cmake/custom-application-services.patch b/env/patches/cmake/custom-application-services.patch new file mode 100644 index 0000000..7c77336 --- /dev/null 
+++ b/env/patches/cmake/custom-application-services.patch @@ -0,0 +1,43 @@ +diff --git a/Source/CMakeLists.txt b/Source/CMakeLists.txt +index 9a18184fd3..278d146dd1 100644 +--- a/Source/CMakeLists.txt ++++ b/Source/CMakeLists.txt +@@ -933,7 +933,6 @@ endif() + # On Apple we need CoreFoundation and CoreServices + if(APPLE) + target_link_libraries(CMakeLib "-framework CoreFoundation") +- target_link_libraries(CMakeLib "-framework CoreServices") + endif() + + if(WIN32 AND NOT UNIX) +diff --git a/Source/cmGlobalXCodeGenerator.cxx b/Source/cmGlobalXCodeGenerator.cxx +index 77403b076a..d5aac95e1e 100644 +--- a/Source/cmGlobalXCodeGenerator.cxx ++++ b/Source/cmGlobalXCodeGenerator.cxx +@@ -49,10 +49,6 @@ struct cmLinkImplementation; + + #if !defined(CMAKE_BOOTSTRAP) && defined(__APPLE__) + # include +-# if !TARGET_OS_IPHONE +-# define HAVE_APPLICATION_SERVICES +-# include +-# endif + #endif + + #if !defined(CMAKE_BOOTSTRAP) +diff --git a/Utilities/cmlibarchive/CMakeLists.txt b/Utilities/cmlibarchive/CMakeLists.txt +index 79452ffff6..a848731b7e 100644 +--- a/Utilities/cmlibarchive/CMakeLists.txt ++++ b/Utilities/cmlibarchive/CMakeLists.txt +@@ -2013,11 +2013,6 @@ IF(ENABLE_TEST) + ENDIF(ENABLE_TEST) + ENDIF() + +-# We need CoreServices on Mac OS. +-IF(APPLE) +- LIST(APPEND ADDITIONAL_LIBS "-framework CoreServices") +-ENDIF(APPLE) +- + add_subdirectory(libarchive) + IF(0) # CMake does not build libarchive's command-line tools. + add_subdirectory(cat) diff --git a/env/patches/dtc/dtc-patch.patch b/env/patches/dtc/dtc-patch.patch new file mode 100644 index 0000000..b677059 --- /dev/null +++ b/env/patches/dtc/dtc-patch.patch 
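Review bot: In the `Source/cmGlobalXCodeGenerator.cxx` hunk the context line `# include` and the removed line `-# include` carry no header operand; if the stored patch really lacks the `<…>` names (rather than this being a rendering artifact), the context will not match cmake 3.20.0 and `git apply` will reject the whole file, failing the Dockerfile step that applies it. Worth checking the file as committed. All three hunks only touch Apple-specific build logic, so a one-line comment at the top of the patch saying why a Debian image needs them would also help.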
@@ -0,0 +1,28 @@ +diff --git a/Makefile b/Makefile +index e6b32cf1cbf5..c1dc04de7edc 100644 +--- a/Makefile ++++ b/Makefile +@@ -18,7 +18,8 @@ CONFIG_LOCALVERSION = + CPPFLAGS = -I libfdt -I . + WARNINGS = -Wall -Wpointer-arith -Wcast-qual -Wnested-externs \ + -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wshadow +-CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) ++CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) $(WARNINGS) ++ + + BISON = bison + LEX = flex +diff --git a/dtc-lexer.l b/dtc-lexer.l +index 06c040902444..b5b1443f171d 100644 +--- a/dtc-lexer.l ++++ b/dtc-lexer.l +@@ -38,7 +38,8 @@ LINECOMMENT "//".*\n + #include "srcpos.h" + #include "dtc-parser.tab.h" + +-YYLTYPE yylloc; ++#define YYLTYPE_IS_DECLARED 1 ++ + extern bool treesource_error; + + /* CAUTION: this will stop working if we ever use yyless() or yyunput() */ From 498d56e3495ca3f4168ab6992ec271c9f1a1412e Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Wed, 27 Nov 2024 16:08:37 +0100 Subject: [PATCH 02/23] Dockerfile: add necessary deps --- env/Dockerfile | 49 ++++++++++--------------------------------------- 1 file changed, 10 insertions(+), 39 deletions(-) diff --git a/env/Dockerfile b/env/Dockerfile index 75212cc..ade1037 100644 --- a/env/Dockerfile +++ b/env/Dockerfile 
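Review bot: Dropping `-Werror` from the Makefile's `CFLAGS` disables warnings-as-errors for the whole dtc build rather than for whichever diagnostic caused the failure; if a single warning is the problem, `-Wno-error=<warning>` keeps the rest of the guard in place (the diagnostic in question is not visible here). The added blank lines after the `CFLAGS` assignment and after `#define YYLTYPE_IS_DECLARED 1` look unintended. A comment explaining why `YYLTYPE yylloc;` is replaced by the `YYLTYPE_IS_DECLARED` define would help, since the patch file has no description.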
@@ -84,30 +84,6 @@ RUN cd cmake-3.20.0 \ RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.10.1-1_amd64.deb \ && dpkg -i ninja-build_1.10.1-1_amd64.deb -# Install gcc 9.3.0 -RUN apt remove gcc -y - -RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/gcc-9-base_9.3.0-22_amd64.deb \ -&& dpkg -i gcc-9-base_9.3.0-22_amd64.deb - -RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/cpp-9_9.3.0-22_amd64.deb \ -&& dpkg -i cpp-9_9.3.0-22_amd64.deb - -RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-10/gcc-10-base_10.2.1-6_amd64.deb \ -&& dpkg -i gcc-10-base_10.2.1-6_amd64.deb - -RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-10/libtsan0_10.2.1-6_amd64.deb \ -&& dpkg -i libtsan0_10.2.1-6_amd64.deb - -RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/libasan5_9.3.0-22_amd64.deb \ -&& dpkg -i libasan5_9.3.0-22_amd64.deb - -RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/libgcc-9-dev_9.3.0-22_amd64.deb \ -&& dpkg -i libgcc-9-dev_9.3.0-22_amd64.deb - -RUN wget http://ftp.pl.debian.org/debian/pool/main/g/gcc-9/gcc-9_9.3.0-22_amd64.deb \ -&& dpkg -i gcc-9_9.3.0-22_amd64.deb - # Install Arm GNU toolchain RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \ && unxz aarch64-none-elf.tar.xz \ 
@@ -120,21 +96,6 @@ SHELL ["/bin/bash", "-c"] # Update PATH COPY files/env.sh $WORKDIR_PATH/ -# Check versions of the dependencies -RUN source $WORKDIR_PATH/env.sh && make --version - -RUN source $WORKDIR_PATH/env.sh && dtc --version - -RUN source $WORKDIR_PATH/env.sh && gcc-9 --version - -RUN source $WORKDIR_PATH/env.sh && mkimage -V - -RUN source $WORKDIR_PATH/env.sh && cmake --version - -RUN source $WORKDIR_PATH/env.sh && ninja --version - -RUN source $WORKDIR_PATH/env.sh && aarch64-none-elf-gcc --version - # Setup CROSSCON repository RUN git clone https://github.com/crosscon/CROSSCON-Hypervisor-and-TEE-Isolation-Demos.git \ && mv CROSSCON-Hypervisor-and-TEE-Isolation-Demos $WORKDIR_PATH/crosscon @@ -147,3 +108,13 @@ RUN cd $WORKDIR_PATH/crosscon \ # Fix missing "cryptography" python module RUN apt install python3-cryptography -y + +# necessary for optee_os and client +RUN apt update && apt install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu +RUN apt-get update && apt-get install -y python3-pyelftools + +# necessary for building buildroot +RUN apt-get update && apt-get install -y cpio unzip rsync bc + +# device tree compiler, neccessary for step 8 +RUN apt-get update && apt-get install -y device-tree-compiler From 2927e9b63854a8409744ffb7e953a22cf58b338d Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Wed, 27 Nov 2024 16:25:56 +0100 Subject: [PATCH 03/23] env/build.sh: added --- env/build.sh | 1 + 1 file changed, 1 insertion(+) create mode 100755 env/build.sh diff --git a/env/build.sh b/env/build.sh new file mode 100755 index 0000000..5699310 --- /dev/null +++ b/env/build.sh @@ -0,0 +1 @@ +docker build -t crosscon_hv . From cf0fcb98d68d58b1f940e939008d2a17c1e98f94 Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Wed, 27 Nov 2024 19:54:31 +0100 Subject: [PATCH 04/23] env/Dockerfile: reorder packages neatly --- env/Dockerfile | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) 
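Review bot: The four new `RUN` lines each run their own `apt update`/`apt-get update` and install step with no `rm -rf /var/lib/apt/lists/*`, so every one of them bakes the package index into its layer, and the first mixes the interactive-oriented `apt` front end with the `apt-get` used elsewhere in the file. Fold them into one `RUN apt-get update && apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*` or into the existing package list near the top of the file (patch 04 of this series does the latter, but the lists cleanup is still missing there), and fix the `neccessary` typo in the comment. None of the packages is version-pinned.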
diff --git a/env/Dockerfile b/env/Dockerfile index ade1037..77dc044 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -30,7 +30,15 @@ RUN apt-get update && \ bison \ pkg-config \ openssl \ - libssl-dev + libssl-dev \ + cpio \ + unzip \ + rsync \ + bc \ + device-tree-compiler \ + gcc-aarch64-linux-gnu \ + g++-aarch64-linux-gnu \ + python3-pyelftools # Install Make 4.2.1 RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \ @@ -108,13 +116,3 @@ RUN cd $WORKDIR_PATH/crosscon \ # Fix missing "cryptography" python module RUN apt install python3-cryptography -y - -# necessary for optee_os and client -RUN apt update && apt install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu -RUN apt-get update && apt-get install -y python3-pyelftools - -# necessary for building buildroot -RUN apt-get update && apt-get install -y cpio unzip rsync bc - -# device tree compiler, neccessary for step 8 -RUN apt-get update && apt-get install -y device-tree-compiler From ae46b668db453cd4dcd0460b2e771463258d6b2e Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Mon, 9 Dec 2024 18:22:20 +0100 Subject: [PATCH 05/23] deleted build script, readme update --- env/README.md | 201 ++++++++++++++++++++++++++++++++++++++++++++------ env/build.sh | 1 - 2 files changed, 178 insertions(+), 24 deletions(-) delete mode 100755 env/build.sh diff --git a/env/README.md b/env/README.md index d9286b5..90e480d 100644 --- a/env/README.md +++ b/env/README.md 
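Review bot: The eight packages added to the `apt-get install` list are unpinned, so rebuilds silently pick up different cross-compiler and `device-tree-compiler` versions; for a build environment whose purpose is reproducibility, pin them (`gcc-aarch64-linux-gnu=<version>`) or at least record the resolved versions in the README. The commit says it reorders the packages neatly, but the list is not sorted, which makes future diffs noisier; alphabetise it. The enclosing `RUN apt-get update && \` starts outside the hunk and still lacks `--no-install-recommends` and the apt lists cleanup.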
@@ -7,41 +7,196 @@ compilation of the CROSSCON hypervisor. ## How to build the container -### Build the docker image +Run this command: -Run the `./build.sh` to build the image. The resulting image will have -the tag: `crosscon_hv`. +```bash +docker build -t crosscon_hv . +``` -This will also produce the `build.log` log file, which is useful for -debugging. +to build the docker image. The resulting image will have a `crosscon_hv` tag. +After the image has been built you will need to create a container from that +image, it can be done with this command: -### Create the container from the image +```bash +docker create --name crosscon_hv_container crosscon_hv +``` -`docker create --name crosscon_hv_container crosscon_hv` +Then all that's left to do is run the image and enter the shell of the +container, by running these commands: -### Start the container +```bash +docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null +docker exec -it crosscon_hv_container /bin/bash +``` -`docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null` +> Note: If at any point when rebuilding/rerunning the container you get error messages +> similar to this one: -`docker exec -it crosscon_hv_container /bin/bash` +```bash +docker: Error response from daemon: Conflict. The container name +"/crosscon_hv_container" is already in use by container +"d6ee75901fd0e090147d242c485651ebf5c4fc58e13d8363725a6cab830a9ba0". You have to +remove (or rename) that container to be able to reuse that name. +See 'docker run --help'. +``` -### Remove the container +Just use this command: -If the container already exists, and you need to create it from newer -image, use this command: +```bash +docker rm --force +``` -`docker stop crosscon_hv_container` +## Building the rpi4-ws demo -`docker remove crosscon_hv_container` +This section contains instructions on how to build and flash the rpi4-ws demo. 
+After attaching to the container, it should look like this: -After this you should be able to create a new container. +```bash +user in ~/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env λ docker exec -it crosscon_hv_container /bin/bash +root@d6ee75901fd0:/work# +``` -## After you attach +Then you should `cd crosscon`, and follow the instructions from +[the README](../rpi4-ws/README.md). -1. Run `source env.sh` command. It will enable some of the tools that - were installed earlier to be found globally. It will also let you use - `gcc-9` as `gcc`. +This will allow you to build the binaries, since the container has all the +necessary dependencies, but here are some important tips to bear in mind: -2. CROSSCON Hypervisor repository is already installed and it's - submodules were updated. It is available under the `crosscon` - directory. +### Cross-compilator names + +Sometimes, the instructions are not 100% accurate when it comes to the +`CROSS_COMPILE` flag in the `make` commands. The only time i have come across +this, is when trying to compile the `optee_client`, the readme says to do this: + +```bash +make CROSS_COMPILE=aarch64-none-linux-gnu- WITH_TEEACL=0 O=out-aarch64 +``` + +but the correct command for ubuntu (which our container is based off of) is this: + +```bash +make CROSS_COMPILE=aarch64-linux-gnu- WITH_TEEACL=0 O=out-aarch64 +``` + +as you can see the `CROSS_COMPILE` argument should be `aarch64-linux-gnu-`, NOT +`aarch64-none-linux-gnu-`. If you ever encounter build errors, this should be +the first thing to check. + +> Note: while `aarch64-none-linux-gnu-` is supposed to be the bare-metal +> cross-compiler, having it on the container causes internal compiler errors and +its unusable. `aarch64-linux-gnu-` Seens to work just fine for our purposes. + +### Copying the files to the SD card. + +Obviously, the container allows you to build the binaries without worrying about +dependencies. 
But you also have to get them on the SD card in order to boot +the demo. + +#### Firmware and bootloader files + +In order to correctly do this, first you have to make sure get the firmware +files over from the container on your host. Instead of doing this: + +> Note: Before running the following commands, ensure you have inserted the +> SD card into your host machine and that it is mounted at /media/$USER/boot +> (adjust the path as necessary if your system uses a different mount point). + +```bash +cd $RPI4_WS +SDCARD=/media/$USER/boot + +cp -vr firmware/boot/* $SDCARD +cp -v config.txt $SDCARD +cp -v bin/bl31.bin $SDCARD +cp -v bin/u-boot.bin $SDCARD +``` + +like the readme tells you to, you will have to run these commands on host +(here I assumed that we are copying the files directly over to the SD card, +but it doesnt really matter. If you want to, you can copy them to host, +then later to the SD card): + +```bash +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/ /run/media/$USER/ +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/config.txt /run/media/$USER/boot/ +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/bl31.bin /run/media/$USER/boot/ +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/u-boot.bin /run/media/$USER/boot/ +``` + +#### Linux and Device Tree Image + +After you’ve built the Linux kernel and used lloader to produce +`linux-rpi4.bin`, you’ll need to copy that file out of the container and onto +your SD card: + +```bash +docker cp crosscon_hv_container:/work/crosscon/lloader/linux-rpi4.bin /media/$USER/boot +``` + +#### Copying the CROSSCON Hypervisor Binary + +Building and copying of the hypervisor binary is done in the same script, +either `build-demo-vtee.sh` or `build-demo-dual-vtee.sh`. 
If you look at the +content of those scripts, you will see that they build the `crossconhyp.bin` +files, then copies `start*` firmware files and `crossconhyp.bin` to the SD card +mount point. + +> Note: this readme only covers the `build-demo-vtee.sh` script, since once +> you understand the idea of what we are doing here, it becomes easy to think +> of the commands to achieve what goes on in the `dual` version of the script. + +Since we are inside a container, we will have to build the hypervisor manually, +then copy it over to host. Once you get to the end of +[the README](../rpi4-ws/README.md), instead of just running the script: + +```bash +./build-demo-vtee.sh +``` + +we will have to build those files manually: + +```bash +cd /work/crosscon + +make -C CROSSCON-Hypervisor/ \ + PLATFORM=rpi4 \ + CONFIG_BUILTIN=y \ + CONFIG_REPO=$CONFIG_REPO \ + CONFIG=rpi4-single-vTEE \ + OPTIMIZATIONS=0 \ + SDEES="sdSGX sdTZ" \ + CROSS_COMPILE=aarch64-none-elf- \ + clean + +make -C CROSSCON-Hypervisor/ \ + PLATFORM=rpi4 \ + CONFIG_BUILTIN=y \ + CONFIG_REPO=$CONFIG_REPO \ + CONFIG=rpi4-single-vTEE \ + OPTIMIZATIONS=0 \ + SDEES="sdSGX sdTZ" \ + CROSS_COMPILE=aarch64-none-elf- \ + -j`nproc` +``` + +Then make sure that the hypervisor got built correctly, and that the firmware files +exist: + +```bash +ls /work/crosscon/rpi4-ws/bin/ +ls /work/crosscon/CROSSCON-Hypervisor/bin/rpi4/builtin-configs/rpi4-single-vTEE/ +``` + +Then finally copy those files over to the host: + +```bash +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/start* $SDCARD_MOUNT/ +sudo docker cp crosscon_hv_container:/work/crosscon/CROSSCON-Hypervisor/bin/rpi4/builtin-configs/rpi4-single-vTEE/crossconhyp.bin $SDCARD_MOUNT/ +``` + + +## QEMU build + +The docker image contains all the neccessary dependencies to build the QEMU +images as well (RISCV included), so all that needs to be done is following +the instructions from [the readme](../README.md). 
diff --git a/env/build.sh b/env/build.sh deleted file mode 100755 index 5699310..0000000 --- a/env/build.sh +++ /dev/null @@ -1 +0,0 @@ -docker build -t crosscon_hv . From 0ec27f9b579c53a23357ec38ce69cbe9bd8cdbab Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Mon, 9 Dec 2024 18:23:14 +0100 Subject: [PATCH 06/23] Dockerfile: add qemu riscv deps and add build script for rpi4-ws demo --- env/Dockerfile | 8 +- env/files/build.sh | 347 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 354 insertions(+), 1 deletion(-) create mode 100755 env/files/build.sh diff --git a/env/Dockerfile b/env/Dockerfile index 77dc044..db0274c 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -38,7 +38,10 @@ RUN apt-get update && \ device-tree-compiler \ gcc-aarch64-linux-gnu \ g++-aarch64-linux-gnu \ - python3-pyelftools + python3-pyelftools \ + gcc-riscv64-linux-gnu \ + g++-riscv64-linux-gnu \ + binutils-riscv64-linux-gnu # Install Make 4.2.1 RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \ @@ -116,3 +119,6 @@ RUN cd $WORKDIR_PATH/crosscon \ # Fix missing "cryptography" python module RUN apt install python3-cryptography -y + +# copy script for rpi4-ws demo +COPY files/build.sh $WORKDIR_PATH/ diff --git a/env/files/build.sh b/env/files/build.sh new file mode 100755 index 0000000..e2cadc9 --- /dev/null +++ b/env/files/build.sh 
@@ -0,0 +1,347 @@ +#!/bin/bash + +set -eou pipefail + +# go to the right directory +cd crosscon + +# make the firmware, using the right cross-compiler +export ROOT=`realpath .` +export ROOT=`pwd` +cd rpi4-ws +export RPI4_WS=`pwd` +mkdir bin +git clone https://github.com/raspberrypi/firmware.git --depth 1 --branch 1.20230405 +git clone https://github.com/u-boot/u-boot.git --depth 1 --branch v2022.10 +cd u-boot +make rpi_4_defconfig +make -j`nproc` CROSS_COMPILE=aarch64-linux-gnu- +cp -v u-boot.bin ../bin/ +cd $RPI4_WS +git clone https://github.com/bao-project/arm-trusted-firmware.git --branch bao/demo --depth 1 +cd arm-trusted-firmware +make PLAT=rpi4 -j`nproc` CROSS_COMPILE=aarch64-linux-gnu- +cp -v build/rpi4/release/bl31.bin ../bin/ +cd $RPI4_WS + +# Step 1: optee_os +cd ../optee_os + +OPTEE_DIR="./" +export O="$OPTEE_DIR/optee-rpi4" +CC="aarch64-linux-gnu-" +export CFLAGS=-Wno-cast-function-type +PLATFORM="rpi4" +ARCH="arm" +SHMEM_START="0x08000000" +SHMEM_SIZE="0x00200000" +TZDRAM_START="0x10100000" +TZDRAM_SIZE="0x00F00000" +CFG_GIC=n + +make -C $OPTEE_DIR \ + O=$O \ + CROSS_COMPILE=$CC \ + PLATFORM=$PLATFORM \ + ARCH=$ARCH \ + CFG_PKCS11_TA=n \ + CFG_SHMEM_START=$SHMEM_START \ + CFG_SHMEM_SIZE=$SHMEM_SIZE \ + CFG_CORE_DYN_SHM=n \ + CFG_NUM_THREADS=1 \ + CFG_CORE_RESERVED_SHM=y \ + CFG_CORE_ASYNC_NOTIF=n \ + CFG_TZDRAM_SIZE=$TZDRAM_SIZE \ + CFG_TZDRAM_START=$TZDRAM_START \ + CFG_GIC=y \ + CFG_ARM_GICV2=y \ + CFG_CORE_IRQ_IS_NATIVE_INTR=n \ + CFG_ARM64_core=y \ + CFG_USER_TA_TARGETS=ta_arm64 \ + CFG_DT=n \ + CFG_CORE_ASLR=n \ + CFG_CORE_WORKAROUND_SPECTRE_BP=n \ + CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME=n \ + CFG_TEE_CORE_LOG_LEVEL=1 \ + DEBUG=1 -j16 + +OPTEE_DIR="./" +export O="$OPTEE_DIR/optee2-rpi4" +SHMEM_START="0x08200000" +TZDRAM_START="0x20100000" + +make -C $OPTEE_DIR \ + O=$O \ + CROSS_COMPILE=$CC \ + PLATFORM=$PLATFORM \ + ARCH=$ARCH \ + CFG_PKCS11_TA=n \ + CFG_SHMEM_START=$SHMEM_START \ + CFG_SHMEM_SIZE=$SHMEM_SIZE \ + CFG_CORE_DYN_SHM=n \ + 
CFG_CORE_RESERVED_SHM=y \ + CFG_CORE_ASYNC_NOTIF=n \ + CFG_TZDRAM_SIZE=$TZDRAM_SIZE \ + CFG_TZDRAM_START=$TZDRAM_START \ + CFG_GIC=y \ + CFG_ARM_GICV2=y \ + CFG_CORE_IRQ_IS_NATIVE_INTR=n \ + CFG_ARM64_core=y \ + CFG_USER_TA_TARGETS=ta_arm64 \ + CFG_DT=n \ + CFG_CORE_ASLR=n \ + CFG_CORE_WORKAROUND_SPECTRE_BP=n \ + CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME=n \ + CFLAGS="${CFLAGS} -DOPTEE2" \ + CFG_EARLY_TA=y \ + CFG_TEE_CORE_LOG_LEVEL=1 \ + DEBUG=1 -j16 + +cd /work/crosscon + +# Step 2: Linux file system + +if [ ! -e buildroot ]; then + wget https://buildroot.org/downloads/buildroot-2022.11.1.tar.gz + tar -xf buildroot-2022.11.1.tar.gz + mv buildroot-2022.11.1 buildroot +fi + +mkdir buildroot/build-aarch64 +cp support/br-aarch64.config buildroot/build-aarch64/.config +cd buildroot + +# we expect this to fail +set +e +make O=build-aarch64/ -j`nproc` +set -e + +cd .. + +# Step 3: Build OP-TEE Clients + +cd optee_client + +git checkout master +make CROSS_COMPILE=aarch64-linux-gnu- WITH_TEEACL=0 O=out-aarch64 +git checkout optee2 +make CROSS_COMPILE=aarch64-linux-gnu- WITH_TEEACL=0 O=out2-aarch64 + +cd /work/crosscon + +# Step 4: Build OP-TEE xtest + +cd optee_test + +BUILDROOT=`pwd`/../buildroot/build-aarch64/ +export CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export HOST_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export TA_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export ARCH=aarch64 +export PLATFORM=plat-vexpress +export PLATFORM_FLAVOR=qemu_armv8a +export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee-rpi4/export-ta_arm64 +export TEEC_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/ +export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/ +export CFG_TA_OPTEE_CORE_API_COMPAT_1_1=y +export DESTDIR=./to_buildroot-aarch64 +export DEBUG=0 +export CFG_TEE_TA_LOG_LEVEL=0 +export CFLAGS=-O2 +export O=`pwd`/out-aarch64 +export CFG_PKCS11_TA=n + +rm -rf $O +rm -rf to_buildroot-aarch64/ +find . 
-name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} + +find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} + +make clean +make -j`nproc` +make install + + +export O=`pwd`/out2-aarch64 +export DESTDIR=./to_buildroot-aarch64-2 +export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee/export-ta_arm64 +export TEEC_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/ +export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/ +rm -rf `pwd`/out2-aarch64 +find . -name "Makefile" -exec sed -i "s/\-lteec$/\-lteec2/g" {} + +find . -name "Makefile" -exec sed -i "s/optee_armtz/optee2_armtz/g" {} + +make clean +make -j`nproc` +make install +find . -name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} + +find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} + + +mv $DESTDIR/bin/xtest $DESTDIR/bin/xtest2 +cd /work/crosscon + +# Step 5: Compile Bitcoin Wallet Client and Trusted Application + +cd bitcoin-wallet + +BUILDROOT=`pwd`/../buildroot/build-aarch64/ + +export CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export HOST_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export TA_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export ARCH=aarch64 +export PLATFORM=plat-virt +export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee/export-ta_arm64 +export TEEC_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/ +export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/ +export CFG_TA_OPTEE_CORE_API_COMPAT_1_1=n +export DESTDIR=./to_buildroot-aarch64 +export DEBUG=0 +export CFG_TEE_TA_LOG_LEVEL=0 +export O=`pwd`/out-aarch64 + +rm -rf out-aarch64/ +## make sure we have things setup for first OP-TEE +find . -name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} + +find . 
-name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} + +make clean +make -j`nproc` + +mkdir -p to_buildroot-aarch64/lib/optee_armtz +mkdir -p to_buildroot-aarch64/bin + +cp out-aarch64/*.ta to_buildroot-aarch64/lib/optee_armtz +cp host/wallet to_buildroot-aarch64/bin/bitcoin_wallet_ca +chmod +x to_buildroot-aarch64/bin/bitcoin_wallet_ca + +## setup second OP-TEE +export O=`pwd`/out2-aarch64 +export DESTDIR=./to_buildroot-aarch64-2 +export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee2/export-ta_arm64 +export TEEC_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/ +export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/ +rm -rf `pwd`/out2-aarch64 +find . -name "Makefile" -exec sed -i "s/\-lteec/\-lteec2/g" {} + +find . -name "Makefile" -exec sed -i "s/optee_armtz/optee2_armtz/g" {} + +make clean +make -j`nproc` +## undo changes +find . -name "Makefile" -exec sed -i "s/\-lteec2/\-lteec/g" {} + +find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} + + +mkdir -p to_buildroot-aarch64-2/lib/optee2_armtz +mkdir -p to_buildroot-aarch64-2/bin + +cp out-aarch64/*.ta to_buildroot-aarch64-2/lib/optee2_armtz +cp host/wallet to_buildroot-aarch64-2/bin/bitcoin_wallet_ca2 +chmod +x to_buildroot-aarch64-2/bin/bitcoin_wallet_ca2 + + +cd /work/crosscon + +# Step 6: Compile Malicious Client and Trusted Application + +cd malicous_ta +BUILDROOT=`pwd`/../buildroot/build-aarch64/ +export CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export HOST_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export TA_CROSS_COMPILE=$BUILDROOT/host/bin/aarch64-linux- +export ARCH=aarch64 +export PLATFORM=plat-virt +export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee-aarch64/export-ta_arm64 +export TEEC_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/ +export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out-aarch64/export/usr/ +export CFG_TA_OPTEE_CORE_API_COMPAT_1_1=n +export DESTDIR=./to_buildroot-aarch64 +export DEBUG=0 +export CFG_TEE_TA_LOG_LEVEL=2 +export 
O=`pwd`/out-aarch64 +export aarch64_TARGET=y +rm -rf out-aarch64/ +## make sure we have things setup for first OP-TEE +find . -name "Makefile" -exec sed -i "s/\-lteec2$/\-lteec/g" {} + +find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} + +make clean +make -j`nproc` +mkdir -p to_buildroot-aarch64/lib/optee_armtz +mkdir -p to_buildroot-aarch64/bin +cp out-aarch64/*.ta to_buildroot-aarch64/lib/optee_armtz +cp host/malicious_ca to_buildroot-aarch64/bin/malicious_ca +chmod +x to_buildroot-aarch64/bin/malicious_ca +## setup second OP-TEE +export O=`pwd`/out2-aarch64 +export DESTDIR=./to_buildroot-aarch64-2 +export TA_DEV_KIT_DIR=`pwd`/../optee_os/optee2-aarch64/export-ta_arm64 +export TEEC_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/ +export OPTEE_CLIENT_EXPORT=`pwd`/../optee_client/out2-aarch64/export/usr/ +rm -rf `pwd`/out2-aarch64 +find . -name "Makefile" -exec sed -i "s/\-lteec/\-lteec2/g" {} + +find . -name "Makefile" -exec sed -i "s/optee_armtz/optee2_armtz/g" {} + +make clean +make -j`nproc` +## undo changes +find . -name "Makefile" -exec sed -i "s/\-lteec2/\-lteec/g" {} + +find . -name "Makefile" -exec sed -i "s/optee2_armtz/optee_armtz/g" {} + +mkdir -p to_buildroot-aarch64-2/lib/optee2_armtz +mkdir -p to_buildroot-aarch64-2/bin +cp out2-aarch64/*.ta to_buildroot-aarch64-2/lib/optee2_armtz +cp host/malicious_ca to_buildroot-aarch64-2/bin/malicious_ca2 +chmod +x to_buildroot-aarch64-2/bin/malicious_ca2 +cd /work/crosscon + +# Step 7: Finalize Linux file system + +cd buildroot +make O=build-aarch64/ -j`nproc` +cd .. 
+ +# Step 8: Build Linux + +mkdir linux/build-aarch64/ +cp support/linux-aarch64.config linux/build-aarch64/.config + +cd linux + +make ARCH=arm64 O=build-aarch64 CROSS_COMPILE=`realpath ../buildroot/build-aarch64/host/bin/aarch64-linux-` -j16 Image dtbs + +cd $ROOT + +# Step 9: Bind Linux Image and device tree + +dtc -I dts -O dtb rpi4-ws/rpi4.dts > rpi4-ws/rpi4.dtb + +cd lloader + +rm linux-rpi4.bin +rm linux-rpi4.elf +make \ + IMAGE=../linux/build-aarch64/arch/arm64/boot/Image \ + DTB=../rpi4-ws/rpi4.dtb \ + TARGET=linux-rpi4.bin \ + CROSS_COMPILE=aarch64-none-elf- \ + ARCH=aarch64 + +cd $ROOT + +# Step "10": build-demo-vtee.sh except without copying to SD card + +CONFIG_REPO=`pwd`/configs + +pushd .. + +make -C CROSSCON-Hypervisor/ \ + PLATFORM=rpi4 \ + CONFIG_BUILTIN=y \ + CONFIG_REPO=$CONFIG_REPO \ + CONFIG=rpi4-single-vTEE \ + OPTIMIZATIONS=0 \ + SDEES="sdSGX sdTZ" \ + CROSS_COMPILE=aarch64-none-elf- \ + clean + +make -C CROSSCON-Hypervisor/ \ + PLATFORM=rpi4 \ + CONFIG_BUILTIN=y \ + CONFIG_REPO=$CONFIG_REPO \ + CONFIG=rpi4-single-vTEE \ + OPTIMIZATIONS=0 \ + SDEES="sdSGX sdTZ" \ + CROSS_COMPILE=aarch64-none-elf- \ + -j`nproc` From d4f7df0b072a9f028bb94abc14c3481af055d2b1 Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Thu, 12 Dec 2024 14:55:23 +0100 Subject: [PATCH 07/23] remove tarballs, change debian version, update path --- env/Dockerfile | 47 +++++++++++++++++++++++++++++------------------ env/files/env.sh | 4 ++-- 2 files changed, 31 insertions(+), 20 deletions(-) diff --git a/env/Dockerfile b/env/Dockerfile index db0274c..4d7068f 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -1,5 +1,5 @@ # Use Debian base image -FROM debian:latest +FROM debian:12.8 # Set environment variables ENV MAKE_VERSION=4.2.1 
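Review bot: In Step 5 the second OP-TEE pass builds with `O=out2-aarch64` but then runs `cp out-aarch64/*.ta to_buildroot-aarch64-2/lib/optee2_armtz`, so the optee2 rootfs receives the TAs built against the first OP-TEE's dev kit (Step 6 gets this right with `cp out2-aarch64/*.ta …`); change it to `cp out2-aarch64/*.ta to_buildroot-aarch64-2/lib/optee2_armtz`. Relatedly, Step 1 builds into `optee_os/optee-rpi4` and `optee_os/optee2-rpi4`, yet the later `TA_DEV_KIT_DIR` exports point at `optee_os/optee/`, `optee_os/optee2/`, `optee_os/optee-aarch64/` and `optee_os/optee2-aarch64/`, which nothing in this script produces — unless those trees already exist in the checkout, the TA builds will pick up stale or missing headers. The OP-TEE cores are also built with `CFG_CORE_ASLR=n`, `CFG_CORE_WORKAROUND_SPECTRE_BP=n`, `CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME=n` and `DEBUG=1`, which is acceptable for a demo but should be stated above the first `make -C $OPTEE_DIR`, e.g. `# Demo build: core ASLR and Spectre mitigations disabled, DEBUG on — do not reuse this configuration for production TEE images`. Finally, `set +e` around the buildroot make hides any failure other than the one the comment expects, and `rm linux-rpi4.bin` / `rm linux-rpi4.elf` without `-f` abort the script under `set -e` on a tree where they do not exist yet.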
@@ -45,20 +45,23 @@ RUN apt-get update && \ # Install Make 4.2.1 RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \ - && dpkg -i make_4.2.1-1.2_amd64.deb + && dpkg -i make_4.2.1-1.2_amd64.deb \ + && rm -f make_4.2.1-1.2_amd64.deb # Install dtc 1.6.1 COPY patches/dtc $WORKDIR_PATH/patches/dtc/ RUN git clone https://salsa.debian.org/crosstoolchain-team/device-tree-compiler.git \ -&& cd device-tree-compiler \ -&& git checkout debian/1.5.0-2 \ -&& git apply $WORKDIR_PATH/patches/dtc/dtc-patch.patch \ -&& make install + && cd device-tree-compiler \ + && git checkout debian/1.5.0-2 \ + && git apply $WORKDIR_PATH/patches/dtc/dtc-patch.patch \ + && make install \ + && rm -rf $WORKDIR_PATH/device-tree-compiler # Install libssl1.1 (requirement for mkimage) RUN wget http://ftp.pl.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb \ - && dpkg -i libssl1.1_1.1.1w-0+deb11u1_amd64.deb + && dpkg -i libssl1.1_1.1.1w-0+deb11u1_amd64.deb \ + && rm -f libssl1.1_1.1.1w-0+deb11u1_amd64.deb # Install mkimage 20.10 RUN git clone https://github.com/u-boot/u-boot.git \ @@ -71,11 +74,13 @@ RUN git clone https://github.com/u-boot/u-boot.git \ # Install cmake-data 3.25 RUN wget http://ftp.pl.debian.org/debian/pool/main/c/cmake/cmake-data_3.25.1-1~bpo11+1_all.deb \ - && dpkg -i cmake-data_3.25.1-1~bpo11+1_all.deb + && dpkg -i cmake-data_3.25.1-1~bpo11+1_all.deb \ + && rm -f cmake-data_3.25.1-1~bpo11+1_all.deb # Install libjsoncpp24 RUN wget http://ftp.pl.debian.org/debian/pool/main/libj/libjsoncpp/libjsoncpp24_1.9.4-4_amd64.deb \ -&& dpkg -i libjsoncpp24_1.9.4-4_amd64.deb + && dpkg -i libjsoncpp24_1.9.4-4_amd64.deb \ + && rm -f libjsoncpp24_1.9.4-4_amd64.deb # Install Cmake 3.20.0 COPY patches/cmake $WORKDIR_PATH/patches/cmake/ 
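Review bot: The `.deb` files in this hunk (`make_4.2.1-1.2_amd64.deb`, `libssl1.1_1.1.1w-0+deb11u1_amd64.deb`) are fetched over plain `http://` and installed with `dpkg -i`, which performs none of the signature checks apt would; the new `rm -f` cleanup keeps the layer small, but the download itself remains unverified. Add a checksum check in the same `RUN` before `dpkg -i`, e.g. `&& echo "<sha256>  make_4.2.1-1.2_amd64.deb" | sha256sum -c -`, with the digest taken from the Debian archive's Packages index, and add a comment noting that `libssl1.1` is a bullseye package being side-loaded into a bookworm image solely for `mkimage`. Separately, the comment `# Install dtc 1.6.1` does not match the `git checkout debian/1.5.0-2` line right under it; one of the two should be corrected.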
@@ -88,17 +93,20 @@ RUN wget https://cmake.org/files/v3.20/cmake-3.20.0.tar.gz \ && git apply $WORKDIR_PATH/patches/cmake/custom-application-services.patch RUN cd cmake-3.20.0 \ -&& ./bootstrap \ -&& make install + && ./bootstrap \ + && make install \ + && cd .. && rm -rf cmake-3.20.0 # Install ninja 1.10.1 RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.10.1-1_amd64.deb \ - && dpkg -i ninja-build_1.10.1-1_amd64.deb + && dpkg -i ninja-build_1.10.1-1_amd64.deb \ + && rm -f ninja-build_1.10.1-1_amd64.deb # Install Arm GNU toolchain RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \ -&& unxz aarch64-none-elf.tar.xz \ -&& tar -xvf aarch64-none-elf.tar + && unxz aarch64-none-elf.tar.xz \ + && tar -xvf aarch64-none-elf.tar \ + && rm -f aarch64-none-elf.tar # Install BASH RUN apt install bash -y @@ -109,16 +117,19 @@ COPY files/env.sh $WORKDIR_PATH/ # Setup CROSSCON repository RUN git clone https://github.com/crosscon/CROSSCON-Hypervisor-and-TEE-Isolation-Demos.git \ -&& mv CROSSCON-Hypervisor-and-TEE-Isolation-Demos $WORKDIR_PATH/crosscon + && mv CROSSCON-Hypervisor-and-TEE-Isolation-Demos $WORKDIR_PATH/crosscon COPY files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules -RUN cd $WORKDIR_PATH/crosscon \ -&& git submodule init \ -&& git submodule update +RUN cd $WORKDIR_PATH/crosscon && \ + git submodule init && \ + git submodule update --depth 1 # Fix missing "cryptography" python module RUN apt install python3-cryptography -y # copy script for rpi4-ws demo COPY files/build.sh $WORKDIR_PATH/ + +# make sure path is updated +RUN echo 'export PATH=/opt/arm-gnu-toolchain-*-x86_64-aarch64-none-elf/bin:$PATH' >> ~/.bashrc diff --git a/env/files/env.sh b/env/files/env.sh index cb7f019..0e89caf 100755 --- a/env/files/env.sh +++ b/env/files/env.sh 
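Review bot: The CROSSCON repository is cloned without a pinned ref, so `git clone https://github.com/crosscon/CROSSCON-Hypervisor-and-TEE-Isolation-Demos.git` followed by `git submodule update --depth 1` yields whatever the default branch points at on the day the image is built, which makes the image irreproducible and the hypervisor/TEE sources inside it hard to audit. Pin it with `git checkout <commit>` (or `--branch <tag>`) right after the clone, ideally through an `ARG CROSSCON_REF` so the reference is visible in `docker history`. The `gcc-arm-11.2-2022.02` tarball in the same hunk is likewise unpacked without any integrity check; Arm publishes checksums alongside the download that can be fed to `sha256sum -c` before `unxz`.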
@@ -1,4 +1,4 @@ -export PATH="./device-tree-compiler:$PATH" -export PATH="./gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH" +export PATH="/work/device-tree-compiler:$PATH" +export PATH="/work/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH" alias gcc="gcc-9" From 94aaf437907f5167e7f5a9e182347c6cfb14c35c Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Thu, 12 Dec 2024 15:01:14 +0100 Subject: [PATCH 08/23] fix export --- env/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/env/Dockerfile b/env/Dockerfile index 4d7068f..acc5d8f 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -132,4 +132,4 @@ RUN apt install python3-cryptography -y COPY files/build.sh $WORKDIR_PATH/ # make sure path is updated -RUN echo 'export PATH=/opt/arm-gnu-toolchain-*-x86_64-aarch64-none-elf/bin:$PATH' >> ~/.bashrc +RUN echo 'export PATH="/work/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH"' >> ~/.bashrc From 7834e0bacb9de1b8e1f43b3379b2094481397df0 Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Thu, 12 Dec 2024 16:26:57 +0100 Subject: [PATCH 09/23] add working toolchain to dockerfile --- env/Dockerfile | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/env/Dockerfile b/env/Dockerfile index acc5d8f..9d39496 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -102,12 +102,6 @@ RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.1 && dpkg -i ninja-build_1.10.1-1_amd64.deb \ && rm -f ninja-build_1.10.1-1_amd64.deb -# Install Arm GNU toolchain -RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \ - && unxz aarch64-none-elf.tar.xz \ - && tar -xvf aarch64-none-elf.tar \ - && rm -f aarch64-none-elf.tar - # Install BASH RUN apt install bash -y SHELL ["/bin/bash", "-c"] 
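Review bot: Appending the toolchain path to `~/.bashrc` only takes effect in interactive bash sessions, so later `RUN` steps and any non-interactive `docker exec crosscon_hv_container make …` or `docker run … ./build.sh` will still not find `aarch64-none-elf-gcc`, even though the path in the new line is now correct. Prefer an image-level `ENV PATH="/work/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH"` over the `echo … >> ~/.bashrc` line; it applies to every process in the image and avoids baking a root-only shell rc into a layer.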
@@ -131,5 +125,21 @@ RUN apt install python3-cryptography -y # copy script for rpi4-ws demo COPY files/build.sh $WORKDIR_PATH/ -# make sure path is updated -RUN echo 'export PATH="/work/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH"' >> ~/.bashrc +# Install Linaro AArch64 bare-metal toolchain (aarch64-none-elf) +RUN wget https://releases.linaro.org/archive/14.11/components/toolchain/binaries/aarch64-none-elf/gcc-linaro-4.9-2014.11-x86_64_aarch64-elf.tar.xz \ + && tar -xf gcc-linaro-4.9-2014.11-x86_64_aarch64-elf.tar.xz -C /opt \ + && rm -f gcc-linaro-4.9-2014.11-x86_64_aarch64-elf.tar.xz + +# Install Arm GNU toolchain +RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \ + && unxz aarch64-none-elf.tar.xz \ + && tar -xvf aarch64-none-elf.tar \ + && rm -f aarch64-none-elf.tar + +# Install ARM Developer Toolchain (AArch64-none-elf, Linux version) +RUN wget https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf.tar.xz \ +&& tar -xf arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf.tar.xz -C /opt \ +&& rm -f arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf.tar.xz + +# Update PATH for arm developer toolchain +RUN echo 'export PATH="/opt/arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf/bin:$PATH"' >> ~/.bashrc From ea8cc9e818b91c932c8f3a4775d0903ef48b441b Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Thu, 12 Dec 2024 17:11:32 +0100 Subject: [PATCH 10/23] env/README.md: remove unnecessary docker create instruction --- env/README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/env/README.md b/env/README.md index 90e480d..f7f9d5e 100644 --- a/env/README.md +++ b/env/README.md 
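Review bot: This hunk installs three different `aarch64-none-elf` toolchains (Linaro 4.9 from 2014 into `/opt`, Arm 11.2 into the working directory, Arm 14.2 into `/opt`) and only the 14.2 one is put on `PATH`, so the 11.2 tarball unpacked in the middle `RUN` is dead weight in the image unless something references it by absolute path. Whichever toolchain is actually required should be kept alone, and each remaining `wget` should verify the archive before `tar`, e.g. `&& echo "<sha256>  arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf.tar.xz" | sha256sum -c -`, since none of these downloads is integrity-checked. If the Linaro 4.9 release stays, a comment explaining why a decade-old compiler is needed would help the next maintainer.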
@@ -14,18 +14,16 @@ docker build -t crosscon_hv . ``` to build the docker image. The resulting image will have a `crosscon_hv` tag. -After the image has been built you will need to create a container from that -image, it can be done with this command: +After the image has been built you can create and start a container directly by +running: ```bash -docker create --name crosscon_hv_container crosscon_hv +docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null ``` -Then all that's left to do is run the image and enter the shell of the -container, by running these commands: +Then, to enter the shell of the running container, use this command: ```bash -docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null docker exec -it crosscon_hv_container /bin/bash ``` From 5258cfa6db42e9a87d73960d3010d95a9c500394 Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Thu, 12 Dec 2024 17:13:05 +0100 Subject: [PATCH 11/23] env/README.md: change ubuntu to debian --- env/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/env/README.md b/env/README.md index f7f9d5e..cd92423 100644 --- a/env/README.md +++ b/env/README.md @@ -70,7 +70,7 @@ this, is when trying to compile the `optee_client`, the readme says to do this: make CROSS_COMPILE=aarch64-none-linux-gnu- WITH_TEEACL=0 O=out-aarch64 ``` -but the correct command for ubuntu (which our container is based off of) is this: +but the correct command for debian (which our container is based off of) is this: ```bash make CROSS_COMPILE=aarch64-linux-gnu- WITH_TEEACL=0 O=out-aarch64 From 05f2dd89b464a361bf43c04e6b5aea982d1f1e16 Mon Sep 17 00:00:00 2001 From: Wiktor Grzywacz Date: Thu, 12 Dec 2024 17:29:31 +0100 Subject: [PATCH 12/23] env/README.md: change adressing (no first person) --- env/README.md | 123 ++++++++++++++++++++------------------------------ 1 file changed, 49 insertions(+), 74 deletions(-) diff --git a/env/README.md b/env/README.md index cd92423..7d0d0f7 100644 
--- a/env/README.md +++ b/env/README.md @@ -14,35 +14,35 @@ docker build -t crosscon_hv . ``` to build the docker image. The resulting image will have a `crosscon_hv` tag. -After the image has been built you can create and start a container directly by -running: +After the image has been built, a container can be created and started directly +by running this command: ```bash docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null ``` -Then, to enter the shell of the running container, use this command: +Then, to enter the shell of the running container, this command can be used: ```bash docker exec -it crosscon_hv_container /bin/bash ``` -> Note: If at any point when rebuilding/rerunning the container you get error messages -> similar to this one: - -```bash -docker: Error response from daemon: Conflict. The container name -"/crosscon_hv_container" is already in use by container -"d6ee75901fd0e090147d242c485651ebf5c4fc58e13d8363725a6cab830a9ba0". You have to -remove (or rename) that container to be able to reuse that name. -See 'docker run --help'. -``` - -Just use this command: - -```bash -docker rm --force -``` +> Note: If at any point when rebuilding/rerunning the container, error messages +> similar to this one pop up: +> +> ```bash +> docker: Error response from daemon: Conflict. The container name +> "/crosscon_hv_container" is already in use by container +> "d6ee75901fd0e090147d242c485651ebf5c4fc58e13d8363725a6cab830a9ba0". You have to +> remove (or rename) that container to be able to reuse that name. +> See 'docker run --help'. +> ``` +> +> This command should be used: +> +> ```bash +> docker rm --force +> ``` ## Building the rpi4-ws demo 
@@ -54,49 +54,25 @@ user in ~/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env λ docker exec -it cro root@d6ee75901fd0:/work# ``` -Then you should `cd crosscon`, and follow the instructions from -[the README](../rpi4-ws/README.md). - -This will allow you to build the binaries, since the container has all the -necessary dependencies, but here are some important tips to bear in mind: - -### Cross-compilator names - -Sometimes, the instructions are not 100% accurate when it comes to the -`CROSS_COMPILE` flag in the `make` commands. The only time i have come across -this, is when trying to compile the `optee_client`, the readme says to do this: - -```bash -make CROSS_COMPILE=aarch64-none-linux-gnu- WITH_TEEACL=0 O=out-aarch64 -``` - -but the correct command for debian (which our container is based off of) is this: - -```bash -make CROSS_COMPILE=aarch64-linux-gnu- WITH_TEEACL=0 O=out-aarch64 -``` - -as you can see the `CROSS_COMPILE` argument should be `aarch64-linux-gnu-`, NOT -`aarch64-none-linux-gnu-`. If you ever encounter build errors, this should be -the first thing to check. +Then `cd crosscon` should be ran, and the instructions from +[the README](../rpi4-ws/README.md) followed. -> Note: while `aarch64-none-linux-gnu-` is supposed to be the bare-metal -> cross-compiler, having it on the container causes internal compiler errors and -its unusable. `aarch64-linux-gnu-` Seens to work just fine for our purposes. +This will allow the binaries to be built, since the container has all the +necessary dependencies. ### Copying the files to the SD card. -Obviously, the container allows you to build the binaries without worrying about -dependencies. But you also have to get them on the SD card in order to boot -the demo. +Obviously, the container allows the binaries to be built without worrying about +dependencies. But in the end they have to end up on the SD card in order to +boot the demo. 
#### Firmware and bootloader files -In order to correctly do this, first you have to make sure get the firmware -files over from the container on your host. Instead of doing this: +In order to correctly do this, first the firmware files have to be transferred +over from the container to the host. Instead of doing this: -> Note: Before running the following commands, ensure you have inserted the -> SD card into your host machine and that it is mounted at /media/$USER/boot +> Note: Before running the following commands, ensure that the SD card is +> inserted into the host machine and that it is mounted at /media/$USER/boot > (adjust the path as necessary if your system uses a different mount point). ```bash @@ -109,10 +85,9 @@ cp -v bin/bl31.bin $SDCARD cp -v bin/u-boot.bin $SDCARD ``` -like the readme tells you to, you will have to run these commands on host -(here I assumed that we are copying the files directly over to the SD card, -but it doesnt really matter. If you want to, you can copy them to host, -then later to the SD card): +Then these commands can be ran to copy over the firmware to the SD card (this +syntax assumes they are being copied directly from the container to the SD +card): ```bash sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/ /run/media/$USER/ @@ -123,9 +98,9 @@ sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/u-boot.bin /run/ #### Linux and Device Tree Image -After you’ve built the Linux kernel and used lloader to produce -`linux-rpi4.bin`, you’ll need to copy that file out of the container and onto -your SD card: +After the Linux kernel has been build and lloader has been used to produce +`linux-rpi4.bin`, that file will need to be copied out of the container and onto +the SD card: ```bash docker cp crosscon_hv_container:/work/crosscon/lloader/linux-rpi4.bin /media/$USER/boot 
@@ -134,24 +109,24 @@ docker cp crosscon_hv_container:/work/crosscon/lloader/linux-rpi4.bin /media/$US #### Copying the CROSSCON Hypervisor Binary Building and copying of the hypervisor binary is done in the same script, -either `build-demo-vtee.sh` or `build-demo-dual-vtee.sh`. If you look at the -content of those scripts, you will see that they build the `crossconhyp.bin` -files, then copies `start*` firmware files and `crossconhyp.bin` to the SD card -mount point. +either `build-demo-vtee.sh` or `build-demo-dual-vtee.sh`. By looking at the +content of those scripts, it can be determined that they build the +`crossconhyp.bin` files, then copies `start*` firmware files and +`crossconhyp.bin` to the SD card mount point. -> Note: this readme only covers the `build-demo-vtee.sh` script, since once -> you understand the idea of what we are doing here, it becomes easy to think +> Note: this readme only covers the `build-demo-vtee.sh` script, since +> the idea of what is being here is understood, it becomes easy to think > of the commands to achieve what goes on in the `dual` version of the script. -Since we are inside a container, we will have to build the hypervisor manually, -then copy it over to host. Once you get to the end of -[the README](../rpi4-ws/README.md), instead of just running the script: +The hypervisor will have to be built manually, then copied over to the host. +Once the end of the [the README](../rpi4-ws/README.md) demo has been reached, +instead of just running the script: ```bash ./build-demo-vtee.sh ``` -we will have to build those files manually: +those files will have to be built manually: ```bash cd /work/crosscon 
@@ -177,15 +152,15 @@ make -C CROSSCON-Hypervisor/ \ -j`nproc` ``` -Then make sure that the hypervisor got built correctly, and that the firmware files -exist: +Then confirm that the hypervisor got built correctly, and that the firmware +files exist: ```bash ls /work/crosscon/rpi4-ws/bin/ ls /work/crosscon/CROSSCON-Hypervisor/bin/rpi4/builtin-configs/rpi4-single-vTEE/ ``` -Then finally copy those files over to the host: +Then finally those files can be copied over to host: ```bash sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/start* $SDCARD_MOUNT/ From 0b87c267c7ec3da0d3ef502efc5994a284d7e3db Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Thu, 12 Dec 2024 19:51:03 +0100 Subject: [PATCH 13/23] env/Dockerfile: start interactive shell at /work/crosscon --- env/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/env/Dockerfile b/env/Dockerfile index 9d39496..68afe40 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -143,3 +143,7 @@ RUN wget https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/ # Update PATH for arm developer toolchain RUN echo 'export PATH="/opt/arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf/bin:$PATH"' >> ~/.bashrc + +# Make the starting directory is the CROSSCON Demos directory +WORKDIR $WORKDIR_PATH/crosscon +ENV ROOT=$WORKDIR_PATH/crosscon From 6c30b9fd7e79fbe604b6229c3d0eb51d93980cdf Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Fri, 13 Dec 2024 06:46:08 +0100 Subject: [PATCH 14/23] env/Dockerfile: use aarch64-*-gcc v11.2 --- env/Dockerfile | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/env/Dockerfile b/env/Dockerfile index 68afe40..711f29d 100644 --- a/env/Dockerfile +++ b/env/Dockerfile 
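Review bot: The new comment `# Make the starting directory is the CROSSCON Demos directory` is ungrammatical; suggest `# Start shells in the CROSSCON Demos directory and expose it as $ROOT`. Note that `ENV ROOT=$WORKDIR_PATH/crosscon` is immediately overwritten by `export ROOT=`pwd`` at the top of `files/build.sh`, which is harmless but worth a word in the comment so a reader does not assume the image-level value is authoritative.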
@@ -125,24 +125,22 @@ RUN apt install python3-cryptography -y # copy script for rpi4-ws demo COPY files/build.sh $WORKDIR_PATH/ -# Install Linaro AArch64 bare-metal toolchain (aarch64-none-elf) -RUN wget https://releases.linaro.org/archive/14.11/components/toolchain/binaries/aarch64-none-elf/gcc-linaro-4.9-2014.11-x86_64_aarch64-elf.tar.xz \ - && tar -xf gcc-linaro-4.9-2014.11-x86_64_aarch64-elf.tar.xz -C /opt \ - && rm -f gcc-linaro-4.9-2014.11-x86_64_aarch64-elf.tar.xz - -# Install Arm GNU toolchain +# Install Arm Bare-metal toolchain RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \ && unxz aarch64-none-elf.tar.xz \ && tar -xvf aarch64-none-elf.tar \ && rm -f aarch64-none-elf.tar -# Install ARM Developer Toolchain (AArch64-none-elf, Linux version) -RUN wget https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf.tar.xz \ -&& tar -xf arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf.tar.xz -C /opt \ -&& rm -f arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf.tar.xz + +# Install Arm GNU toolchain +RUN wget -O aarch64-none-linux-gnu.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu.tar.xz?rev=33c6e30e5ac64e6dba8f0431f2c35f1b&hash=9918A05BF47621B632C7A5C8D2BB438FB80A4480" \ + && unxz aarch64-none-linux-gnu.tar.xz \ + && tar -xvf aarch64-none-linux-gnu.tar \ + && rm -f aarch64-none-linux-gnu.tar # Update PATH for arm developer toolchain -RUN echo 'export PATH="/opt/arm-gnu-toolchain-14.2.rel1-x86_64-aarch64-none-elf/bin:$PATH"' >> ~/.bashrc +ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH" +ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu/bin:$PATH" # Make the starting 
directory is the CROSSCON Demos directory WORKDIR $WORKDIR_PATH/crosscon From 82a7c3a40f1ef1c98df9accc8636023d0019f929 Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Thu, 19 Dec 2024 16:16:45 +0100 Subject: [PATCH 15/23] env/Dockerfile: add ncurses To be able to configure the end OS with `make menuconfig` --- env/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/env/Dockerfile b/env/Dockerfile index 711f29d..970c4aa 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -41,7 +41,8 @@ RUN apt-get update && \ python3-pyelftools \ gcc-riscv64-linux-gnu \ g++-riscv64-linux-gnu \ - binutils-riscv64-linux-gnu + binutils-riscv64-linux-gnu \ + libncurses-dev # Install Make 4.2.1 RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \ From ffa95dee3c9327347da8684bde7facd616cecb36 Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Thu, 19 Dec 2024 16:46:16 +0100 Subject: [PATCH 16/23] env/*: copy the local repository instead of pulling a fresh one --- env/Dockerfile | 28 ++++++++++++---------------- env/README.md | 4 ++-- 2 files changed, 14 insertions(+), 18 deletions(-) diff --git a/env/Dockerfile b/env/Dockerfile index 970c4aa..eccd867 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -50,7 +50,7 @@ RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_am && rm -f make_4.2.1-1.2_amd64.deb # Install dtc 1.6.1 -COPY patches/dtc $WORKDIR_PATH/patches/dtc/ +COPY env/patches/dtc $WORKDIR_PATH/patches/dtc/ RUN git clone https://salsa.debian.org/crosstoolchain-team/device-tree-compiler.git \ && cd device-tree-compiler \ @@ -84,7 +84,7 @@ RUN wget http://ftp.pl.debian.org/debian/pool/main/libj/libjsoncpp/libjsoncpp24_ && rm -f libjsoncpp24_1.9.4-4_amd64.deb # Install Cmake 3.20.0 -COPY patches/cmake $WORKDIR_PATH/patches/cmake/ +COPY env/patches/cmake $WORKDIR_PATH/patches/cmake/ RUN wget https://cmake.org/files/v3.20/cmake-3.20.0.tar.gz \ && tar -xvf cmake-3.20.0.tar.gz \ 
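Review bot: Both Arm tarballs in this hunk are downloaded with `wget -O` and unpacked without an integrity check; the `rev=`/`hash=` query parameters appear to be part of Arm's download link, not a verification of the bytes received. Add a `sha256sum -c` against a known digest between `wget` and `unxz` in each `RUN`, and collapse `unxz … && tar -xvf … && rm -f …` into `tar -xJf aarch64-none-elf.tar.xz && rm -f aarch64-none-elf.tar.xz` so the intermediate `.tar` never lands in the layer. Moving the toolchains onto `ENV PATH` instead of `~/.bashrc` is the right call, as it now applies to `RUN` steps and non-interactive `docker exec` as well.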
@@ -107,24 +107,11 @@ RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.1 RUN apt install bash -y SHELL ["/bin/bash", "-c"] -# Update PATH -COPY files/env.sh $WORKDIR_PATH/ - -# Setup CROSSCON repository -RUN git clone https://github.com/crosscon/CROSSCON-Hypervisor-and-TEE-Isolation-Demos.git \ - && mv CROSSCON-Hypervisor-and-TEE-Isolation-Demos $WORKDIR_PATH/crosscon - -COPY files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules - -RUN cd $WORKDIR_PATH/crosscon && \ - git submodule init && \ - git submodule update --depth 1 - # Fix missing "cryptography" python module RUN apt install python3-cryptography -y # copy script for rpi4-ws demo -COPY files/build.sh $WORKDIR_PATH/ +COPY env/files/build.sh $WORKDIR_PATH/ # Install Arm Bare-metal toolchain RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \ @@ -143,6 +130,15 @@ RUN wget -O aarch64-none-linux-gnu.tar.xz "https://developer.arm.com/-/media/Fil ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH" ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu/bin:$PATH" +# Setup CROSSCON repository +COPY ./ $WORKDIR_PATH/crosscon + +COPY env/files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules + +RUN cd $WORKDIR_PATH/crosscon && \ + git submodule init && \ + git submodule update --depth 1 + # Make the starting directory is the CROSSCON Demos directory WORKDIR $WORKDIR_PATH/crosscon ENV ROOT=$WORKDIR_PATH/crosscon diff --git a/env/README.md b/env/README.md index 7d0d0f7..7f81c26 100644 --- a/env/README.md +++ b/env/README.md 
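Review bot: `COPY ./ $WORKDIR_PATH/crosscon` copies the whole build context into an image layer, and the only ignore file in this series (`env/.gitignore` with `build.log`) is not a `.dockerignore`, so untracked local files, editor state and anything credential-like in the checkout end up baked into the image and stay visible in `docker history` whatever a later cleanup layer removes. Add a `.dockerignore` at the repository root (at minimum `env/build.log`, `**/*.log`, editor and IDE directories) or copy only the directories the build needs. Note that the `git submodule init && git submodule update --depth 1` step just below needs the superproject's `.git` metadata, so `.git` cannot simply be excluded as written; the full history therefore becomes part of the image, which is worth stating in a comment, e.g. `# Whole checkout including .git is copied: submodule update below needs the gitlinks`. The override by `COPY env/files/.gitmodules` presumably changes only where submodules are fetched from, not which commit is checked out; confirm and document that on the line so readers do not assume the file pins versions.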
@@ -7,10 +7,10 @@ compilation of the CROSSCON hypervisor. ## How to build the container -Run this command: +Run this command from top of the repository: ```bash -docker build -t crosscon_hv . +docker build -t crosscon_hv -f env/Dockerfile . ``` to build the docker image. The resulting image will have a `crosscon_hv` tag. From 1221614f278852d8dc7357a18138d700b6e49a1b Mon Sep 17 00:00:00 2001 From: Daniil Klimuk Date: Tue, 24 Dec 2024 11:47:34 +0100 Subject: [PATCH 17/23] env: README: fix building hypervisor artifacts Signed-off-by: Daniil Klimuk --- env/README.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/env/README.md b/env/README.md index 7f81c26..7e87037 100644 --- a/env/README.md +++ b/env/README.md @@ -129,26 +129,28 @@ instead of just running the script: those files will have to be built manually: ```bash -cd /work/crosscon +CONFIG_REPO=`pwd`/configs + +pushd .. make -C CROSSCON-Hypervisor/ \ - PLATFORM=rpi4 \ - CONFIG_BUILTIN=y \ - CONFIG_REPO=$CONFIG_REPO \ - CONFIG=rpi4-single-vTEE \ - OPTIMIZATIONS=0 \ + PLATFORM=rpi4 \ + CONFIG_BUILTIN=y \ + CONFIG_REPO=$CONFIG_REPO \ + CONFIG=rpi4-single-vTEE \ + OPTIMIZATIONS=0 \ SDEES="sdSGX sdTZ" \ - CROSS_COMPILE=aarch64-none-elf- \ + CROSS_COMPILE=aarch64-none-elf- \ clean make -C CROSSCON-Hypervisor/ \ - PLATFORM=rpi4 \ - CONFIG_BUILTIN=y \ - CONFIG_REPO=$CONFIG_REPO \ - CONFIG=rpi4-single-vTEE \ - OPTIMIZATIONS=0 \ + PLATFORM=rpi4 \ + CONFIG_BUILTIN=y \ + CONFIG_REPO=$CONFIG_REPO \ + CONFIG=rpi4-single-vTEE \ + OPTIMIZATIONS=0 \ SDEES="sdSGX sdTZ" \ - CROSS_COMPILE=aarch64-none-elf- \ + CROSS_COMPILE=aarch64-none-elf- \ -j`nproc` ``` From 5873e4e8d26945fc4800d903e21d48335d0bbd82 Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Mon, 27 Jan 2025 18:22:06 +0100 Subject: [PATCH 18/23] env/README.md: standarize mountpoint path reference --- env/README.md | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) 
diff --git a/env/README.md b/env/README.md index 7e87037..5996fcd 100644 --- a/env/README.md +++ b/env/README.md @@ -69,31 +69,21 @@ boot the demo. #### Firmware and bootloader files In order to correctly do this, first the firmware files have to be transferred -over from the container to the host. Instead of doing this: +over from the container to the host. > Note: Before running the following commands, ensure that the SD card is -> inserted into the host machine and that it is mounted at /media/$USER/boot -> (adjust the path as necessary if your system uses a different mount point). +> inserted into the host machine and that it is mounted. +> (adjust the commands in this README to fit your SD card mount point). -```bash -cd $RPI4_WS -SDCARD=/media/$USER/boot - -cp -vr firmware/boot/* $SDCARD -cp -v config.txt $SDCARD -cp -v bin/bl31.bin $SDCARD -cp -v bin/u-boot.bin $SDCARD -``` - -Then these commands can be ran to copy over the firmware to the SD card (this +These commands can be ran to copy over the firmware to the SD card (this syntax assumes they are being copied directly from the container to the SD card): ```bash -sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/ /run/media/$USER/ -sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/config.txt /run/media/$USER/boot/ -sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/bl31.bin /run/media/$USER/boot/ -sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/u-boot.bin /run/media/$USER/boot/ +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/ $SDCARD_MOUNT/ +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/config.txt $SDCARD_MOUNT/ +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/bl31.bin $SDCARD_MOUNT/ +sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/u-boot.bin $SDCARD_MOUNT/ ``` #### Linux and Device Tree Image 
@@ -103,7 +93,7 @@ After the Linux kernel has been build and lloader has been used to produce the SD card: ```bash -docker cp crosscon_hv_container:/work/crosscon/lloader/linux-rpi4.bin /media/$USER/boot +docker cp crosscon_hv_container:/work/crosscon/lloader/linux-rpi4.bin $SDCARD_MOUNT/ ``` #### Copying the CROSSCON Hypervisor Binary From 07c10605da70a81515d2f051ba20fe38c6ffe0d2 Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Mon, 27 Jan 2025 19:44:41 +0100 Subject: [PATCH 19/23] env/Dockerfile: fix path when running from repo rootdir --- env/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/env/Dockerfile b/env/Dockerfile index eccd867..8c88e61 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -107,6 +107,8 @@ RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.1 RUN apt install bash -y SHELL ["/bin/bash", "-c"] +COPY env/files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules + # Fix missing "cryptography" python module RUN apt install python3-cryptography -y From 2b0e06ba9ff86a75a44cc13ed4dc83ccb7fb81db Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Mon, 27 Jan 2025 19:47:57 +0100 Subject: [PATCH 20/23] env/files/env.sh: remove We should be setting the environment variables in Dockerfile --- env/files/env.sh | 4 ---- 1 file changed, 4 deletions(-) delete mode 100755 env/files/env.sh diff --git a/env/files/env.sh b/env/files/env.sh deleted file mode 100755 index 0e89caf..0000000 --- a/env/files/env.sh +++ /dev/null @@ -1,4 +0,0 @@ -export PATH="/work/device-tree-compiler:$PATH" -export PATH="/work/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH" - -alias gcc="gcc-9" From bf4a892f497fa7c6bcfd03f0336fd4f8cecc62e0 Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Mon, 27 Jan 2025 19:50:30 +0100 Subject: [PATCH 21/23] env/Dockerfile: add libteec2 package from trixie repository --- env/Dockerfile | 9 +++++++++ 1 file changed, 9 insertions(+) 
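Review bot: The `COPY env/files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules` added at line 107 appears to be clobbered by the later `COPY ./ $WORKDIR_PATH/crosscon` (which brings in the repository's own `.gitmodules`, if it has one) and then restored by the identical `COPY env/files/.gitmodules` that already precedes the submodule step, so this new line adds a layer and a cache-invalidation point without changing the result. The path fix the commit message refers to was already made by the earlier `env/` prefix change, so either drop this line or, if an early copy is really intended, remove the duplicate further down. Whichever copy survives should carry a comment such as `# Replace submodule URLs with env/files/.gitmodules before fetching submodules` so the next reader knows why the repository's file is overwritten.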
diff --git a/env/Dockerfile b/env/Dockerfile index 8c88e61..21152e9 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -141,6 +141,15 @@ RUN cd $WORKDIR_PATH/crosscon && \ git submodule init && \ git submodule update --depth 1 +# Add support for aarch64 packages +RUN dpkg --add-architecture arm64 + +# Add trixie repository to install the libteec2 package for aarch64 +RUN echo "deb http://deb.debian.org/debian trixie main" >> /etc/apt/sources.list && \ + echo "deb-src http://deb.debian.org/debian trixie main" >> /etc/apt/sources.list && \ + apt-get update && \ + apt-get -t trixie install -y libteec2:arm64 + # Make the starting directory is the CROSSCON Demos directory WORKDIR $WORKDIR_PATH/crosscon ENV ROOT=$WORKDIR_PATH/crosscon From cefe3809e2a5eac77eef5db1a20ac9602dddf405 Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Mon, 27 Jan 2025 20:05:39 +0100 Subject: [PATCH 22/23] env/Dockerfile: reduce image size by cleaning at the end --- env/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/env/Dockerfile b/env/Dockerfile index 21152e9..30bc50c 100644 --- a/env/Dockerfile +++ b/env/Dockerfile @@ -150,6 +150,10 @@ RUN echo "deb http://deb.debian.org/debian trixie main" >> /etc/apt/sources.list apt-get update && \ apt-get -t trixie install -y libteec2:arm64 +# Clean cached apt, package lists and temprorary files to reduce image size +RUN apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + # Make the starting directory is the CROSSCON Demos directory WORKDIR $WORKDIR_PATH/crosscon ENV ROOT=$WORKDIR_PATH/crosscon From b437f7ecfe2a24bed6219e805ad0133882b832f4 Mon Sep 17 00:00:00 2001 From: Tymoteusz Burak Date: Tue, 28 Jan 2025 17:51:53 +0100 Subject: [PATCH 23/23] env/README.md: add instructions how to flash SD from inside container --- env/Dockerfile | 5 ++++- env/README.md | 31 +++++++++++++++++++++++++++---- 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/env/Dockerfile b/env/Dockerfile index 30bc50c..fd0a6cc 100644 
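Review bot: Appending `deb http://deb.debian.org/debian trixie main` to `/etc/apt/sources.list` of an unpinned `debian:latest` image without an apt preference means every later `apt-get install` or `apt-get upgrade`, not just the `-t trixie libteec2:arm64` line, may resolve dependencies from trixie and silently mix releases; `-t trixie` only raises the default release for that single invocation. Add a pin before the `apt-get update`, e.g. `printf 'Package: *\nPin: release n=trixie\nPin-Priority: 100\n' > /etc/apt/preferences.d/trixie`, so trixie packages are used only when explicitly requested. The `deb-src` line is not needed for a binary install and only doubles the index download, and since `dpkg --add-architecture arm64` now precedes this step, `apt-get update` also pulls arm64 indexes for the existing suites; a comment such as `# Only libteec2:arm64 is wanted from trixie; everything else stays on the base release` would make the intent explicit.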
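Review bot: The `apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*` added here runs in its own `RUN`, so it only adds a whiteout layer: the package lists and caches written by the earlier `apt-get update`/`install` layers remain in the image and its size is not reduced, contrary to the commit message. Cleanup shrinks an image only when it happens in the same `RUN` that produced the files, so append `&& apt-get clean && rm -rf /var/lib/apt/lists/*` to the `apt-get -t trixie install -y libteec2:arm64` step directly above (and to each earlier install step) and drop this standalone layer. A comment such as `# Must stay in the same layer as the install: a later rm -rf does not reclaim space from earlier layers` would keep the pattern from returning.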
--- a/env/Dockerfile +++ b/env/Dockerfile @@ -42,7 +42,10 @@ RUN apt-get update && \ gcc-riscv64-linux-gnu \ g++-riscv64-linux-gnu \ binutils-riscv64-linux-gnu \ - libncurses-dev + libncurses-dev \ + fdisk \ + dosfstools + # Install Make 4.2.1 RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \ diff --git a/env/README.md b/env/README.md index 5996fcd..8396d8a 100644 --- a/env/README.md +++ b/env/README.md @@ -21,6 +21,9 @@ by running this command: docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null ``` +> This step also is dependant on how you want to Flash the SD card later. All +approaches are specified [below](#Copying-the-files-to-the-SD-card.). + Then, to enter the shell of the running container, this command can be used: ```bash @@ -43,6 +46,12 @@ docker exec -it crosscon_hv_container /bin/bash > ```bash > docker rm --force > ``` +> +> Alternatively: +> +> ```bash +> docker rm --force crosscon_hv_container +> ``` ## Building the rpi4-ws demo 
@@ -60,16 +69,30 @@ Then `cd crosscon` should be ran, and the instructions from This will allow the binaries to be built, since the container has all the necessary dependencies. -### Copying the files to the SD card. +## Copying the files to the SD card. Obviously, the container allows the binaries to be built without worrying about dependencies. But in the end they have to end up on the SD card in order to boot the demo. -#### Firmware and bootloader files +### Running the container as privileged -In order to correctly do this, first the firmware files have to be transferred -over from the container to the host. +You can pass all your devices to the container and use the +[Prepare SDCard](https://github.com/3mdeb/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/tree/master/rpi4-ws#prepare-sdcard) +instructions directly from inside of it using the `--privileged` flag or more restrictively pass only the +single SD card. + +```bash +docker run -d --name crosscon_hv_container_copy --privileged crosscon_hv_copy tail -f /dev/null +``` + +```bash +docker run -d --name crosscon_hv_container_copy --device=/dev/sdX:/dev/sdX crosscon_hv_copy tail -f /dev/null +``` + +### Unprivileged container + +#### Firmware and bootloader files > Note: Before running the following commands, ensure that the SD card is > inserted into the host machine and that it is mounted.