env/: Implement Docker environment

env/.gitignore

@@ -0,0 +1 @@
+build.log

env/Dockerfile

@@ -0,0 +1,162 @@
+# Use Debian base image
+FROM debian:12.8
+
+# Set environment variables
+ENV MAKE_VERSION=4.2.1
+ENV WORKDIR_PATH=/work
+
+# Set working directory
+WORKDIR $WORKDIR_PATH
+
+# Update package lists, install necessary dependencies
+RUN apt-get update && \
+    apt-get install -y \
+    git \
+    wget \
+    build-essential \
+    libfdt1 \
+    libyaml-0-2 \
+    gdebi-core \
+    libuv1 \
+    procps \
+    librhash0 \
+    libarchive13 \
+    libc6 \
+    libcurl4 \
+    libexpat1 \
+    libgcc-s1 \
+    binutils \
+    flex \
+    bison \
+    pkg-config \
+    openssl \
+    libssl-dev \
+    cpio \
+    unzip \
+    rsync \
+    bc \
+    device-tree-compiler \
+    gcc-aarch64-linux-gnu \
+    g++-aarch64-linux-gnu \
+    python3-pyelftools  \
+    gcc-riscv64-linux-gnu \
+    g++-riscv64-linux-gnu \
+    binutils-riscv64-linux-gnu \
+    libncurses-dev \
+    fdisk \
+    dosfstools
+
+
+# Install Make 4.2.1
+RUN wget http://ftp.pl.debian.org/debian/pool/main/m/make-dfsg/make_4.2.1-1.2_amd64.deb \
+    && dpkg -i make_4.2.1-1.2_amd64.deb \
+    && rm -f make_4.2.1-1.2_amd64.deb
+
+# Install dtc 1.6.1
+COPY env/patches/dtc $WORKDIR_PATH/patches/dtc/
+
+RUN git clone https://salsa.debian.org/crosstoolchain-team/device-tree-compiler.git \
+    && cd device-tree-compiler \
+    && git checkout debian/1.5.0-2 \
+    && git apply $WORKDIR_PATH/patches/dtc/dtc-patch.patch \
+    && make install \
+    && rm -rf $WORKDIR_PATH/device-tree-compiler
+
+# Install libssl1.1 (requirement for mkimage)
+RUN wget http://ftp.pl.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb \
+    && dpkg -i libssl1.1_1.1.1w-0+deb11u1_amd64.deb \
+    && rm -f libssl1.1_1.1.1w-0+deb11u1_amd64.deb
+
+# Install mkimage 20.10
+RUN git clone https://github.com/u-boot/u-boot.git \
+    && cd u-boot \
+    && git checkout v2020.10 \
+    && make tools-only_defconfig \
+    && make tools \
+    && cp tools/mkimage /usr/local/bin \
+    && chmod +x /usr/local/bin/mkimage
+
+# Install cmake-data 3.25
+RUN wget http://ftp.pl.debian.org/debian/pool/main/c/cmake/cmake-data_3.25.1-1~bpo11+1_all.deb \
+    && dpkg -i cmake-data_3.25.1-1~bpo11+1_all.deb \
+    && rm -f cmake-data_3.25.1-1~bpo11+1_all.deb
+
+# Install libjsoncpp24
+RUN wget http://ftp.pl.debian.org/debian/pool/main/libj/libjsoncpp/libjsoncpp24_1.9.4-4_amd64.deb \
+    && dpkg -i libjsoncpp24_1.9.4-4_amd64.deb \
+    && rm -f libjsoncpp24_1.9.4-4_amd64.deb
+
+# Install Cmake 3.20.0
+COPY env/patches/cmake $WORKDIR_PATH/patches/cmake/
+
+RUN wget https://cmake.org/files/v3.20/cmake-3.20.0.tar.gz \
+    && tar -xvf cmake-3.20.0.tar.gz \
+    && cd cmake-3.20.0 \
+    && git apply $WORKDIR_PATH/patches/cmake/001-search-path.diff \
+    && git apply $WORKDIR_PATH/patches/cmake/003-libuv-application-services.diff \
+    && git apply $WORKDIR_PATH/patches/cmake/custom-application-services.patch
+
+RUN cd cmake-3.20.0 \
+    && ./bootstrap \
+    && make install \
+    && cd .. && rm -rf cmake-3.20.0
+
+# Install ninja 1.10.1
+RUN wget http://ftp.pl.debian.org/debian/pool/main/n/ninja-build/ninja-build_1.10.1-1_amd64.deb \
+    && dpkg -i ninja-build_1.10.1-1_amd64.deb \
+    && rm -f ninja-build_1.10.1-1_amd64.deb
+
+# Install BASH
+RUN apt install bash -y
+SHELL ["/bin/bash", "-c"]
+
+COPY env/files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules
+
+# Fix missing "cryptography" python module
+RUN apt install python3-cryptography -y
+
+# copy script for rpi4-ws demo
+COPY env/files/build.sh $WORKDIR_PATH/
+
+# Install Arm Bare-metal toolchain
+RUN wget -O aarch64-none-elf.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf.tar.xz?rev=981d8f7e91864070a466d852589598e2&hash=8D5397D4E41C99A96989ED813E8E95F0" \
+    && unxz aarch64-none-elf.tar.xz \
+    && tar -xvf aarch64-none-elf.tar \
+    && rm -f aarch64-none-elf.tar
+
+
+# Install Arm GNU toolchain
+RUN wget -O aarch64-none-linux-gnu.tar.xz "https://developer.arm.com/-/media/Files/downloads/gnu/11.2-2022.02/binrel/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu.tar.xz?rev=33c6e30e5ac64e6dba8f0431f2c35f1b&hash=9918A05BF47621B632C7A5C8D2BB438FB80A4480" \
+    && unxz aarch64-none-linux-gnu.tar.xz \
+    && tar -xvf aarch64-none-linux-gnu.tar \
+    && rm -f aarch64-none-linux-gnu.tar
+
+# Update PATH for arm developer toolchain
+ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-elf/bin:$PATH"
+ENV PATH="$WORKDIR_PATH/gcc-arm-11.2-2022.02-x86_64-aarch64-none-linux-gnu/bin:$PATH"
+
+# Setup CROSSCON repository
+COPY ./ $WORKDIR_PATH/crosscon
+
+COPY env/files/.gitmodules $WORKDIR_PATH/crosscon/.gitmodules
+
+RUN cd $WORKDIR_PATH/crosscon && \
+    git submodule init && \
+    git submodule update --depth 1
+
+# Add support for aarch64 packages
+RUN dpkg --add-architecture arm64
+
+# Add trixie repository to install the libteec2 package for aarch64
+RUN echo "deb http://deb.debian.org/debian trixie main" >> /etc/apt/sources.list && \
+    echo "deb-src http://deb.debian.org/debian trixie main" >> /etc/apt/sources.list && \
+    apt-get update && \
+    apt-get -t trixie install -y libteec2:arm64
+
+# Clean cached apt, package lists and temprorary files to reduce image size
+RUN apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Make the starting directory is the CROSSCON Demos directory
+WORKDIR $WORKDIR_PATH/crosscon
+ENV ROOT=$WORKDIR_PATH/crosscon

env/README.md

@@ -0,0 +1,190 @@
+# Docker for CROSSCON Hypervisor
+
+## Overview
+
+The purpose of this repo is to provide the environment required for
+compilation of the CROSSCON hypervisor.
+
+## How to build the container
+
+Run this command from top of the repository:
+
+```bash
+docker build -t crosscon_hv -f env/Dockerfile .
+```
+
+to build the docker image. The resulting image will have a `crosscon_hv` tag.
+After the image has been built, a container can be created and started directly
+by running this command:
+
+```bash
+docker run -d --name crosscon_hv_container crosscon_hv tail -f /dev/null
+```
+
+> This step also is dependant on how you want to Flash the SD card later. All
+approaches are specified [below](#Copying-the-files-to-the-SD-card.).
+
+Then, to enter the shell of the running container, this command can be used:
+
+```bash
+docker exec -it crosscon_hv_container /bin/bash
+```
+
+> Note: If at any point when rebuilding/rerunning the container, error messages
+> similar to this one pop up:
+>
+> ```bash
+> docker: Error response from daemon: Conflict. The container name
+> "/crosscon_hv_container" is already in use by container
+> "d6ee75901fd0e090147d242c485651ebf5c4fc58e13d8363725a6cab830a9ba0". You have to
+> remove (or rename) that container to be able to reuse that name.
+> See 'docker run --help'.
+> ```
+>
+> This command should be used:
+>
+> ```bash
+> docker rm --force <hash_of_the_container_from_the_error_message>
+> ```
+>
+> Alternatively:
+>
+> ```bash
+> docker rm --force crosscon_hv_container
+> ```
+
+## Building the rpi4-ws demo
+
+This section contains instructions on how to build and flash the rpi4-ws demo.
+After attaching to the container, it should look like this:
+
+```bash
+user in ~/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/env λ docker exec -it crosscon_hv_container /bin/bash
+root@d6ee75901fd0:/work#
+```
+
+Then `cd crosscon` should be ran, and the instructions from
+[the README](../rpi4-ws/README.md) followed.
+
+This will allow the binaries to be built, since the container has all the
+necessary dependencies.
+
+## Copying the files to the SD card.
+
+Obviously, the container allows the binaries to be built without worrying about
+dependencies. But in the end they have to end up on the SD card in order to
+boot the demo.
+
+### Running the container as privileged
+
+You can pass all your devices to the container and use the
+[Prepare SDCard](https://github.com/3mdeb/CROSSCON-Hypervisor-and-TEE-Isolation-Demos/tree/master/rpi4-ws#prepare-sdcard)
+instructions directly from inside of it using the `--privileged` flag or more restrictively pass only the
+single SD card.
+
+```bash
+docker run -d --name crosscon_hv_container_copy --privileged crosscon_hv_copy tail -f /dev/null
+```
+
+```bash
+docker run -d --name crosscon_hv_container_copy --device=/dev/sdX:/dev/sdX crosscon_hv_copy tail -f /dev/null
+```
+
+### Unprivileged container
+
+#### Firmware and bootloader files
+
+> Note: Before running the following commands, ensure that the SD card is
+> inserted into the host machine and that it is mounted.
+> (adjust the commands in this README to fit your SD card mount point).
+
+These commands can be ran to copy over the firmware to the SD card (this
+syntax assumes they are being copied directly from the container to the SD
+card):
+
+```bash
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/ $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/config.txt $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/bl31.bin $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/bin/u-boot.bin $SDCARD_MOUNT/
+```
+
+#### Linux and Device Tree Image
+
+After the Linux kernel has been build and lloader has been used to produce
+`linux-rpi4.bin`, that file will need to be copied out of the container and onto
+the SD card:
+
+```bash
+docker cp crosscon_hv_container:/work/crosscon/lloader/linux-rpi4.bin $SDCARD_MOUNT/
+```
+
+#### Copying the CROSSCON Hypervisor Binary
+
+Building and copying of the hypervisor binary is done in the same script,
+either `build-demo-vtee.sh` or `build-demo-dual-vtee.sh`. By looking at the
+content of those scripts, it can be determined that they build the
+`crossconhyp.bin` files, then copies `start*` firmware files and
+`crossconhyp.bin` to the SD card mount point.
+
+> Note: this readme only covers the `build-demo-vtee.sh` script, since
+> the idea of what is being here is understood, it becomes easy to think
+> of the commands to achieve what goes on in the `dual` version of the script.
+
+The hypervisor will have to be built manually, then copied over to the host.
+Once the end of the [the README](../rpi4-ws/README.md) demo has been reached,
+instead of just running the script:
+
+```bash
+./build-demo-vtee.sh
+```
+
+those files will have to be built manually:
+
+```bash
+CONFIG_REPO=`pwd`/configs
+
+pushd ..
+
+make -C CROSSCON-Hypervisor/ \
+	PLATFORM=rpi4 \
+	CONFIG_BUILTIN=y \
+	CONFIG_REPO=$CONFIG_REPO \
+	CONFIG=rpi4-single-vTEE \
+	OPTIMIZATIONS=0 \
+        SDEES="sdSGX sdTZ" \
+	CROSS_COMPILE=aarch64-none-elf- \
+        clean
+
+make -C CROSSCON-Hypervisor/ \
+	PLATFORM=rpi4 \
+	CONFIG_BUILTIN=y \
+	CONFIG_REPO=$CONFIG_REPO \
+	CONFIG=rpi4-single-vTEE \
+	OPTIMIZATIONS=0 \
+        SDEES="sdSGX sdTZ" \
+	CROSS_COMPILE=aarch64-none-elf- \
+        -j`nproc`
+```
+
+Then confirm that the hypervisor got built correctly, and that the firmware
+files exist:
+
+```bash
+ls /work/crosscon/rpi4-ws/bin/
+ls /work/crosscon/CROSSCON-Hypervisor/bin/rpi4/builtin-configs/rpi4-single-vTEE/
+```
+
+Then finally those files can be copied over to host:
+
+```bash
+sudo docker cp crosscon_hv_container:/work/crosscon/rpi4-ws/firmware/boot/start* $SDCARD_MOUNT/
+sudo docker cp crosscon_hv_container:/work/crosscon/CROSSCON-Hypervisor/bin/rpi4/builtin-configs/rpi4-single-vTEE/crossconhyp.bin $SDCARD_MOUNT/
+```
+
+
+## QEMU build
+
+The docker image contains all the neccessary dependencies to build the QEMU
+images as well (RISCV included), so all that needs to be done is following
+the instructions from [the readme](../README.md).

env/files/.gitmodules

@@ -0,0 +1,21 @@
+[submodule "CROSSCON-Hypervisor"]
+	path = CROSSCON-Hypervisor
+	url = http://github.com/crosscon/CROSSCON-Hypervisor.git
+[submodule "optee_client"]
+	path = optee_client
+	url = http://github.com/crosscon/optee_client.git
+[submodule "optee_os"]
+	path = optee_os
+	url = http://github.com/crosscon/optee_os.git
+[submodule "opensbi"]
+	path = opensbi
+	url = https://github.com/bao-project/opensbi.git
+[submodule "linux"]
+	path = linux
+	url = http://github.com/crosscon/linux.git
+[submodule "optee_test"]
+	path = optee_test
+	url = http://github.com/crosscon/optee_test.git
+[submodule "bitcoin-wallet"]
+	path = bitcoin-wallet
+	url = http://github.com/crosscon/bitcoin-wallet.git