Age | Commit message (Collapse) | Author |
|
|
|
Ubuntu 20.04 no longer really supports Python 2, so we'd have to fork
the packaging code if we wanted to keep support for Python 2
elsewhere. Given that Python 3 has been around for a more than a
decade and that Python 2 was formally EOLed more than six months ago
as of this writing, this seems like an unnecessary complication.
The biggest change is rewriting the Homebrew formula for Python 3.
|
|
|
|
This is a first step towards moving all of the Cryptech code from
Python 2 to Python 3. At this stage, the goal is to make the same
source code work in both language dialects, and to build packages
which install both versions of the library code.
This is a necessary step along the way, but since Python 2 is already
past EOL as of this writing and since some distributions have started
dropping all support for Python 2, we will almost certainly want to
drop all Python 2 support in the relatively near future, if only
because it's not really to do all the packaging right for both
versions at once without much more trouble than a dead language
dialect is probably worth. All platforms we care about should support
Python 3 already, any that don't probably have much worse problems.
So the primary purpose of pushing this particular commit is to archive
what will probably be the last version supporting Python 2, while
giving folks a chance to test the incoming Python 3 support a bit.
Once we've cut loose from Python 2 for good, there's some cleanup we
can and should do (eg, all the gymnastics to work around Python 2's
handling of bytes as a form of text rather than a sequence of small
integers), but for the moment we want to keep that compatability,
albeit briefly.
|
|
Prior to this change, it was not possible to build the release
packaging without the release engineering PGP key, which is nicely
paranoid but ignores the possibility that people other than the
release engineer might want to reuse our packaging. Doh.
So we still use the release engineering key to sign the manifest in
the firmware tarball if the key is available, but if it's not we
produce an unsigned manifest.
|
|
Developer consensus is that between mulitple new cores and a number of
performance improvements, this is worthy of a major version number bump.
|
|
|
|
It's been a while since we did a full reproducible build via the
releng tree. Some of the old modules are now obsolete, and a couple
of the new ones weren't present.
This is an initial test after updating the existing submodules and
adding the missing ones. I don't really expect it to work, it's a
first attempt.
At minimum, we should go through and clean out submodules we no longer
use, but that can wait until we figure out if we now have all the
right modules and branches recorded here and whether the resulting
configuration works properly.
|
|
|
|
|
|
|
|
This also catches some recent-ish changes to aes, chacha, and rosc_entropy.
|
|
|
|
|
|
|
|
|
|
This is the recent stuff that's not specific to the fmc_clk effort.
In theory this should all just work (with the old asynchronous
clocking), in practice, well, that's part of what we want to test.
|
|
Some recent changes to sw/libhal were not tested properly against
sw/pkcs11, which led to a couple of build issues and a segfault.
These have now been fixed.
The floggings will continue until morale improves.
|
|
|
|
|
|
Specific reason for this build was to test removal of a couple of
TerASIC-specific files.
Other accumulated changes include:
* A bunch of work on the AES core;
* A bunch of minor performance enhancements in the C code, mostly
related to RSA signature time (which is still a problem, but this
set of fixes removed a bunch of dumb stuff which was masking what we
now think is the root cause of the performance issue);
* A bunch of minor fixes and cleanups in the C code (eg, assertions
now log something to the console rather than just locking up).
|
|
|
|
reprepro strictly follows the Debian package rule that two package
files which have the same name must have identical content. Which is
fine, except when we want to support the same version of a package on
multiple releases of the same Debian-flavored operating system.
The usual hack for this is to add a release-specific tag to the end of
the version string. The brute force way of doing this requires
modifying the source package for each release, but there's an obscure
hack which lets us augment the binary package versions directly.
|
|
NB: this change is not by itself enough to prep the build environment
for new platforms, one must also (manually):
a) Update the conf/distributions files in the reprepro repositories to
include the new codenames;
b) Install an updated version of the debootstrap package on the build
machine so that it knows how to construct the base environment for
the new codenames; and
c) Create the initial pbuilder environments fot the new codenames
using `pbuilder-dist create`.
There may be other steps I've forgotten, it's been a while since we
last added a new codename.
Per recommendation in the Debian Wiki, the debootstrap package I
expect to use for this was manually backported (so that our existing
build machine can know how to build for codenames newer than what the
build machine itself is running). In this case I'm using the
stretch-backports version (to get Ubuntu Bionic).
|
|
|
|
|
|
|
|
Most recent AES core doesn't synthesize properly with core_selector,
and we have other fixes to test. So back AES changes out of the
releng build for now, re-add them when we sort this out.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We don't really need PyCrypto for most things, and installing it on
the fly is easy with apt-get, but it's not worth trying to explain why
it's always included on OSX and has to be installed manually on Linux.
|
|
Python package dependencies in Homebrew packages are tricky enough
that it's easiest just to install PyCrypto unconditionally on OSX.
|
|
|
|
|
|
The ks9 branch of sw/libhal breaks keystore backwards compatability
again. Unclear whether we should do something about that, but since
we do have a workaround in the form of cryptech_backup --soft-backup,
we should ship that *before* we break the keystore again, so that
careful users can back up before the problematic firmware upgrade.
|
|
|
|
Homebrew reserves the right to decide on the fly which copy of the
Python 2.7 interpreter (Apple's or Homebrew's) we should be using.
This is mostly reasonable, but makes it tricky when a Homebrew package
includes both a Python "application" and Python "bindings", because
the bindings may be installed where the script doesn't see them. So
we symlink the bindings into the application's private library tree,
just as if the bindings were a third-party library our application
needed. Silly, but it works (this week).
|
|
|
|
|