diff options
author | Rob Austein <sra@hactrn.net> | 2021-02-14 16:01:15 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2021-02-14 16:01:15 +0000 |
commit | e18e5b3d2559f5f0395ffe79416cdca3abc89310 (patch) | |
tree | 340bdc43c4bfa7bcc3c048eea4db848cabe470de /markdown/BuildingFromSource.md | |
parent | ad1cc0517983e599897929b4c94463bf2af78f7c (diff) |
Start restructuring for Pelican
Diffstat (limited to 'markdown/BuildingFromSource.md')
-rw-r--r-- | markdown/BuildingFromSource.md | 229 |
1 files changed, 0 insertions, 229 deletions
diff --git a/markdown/BuildingFromSource.md b/markdown/BuildingFromSource.md deleted file mode 100644 index 8f2a4fd..0000000 --- a/markdown/BuildingFromSource.md +++ /dev/null @@ -1,229 +0,0 @@ -[[PageOutline]] - -# Building Cryptech Software/Firmware/Bitstream From Source - -Everything you need to build our software, firmware, and FPGA -bitstreams from source yourself is publicly available, but the process -is a bit complicated. Overall, there are two methods, one of which -our developers use while writing this stuff, the other of which we use -for the automated reproducible builds which go into our binary -distributions. Both methods eventually boil down to "get the source -code then run make", but the details differ. - -## What developers do - -We check out copies of all the several dozen separate repositories and -carefully arrange them in a tree structure which matches the official -naming scheme. Yes, really. It's tedious, but we have -[export:/user/sra/build-tools/https-sync-repos.py a script to automate this]. -Be warned that this script is a kludge which relies on parsing -XML from this Wiki; this is nasty, but reasonably stable, because the -XML itself is generated by another script. - -Once you have this tree, you can hop around within it, building -whichever bits are of interest to you. So if you want to rebuild just -the HSM firmware (the C code that runs on the ARM), you would go to -`sw/stm32` and run `make` there. - -## What we do for reproducible builds - -Reproducible builds use the same tree structure (as they must for the -various Makefiles to work properly), but the entire tree is embedded -in a git "superrepository" which also contains the release engineering -goo necessary to make the whole thing work. Do `git help submodule` -for an introduction to git's submodule mechanism. - -With this model, one just checks out a copy of -[source:/releng/alpha the superrepository], -runs `make` in its top directory, and eventually -the complete package pops out the other side. - -``` -git clone https://git.cryptech.is/releng/alpha.git -cd alpha -make -``` - -That's the good news. The bad news is that this process has higher -demands on its build environment: it expects to find the a complete -tool set, including the XiLinx synthesis tools, the several different -cross compilers for the firmware, and the `pbuilder` system for -building clean room packages for Ubuntu and Debian. - -As a compromise, one can use this source tree as if it were the -development source tree described above: just use the supermodule to -pull down everything else, but then ignore the supermodule and build -individual pieces as if you'd checked out all the repositories by -hand. - -## Skip all this git mess and just download a tarball - -There's another alternative, which is simpler than any of the above: -just download the source tarball. Since the only build environments -we support at the moment are Debian Jessie and Ubuntu Xenial, which -also happen to be environments for which we build binary packages, you -can just use APT: - -``` -apt-get source cryptech-alpha -``` - -Which will give you the same tree structure, but without all the git fun. - -## Build environment - -Our software and firmware developers use the Debian and Ubuntu Linux -distributions. Our current build box for binary packages runs Debian -Jessie. - -Our Verilog developers use various environments and have been known to -use graphical tools, but synthesis of the bitstreams that go in our -binary packages is done via the XiLinx command line tools on the same -Debian Jessie machine as the software and firmware builds. - -Which tools you need will of course depend on exactly what you're -trying to do. - -Most of the tools work on either 32-bit or 64-bit machines, but if you -intend to run the full binary package build script, you'll need a -64-bit machine (or VM) because the tools won't build 64-bit binaries -on a 32-bit machine. - -Basic tool set (not all required for every purpose, but they're all -supported Debian packages so it's usually easier just to install them -all and not worry about it): - -``` - apt-get install git pbuilder ubuntu-dev-tools rsync sudo - apt-get install python-yaml python-serial python-crypto python-ecdsa - apt-get install gcc-arm-none-eabi gdb-arm-none-eabi - apt-get install gcc-avr binutils-avr avr-libc - apt-get -t jessie-backports install debootstrap distro-info-data - apt-get install reprepro ubuntu-archive-keyring -``` - -This is not an exhaustive list, because some of the other packages we -use are pulled in by these as dependencies. - -You will also need a copy of the XiLinx tools, which is tedious enough -that it's described in a separate section, below. - -Once you have all the tools installed, you'll need a copy of the -source tree, as explained in the preceeding sections. - -pbuilder requires a bit of setup (you can skip this if you're not -trying to do the full binary package build): - -``` -for code in jessie xenial; do for arch in i386 amd64; do pbuilder-dist $code $arch create; done; done -ln -s jessie_result ~/pbuilder/jessie-amd64_result -ln -s xenial_result ~/pbuilder/xenial-amd64_result -``` - -## Installing the XiLinx tools - -XiLinx tools setup is a bit involved. You can skip this section if -you don't intend to build FPGA bitstreams. - -We use the command line versions of the XiLinx tools, but installing -them requires a graphical environment, because the XiLinx installer -and license manager are GUI tools. If you're running this on a server -and don't already have a graphical environment installed, you can get -away with something fairly minimal. For example, if you have a VNC -viewer such as "Chicken of the VNC" on your laptop, you can get away -with a fairly minimal X11 toolset: - -``` -apt-get install tightvncserver xterm icewm -``` - -If you're already running X11 on your laptop and are comfortable with -extruding that to the build machine, eg, via `ssh -Y`, you can just -use that (not recommended for long-haul use, eg, if the laptop is in -Boston and the server is in Reykjavik). - -You'll need to start by using a web browser to download the -[Xilinx ISE Design Suite](http://www.xilinx.com/support/download/index.html/content/xilinx/en/downloadNav/design-tools.html). - -XiLinx only supports specific versions of Red Hat and Suse Linux, but -their tools do run on Debian and Ubuntu. A few caveats: - - -* Debian and Ubuntu symlink `/bin/sh` to `/bin/dash`, which can't handle - - some of the syntax used in XiLinx's shell scripts, so you'll need to - change that symlink to point to `/bin/bash`. - - -* Although the XiLinx software can be installed as user or root, by - - default it wants to install into /opt/Xilinx, so you need to install - as root if you want to do that. - - -* The XiLinx tools are disk hogs, so if you're building a VM for this, - - you'll probably want to give it at least 30-40 GB of disk space. - -Step-by-step installation: - -1. Unpack `Xilinx_ISE_DS_Lin_14.7_1015_1.tar` (or whatever version you have). -2. In an X11 environment, cd to `Xilinx_ISE_DS_Lin_14.7_1015_1`, and run `sudo ./xsetup` -3. Click through two screens of license agreements. -4. Select `ISE WebPACK`. -5. Unselect (or leave unselected) Install Cable Drivers. -6. Go! - -Well, not quite. You'll need to convince the ISE tools that you have -a valid license to use the ISE tools. Go to -http://www.xilinx.com/products/design-tools/ise-design-suite/ise-webpack.htm, -click the `Licensing Solutions` link. On the page to which that takes -you, expand the section `Obtain a license for Free or Evaluation -product`. To download the ISE Webpack, you should have created an -account, so now you can go to the Licensing Site and use that account -to create a Certificate Based License. - -You do not need to go through the HostID dance, just say Do It. You -will then receive a certificate in email (not an X.509 certificate) -which you will be able to use. Then start the ISE Webpack by issuing -the command `ise`. Go to the Help menu and Manage Licenses. Use the -resulting new License Manager window to install the `.lic` file. This -process is complex and flakey. - -Here's -[another description of installing ISE on Ubuntu](http://www.armadeus.com/wiki/index.php?title=ISE_WebPack_installation_on_Linux). - -The `ise` binary referred to above is in `/opt/Xilinx/14.7/ISE_DS/ISE/bin/lin64/ise` -(or in `.../lin/ise`, but the pbuilder setup requires a 64-bit build machine). - -When running this remotely under tightvncserver, setup looks something like this: - -``` -vncserver :0 -geometry 1280x768 -depth 16 -localhost -export DISPLAY=:0 XAUTHORITY=~/.Xauthority -icewm& -``` - -Then, either in the same shell as the above or in an xterm in the new display - -``` -cd Xilinx_ISE_DS_Lin_14.7_1015_1 -sudo ./xsetup - -cd -/opt/Xilinx/14.7/ISE_DS/ISE/bin/lin64/ise -``` - -It turns out you don't really need to run the whole `ise` tool to -get to the license manager, you can just run - -``` -/opt/Xilinx/14.7/ISE_DS/common/bin/lin64/xlcm -manage -``` - -But you do have to source the appropriate settings file first, none of -the XiLinx tools work properly without that: - -``` -. /opt/Xilinx/14.7/ISE_DS/settings64.sh -``` |