diff options
author | Rob Austein <sra@hactrn.net> | 2020-09-13 23:04:30 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2020-09-13 23:04:30 +0000 |
commit | b092ffbcbe2c9398494f7dc9db6f0796971633e0 (patch) | |
tree | 6fabf690f1ebf485a9fea9af5298e44ad2a59a3e /raw-wiki-dump/GitRepositories%2Freleng%2Falpha | |
parent | 9d927e49d9c10fc16c6dfa4a2a96cdb6216e4e2b (diff) |
Import Cryptech wiki dump
Diffstat (limited to 'raw-wiki-dump/GitRepositories%2Freleng%2Falpha')
-rw-r--r-- | raw-wiki-dump/GitRepositories%2Freleng%2Falpha | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/raw-wiki-dump/GitRepositories%2Freleng%2Falpha b/raw-wiki-dump/GitRepositories%2Freleng%2Falpha new file mode 100644 index 0000000..55ad7f1 --- /dev/null +++ b/raw-wiki-dump/GitRepositories%2Freleng%2Falpha @@ -0,0 +1,139 @@ +{{{ +#!htmlcomment + +This page is maintained automatically by a script. Don't modify this page by hand, +your changes will just be overwritten the next time the script runs. Talk to your +Friendly Neighborhood Repository Maintainer if you need to change something here. + +}}} + +{{{ +#!html +<h1>releng/alpha</h1> + +<p>Release engineering stuff for Cryptech Alpha board and support software.</p> + +<h2>Overview</h2> + +<p>The Makefiles and scripts in this repository attempt to automate the +process of building packaged versions of the firmware and software for +the Cryptech Alpha board. At a high level, this consists of two main +phases:</p> + +<ol> +<li><p>Building a firmware package (Verilog and C code which runs on the +Alpha board itself, regardless the host system to which the Alpha +is connected); and</p></li> +<li><p>Building software packages (code which runs on the host to which +the Alpha is connected).</p></li> +</ol> + +<p>Since the firmware is the same for any given version of the Cryptech +source code, and since the process of building the firmware binaries +is both time-consuming and involves tools like the XiLinx Verilog +synthesis toolkit and cross-compilers for multiple CPUs (the Alpha's +Cortex M4 ARM CPU and the Atmel AVR ATtiny828 MCU used to implement +the anti-tampering logic for the master key memory), we include a +signed tarball containing pre-built binaries for all the firmware as +part of the source tarball for the software packages.</p> + +<p>You are of course free to build all of this for yourself, with or +without modification, the pre-built versions are just a convenience.</p> + +<h2>Source Tree</h2> + +<p>The source code itself, for both the firmware and the software, is in +the source/ directory, with names corresponding to the canonical names +of the relevant git repositories. At the time this document was +written, a few of the repositories in question had not yet been +promoted to their expected permanent homes in the core/ or sw/ trees, +but we expect this to be temporary. Regardless, directory names +within the source/ directory tree are intended to track the canonical +names of the git repositories, whatever they may be at any given time.</p> + +<h2>Firmware Build Process</h2> + +<p>The firmware build process consists of five main phases:</p> + +<ol> +<li><p>Building a "shadow" directory tree populated with symlinks back to +the source tree. This allows us to preserve binaries between +compilation runs where appropriate, without cluttering up the +source tree with various intermediate files which don't belong +there. In particular, this allows to skip the Verilog synthesis +stage when nothing there has changed, which makes the overall +build process run significantly faster.</p></li> +<li><p>Synthesizing the Verilog source code into a bitstream. This phase +generates a single bitstream file, suitable for loading into the +Alpha's FPGA chip.</p></li> +<li><p>Cross-compiling C code for the Alpha's ARM processor. This +produces two images: the bootloader, and the HSM firmware itself.</p></li> +<li><p>Cross compiling C code for the Alpha's AVR MCU. This produces a +single image, which runs the tamper-response controller.</p></li> +<li><p>Packaging all of the firmware created in the above steps into a +tarball, with some meta-data describing the package, including +SHA-2 digests of all of the firmware image files and a signature +over the entire meta-data block.</p></li> +</ol> + +<p>The precise formats which show up in the firmware tarball are subject +to change. At the moment, they consist of:</p> + +<ul> +<li><p>A raw bitstream (".bit" file) for the Xilinx Artix-7 FPGA.</p></li> +<li><p>ELF and raw binary image files for the Cortex M4 ARM CPU; we supply +both .elf and .bin files because some tools want one format, some +want the other.</p></li> +<li><p>A ".hex" image for the AVR MCU.</p></li> +</ul> + +<p>The overall packaging for the firmware tarball is intentionally pretty +boring: tar, gzip, gpg, and JSON. The intent is that users be able to +use our firmware tarball even if the scripts we provide are unsuitable +for some reason.</p> + +<p>The final result of the firmware build process is the firmware +tarball, which is written into the source/ tree for inclusion by the +software packaging phase.</p> + +<h2>Software Build Process</h2> + +<p>The software build process also consists of several phases, but is a +bit more open-ended than the firmware build process. Phases in the +current build process:</p> + +<ol> +<li><p>Building a source tarball and Debian source package (".dsc"). +The Debian and Ubuntu Linux distributions are our primary +development platforms, so we need to produce packages for them in +any case, and the process of producing a Debian-family source +package produces a source tarball as one of its outputs, so we get +that for free by doing this step first.</p></li> +<li><p>Running <a href="https://pbuilder.alioth.debian.org/">pbuilder</a> to generate clean binary packages for the +"i386" and "amd64" architectures for Debian Jessie and Ubuntu +Xenial.</p></li> +<li><p>Loading all of the Debian and Ubuntu packages produced above into +the staging instances of a set of APT repositories.</p></li> +<li><p>Generation of a <a href="http://brew.sh/">Homebrew</a> formula and committing that formula to +the staging instance of a Homebrew "tap" (git repository), using the +tarball created during the Debian source package stage as the +source package. The Homebrew formula is source-only (no "bottled" +binary packages): creating binary packages would not be +particularly difficult (one <a href="https://github.com/tpoechtrager/osxcross">osxcross</a> instance per version of +OSX we want to support would do it), but Apple's Xcode SDK license +doesn't permit this unless we run our build farm on Apple +hardware.</p></li> +<li><p>Uploading changes from the staging repositories to our public +repositories.</p></li> +</ol> + +<p>In theory, it would also be possible to produce Windows binaries using +the <a href="http://www.mingw.org/">MinGW</a> cross-compilation environment, but Windows is sufficiently +different from all other platforms that even minimal Windows support +would almost certainly require extensive source code changes, so we +have not put any serious thought into build issues for Windows.</p> +}}} + +[[RepositoryIndex(format=table,glob=releng/alpha)]] + +|| Clone `https://git.cryptech.is/releng/alpha.git` || |