OP-TEE / optee_docs

This git contains the official documentation for the OP-TEE project
BSD 2-Clause "Simplified" License

building: prerequisite: Install cryptography by pip on Ubuntu 20.04 #201

Closed markz-zhang closed 1 year ago

markz-zhang commented 1 year ago

The cryptography python package in Ubuntu 20.04 is too old for new OP-TEE releases. Pip should be used to install a newer version of cryptography to avoid build errors.

jforissier commented 1 year ago

I tried building for QEMUv8 in a docker image (docker run -it --rm ubuntu:20.04) and did not run into any issue related to the cryptography package. I did have to add python-is-python3, git, libslirp-dev, wget and cpio which are missing from the prerequisites, though. Which platform are you building for? What is your Ubuntu version? Are all your packages up-to-date? (sudo apt update; sudo apt upgrade)

root@e7db4287398d:~/optee/build# cat /etc/issue
Ubuntu 20.04.6 LTS \n \l
markz-zhang commented 1 year ago

jforissier, I didn't test qemuv8 so it may work. I am testing building the nvidia jetson optee source package. The error log looks like this:

SIGN    /home/mohits/rel-35_TOT/sources/optee/optee/build/t234/ta/subkey1/5c206987-16a3-59cc-ab0f-64b9cfc9e758.ta
Traceback (most recent call last):
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 968, in <module>
    main()
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 964, in main
    args.func(args)
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 841, in command_sign_enc
    ta_image.add_subkey(args.subkey, args.name)
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 793, in add_subkey
    sk_image.parse()
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 562, in parse
    self.subkey_key = rsa.RSAPublicNumbers(e, n).public_key()
TypeError: public_key() missing 1 required positional argument: 'backend'

Looking at the line #562 of sign_encrypt.py, it is:

self.subkey_key = rsa.RSAPublicNumbers(e, n).public_key()

So if you look at the v2.8 python3 cryptography document: https://cryptography.io/en/2.8/hazmat/primitives/asymmetric/rsa/, it shows that the "public_key" function requires a parameter named "backend". But if you take a look at the latest version document: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/, this parameter is not needed anymore.

I think this explains the build error. I guess the reason you didn't hit this is that either the qemuv8 build doesn't need this "sign_encrypt.py", or your python3 cryptography is a higher version.

BTW: I just installed a clean Ubuntu 20.04.6 and upgraded all packages, and I confirm that the cryptography python package in this Ubuntu distro is v2.8:

mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:    20.04
Codename:   focal
mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ 
mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ dpkg -S python3-cryptography
python3-cryptography: /usr/share/doc/python3-cryptography
python3-cryptography: /usr/share/doc/python3-cryptography/copyright
python3-cryptography: /usr/share/doc/python3-cryptography/changelog.Debian.gz
python3-cryptography: /usr/share/python3/dist/python3-cryptography
mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ 
mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ dpkg -s python3-cryptography
Package: python3-cryptography
Status: install ok installed
Priority: optional
Section: python
Installed-Size: 1593
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Source: python-cryptography
Version: 2.8-3ubuntu0.1
Depends: python3 (>= 3~), python3-cffi-backend-api-min (<= 9729), python3-cffi-backend-api-max (>= 9729), python3-six (>= 1.4.1), python3:any, libc6 (>= 2.14), libssl1.1 (>= 1.1.1)
Suggests: python-cryptography-doc, python3-cryptography-vectors
Breaks: python3-openssl (<< 16.0.0)
Description: Python library exposing cryptographic recipes and primitives (Python 3)
 The cryptography library is designed to be a "one-stop-shop" for
 all your cryptographic needs in Python.
 .
 As an alternative to the libraries that came before it, cryptography
 tries to address some of the issues with those libraries:
  - Lack of PyPy and Python 3 support.
  - Lack of maintenance.
  - Use of poor implementations of algorithms (i.e. ones with known
    side-channel attacks).
  - Lack of high level, "Cryptography for humans", APIs.
  - Absence of algorithms such as AES-GCM.
  - Poor introspectability, and thus poor testability.
  - Extremely error prone APIs, and bad defaults.
 .
 This package contains the Python 3 version of cryptography.
Homepage: https://cryptography.io/
Original-Maintainer: Tristan Seligmann <mithrandi@debian.org>
mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ 
mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ pip3 list | grep -ie crypto
cryptography           2.8                 
mohits@mohits-dt05:~/rel-35_TOT/sources/optee$ 
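A version-tolerant form of the parse() step discussed above, as an added example (not code from optee_docs, sign_encrypt.py or the PR author): it rebuilds the RSA public key from (e, n) with a fallback to the 2.8-style `backend` call, and adds a preflight round-trip a build host can run before signing TAs. The 3.1 threshold in needs_backend_arg() is an assumption, as is the constructed payload.

```python
import re


def parse_version(ver: str) -> tuple:
    """Turn a version string such as '2.8' or '41.0.7' into a tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", ver)[:3])


def needs_backend_arg(ver: str) -> bool:
    """True when this cryptography release still requires the `backend` argument
    (assumption: the argument became optional in 3.1; Ubuntu 20.04 ships 2.8)."""
    return parse_version(ver) < (3, 1)


def public_key_from_numbers(e: int, n: int):
    """Rebuild an RSA public key from (e, n), as the parse() step of
    sign_encrypt.py does, on either generation of the cryptography API."""
    from cryptography.hazmat.primitives.asymmetric import rsa
    numbers = rsa.RSAPublicNumbers(e, n)
    try:
        return numbers.public_key()  # newer cryptography: no backend needed
    except TypeError:
        from cryptography.hazmat.backends import default_backend
        return numbers.public_key(default_backend())  # 2.8-style call


def subkey_roundtrip_ok():
    """Preflight for a build host: generate a throwaway subkey, sign a
    constructed payload, rebuild the public key from (e, n) alone and verify.
    Returns True when the installed cryptography can do all of this, False if
    verification misbehaves and None when the package is not importable."""
    try:
        from cryptography.exceptions import InvalidSignature
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
    except ImportError:
        return None
    # default_backend() is accepted by both old and new releases here.
    priv = rsa.generate_private_key(65537, 2048, default_backend())
    pub = priv.public_key().public_numbers()
    rebuilt = public_key_from_numbers(pub.e, pub.n)
    payload = b"constructed sample TA header, not a real OP-TEE image"
    sig = priv.sign(payload, padding.PKCS1v15(), hashes.SHA256())
    try:
        rebuilt.verify(sig, payload, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False  # genuine signature rejected: key rebuild is broken
    try:
        rebuilt.verify(sig, payload + b"x", padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return True  # tampered payload correctly rejected
    return False
```

Running `subkey_roundtrip_ok()` on a stock 20.04 host with the distro's 2.8 package exercises the fallback branch, while a pip-installed release takes the first branch.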
jforissier commented 1 year ago

Now I understand why I am not getting any error when building for QEMUv8 with my Dockerfile. It is because the build does not use the Python packages provided by the Linux distribution. Instead the packages built and installed by Buildroot are used. For example when optee_test is built and the TAs are signed, the rsa module is loaded from out-br/per-package/optee_test_ext/host/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric. But outside of Buildroot, sign_encrypt.py would indeed fail to generate subkeys.

Therefore I believe this PR is correct. Could you please add a comment to the commit description? Something like:

building: prerequisite: Install cryptography by pip on Ubuntu 20.04

The cryptography python package in Ubuntu 20.04 is too old for new
OP-TEE releases. Pip should be used to install a newer version of
cryptography to avoid build errors such as:

SIGN    /home/mohits/rel-35_TOT/sources/optee/optee/build/t234/ta/subkey1/5c206987-16a3-59cc-ab0f-64b9cfc9e758.ta
Traceback (most recent call last):
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 968, in <module>
    main()
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 964, in main
    args.func(args)
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 841, in command_sign_enc
    ta_image.add_subkey(args.subkey, args.name)
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 793, in add_subkey
    sk_image.parse()
  File "/home/mohits/rel-35_TOT/sources/optee/optee/build/t234/export-ta_arm64/scripts/sign_encrypt.py", line 562, in parse
    self.subkey_key = rsa.RSAPublicNumbers(e, n).public_key()
TypeError: public_key() missing 1 required positional argument: 'backend'

Note that this error does not occur when building optee_test in the OP-TEE
development environment [1] because the Python packages are not
provided by the Linux distribution but by Buildroot in 
out-br/per-package/optee_test_ext/host/lib/python3.10/site-packages

Link: https://optee.readthedocs.io/en/latest/building/gits/build.html#build [1]
Signed-off-by: ...

Then please add:

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

markz-zhang commented 1 year ago

Thanks a lot jforissier. I've updated the patch.

jbech-linaro commented 1 year ago

With https://github.com/OP-TEE/optee_docs/pull/204 just being merged, I think this patch has to be slightly updated. Sorry for not merging it before.

github-actions[bot] commented 1 year ago

This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note that you can always re-open a closed issue at any time.