Open b49020 opened 9 months ago
@DemesneGH @Sword-Destiny @jbech-linaro @jenswi-linaro @jforissier @etienne-lms @daniel-thompson @Ablu Fyi..
Feedback/comments are very much welcome, thanks.
@b49020 Thanks so much for your contributions!
Since the std
still fits some cases which relying on serde
, network
, and other crates that have not support no-std
yet, how about merging the PR into the separate branch from master
?
BTW please check out the failed CI tasks, thanks!
Thanks @DemesneGH for your comments.
Since the std still fits some cases which relying on serde, network, and other crates that have not support no-std yet, how about merging the PR into the separate branch from master?
Sure I am open to merging this in separate branch for now but I would like to see optee-utee
crate new release with no-std
support. That would allow people to write their own TAs using latest rust toolchain support without the need to have this full SDK cloned. I would like to give trusted keys TA rewrite in rust a try so that we have real world TAs written in rust rather than just examples in this SDK.
BTW please check out the failed CI tasks
My bad, I forgot to update linker configuration for host applications. The build didn't show any issue for me since the host applications weren't rebuilt. BTW, the issue should be fixed now, please re-run CI now.
Rather than create a branch is it possible to introduce a no_std feature to optee-utee crate (similar to crates like serde which support no_std but it is optional). That would allow progressive adoption of no_std without having to fork.
Cargo can handle some quite complex feature combinations, including marking up examples that require std-only crates so you don't need to enable them crate wide.
Rather than create a branch is it possible to introduce a no_std feature to optee-utee crate (similar to crates like serde which support no_std but it is optional). That would allow progressive adoption of no_std without having to fork.
Good point. I agree with you.
@b49020 Seems there are some license issue on CI:
ERROR the following files don't have a valid license header:
examples/acipher-rs/ta/dyn_list
examples/aes-rs/ta/dyn_list
examples/authentication-rs/ta/dyn_list
examples/big_int-rs/ta/dyn_list
examples/diffie_hellman-rs/ta/dyn_list
examples/digest-rs/ta/dyn_list
examples/hello_world-rs/ta/dyn_list
examples/hotp-rs/ta/dyn_list
examples/random-rs/ta/dyn_list
examples/secure_storage-rs/ta/dyn_list
examples/signature_verification-rs/ta/dyn_list
examples/supp_plugin-rs/ta/dyn_list
examples/time-rs/ta/dyn_list
ERROR one or more files does not have a valid license header
Rather than create a branch is it possible to introduce a no_std feature to optee-utee crate (similar to crates like serde which support no_std but it is optional). That would allow progressive adoption of no_std without having to fork.
That sounds fine but for std
counterpart I am not sure if the current custom OP-TEE toolchain target (along with libc and compiler builtin forks) can support the latest rust nightly toolchain. Currently its based on nightly-2021-09-20
. But we need recent nightly releases for C FFI bindings like core::ffi::c_size_t
. @DemesneGH any thoughts on the uprev?
Seems there are some license issue on CI:
dyn_list
files are generated by <optee_os>/ta/link.mk
and to be consumed directly by the linker. So I don't think they deserve any license text.
The current CI failure is due to following missing patch to OP-TEE build repo as I have stated above:
build$ git diff
diff --git a/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk b/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk
index e19e8b5..af2f368 100644
--- a/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk
+++ b/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk
@@ -12,7 +12,7 @@ endif
EXAMPLE = $(wildcard examples/*)
HOST_TARGET := aarch64-unknown-linux-gnu
-TA_TARGET := aarch64-unknown-optee-trustzone
+TA_TARGET := aarch64-unknown-linux-gnu
export RUST_TARGET_PATH = $(@D)
export RUST_COMPILER_RT_ROOT = $(RUST_TARGET_PATH)/rust/rust/src/llvm-project/compiler-rt
Thanks @Ablu for your review.
It looks like there is interest to optimize for size. Since you are using nightly anyway, you may want to try:
Binary size reduction is not such a hard requirement here. However, from security point of view its better to reduce code footprint which this no_std
adoption would provide us. Also, I would like to keep nightly dependencies to a minimal since we should aim to migrate to a stable toochain build instead.
That sounds fine but for
std
counterpart I am not sure if the current custom OP-TEE toolchain target (along with libc and compiler builtin forks) can support the latest rust nightly toolchain. Currently its based onnightly-2021-09-20
. But we need recent nightly releases for C FFI bindings likecore::ffi::c_size_t
. @DemesneGH any thoughts on the uprev?
@b49020 I see. I think after upstreaming the aarch64-unknown-optee-trustzone
target (as discussed at https://github.com/apache/incubator-teaclave-trustzone-sdk/issues/113) we can support the latest toolchain and then proceed to merge the no-std
as the feature. Since that needs more effort, I'd prefer the separate no-std
branch for now.
@DemesneGH How about we rather stick the std
based TAs to v0.2.0
of optee-utee
crate and merge no-std
feature in a later version of optee-utee
crate using latest rust toolchain? Although I am still uncertain about stability (reasons already provided here) of aarch64-unknown-optee-trustzone
target but we shouldn't gate OP-TEE rust development for its availability upstream. BTW, we can very well uprev std
TAs once we have that upstream support available.
This will atleast allow the adoption of no-std
TAs with migration option for other std
TAs as well. Also, as I mentioned earlier we would like to provide OP-TEE community with standardized rust environment to develop standalone TAs.
The current CI failure is due to following missing patch to OP-TEE build repo as I have stated above:
The patch has been posted here: https://github.com/OP-TEE/build/pull/714
@b49020 do you need a new release on https://crates.io/crates/optee-utee?
@daniel-thompson @DemesneGH So I gave no_std
being an optional feature a try for optee-utee
and optee-utee-sys
crates, it turns out that I found a way to keep the std TAs alongside no_std TAs. I did managed the older rust toolchain pinning for std TAs via following in the Makefile:
rustup override set nightly-2021-09-20
@xargo build --target $(TARGET) --release --verbose -Z unstable-options --config $(LINKER_CFG)
rustup override unset
I hope this is something we can agree upon, feedback/comments are very much welcome.
do you need a new release on https://crates.io/crates/optee-utee?
Yeah once we have sufficient functionality implemented to enable standalone rust TAs development. I suppose we still lack inter TA communication rust library APIs, right?
@DemesneGH The CI reports No space left on device
, are there any space constraints for CI? BTW, I don't think this PR adds anything extra apart from extra latest nightly toolchain installation.
The CI reports
No space left on device
, are there any space constraints for CI?
The Github actions provide at least 14G storage (reference: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources). It would be more than 14GB sometimes (https://github.com/actions/runner-images/issues/2840#issuecomment-791177163) since the error haven't occurred before.
There are some workaround on https://github.com/actions/runner-images/issues/2840#issuecomment-790492173 but I'd prefer to remove the dependencies of aarch64-unknown-optee-trustzone
target (large clones in setup.sh).
I'm trying to summarize the conclusions we reached and the steps for breaking down, please correct me if I've misunderstood:
STAGE 1:
no-std
a separate branch from master
.optee-utee
crate is no-std
by default, corresponding to no-std
branch on repo. Users can import the crate using cargo add optee-utee
.std
, they should clone the SDK repo of master
branch and setup the environment.comments:
for no-std
branch:
aarch64-unknown-optee-trustzone
target related files such as aarch64-unknown-optee-trustzone.json
, arm-unknown-optee-trustzone.json
, environment
, and std
-only examples
. It makes things clear and also helps us to figure out the difference when we trying to merge the no-std
branch at STAGE 2. (BTW it's also the workaround for the no space left
issue above)for publishing optee-utee crates:
optee-utee
crate with just cargo add
, we may need a build.rs
inside the optee-utee
crate which download toolchains, optee c source code and compile c libs.STAGE 2 (after the STAGE 1 is finished):
optee-utee
crate (enable the std
feature)aarch64-unknown-optee-trustzone
uprevno-std
into master
@DemesneGH I mostly agree with your stage 1 but for stage 2 I think once we have published optee-utee
crate on crates.io then we can just drop optee-utee
from master
branch and instead just use:
optee-utee = { version = "x.x.x", features = ["std"] }
This would avoid any divergence and allow the std counterpart to be regularly tested with latest optee-utee
changes too. I think we should follow the same approach for optee-teec
as well where no-std
acts as the main development branch and releases are synced to crates.io. OTOH, if we rather have std
as a separate branch and keep master
as the main development branch then it would be even better.
If you agree then please feel free to create a separate branch (std or no-std).
if we rather have std as a separate branch and keep master as the main development branch then it would be even better.
So once we have the aarch64-unknown-optee-trustzone
upstreamed then it would just be a simple move to migrate std
examples from std
branch to master
branch.
if we rather have
std
as a separate branch and keepmaster
as the main development branch then it would be even better
Sure, after we finished the stage 1 which means the no-std
is stable I'm okay to set the no-std
as main branch.
Sure, after we finished the stage 1 which means the no-std is stable I'm okay to set the no-std as main branch.
Fair enough, let's go with no-std
branch then. Let me know once it's created, I will create a PR for that.
@DemesneGH Created PR for no-std
here: https://github.com/apache/incubator-teaclave-trustzone-sdk/pull/115
@DemesneGH With no-std
changes merged, the next step is to publish optee-utee
crate.
todo: support for inter-TA APIs
Although I agree it is an important feature which I will target next but I still think we can have v0.3.0
published for optee-utee
crate without it to allow developers start playing with standalone rust TAs. We can target this feature for next v0.4.0
release.
Aiming that users use the optee-utee crate with just cargo add, we may need a build.rs inside the optee-utee crate which download toolchains, optee c source code and compile c libs.
I don't think we should bundle a script to build OP-TEE OS since it can be configured in many ways for different platforms. We should rather depend on TA_DEV_KIT_DIR
environment variable to provide path to pre-build OP-TEE utee libraries. This is quite similar to C development environment. I will make corresponding changes to optee-utee
crate regarding this.
We should rather depend on TA_DEV_KIT_DIR environment variable to provide path to pre-build OP-TEE utee libraries. This is quite similar to C development environment. I will make corresponding changes to optee-utee crate regarding this.
Fyi.. https://github.com/apache/incubator-teaclave-trustzone-sdk/pull/116
The CI reports
No space left on device
, are there any space constraints for CI?The Github actions provide at least 14G storage (reference: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources). It would be more than 14GB sometimes (actions/runner-images#2840 (comment)) since the error haven't occurred before.
There are some workaround on actions/runner-images#2840 (comment) but I'd prefer to remove the dependencies of
aarch64-unknown-optee-trustzone
target (large clones in setup.sh).
This might help: https://github.com/OP-TEE/optee_os/commit/788069fa88ed8bf376a07991196fbf80c36b7e06 (although minimizing the cloned data is certainly a good idea regardless).
This might help: https://github.com/OP-TEE/optee_os/commit/788069fa88ed8bf376a07991196fbf80c36b7e06 (although minimizing the cloned data is certainly a good idea regardless).
With https://github.com/OP-TEE/manifest/pull/260, the rust build would be significantly lighter for OP-TEE CI. Given that I am also thinking that we should probably get rid of OPTEE_RUST_ENABLE
flag and enable OP-TEE rust examples in the default build, thoughts?
This might help: OP-TEE/optee_os@788069f (although minimizing the cloned data is certainly a good idea regardless).
With OP-TEE/manifest#260, the rust build would be significantly lighter for OP-TEE CI. Given that I am also thinking that we should probably get rid of
OPTEE_RUST_ENABLE
flag and enable OP-TEE rust examples in the default build, thoughts?
Perhaps just make it ?= y
by default, but it is always good to have a way to disable things in case they break.
This also raises the question of make check
(C apps) vs make check-rust
. Should make check
run both? (it makes sense if make
builds both). But then we may want to be able to run only the C apps perhaps (make check-c
?). TBD.
Perhaps just make it ?= y by default, but it is always good to have a way to disable things in case they break.
That sounds reasonable. I will do that as a next step to current rust examples build refactoring.
This also raises the question of make check (C apps) vs make check-rust. Should make check run both? (it makes sense if make builds both). But then we may want to be able to run only the C apps perhaps (make check-c?). TBD.
How about if we rather add rust.exp
to build repo and have the check tests conditional under CHECK_TESTS
similar to what we did for trusted keys tests?
Perhaps just make it ?= y by default, but it is always good to have a way to disable things in case they break.
That sounds reasonable. I will do that as a next step to current rust examples build refactoring.
OK thanks.
This also raises the question of make check (C apps) vs make check-rust. Should make check run both? (it makes sense if make builds both). But then we may want to be able to run only the C apps perhaps (make check-c?). TBD.
How about if we rather add
rust.exp
to build repo and have the check tests conditional underCHECK_TESTS
similar to what we did for trusted keys tests?
Yes, much better :+1:
Hi @b49020 Could you review the updated README which added the no-std
description? https://github.com/apache/incubator-teaclave-trustzone-sdk/pull/128
Thanks!
Existing OP-TEE rust environment required a custom rust toolchain target for OP-TEE based TAs. I suppose back in 2019 when this SDK was created, rust embedded ecosystem (especially no_std support) was in its very early stages of development. But as of today many rust crates have already added support for rust no_std or are being actively worked on to add rust no_std support for example rustls here(https://github.com/rustls/rustls/pull/1399).
This effort is a followup effort to the discussion here (https://github.com/apache/incubator-teaclave-trustzone-sdk/issues/113). The major motivation for this effort was to make OP-TEE rust TAs development environment to be the first class citizen. Rust
no_std
support seems to provide quite similar environment as we have on the C counterpart side in OP-TEE (we don't support fully fledged libc/glibc but rather our own quite simple libutils library).Upsides for this PR:
Downsides for this PR:
Testing
Their is one change needed for OP-TEE build repo in order to build this PR as follows. Once there is consensus on this PR, I will submit this change as well.
Once that's done we should be able to build OP-TEE buildroot setup with rust support:
For interactive run, just bring up Qemu with below command and run rust examples:
Or you can test all rust examples in one go:
Performance comparisons
After this PR, the TA performance becomes equivalent to the C counterparts. This is impressive improvement as compared to 35% performance gap earlier as illustrated here (https://github.com/apache/incubator-teaclave-trustzone-sdk/issues/89).
See below comparison after this PR:
Size comparisons
As you can observe from the comparisons below, there is approx. 70K - 80K TA binary size reduction after this PR:
Before this PR: