optee, openenclave: added custom key path parameter #238

Open · wants to merge 4 commits into base: 0.1.4-dogebox-pre
54 changes: 36 additions & 18 deletions .github/workflows/ci.yml
Expand Up @@ -5,6 +5,7 @@ name: CI
on:
push:
branches: [ "*-dev-*"]
tags: [ "v*" ]
pull_request:
branches: [ "*" ]

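Review bot: the new `tags: [ "v*" ]` trigger is what the later `github.ref == refs/tags/*` checks in this workflow key on before writing `secrets.DEFAULT_TA_PEM` and `secrets.OE_PRIVATE_PEM` to disk, so anyone who can push a `v*` tag to this repository can produce a build signed with the release keys. Back the trigger with a tag protection rule (or ruleset) that restricts who may create `v*` tags, and state in the PR description that tag pushes are now release-signing events.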
Expand Down Expand Up @@ -102,7 +103,7 @@ jobs:
goal: install
- name: x86_64-macos
host: x86_64-apple-darwin15
os: macos-12
os: macos-13
run-tests: true
dep-opts: "SPEED=slow V=1"
config-opts: "--enable-static --disable-shared --enable-test-passwd"
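Review bot: the `macos-12` to `macos-13` runner bump is unrelated to the custom key path feature in the PR title and should be mentioned in the commit message or PR description so the reason survives (otherwise a later reader cannot tell whether it was a forced image retirement or a deliberate upgrade). The `host: x86_64-apple-darwin15` triplet is left unchanged; confirm the toolchain on the `macos-13` image still builds for that target before merging.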
Expand Down Expand Up @@ -369,6 +370,9 @@ jobs:
"x86_64-linux-openenclave" | "aarch64-linux-optee" | "x86_64-nixos"):
if ([ "${{ matrix.name }}" == "aarch64-linux-optee" ]); then
make install
if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
printf "%s" "${{ secrets.DEFAULT_TA_PEM }}" > rsa_private.pem
fi
docker pull jforissier/optee_os_ci:qemu_check
docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash -c "\
# Set up the environment and build the OP-TEE SDK
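Review bot: the added `printf "%s" "${{ secrets.DEFAULT_TA_PEM }}" > rsa_private.pem` creates the TA signing private key in the checkout with the runner's default umask (normally world-readable 0644) and nothing in the workflow removes it afterwards. Wrap the redirect in `(umask 077; printf ... > rsa_private.pem)` so the file is owner-only, and add an `if: always()` cleanup step that deletes it so it cannot linger on the runner or be swept into a later artifact upload. Also pick one quoting style for the ref test: this hunk uses `"refs/tags/"*` while the later hunks use `refs/tags/*`; both work in `[[ ]]`, but consistency makes the gate easier to audit.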
Expand All @@ -379,13 +383,13 @@ jobs:
curl https://storage.googleapis.com/git-repo-downloads/repo > /bin/repo && chmod a+x /bin/repo && \
mkdir -p optee && \
cd optee && \
repo init -u https://github.com/edtubbs/manifest.git -m nanopc-t6.xml -b nanopc-t6 && \
repo init -u https://github.com/OP-TEE/manifest.git -m nanopc-t6.xml -b master && \
export FORCE_UNSAFE_CONFIGURE=1 && \
repo sync -j\"$(getconf _NPROCESSORS_ONLN)\" && \
if [[ "${{ github.ref }}" == refs/tags/* ]]; then \
mv /src/rsa_private.pem /src/optee/optee_os/keys/default_ta.pem; \
fi && \
patch -F 4 /src/optee/build/common.mk < /src/src/optee/common.mk.patch && \
patch /src/optee/build/kconfigs/qemu.conf < /src/src/optee/qemu.conf.patch && \
patch /src/optee/linux/arch/arm64/boot/dts/rockchip/rk3588-nanopi6-common.dtsi < /src/src/optee/rk3588-nanopi6-common.dtsi.patch && \
patch /src/optee/u-boot/include/configs/nanopi6.h < /src/src/optee/nanopi6.h.patch && \
cd build && \
make toolchains -j\"$(getconf _NPROCESSORS_ONLN)\" && \
export CFG_TEE_CORE_LOG_LEVEL=0 && \
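Review bot: `repo init -u https://github.com/OP-TEE/manifest.git -m nanopc-t6.xml -b master` swaps a fork pinned to a branch for upstream `master`, so each tag build pulls whatever OP-TEE, Linux and U-Boot revisions the manifest references that day, and the resulting TA is then signed with the release key; pin `-b` to a release tag (or a fixed manifest revision) so signed builds are reproducible and an upstream manifest change cannot silently alter what gets signed. The new `if [[ "${{ github.ref }}" == refs/tags/* ]]; then \` line leaves its double quotes unescaped inside the `bash -c "..."` string, unlike `-j\"$(getconf _NPROCESSORS_ONLN)\"` just above it: because the outer string is double-quoted, the quotes close and reopen it and the ref reaches the container unquoted, which works for a ref but should be `\"` for consistency with the rest of the command. Finally, the commit message should say why the `rk3588-nanopi6-common.dtsi.patch` and `nanopi6.h.patch` steps are no longer needed with the upstream manifest.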
Expand Down Expand Up @@ -444,22 +448,28 @@ jobs:
export PATH=/src/optee/toolchains/aarch64/bin:$PATH && \
export CC=aarch64-linux-gnu-gcc && \

# Run the libdogecoin TA
cd /src/src/optee/host && \
make -j"$(getconf _NPROCESSORS_ONLN)" \
CROSS_COMPILE=aarch64-linux-gnu- \
LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \

# Build the Trusted Application
cd ../ta && \
cd /src/src/optee/ta && \
make -j"$(getconf _NPROCESSORS_ONLN)" \
CROSS_COMPILE=aarch64-linux-gnu- \
LDFLAGS=\"-L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
CFLAGS=\"-I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/dogecoin\" \
PLATFORM=vexpress-qemu_armv8a \
TA_DEV_KIT_DIR=/src/optee/optee_os/out/arm/export-ta_arm64 && \

# Build libdogecoin for Host
cd /src/ && \
./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd HOST=aarch64-linux-gnu && \
make -j 4 && \
make install && \

# Run the libdogecoin TA
cd /src/src/optee/host && \
make -j"$(getconf _NPROCESSORS_ONLN)" \
CROSS_COMPILE=aarch64-linux-gnu- \
LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \

# Create symbolic links and prepare image
mkdir -p /src/optee/out/bin && \
cd /src/optee/out/bin && \
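Review bot: the comment on the moved block, `# Run the libdogecoin TA`, describes a build of the normal-world host application (`cd /src/src/optee/host && make ...`), not a run; rename it to something like `# Build the libdogecoin host application`, and likewise clarify `# Build libdogecoin for Host`, which is a cross build with `HOST=aarch64-linux-gnu` for the OP-TEE host side rather than for the CI machine. The new `make -j 4` hardcodes the job count where every neighbouring make uses `$(getconf _NPROCESSORS_ONLN)`. Installing libdogecoin into `/src/depends/aarch64-linux-gnu` before the host app links `-ldogecoin` is the right dependency order, but the TA build above it also links `-ldogecoin` from the same prefix; confirm that library already exists at that point from an earlier depends build, or move the libdogecoin step ahead of the TA build as well.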
Expand Down Expand Up @@ -489,6 +499,14 @@ jobs:
elif ([ "${{ matrix.name }}" == "x86_64-linux-openenclave" ]); then
make install && \
mkdir -p src/openenclave/build && \
make -j 4 -C depends HOST=x86_64-pc-linux-gnu/host && \
./configure --prefix=${{ github.workspace }}/depends/x86_64-pc-linux-gnu/host --enable-test-passwd && \
make && \
make install && \
if [[ "${{ github.ref }}" == refs/tags/* ]]; then
printf "%s" "${{ secrets.OE_PRIVATE_PEM }}" > src/openenclave/build/private.pem && \
openssl rsa -pubout -in src/openenclave/build/private.pem -out src/openenclave/build/public.pem; \
fi && \
docker run -v $PWD:/src -w /src ubuntu:20.04 bash -c "\
# Install dependencies
export DEBIAN_FRONTEND=noninteractive && \
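Review bot: `make -j 4 -C depends HOST=x86_64-pc-linux-gnu/host` passes a `HOST` value with a `/host` suffix, which is not a target triplet; the `--prefix=${{ github.workspace }}/depends/x86_64-pc-linux-gnu/host` on the next line suggests `host` is only the install subdirectory, so this probably should be `HOST=x86_64-pc-linux-gnu`. Please confirm or add a comment explaining the suffix. The enclave signing key written to `src/openenclave/build/private.pem` is created with default permissions, is mounted into the `ubuntu:20.04` container through `-v $PWD:/src`, and is never removed; wrap the redirect in `(umask 077; ...)` and delete both `private.pem` and `public.pem` in an `if: always()` cleanup step. `openssl rsa -pubout -in ... -out ...` is the correct invocation for deriving the public key; as in the other hunks, `make -j 4` hardcodes a job count the rest of the file derives from `getconf`.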
Expand Down Expand Up @@ -738,26 +756,26 @@ jobs:
MACOS_CODE_CERT_TEAM_ID: ${{ secrets.LIBDOGECOIN_DEV_APPLE_TEAM_ID }}
MACOS_EXECUTABLE_PATH: bin/spvnode
run: |
/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"
/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime --verbose "$MACOS_EXECUTABLE_PATH"

- name: Sign such (x86_64-macos)
env:
MACOS_CODE_CERT_TEAM_ID: ${{ secrets.LIBDOGECOIN_DEV_APPLE_TEAM_ID }}
MACOS_EXECUTABLE_PATH: bin/such
run: |
/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"
/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime --verbose "$MACOS_EXECUTABLE_PATH"

- name: Sign sendtx (x86_64-macos)
env:
MACOS_CODE_CERT_TEAM_ID: ${{ secrets.LIBDOGECOIN_DEV_APPLE_TEAM_ID }}
MACOS_EXECUTABLE_PATH: bin/sendtx
run: |
/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"
/usr/bin/codesign --force --keychain ~/Library/Keychains/build.keychain -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime --verbose "$MACOS_EXECUTABLE_PATH"

- name: Upload artifacts (i686-win)
- name: Upload artifacts (x86_64-macos)
uses: actions/upload-artifact@v4
with:
name: libdogecoin-${{ github.sha }}-i686-win-signed
name: libdogecoin-${{ github.sha }}-x86_64-macos-signed
path: |
bin/**
docs/**
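Review bot: renaming the upload step and artifact from `i686-win` to `x86_64-macos` fixes an evident copy-paste error in a macOS job, and because it changes the artifact name that downstream consumers download it belongs in the commit message. Adding `--verbose` to `codesign` improves the log but nothing checks the outcome; add a `codesign --verify --deep --strict --verbose=2 "$MACOS_EXECUTABLE_PATH"` after each signing command so an unsigned or partially signed binary fails the job instead of being uploaded. The three near-identical `Sign ...` steps could also become one step that loops over `bin/spvnode bin/such bin/sendtx`, which keeps future flag changes like this one in a single place.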