Integrate TPM 2.0 v183 changes from Trusted Computing Group. (#112)

Co-authored-by: Brad Litterell <[email protected]>
microsoft · Oct 4, 2024 · ee21db0 · ee21db0
1 parent e9fc7b8
commit ee21db0
Show file tree

Hide file tree

Showing 1,150 changed files with 45,758 additions and 300,614 deletions.
diff --git a/.azuredevops/cmake_build_win.yml b/.azuredevops/cmake_build_win.yml
@@ -0,0 +1,40 @@
+# editing pipeline due to message in ADO about a bad trigger.
+
+variables:
+  - name: BuildOutput
+    value: out
+  - name: VerboseOutput
+    value: true
+
+strategy:
+  matrix:
+    windows_x86_openssl:
+      imageName: windows-2019
+      targetArchitecture: Win32
+      cmakecryptoargs: -DcryptoLib_Symmetric=Ossl -DcryptoLib_Hash=Ossl -DcryptoLib_BnMath=Ossl -DcryptoLib_Math=TpmBigNum
+
+pool:
+  vmImage: $(imageName)
+
+steps:
+- checkout: self
+  submodules: true
+
+
+###################################################
+# Windows
+###################################################
+
+# Use CMake to setup target build environment
+- task: CMake@1
+  inputs:
+    cmakeArgs: -S $(BUILD.SOURCESDIRECTORY)\TPMCmd -B $(BUILD.SOURCESDIRECTORY)\TPMCmd\$(BuildOutput) -G "Visual Studio 16 2019" -A $(targetArchitecture) $(cmakecryptoargs)
+  displayName: CMake setup build environment
+  condition: eq( variables['Agent.OS'], 'Windows_NT' )
+
+# Use CMake to execute build
+- task: CMake@1
+  inputs:
+    cmakeArgs: --build $(BUILD.SOURCESDIRECTORY)\TPMCmd\$(BuildOutput)
+  displayName: CMake build TPM2
+  condition: eq( variables['Agent.OS'], 'Windows_NT' )
diff --git a/.clang-format b/.clang-format
@@ -1,4 +1,5 @@
 ---
+# Last formatted with clang-format version 17.0.3
 Language:        Cpp
 BasedOnStyle:  Microsoft
 AccessModifierOffset: -4

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
@@ -0,0 +1,22 @@
+# By default, the Github Blame UI ignores commits in this file.
+# To use this file locally, run either:
+#   git blame --ignore-revs-file .git-blame-ignore-revs
+#   git config blame.ignoreRevsFile .git-blame-ignore-revs
+
+# https://github.com/TrustedComputingGroup/TPM-Internal/pull/4
+# Mass trim whitespace from .c & .h files, preserving line endings.
+705706aa59d777566159f346ce8bf04cac0fa64c
+
+# https://github.com/TrustedComputingGroup/TPM-Internal/pull/2
+# Apply .clang-format
+c68483355e66d714266a3fe8cde8e12c907783b5
+
+# https://github.com/TrustedComputingGroup/TPM-Internal/pull/21
+# Run clang-format on samples folder
+5d12e6e85290252ee141ecfba4eb5338d30300ee
+
+# https://github.com/TrustedComputingGroup/TPM-Internal/pull/65
+# setup line normalization
+7ada6844eefed59c8d1eb53a27b43e7ca6b5bc1a
+# Apply clang-format.
+9a9eab4140ba61e3083996b8123c99cf94f66f57
diff --git a/.gitattributes b/.gitattributes
@@ -6,10 +6,11 @@
 *.py        text eol=lf
 *.ps1       text eol=lf
 *.yml       text eol=lf
-*.sh        text eol=lf
-# VS & CMD prefer CRLF
+# not sure if VS likes LF in its project files
 *.vcproj    text eol=crlf
+# ditto for CMD.exe
 *.cmd       text eol=crlf
+*.sh        text eol=lf
 
 ###############################################################################
 # behavior for image files

diff --git a/.githooks/pre-commit b/.githooks/pre-commit
@@ -0,0 +1,72 @@
+#!/bin/bash
+# run clang-format as a pre-commit hook.
+#
+# requires a specific path to clang-format be provided via git-config.
+# simply runs given clang-format with -style=file, expecting a .clang-format file
+# in the root of the repository. Format changes are automatically applied, but
+# any errors in this script result in commit failure.
+#
+# If reformatting the code undoes all the changes in the commit, then the commit will be blocked.
+# The only way around it is to use --no-verify. --allow-empty doesn't work because that
+# check happens prior to git calling the hook, and I don't know how to interrogate
+# the state of --allow-empty from inside the hook.
+#
+# this hook can be force-run on a segment of commits via rebase using exec.  For example
+# this will replay and format all the commits on the current branch since commit c77fa657.
+# git rebase --strategy-option=theirs -x "git reset --soft HEAD~1 && git commit -C HEAD@{1}" --onto c77fa657 c77fa657
+#
+# this trick suggested by: # https://www.dlyr.fr/stuff/2021/03/magic-rebase-and-format/
+#
+# This hook has only been tested on Windows, and on Windows the path to clang-format should be a
+# Windows, not Linux format path, for example:
+#
+# >git config --local --add hooks.clangformat.path "c:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin\clang-format.exe"
+#
+# This should work on Windows and Linux (not-verified) if hooks.clangformat.path is set to "clang-format"
+# with clang-format already on your path.
+#
+# Redirect output to stderr.
+exec 1>&2
+# fail commit if hook fails
+set -e
+
+CLANG_FORMAT=$(git config --get hooks.clangformat.path)
+if [ -z "${CLANG_FORMAT}" ]; then
+  echo A path to clang-format must be set in hooks.clangformat.path
+  exit 1
+fi
+
+format_file() {
+  file="${1}"
+  echo "formatting ${file}"
+  if [ -f $file ]; then
+    # move working dir file out of the way
+    mv ${file} ${file}.working
+    # unstage the changes to be committed from the index
+    git restore --worktree ${file}
+    # and format it.
+    "${CLANG_FORMAT}" -i --style=file ${file}
+    # add back to index
+    git add ${file}
+    # replace pending worktree changes
+    mv ${file}.working ${file}
+  fi
+}
+
+for file in `git diff-index --cached --name-only HEAD | grep -iE '\.(cpp|cc|c|h|hpp|inl)$' ` ; do
+  format_file "${file}"
+done
+
+# after formatting there may be no remaining (staged) changes
+# so check and abort commit if nothing remains.
+set +e
+# Assume something remains
+EXIT_CODE=0
+# sets $? to 1 if anything is different
+git diff-index --cached --exit-code HEAD
+if [ $? -eq 0 ]; then
+  # nothing remains, fail hook
+  echo No changes remain after auto-format hook.  Aborting commit...
+  EXIT_CODE=1
+fi
+exit ${EXIT_CODE}
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+# Each line is a file pattern followed by one or more owners.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# These will be requested for review when someone opens a pull request.
+*   @bradlitterell @N7JTI 
diff --git a/.github/workflows/docker-check.yml b/.github/workflows/docker-check.yml
@@ -0,0 +1,31 @@
+name: docker build validation
+
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build-validation:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v1
+
+      # Build the Docker image (native platform only) to check the build.
+      # Don't build cross-platform as it takes 10x as long.
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,67 @@
+name: publish container
+
+on:
+  push:
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  publish-container:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Set up QEMU for cross-platform builds below
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v1
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v2
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern=r{{version}}
+
+      # Login against a Docker registry
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build and push Docker image with Buildx
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/giant-run-tests.yml b/.github/workflows/giant-run-tests.yml
@@ -0,0 +1,77 @@
+# Run the tests against the simulator
+
+name: run_tests_on_fast_runner
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the main branches
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+  RESULTS_SUMMARY: ""
+
+jobs:
+  run_tests:
+    # Run in a special container that has the .NET 6 SDK already set up and the compliance tests compiled
+    runs-on: GiantRunners
+    container:
+      image: ghcr.io/trustedcomputinggroup/compliance_pc-tpm-internal:r1.74.0
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: simulator
+
+      # Build the simulator
+      - name: Compile
+        run: |
+          cd simulator/TPMCmd
+          ./bootstrap
+          EXTRA_CFLAGS="--coverage" ./configure
+          make -j
+
+      # Run the tests against the simulator with a fixed seed
+      - name: Run tests against OpenSSL-based simulator
+        timeout-minutes: 10
+        run: >
+          DOTNET_ROOT=/dotnet6
+          /build/Debug/net5/TcgComplianceTestSuite
+          -tpm simulator/TPMCmd/Simulator/src/tpm2-simulator
+          -seed 1 -pick_ports -address localhost:30000
+          -expectations simulator/testing/expectations.json
+
+      - name: Generate coverage report
+        if: success() || failure()
+        run: gcovr -r simulator --html-details coverage.html
+
+      - name: Archive coverage report
+        if: success() || failure()
+        run: zip coverage.zip *.css coverage.*.html coverage.html
+
+      - name: Upload XML results
+        uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: report.xml
+          path: TpmTests.Report.xml
+
+      - name: Upload HTML results
+        uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: report.html
+          path: TpmTests.Report.html
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: coverage.zip
+          path: coverage.zip