Add support for v2 signing with mlca_framework #41

Merged
merged 3 commits into from
May 15, 2024
7 changes: 7 additions & 0 deletions .gitignore
Expand Up @@ -5,4 +5,11 @@ create-container
hashkeys
Makefile
print-container
gendilkey
gendilsig
verifydilsig
extractdilkey
bin/
*.o
*.a

31 changes: 29 additions & 2 deletions Makefile.am
Expand Up @@ -26,6 +26,9 @@
ACLOCAL_AMFLAGS = -I m4

bin_PROGRAMS = create-container print-container hashkeys
if ADD_DILITHIUM
bin_PROGRAMS += gendilkey gendilsig verifydilsig extractdilkey
endif

dist_bin_SCRIPTS = bulkSign.sh crtSignedContainer.sh sign-with-local-keys.sh

Expand All @@ -42,13 +45,37 @@ create_container_LDADD = -lssl -lcrypto
print_container_SOURCES = \
print-container.c

print_container_CPPFLAGS = $(AM_CPPFLAGS) -I. -g3 -std=gnu99
print_container_CPPFLAGS = $(AM_CPPFLAGS) -I. -g3 -std=gnu99 ${DIL_CPPFLAGS}

print_container_LDFLAGS =
print_container_LDADD = -lssl -lcrypto
print_container_LDADD = -lssl -lcrypto ${DIL_LDADD}

hashkeys_SOURCES = \
hashkeys.c

hashkeys_CPPFLAGS = $(AM_CPPFLAGS) -I. -g3 -std=gnu99
hashkeys_LDFLAGS =
hashkeys_LDADD = -lssl -lcrypto


if ADD_DILITHIUM
gendilkey_SOURCES = gendilkey.c
gendilkey_CPPFLAGS = $(AM_CPPFLAGS) -I. ${DIL_CPPFLAGS} -g3 -std=gnu99
gendilkey_LDFLAGS =
gendilkey_LDADD = ${DIL_LDADD}

gendilsig_SOURCES = gendilsig.c
gendilsig_CPPFLAGS = $(AM_CPPFLAGS) -I. ${DIL_CPPFLAGS} -g3 -std=gnu99
gendilsig_LDFLAGS =
gendilsig_LDADD = ${DIL_LDADD}

verifydilsig_SOURCES = verifydilsig.c
verifydilsig_CPPFLAGS = $(AM_CPPFLAGS) -I. ${DIL_CPPFLAGS} -g3 -std=gnu99
verifydilsig_LDFLAGS =
verifydilsig_LDADD = ${DIL_LDADD}

extractdilkey_SOURCES = extractdilkey.c
extractdilkey_CPPFLAGS = $(AM_CPPFLAGS) -I. ${DIL_CPPFLAGS} -g3 -std=gnu99
extractdilkey_LDFLAGS =
extractdilkey_LDADD = ${DIL_LDADD}
endif
2 changes: 1 addition & 1 deletion Makefile.lite
Expand Up @@ -10,7 +10,7 @@ hashkeys: hashkeys.c
$(CC) -g -Wall -Wextra -I. $^ -o $@ -lssl -lcrypto -std=gnu99

clean:
$(RM) create-container print-container hashkeys
$(RM) create-container print-container hashkeys *.o

prefix = /usr/local
exec_prefix = $(prefix)
38 changes: 38 additions & 0 deletions Makefile.v2
@@ -0,0 +1,38 @@
all: create-container print-container hashkeys gendilkey gendilsig verifydilsig extractdilkey
Contributor


Why is there an entirely new makefile instead of extending the existing makefile? default does not need to include the dilithium tools.

Collaborator Author


This is just a simple makefile; the main build process uses automake. Doing it this way, I didn't have to take the time to figure out how to build print-container differently based on the build target.


create-container: create-container.c
$(CC) -g -Wall -Wextra -I. $^ -o $@ -lssl -lcrypto -std=gnu99

print-container: print-container.c
$(CC) -g -Wall -Wextra -I. $^ -o $@ -lssl -lcrypto -std=gnu99 -DADD_DILITHIUM -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals ${MLCA_PATH}/build/libmlca2.a

hashkeys: hashkeys.c
$(CC) -g -Wall -Wextra -I. $^ -o $@ -lssl -lcrypto -std=gnu99

gendilkey: gendilkey.c
$(CC) -g -Wall -Wextra -I. -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals $^ -o $@ ${MLCA_PATH}/build/libmlca2.a -std=gnu99
Contributor


How is ${MLCA_PATH}/build/libmlca2.a supposed to integrate into op-build? Reading over this review, it looks like this is supposed to be an external library - but its usage/linkage seems to be hard coded into all of the build files and include paths.

My expectation would be that op-build/buildroot would build the library and install it somewhere in the "host" buildroot. Then the tooling here would pick it up from some system location.

It's just very weird to have a static link dependency without any documentation/information on how it is supposed to exist.

Collaborator Author


op-build doesn't use these static makefiles; it uses autoconf. And for that it doesn't use MLCA_PATH because (like you mentioned) the MLCA library gets installed into 'host' paths, so special include paths are not required. MLCA_PATH is a way to enable building when you just have both git clones side by side.


gendilsig: gendilsig.c
$(CC) -g -Wall -Wextra -I. -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals $^ -o $@ ${MLCA_PATH}/build/libmlca2.a -std=gnu99

verifydilsig: verifydilsig.c
$(CC) -g -Wall -Wextra -I. -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals $^ -o $@ ${MLCA_PATH}/build/libmlca2.a -std=gnu99

extractdilkey: extractdilkey.c
$(CC) -g -Wall -Wextra -I. -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals $^ -o $@ ${MLCA_PATH}/build/libmlca2.a -std=gnu99

clean:
$(RM) create-container print-container hashkeys gendilkey gendilsig verifydilsig extractdilkey

prefix = /usr/local
exec_prefix = $(prefix)
bindir = $(exec_prefix)/bin

install:
cp create-container print-container hashkeys gendilkey gendilsig verifydilsig extractdilkey "$(bindir)"
cp bulkSign.sh crtSignedContainer.sh sign-with-local-keys.sh "$(bindir)"

uninstall:
cd "$(bindir)" && $(RM) create-container print-container hashkeys gendilkey gendilsig verifydilsig extractdilkey
cd "$(bindir)" && $(RM) bulkSign.sh crtSignedContainer.sh sign-with-local-keys.sh
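Review bot: Every recipe that references `${MLCA_PATH}` (print-container, gendilkey, gendilsig, verifydilsig, extractdilkey) expands it to an empty string when the variable is unset, so running `make -f Makefile.v2` directly, outside build_all.sh, searches `/include` and tries to link `/build/libmlca2.a` from the filesystem root instead of stopping. A guard at the top of the file fails early with a clear message: `ifndef MLCA_PATH`, `$(error MLCA_PATH must point to the mlca_framework checkout)`, `endif`. Judging by their names these binaries generate keys and produce and verify signatures, so a header comment stating which mlca_framework revision the static archive is expected to come from would also help anyone trying to reproduce a build.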

18 changes: 18 additions & 0 deletions build_all.sh
Expand Up @@ -9,6 +9,15 @@ case "$(echo "$1" | tr "[:upper:]" "[:lower:]")" in
cp -p Makefile.lite Makefile
make
;;
v2)
if [ "X$MLCA_PATH" = "X" ]; then
echo "Must set MLCA_PATH env variable to point to mlca_framework repository"
exit 1
fi
cp -p config.h.lite config.h
cp -p Makefile.v2 Makefile
make
;;
gnu)
autoreconf -i -Wno-unsupported && \
./configure && \
Expand All @@ -19,6 +28,15 @@ case "$(echo "$1" | tr "[:upper:]" "[:lower:]")" in
cp -p Makefile.aix Makefile
gnu-make
;;
gnuv2)
if [ "X$MLCA_PATH" = "X" ]; then
echo "Must set MLCA_PATH env variable to point to mlca_framework repository"
exit 1
fi
autoreconf -i -Wno-unsupported && \
./configure --enable-sign-v2 && \
make
;;
*)
echo "Unknown build type: $1"
exit 1
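Review bot: The `gnuv2)` branch exits when `MLCA_PATH` is empty, yet the configure.ac change in this same pull request falls back to `-lmlca2_shared` when `MLCA_PATH` is unset, so the installed-library build cannot be reached through this script. Consider dropping the check from `gnuv2)` and keeping it in `v2)`, where Makefile.v2 needs the path. In both branches the test only rejects an empty string; `[ -f "$MLCA_PATH/build/libmlca2.a" ]` would catch a wrong or unbuilt checkout before compilation starts, and the error message is better sent to stderr with `>&2`.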
24 changes: 23 additions & 1 deletion configure.ac
@@ -1,7 +1,7 @@
# autoconf script

AC_PREREQ([2.65])
AC_INIT(sb-signtool, 0.9, matthew.vaught@ibm.com)
AC_INIT(sb-signtool, 0.10, matthew.vaught@ibm.com)
AM_INIT_AUTOMAKE([foreign])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
Expand Down Expand Up @@ -58,6 +58,28 @@ AC_CHECK_HEADERS(openssl/sha.h)
AM_CPPFLAGS="-Wall -Wextra"
AC_SUBST(AM_CPPFLAGS)

# Add optional v2/dilithium support
AC_ARG_VAR(MLCA_PATH, [Path to MLCA repository])

DIL_CPPFLAGS=
DIL_LDADD=
AC_ARG_ENABLE([sign-v2],
AS_HELP_STRING([--enable-sign-v2], [Enable support for v2 containers]) )
AM_CONDITIONAL([ADD_DILITHIUM], [test "x$enable_sign_v2" = "xyes"])
AS_IF([test "x$enable_sign_v2" = "xyes"], [
PKG_CHECK_MODULES(OPENSSL, [ openssl >= 1.1 ])
DIL_CPPFLAGS="-DADD_DILITHIUM"
DIL_LDADD="-lmlca2_shared"
AS_IF([test "x$MLCA_PATH" != "x"], [
DIL_CPPFLAGS+=" -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals"
DIL_LDADD="${MLCA_PATH}/build/libmlca2.a"
])

])
AC_SUBST(DIL_CPPFLAGS)
AC_SUBST(DIL_LDADD)
# AC_CHECK_LIB for mlca library

AC_CONFIG_FILES([Makefile])
AC_OUTPUT

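Review bot: `DIL_CPPFLAGS+=" -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals"` inside the inner AS_IF uses the bash-only `+=` assignment, but configure runs under /bin/sh; on a POSIX shell such as dash the line is taken as a command name and fails, and configure carries on without the include paths while still setting `DIL_LDADD` to the static archive. Write it portably as `DIL_CPPFLAGS="$DIL_CPPFLAGS -I${MLCA_PATH}/include -I${MLCA_PATH}/qsc/crystals"`, or use `AS_VAR_APPEND`. The trailing `# AC_CHECK_LIB for mlca library` comment suggests the library check is still to be written; until it is, `--enable-sign-v2` without a usable library is only caught at link time, so failing in configure with a clear message would be preferable for tools that handle signatures.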