incubator-teaclave-trustzone-sdk icon indicating copy to clipboard operation
incubator-teaclave-trustzone-sdk copied to clipboard

Published 20 hours ago verified publisher icon apache

RFC: An effort to standardize OP-TEE rust based TAs development environment

Open b49020 opened this issue 1 year ago • 32 comments

Existing OP-TEE rust environment required a custom rust toolchain target for OP-TEE based TAs. I suppose back in 2019 when this SDK was created, rust embedded ecosystem (especially no_std support) was in its very early stages of development. But as of today many rust crates have already added support for rust no_std or are being actively worked on to add rust no_std support for example rustls here(https://github.com/rustls/rustls/pull/1399).

This effort is a followup effort to the discussion here (https://github.com/apache/incubator-teaclave-trustzone-sdk/issues/113). The major motivation for this effort was to make OP-TEE rust TAs development environment to be the first class citizen. Rust no_std support seems to provide quite similar environment as we have on the C counterpart side in OP-TEE (we don't support fully fledged libc/glibc but rather our own quite simple libutils library).

Upsides for this PR:

  • Reusing standard rust aarch64 teir-1 toolchain target (aarch64-unknown-linux-gnu) for TAs development.
  • Significant rust TAs performance improvements.
  • Significant rust TAs binary size reduction.
  • Dropping custom rust toolchain/libc/compiler-builtins support.
  • Make rust TA builds to be quite similar to rust Linux application builds:
  $ cargo build --target $(TARGET) --release --verbose --config $(LINKER_CFG)

Downsides for this PR:

  • We have to drop networking and serde related TA examples due to their strong reliance on rust std support. But as I mentioned above with no_std support picking up, we should be able to rewrite them.

Testing

Their is one change needed for OP-TEE build repo in order to build this PR as follows. Once there is consensus on this PR, I will submit this change as well.

build$ git diff
diff --git a/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk b/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk
index e19e8b5..af2f368 100644
--- a/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk
+++ b/br-ext/package/optee_rust_examples_ext/optee_rust_examples_ext.mk
@@ -12,7 +12,7 @@ endif
 EXAMPLE = $(wildcard examples/*)
 
 HOST_TARGET := aarch64-unknown-linux-gnu
-TA_TARGET := aarch64-unknown-optee-trustzone
+TA_TARGET := aarch64-unknown-linux-gnu
 
 export RUST_TARGET_PATH = $(@D)
 export RUST_COMPILER_RT_ROOT = $(RUST_TARGET_PATH)/rust/rust/src/llvm-project/compiler-rt

Once that's done we should be able to build OP-TEE buildroot setup with rust support:

$ make -j`nproc` OPTEE_RUST_ENABLE=y

For interactive run, just bring up Qemu with below command and run rust examples:

$ make run-only

Or you can test all rust examples in one go:

$ make check-only-rust
<snip>
Starting QEMU...
 done, guest is booted.
Test Rust applications:
Running acipher-rs...
Test success
Running aes-rs...
Test success
Running authentication-rs...
Test success
Running big_int-rs...
Test success
Running diffie_hellman-rs...
Test success
Running digest-rs...
Test success
Running hello_world-rs...
Test success
Running hotp-rs...
Test success
Running random-rs...
Test success
Running secure_storage-rs...
Test success
Running supp_plugin-rs...
Test success
Running time-rs...
Test success
Running signature_verification-rs...
Test success
Test Rust application finished

Performance comparisons

After this PR, the TA performance becomes equivalent to the C counterparts. This is impressive improvement as compared to 35% performance gap earlier as illustrated here (https://github.com/apache/incubator-teaclave-trustzone-sdk/issues/89).

See below comparison after this PR:

# time aes-rs 
Prepare encode operation
Load key in TA
Reset ciphering operation in TA (provides the initial vector)
Encode buffer from TA
Prepare decode operation
Load key in TA
Reset ciphering operation in TA (provides the initial vector)
Decode buffer from TA
Clear text and decoded text match
real	0m 0.10s
user	0m 0.00s
sys	0m 0.09s
# 
# time optee_example_aes 
Prepare session with the TA
Prepare encode operation
Load key in TA
Reset ciphering operation in TA (provides the initial vector)
Encode buffer from TA
Prepare decode operation
Load key in TA
Reset ciphering operation in TA (provides the initial vector)
Decode buffer from TA
Clear text and decoded text match
real	0m 0.10s
user	0m 0.00s
sys	0m 0.08s
#
#
# time random-rs 
Invoking TA to generate random UUID...
Invoking done!
Generate random UUID: 60ee720f-493b-45a2-f7413c1bfc3df154
Success
real	0m 0.08s
user	0m 0.00s
sys	0m 0.07s
# 
# time optee_example_random 
Invoking TA to generate random UUID... 
TA generated UUID value = 0x4d45495584fb6fa851a761c3583dc3c
real	0m 0.08s
user	0m 0.00s
sys	0m 0.06s

Size comparisons

As you can observe from the comparisons below, there is approx. 70K - 80K TA binary size reduction after this PR:

$ ls -lh ./per-package/optee_rust_examples_ext/target/lib/optee_armtz/
...
-r--r--r-- 2 sumit sumit 197K Dec 21 17:29 057f4b66-bdab-11eb-96cf-33d6e41cc849.ta
-r--r--r-- 2 sumit sumit 197K Dec 21 17:30 0864c8ec-bdab-11eb-8926-c7fa47a8c92d.ta
-r--r--r-- 2 sumit sumit 197K Dec 21 17:30 0a5a06b2-bdab-11eb-add0-77f29de31296.ta
-r--r--r-- 2 sumit sumit 197K Dec 21 17:30 0bef16a2-bdab-11eb-94be-6f9815f37c21.ta
-r--r--r-- 2 sumit sumit 197K Dec 21 17:30 0e6bf4fe-bdab-11eb-9bc5-3f4ecb50aee7.ta
-r--r--r-- 2 sumit sumit 196K Dec 21 17:30 10de87e2-bdab-11eb-b73c-63fec73e597c.ta
-r--r--r-- 2 sumit sumit 196K Dec 21 17:30 133af0ca-bdab-11eb-9130-43bf7873bf67.ta
-r--r--r-- 2 sumit sumit 197K Dec 21 17:30 1585d412-bdab-11eb-ba91-3b085fd2601f.ta
-r--r--r-- 2 sumit sumit 196K Dec 21 17:30 197c710c-bdab-11eb-8f3f-17a5f698d23b.ta
-r--r--r-- 2 sumit sumit 197K Dec 21 17:30 1cd6d392-bdab-11eb-9082-abc902ac5cd4.ta
-r--r--r-- 2 sumit sumit 196K Dec 21 17:31 21b1a1da-bdab-11eb-b614-275a7098826f.ta
-r--r--r-- 2 sumit sumit 262K Dec 21 17:31 255fc838-de89-42d3-9a8e-d044c50fa57c.ta
-r--r--r-- 2 sumit sumit 197K Dec 21 17:31 c7e478c2-89b3-46eb-ac19-571e66c3830d.ta

Before this PR:

$ ls -lh ./per-package/optee_rust_examples_ext/target/lib/optee_armtz/
...
-r--r--r-- 2 sumit.garg primary 272K Dec 19 10:26 057f4b66-bdab-11eb-96cf-33d6e41cc849.ta
-r--r--r-- 2 sumit.garg primary 273K Dec 19 10:26 0864c8ec-bdab-11eb-8926-c7fa47a8c92d.ta
-r--r--r-- 2 sumit.garg primary 273K Dec 19 10:26 0a5a06b2-bdab-11eb-add0-77f29de31296.ta
-r--r--r-- 2 sumit.garg primary 273K Dec 19 10:27 0bef16a2-bdab-11eb-94be-6f9815f37c21.ta
-r--r--r-- 2 sumit.garg primary 272K Dec 19 10:27 0e6bf4fe-bdab-11eb-9bc5-3f4ecb50aee7.ta
-r--r--r-- 2 sumit.garg primary 264K Dec 19 10:27 10de87e2-bdab-11eb-b73c-63fec73e597c.ta
-r--r--r-- 2 sumit.garg primary 264K Dec 19 10:28 133af0ca-bdab-11eb-9130-43bf7873bf67.ta
-r--r--r-- 2 sumit.garg primary 272K Dec 19 10:28 1585d412-bdab-11eb-ba91-3b085fd2601f.ta
...
-r--r--r-- 2 sumit.garg primary 264K Dec 19 10:29 197c710c-bdab-11eb-8f3f-17a5f698d23b.ta
-r--r--r-- 2 sumit.garg primary 268K Dec 19 10:29 1cd6d392-bdab-11eb-9082-abc902ac5cd4.ta
...
-r--r--r-- 2 sumit.garg primary 260K Dec 19 10:32 21b1a1da-bdab-11eb-b614-275a7098826f.ta
-r--r--r-- 2 sumit.garg primary 273K Dec 19 10:31 255fc838-de89-42d3-9a8e-d044c50fa57c.ta
...
-r--r--r-- 2 sumit.garg primary 338K Dec 19 10:31 c7e478c2-89b3-46eb-ac19-571e66c3830d.ta
...

b49020 avatar Dec 21 '23 13:12 b49020