Add comprehensive ARM64 support: scripts, tooling, docs, and CI #70
base: main
Conversation
- Add ARM64 Support section to README
- Add docs/arm64-support.md with detailed ARM64 setup and troubleshooting
- Add zero-trust/system-setup-arm64.sh to build/install TPM stack on aarch64
- Enhance zero-trust/system-setup.sh to detect ARM64, install deps or fall back to source compilation
- Update zero-trust/tpm/Makefile to detect architecture/OS and emit build info
- Update swtpm.sh and tpm-ek-ak-persist.sh to auto-detect OS/ARCH and configure TPM2 TCTI/PREFIX
- Add tpm-app-persist.c (and generated binary) to persist App Signing Key with auto hw/swtpm selection
- Add test-arm64-implementation.sh to validate ARM64 environment and components
- Add .github/workflows/arm64-ci.yml for emulated and native ARM64 testing, multi-arch Docker builds, and reporting
- Implement fallback compilation flow for libtpms, swtpm, tpm2-tss, and tpm2-tools when packages are unavailable

Supports deploying and validating AegisEdgeAI on ARM64 platforms (cloud, edge, Raspberry Pi) and integrates multi-arch CI.
Pull Request Overview
This PR adds comprehensive ARM64 architecture support to AegisEdgeAI, enabling deployment on ARM64 cloud instances, edge devices, and Raspberry Pi platforms. The implementation includes automatic architecture detection, fallback compilation when packages are unavailable, multi-architecture CI/CD pipelines, and comprehensive documentation.
Key Changes:
- ARM64-specific system setup script with automated TPM stack compilation from source
- Enhanced existing scripts with architecture/OS detection and dynamic configuration
- Multi-architecture CI/CD pipeline with emulated and native ARM64 testing
- Comprehensive ARM64 documentation with setup, troubleshooting, and cloud deployment guides
Reviewed Changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| zero-trust/system-setup-arm64.sh | New dedicated ARM64 setup script that builds TPM stack components from source |
| zero-trust/system-setup.sh | Enhanced with ARM64 detection and conditional compilation fallback |
| zero-trust/tpm/Makefile | Added architecture/OS detection with appropriate compiler flags and library paths |
| zero-trust/tpm/swtpm.sh | Enhanced with ARM64 detection and dynamic PREFIX/TCTI configuration |
| zero-trust/tpm/tpm-ek-ak-persist.sh | Added comprehensive OS/architecture detection with appropriate environment setup |
| zero-trust/tpm/tpm-app-persist.c | New C application for persisting App Signing Keys with auto hw/swtpm selection |
| test-arm64-implementation.sh | New validation script testing ARM64 environment, tools, libraries, and compilation |
| docs/arm64-support.md | Comprehensive ARM64 setup and troubleshooting documentation |
| README.md | Added ARM64 support section with quick start guide |
| .github/workflows/arm64-ci.yml | New CI/CD pipeline for ARM64 emulated/native testing and multi-arch Docker builds |
| static int swtpm_present(void) { | ||
| const char *host = getenv("TPM_HOST"); if (!host) host = "127.0.0.1"; | ||
| const char *port = getenv("TPM_PORT"); if (!port) port = "2321"; | ||
| char cmd[256]; | ||
| snprintf(cmd, sizeof(cmd), "nc -z %s %s >/dev/null 2>&1", host, port); | ||
| int rc = system(cmd); | ||
| return (rc == 0); | ||
| } |
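Review bot: beyond the shell-injection concern, this probe depends on an `nc` binary being installed on the target and on a netcat variant that accepts `-z`, neither of which a minimal ARM64 image guarantees, so the function can report "no swtpm" for reasons unrelated to the TPM; a `getaddrinfo()`/`connect()` probe with a short timeout removes both the shell and the external dependency. The `snprintf` return value is also ignored, so an over-long TPM_HOST is silently truncated and probed as a different address; check for truncation (return value >= sizeof(cmd)) and treat it as "not present".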
Copilot
AI
Oct 21, 2025
Using system() with user-controlled environment variables (TPM_HOST and TPM_PORT) creates a potential command injection vulnerability. An attacker could set TPM_HOST to a value like '127.0.0.1; malicious_command' to execute arbitrary commands. Consider using a proper TCP connection test via socket API instead of shelling out to nc.
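A shell-free form of the probe, added here as an example and not code from the PR: TPM_HOST and TPM_PORT are handed to `getaddrinfo()` as a numeric address and port and tried with a non-blocking `connect()` under a timeout, so a value such as `127.0.0.1;x` is rejected as an address rather than interpolated into a command line. The function names `tcp_port_open` and `swtpm_present_safe` are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <poll.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not from the PR): returns 1 if a TCP connection to
 * host:port succeeds within timeout_ms, else 0. host/port are parsed as
 * data by getaddrinfo(); nothing is ever passed to a shell. */
static int tcp_port_open(const char *host, const char *port, int timeout_ms)
{
    struct addrinfo hints, *res = NULL, *ai;
    int ok = 0;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    /* Numeric host and service only: "127.0.0.1;x" or "2321 x" fail here.
     * Drop AI_NUMERICHOST if DNS names must be accepted. */
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return 0;
    for (ai = res; ai != NULL && !ok; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
            ok = 1;                      /* loopback may complete immediately */
        } else if (errno == EINPROGRESS) {
            struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
            int err = 0;
            socklen_t len = sizeof(err);
            /* Wait for the handshake, then read the real outcome from SO_ERROR. */
            if (poll(&pfd, 1, timeout_ms) == 1 &&
                getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
                ok = 1;
        }
        close(fd);
    }
    freeaddrinfo(res);
    return ok;
}

/* Same environment contract as the PR's swtpm_present() (TPM_HOST/TPM_PORT,
 * defaults 127.0.0.1:2321) without system() or an nc dependency. */
static int swtpm_present_safe(void)
{
    const char *host = getenv("TPM_HOST"); if (!host) host = "127.0.0.1";
    const char *port = getenv("TPM_PORT"); if (!port) port = "2321";
    return tcp_port_open(host, port, 500);
}
```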
| #if OPENSSL_VERSION_NUMBER >= 0x10100000L | ||
| if (RSA_set0_key(rsa_key, n, e, NULL) != 1) { BN_free(n); BN_free(e); RSA_free(rsa_key); diex("RSA_set0_key failed"); } | ||
| #else | ||
| rsa_key->n = n; rsa_key->e = e; | ||
| #endif |
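Review bot: the `RSA_set0_key()` branch kept for OpenSSL >= 1.1.0 is itself built on the low-level `RSA_*` API, which OpenSSL 3.0 marks deprecated, so on the current distributions the PR targets this compiles with deprecation warnings and fails outright under `-Werror=deprecated-declarations`; if the intent is forward compatibility on ARM64, construct the public key via `OSSL_PARAM_BLD`/`EVP_PKEY_fromdata()` and keep `RSA_set0_key()` only for 1.1.x. Also make sure the success path does not free `n` and `e` again: once `RSA_set0_key()` returns 1 the RSA object owns them, and only the failure path shown here should release them.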
Copilot
AI
Oct 21, 2025
The legacy OpenSSL 1.0 path (direct struct member access) is deprecated and should be removed unless there's a specific requirement to support OpenSSL versions older than 1.1.0 (released in 2016). Modern systems, especially ARM64 platforms, will have newer OpenSSL versions.
| #if OPENSSL_VERSION_NUMBER >= 0x10100000L | |
| if (RSA_set0_key(rsa_key, n, e, NULL) != 1) { BN_free(n); BN_free(e); RSA_free(rsa_key); diex("RSA_set0_key failed"); } | |
| #else | |
| rsa_key->n = n; rsa_key->e = e; | |
| #endif | |
| if (RSA_set0_key(rsa_key, n, e, NULL) != 1) { BN_free(n); BN_free(e); RSA_free(rsa_key); diex("RSA_set0_key failed"); } |
| [Unit] | ||
| Description=Software TPM Emulator for ARM64 | ||
| After=network.target | ||
| [Service] | ||
| Type=simple | ||
| User=swtpm | ||
| Group=swtpm | ||
| ExecStart=/usr/local/bin/swtpm socket --tpmstate dir=/var/lib/swtpm-localca --ctrl type=tcp,port=2321 --server type=tcp,port=2322 --tpm2 |
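Review bot: both `--ctrl type=tcp,port=2321` and `--server type=tcp,port=2322` are given without a bind address, so swtpm listens on every interface and the emulator that holds the persisted EK/AK state is reachable from the network; add `bindaddr=127.0.0.1` to both unless remote access is intended. The state directory `/var/lib/swtpm-localca` must also exist and be owned by the `swtpm` user the unit runs as, and its name reads like the local-CA directory rather than TPM state, so a dedicated directory would avoid mixing CA material with the TPM's NV/state files.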
Copilot
AI
Oct 21, 2025
The systemd service references User=swtpm and Group=swtpm, but the script does not create these users/groups. The service will fail to start if these don't exist. Add user/group creation logic before installing the systemd service.
| fi | ||
|
|
||
| # Handle ARM64 compilation if packages were not available | ||
| if [ "$ARM64_DETECTED" = "1" ] && [ "$COMPILE_SWTPM" = "1" -o "$COMPILE_TPM2_TOOLS" = "1" -o "$COMPILE_TPM2_TSS" = "1" ]; then |
Copilot
AI
Oct 21, 2025
Use of '-o' operator in test command is deprecated and can cause unexpected behavior. Replace with '||' operators between separate test commands: [ "$COMPILE_SWTPM" = "1" ] || [ "$COMPILE_TPM2_TOOLS" = "1" ] || [ "$COMPILE_TPM2_TSS" = "1" ]
| if [ "$ARM64_DETECTED" = "1" ] && [ "$COMPILE_SWTPM" = "1" -o "$COMPILE_TPM2_TOOLS" = "1" -o "$COMPILE_TPM2_TSS" = "1" ]; then | |
| if [ "$ARM64_DETECTED" = "1" ] && { [ "$COMPILE_SWTPM" = "1" ] || [ "$COMPILE_TPM2_TOOLS" = "1" ] || [ "$COMPILE_TPM2_TSS" = "1" ]; }; then |
| if [ -f "./zero-trust/tpm/Makefile" ] && [ -f "./zero-trust/spire-tpm-plugin/tpm-app-persist.c" ]; then | ||
| # Copy source file to tpm directory for compilation test | ||
| cp "./zero-trust/spire-tpm-plugin/tpm-app-persist.c" "./zero-trust/tpm/" |
Copilot
AI
Oct 21, 2025
The path './zero-trust/spire-tpm-plugin/tpm-app-persist.c' does not match the actual file location shown in the diff (zero-trust/tpm/tpm-app-persist.c). This will cause the compilation test to fail or skip incorrectly.
| if [ -f "./zero-trust/tpm/Makefile" ] && [ -f "./zero-trust/spire-tpm-plugin/tpm-app-persist.c" ]; then | |
| # Copy source file to tpm directory for compilation test | |
| cp "./zero-trust/spire-tpm-plugin/tpm-app-persist.c" "./zero-trust/tpm/" | |
| if [ -f "./zero-trust/tpm/Makefile" ] && [ -f "./zero-trust/tpm/tpm-app-persist.c" ]; then | |
| # Copy source file to tpm directory for compilation test | |
| cp "./zero-trust/tpm/tpm-app-persist.c" "./zero-trust/tpm/" |
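Review bot: the suggested replacement copies `./zero-trust/tpm/tpm-app-persist.c` into `./zero-trust/tpm/`, i.e. onto itself; `cp` exits non-zero with "are the same file", which aborts the script under `set -e` and otherwise still fails the step. Once the source already lives in `zero-trust/tpm/`, drop the `cp` line and run the Makefile directly.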
| ``` | ||
| /etc/profile.d/arm64-tpm-env.sh # ARM64 environment setup | ||
| /usr/local/bin/swtpm # Software TPM binary | ||
| /usr/local/bin/tmp2_* # TPM2 tools |
Copilot
AI
Oct 21, 2025
Corrected spelling of 'tmp2_' to 'tpm2_'.
| /usr/local/bin/tmp2_* # TPM2 tools | |
| /usr/local/bin/tpm2_* # TPM2 tools |
| # Wait for TPM to be ready | ||
| sleep 3 |
Copilot
AI
Oct 21, 2025
Using a fixed sleep duration is brittle and may cause race conditions. Consider implementing a retry loop that checks for TPM readiness (e.g., polling tpm2_getcap) instead of sleeping for an arbitrary duration.
| # Wait for TPM to be ready | |
| sleep 3 | |
| # Wait for TPM to be ready by polling tpm2_getcap | |
| for i in $(seq 1 10); do | |
| tpm2_getcap properties-fixed > /dev/null 2>&1 && break | |
| sleep 1 | |
| done |
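Review bot: after the ten iterations the script continues whether or not `tpm2_getcap` ever succeeded, so a TPM that never becomes ready is silently treated as ready and the failure surfaces later with a less useful error; record the outcome (for example set `ready=1` before `break` and `exit 1` with a message if it is still unset after the loop). The loop also probes through whatever TCTI is in the environment, so export the swtpm TCTI before polling or the check may be answering for a different TPM.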
| if (rc == TSS2_RC_SUCCESS) { | ||
| TPMS_CONTEXT *outctx = NULL; | ||
| if (Esys_ContextSave(ctx, existing, &outctx) == TSS2_RC_SUCCESS && outctx) { | ||
| uint8_t buf[sizeof(TPMS_CONTEXT)] = {0}; |
Copilot
AI
Oct 21, 2025
Using sizeof(TPMS_CONTEXT) as a buffer size is incorrect since TPMS_CONTEXT may contain pointers and variable-length data. Use a properly sized buffer based on TPM specifications (typically 4096 bytes) or dynamically allocate based on the marshalled size.
| uint8_t buf[sizeof(TPMS_CONTEXT)] = {0}; | |
| uint8_t buf[4096] = {0}; |
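Review bot: the suggested fixed `4096` can be too small. `TPMS_CONTEXT` is a flat struct of fixed-size TPM2B members with no pointers, so its marshalled form is never larger than `sizeof(TPMS_CONTEXT)`; the original sizing is conservative rather than wrong, whereas a context blob near `MAX_CONTEXT_SIZE` in tss2_tpm2_types.h exceeds 4096 bytes and would be truncated. The robust option is to call `Tss2_MU_TPMS_CONTEXT_Marshal()` once with a NULL buffer to obtain the exact marshalled size, allocate that, and marshal into it; `outctx` also needs `Esys_Free()` once it has been consumed.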