Skip to content

Commit

Permalink
A batch of docs style fixes.
Browse files Browse the repository at this point in the history 
[email protected]
BUG=524256

Review URL: https://codereview.chromium.org/1319543002

Cr-Commit-Position: refs/heads/master@{#345360}
  • Loading branch information
@nodirt
nodirt authored and Commit bot committed Aug 25, 2015
1 parent 92b5c2c commit 06cbaa0
Show file tree
Hide file tree
Showing 11 changed files with 435 additions and 237 deletions.
63 changes: 31 additions & 32 deletions docs/tpm_quick_ref.md
View file
Original file line number Diff line number Diff line change
@@ -1,32 +1,31 @@
# Introduction

This page is meant to help keep track of [TPM](Glossary.md) use across the system. It may not be up-to-date at any given point, but it's a wiki so you know what to do.

# Details

* TPM ownership management:
> > http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.tpm
* TPM\_Clear is done (as in vboot\_reference) but in the firmware code itself on switch between dev and verified modes and in recovery. (TODO: link code)

* TPM owner password clearing (triggered at sign-in by chrome):
> > http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/login_utils.cc;h=9c4564e074c650bd91c27243c589d603740793bb;hb=HEAD#l861
* PCR extend (no active use elsewhere):
> > http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/tpm_bootmode.c
* NVRAM use for OS rollback attack protection:
> > http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/rollback_index.c
* Tamper evident storage:
> > http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.lockbox
* Tamper-evident storage for avoiding runtime device management mode changes:
> > http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/enrollment/enterprise_enrollment_screen.cc
* User key/passphrase and cached data protection:
> > http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.homedirs
* A TPM in a Chrome device has an EK certificate that is signed by an intermediate certificate authority that is dedicated to the specific TPMs allocated for use in Chrome devices. OS-level self-validation of the platform TPM should be viable with this or chaining any other trust expectations.

* TPM is used for per-user certificate storage (NSS+PKCS#11) using opencryptoki but soon to be replaced by chaps. Update links here when chaps stabilizes (Each user's pkcs#11 key store is kept in their homedir to ensure it is tied to the local user account) This functionality includes VPN and 802.1x-related keypairs.
# TPM Quick ref

TODO: this page looks very outdated. glossary.md does not exist,
git.chromium.org does not exist. Delete it?

This page is meant to help keep track of TPM use across the system. It may not
be up-to-date at any given point, but it's a wiki so you know what to do.

## Details

* [TPM ownership management](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.tpm)
* TPM_Clear is done (as in vboot_reference) but in the firmware code itself on
switch between dev and verified modes and in recovery. (TODO: link code)
* [TPM owner password clearing](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/login_utils.cc;h=9c4564e074c650bd91c27243c589d603740793bb;hb=HEAD#l861)
(triggered at sign-in by chrome):
* [PCR extend](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/tpm_bootmode.c)
(no active use elsewhere):
* [NVRAM use for OS rollback attack protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/rollback_index.c)
* [Tamper evident storage](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.lockbox)
* [Tamper-evident storage for avoiding runtime device management mode changes](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/enrollment/enterprise_enrollment_screen.cc)
* [User key/passphrase and cached data protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.homedirs)
* A TPM in a Chrome device has an EK certificate that is signed by an
intermediate certificate authority that is dedicated to the specific TPMs
allocated for use in Chrome devices. OS-level self-validation of the
platform TPM should be viable with this or chaining any other trust
expectations.
* TPM is used for per-user certificate storage (NSS+PKCS#11) using
opencryptoki but soon to be replaced by chaps. Update links here when chaps
stabilizes (Each user's pkcs#11 key store is kept in their homedir to ensure
it is tied to the local user account). This functionality includes VPN and
802.1x-related keypairs.
31 changes: 22 additions & 9 deletions docs/updating_clang.md
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,24 @@
# Updating clang

1. Sync your Chromium tree to the latest revision to pick up any plugin changes and test the new compiler against ToT
1. Update clang revision in tools/clang/scripts/update.sh, upload CL to rietveld
1. Run tools/clang/scripts/package.py to create a tgz of the binary (mac and linux)
1. Do a local clobber build with that clang (mac and linux). Check that everything builds fine and no new warnings appear. (Optional if the revision picked in 1 was vetted by other means already.)
1. Upload the binaries using gsutil, they will appear at http://commondatastorage.googleapis.com/chromium-browser-clang/index.html
1. Run goma package update script to push these packages to goma, send email
1. `git cl try -m tryserver.chromium.mac -b mac_chromium_rel_ng -b mac_chromium_asan_rel_ng -b mac_chromium_gn_dbg -b ios_rel_device_ninja && git cl try -m tryserver.chromium.linux -b linux_chromium_gn_dbg -b linux_chromium_chromeos_dbg_ng -b linux_chromium_asan_rel_ng -b linux_chromium_chromeos_asan_rel_ng -b android_clang_dbg_recipe -b linux_chromium_trusty32_rel -b linux_chromium_rel_ng && git cl try -m tryserver.blink -b linux_blink_rel`
1. Commit roll CL from the first step
1. The bots will now pull the prebuilt binary, and goma will have a matching binary, too.
1. Sync your Chromium tree to the latest revision to pick up any plugin
changes and test the new compiler against ToT
1. Update clang revision in tools/clang/scripts/update.sh, upload CL to
rietveld
1. Run tools/clang/scripts/package.py to create a tgz of the binary (mac and
linux)
1. Do a local clobber build with that clang (mac and linux). Check that
everything builds fine and no new warnings appear. (Optional if the
revision picked in 1 was vetted by other means already.)
1. Upload the binaries using gsutil, they will appear at
http://commondatastorage.googleapis.com/chromium-browser-clang/index.html
1. Run goma package update script to push these packages to goma, send email
1. `git cl try -m tryserver.chromium.mac -b mac_chromium_rel_ng -b
mac_chromium_asan_rel_ng -b mac_chromium_gn_dbg -b ios_rel_device_ninja &&
git cl try -m tryserver.chromium.linux -b linux_chromium_gn_dbg -b
linux_chromium_chromeos_dbg_ng -b linux_chromium_asan_rel_ng -b
linux_chromium_chromeos_asan_rel_ng -b android_clang_dbg_recipe -b
linux_chromium_trusty32_rel -b linux_chromium_rel_ng && git cl try -m
tryserver.blink -b linux_blink_rel`
1. Commit roll CL from the first step
1. The bots will now pull the prebuilt binary, and goma will have a matching
binary, too.
106 changes: 69 additions & 37 deletions docs/updating_clang_format_binaries.md
View file
Original file line number Diff line number Diff line change
@@ -1,25 +1,35 @@
Instructions on how to update the [clang-format binaries](ClangFormat.md) that come with a checkout of Chromium.
# Updating Clang format binaries

<h2>Prerequisites</h2>
Instructions on how to update the [clang-format binaries](clang_format.md) that
come with a checkout of Chromium.

You'll need a Windows machine, a Linux machine, and a Mac; all capable of building clang-format. You'll also need permissions to upload to the appropriate google storage bucket. Chromium infrastructure team members have this, and others can be granted the permission based on need. Talk to ncarter or hinoka about getting access.
## Prerequisites

<h2>Pick a head svn revision</h2>
You'll need a Windows machine, a Linux machine, and a Mac; all capable of
building clang-format. You'll also need permissions to upload to the appropriate
google storage bucket. Chromium infrastructure team members have this, and
others can be granted the permission based on need. Talk to ncarter or hinoka
about getting access.

Consult http://llvm.org/svn/llvm-project/ for the current head revision. This will be the CLANG\_REV you'll use later to check out each platform to a consistent state.
## Pick a head svn revision

<h2>Build a release-mode clang-format on each platform</h2>
Consult http://llvm.org/svn/llvm-project/ for the current head revision. This
will be the CLANG_REV you'll use later to check out each platform to a
consistent state.

Follow the the official instructions here: http://clang.llvm.org/get_started.html.
## Build a release-mode clang-format on each platform

Follow the the official instructions here:
http://clang.llvm.org/get_started.html.

Windows step-by-step:
```
[double check you have the tools you need]

```shell
# [double check you have the tools you need]
where cmake.exe # You need to install this.
where svn.exe # Maybe fix with: set PATH=%PATH%;D:\src\depot_tools\svn_bin
"c:\Program Files (x86)\Microsoft Visual Studio 12.0\vc\vcvarsall.bat" amd64_x86

set CLANG_REV=198831 # You must change this value (see above)

[from a clean directory, check out and build]
Expand All @@ -33,13 +43,16 @@ svn co http://llvm.org/svn/llvm-project/cfe/trunk@%CLANG_REV% clang
cd ..\..\llvm-build
set CC=cl
set CXX=cl
cmake -G Ninja ..\llvm -DCMAKE_BUILD_TYPE=Release -DLLVM_USE_CRT_RELEASE=MT -DLLVM_ENABLE_ASSERTIONS=NO -DLLVM_ENABLE_THREADS=NO -DPYTHON_EXECUTABLE=d:\src\depot_tools\python276_bin\python.exe
cmake -G Ninja ..\llvm -DCMAKE_BUILD_TYPE=Release -DLLVM_USE_CRT_RELEASE=MT \
-DLLVM_ENABLE_ASSERTIONS=NO -DLLVM_ENABLE_THREADS=NO \
-DPYTHON_EXECUTABLE=d:\src\depot_tools\python276_bin\python.exe
ninja clang-format
bin\clang-format.exe --version
```

Mac & Linux step-by-step:
```

```shell
# Check out.
export CLANG_REV=198831 # You must change this value (see above)
rm -rf llvm
Expand All @@ -52,43 +65,62 @@ svn co http://llvm.org/svn/llvm-project/cfe/trunk@$CLANG_REV clang
cd ../../llvm-build

# Option 1: with cmake
MACOSX_DEPLOYMENT_TARGET=10.9 cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=NO -DLLVM_ENABLE_THREADS=NO ../llvm/
time caffeinate ninja clang-format
strip bin/clang-format
# (On Linux, to build with clang, which produces smaller binaries, add this to your cmake invocation.
# On Mac, the system compiler is already clang so it's not needed there.)
-DCMAKE_C_COMPILER=$PWD/../chrome/src/third_party/llvm-build/Release+Asserts/bin/clang -DCMAKE_CXX_COMPILER=$PWD/../chrome/src/third_party/llvm-build/Release+Asserts/bin/clang++
MACOSX_DEPLOYMENT_TARGET=10.9 cmake -G Ninja -DCMAKE_BUILD_TYPE=Release \
-DLLVM_ENABLE_ASSERTIONS=NO -DLLVM_ENABLE_THREADS=NO ../llvm/
time caffeinate ninja clang-format
strip bin/clang-format

# (On Linux, to build with clang, which produces smaller binaries, add this to
# your cmake invocation.
# On Mac, the system compiler is already clang so it's not needed there.)
-DCMAKE_C_COMPILER=$PWD/../chrome/src/third_party/llvm-build/Release+Asserts/bin/clang -DCMAKE_CXX_COMPILER=$PWD/../chrome/src/third_party/llvm-build/Release+Asserts/bin/clang++
```

TODO: these ^^ instructions looks odd. Are they correct???

Platform specific notes:
* Windows: Visual Studio 2013 only.
* Linux: so far (as of January 2014) we've just included a 64-bit binary. It's important to disable threading, else clang-format will depend on libatomic.so.1 which doesn't exist on Precise.
* Mac: Remember to set `MACOSX_DEPLOYMENT_TARGET` when building! If you get configure warnings, you may need to install XCode 5 and avoid a goma environment.

<h2>Upload each binary to google storage</h2>
* Windows: Visual Studio 2013 only.
* Linux: so far (as of January 2014) we've just included a 64-bit binary. It's
important to disable threading, else clang-format will depend on
libatomic.so.1 which doesn't exist on Precise.
* Mac: Remember to set `MACOSX_DEPLOYMENT_TARGET` when building! If you get
configure warnings, you may need to install XCode 5 and avoid a goma
environment.

Copy the binaries into your chromium checkout (under `src/buildtools/(win|linux64|mac)/clang-format(.exe?)`).
For each binary, you'll need to run upload\_to\_google\_storage.py according to the instructions in [README.txt](https://code.google.com/p/chromium/codesearch#chromium/src/buildtools/clang_format/README.txt). This will upload the binary into a publicly accessible google storage bucket, and update `.sha1` file in your Chrome checkout. You'll check in the `.sha1` file (but NOT the clang-format binary) into source control. In order to be able to upload, you'll need write permission to the bucket -- see the prerequisites.
## Upload each binary to google storage

<h2>Copy the helper scripts and update README.chromium</h2>
Copy the binaries into your chromium checkout (under
`src/buildtools/(win|linux64|mac)/clang-format(.exe?)`). For each binary, you'll
need to run upload_to_google_storage.py according to the instructions in
[README.txt](/buildtools/clang_format/README.txt). This will upload the binary
into a publicly accessible google storage bucket, and update `.sha1` file in
your Chrome checkout. You'll check in the `.sha1` file (but NOT the clang-format
binary) into source control. In order to be able to upload, you'll need write
permission to the bucket -- see the prerequisites.

There are some auxiliary scripts that ought to be kept updated in lockstep with the clang-format binary. These get copied into third\_party/clang\_format/scripts in your Chromium checkout.
## Copy the helper scripts and update README.chromium

There are some auxiliary scripts that ought to be kept updated in lockstep with
the clang-format binary. These get copied into
third_party/clang_format/scripts in your Chromium checkout.

The `README.chromium` file ought to be updated with version and date info.

<h2>Upload a CL according to the following template</h2>
## Upload a CL according to the following template

```
Update clang-format binaries and scripts for all platforms.
Update clang-format binaries and scripts for all platforms.

I followed these instructions:
https://code.google.com/p/chromium/wiki/UpdatingClangFormatBinaries
I followed these instructions:
https://chromium.googlesource.com/chromium/src/+/master/docs/updating_clang_format_binaries.md

The binaries were built at clang revision ####### on ####DATETIME####.
The binaries were built at clang revision ####### on ####DATETIME####.

BUG=
```
BUG=

The change should <b>always</b> include new `.sha1` files for each platform (we want to keep these in lockstep), should <b>never</b> include `clang-format` binaries directly. The change should <b>always</b> update `README.chromium`
The change should **always** include new `.sha1` files for each platform (we
want to keep these in lockstep), should **never** include `clang-format`
binaries directly. The change should **always** update `README.chromium`

clang-format binaries should weigh in at 1.5MB or less. Watch out for size regressions.
clang-format binaries should weigh in at 1.5MB or less. Watch out for size
regressions.
47 changes: 32 additions & 15 deletions docs/use_find_bugs_for_android.md
View file
Original file line number Diff line number Diff line change
@@ -1,32 +1,49 @@
# Introduction
# Use FindBugs for Android

[FindBugs](http://findbugs.sourceforge.net) is an open source static analysis tool from the University of Maryland that looks for potential bugs in Java class files. We have some scripts to run it over the Java code at build time.
[FindBugs](http://findbugs.sourceforge.net) is an open source static analysis
tool from the University of Maryland that looks for potential bugs in Java class
files. We have some scripts to run it over the Java code at build time.

# How To Run
## How To Run

For gyp builds, add `run_findbugs=1` to your `GYP_DEFINES`.

For gn builds, add `run_findbugs=true` to the args you pass to `gn gen`:

```
gn gen --args='target_os="android" run_findbugs=true'
```
gn gen --args='target_os="android" run_findbugs=true'

Note that running findbugs will add time to your build. The amount of additional time required depends on the number of targets on which findbugs runs, though it will usually be between 1-10 minutes.
Note that running findbugs will add time to your build. The amount of additional
time required depends on the number of targets on which findbugs runs, though it
will usually be between 1-10 minutes.

Some of the warnings are false positives. In general, they should be suppressed using [@SuppressFBWarnings](https://code.google.com/p/chromium/codesearch#chromium/src/base/android/java/src/org/chromium/base/annotations/SuppressFBWarnings.java). In the rare event that a warning should be suppressed across the entire code base, it should be added to the [exclusion file](https://code.google.com/p/chromium/codesearch#chromium/src/build/android/findbugs_filter/findbugs_exclude.xml) instead. If you modify this file:
Some of the warnings are false positives. In general, they should be suppressed
using
[@SuppressFBWarnings](https://code.google.com/p/chromium/codesearch#chromium/src/base/android/java/src/org/chromium/base/annotations/SuppressFBWarnings.java).
In the rare event that a warning should be suppressed across the entire
code base, it should be added to the
[exclusion file](https://code.google.com/p/chromium/codesearch#chromium/src/build/android/findbugs_filter/findbugs_exclude.xml)
instead. If you modify this file:

* Include a comment that says what you're suppressing and why.
* The existing suppressions should give you an idea of the syntax. See also the FindBugs documentation. Note that the documentation doesn't seem totally accurate (there's probably some version skew between the online docs and the version of FindBugs we're using) so you may have to experiment a little.
* Include a comment that says what you're suppressing and why.
* The existing suppressions should give you an idea of the syntax. See also
the FindBugs documentation. Note that the documentation doesn't seem totally
accurate (there's probably some version skew between the online docs and the
version of FindBugs we're using) so you may have to experiment a little.

# Chromium's [FindBugs](http://findbugs.sourceforge.net) plugin

We have [FindBugs plugin](https://code.google.com/p/chromium/codesearch#chromium/src/tools/android/findbugs_plugin/) to enforce chromium specific Java rules. It currently detects:
* Synchronized method
* Synchronized this
We have
[FindBugs plugin](https://code.google.com/p/chromium/codesearch#chromium/src/tools/android/findbugs_plugin/)
to enforce chromium specific Java rules. It currently detects:

* Synchronized method
* Synchronized this

# [FindBugs](http://findbugs.sourceforge.net) on the Bots

[FindBugs](http://findbugs.sourceforge.net) is configured to run on:
* [android\_clang\_dbg\_recipe](http://build.chromium.org/p/tryserver.chromium.linux/builders/android_clang_dbg_recipe) on the commit queue
* [Android Clang Builder (dbg)](http://build.chromium.org/p/chromium.linux/builders/Android%20Clang%20Builder%20(dbg)) on the main waterfall

* [android_clang_dbg_recipe](http://build.chromium.org/p/tryserver.chromium.linux/builders/android_clang_dbg_recipe)
on the commit queue
* [Android Clang Builder (dbg)](http://build.chromium.org/p/chromium.linux/builders/Android%20Clang%20Builder%20\(dbg\))
on the main waterfall
Loading

0 comments on commit 06cbaa0

Please sign in to comment.