
Regain control over the SDK libraries #1036

Draft pull request: wants to merge 9 commits into base: master
Changes from 8 commits
92 changes: 92 additions & 0 deletions .github/workflows/build_clangrt_builtins.yml
@@ -0,0 +1,92 @@
name: Build clang runtime builtins

on:
workflow_dispatch:
inputs:
target_sdk_branch:
type: string
required: false
default: 'master'
create_pr:
type: boolean
required: false
default: false

# TODO: remove this next line before merging!
push:

env:
GIT_USER_EMAIL: 'ledger@github.com'
GIT_USER_NAME: 'SDKLibsUpdaterGithub'
UPDATE_BRANCH: 'sdk_libs_update'

jobs:
build:
runs-on: ubuntu-latest
container:
image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest
strategy:
fail-fast: false
matrix:
target:
- core: cortex-m3
se: st33
- core: cortex-m35p+nodsp
se: st33k1

steps:
- uses: actions/checkout@v4
with:
# TODO: remove this next line before merging!
ref: feat/regain_control_over_libs
sparse-checkout: |
tools/build_clangrt_builtins.sh
sparse-checkout-cone-mode: false

- run: ./tools/build_clangrt_builtins.sh -t ${{ matrix.target.core }} -o artifact/arch/${{ matrix.target.se }}/lib

- uses: actions/upload-artifact@v4
with:
name: arch-${{ matrix.target.se }}
path: artifact/

merge:
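Review bot: two lines are still marked "remove before merging" and both change what gets built: the bare `push:` trigger runs the workflow on every push to every branch, and the sparse checkout pins `ref: feat/regain_control_over_libs`, so `tools/build_clangrt_builtins.sh` is always taken from the feature branch rather than from the commit the run belongs to. Drop both before merge, and give this job an explicit `permissions: contents: read` (the CodeQL warning below applies here). Since the `libclang_rt.builtins.a` produced by this job is committed to the repository, the build environment should be pinned as well: `ledger-app-builder-lite:latest` is a mutable tag, so two runs can yield different archives with nothing on record to say which clang built them; pin the image by digest, or at least have the job record `clang --version` alongside the artifact.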
Comment on lines +25 to +53
Check warning (Code scanning / CodeQL, Medium): Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 17 days ago):

To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for each job. For example:

  • The build job only needs contents: read to check out the repository.
  • The merge job may need contents: read and actions: write for artifact handling.
  • The pr_create job requires contents: read and pull-requests: write to create pull requests.

The permissions block can be added at the root level of the workflow to apply to all jobs or individually for each job. In this case, we will add permissions for each job to ensure granular control.


Suggested changeset 1: .github/workflows/build_clangrt_builtins.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_clangrt_builtins.yml b/.github/workflows/build_clangrt_builtins.yml
--- a/.github/workflows/build_clangrt_builtins.yml
+++ b/.github/workflows/build_clangrt_builtins.yml
@@ -25,2 +25,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     container:
@@ -55,2 +57,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
@@ -65,2 +70,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     if: ${{ success() && inputs.create_pr }}
EOF
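Review bot: the `contents: read` this patch gives `pr_create` is not enough for that job: it runs `git push -u origin ...` with `secrets.GITHUB_TOKEN`, which needs `contents: write` (the third autofix in this thread has it right). The `actions: write` on `merge` is there only for `delete-merged: true`; if that deletion is dropped, `contents: read` alone should do for the merge step.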
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/upload-artifact/merge@v4
with:
name: arch
pattern: arch-*
delete-merged: true

pr_create:
Comment on lines +54 to +63
Check warning (Code scanning / CodeQL, Medium): Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 17 days ago):

To fix the issue, we will add a permissions block at the workflow level to define the minimal permissions required for the workflow. This block will apply to all jobs unless overridden at the job level. Based on the workflow's operations, the following permissions are required:

  • contents: read for accessing the repository's contents.
  • pull-requests: write for creating pull requests in the pr_create job.

We will add the permissions block at the top of the workflow file, just below the name field.


Suggested changeset 1: .github/workflows/build_clangrt_builtins.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_clangrt_builtins.yml b/.github/workflows/build_clangrt_builtins.yml
--- a/.github/workflows/build_clangrt_builtins.yml
+++ b/.github/workflows/build_clangrt_builtins.yml
@@ -1,2 +1,5 @@
 name: Build clang runtime builtins
+permissions:
+  contents: read
+  pull-requests: write
 
EOF
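Review bot: putting `pull-requests: write` at the workflow level grants it to `build` and `merge` as well, and neither job touches pull requests; keep the workflow-level block at `contents: read` and raise `pull-requests: write` (together with the `contents: write` the push needs) on `pr_create` only. Note also that a job-level `permissions:` block replaces the workflow-level one rather than merging with it, so any job that overrides must restate `contents: read` if it still checks out the repository.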
needs: merge
runs-on: ubuntu-latest
if: ${{ success() && inputs.create_pr }}
continue-on-error: true
steps:
- name: Clone repository
uses: actions/checkout@v4
with:
# by default the action uses fetch-depth = 1, which creates
# shallow repositories from which we can't push
fetch-depth: 0
ref: ${{ inputs.target_sdk_branch }}

- name: Download Binaries artifact
uses: actions/download-artifact@v4
with:
name: arch

- name: PR creation
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.email ${{ env.GIT_USER_EMAIL }}
git config --global user.name ${{ env.GIT_USER_NAME }}
git switch --create ${{ env.UPDATE_BRANCH }}
git add -A .
git commit -m 'Updating static SDK libraries'
git push -u origin ${{ env.UPDATE_BRANCH }}
gh pr create -B ${{ inputs.target_sdk_branch }} --title '[SDK_LIBS_UPDATE] Updating static SDK libraries' --body 'Created by Github workflow "${{ github.workflow }}", job "${{ github.job }}", run "${{ github.run_id }}".'
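Review bot: `continue-on-error: true` on this job means a failed push or `gh pr create` still leaves the run green, so a broken update silently never reaches a PR; the job is already gated by `inputs.create_pr`, so let it fail. The `run:` step interpolates `${{ inputs.target_sdk_branch }}` and `${{ env.* }}` straight into the shell text; `workflow_dispatch` inputs can only be supplied by users with write access, so this is not an injection hole today, but the safer pattern is to expose them through `env:` and reference `"$TARGET_SDK_BRANCH"` in the script. Two operational caveats: a branch or PR created with `secrets.GITHUB_TOKEN` does not trigger other workflows, so CI will not run on the `sdk_libs_update` PR unless a different token is used; and `git push -u origin sdk_libs_update` is rejected as non-fast-forward on the next run if the branch from a previous run still exists, so either delete the branch when its PR is merged or push with `--force-with-lease`.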
Comment on lines +64 to +92

Check warning (Code scanning / CodeQL, Medium): Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 17 days ago):

To fix the issue, we will add a permissions block to the pr_create job to explicitly define the minimal permissions required for its tasks. Specifically, the pr_create job needs contents: write to push changes to a branch and pull-requests: write to create a pull request. This change ensures that the GITHUB_TOKEN has only the necessary permissions, reducing the risk of unintended actions.

The permissions block will be added under the pr_create job definition in the .github/workflows/build_clangrt_builtins.yml file.


Suggested changeset 1: .github/workflows/build_clangrt_builtins.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_clangrt_builtins.yml b/.github/workflows/build_clangrt_builtins.yml
--- a/.github/workflows/build_clangrt_builtins.yml
+++ b/.github/workflows/build_clangrt_builtins.yml
@@ -66,2 +66,5 @@
     if: ${{ success() && inputs.create_pr }}
+    permissions:
+      contents: write
+      pull-requests: write
     continue-on-error: true
EOF
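Review bot: this is the right scope for `pr_create` (`contents: write` for the push, `pull-requests: write` for `gh pr create`), but on its own it leaves `build` and `merge` on the repository's default token; pair it with a workflow-level `permissions: contents: read` so the write scopes are the exception rather than the baseline.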
5 changes: 4 additions & 1 deletion Makefile.defines
@@ -53,8 +53,9 @@ endif
SYSROOT = $(shell $(GCCPATH)arm-none-eabi-gcc -print-sysroot)
ifeq ($(SYSROOT),)
# path for Debian-based systems
SYSROOT = /usr/lib/arm-none-eabi
SYSROOT = /usr/lib/picolibc/arm-none-eabi
endif

CFLAGS += --sysroot="$(SYSROOT)"

# optimization and debugging levels
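Review bot: the fallback `SYSROOT` now points at the Debian picolibc tree while `tools/build_clangrt_builtins.sh` in this same PR still compiles the builtins against `SYSROOT=/usr/lib/arm-none-eabi`; pick one sysroot for both so the committed archive and the apps that link it see the same headers. The fallback also only applies when `arm-none-eabi-gcc -print-sysroot` returns nothing, that is, when GCC is not installed; with GCC present its (newlib) sysroot still wins, which no longer looks intended now that apps are expected to link picolibc. A comment next to the path saying which libc it is expected to provide would make that explicit.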
@@ -107,13 +108,15 @@ endif
ifeq ($(TARGET_NAME),TARGET_NANOX)
CPU = cortex-m0plus
CFLAGS += -frwpi
LDFLAGS += -L$(SYSROOT)/lib/thumb/v7-m/nofp/
LDFLAGS += -L$(BOLOS_SDK)/arch/st33/lib/
endif

ifeq ($(TARGET_NAME),$(filter $(TARGET_NAME),TARGET_STAX TARGET_FLEX TARGET_NANOS2))
CPU = cortex-m35p+nodsp
CFLAGS += -msoft-float
CFLAGS += -frwpi
LDFLAGS += -L$(SYSROOT)/lib/thumb/v8-m.main/nofp/
LDFLAGS += -L$(BOLOS_SDK)/arch/st33k1/lib/
endif

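Review bot: dropping `-L$(SYSROOT)/lib/thumb/v7-m/nofp/` and `-L$(SYSROOT)/lib/thumb/v8-m.main/nofp/` removes the only explicit multilib search path for `libc.a`/`libm.a`, and this PR also deletes the copies shipped under `arch/st33/lib` and `arch/st33k1/lib`; `Makefile.standard_app` still passes `-lm -lc`, so the PR should state how those resolve now (the driver's own `--sysroot` search, or a path set elsewhere) and CI should include a link test so a wrong multilib (hard-float, or v7-m in place of v8-m.main) fails loudly instead of linking silently. `-L$(BOLOS_SDK)/arch/st33/lib/` also means every app now links a binary checked into the SDK; tie it back to the workflow that produced it (a version note beside the archive, or a CI job that rebuilds and compares) so the committed artifact stays reviewable.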
8 changes: 5 additions & 3 deletions Makefile.standard_app
@@ -254,14 +254,16 @@ APP_FLAGS_APP_LOAD_PARAMS = $(shell printf '0x%x' $$(( $(STANDARD_APP_FLAGS) + $
CC = $(CLANGPATH)clang
AS = $(CLANGPATH)clang
ifeq ($(TARGET_NAME),TARGET_NANOS)
LD = $(GCCPATH)arm-none-eabi-gcc
LD = $(GCCPATH)arm-none-eabi-gcc
LDLIBS += -lgcc
else
LD = $(CLANGPATH)clang
LD = $(CLANGPATH)clang
LDLIBS += -lclang_rt.builtins
endif

AFLAGS += --target=arm-none-eabi

LDLIBS += -lm -lgcc -lc
LDLIBS += -lm -lc

#####################################################################
# MISC #
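Review bot: link order matters for static archives: the linker pulls a member out of an archive only to satisfy references it has already seen, and `-lclang_rt.builtins` is appended here before the `-lm -lc` line, so any `__aeabi_*` helper that `libc.a` or `libm.a` themselves reference (integer division inside formatting code is the usual case) stays unresolved unless clang's driver appends the builtins again at the end of the link line. Either move `LDLIBS += -lclang_rt.builtins` after `LDLIBS += -lm -lc` (the GCC branch works because the driver itself adds `-lgcc` after `-lc`), or confirm with `-###` or `-Wl,--verbose` that the driver does it, and say so in a comment.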
Binary file removed arch/st33/lib/libc.a
Binary file added arch/st33/lib/libclang_rt.builtins.a
Binary file removed arch/st33/lib/libm.a
Binary file removed arch/st33k1/lib/libc.a
Binary file added arch/st33k1/lib/libclang_rt.builtins.a
Binary file removed arch/st33k1/lib/libm.a
95 changes: 95 additions & 0 deletions tools/build_clangrt_builtins.sh
@@ -0,0 +1,95 @@
#!/usr/bin/env bash

set -e

TARGET_CPU=""
OUTPUT_DIR=""

while getopts "t:o:" opt
do
case "$opt" in
t)
TARGET_CPU="$OPTARG"
;;
o)
OUTPUT_DIR="$OPTARG"
;;
?)
exit 1
;;
esac
done
shift "$((OPTIND - 1))"

if [ -z "$TARGET_CPU" ] || [ -z "$OUTPUT_DIR" ]
then
echo "Usage: $0 -t TARGET_CPU -o OUTPUT_FILE" >&2
exit 1
fi

mkdir -p "$OUTPUT_DIR"
OUTPUT_DIR=$(realpath "$OUTPUT_DIR")

# enable source repository
sed -i 's/^\(Types: deb\)$/\1 deb-src/g' /etc/apt/sources.list.d/debian.sources

apt update

apt install -y --no-install-recommends \
dpkg-dev \
llvm-dev

LLVM_VERSION=$(clang --version | head -n1 | rev | cut -d" " -f1 | rev)
LLVM_MAJOR_VERSION=$(echo "$LLVM_VERSION" | cut -d. -f1)

cd /tmp

LLVM_DIR="llvm-toolchain-$LLVM_MAJOR_VERSION-$LLVM_VERSION"
if [ ! -d "$LLVM_DIR" ]
then
# install Debian source package
apt source "llvm-toolchain-$LLVM_MAJOR_VERSION"
fi

cd "$LLVM_DIR"
rm -rf build
mkdir build
cd build

TARGET=arm-none-eabi
SYSROOT=/usr/lib/arm-none-eabi

cmake ../compiler-rt \
-DCMAKE_TRY_COMPILE_TARGET_TYPE=STATIC_LIBRARY \
-DCOMPILER_RT_OS_DIR="baremetal" \
-DCOMPILER_RT_BUILD_BUILTINS=ON \
-DCOMPILER_RT_BUILD_CRT=OFF \
-DCOMPILER_RT_BUILD_SANITIZERS=OFF \
-DCOMPILER_RT_BUILD_XRAY=OFF \
-DCOMPILER_RT_BUILD_LIBFUZZER=OFF \
-DCOMPILER_RT_BUILD_PROFILE=OFF \
-DCOMPILER_RT_BUILD_MEMPROF=OFF \
-DCOMPILER_RT_BUILD_ORC=OFF \
-DCMAKE_C_COMPILER="$(which clang)" \
-DCMAKE_C_COMPILER_TARGET="${TARGET}" \
-DCMAKE_ASM_COMPILER_TARGET="${TARGET}" \
-DCMAKE_AR="$(which llvm-ar)" \
-DCMAKE_NM="$(which llvm-nm)" \
-DCMAKE_RANLIB="$(which llvm-ranlib)" \
-DCOMPILER_RT_BAREMETAL_BUILD=ON \
-DCOMPILER_RT_DEFAULT_TARGET_ONLY=ON \
-DLLVM_CONFIG_PATH="$(which llvm-config)" \
-DCOMPILER_RT_HAS_FPIC_FLAG=OFF \
-DCMAKE_C_FLAGS="-mcpu=${TARGET_CPU} -mlittle-endian -mthumb -Oz -g0 -fropi -frwpi" \
-DCMAKE_ASM_FLAGS="-mcpu=${TARGET_CPU} -mlittle-endian -mthumb" \
-DCMAKE_SYSROOT="$SYSROOT"
make -j

# Removing duplicated symbols that are also present in picolibc
ar d lib/baremetal/libclang_rt.builtins-arm.a aeabi_memset.S.o
ar d lib/baremetal/libclang_rt.builtins-arm.a aeabi_memmove.S.o
ar d lib/baremetal/libclang_rt.builtins-arm.a aeabi_memcpy.S.o

# Output
mkdir -p "$OUTPUT_DIR"
cp lib/baremetal/libclang_rt.builtins-arm.a "$OUTPUT_DIR/libclang_rt.builtins.a"
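Review bot: several details here decide whether the committed archive is reproducible and matches the compiler that will consume it. The usage line says `OUTPUT_FILE` but `-o` takes a directory. `LLVM_VERSION` is taken as the last word of `clang --version`, which on Ubuntu and apt.llvm.org builds carries a packaging suffix or a parenthesised build tag rather than the bare version, so `LLVM_DIR` then never matches the directory `apt source` produced; `llvm-config --version` (available once `llvm-dev` is installed) is the more robust source, and the script should abort if the unpacked source version differs from it, because builtins built from a different compiler-rt than the installed clang is exactly the drift this PR sets out to remove. `SYSROOT=/usr/lib/arm-none-eabi` disagrees with the picolibc path `Makefile.defines` now falls back to. `make -j` with no count runs unbounded parallelism and can exhaust a runner's memory; `make -j"$(nproc)"` is the usual form. The three `ar d` lines make the archive depend on picolibc providing `__aeabi_memcpy`, `__aeabi_memmove` and `__aeabi_memset`, which deserves a comment stating that assumption. Finally, writing `llvm-config --version`, the Debian source package version and the cmake flags into a small text file next to `libclang_rt.builtins.a` would let a reviewer check the committed binary against its build instead of trusting the commit message.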