Promote tier 3 arm64e-apple-ios target to tier 2 #793

Closed
1 of 3 tasks
arttet opened this issue Oct 8, 2024 · 4 comments
Labels
major-change A proposal to make a major change to rustc T-compiler Add this label so rfcbot knows to poll the compiler team

arttet commented Oct 8, 2024

Promote arm64e-apple-ios target to tier 2.

A tier 2 target must have value to people other than its maintainers. (It may still be a niche target, but it must not be exclusively useful for an inherently closed group.)

I believe that the arm64e-apple-ios target has the same meaning as aarch64-apple-ios. It can be used alongside aarch64-apple-ios, but with some limitations at the moment.

A tier 2 target must have a designated team of developers (the "target maintainers") available to consult on target-specific build-breaking issues, or if necessary to develop target-specific language or library implementation details. This team must have at least 2 developers.

I am a maintainer of this target, so I believe we can extend the team to include *-apple-ios.

The target maintainers should not only fix target-specific issues, but should use any such issue as an opportunity to educate the Rust community about portability to their target, and enhance documentation of the target.

I have been working on this, so I have a backlog related to it.

The target must not place undue burden on Rust developers not specifically concerned with that target. Rust developers are expected to not gratuitously break a tier 2 target, but are not expected to become experts in every tier 2 target, and are not expected to provide target-specific implementations for every tier 2 target.

This target is almost the same as aarch64-apple-ios which is tier 2, so there shouldn't be any burden.

The target must provide documentation for the Rust community explaining how to build for the target using cross-compilation, and explaining how to run tests for the target. If at all possible, this documentation should show how to run Rust programs and tests for the target using emulation, to allow anyone to do so. If the target cannot be feasibly emulated, the documentation should explain how to obtain and work with physical hardware, cloud systems, or equivalent.

Cross compilation and testing are explained on the targets page.

The target must document its baseline expectations for the features or versions of CPUs, operating systems, libraries, runtime environments, and similar.

The target specifies that it can work on iOS 11+.

Tier 2 targets must not leave any significant portions of core or the standard library unimplemented or stubbed out, unless they cannot possibly be supported on the target.

No change.

The code generation backend for the target should not have deficiencies that invalidate Rust safety properties, as evaluated by the Rust compiler team. (This requirement does not apply to arbitrary security enhancements or mitigations provided by code generation backends, only to those properties needed to ensure safe Rust code cannot cause undefined behavior or other unsoundness.) If this requirement does not hold, the target must clearly and prominently document any such limitations as part of the target's entry in the target tier list, and ideally also via a failing test in the testsuite. The Rust compiler team must be satisfied with the balance between these limitations and the difficulty of implementing the necessary features.

It doesn't.

If the target supports C code, and the target has an interoperable calling convention for C code, the Rust target must support that C calling convention for the platform via extern "C". The C calling convention does not need to be the default Rust calling convention for the target, however.

It supports the C calling convention with some limitations.

The target must build reliably in CI, for all components that Rust's CI considers mandatory.

I can build this target using the same methods as in CI.

The approving teams may additionally require that a subset of tests pass in CI, such as enough to build a functional "hello world" program, ./x.py test --no-run, or equivalent "smoke tests". In particular, this requirement may apply if the target builds host tools, or if the tests in question provide substantial value via early detection of critical problems.

No problem.

Building the target in CI must not take substantially longer than the current slowest target in CI, and should not substantially raise the maintenance burden of the CI infrastructure. This requirement is subjective, to be evaluated by the infrastructure team, and will take the community importance of the target into account.

It should be more or less the same speed as aarch64-apple-ios. I usually build this target in CI for up to 2 hours.

Tier 2 targets should, if at all possible, support cross-compiling. Tier 2 targets should not require using the target as the host for builds, even if the target supports host tools.

This is supported without any issues.

In addition to the legal requirements for all targets (specified in the tier 3 requirements), because a tier 2 target typically involves the Rust project building and supplying various compiled binaries, incorporating the target and redistributing any resulting compiled binaries (e.g. built libraries, host tools if any) must not impose any onerous license requirements on any members of the Rust project, including infrastructure team members and those operating CI systems. This is a subjective requirement, to be evaluated by the approving teams.

I believe that since it is more or less the same as aarch64-apple-ios, there shouldn't be any issues.

Tier 2 targets must not impose burden on the authors of pull requests, or other developers in the community, to ensure that tests pass for the target. In particular, do not post comments (automated or manual) on a PR that derail or suggest a block on the PR based on tests failing for the target. Do not send automated messages or notifications (via any medium, including via @) to a PR author or others involved with a PR regarding the PR breaking tests on a tier 2 target, unless they have opted into such messages.

No problem.

The target maintainers should regularly run the testsuite for the target, and should fix any test failures in a reasonably timely fashion.

Agree.

All requirements for tier 3 apply.

Agree.

Process

The main points of the Major Change Process are as follows:

  • File an issue describing the proposal.
  • A compiler team member or contributor who is knowledgeable in the area can second by writing @rustbot second.
    • Finding a "second" suffices for internal changes. If however, you are proposing a new public-facing feature, such as a -C flag, then full team check-off is required.
    • Compiler team members can initiate a check-off via @rfcbot fcp merge on either the MCP or the PR.
  • Once an MCP is seconded, the Final Comment Period begins. If no objections are raised after 10 days, the MCP is considered approved.

You can read more about Major Change Proposals on forge.

Comments

This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed.

You can read more about Major Change Proposals on forge.

See #717
See rust-lang/rust#73628

@Urgau Urgau added T-compiler Add this label so rfcbot knows to poll the compiler team major-change A proposal to make a major change to rustc labels Oct 8, 2024
rustbot commented Oct 8, 2024

This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed.

Concerns or objections to the proposal should be discussed on Zulip and formally registered here by adding a comment with the following syntax:

@rustbot concern reason-for-concern 
<description of the concern> 

Concerns can be lifted with:

@rustbot resolve reason-for-concern 

See documentation at https://forge.rust-lang.org

cc @rust-lang/compiler @rust-lang/compiler-contributors

@rustbot rustbot added the to-announce Announce this issue on triage meeting label Oct 8, 2024
comex commented Oct 14, 2024

@rustbot concern insecure

The purpose of arm64e targets is to be the same as aarch64 but with pointer authentication enabled for calls and returns.

Since the last time this was tried, it appears that LLVM upstream has finished implementing authenticated calls and returns, but there is still a frontend component that rustc is missing.

Specifically:

  1. All functions should get the ptrauth-calls and ptrauth-returns attributes.
  2. All indirect calls should get ptrauth operand bundles.
  3. Whenever a pointer to a known function is created, it should use a pointer authentication constant.

As far as I can tell, nobody has implemented this for rustc, so the generated assembly (as of rust-lang/rust@17a19e684cd) still doesn't use pointer authentication at all. I expect that the code will still work, but with some compatibility problems (passing function pointers to C code won't work), and critical security problems.

Authenticated calls and returns form a sort of chain of trust: you start from a valid entry point, and every jump from there should either be a direct jump to an address known to be valid, or an indirect jump which uses authentication to ensure the target address is valid. So if any unauthenticated return or indirect call exists in any function ever called, it breaks the chain of trust for the whole process.

Until that's fixed, my opinion is that this target shouldn't be considered production-ready. To be fair, as far as the tier policy goes, pointer authentication is not a "propert[y] needed to ensure safe Rust code cannot cause undefined behavior". It seems closer to "arbitrary security enhancements or mitigations provided by code generation backends", which are not required in order for a target to be tier 2. But silently degrading security for the whole process seems like a pretty big flaw that perhaps wasn't envisioned when writing this policy.
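Added example, not part of the thread and not rustc or LLVM code: a small audit over disassembly text that reports functions containing an unauthenticated indirect call or an unauthenticated return, the two cases the comment above says break the chain of trust. The input format, the `audit` function and the sample listing are assumptions made for illustration; plain `br` is not checked because it also appears in jump-table dispatch.

```python
import re

# Constructed sample (not from a real build): disassembly with one
# mnemonic-first instruction per line under each function label.
SAMPLE = """\
_hardened:
    pacibsp
    stp x29, x30, [sp, #-16]!
    blraaz x8
    ldp x29, x30, [sp], #16
    retab
_unsigned:
    stp x29, x30, [sp, #-16]!
    blr x8
    ldp x29, x30, [sp], #16
    ret
_leaf:
    add w0, w0, #1
    ret
"""
LABEL = re.compile(r"^(?:[0-9a-f]+\s+)?<?([A-Za-z_.$][\w.$]*)>?:$")
SPILLS_LR = re.compile(r"^(?:stp|str)\b.*\b(?:x30|lr)\b")
AUTH_LR = {"autiasp", "autibsp"}  # authenticate LR before a plain ret

def audit(disassembly):
    """Map each function that breaks the chain of trust to its findings."""
    funcs, name = {}, None
    for raw in disassembly.splitlines():
        line = raw.strip()
        m = LABEL.match(line)
        if m:
            name = m.group(1)
            funcs[name] = []
        elif name and line:
            funcs[name].append(line.lower())
    report = {}
    for name, insns in funcs.items():
        ops = [i.split()[0] for i in insns]
        spills = any(SPILLS_LR.match(i) for i in insns)
        findings = ["unauthenticated indirect call: " + i
                    for i, op in zip(insns, ops) if op == "blr"]
        # A leaf that never stores LR to memory may return with plain ret.
        # Once LR has been spilled, it must be authenticated (retaa/retab,
        # or autiasp/autibsp followed by ret) before it is used.
        if "ret" in ops and spills and not AUTH_LR & set(ops):
            findings.append("unauthenticated return after LR spill")
        if findings:
            report[name] = findings
    return report
```

A listing in this shape can be produced with `llvm-objdump -d --no-show-raw-insn --no-leading-addr`; an empty result means no function in the listing matched either pattern, not that the binary is fully hardened.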

arttet commented Oct 17, 2024

Hi @comex,

Thank you so much for your feedback. Of course, we need to implement it. I would appreciate it if you could open a ticket for this.

I believe this feature could be useful for any AArch64 targets.

The arm64e ABI is not stable yet. Apple is still actively developing it, so there are some differences between Apple's LLVM and the upstream LLVM. As I mentioned earlier, there are limitations for this target, but I don't believe they present critical security issues.

According to this article, some attacks against ARM pointer authentication have been demonstrated. Additionally, the Threat Analysis Group (TAG) has noted that there have been years of exploits targeting arm64e on iOS, showing that iOS is not inherently secure by design.

Until that's fixed, my opinion is that this target shouldn't be considered production-ready.

I completely agree with this. There's still a lot of work to be done before this target is production-ready. However, it could be valuable for research purposes. We can also avoid regressions for this architecture by integrating it into CI. According to the Rust target policy, this target has the potential to be promoted. I hope this will attract more contributors to these targets and help us achieve our goals faster.

@apiraino apiraino removed the to-announce Announce this issue on triage meeting label Oct 17, 2024
arttet commented Oct 18, 2024

I have summarized the known issues. I understand there are some concerns, so I believe we should revisit this topic once all these tickets are resolved.
