Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SGX target to std and dependencies #56066

Merged
merged 12 commits into from
Dec 7, 2018
Merged

Conversation

jethrogb
Copy link
Contributor

@jethrogb jethrogb commented Nov 19, 2018

This PR adds tier 3 std support for the x86_64-fortanix-unknown-sgx target.

Background

Intel Software Guard Extensions (SGX) is an instruction set extension for x86 that allows executing code in fully-isolated secure enclaves. These enclaves reside in the address space of a regular user process, but access to the enclave's address space from outside (by e.g. the OS or a hypervisor) is blocked.

From within such enclaves, there is no access to the operating system or hardware peripherals. In order to communicate with the outside world, enclaves require an untrusted “helper” program that runs as a normal user process.

SGX is not a sandboxing technology: code inside SGX has full access to all memory belonging to the process it is running in.

Overview

The Fortanix SGX ABI (compiler target x86_64-fortanix-unknown-sgx) is an interface for Intel SGX enclaves. It is a small yet functional interface suitable for writing larger enclaves. In contrast to other enclave interfaces, this interface is primarly designed for running entire applications in an enclave. The interface has been under development since early 2016 and builds on Fortanix's significant experience running enclaves in production.

Also unlike other enclave interfaces, this is the only implementation of an enclave interface that is nearly pure-Rust (except for the entry point code).

A description of the ABI may be found at https://docs.rs/fortanix-sgx-abi/ and https://github.com/fortanix/rust-sgx/blob/master/doc/FORTANIX-SGX-ABI.md.

The following parts of std are not supported and most operations will error when used:

  • std::fs
  • std::process
  • std::net::UdpSocket

Future plans

A separate PR (#56067) will add the SGX target to the rust compiler. In the very near future, I expect to upgrade this target to tier 2.

This PR is just the initial support to make things mostly work. There will be more work coming in the future, for example to add interfaces to the native SGX primitives, implement unwinding, optimize usercalls.

UDP and some form of filesystem support may be added in the future, but process support seems unlikely given the platform's constraints.

Testing build

  1. Install Xargo: cargo install xargo
  2. Create a new Cargo project, for example: cargo new --bin sgxtest.
  3. Put the following in a file Xargo.toml next to your Cargo.toml:
[target.x86_64-fortanix-unknown-sgx.dependencies.std]
git = "https://github.com/jethrogb/rust"
branch = "jb/sgx-target"

NB. This can be quite slow. Instead, you can have a local checkout of that branch and use path = "/path/to/rust/src/libstd" instead. Don't forget to checkout the submodules too!

  1. Build:
xargo build --target x86_64-fortanix-unknown-sgx

Testing execution

Execution is currently only supported on x86-64 Linux, but support for Windows is planned.

  1. Install pre-requisites. In order to test execution, you'll need to have a CPU with Intel SGX support. SGX support needs to be enabled in the BIOS. You'll also need to install the SGX driver and Platform Software (PSW) from Intel.

  2. Install toolchain, executor:

cargo install sgxs-tools --version 0.6.0-rc1
cargo install fortanix-sgx-tools --version 0.1.0-rc1
  1. Start the enclave:
ftxsgx-elf2sgxs target/x86_64-fortanix-unknown-sgx/debug/sgxtest --heap-size 0x20000 --ssaframesize 1 --stack-size 0x20000 --threads 1 --debug
sgxs-append -i target/x86_64-fortanix-unknown-sgx/debug/sgxtest.sgxs
ftxsgx-runner target/x86_64-fortanix-unknown-sgx/debug/sgxtest.sgxs

@rust-highfive
Copy link
Collaborator

r? @KodrAus

(rust_highfive has picked a reviewer for you, use r? to override)

@rust-highfive
Copy link
Collaborator

⚠️ Warning ⚠️

  • These commits modify submodules.

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Nov 19, 2018
@rust-highfive
Copy link
Collaborator

Your PR failed on Travis (raw log). Through arcane magic we have determined that the following fragments from the build log may contain information about the problem.

Click to expand the log.
travis_time:end:2987abc3:start=1542626200926557621,finish=1542626258294439081,duration=57367881460
$ git checkout -qf FETCH_HEAD
travis_fold:end:git.checkout

Encrypted environment variables have been removed for security reasons.
See https://docs.travis-ci.com/user/pull-requests/#Pull-Requests-and-Security-Restrictions
$ export SCCACHE_BUCKET=rust-lang-ci-sccache2
$ export SCCACHE_REGION=us-west-1
Setting environment variables from .travis.yml
$ export IMAGE=x86_64-gnu-llvm-5.0
---
[00:00:06] Cloning into '/home/travis/build/rust-lang/rust/src/tools/cargo'...
[00:00:06] Cloning into '/home/travis/build/rust-lang/rust/src/tools/clang'...
[00:00:51] Cloning into '/home/travis/build/rust-lang/rust/src/tools/lld'...
[00:00:51] Cloning into '/home/travis/build/rust-lang/rust/src/tools/lldb'...
[00:00:52] error: Server does not allow request for unadvertised object 373989eaae98351bf2c41a04e85c2128ba9d6e1a
[00:00:52] Fetched in submodule path 'src/dlmalloc', but it did not contain 373989eaae98351bf2c41a04e85c2128ba9d6e1a. Direct fetching of that commit failed.
[00:00:53] Cleared directory 'src/dlmalloc'
[00:00:53] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:00:53] Cleared directory 'src/doc/nomicon'
[00:00:53] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:00:53] Submodule 'src/tools/miri' (https://github.com/solson/miri.git) registered for path 'src/tools/miri'
[00:00:53] Submodule 'src/tools/rls' (https://github.com/rust-lang-nursery/rls.git) registered for path 'src/tools/rls'
[00:00:53] Submodule 'src/rust-installer' (https://github.com/rust-lang/rust-installer.git) registered for path 'src/tools/rust-installer'
[00:00:53] Submodule 'src/tools/rustfmt' (https://github.com/rust-lang-nursery/rustfmt.git) registered for path 'src/tools/rustfmt'
[00:00:54] error: Server does not allow request for unadvertised object 373989eaae98351bf2c41a04e85c2128ba9d6e1a
[00:00:54] Fetched in submodule path 'src/dlmalloc', but it did not contain 373989eaae98351bf2c41a04e85c2128ba9d6e1a. Direct fetching of that commit failed.
[00:00:56] Cleared directory 'src/dlmalloc'
[00:00:56] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:00:56] Cleared directory 'src/doc/nomicon'
[00:00:56] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:00:56] Submodule 'src/tools/miri' (https://github.com/solson/miri.git) registered for path 'src/tools/miri'
[00:00:56] Submodule 'src/tools/rls' (https://github.com/rust-lang-nursery/rls.git) registered for path 'src/tools/rls'
[00:00:56] Submodule 'src/rust-installer' (https://github.com/rust-lang/rust-installer.git) registered for path 'src/tools/rust-installer'
[00:00:56] Submodule 'src/tools/rustfmt' (https://github.com/rust-lang-nursery/rustfmt.git) registered for path 'src/tools/rustfmt'
[00:00:57] error: Server does not allow request for unadvertised object 373989eaae98351bf2c41a04e85c2128ba9d6e1a
[00:00:57] Fetched in submodule path 'src/dlmalloc', but it did not contain 373989eaae98351bf2c41a04e85c2128ba9d6e1a. Direct fetching of that commit failed.
[00:01:00] Cleared directory 'src/dlmalloc'
[00:01:00] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:01:00] Cleared directory 'src/doc/nomicon'
[00:01:00] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:01:00] Submodule 'src/tools/miri' (https://github.com/solson/miri.git) registered for path 'src/tools/miri'
[00:01:00] Submodule 'src/tools/rls' (https://github.com/rust-lang-nursery/rls.git) registered for path 'src/tools/rls'
[00:01:00] Submodule 'src/rust-installer' (https://github.com/rust-lang/rust-installer.git) registered for path 'src/tools/rust-installer'
[00:01:00] Submodule 'src/tools/rustfmt' (https://github.com/rust-lang-nursery/rustfmt.git) registered for path 'src/tools/rustfmt'
[00:01:01] error: Server does not allow request for unadvertised object 373989eaae98351bf2c41a04e85c2128ba9d6e1a
[00:01:01] Fetched in submodule path 'src/dlmalloc', but it did not contain 373989eaae98351bf2c41a04e85c2128ba9d6e1a. Direct fetching of that commit failed.
[00:01:05] Cleared directory 'src/dlmalloc'
[00:01:05] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:01:05] Cleared directory 'src/doc/nomicon'
[00:01:05] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:01:05] Submodule 'src/tools/miri' (https://github.com/solson/miri.git) unregistered for path 'src/tools/miri'
[00:01:05] Cleared directory 'src/tools/rls'
[00:01:05] Submodule 'src/tools/rls' (https://github.com/rust-lang-nursery/rls.git) unregistered for path 'src/tools/rls'
[00:01:05] Cleared directory 'src/tools/rust-installer'
[00:01:05] Submodule 'src/rust-installer' (https://github.com/rust-lang/rust-installer.git) unregistered for path 'src/t[00:01:06] error: Server does not allow request for unadvertised object 373989eaae98351bf2c41a04e85c2128ba9d6e1a
[00:01:06] Fetched in submodule path 'src/dlmalloc', but it did not contain 373989eaae98351bf2c41a04e85c2128ba9d6e1a. Direct fetching of that commit failed.
travis_time:end:2f34b1b8:start=1542626267110139081,finish=1542626333490863441,duration=66380724360
The command "stamp sh -x -c "$RUN_SCRIPT"" exited with 1.
travis_time:start:2e01b220
$ date && (curl -fs --head https://google.com | grep ^Date: | sed 's/Date: //g' || true)
---
travis_time:end:047dd018:start=1542626333761724004,finish=1542626333769146063,duration=7422059
travis_fold:end:after_failure.3
travis_fold:start:after_failure.4
travis_time:start:368440e3
$ ln -s . checkout && for CORE in obj/cores/core.*; do EXE=$(echo $CORE | sed 's|obj/cores/core\.[0-9]*\.!checkout!\(.*\)|\1|;y|!|/|'); if [ -f "$EXE" ]; then printf travis_fold":start:crashlog\n\033[31;1m%s\033[0m\n" "$CORE"; gdb --batch -q -c "$CORE" "$EXE" -iex 'set auto-load off' -iex 'dir src/' -iex 'set sysroot .' -ex bt -ex q; echo travis_fold":"end:crashlog; fi; done || true
travis_fold:end:after_failure.4
travis_fold:start:after_failure.5
travis_time:start:0346ae1c
travis_time:start:0346ae1c
$ cat ./obj/build/x86_64-unknown-linux-gnu/native/asan/build/lib/asan/clang_rt.asan-dynamic-i386.vers || true
cat: ./obj/build/x86_64-unknown-linux-gnu/native/asan/build/lib/asan/clang_rt.asan-dynamic-i386.vers: No such file or directory
travis_fold:end:after_failure.5
travis_fold:start:after_failure.6
travis_time:start:02283108
$ dmesg | grep -i kill

I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact @TimNN. (Feature Requests)

src/libstd/Cargo.toml Outdated Show resolved Hide resolved
@@ -482,7 +484,7 @@ impl Builder {
};

Ok(JoinHandle(JoinInner {
native: Some(imp::Thread::new(stack_size, Box::new(main))?),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@oliver-giersch I have now implemented my suggestion from #55132 here.

@jethrogb
Copy link
Contributor Author

cc @nathanawmk

@gnzlbg
Copy link
Contributor

gnzlbg commented Nov 19, 2018

The following parts of std are not supported and most operations will error when used:

No portable code written against libstd that uses these features will work on this target, and erroring at run-time is IMO the worst possible solution to this problem.

This is our fault for looking the other way to get wasm32 support, but we should fix that instead of making things worse by adding a whole spectrum of broken and incompatible versions of libstd to Rust.

src/libstd/thread/mod.rs Outdated Show resolved Hide resolved
@KodrAus
Copy link
Contributor

KodrAus commented Nov 19, 2018

No portable code written against libstd that uses these features will work on this target, and erroring at run-time is IMO the worst possible solution to this problem.

@gnzlbg Hmm, as far as I know we haven't really got an alternative solution right now, and I think short of rejecting any new implementations until we do at least keeping patchy libstd implementations consistent in how they're patchy could help us improve the situation across the board in the future.

r? @alexcrichton

@gnzlbg
Copy link
Contributor

gnzlbg commented Nov 20, 2018

Hmm, as far as I know we haven't really got an alternative solution right now,

All targets in this space solve this problem by just depending on libcore and/or liballoc. This approach has merged RFCs with consensus.

There is one single experimental unstable target (wasm32-unknown-unknown) for which we made a very big exception. For this target, we allow code code targeting libstd to compile successfully but break at run-time. This approach has no consensus, no eRFCs, no RFCs, and if we decide to pursue something else, the whole wasm32-unknown-unknown ecosystem will break and we have decided that this loss would be ok.

I think that adding more targets like wasm32-unknown-unknown before there is consensus about the overall direction is a very bad idea, in particular given how controversial this direction is.

So given that there are alternative solutions to this problem that work, are used successfully by many other similar targets, and that have consensus, why should we make an exception for this target ?


EDIT: FWIW I am semi-convinced that the approach being pursued by wasm32-unknown-unknown is not crazy, that it has chances to actually work properly, and even achieve consensus. But adding more targets and users to this approach is already painting us into a corner in which we cannot even discuss better technical solutions because that would already break too much code that accepted the risk of being broken.

@jethrogb
Copy link
Contributor Author

All targets in this space solve this problem by just depending on libcore and/or liballoc.

I'm not entirely sure what you mean by "this space". In any case, this is also not true. There are many targets in std right now that error (or worse, panic) when things are not supported. Redox, Fuchsia, CloudABI, WebAssembly, L4RE all do this.

So given that there are alternative solutions to this problem that work

There are no alternative solutions that work. Just providing core support is not an option.

Yes, once we have the portability lint and whatever has been proposed but never implemented in this space, we might be able to work on a different, more general, solution but that shouldn't prevent implementations of new targets in the mean time.

@gnzlbg
Copy link
Contributor

gnzlbg commented Nov 20, 2018

I'm not entirely sure what you mean by "this space".

The Redox, Fuchsia, etc. targets all plan to support full libstd at some point, they are just not there yet.

OTOH, wasm32-unknown-unknown probably won't be ever able to support most of libstd because per its target triple (!= wasm32-experimental-emscripten) it is completely independent of an OS of any kind. All other targets that do require a full-fledged OS provide either libcore only, or libcore+liballoc. wasm32-unknown-unknown is the exception here AFAIK.

Just providing core support is not an option.

I might have misunderstood you on chat and in the libc PR, but what I understood from your explanations there is that this target is just like wasm32-unknown-unknown target in that it will never have access to a full-fledged OS, and in that libstd support for this target cannot offer anything beyond libcore+liballoc. Did I understood that correctly? If I did, then why isn't libcore+liballoc enough? Otherwise, could you clarify what exactly this target will be able to do from libstd that it is not available in libcore+liballoc ?

Yes, once we have the portability lint and whatever has been proposed but never implemented in this space, we might be able to work on a different, more general, solution

The split of the standard library into libcore, liballoc, and libstd has been proposed, achieved consensus, merged, and implemented.

@jethrogb
Copy link
Contributor Author

jethrogb commented Nov 20, 2018

I might have misunderstood you on chat and in the libc PR, but what I understood from your explanations there is that this target is just like wasm32-unknown-unknown target in that it will never have access to a full-fledged OS, and in that libstd support for this target cannot offer anything beyond libcore+liballoc. Did I understood that correctly?

No. The libc situation is just like wasm. As mentioned in the initial post under “overview”, only std::fs, std::process, and std::net::UdpSocket are not supported, with some of those considered for future support under “future plans”. Crucially, networking (other than UDP), threading, synchronization primitives, time, etc. is all supported. You might have noticed this PR adds about 5000 lines. What do you think all that code is doing?

@gnzlbg
Copy link
Contributor

gnzlbg commented Nov 20, 2018

No. As mentioned in the initial post under “overview”, only std::fs, std::process, and std::net::UdpSocket are not supported, with some of those considered for future support under “future plans”. Crucially, networking (other than UDP), threading, synchronization primitives, time, etc. is all supported.

Then that explains why I was confused as hell on chat while I kept asking these questions and you kept answering that this target is just like wasm32-unknown-unknown. It isn't, not at all.

@jethrogb
Copy link
Contributor Author

Then that explains why I was confused as hell on chat while I kept asking these questions and you kept answering that this target is just like wasm32-unknown-unknown.

I'm sorry you were confused. I thought we were talking about libc, not std.

@gnzlbg
Copy link
Contributor

gnzlbg commented Nov 20, 2018

I'm sorry you were confused. I thought we were talking about libc, not std.

Yeah, no wonder we both got frustrated on chat, we were both talking about completely different things! Sorry about that!

Copy link
Member

@alexcrichton alexcrichton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is all looking pretty good to me! I didn't review any SGX-specific code too carefully, mostly just the integration points with the rest of the standard library.

src/libstd/Cargo.toml Outdated Show resolved Hide resolved
@@ -26,6 +26,7 @@ const fn done<T>() -> *mut Arc<T> { 1_usize as *mut _ }
unsafe impl<T> Sync for Lazy<T> {}

impl<T> Lazy<T> {
#[unstable(feature = "sys_internals", issue = "0")] // FIXME: min_const_fn
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed this cropping up in a few places for a few APIs, but how come this was necessary? (should be fine in any case, just curious)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think ultimately comes down to the various const fn new implementations in waitqueue.rs.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm ok, that seems suspicious but it seems fine anyway

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe someone with more experience with min_const_fn can suggest an alternative solution? @oli-obk ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can't call an unstable const fn from a stable one. You might be able to make all of the functions called from this one stable and then you won't need the unstable anymore. note that as of right now, you cannot call unsafe const fns from any const fn.

If you want, just merge the PR as is and open an issue about it and assign it to me

src/libstd/io/error.rs Show resolved Hide resolved
// Some platforms know that printing to stderr won't ever actually
// print anything, and if that's the case we can skip the default
// hook.
Hook::Default if stderr_prints_nothing() => {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe at the time this was added this was an optimization for wasm specifically in LTO mode to ensure that lots of panicking infrastructure csan be removed because in this case the payload is never actually used.

I haven't finished reading this patch yet, but it may be worthwhile running the wasm tests as they should in theory catch this if it's still a problem!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made sure the changes should have the same functionality, and I also checked that set_payload isn't really doing much so it's ok to do unconditionally. But yeah I suppose some form of LTO might no longer work.

The crux is that currently in this target, checking whether there is a panic output mechanism prevents future use of the same (it's an atomic “take”). I can think if there's another way to restructure all this tomorrow, but this was the best I could come up with a few months ago :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, with regards to this and #56066 (comment), I conflated two things a little bit.

In the SGX target, whether panicking can ever output anything at all is determined post-link time by setting/unsetting the DEBUG global flag. This is because panic message may contain sensitive information, so it's opt-in. This requirement leads to the function signature: fn panic_output() -> Option<PanicOutput>. Ideally having DEBUG = false leads to the same fast-path as wasm without a panic implementation.

The second requirement that leads to the "writer factory" in PanicOutput::Custom is that in this target the panic writer can only be constructed once.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I refactored this a bunch to use types instead of bare functions. I think it should be LTOable. Please take a look.

src/libstd/panicking.rs Outdated Show resolved Hide resolved
src/rustc/fortanix-sgx-abi_shim/Cargo.toml Outdated Show resolved Hide resolved
src/libstd/sys/sgx/abi/entry.S Show resolved Hide resolved
src/libstd/sys/sgx/abi/mod.rs Outdated Show resolved Hide resolved
src/libstd/sys/sgx/cmath.rs Outdated Show resolved Hide resolved
src/libstd/sys/sgx/rwlock.rs Show resolved Hide resolved
@rust-highfive
Copy link
Collaborator

Your PR failed on Travis (raw log). Through arcane magic we have determined that the following fragments from the build log may contain information about the problem.

Click to expand the log.
travis_time:end:04612227:start=1542790659604356140,finish=1542790717912816069,duration=58308459929
$ git checkout -qf FETCH_HEAD
travis_fold:end:git.checkout

Encrypted environment variables have been removed for security reasons.
See https://docs.travis-ci.com/user/pull-requests/#Pull-Requests-and-Security-Restrictions
$ export SCCACHE_BUCKET=rust-lang-ci-sccache2
$ export SCCACHE_REGION=us-west-1
Setting environment variables from .travis.yml
$ export IMAGE=x86_64-gnu-llvm-5.0
---
[00:00:55] Cloning into '/home/travis/build/rust-lang/rust/src/libcompiler_builtins/compiler-rt'...
[00:00:58] Cloning into '/home/travis/build/rust-lang/rust/src/libcompiler_builtins/libm'...
[00:00:59] Submodule path 'src/libcompiler_builtins/compiler-rt': checked out '7e387f0f90b493ae72930c787c381a80055a7ec9'
[00:00:59] Submodule path 'src/libcompiler_builtins/libm': checked out '3559e703795d33e84a91da2a35f2f3baac47e872'
[00:00:59] error: Server does not allow request for unadvertised object bc01bab69ad69606425b31c7fcca31c4d3479b22
[00:00:59] Fetched in submodule path 'src/liblibc', but it did not contain bc01bab69ad69606425b31c7fcca31c4d3479b22. Direct fetching of that commit failed.
[00:01:01] Cleared directory 'src/dlmalloc'
[00:01:01] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:01:01] Cleared directory 'src/doc/nomicon'
[00:01:01] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:01:01] Submodule path 'src/libbacktrace': checked out 'f4d02bbdbf8a2c5a31f0801dfef597a86caad9e3'
[00:01:01] Submodule path 'src/libcompiler_builtins': checked out 'e43c838450371008db60d552a586876855ba3d0d'
[00:01:01] Submodule path 'src/libcompiler_builtins/compiler-rt': checked out '7e387f0f90b493ae72930c787c381a80055a7ec9'
[00:01:01] Submodule path 'src/libcompiler_builtins/libm': checked out '3559e703795d33e84a91da2a35f2f3baac47e872'
[00:01:02] error: Server does not allow request for unadvertised object bc01bab69ad69606425b31c7fcca31c4d3479b22
[00:01:02] Fetched in submodule path 'src/liblibc', but it did not contain bc01bab69ad69606425b31c7fcca31c4d3479b22. Direct fetching of that commit failed.
[00:01:04] Cleared directory 'src/dlmalloc'
[00:01:04] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:01:04] Cleared directory 'src/doc/nomicon'
[00:01:04] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:01:05] Submodule path 'src/libbacktrace': checked out 'f4d02bbdbf8a2c5a31f0801dfef597a86caad9e3'
[00:01:05] Submodule path 'src/libcompiler_builtins': checked out 'e43c838450371008db60d552a586876855ba3d0d'
[00:01:05] Submodule path 'src/libcompiler_builtins/compiler-rt': checked out '7e387f0f90b493ae72930c787c381a80055a7ec9'
[00:01:05] Submodule path 'src/libcompiler_builtins/libm': checked out '3559e703795d33e84a91da2a35f2f3baac47e872'
[00:01:06] error: Server does not allow request for unadvertised object bc01bab69ad69606425b31c7fcca31c4d3479b22
[00:01:06] Fetched in submodule path 'src/liblibc', but it did not contain bc01bab69ad69606425b31c7fcca31c4d3479b22. Direct fetching of that commit failed.
[00:01:09] Cleared directory 'src/dlmalloc'
[00:01:09] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:01:09] Cleared directory 'src/doc/nomicon'
[00:01:09] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:01:10] Submodule path 'src/libbacktrace': checked out 'f4d02bbdbf8a2c5a31f0801dfef597a86caad9e3'
[00:01:10] Submodule path 'src/libcompiler_builtins': checked out 'e43c838450371008db60d552a586876855ba3d0d'
[00:01:10] Submodule path 'src/libcompiler_builtins/compiler-rt': checked out '7e387f0f90b493ae72930c787c381a80055a7ec9'
[00:01:10] Submodule path 'src/libcompiler_builtins/libm': checked out '3559e703795d33e84a91da2a35f2f3baac47e872'
[00:01:11] error: Server does not allow request for unadvertised object bc01bab69ad69606425b31c7fcca31c4d3479b22
[00:01:11] Fetched in submodule path 'src/liblibc', but it did not contain bc01bab69ad69606425b31c7fcca31c4d3479b22. Direct fetching of that commit failed.
[00:01:15] Cleared directory 'src/dlmalloc'
[00:01:15] Submodule 'src/dlmalloc' (https://github.com/alexcrichton/dlmalloc-rs.git) unregistered for path 'src/dlmalloc'
[00:01:15] Cleared directory 'src/doc/nomicon'
[00:01:15] Submodule 'src/doc/nomicon' (https://github.com/rust-lang-nursery/nomicon.git) unregistered for path 'src/doc/nomicon'
---
[00:01:15] Submodule path 'src/libbacktrace': checked out 'f4d02bbdbf8a2c5a31f0801dfef597a86caad9e3'
[00:01:15] Submodule path 'src/libcompiler_builtins': checked out 'e43c838450371008db60d552a586876855ba3d0d'
[00:01:16] Submodule path 'src/libcompiler_builtins/compiler-rt': checked out '7e387f0f90b493ae72930c787c381a80055a7ec9'
[00:01:16] Submodule path 'src/libcompiler_builtins/libm': checked out '3559e703795d33e84a91da2a35f2f3baac47e872'
[00:01:20] error: Server does not allow request for unadvertised object bc01bab69ad69606425b31c7fcca31c4d3479b22
[00:01:20] Fetched in submodule path 'src/liblibc', but it did not contain bc01bab69ad69606425b31c7fcca31c4d3479b22. Direct fetching of that commit failed.
travis_time:end:3a029c18:start=1542790727218738993,finish=1542790807304813607,duration=80086074614
The command "stamp sh -x -c "$RUN_SCRIPT"" exited with 1.
travis_time:start:119442ac
$ date && (curl -fs --head https://google.com | grep ^Date: | sed 's/Date: //g' || true)
---
travis_time:end:07357482:start=1542790807560892722,finish=1542790807567152185,duration=6259463
travis_fold:end:after_failure.3
travis_fold:start:after_failure.4
travis_time:start:06383b80
$ ln -s . checkout && for CORE in obj/cores/core.*; do EXE=$(echo $CORE | sed 's|obj/cores/core\.[0-9]*\.!checkout!\(.*\)|\1|;y|!|/|'); if [ -f "$EXE" ]; then printf travis_fold":start:crashlog\n\033[31;1m%s\033[0m\n" "$CORE"; gdb --batch -q -c "$CORE" "$EXE" -iex 'set auto-load off' -iex 'dir src/' -iex 'set sysroot .' -ex bt -ex q; echo travis_fold":"end:crashlog; fi; done || true
travis_fold:end:after_failure.4
travis_fold:start:after_failure.5
travis_time:start:0b2acb08
travis_time:start:0b2acb08
$ cat ./obj/build/x86_64-unknown-linux-gnu/native/asan/build/lib/asan/clang_rt.asan-dynamic-i386.vers || true
cat: ./obj/build/x86_64-unknown-linux-gnu/native/asan/build/lib/asan/clang_rt.asan-dynamic-i386.vers: No such file or directory
travis_fold:end:after_failure.5
travis_fold:start:after_failure.6
travis_time:start:16fade26
$ dmesg | grep -i kill

I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact @TimNN. (Feature Requests)

@jethrogb
Copy link
Contributor Author

jethrogb commented Dec 7, 2018

I don't understand this failure. Is there something special that needs to be done when adding submodules or adding shim crates?

@jethrogb
Copy link
Contributor Author

jethrogb commented Dec 7, 2018

I think this fixes it.

@bors r=alexcrichton

@bors
Copy link
Contributor

bors commented Dec 7, 2018

📌 Commit 7bea6a1 has been approved by alexcrichton

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Dec 7, 2018
@bors
Copy link
Contributor

bors commented Dec 7, 2018

⌛ Testing commit 7bea6a1 with merge 15a2607...

bors added a commit that referenced this pull request Dec 7, 2018
Add SGX target to std and dependencies

This PR adds tier 3 `std` support for the `x86_64-fortanix-unknown-sgx` target.

### Background

Intel Software Guard Extensions (SGX) is an instruction set extension for x86 that allows executing code in fully-isolated *secure enclaves*. These enclaves reside in the address space of a regular user process, but access to the enclave's address space from outside (by e.g. the OS or a hypervisor) is blocked.

From within such enclaves, there is no access to the operating system or hardware peripherals. In order to communicate with the outside world, enclaves require an untrusted “helper” program that runs as a normal user process.

SGX is **not** a sandboxing technology: code inside SGX has full access to all memory belonging to the process it is running in.

### Overview

The Fortanix SGX ABI (compiler target `x86_64-fortanix-unknown-sgx`) is an interface for Intel SGX enclaves. It is a small yet functional interface suitable for writing larger enclaves. In contrast to other enclave interfaces, this interface is primarly designed for running entire applications in an enclave. The interface has been under development since early 2016 and builds on Fortanix's significant experience running enclaves in production.

Also unlike other enclave interfaces, this is the only implementation of an enclave interface that is nearly pure-Rust (except for the entry point code).

A description of the ABI may be found at https://docs.rs/fortanix-sgx-abi/ and https://github.com/fortanix/rust-sgx/blob/master/doc/FORTANIX-SGX-ABI.md.

The following parts of `std` are not supported and most operations will error when used:

* `std::fs`
* `std::process`
* `std::net::UdpSocket`

### Future plans

A separate PR (#56067) will add the SGX target to the rust compiler. In the very near future, I expect to upgrade this target to tier 2.

This PR is just the initial support to make things mostly work. There will be more work coming in the future, for example to add interfaces to the native SGX primitives, implement unwinding, optimize usercalls.

UDP and some form of filesystem support may be added in the future, but process support seems unlikely given the platform's constraints.

### Testing build

1. Install [Xargo](https://github.com/japaric/xargo): `cargo install xargo`
2. Create a new Cargo project, for example: `cargo new --bin sgxtest`.
3. Put the following in a file `Xargo.toml` next to your `Cargo.toml`:

```toml
[target.x86_64-fortanix-unknown-sgx.dependencies.std]
git = "https://github.com/jethrogb/rust"
branch = "jb/sgx-target"
```

NB. This can be quite slow. Instead, you can have a local checkout of that branch and use `path = "/path/to/rust/src/libstd"` instead. Don't forget to checkout the submodules too!

4. Build:

```sh
xargo build --target x86_64-fortanix-unknown-sgx
```

### Testing execution

Execution is currently only supported on x86-64 Linux, but support for Windows is planned.

1. Install pre-requisites. In order to test execution, you'll need to have a CPU with Intel SGX support. SGX support needs to be enabled in the BIOS. You'll also need to install the SGX driver and Platform Software (PSW) from [Intel](https://01.org/intel-software-guard-extensions).

2. Install toolchain, executor:
```sh
cargo install sgxs-tools --version 0.6.0-rc1
cargo install fortanix-sgx-tools --version 0.1.0-rc1
```

3. Start the enclave:

```sh
ftxsgx-elf2sgxs target/x86_64-fortanix-unknown-sgx/debug/sgxtest --heap-size 0x20000 --ssaframesize 1 --stack-size 0x20000 --threads 1 --debug
sgxs-append -i target/x86_64-fortanix-unknown-sgx/debug/sgxtest.sgxs
ftxsgx-runner target/x86_64-fortanix-unknown-sgx/debug/sgxtest.sgxs
```
@bors
Copy link
Contributor

bors commented Dec 7, 2018

☀️ Test successful - status-appveyor, status-travis
Approved by: alexcrichton
Pushing 15a2607 to master...

@bors bors merged commit 7bea6a1 into rust-lang:master Dec 7, 2018
@rust-highfive
Copy link
Collaborator

📣 Toolstate changed by #56066!

Tested on commit 15a2607.
Direct link to PR: #56066

💔 clippy-driver on windows: test-pass → test-fail (cc @Manishearth @llogiq @mcarton @oli-obk, @rust-lang/infra).
💔 clippy-driver on linux: test-pass → test-fail (cc @Manishearth @llogiq @mcarton @oli-obk, @rust-lang/infra).

rust-highfive added a commit to rust-lang-nursery/rust-toolstate that referenced this pull request Dec 7, 2018
Tested on commit rust-lang/rust@15a2607.
Direct link to PR: <rust-lang/rust#56066>

💔 clippy-driver on windows: test-pass → test-fail (cc @Manishearth @llogiq @mcarton @oli-obk, @rust-lang/infra).
💔 clippy-driver on linux: test-pass → test-fail (cc @Manishearth @llogiq @mcarton @oli-obk, @rust-lang/infra).
jethrogb added a commit to jethrogb/rust-forge that referenced this pull request Dec 9, 2018
@workingjubilee workingjubilee added the O-SGX Target: SGX label Jul 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
O-SGX Target: SGX S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Development

Successfully merging this pull request may close these issues.