ci: allow passing setup code to hash-rust #993
Codecov Report
@@ Coverage Diff @@
## main #993 +/- ##
===========================================
- Coverage 67.94% 26.23% -41.71%
===========================================
Files 127 24 -103
Lines 10304 1635 -8669
===========================================
- Hits 7001 429 -6572
+ Misses 3278 1181 -2097
Partials 25 25
1e3913a to b4f3349
.github/actions/hash-rust/action.yml
Outdated
| TARGET="x86_64-fortanix-unknown-sgx" | ||
| export CARGO_TARGET_DIR="$CARGO_TARGET_ROOT/sgx" | ||
| export CFLAGS_x86_64_fortanix_unknown_sgx="-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening" | ||
| export CFLAGS_x86_64_fortanix_unknown_sgx="-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening -fstack-protector-all" |
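Review bot: The second CFLAGS_x86_64_fortanix_unknown_sgx line appends -fstack-protector-all with no comment saying why the SGX target needs it. This variable sets the C flags for every C source compiled for x86_64-fortanix-unknown-sgx, so the flag reaches further than whichever dependency prompted it. Add a comment next to the export stating the reason, and confirm that a binary built with the flag actually runs on this target before keeping it.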
Why the -fstack-protector-all? This will not work because the Fortanix ABI currently sets FS and GS bases to the same value and the stack protector assumes the canary value is at FS:0x28, but with the Fortanix ABI that contains a copy of RSP. This causes stuff to crash due to canary mismatch.
I just want to get something to insert the __stack_check_guard. I believe that it's inserted into the code generated by ring (it would be ring), and isn't defined by LLVM during the top-level build likely because the global is the old way of doing things.
I put in oasisprotocol/sapphire-paratime@866b1fd#diff-8383ec3e7666578793741ef1253328c1dc4bd0e3012176816493eb57e6d81773R10-R15, but I'm not sure if that works now. Have you seen this error before?
= note: rust-lld: error: undefined symbol: __stack_chk_guard
>>> referenced by curve25519.c:476 (crypto/curve25519/curve25519.c:476)
>>> curve25519.o:(GFp_x25519_ge_frombytes_vartime) in archive /tmp/rustc0BgQWN/libring-34fe96515ca24ea8.rlib
>>> referenced by curve25519.c:0 (crypto/curve25519/curve25519.c:0)
>>> curve25519.o:(GFp_x25519_ge_frombytes_vartime) in archive /tmp/rustc0BgQWN/libring-34fe96515ca24ea8.rlib
>>> referenced by curve25519.c:782 (crypto/curve25519/curve25519.c:782)
>>> curve25519.o:(GFp_x25519_ge_scalarmult_base) in archive /tmp/rustc0BgQWN/libring-34fe96515ca24ea8.rlib
>>> referenced 14 more times
Maybe what I need is -mstack-protector-guard=global, but then that would require -fstack-protector, which is not permitted? Hm.
Regular ring doesn't work with SGX and the upstream author explicitly refuses to merge support for it despite other people implementing everything, for (IMO) stupid reasons. This is why we also got rid of ring everywhere. Why do you need ring anyway?
I'm using a ring fork that I've confirmed works. It's not used by the runtime, but it's used by a workspace dependency. I didn't want to use a workspace, but basically all of the GH tooling requires it.
b9d56dd to 0b2d4ff
But the build happens in a Docker container so whatever actions do shouldn't matter? The Docker image specifically uses the same Rust toolchain version as the SDK. We are planning on bumping that version btw.
39f3cc3 to 0b2d4ff
The Rust action is in the sapphire-paratime repo and uses the
Generally, it'd be nice to be able to install packages 'n stuff into the container for paratimes that want to benefit from it.
0b2d4ff to 27eefd0
For me, this is to allow rustup target add x86_64-fortanix-unknown-sgx before building, as I cannot have a rust-toolchain.toml auto-install it because actions-rs does not support it.