nix: pass compiler args #4

Open
sbellem opened this issue Mar 5, 2022 · 0 comments
sbellem commented Mar 5, 2022

As per https://github.com/fortanix/rust-sgx/tree/master/em-app, to build for SGX, some compiler flags are passed:

export CFLAGS_x86_64_fortanix_unknown_sgx="-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening"
export CC_x86_64_fortanix_unknown_sgx=clang-11

cargo build --target=x86_64-fortanix-unknown-sgx --locked

It's also what the CI does, as defined under the oasis-sdk/.github/actions/hash-rust/action.yml.

Related/background: rust-lang/llvm-project#58

UPDATE
Added the options in

cipher-paratime/flake.nix, lines 86 to 101 in b01c667:

# TODO: Make sure it's ok to drop "-isystem/usr/include/x86_64-linux-gnu"
#
# See nixpkgs manual sect 6.8
#
# 6.8. Purity in Nixpkgs
# Measures taken to prevent dependencies on packages outside the
# store, and what you can do to prevent them.
#
# GCC doesn’t search in locations such as /usr/include. In fact,
# attempts to add such directories through the -I flag are
# filtered out. Likewise, the linker (from GNU binutils) doesn’t
# search in standard locations such as /usr/lib. Programs built on
# Linux are linked against a GNU C Library that likewise doesn’t
# search in the default system locations.
CFLAGS_X86_64_FORTANIX_UNKNOWN_SGX = "-mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening";
CC_X86_64_FORTANIX_UNKNOWN_SGX = clang_11;

Except for the CFLAGS option -isystem/usr/include/x86_64-linux-gnu. As noted in the TODO comment in the code snippet above, section 6.8, Purity in Nixpkgs, of the Nixpkgs (21.11) Manual states:

Measures taken to prevent dependencies on packages outside the store, and what you can do to prevent them.

GCC doesn’t search in locations such as /usr/include. In fact, attempts to add such directories through the -I flag are filtered out. Likewise, the linker (from GNU binutils) doesn’t search in standard locations such as /usr/lib. Programs built on Linux are linked against a GNU C Library that likewise doesn’t search in the default system locations.

So, maybe it's fine to omit the option -isystem/usr/include/x86_64-linux-gnu entirely, since it would be ignored anyway, or should it be replaced with the appropriate location under /nix/store/...?
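As an added illustration, not code from cipher-paratime or the Fortanix project, here is a minimal flake devShell that exports the two variables under the names cc-rs looks up (CFLAGS_/CC_ followed by the target triple with dashes replaced by underscores, lower case, as in the Fortanix instructions) and keeps every path inside the store. The nixpkgs 21.11 input and the use of glibc.dev's include directory as the in-store stand-in for /usr/include/x86_64-linux-gnu are assumptions.

```nix
{
  description = "Example devShell for the x86_64-fortanix-unknown-sgx target";

  # Assumption: nixpkgs 21.11, matching the manual section quoted in the issue.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};

      # LVI mitigations required for the Fortanix SGX target. They reference no
      # path outside the store, so the cc wrapper's purity filter leaves them alone.
      lviFlags = "-mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening";

      # Assumed in-store replacement for /usr/include/x86_64-linux-gnu. Leave this
      # out if the build turns out not to need the system C headers.
      sysHeaders = "-isystem${pkgs.glibc.dev}/include";
    in {
      devShells.${system}.default = pkgs.mkShell {
        nativeBuildInputs = [ pkgs.clang_11 pkgs.cargo pkgs.rustc ];

        # mkShell exports plain attributes as environment variables, so these
        # reach cargo and the cc crate unchanged. The names must be lower case:
        # cc-rs derives them from the target triple, not from an upper-cased form.
        CFLAGS_x86_64_fortanix_unknown_sgx = "${sysHeaders} ${lviFlags}";

        # A bare derivation would expand to its output directory; cc-rs needs the
        # path of the compiler executable itself.
        CC_x86_64_fortanix_unknown_sgx = "${pkgs.clang_11}/bin/clang";

        shellHook = ''
          echo "cargo build --target=x86_64-fortanix-unknown-sgx --locked"
        '';
      };
    };
}
```

Running `nix develop` and then `env | grep fortanix` shows exactly which values cargo will see, which makes it easy to confirm that no /usr path survives into the build.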
