
Re: [MirageOS-devel] OCaml-TLS directly on Xen



On 17 Sep 2014, at 11:53, Hannes Mehnert <hannes@xxxxxxxxxxx> wrote:

> Hey,
> 
> I demonstrated that OCaml-TLS runs directly on Xen at the OCaml
> workshop. The port is still a bit hackish, thus I hope to get some
> feedback (esp. regarding what features (such as FORTIFY_SOURCE stack
> protection, and/or assert (should minios provide an assert_fail
> symbol?)) we want to compile our C code with, and how to upstream
> these changes properly).
> 
> I develop on a cubieboard2, where I pinned mirage
> (44bd28f862549aa1f149421c1e515bb3703e40d7), mirage-xen
> (0251870f14030315b00ffdd0cd0112d8788270a1) and tcpip
> (05148f900352eabaa615b60d5b2fb518f5518edd) to git HEAD (as well as
> x509/asn1-combinators/nocrypto/tls).
> 

Very nice indeed!

> Several libraries needed to be modified to run in the Xen environment:
> 
> minios
> ------
> 
> https://github.com/hannesm/xen/tree/tls-fixes
> some symbols are required for the various C libraries below, namely:
> abort (calling do_exit)

Adding this to MiniOS should be fine (waiting for Thomas Leonard to
return from vacation).

> __stack_chk_guard (being NULL)

Is this really essential -- it's inserted by the gcc stack smash
checker, isn't it?  Should be no harm in putting it into MiniOS, but
I'd prefer understanding if it'll cause problems if (e.g.) clang is
used to build the toolchain as well.

> fprintf/printf/stdout/stderr/fflush (for gmp and zarith)

I'd definitely prefer to have these in a separate 'nanolibc'
separate from MiniOS itself.  I believe James Bielman could also
use such a shim library to compile libselinux as well.

> 
> gmp (the GNU multi-precision arithmetic library)
> ------------------------------------------------
> 
> Configure (esp. config.guess) gets confused by an arm dualcore:
> http://berlin.ccc.de/~hannes/gmp-6a.diff fixes this.
> 
> I used the following CFLAGS:
> export CFLAGS="-marm -O2 -pedantic -fomit-frame-pointer -fno-builtin -D_FORTIFY_SOURCE=0"
> ./configure
> make

This is possibly worth folding in to be compiled statically
(as a separate library) in the mirage-minios-xen repository
(which is turning into our aggregation-of-libraries-repo).

> 
> zarith
> ------
> 
> Due to subtle differences of GNU libm and openlibm (esp. isinf/isnan are
> rewritten in the GNU version to __isinf/__isnan), I modified caml_z.c
> to #include <openlibm.h> instead of <math.h> (should openlibm instead
> install its header file as math.h!?)
> 
> Patch at http://berlin.ccc.de/~hannes/zarith.diff
> 
> I additionally pointed zarith to my custom gmp library:
> export CPPFLAGS="-I/home/mirage/gmp-6.0.0.orig -I/home/mirage/.opam/system/include"
> export LDFLAGS="-L/home/mirage/gmp-6.0.0.orig/.libs"
> 
> (the previously mentioned CFLAGS are also still active!)

Deferring to Thomas on this one...

> 
> ctypes (0.3.3)
> --------------
> 
> nocrypto (from git) depends on ctypes, which needed some CFLAGS (to
> avoid assert_fail being called (-DNDEBUG), sscanf being translated to
> __isoc99_sscanf (-D_GNU_SOURCE)), patch
> http://berlin.ccc.de/~hannes/ctypes.diff
> 

This definition of GNU_SOURCE worries me -- is it happening because
of a mismatch of header files somewhere in the compilation of the C
library?  It shouldn't be necessary to define it in the normal course
of operation of ctypes.

> nocrypto
> --------
> 
> https://github.com/mirleft/ocaml-nocrypto/tree/xen-fixes (adds -DNDEBUG)

Likewise, we should be able to define assert_fail in MiniOS I think,
as this is a fairly widely used header defined in SUS.

> tls
> ---
> 
> https://github.com/mirleft/ocaml-tls/tree/xen-fixes (use Io_page
> aligned cstructs before transmitting)

Misaligned Cstructs strike again... :-)

> 
> 
> Once these libraries are patched, the minimum TLS server
> https://github.com/mirleft/tls-mvp-server/tree/fixes works (with
> export NET="direct" and s/-unix/-xen/ (mirage-clock-xen,
> mirage-entropy-xen) in config.ml), and some minor modifications to the
> Makefile to link in the right gmp/minios/...

Awesome!  Thomas Gazagnaire is looking at the Conduit patches right
now, which should provide the right place to hook the TLS stack into
Cohttp and friends.

-anil

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
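The thread above turns on which libc symbols each C library (gmp, zarith, ctypes) pulls in when linked against MiniOS, and whether each should be stubbed in MiniOS itself or in a separate 'nanolibc'. As an added example (not code from the thread, from MiniOS or from Mirage), here is a small Python audit that parses `nm -u` output for a library archive and `nm --defined-only` output for the kernel, lists what remains unresolved, and flags the symbols that point to a build-flag or header mismatch rather than a missing function. `__stack_chk_guard` is the one to watch: it is the canary that gcc's stack protector compares against, so a constant guard (NULL included) can be read out of the binary and leaves the check with nothing to defend. The provider tables, the hint texts and the sample nm output are constructed assumptions for the example.

```python
"""Link-time symbol audit for C libraries being ported onto MiniOS.

Added example, not code from the thread, MiniOS or Mirage. It reads the
undefined symbols of a library archive (`nm -u libfoo.a`) and the symbols
the kernel exports (`nm --defined-only mini-os`), reports what remains
unresolved, and says where each missing symbol would have to come from.
The provider tables and the sample nm output below are constructed
assumptions for illustration.
"""
import re
import subprocess
from typing import Dict, Iterable, Set

# Symbols the thread proposes MiniOS itself should export (assumption:
# __stack_chk_fail, the companion of __stack_chk_guard, is included too).
KERNEL_SYMBOLS = {"abort", "do_exit", "__assert_fail", "__stack_chk_fail"}

# Stdio symbols the thread proposes to move into a separate 'nanolibc' shim.
NANOLIBC_SYMBOLS = {"fprintf", "printf", "stdout", "stderr", "fflush", "sscanf"}

# Symbols whose presence signals a build-flag or header mismatch; the right
# fix is a compiler flag or a consistent header, not a stub returning NULL.
FLAG_HINTS = {
    "__stack_chk_guard": ("canary read by gcc -fstack-protector code; a constant "
                          "guard can be read from the binary and defends nothing, so "
                          "set it from an unpredictable boot-time value or build with "
                          "-fno-stack-protector"),
    "__isoc99_sscanf": ("glibc header redirect of sscanf; look for a header "
                        "mismatch before reaching for -D_GNU_SOURCE"),
    "__isinf": "GNU libm macro for isinf; include the openlibm header consistently",
    "__isnan": "GNU libm macro for isnan; include the openlibm header consistently",
}

# One nm line: optional hex address, a type letter, then the symbol name.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")


def parse_nm(text: str) -> Dict[str, Set[str]]:
    """Return {type_letter: {symbol names}} from nm output.

    Object-file headers ('foo.o:') and blank lines are skipped.
    """
    table: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        m = NM_LINE.match(line)
        if m:
            table.setdefault(m.group(1), set()).add(m.group(2))
    return table


def run_nm(path: str, *flags: str) -> str:
    """Invoke the real nm on a file; the offline demo below does not need it."""
    return subprocess.run(["nm", *flags, path], check=True,
                          capture_output=True, text=True).stdout


def unresolved(library_nm: str, kernel_nm: str) -> Set[str]:
    """Undefined symbols of the library that the kernel does not define."""
    needed = parse_nm(library_nm).get("U", set())
    provided: Set[str] = set()
    for letter, names in parse_nm(kernel_nm).items():
        if letter != "U":
            provided |= names
    return needed - provided


def classify(missing: Iterable[str]) -> Dict[str, str]:
    """Map each unresolved symbol to the place it should come from."""
    report: Dict[str, str] = {}
    for sym in sorted(missing):
        if sym in FLAG_HINTS:
            report[sym] = "build flag: " + FLAG_HINTS[sym]
        elif sym in NANOLIBC_SYMBOLS:
            report[sym] = "nanolibc shim"
        elif sym in KERNEL_SYMBOLS:
            report[sym] = "minios"
        else:
            report[sym] = "unknown: read the caller before adding any stub"
    return report


# Constructed sample output, shaped like `nm -u libgmp.a` on an ARM build.
SAMPLE_LIBGMP_NM = """\
mpn_add.o:
                 U __stack_chk_guard
                 U abort

doprnt.o:
                 U fprintf
                 U stdout
                 U fflush
"""

# Constructed sample output, shaped like `nm --defined-only mini-os`.
SAMPLE_MINIOS_NM = """\
0000000000001000 T abort
0000000000002000 T do_exit
0000000000003000 T printk
"""


def audit(library_nm: str = SAMPLE_LIBGMP_NM,
          kernel_nm: str = SAMPLE_MINIOS_NM) -> Dict[str, str]:
    """Full audit over two nm dumps; returns symbol -> recommended provider."""
    return classify(unresolved(library_nm, kernel_nm))


if __name__ == "__main__":
    for sym, where in audit().items():
        print(f"{sym:20} {where}")
```

On the sample data the audit reports `abort` as satisfied by the kernel, `fprintf`, `stdout` and `fflush` as candidates for the nanolibc shim, and `__stack_chk_guard` as a build-flag question rather than a symbol to stub. Running it on real archives means replacing the two samples with `run_nm("libgmp.a", "-u")` and `run_nm("mini-os", "--defined-only")`.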

