New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mbedtls: cmake&ninja, threading, clean-up; hiawatha: options, Nix mbedtls #41722
Conversation
Let's discuss what to do more.
To configure CMake for building shared libraries, use:
There are many different build modes available within the CMake buildsystem. Most of them are available for gcc and clang, though some are compiler-specific:
|
Tests Mbed TLS includes an elaborate test suite in tests/ that initially requires Perl to generate the tests files (e.g. test_suite_mpi.c). These files are generated from a function file (e.g. suites/test_suite_mpi.function) and a data file (e.g. suites/test_suite_mpi.data). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function. For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, additional test scripts are available:
|
Both |
And all other options are there. |
Configure script keys: |
|
Looks something like this. CMake build works great on Linux. Please launch macOS build. |
Calling maintainer @fpletz. Hello! |
@jtojnar. |
@GrahamcOfBorg build mbedtls |
Success on aarch64-linux (full log) Attempted: mbedtls Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: mbedtls Partial log (click to expand)
|
Success on x86_64-darwin (full log) Attempted: mbedtls Partial log (click to expand)
|
@@ -7,7 +7,7 @@ | |||
, libxslt | |||
, libxml2 | |||
|
|||
, enableSSL ? true | |||
, enableSystemTls ? true, mbedtls ? null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should always use system TLS, if we build with TLS support.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
System-wide thread-able dynamic library - makes it a less secure variant to bundled library.
Through threading process in some cases some information can be shared, or gathered.
https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
That is why I made this switch. For truly paranoid people to crank-up the security more.
Sigh. Of course, everything always has some security explanation.
P.S.
As this is secure server - I enabled TLS by default.
Case when TLS would not be needed, but secure server needed - is possible, but probably not a spread case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can imagine encryption to be disabled on embedded devices or local server in protected network.
Using bundled libraries is inherently less secure than using the system one. Nixpkgs maintainers can apply security fixes and update the library globally, long before hiawatha or other consumer updates. As for the link, I think it refers to memory safety (as usual with shared memory and concurrency), different applications would use different memory ranges.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. I also understood words as they are about parallel threads in one application can indirectly disclose some information to one another.
I would change comment notes.
As they are elementary, I implemented all Hiawatha build switches at this point. That looks like not too superfluous.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is the case, it really would not matter when system library is used. The threads will use the same library in either case.
]; | ||
|
||
postInstall = stdenv.lib.optionalString stdenv.isDarwin '' | ||
install_name_tool -change libmbedcrypto.dylib $out/lib/libmbedcrypto.dylib $out/lib/libmbedtls.dylib |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly ask the author of these lines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Mic92 Good day!
Long story short.
I migrate mbed TLS to officially supported CMake.
Mostly Linux and Mac builds seems to be clean.
Please say your toughs on these changes that undo also positInstalls
from commit.
I can not find way to text macOS, or get a bundle of builded by bot /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0
to investigate.
So, please say your thoughts on these changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the fixes are there primarily for the consumers of the library
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did not add these lines.
Are those required? @mnacamura
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My addition was the DLEXT=dylib
part only. If extension is .so
, some programs cannot find library on darwin. So I added it.
The contents of postInstall
was I think added in #20940.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But the build by cmake seems to do it correctly without these lines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Summary: We decided that this clean-up of code is legitimate, so it stays.
( if enableCache then "-DENABLE_CACHE=on" else "-DENABLE_CACHE=off" ) | ||
( if enableIpV6 then "-DENABLE_IPV6=on" else "-DENABLE_IPV6=off" ) | ||
( if enableTls then "-DENABLE_TLS=on" else "-DENABLE_TLS=off" ) | ||
( if enableSystemTls then "-DUSE_SYSTEM_MBEDTLS=on" else "-DUSE_SYSTEM_MBEDTLS=off" ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding it again because it was collapsed by GitHub, we should always build with system libraries.
@GrahamcOfBorg build mbedtls |
Failure on x86_64-linux (full log) Partial log (click to expand)
|
@GrahamcOfBorg build hiawatha |
Failure on x86_64-linux (full log) Partial log (click to expand)
|
Failure on x86_64-darwin (full log) Partial log (click to expand)
|
Failure on x86_64-darwin (full log) Partial log (click to expand)
|
Failure on aarch64-linux (full log) Partial log (click to expand)
|
Failure on aarch64-linux (full log) Partial log (click to expand)
|
f23a7a2
to
f241a5f
Compare
@Mic92 |
@GrahamcOfBorg build hiawatha |
@Anton-Latukha you can also ask for ofborg access here: NixOS/ofborg#173 |
Success on aarch64-linux (full log) Attempted: hiawatha Partial log (click to expand)
|
Success on x86_64-darwin (full log) Attempted: hiawatha Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: hiawatha Partial log (click to expand)
|
…dtls (NixOS#41722) * mbedtls: build with cmake&ninja, clean-up * mbedtls: cmake ninja Darwin build clean-up * hiawatha: add build options, use system mbedTLS, platforms -> unix
Motivation for this change
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)