Closed binxing closed 1 year ago
Team has agreed on the proposal. Task list created.
Hi @xiangquanliu and @billionairiam, I made a mistake in the opening comment about PIE. Probably I wasn't using the latest rustc. It turns out GCC has this relatively newer option `-static-pie` that embeds relocation logic in the executable's startup code, so PIEs created with `-static-pie` do NOT require a dynamic loader. And it seems the latest rust-1.72.0 makes use of that option, hence `-Crelocation-model=static` is unnecessary and in fact breaks the build. The opening comment has been updated and I'll update `acond`'s README soon.
This issue captures/discusses options for building `acond` to achieve:

## Minimal TCB Size

The objective is to achieve a minimal initrd image but NOT a minimal `acond` binary. Generally, static linking yields a smaller `acond` binary because unused functions from standard libraries (e.g., libc, libssl, etc.) are left out. But the user may copy additional executables into initrd for functionalities like disk encryption or SSH support, and in those cases dynamic linking may reduce the overall size by sharing common libraries among all the executables.

## Linking `acond` Statically

The size of libc affects `acond` binary size significantly. musl-libc is famous for its small size (when compared with glibc) so is preferred.

The easiest way to build `acond` as a static executable is to build it on a musl based Linux distro like Alpine, using Rust target `x86_64-unknown-linux-musl`.

Please note `rustc` generates statically linked PIE (Position Independent Executable) on musl target by default. PIEs must be relocated before being executed, hence `acond` by default still requires the dynamic linker (which is the musl libc shared object) to run. The flag `-Crelocation-model=static` instructs `rustc` to create the executable with a fixed base address to avoid depending on the dynamic linker.

## Linking `acond` Dynamically

The command below links `acond` to the system libraries dynamically. The flag `-Ctarget-feature=-crt-static` is necessary on musl targets where static linking is the default.

## FIPS Compliance

OpenSSL is undergoing the certification process and is likely to be the first crypto library to receive FIPS 140-3 certificates. OpenSSL is certifying its FIPS module (`fips.so`), meaning any application must use the FIPS module as-is to stay compliant with FIPS, and that implies dynamic linking.

OpenSSL is only validated on Ubuntu and Debian distros, so a FIPS compliant `acond` must be built on Ubuntu/Debian.

## Reproducible Build

`nix` seems to be the solution at first glance. However, it provides only a glibc based OpenSSL build (i.e., no musl based OpenSSL) in its repo, without static OpenSSL libs. With that said, the only choice on `nix` is to dynamically link to glibc, and that makes initrd much bigger. It also lacks FIPS support.

An alternative is the rust container, which has a tag for every rust release on every supported Linux distro. Builds seem reproducible for `acond` source. Please note such reproducibility is incomplete as it cannot prove the external libs (libc and OpenSSL libs) were built from a particular source. We will have to rely on the Linux distro for reproducibility of those libs.

## Conclusion/Proposal

Both static and dynamic linking should be supported.

- `rust:alpine` container for small TCB builds. Both static and dynamic linking support are needed.
  - `rust:1.72.0-alpine3.18`.
  - `musl-dev`, `openssl-dev`, `openssl-libs-static`, and `protobuf-dev`) for each ACON release.
- `rust:slim` container for FIPS builds. Only dynamic linking support is needed.
  - `rust:1.72.0-bookworm`.

## Tasks

- `rust:alpine` and dynamic linking on `rust:slim`) in CI/CD.
- `acond`'s `Makefile` and `README.md` to describe the above processes.
- @binxing - Create a script to capture exact versions of .deb packages on Debian - Tracked by a separate issue (#4) as FIPS support is out of scope for the upcoming release.