-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always set the RDRAND and RDSEED features on SGX #56710
Conversation
r? @estebank (rust_highfive has picked a reviewer for you, use r? to override) |
Actually, I'm not sure if this is the correct way to set this. This parameter seems to go directly into LLVM, but I also want to trigger |
The job Click to expand the log.
I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact |
I think this is the right place to configure, but a plus sign may be needed in front as it's llvm syntax |
d889b22
to
5acab2d
Compare
Yes, that's it, thanks. |
r? @alexcrichton you are probably better suited to approve this :) |
@bors: r+ rollup |
📌 Commit 5acab2d has been approved by |
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
…alexcrichton Always set the RDRAND and RDSEED features on SGX Not sure if this is 100% correct. This [Intel article](https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-5-enclave-development) goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked. I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake). cc @briansmith
Rollup of 7 pull requests Successful merges: - #56677 (#[must_use] on traits in stdlib) - #56679 (overhaul external doc attribute diagnostics) - #56682 (Update the stdsimd submodule) - #56691 (fix install broken link) - #56710 (Always set the RDRAND and RDSEED features on SGX) - #56713 (Test capacity of ZST vector) - #56841 (Add some unit tests to compiletest) Failed merges: r? @ghost
Not sure if this is 100% correct.
This Intel article goes in great depth regarding using (untrusted) CPUID to see whether RDRAND/RDSEED is supported, and explains what happens to the enclave if the CPUID result is faked.
I'd say that an implementation of SGX that doesn't make RDRAND available to the enclave is so severely limited/broken that it's ok if you get #UD in that case. The case is less clear for RDSEED, but it so far every processor released by Intel with SGX support also has RDSEED (including Gemini Lake).
cc @briansmith