diff --git a/default.nix b/default.nix new file mode 100644 index 000000000..776d58bcf --- /dev/null +++ b/default.nix @@ -0,0 +1,28 @@ +let + sources = import ./npins; + profiles = import ./profiles.nix; + overlays.debug = import ./nix/overlays { + inherit sources; + env = profiles.debug; + }; + overlays.release = import ./nix/overlays { + inherit sources; + env = profiles.release; + }; + pkgs.debug = import sources.nixpkgs { + overlays = [ + overlays.debug.dataplane + ]; + }; + pkgs.release = import sources.nixpkgs { + overlays = [ + overlays.release.dataplane + ]; + }; +in +{ + +}: +{ + inherit sources pkgs; +} diff --git a/nix/overlays/dataplane.nix b/nix/overlays/dataplane.nix new file mode 100644 index 000000000..3487cba14 --- /dev/null +++ b/nix/overlays/dataplane.nix @@ -0,0 +1,179 @@ +{ + sources, + env ? { }, +}: +final: prev: +let + helpers.addToEnv = + add: orig: + orig + // ( + with builtins; (mapAttrs (var: val: (toString (orig.${var} or "")) + " " + (toString val)) add) + ); + adapt = final.stdenvAdapters; + bintools = final.buildPackages.llvmPackages.bintools; + lld = final.buildPackages.llvmPackages.lld; + stdenv-llvm = adapt.addAttrsToDerivation (orig: { + doCheck = false; + nativeBuildInputs = (orig.nativeBuildInputs or [ ]) ++ [ + bintools + lld + ]; + }) (adapt.makeStaticLibraries final.buildPackages.llvmPackages.stdenv); + stdenv-llvm-with-flags = adapt.addAttrsToDerivation (orig: { + env = helpers.addToEnv env (orig.env or { }); + }) stdenv-llvm; + dataplane-dep = pkg: pkg.override { stdenv = stdenv-llvm-with-flags; }; +in +{ + # Don't bother adapting ethtool or iproute2's build to our custom flags / env. Failure to null this can trigger + # _massive_ builds because ethtool depends on libnl (et al), and we _do_ overlay libnl. Thus, the ethtool / iproute2 + # get rebuilt and you end up rebuilding the whole world. + # + # To be clear, we can still use ethtool / iproute2 if we want, we just don't need to optimize / lto it. + # If you want to include ethtool / iproute2, I recommend just cutting another small overlay and static linking them. + # Alternatively, you could skip that and just ship the default build of ethtool. + ethtool = null; + iproute2 = null; + + # These are only used in docs and can make our build explode in size if we let any of this rebuild in this overlay. + # It is much easier to just not build docs in this overlay. We don't care if the build depends on pandoc per se, but + # you will regret the need to rebuild ghc :shrug: + gd = null; + graphviz = null; + mscgen = null; + pandoc = null; + + # We should avoid accepting anything in our dpdk + friends pkgs which depends on udev / systemd; our deploy won't + # support any such mechanisms. + # + # Usually this type of dependency takes the form of udev rules / systemd service files being generated (which is no + # problem). That said, builds which hard and fast depend on systemd or udev are very suspicious in this context, so + # exceptions to this removal should be granted with care and some level of prejudice. At minimum, such exceptions + # tend to make it hard to cross compile which is an important test case for our sysroot. + systemd = null; + udev = null; + udevCheckHook = null; + + # libmd is used by libbsd (et al) which is an optional dependency of dpdk. + # + # We _might_ actually care about perf here, so we lto this package. + # At minimum, the provided functions are generally quite small and likely to benefit from inlining, so static linking + # is a solid plan. + libmd = (dataplane-dep prev.libmd).overrideAttrs (orig: { + outputs = (orig.outputs or [ "out" ]) ++ [ "static" ]; + # we need to enable shared libs (in addition to static) to make dpdk's build happy. Basically, DPDK's build has no + # means of disabling shared libraries, and it doesn't really make any sense to static link this into each .so + # file. Ideally we would just _not_ build those .so files, but that would require doing brain surgery on dpdk's + # meson build, and maintaining such a change set is not worth it to avoid building some .so files. + configureFlags = (orig.configureFlags or [ ]) ++ [ + "--enable-shared" + ]; + postInstall = (orig.postInstall or "") + '' + mkdir -p "$static/lib"; + mv $out/lib/*.a $static/lib; + ''; + }); + + # This is a (technically optional) dependency of DPDK used for secure string manipulation and some hashes we value; + # static link + lto for sure. + # + # This is also a reasonably important target for `-fsanitize=cfi` and or `-fsanitize=safe-stack` as libbsd provides + # more secure versions of classic C string manipulation utilities, and I'm all about that defense-in-depth. + libbsd = (dataplane-dep prev.libbsd).overrideAttrs (orig: { + outputs = (orig.outputs or [ "out" ]) ++ [ "static" ]; + # we need to enable shared (in addition to static) to build dpdk. + # See the note on libmd for reasoning. + configureFlags = orig.configureFlags ++ [ + "--enable-shared" + ]; + postInstall = (orig.postInstall or "") + '' + mkdir -p "$static/lib"; + mv $out/lib/*.a $static/lib; + ''; + }); + + # This is (for better or worse) used by dpdk to parse / manipulate netlink messages. + # + # We don't care about performance here, so this may be a good candidate for size reduction compiler flags like -Os. + # + # That said, we don't currently have infrastructure to pass flags at a per package level and building that is more + # trouble than a minor reduction in binary size / instruction cache pressure is likely worth. Also, lto doesn't + # currently love size optimizations. The better option is likely to use PGO + BOLT to put these functions far away + # from the hot path in the final ELF file's layout and just ignore that this stuff is compiled with -O3 and friends. + # + # More, this is a very low level library designed to send messages between a privileged process and the kernel. + # The simple fact that this appears in our toolchain justifies sanitizers like safe-stack and cfi and/or flags like + # -fcf-protection=full. + libnl = dataplane-dep prev.libnl; + + # This is needed by DPDK in order to determine which pinned core runs on which numa node and which NIC is most + # efficiently connected to which NUMA node. You can disable the need for this library entirely by editing dpdk's + # build to specify `-Dmax_numa_nodes=1`. + # + # While we don't currently hide NUMA mechanics from DPDK, there is something to be said for eliminating this library + # from our toolchain as a fair level of permissions and a lot of different low level trickery is required to make it + # function. In "the glorious future" we should bump all of this logic up to the dataplane's init process, compute + # what we need to, pre-mmap _all_ of our heap memory, configure our cgroups and CPU affinities, and then pin our cores + # and use memory pools local to the numa node of the pinned core. That would be a fair amount of work, but it would + # liminate a fairly large dependency and likely increase the performance and security of the dataplane. + # + # For now, we leave this on so DPDK can do some of that for us. That said, this logic is quite cold and would ideally + # be size optimized and punted far from all hot paths. BOLT should be helpful here. + numactl = (dataplane-dep prev.numactl).overrideAttrs (orig: { + outputs = (prev.lib.lists.remove "man" orig.outputs) ++ [ "static" ]; + # we need to enable shared (in addition to static) to build dpdk. + # See the note on libmd for reasoning. + configureFlags = (orig.configureFlags or [ ]) ++ [ + "--enable-shared" # dpdk does not like to build its .so files if we don't build numa.so as well + ]; + postInstall = (orig.postInstall or "") + '' + mkdir -p "$static/lib"; + mv $out/lib/*.a $static/lib; + ''; + }); + + # This is one of the two most important to optimize components of the whole build (along with dpdk itself). + # + # RDMA-core is the low level building block for many of the PMDs within DPDK including the mlx5 PMD. It is a + # performance and security critical library which we will likely never be able to remove from our dependencies. + # + # Some of this library is almost always called in a very tight loop, especially as used by DPDK PMDs. It is happy to + # link dynamically or statically, and we should make a strong effort to make sure that we always pick static linking + # to enable inlining (wherever the compiler decides it makes sense). You very likely want to enable lto here in any + # release build. + rdma-core = (dataplane-dep prev.rdma-core).overrideAttrs (orig: { + version = sources.rdma-core.branch; + src = sources.rdma-core.outPath; + outputs = [ + "dev" + "out" + "static" + ]; + cmakeFlags = orig.cmakeFlags ++ [ + "-DENABLE_STATIC=1" + # we don't need pyverbs, and turning it off reduces build time / complexity. + "-DNO_PYVERBS=1" + # no need for docs in container images. + "-DNO_MAN_PAGES=1" + # we don't care about this lib's exported symbols / compat situation _at all_ because we static link (which + # doesn't even have symbol versioning / compatibility in the first place). Turning this off just reduces the + # build's internal complexity and makes lto easier. + "-DNO_COMPAT_SYMS=1" + ]; + postInstall = (orig.postInstall or "") + '' + mkdir -p $static/lib; + mv $out/lib/*.a $static/lib/ + ''; + }); + + # Compiling DPDK is the primary objective of this overlay. + # + # We care _a lot_ about how this is compiled and should always use flags which are either optimized for performance + # or debugging. After all, if you aren't doing something performance critical then I don't know why you want DPDK at + # all :) + # + # Also, while this library has a respectable security track record, this is also a super strong candidate for + # cfi, safe-stack, and cf-protection. + dpdk = dataplane-dep (final.callPackage ../pkgs/dpdk { src = sources.dpdk; }); +} diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix new file mode 100644 index 000000000..6139dfb3c --- /dev/null +++ b/nix/overlays/default.nix @@ -0,0 +1,9 @@ +{ + sources, + env ? { }, +}: +{ + dataplane = import ./dataplane.nix { + inherit sources env; + }; +} diff --git a/nix/pkgs/dpdk/default.nix b/nix/pkgs/dpdk/default.nix new file mode 100644 index 000000000..44d4474bd --- /dev/null +++ b/nix/pkgs/dpdk/default.nix @@ -0,0 +1,284 @@ +{ + src, + stdenv, + lib, + pkg-config, + meson, + ninja, + libbsd, + numactl, + rdma-core, + libnl, + python3, + build-params ? { + lto = "true"; + build-type = "release"; # "debug" | "release" + }, +}: + +stdenv.mkDerivation { + pname = "dpdk"; + version = src.branch; + src = src.outPath; + nativeBuildInputs = [ + meson + ninja + pkg-config + python3 + python3.pkgs.pyelftools + ]; + + buildInputs = [ + libbsd + libnl + numactl + rdma-core + ]; + + postPatch = '' + patchShebangs config/arm buildtools + # We have no use for RTE_TRACE at all and it makes things more difficult from a security POV so disable it + sed -i 's/#define RTE_TRACE 1/#undef RTE_TRACE/g' config/rte_config.h + # We have no use for receive or transmit callbacks at this time so disable them + sed -i 's/#define RTE_ETHDEV_RXTX_CALLBACKS 1/#undef RTE_ETHDEV_RXTX_CALLBACKS/g' config/rte_config.h + ''; + + mesonFlags = + let + disabledLibs = [ + "acl" + "argparse" + "bbdev" + "bitratestats" + "bpf" + "cfgfile" + "compressdev" + "dispatcher" + "distributor" + "efd" + "fib" + "gpudev" + "graph" + "gro" + "gso" + "ip_frag" + "ipsec" + "jobstats" + "latencystats" + "lpm" + "member" + "metrics" + "mldev" + "node" + "pcapng" + "pdcp" + "pdump" + "pipeline" + "port" + "power" + "ptr_compress" + "rawdev" + "regexdev" + "reorder" + "rib" + "sched" + "table" + ]; + enabledLibs = [ + "cryptodev" # required for vhost + "dmadev" # required by vhost + "ethdev" + "eventdev" + "pci" + "security" + "timer" + "vhost" + ]; + disabledDrivers = [ + "baseband/*" + "bus/ifpga" + "bus/vdev" + "bus/vmbus" + "common/cnxk" + "common/cpt" + "common/dpaax" + "common/octeontx" + "common/octeontx2" + "common/qat" + "common/sfc_efx" + "compress/*" + "compress/mlx5" + "compress/zlib" + "crypto/*" + "crypto/aesni_gcm" + "crypto/aesni_mb" + "crypto/bcmfs" + "crypto/ccp" + "crypto/kasumi" + "crypto/mlx5" + "crypto/nitrox" + "crypto/null" + "crypto/openssl" + "crypto/scheduler" + "crypto/snow3g" + "crypto/virtio" + "crypto/zuc" + "event/dlb" + "event/dsw" + "event/opdl" + "event/skeleton" + "event/sw" + "net/acc100" + "net/af_packet" + "net/af_xdp" + "net/ark" + "net/atlantic" + "net/avp" + "net/axgbe" + "net/bcmfs" + "net/bnx2x" + "net/bnxt" + "net/bond" + "net/caam_jr" + "net/ccp" + "net/cnxk" + "net/cnxk_bphy" + "net/cpt" + "net/cxgbe" + "net/dlb2" + "net/dpaa" + "net/dpaa2" + "net/dpaa2_cmdif" + "net/dpaa2_qdma" + "net/dpaa2_sec" + "net/dpaa_sec" + "net/dpaax" + "net/dsw" + "net/ena" + "net/enetc" + "net/enic" + "net/failsafe" + "net/fm10k" + "net/fpga_5gnr_fec" + "net/fpga_lte_fec" + "net/fslmc" + "net/hinic" + "net/hns3" + "net/ifc" + "net/ifpga" + "net/igc" + "net/ioat" + "net/ionic" + "net/ipn3ke" + "net/kasumi" + "net/kni" + "net/liquidio" + "net/memif" + "net/mlx4" + "net/netvsc" + "net/nfp" + "net/ngbe" + "net/nitrox" + "net/ntb" + "net/null" + "net/octeontx" + "net/octeontx2" + "net/octeontx2_dma" + "net/octeontx2_ep" + "net/octeontx_ep" + "net/opdl" + "net/pcap" + "net/pfe" + "net/qede" + "net/sfc" + "net/sfc_efx" + "net/skeleton" + "net/snow3g" + "net/softnic" + "net/tap" + "net/thunderx" + "net/turbo_sw" + "net/txgbe" + "net/vdev" + "net/vdev_netvsc" + "net/vmbus" + "net/vmxnet3" + "net/zuc" + "raw/*" + "raw/ioat" + "raw/ntb" + "raw/skeleton" + "regex/*" + "regex/mlx5" + "vdpa/*" + "vdpa/ifc" + ]; + enabledDrivers = [ + "bus/auxiliary" + "bus/pci" + "common/mlx5" + "mempool/bucket" + "mempool/ring" + "mempool/stack" + "net/auxiliary" + "net/dmadev" + "net/intel/e1000" + "net/intel/i40e" + "net/intel/iavf" + "net/intel/ixgbe" + "net/mlx5" + "net/ring" + "net/vhost" + "net/virtio" + "vdpa/mlx5" + ]; + in + with build-params; + [ + "--buildtype=${build-type}" + "-Dauto_features=disabled" + "-Db_colorout=never" + "-Db_lto=${lto}" + "-Db_lundef=true" + "-Db_pgo=off" + "-Db_pie=true" + "-Dbackend=ninja" + "-Ddefault_library=static" + "-Denable_docs=false" + "-Denable_driver_sdk=false" + "-Dmax_numa_nodes=8" + "-Dtests=false" # Running DPDK tests in CI is usually silly + "-Duse_hpet=false" + "-Ddebug=false" + ''-Ddisable_drivers=${lib.concatStringsSep "," disabledDrivers}'' + ''-Denable_drivers=${lib.concatStringsSep "," enabledDrivers}'' + ''-Denable_libs=${lib.concatStringsSep "," enabledLibs}'' + ''-Ddisable_libs=${lib.concatStringsSep "," disabledLibs}'' + ]; + + outputs = [ + "out" + "static" + "dev" + "share" + ]; + + postInstall = '' + # Remove docs. We don't build these anyway + rm -rf $out/share/doc + mkdir -p $static/lib $share; + mv $out/lib/*.a $static/lib + mv $out/share $share + ''; + + meta = with lib; { + description = "Set of libraries and drivers for fast packet processing"; + homepage = "http://dpdk.org/"; + license = with licenses; [ + lgpl21 + gpl2 + bsd2 + ]; + platforms = platforms.linux; + }; +} diff --git a/npins/default.nix b/npins/default.nix new file mode 100644 index 000000000..659247626 --- /dev/null +++ b/npins/default.nix @@ -0,0 +1,146 @@ +/* + This file is provided under the MIT licence: + + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +*/ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = + first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # If the environment variable NPINS_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + # (Taken from Niv for compatibility) + mayOverride = + name: path: + let + envVarName = "NPINS_OVERRIDE_${saneName}"; + saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; + ersatz = builtins.getEnv envVarName; + in + if ersatz == "" then + path + else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" ( + if builtins.substring 0 1 ersatz == "/" then + /. + ersatz + else + /. + builtins.getEnv "PWD" + "/${ersatz}" + ); + + mkSource = + name: spec: + assert spec ? type; + let + path = + if spec.type == "Git" then + mkGitSource spec + else if spec.type == "GitRelease" then + mkGitSource spec + else if spec.type == "PyPi" then + mkPyPiSource spec + else if spec.type == "Channel" then + mkChannelSource spec + else if spec.type == "Tarball" then + mkTarballSource spec + else + builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = mayOverride name path; }; + + mkGitSource = + { + repository, + revision, + url ? null, + submodules, + hash, + branch ? null, + ... + }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null && !submodules then + builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + } + else + let + url = + if repository.type == "Git" then + repository.url + else if repository.type == "GitHub" then + "https://github.com/${repository.owner}/${repository.repo}.git" + else if repository.type == "GitLab" then + "${repository.server}/${repository.repo_path}.git" + else + throw "Unrecognized repository type ${repository.type}"; + urlToName = + url: rev: + let + matched = builtins.match "^.*/([^/]*)(\\.git)?$" url; + + short = builtins.substring 0 7 rev; + + appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else ""; + in + "${if matched == null then "source" else builtins.head matched}${appendShort}"; + name = urlToName url revision; + in + builtins.fetchGit { + rev = revision; + inherit name; + # hash = hash; + inherit url submodules; + }; + + mkPyPiSource = + { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = + { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; + + mkTarballSource = + { + url, + locked_url ? url, + hash, + ... + }: + builtins.fetchTarball { + url = locked_url; + sha256 = hash; + }; +in +if version == 5 then + builtins.mapAttrs mkSource data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 000000000..bc55da807 --- /dev/null +++ b/npins/sources.json @@ -0,0 +1,37 @@ +{ + "pins": { + "dpdk": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "DPDK", + "repo": "dpdk" + }, + "branch": "25.11", + "submodules": false, + "revision": "ed957165eadbe60a47d5ec223578cdd1c13d0bd9", + "url": "https://github.com/DPDK/dpdk/archive/ed957165eadbe60a47d5ec223578cdd1c13d0bd9.tar.gz", + "hash": "09h7wnmq4c9xm1nsyv5mz1yf91c1l6vy9sdcamb09qjjx4wgs0q9" + }, + "nixpkgs": { + "type": "Channel", + "name": "nixpkgs-unstable", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre911335.23735a82a828/nixexprs.tar.xz", + "hash": "03cv7yy3ldb3i50in6qkm98y68nlid874l52wayzgx0z7pbpq1rk" + }, + "rdma-core": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "githedgehog", + "repo": "rdma-core" + }, + "branch": "fix-lto-60.0", + "submodules": false, + "revision": "9ae1b26593e2cb53239e1124f88ce1698d53857e", + "url": "https://github.com/githedgehog/rdma-core/archive/9ae1b26593e2cb53239e1124f88ce1698d53857e.tar.gz", + "hash": "1djdsfga9if02pl8ynnyyf640xdd37fha6zp3xlylciy8apzn1r4" + } + }, + "version": 5 +} diff --git a/profiles.nix b/profiles.nix new file mode 100644 index 000000000..b3d52d626 --- /dev/null +++ b/profiles.nix @@ -0,0 +1,71 @@ +let + common.NIX_CFLAGS_COMPILE = [ + "-glldb" + "-gdwarf-5" + # odr or strict-aliasing violations are indicative of LTO incompatibility, so check for that + "-Werror=odr" + "-Werror=strict-aliasing" + ]; + common.NIX_CXXFLAGS_COMPILE = common.NIX_CFLAGS_COMPILE; + common.NIX_CFLAGS_LINK = [ + # getting proper LTO from LLVM compiled objects is best done with lld rather than ld, mold, or wild (at least at the + # time of writing) + "-fuse-ld=lld" + # we always want pic/pie and GOT offsets should be computed at compile time whenever possible + "-Wl,-z,relro,-z,now" + ]; + debug.NIX_CFLAGS_COMPILE = [ + "-fno-inline" + "-fno-omit-frame-pointer" + "-D_FORTIFY_SOURCE=0" # disable security stuff because the goal is to make the asm as easy to understand as possible + "-Wno-macro-redefined" # many apps opt in to _FORTIFY_SOURCE={1,2,3} explicitly, and -Wall errors when you redefine + ]; + debug.NIX_CXXFLAGS_COMPILE = debug.NIX_CFLAGS_COMPILE; + debug.NIX_CFLAGS_LINK = [ ]; + optimize.NIX_CFLAGS_COMPILE = [ + "-O3" + "-flto=full" + "-ffat-lto-objects" + "-fsplit-lto-unit" # important for compatibility with rust's LTO + ]; + optimize.NIX_CXXFLAGS_COMPILE = optimize.NIX_CFLAGS_COMPILE ++ [ + "-fwhole-program-vtables" + ]; + optimize.NIX_CFLAGS_LINK = [ + "-flto=full" + "-Wl,--lto-whole-program-visibility" + # just to keep the artifacts small, we don't currently use any linked artifact anyway + "-Wl,--gc-sections" + "-Wl,--as-needed" + ]; + secure.NIX_CFLAGS_COMPILE = [ + "-fstack-protector-strong" + "-fstack-clash-protection" + # "-fcf-protection=full" # requires extra testing before we enable + # "-fsanitize=safe-stack" # requires extra testing before we enable (not compatible with musl) + # "-fsanitize=cfi" # requires extra testing before we enable + # enable if you turn on cfi to properly link with rust + # "-fsanitize-cfi-icall-experimental-normalize-integers" + # consider enabling if you turn on cfi (not compatible with cross DSO cfi) + # "-fsanitize-cfi-icall-generalize-pointers" + ]; + secure.NIX_CXXFLAGS_COMPILE = secure.NIX_CFLAGS_COMPILE; + # handing the CFLAGS back to clang/lld is basically required for -fsanitize + secure.NIX_CFLAGS_LINK = secure.NIX_CFLAGS_COMPILE; + combine-profiles = + features: + builtins.foldl' ( + acc: elem: builtins.mapAttrs (var: val: (acc.${var} or [ ]) ++ val) elem + ) { } features; +in +{ + debug = combine-profiles [ + common + debug + ]; + release = combine-profiles [ + common + optimize + secure + ]; +} diff --git a/shell.nix b/shell.nix index 112c4b8a4..918e6cad1 100644 --- a/shell.nix +++ b/shell.nix @@ -12,6 +12,7 @@ just nil nixd + npins wget ]); }).env