Build enclave with static GMP and NTL

[ab37695543xs]

Hi, my environment is Ubuntu 18.04 and default CC and CXX are clang.
I want to use NTL in enclave, and I've tried built static GMP and NTL in following 2 commands:

./configure CXX=clang++-8 --prefix=$HOME/mylibs --enable-cxx=yes --enable-shared=no
./configure CXX=clang++-8 DEF_PREFIX=$HOME/mylibs NTL_GMP_LIP=on GMP_PREFIX=$HOME/mylibs SHARED=off NTL_STD_CXX14=on

My enclave CmakeLists:

target_link_libraries(
    enclave openenclave::oeenclave openenclave::oecrypto${OE_CRYPTO_LIB}
    openenclave::oelibcxx)

set( CMAKE_CXX_FLAGS "-pthread -std=c++17" )
include_directories( "$ENV{HOME}/mylibs/include" )
target_link_libraries( enclave "$ENV{HOME}/mylibs/lib/libntl.a" )
target_link_libraries( enclave "$ENV{HOME}/mylibs/lib/libgmp.a" )

This works fine when compiling non-enclave app, but I'd fail to compile enclave like this:

/usr/bin/ld: /home/billsun/mylibs/lib/libgmp.a(lt22-init.o): relocation R_X86_64_32S against `.rodata' can not be used when making a PIE object; 以 -fPIC 選項重新編譯
/usr/bin/ld: /home/billsun/mylibs/lib/libgmp.a(realloc.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a PIE object; 以 -fPIC 選項重新編譯
/usr/bin/ld: /home/billsun/mylibs/lib/libgmp.a(lt86-sqrtrem.o): relocation R_X86_64_32S against `.rodata' can not be used when making a PIE object; 以 -fPIC 選項重新編譯

What's the proper way to build static library in enclave? Thanks.

[anakrish]

I will take a look at this and report back.

[anakrish]

Can you try adding -fPIC to the C++ compiler options as suggested in the error message?

Also do a verbose build of the enclave to make sure that -fPIC appears after -fPIE in the compiler command line.

[ab37695543xs]

I use GMP only to make it simpler, adding -fPIC will get the same result, here's my verbose

I tried to rebuild GMP with -fPIC

./configure CC=clang-8 --prefix=$HOME/mylibs --enable-shared=no CFLAGS="-fPIC"

Also checked the corresponding object file (same as the one without flag)

$ objdump -r lt22-init.o 

lt22-init.o：     檔案格式 elf64-x86-64

RELOCATION RECORDS FOR [.text]:
OFFSET           TYPE              VALUE 
000000000000000b R_X86_64_32S      .rodata

RELOCATION RECORDS FOR [.eh_frame]:
OFFSET           TYPE              VALUE 
0000000000000020 R_X86_64_PC32     .text

If I build a non-enclave code with -pie flag, I will get same linking error

[anakrish]

GMP

This is a bit tricky to do currently due to the following

• We link with -pie which allows the linker to do a better job since it knows that it is building an executable and not a general shared library. You could remove the -pie flag and link the enclave. Most likely it should work; but we don't extensively test this scenario where the enclave has been built without -pie. Also, it may be harder to figure out how to remove the -pie flag via cmake.
• OE SDK uses MUSL C library. Therefore GMP ought to be built against MUSL.
  One way to get a MUSL built copy of GMP is to fetch it from a MUSL based distribution like Alpine Linux.

We are working on a package manager apkman that will automatically fetch packages from Alpine Linux instance.
With the tool, you could just do apkman add gmp to fetch the package locally, then add $(apkman root)/usr/include to include path, and $(apkman root)/usr/lib to linker path and then link against libgmp.a. Here is an example of using GMP
within enclave: https://github.com/anakrish/openenclave/tree/ak-tools-apkman/tests/tools/apkman/libs/gmp/enc

If you are interested, I can help you try out the tool.

NTL

Open Enclave uses LLVM CXX library and therefore, NTK ought to be built against OE's C++ library. This is quite difficult to do currently.
One alternative is to build NTL in Alpine Linux (MUSL based) and then copy over libntl.a and libstdc++.a from Alpine.