1
0
mirror of https://github.com/golang/go synced 2024-11-24 16:50:13 -07:00
go/misc/nacl
Filippo Valsorda 53374e7e06 crypto/ed25519: promote from golang.org/x/crypto/ed25519
The crypto/tls and crypto/x509 APIs leak PublicKey and PrivateKey types,
so in order to add support for Ed25519 certificates we need the ed25519
package in the stdlib.

It's also a primitive that's reasonable to use directly in applications,
as it is a modern, safe and fast signing algorithm, for which there
aren't higher level APIs. (The nacl/sign API is limiting in that it
repeats the message.)

A few docs changes will come in a follow-up, and a CL will land on
golang.org/x/crypto/ed25519 to make it a type alias wrapper on Go 1.13+.

Updates #25355

Change-Id: I057f20cc7d1aca2b95c29ce73eb03c3b237e413f
Reviewed-on: https://go-review.googlesource.com/c/go/+/174945
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2019-05-06 23:23:45 +00:00
..
testdata misc: fix typos in various docs 2019-03-07 07:30:06 +00:00
go_nacl_386_exec
go_nacl_amd64p32_exec
go_nacl_arm_exec
mkzip.go
README internal/traceparser: provide parser that uses less space and parses segments of runtime trace files 2018-10-23 14:00:14 +00:00
testzip.proto crypto/ed25519: promote from golang.org/x/crypto/ed25519 2019-05-06 23:23:45 +00:00

Native Client
=============

This document outlines the basics of building and developing the Go runtime and
programs in the Native Client (NaCl) environment.

Go 1.3 supports three architectures

 * nacl/386 which is standard 386.
 * nacl/amd64p32 which is a 64 bit architecture, where the address space is
   limited to a 4gb window.
 * nacl/arm which is 32-bit ARMv7A architecture with 1GB address space.

For background it is recommended that you read https://golang.org/s/go13nacl.

Prerequisites
-------------

Native Client programs are executed inside a sandbox, the NaCl runtime. This
runtime must be installed before you can use NaCl programs.

The NaCl distribution comes with an installer which ensures you have access to
the latest version of the runtime. The version tracks the Chrome numbering
scheme.

# Download NaCl

Download nacl_sdk.zip file from
	https://developer.chrome.com/native-client/sdk/download
and unpack it. I chose /opt/nacl_sdk.

# Update

The zip file contains a small skeleton that can be used to download the correct
sdk. These are released every 6-8 weeks, in line with Chrome releases.
	
	% cd /opt/nacl_sdk
	% ./naclsdk update

At this time pepper_49 is the stable version. The NaCl port needs at least pepper_39
to work. If naclsdk downloads a later version, please adjust accordingly.

The cmd/go helper scripts expect that the loaders sel_ldr_{x86_{32,64},arm} and
nacl_helper_bootstrap_arm are in your path. I find it easiest to make a symlink
from the NaCl distribution to my $GOPATH/bin directory.

	% ln -nfs /opt/nacl_sdk/pepper_39/tools/sel_ldr_x86_32 $GOPATH/bin/sel_ldr_x86_32
	% ln -nfs /opt/nacl_sdk/pepper_39/tools/sel_ldr_x86_64 $GOPATH/bin/sel_ldr_x86_64
	% ln -nfs /opt/nacl_sdk/pepper_39/tools/sel_ldr_arm $GOPATH/bin/sel_ldr_arm

Additionally, for NaCl/ARM only:

	% ln -nfs /opt/nacl_sdk/pepper_39/tools/nacl_helper_bootstrap_arm $GOPATH/bin/nacl_helper_bootstrap_arm

Support scripts
---------------

Symlink the two scripts in this directory into your $PATH, just as you did with
NaCl sdk above.

	% ln -nfs $GOROOT/misc/nacl/go_nacl_amd64p32_exec $GOPATH/bin/go_nacl_amd64p32_exec
	% ln -nfs $GOROOT/misc/nacl/go_nacl_386_exec $GOPATH/bin/go_nacl_386_exec
	% ln -nfs $GOROOT/misc/nacl/go_nacl_arm_exec $GOPATH/bin/go_nacl_arm_exec

Building and testing
--------------------

Building for NaCl is similar to cross compiling for other platforms. However,
as it is not possible to ever build in a `native` NaCl environment, the cmd/go
tool has been enhanced to allow the full build, all.bash, to be executed,
rather than just the compile stage, make.bash.

The cmd/go tool knows that if GOOS is set to `nacl` it should not try to
execute any binaries itself. Instead it passes their execution to a support
script which sets up a Native Client environment and invokes the NaCl sandbox.

The script's name has a special format, go_$GOOS_$GOARCH_exec, so cmd/go can
find it.

In short, if the support scripts are in place, the cmd/go tool can be used as
per normal.

# Build and test Go for NaCl

NaCl does not permit direct file system access. Instead, package syscall
provides a simulated file system served by in-memory data. The script
nacltest.bash is the NaCl equivalent of all.bash. It builds NaCl with an
in-memory file system containing files needed for tests, and then it runs the
tests.

	% cd go/src
	% env GOARCH=amd64p32 ./nacltest.bash

Debugging
---------

Assuming that you have built nacl/amd64p32 binary ./mybin and can run as:

	% sel_ldr_x86_64 -l /dev/null -S -e ./mybin

Create the nacl manifest file mybin.manifest with the following contents:

	{ "program": { "x86-64": { "url": "mybin" } } }

url is the path to the binary relative to the manifest file.
Then, run the program as:

	% sel_ldr_x86_64 -g -l /dev/null -S -e ./mybin

The -g flag instructs the loader to stop at startup. Then, in another console:

	% /opt/nacl_sdk/pepper_39/toolchain/linux_x86_glibc/bin/x86_64-nacl-gdb
	% nacl-manifest mybin.manifest
	% target remote :4014

If you see that the program is stopped in _rt0_amd64p32_nacl, then symbols are
loaded successfully and you can type 'c' to start the program.
Next time you can automate it as:

	% /opt/nacl_sdk/pepper_39/toolchain/linux_x86_glibc/bin/x86_64-nacl-gdb \
		-ex 'nacl-manifest mybin.manifest' -ex 'target remote :4014'