
PVF worker: separate worker binaries and build with musl #650

@mrcnski

Overview

Per the security/sandboxing work in #882, we want to separate the PVF worker binaries and build them with musl. There are several advantages in doing this:

  • Forcing the use of musl instead of whatever the system C library happens to be means we can better control and sandbox the expected syscalls.
  • It is also a win for more deterministic execution, i.e. more homogeneity in execution times and memory used, as opposed to validators each using a different libc.
  • [nvm: we already use LTO in production builds.] With a separate binary we can always apply LTO optimizations to this binary alone. LTO may make compile times prohibitively long for all of polkadot, but the impact on a small binary is much smaller and there may be performance wins. (Related: Optimize validator binaries with LTO polkadot#4311.)
  • With smaller binaries we reduce the number of ROP gadgets available to an attacker.

Todo

  • move PVF workers into separate binaries
  • adapt wasm-builder for worker binaries
  • include the binary into polkadot executable at build-time (similar to this)
  • ... some other stuff
  1. Update the CI jobs, docker scripts, etc. to build the worker binaries with musl.
  2. Update the validator guide with new instructions for building the worker binaries.
  3. Announce to validators that the instructions have changed, and that non-musl binaries will become a hard error in the next release.
  4. Make musl workers a requirement for running secure mode.
  5. Finally, enable full seccomp rules (logging violations for a while).
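One defender-side check that step 4 implies, written here as an added example and not as the project's own code: before secure mode is enabled, verify that the worker image carries no program interpreter (no PT_INTERP entry), i.e. it will never map the host's ld.so and dynamic libc. The function names, the `secure_mode_allowed` gate and the constructed ELF image are assumptions of this example.

```python
import struct

ELF64_HDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 header fields that follow e_ident[16]
PT_INTERP = 3                      # program header naming the dynamic loader (ld.so)

def program_header_types(data: bytes) -> list:
    """Return the p_type of every program header in an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    (_, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(ELF64_HDR_FMT, data, 16)
    types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("program header table runs past the end of the image")
        types.append(struct.unpack_from("<I", data, off)[0])
    return types

def is_statically_linked(data: bytes) -> bool:
    """True when the image has no PT_INTERP, so the host's ld.so/libc is never loaded.
    PT_DYNAMIC is deliberately not used as the signal: static-pie executables, which
    musl targets commonly produce, still carry one for self-relocation."""
    return PT_INTERP not in program_header_types(data)

def secure_mode_allowed(worker_image: bytes) -> tuple:
    """Hypothetical gate for step 4: returns (allowed, reason)."""
    if not is_statically_linked(worker_image):
        return (False, "worker is dynamically linked against the host libc; "
                       "rebuild it for the musl target")
    return (True, "worker is statically linked")

def build_fake_elf(p_types) -> bytes:
    """Constructed minimal ELF64 image (header + program headers) for testing only."""
    hdr = bytearray(64)
    hdr[:7] = b"\x7fELF\x02\x01\x01"  # magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    # e_type=ET_EXEC, e_machine=x86-64, e_phoff=64, e_ehsize=64, e_phentsize=56
    struct.pack_into(ELF64_HDR_FMT, hdr, 16,
                     2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return bytes(hdr) + phdrs

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(secure_mode_allowed(f.read()))
```

Run it against a real worker binary to see the verdict; a glibc-linked build is rejected because its PT_INTERP points at the host loader.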

Status: Completed