I'm Ryan from Estonia. I have a Ph.D. in cryptology and am working on a project that will use Intel SGX for government customers. We would like to use Rust for this purpose and I have a question about Rust SGX support.
I noticed that the official Rust distribution already has a target for SGX, which is developed by a private company called Fortanix in America. However, this SGX target is very tightly coupled with this vendor's tools and I think it's the American vendor's way of pushing their own products through Rust. Note that SGX is not like other compiler targets, because it requires at least the following highly vendor-specific tools:
- A custom loader that can load SGX binaries into Enclaves.
- A custom file format that specifies what parts of the executable binary should be used in the enclave sha256 computation.
- A custom Input/Output protocol between the enclave and host.
Currently all these parts are vendor-specific and NOT part of the standard Rust distribution, so I want to ask how you decided to choose this vendor over someone else. For large government projects, using an unqualified vendor's tools is a complete no-no, and I would like to understand how the Rust team decided to merge this vendor's code. (If your answer is "we will do whatever we want because it's our code", that's fine, but it will be good to know if that's your answer.)
Another licensing question (which my company is also hiring a lawyer for): what are the attribution requirements for using the mainline Rust compiler with SGX? Can we just say Rust community, or do we need to individually attribute it to the American vendor? (Of course we will write our own loader etc.)
We really want to use Rust for this project, but it seems the SGX target was added without an open RFC process.