Merge pull request #154157 from yaxitech/sgx-ssl
sgx-ssl: init at lin_2.15.1_1.1.1l
This commit is contained in:
commit
5a6a12256d
4 changed files with 202 additions and 0 deletions
|
@ -12172,6 +12172,12 @@
|
|||
githubId = 1183303;
|
||||
name = "Jakob Klepp";
|
||||
};
|
||||
trundle = {
|
||||
name = "Andreas Stührk";
|
||||
email = "andy@hammerhartes.de";
|
||||
github = "Trundle";
|
||||
githubId = 332418;
|
||||
};
|
||||
tscholak = {
|
||||
email = "torsten.scholak@googlemail.com";
|
||||
github = "tscholak";
|
||||
|
|
95
pkgs/os-specific/linux/sgx/ssl/default.nix
Normal file
95
pkgs/os-specific/linux/sgx/ssl/default.nix
Normal file
|
@ -0,0 +1,95 @@
|
|||
{ stdenv
|
||||
, fetchFromGitHub
|
||||
, fetchpatch
|
||||
, fetchurl
|
||||
, lib
|
||||
, perl
|
||||
, sgx-sdk
|
||||
, which
|
||||
, debug ? false
|
||||
}:
|
||||
let
|
||||
sgxVersion = sgx-sdk.versionTag;
|
||||
opensslVersion = "1.1.1l";
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "sgx-ssl" + lib.optionalString debug "-debug";
|
||||
version = "lin_${sgxVersion}_${opensslVersion}";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "intel";
|
||||
repo = "intel-sgx-ssl";
|
||||
rev = version;
|
||||
hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
|
||||
};
|
||||
|
||||
postUnpack =
|
||||
let
|
||||
opensslSourceArchive = fetchurl {
|
||||
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
|
||||
hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
|
||||
};
|
||||
in
|
||||
''
|
||||
ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
|
||||
'';
|
||||
|
||||
patches = [
|
||||
# https://github.com/intel/intel-sgx-ssl/pull/111
|
||||
./intel-sgx-ssl-pr-111.patch
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
patchShebangs Linux/build_openssl.sh
|
||||
|
||||
# Run the test in the `installCheckPhase`, not the `buildPhase`
|
||||
substituteInPlace Linux/sgx/Makefile \
|
||||
--replace '$(MAKE) -C $(TEST_DIR) all' \
|
||||
'bash -c "true"'
|
||||
'';
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
nativeBuildInputs = [
|
||||
perl
|
||||
sgx-sdk
|
||||
stdenv.glibc
|
||||
which
|
||||
];
|
||||
|
||||
makeFlags = [
|
||||
"-C Linux"
|
||||
] ++ lib.optionals debug [
|
||||
"DEBUG=1"
|
||||
];
|
||||
|
||||
installFlags = [
|
||||
"DESTDIR=$(out)"
|
||||
];
|
||||
|
||||
# Build the test app
|
||||
#
|
||||
# Running the test app is currently only supported on Intel CPUs
|
||||
# and will fail on non-Intel CPUs even in SGX simulation mode.
|
||||
# Therefore, we only build the test app without running it until
|
||||
# upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
|
||||
doInstallCheck = true;
|
||||
installCheckTarget = "all";
|
||||
installCheckFlags = [
|
||||
"SGX_MODE=SIM"
|
||||
"-C sgx/test_app"
|
||||
"-j 1" # Makefile doesn't support multiple jobs
|
||||
];
|
||||
preInstallCheck = ''
|
||||
# Expects the enclave file in the current working dir
|
||||
ln -s sgx/test_app/TestEnclave.signed.so .
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
|
||||
homepage = "https://github.com/intel/intel-sgx-ssl";
|
||||
maintainers = with maintainers; [ trundle veehaitch ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
license = with licenses; [ bsd3 openssl ];
|
||||
};
|
||||
}
|
99
pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
Normal file
99
pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
Normal file
|
@ -0,0 +1,99 @@
|
|||
From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Haupert <mail@vincent-haupert.de>
|
||||
Date: Sat, 8 Jan 2022 17:22:31 +0100
|
||||
Subject: [PATCH 1/3] Linux: fix Nix detection
|
||||
|
||||
Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
|
||||
environment variable instead of `NIX_PATH`. The latter is only set in a
|
||||
`nix-shell` session but isn't when building a derivation through
|
||||
`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
|
||||
both cases.
|
||||
|
||||
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
|
||||
---
|
||||
Linux/sgx/buildenv.mk | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
|
||||
index cd8818e..dac23c7 100644
|
||||
--- a/Linux/sgx/buildenv.mk
|
||||
+++ b/Linux/sgx/buildenv.mk
|
||||
@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
|
||||
UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
|
||||
ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
|
||||
OS_ID=1
|
||||
-else ifeq ($(origin NIX_PATH),environment)
|
||||
+else ifeq ($(origin NIX_STORE),environment)
|
||||
OS_ID=3
|
||||
else
|
||||
OS_ID=2
|
||||
|
||||
From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Haupert <mail@vincent-haupert.de>
|
||||
Date: Sat, 8 Jan 2022 17:33:22 +0100
|
||||
Subject: [PATCH 2/3] Linux: call binaries relative to PATH
|
||||
|
||||
Using an absolute path to call binaries is incompatible with
|
||||
distributions which do not follow the Filesystem Hierachy Standard;
|
||||
Nix is an example. Also, it is inconsistent with the rest of the code
|
||||
base, let alone superfluous.
|
||||
|
||||
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
|
||||
---
|
||||
Linux/build_openssl.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
|
||||
index 7d77b79..e8b59a1 100755
|
||||
--- a/Linux/build_openssl.sh
|
||||
+++ b/Linux/build_openssl.sh
|
||||
@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
echo $SGXSSL_ROOT
|
||||
|
||||
OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
|
||||
-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
|
||||
+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
|
||||
if [ "$OPENSSL_VERSION" == "" ]
|
||||
then
|
||||
echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
|
||||
|
||||
From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Haupert <mail@vincent-haupert.de>
|
||||
Date: Tue, 11 Jan 2022 10:56:39 +0100
|
||||
Subject: [PATCH 3/3] Linux: properly extract GCC major version
|
||||
|
||||
Calling `gcc -dumpversion` yields the full version string, e.g.,
|
||||
`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
|
||||
comparison operator to check if the returned version is at least
|
||||
8. This results in an error if the returned GCC version includes a patch
|
||||
version; "10.3.0" isn't a valid number.
|
||||
|
||||
This commit fixes the version detection by only extracting the relevant
|
||||
major version of GCC.
|
||||
|
||||
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
|
||||
---
|
||||
Linux/build_openssl.sh | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
|
||||
index e8b59a1..6e4046f 100755
|
||||
--- a/Linux/build_openssl.sh
|
||||
+++ b/Linux/build_openssl.sh
|
||||
@@ -82,6 +82,7 @@ fi
|
||||
MITIGATION_OPT=""
|
||||
MITIGATION_FLAGS=""
|
||||
CC_VERSION=`gcc -dumpversion`
|
||||
+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
|
||||
for arg in "$@"
|
||||
do
|
||||
case $arg in
|
||||
@@ -99,7 +100,7 @@ do
|
||||
;;
|
||||
-mfunction-return=thunk-extern)
|
||||
MITIGATION_FLAGS+=" $arg"
|
||||
- if [[ $CC_VERSION -ge 8 ]] ; then
|
||||
+ if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
|
||||
MITIGATION_FLAGS+=" -fcf-protection=none"
|
||||
fi
|
||||
shift
|
|
@ -22899,6 +22899,8 @@ with pkgs;
|
|||
|
||||
sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { };
|
||||
|
||||
sgx-ssl = callPackage ../os-specific/linux/sgx/ssl { };
|
||||
|
||||
sgx-psw = callPackage ../os-specific/linux/sgx/psw { };
|
||||
|
||||
shadow = callPackage ../os-specific/linux/shadow { };
|
||||
|
|
Loading…
Reference in a new issue