Merge pull request #126990 from sbellem/sgxsdk

This commit is contained in:
Sandro 2021-11-09 22:54:56 +01:00 committed by GitHub
commit a0ab6d84ff
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 191 additions and 0 deletions

View file

@ -10185,6 +10185,12 @@
githubId = 720864;
name = "Sébastien Bourdeauducq";
};
sbellem = {
email = "sbellem@gmail.com";
github = "sbellem";
githubId = 125458;
name = "Sylvain Bellemare";
};
sbond75 = {
name = "sbond75";
email = "43617712+sbond75@users.noreply.github.com";

View file

@ -0,0 +1,159 @@
{ lib
, stdenv
, fetchpatch
, fetchurl
, fetchFromGitHub
, callPackage
, autoconf
, automake
, binutils
, cmake
, file
, git
, libtool
, nasm
, ncurses
, ocaml
, ocamlPackages
, openssl
, perl
, python3
, texinfo
, which
, writeShellScript
}:
stdenv.mkDerivation rec {
pname = "sgx-sdk";
version = "2.14";
src = fetchFromGitHub {
owner = "intel";
repo = "linux-sgx";
rev = "0cea078f17a24fb807e706409972d77f7a958db9";
sha256 = "1cr2mkk459s270ng0yddgcryi0zc3dfmg9rmdrdh9mhy2mc1kx0g";
fetchSubmodules = true;
};
patches = [
(fetchpatch {
name = "replace-bin-cp-with-cp.patch";
url = "https://github.com/intel/linux-sgx/commit/e0db5291d46d1c124980719d63829d65f89cf2c7.patch";
sha256 = "0xwlpm1r4rl4anfhjkr6fgz0gcyhr0ng46fv8iw9hfsh891yqb7z";
})
(fetchpatch {
name = "sgx_ippcp.h.patch";
url = "https://github.com/intel/linux-sgx/commit/e5929083f8161a8e7404afc0577936003fbb9d0b.patch";
sha256 = "12bgs9rxlq82hn5prl9qz2r4mwypink8hzdz4cki4k4cmkw961f5";
})
];
postPatch = ''
patchShebangs ./linux/installer/bin/build-installpkg.sh \
./linux/installer/common/sdk/createTarball.sh \
./linux/installer/common/sdk/install.sh
'';
dontConfigure = true;
# SDK built with stackprotector produces broken enclaves which crash at runtime.
# Disable all to be safe, SDK build configures compiler mitigations manually.
hardeningDisable = [ "all" ];
nativeBuildInputs = [
cmake
git
ocaml
ocamlPackages.ocamlbuild
perl
python3
texinfo
nasm
file
ncurses
autoconf
automake
];
buildInputs = [
libtool
openssl
];
BINUTILS_DIR = "${binutils}/bin";
# Build external/ippcp_internal first. The Makefile is rewritten to make the
# build faster by splitting different versions of ipp-crypto builds and to
# avoid patching the Makefile for reproducibility issues.
buildPhase = let
ipp-crypto-no_mitigation = callPackage (import ./ipp-crypto.nix) {};
sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
ipp-crypto-cve_2020_0551_load = callPackage (import ./ipp-crypto.nix) {
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
};
nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
ipp-crypto-cve_2020_0551_cf = callPackage (import ./ipp-crypto.nix) {
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
};
in ''
cd external/ippcp_internal
mkdir -p lib/linux/intel64/no_mitigation
cp ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a lib/linux/intel64/no_mitigation
chmod a+w lib/linux/intel64/no_mitigation/libippcp.a
cp ${ipp-crypto-no_mitigation}/include/* ./inc
mkdir -p lib/linux/intel64/cve_2020_0551_load
cp ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_load
chmod a+w lib/linux/intel64/cve_2020_0551_load/libippcp.a
mkdir -p lib/linux/intel64/cve_2020_0551_cf
cp ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_cf
chmod a+w lib/linux/intel64/cve_2020_0551_cf/libippcp.a
rm -f ./inc/ippcp.h
patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp20u3.patch -o ./inc/ippcp.h
mkdir -p license
cp ${ipp-crypto-no_mitigation.src}/LICENSE ./license
# Build the SDK installation package.
cd ../..
# Nix patches make so that $(SHELL) defaults to "sh" instead of "/bin/sh".
# The build uses $(SHELL) as an argument to file -L which requires a path.
make SHELL=$SHELL sdk_install_pkg
runHook postBuild
'';
postBuild = ''
patchShebangs ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
'';
installPhase = ''
echo -e 'no\n'$out | ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
'';
dontFixup = true;
doInstallCheck = true;
installCheckInputs = [ which ];
installCheckPhase = ''
source $out/sgxsdk/environment
cd SampleCode/SampleEnclave
make SGX_MODE=SGX_SIM
./app
'';
meta = with lib; {
description = "Intel SGX SDK for Linux built with IPP Crypto Library";
homepage = "https://github.com/intel/linux-sgx";
maintainers = with maintainers; [ sbellem arturcygan ];
platforms = [ "x86_64-linux" ];
license = with licenses; [ bsd3 ];
};
}

View file

@ -0,0 +1,24 @@
{ lib
, stdenv
, fetchFromGitHub
, cmake
, python3
, nasm
, extraCmakeFlags ? []
}:
stdenv.mkDerivation rec {
pname = "ipp-crypto";
version = "2020_update3";
src = fetchFromGitHub {
owner = "intel";
repo = "ipp-crypto";
rev = "ipp-crypto_${version}";
sha256 = "02vlda6mlhbd12ljzdf65klpx4kmx1ylch9w3yllsiya4hwqzy4b";
};
cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
nativeBuildInputs = [ cmake python3 nasm ];
}

View file

@ -22473,6 +22473,8 @@ with pkgs;
seturgent = callPackage ../os-specific/linux/seturgent { };
sgx-sdk = callPackage ../os-specific/linux/sgx-sdk { };
shadow = callPackage ../os-specific/linux/shadow { };
sinit = callPackage ../os-specific/linux/sinit {