nixos/intel-sgx: add option for Intel SGX DCAP compatibility
The Intel SGX DCAP driver makes the SGX application enclave device and the SGX provisioning enclave available below the path `/dev/sgx/`. Since Linux 5.11, a derivation of the DCAP driver is part of the kernel and available through the X86_SGX config option; NixOS enables this option by default. In contrast to the out-of-tree DCAP driver, the in-tree SGX driver uses a flat hierarchy for the SGX devices resulting in the paths `/dev/sgx_enclave` for the application enclave device and `/dev/sgx_provison` for the provisioning enclave device. As of this commit, even the latest version of the Intel SGX PSW libraries still tries to open the (legacy) DCAP paths only. This means that SGX software currently cannot find the required SGX devices even if the system actually supports SGX through the in-tree driver. Intel wants to change this behavior in an upcoming release of intel/linux-sgx. Having said that, SGX software assuming the SGX devices below `/dev/sgx/` will prevail. Therefore, this commit introduces the NixOS configuration option `hardware.cpu.intel.sgx.enableDcapCompat` which creates the necessary symlinks to support existing SGX software. The option defaults to true as it is currently the only way to support SGX software. Also, enabling the SGX AESM service enables the option. The permissions of the devices `/dev/sgx_enclave` and `/dev/sgx_provison` remain the same, i.e., are not affected regardless of having the new option enabled or not.
This commit is contained in:
parent
7180c7bb6e
commit
b88ddadf8b
2 changed files with 48 additions and 21 deletions
|
@ -1,10 +1,24 @@
|
|||
{ config, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.hardware.cpu.intel.sgx.provision;
|
||||
defaultGroup = "sgx_prv";
|
||||
cfg = config.hardware.cpu.intel.sgx;
|
||||
defaultPrvGroup = "sgx_prv";
|
||||
in
|
||||
{
|
||||
options.hardware.cpu.intel.sgx.enableDcapCompat = mkOption {
|
||||
description = ''
|
||||
Whether to enable backward compatibility for SGX software build for the
|
||||
out-of-tree Intel SGX DCAP driver.
|
||||
|
||||
Creates symbolic links for the SGX devices <literal>/dev/sgx_enclave</literal>
|
||||
and <literal>/dev/sgx_provision</literal> to make them available as
|
||||
<literal>/dev/sgx/enclave</literal> and <literal>/dev/sgx/provision</literal>,
|
||||
respectively.
|
||||
'';
|
||||
type = types.bool;
|
||||
default = true;
|
||||
};
|
||||
|
||||
options.hardware.cpu.intel.sgx.provision = {
|
||||
enable = mkEnableOption "access to the Intel SGX provisioning device";
|
||||
user = mkOption {
|
||||
|
@ -15,7 +29,7 @@ in
|
|||
group = mkOption {
|
||||
description = "Group to assign to the SGX provisioning device.";
|
||||
type = types.str;
|
||||
default = defaultGroup;
|
||||
default = defaultPrvGroup;
|
||||
};
|
||||
mode = mkOption {
|
||||
description = "Mode to set for the SGX provisioning device.";
|
||||
|
@ -24,24 +38,32 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = hasAttr cfg.user config.users.users;
|
||||
message = "Given user does not exist";
|
||||
}
|
||||
{
|
||||
assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
|
||||
message = "Given group does not exist";
|
||||
}
|
||||
];
|
||||
config = mkMerge [
|
||||
(mkIf cfg.provision.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = hasAttr cfg.provision.user config.users.users;
|
||||
message = "Given user does not exist";
|
||||
}
|
||||
{
|
||||
assertion = (cfg.provision.group == defaultPrvGroup) || (hasAttr cfg.provision.group config.users.groups);
|
||||
message = "Given group does not exist";
|
||||
}
|
||||
];
|
||||
|
||||
users.groups = optionalAttrs (cfg.group == defaultGroup) {
|
||||
"${cfg.group}" = { };
|
||||
};
|
||||
users.groups = optionalAttrs (cfg.provision.group == defaultPrvGroup) {
|
||||
"${cfg.provision.group}" = { };
|
||||
};
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="${cfg.mode}"
|
||||
'';
|
||||
};
|
||||
services.udev.extraRules = with cfg.provision; ''
|
||||
SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${user}", GROUP="${group}", MODE="${mode}"
|
||||
'';
|
||||
})
|
||||
(mkIf cfg.enableDcapCompat {
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="misc", KERNEL=="sgx_enclave", SYMLINK+="sgx/enclave"
|
||||
SUBSYSTEM=="misc", KERNEL=="sgx_provision", SYMLINK+="sgx/provision"
|
||||
'';
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
|
@ -73,6 +73,11 @@ in
|
|||
|
||||
hardware.cpu.intel.sgx.provision.enable = true;
|
||||
|
||||
# Make sure the AESM service can find the SGX devices until
|
||||
# https://github.com/intel/linux-sgx/issues/772 is resolved
|
||||
# and updated in nixpkgs.
|
||||
hardware.cpu.intel.sgx.enableDcapCompat = mkForce true;
|
||||
|
||||
systemd.services.aesmd =
|
||||
let
|
||||
storeAesmFolder = "${sgx-psw}/aesm";
|
||||
|
|
Loading…
Reference in a new issue