sgx-ssl: split out tests. build-only by default.

- Normally SGX has a SIM mode for running enclave tests on non-Intel SGX capable hardware; however, these tests do some tricky stuff with cpuid and CPU trap handling that make them non-portable. - This diff makes it so OfBorg (which can't _run_ the tests) at least builds them. The tests are also split out into a separate derivation to save my sanity when iterating on them, since sgx-ssl takes like 30 min to build...
2024-02-01 21:36:25 +08:00 · 2024-02-01 21:36:25 +08:00 · bf15997e3d
commit bf15997e3d
parent 9dd20575b3
2 changed files with 108 additions and 13 deletions
--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@ -1,8 +1,8 @@
 { stdenv
+, callPackage
 , fetchFromGitHub
 , fetchurl
 , lib
-, openssl
 , perl
 , sgx-sdk
 , which
@ -37,7 +37,7 @@ stdenv.mkDerivation {
  postPatch = ''
    patchShebangs Linux/build_openssl.sh

-    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    # Skip the tests. Build and run separately (see below).
    substituteInPlace Linux/sgx/Makefile \
      --replace '$(MAKE) -C $(TEST_DIR) all' \
                'bash -c "true"'
@ -46,7 +46,6 @@ stdenv.mkDerivation {
  nativeBuildInputs = [
    perl
    sgx-sdk
-    stdenv.cc.libc
    which
  ];

@ -60,16 +59,17 @@ stdenv.mkDerivation {
    "DESTDIR=$(out)"
  ];

-  # Build the test app
-  doInstallCheck = true;
-  installCheckTarget = "test";
-  installCheckFlags = [
-    "SGX_MODE=SIM"
-    "-j 1" # Makefile doesn't support multiple jobs
-  ];
-  nativeInstallCheckInputs = [
-    openssl
-  ];
+  # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
+  # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
+  #
+  # ```
+  # nix run .#sgx-ssl.tests.HW
+  # nix run .#sgx-ssl.tests.SIM
+  # ```
+  passthru.tests = {
+    HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
+    SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
+  };

  meta = with lib; {
    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
--- a/pkgs/os-specific/linux/sgx/ssl/tests.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/tests.nix
@ -0,0 +1,95 @@
+# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
+# The whole package effectively does:
+#
+# ```
+# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
+# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
+# ```
+#
+# OfBorg fails to run these tests since they require real Intel HW. That
+# includes the simulation mode! The tests appears to do something fancy with
+# cpuid and exception trap handlers that make them very non-portable.
+#
+# These tests are split out from the parent pkg since recompiling the parent
+# takes like 30 min : )
+
+{ lib
+, openssl
+, sgx-psw
+, sgx-sdk
+, sgx-ssl
+, stdenv
+, which
+, opensslVersion ? throw "required parameter"
+, sgxMode ? throw "required parameter" # "SIM" or "HW"
+}:
+stdenv.mkDerivation {
+  inherit (sgx-ssl) postPatch src version;
+  pname = sgx-ssl.pname + "-tests-${sgxMode}";
+
+  postUnpack = sgx-ssl.postUnpack + ''
+    sourceRootAbs=$(readlink -e $sourceRoot)
+    packageDir=$sourceRootAbs/Linux/package
+
+    # Do the inverse of 'make install' and symlink built artifacts back into
+    # '$src/Linux/package/' to avoid work.
+    mkdir $packageDir/lib $packageDir/lib64
+    ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
+    ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
+    ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
+
+    # test_app needs some internal openssl headers.
+    # See: tail end of 'Linux/build_openssl.sh'
+    tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
+    echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
+  '';
+
+  nativeBuildInputs = [
+    openssl.bin
+    sgx-sdk
+    which
+  ];
+
+  preBuild = ''
+    # Need to regerate the edl header
+    make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
+  '';
+
+  makeFlags = [
+    "-C Linux/sgx/test_app"
+    "SGX_MODE=${sgxMode}"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    # Enclaves can't be stripped after signing.
+    install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
+
+    install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    # Move the enclaves where they actually belong.
+    mv $TMPDIR/enclaves/*.signed.so* $out/bin/
+
+    # HW SGX must runs against sgx-psw, not sgx-sdk.
+    if [[ "${sgxMode}" == "HW" ]]; then
+      patchelf \
+        --set-rpath "$( \
+          patchelf --print-rpath $out/bin/TestApp \
+            | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
+        )" \
+        $out/bin/TestApp
+    fi
+  '';
+
+  meta = {
+    platforms = [ "x86_64-linux" ];
+    mainProgram = "TestApp";
+  };
+}