From a03b0a37b65ade6e76b7577952a9b64e6b865bc7 Mon Sep 17 00:00:00 2001 From: Philip Hayes Date: Tue, 12 Sep 2023 11:32:27 -0700 Subject: [PATCH 1/6] sgx-sdk: 2.16 -> 2.21 Release notes: sgx-sdk/ipp-crypto: 2021.3 -> 2021.7 * The `substituteInPlace` is no longer necessary as corresponding PR was merged. --- .../os-specific/linux/sgx/samples/default.nix | 39 ++++++++++++++++-- pkgs/os-specific/linux/sgx/sdk/default.nix | 40 +++++++++++++++---- pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix | 16 +++----- 3 files changed, 72 insertions(+), 23 deletions(-) diff --git a/pkgs/os-specific/linux/sgx/samples/default.nix b/pkgs/os-specific/linux/sgx/samples/default.nix index 2afd62de75d4..0cbd6db02838 100644 --- a/pkgs/os-specific/linux/sgx/samples/default.nix +++ b/pkgs/os-specific/linux/sgx/samples/default.nix @@ -1,6 +1,7 @@ { stdenv , lib , makeWrapper +, openssl , sgx-sdk , sgx-psw , which @@ -18,6 +19,7 @@ let nativeBuildInputs = [ makeWrapper + openssl which ]; @@ -66,7 +68,9 @@ let in { cxx11SGXDemo = buildSample "Cxx11SGXDemo"; - localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: { + cxx14SGXDemo = buildSample "Cxx14SGXDemo"; + cxx17SGXDemo = buildSample "Cxx17SGXDemo"; + localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: { installPhase = '' runHook preInstall @@ -86,7 +90,7 @@ in }); powerTransition = buildSample "PowerTransition"; protobufSGXDemo = buildSample "ProtobufSGXDemo"; - remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: { + remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: { # Makefile sets rpath to point to $TMPDIR preFixup = '' patchelf --remove-rpath $out/bin/app 
@@ -97,13 +101,40 @@ in ''; }); sampleEnclave = buildSample "SampleEnclave"; - sampleEnclavePCL = buildSample "SampleEnclavePCL"; sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP"; - sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: { + sampleMbedCrypto = buildSample "SampleMbedCrypto"; + sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: { prePatch = '' substituteInPlace App/App.cpp \ --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"' ''; }); switchless = buildSample "Switchless"; + # # Requires SGX-patched openssl (sgxssl) build + # sampleAttestedTLS = buildSample "SampleAttestedTLS"; +} // lib.optionalAttrs (!isSimulation) { + # # Requires kernel >= v6.2 && HW SGX + # sampleAEXNotify = buildSample "SampleAEXNotify"; + + # Requires HW SGX + sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: { + nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs; + + installPhase = '' + runHook preInstall + + mkdir -p $out/{bin,lib} + mv sample app + install -m 755 app $out/bin + + wrapProgram "$out/bin/app" \ + --chdir "$out/lib" \ + --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [sgx-psw]}" + + runHook postInstall + ''; + }); + + # # SEGFAULTs in simulation mode? + # sampleEnclavePCL = buildSample "SampleEnclavePCL"; } diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix index 053aaecbcbb7..7b78a8a9a4b3 100644 --- a/pkgs/os-specific/linux/sgx/sdk/default.nix +++ b/pkgs/os-specific/linux/sgx/sdk/default.nix 
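Review bot: `sampleCommonLoader` creates `$out/lib` and points `wrapProgram --chdir` at it, but its installPhase only installs `app` into `$out/bin`, so the working directory the wrapper enters is empty as written; if the loader expects an enclave or other file in its cwd it should be installed there as `localAttestation` does, and if it does not, the `lib` directory and `--chdir` can go. The guard `lib.optionalAttrs (!isSimulation)` relies on `isSimulation` being bound in the `let` block above, which is outside the hunk. The two commented-out samples would be easier to revisit with a line that names the blocker rather than a question, e.g. `# TODO: SampleEnclavePCL segfaults in simulation mode; re-enable once it runs under SIM`.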
@@ -29,15 +29,15 @@ stdenv.mkDerivation rec { pname = "sgx-sdk"; # Version as given in se_version.h - version = "2.16.100.4"; + version = "2.21.100.1"; # Version as used in the Git tag - versionTag = "2.16"; + versionTag = "2.21"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; - hash = "sha256-qgXuJJWiqmcU11umCsE3DnlK4VryuTDAsNf53YPw6UY="; + hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY="; fetchSubmodules = true; }; @@ -55,10 +55,32 @@ stdenv.mkDerivation rec { }) ]; + # There's a `make preparation` step that downloads some prebuilt binaries and + # applies some patches to the in-repo git submodules. We can't just run it, + # since it downloads things, so this step just extracts the patching steps. postPatch = '' patchShebangs linux/installer/bin/build-installpkg.sh \ linux/installer/common/sdk/createTarball.sh \ - linux/installer/common/sdk/install.sh + linux/installer/common/sdk/install.sh \ + external/sgx-emm/create_symlink.sh + + echo "Running 'make preparation' but without download steps" + + # Seems to download something. Build currently uses ipp-crypto and not + # sgxssl so probably not an issue. + # $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + + pushd external/openmp/openmp_code + git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \ + || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R + popd + + pushd external/protobuf/protobuf_code + git apply ../sgx_protobuf.patch >/dev/null 2>&1 \ + || git apply ../sgx_protobuf.patch --check -R + popd + + ./external/sgx-emm/create_symlink.sh ''; # We need `cmake` as a build input but don't use it to kick off the build phase 
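Review bot: The two `git apply ... >/dev/null 2>&1 || git apply ... --check -R` lines in `postPatch` discard the diagnostics of the first attempt, so when a patch stops applying for a real reason (for example after the next submodule bump) the only error a builder sees is the reverse-check's. Testing the already-applied case first and applying with full output otherwise keeps the same idempotence with readable failures: `git apply --check -R ../sgx_protobuf.patch 2>/dev/null || git apply ../sgx_protobuf.patch`, and likewise for the OpenMP patch. The commented-out `prepare_sgxssl.sh` line says it "seems to download something"; if that was verified, the comment should state what it fetches so the next bump can tell whether the step is needed, and if it is a guess it should say so.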
@@ -123,7 +145,7 @@ stdenv.mkDerivation rec { lib/linux/intel64/cve_2020_0551_cf/libippcp.a rm inc/ippcp.h - patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h + patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE @@ -136,8 +158,6 @@ stdenv.mkDerivation rec { "DEBUG=1" ]; - enableParallelBuilding = true; - postBuild = '' patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin ''; @@ -166,6 +186,11 @@ stdenv.mkDerivation rec { mv $installDir/lib64 lib ln -s lib/ lib64 + # Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so + for file in lib/libsgx_urts.so.*; do + ln -srf lib/libsgx_urts.so $file + done + mv $installDir/include/ . mkdir -p share/ @@ -204,7 +229,6 @@ stdenv.mkDerivation rec { runHook postInstall ''; - preFixup = '' echo "Strip sgxsdk prefix" for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix index b9f682f5319b..968a36455562 100644 --- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix +++ b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix @@ -1,5 +1,4 @@ -{ lib -, gcc11Stdenv +{ gcc11Stdenv , fetchFromGitHub , cmake , nasm 
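Review bot: Removing `enableParallelBuilding = true;` from sgx-sdk turns parallel building off (the mkDerivation default is `config.enableParallelBuildingByDefault`, which is false unless the nixpkgs config sets it), yet neither this commit message nor patch 3, which drops the same line from sgx-ssl, says why, while patch 2 explicitly wants parallel builds for sgx-psw. If the serial build is intentional because the sdk's Makefile races, a one-line comment would stop the next maintainer from re-adding it: `# The sdk Makefile is not safe to build in parallel; keep the serial default.` If it is accidental, the line should stay.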
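Review bot: The `for file in lib/libsgx_urts.so.*` loop runs in a shell without `nullglob`, so if the glob matches nothing `$file` is the literal pattern and `ln -srf` creates a symlink named `lib/libsgx_urts.so.*` instead of failing. A guard keeps the fixup honest when the installer's layout changes: `shopt -s nullglob` before the loop, or `[ -e "$file" ] || continue` as its first statement, and `"$file"` should be quoted in the `ln` call. The enclosing installPhase starts and ends outside the hunk.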
@@ -7,29 +6,24 @@ , python3 , extraCmakeFlags ? [ ] }: - gcc11Stdenv.mkDerivation rec { pname = "ipp-crypto"; - version = "2021.3"; + version = "2021.7"; src = fetchFromGitHub { owner = "intel"; repo = "ipp-crypto"; rev = "ippcp_${version}"; - hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM="; + hash = "sha256-3W0LlJgmrp2Rk7xQ+0GQfkF2UpH4htx9R7IL86smtnY="; }; - # Fix typo: https://github.com/intel/ipp-crypto/pull/33 - postPatch = '' - substituteInPlace sources/cmake/ippcp-gen-config.cmake \ - --replace 'ippcpo-config.cmake' 'ippcp-config.cmake' - ''; - cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags; nativeBuildInputs = [ cmake nasm + # TODO(phlip9): The most recent `ipp-crypto` version (2021.9) now uses + # OpenSSL v3 so we can avoid this EOL version when sgx-sdk updates. openssl_1_1 python3 ]; From 77d43f5fb86d4be5466ca7991b5b626c44e63f1c Mon Sep 17 00:00:00 2001 From: Philip Hayes Date: Tue, 12 Sep 2023 15:08:49 -0700 Subject: [PATCH 2/6] sgx-psw: 2.16 -> 2.21 * Updated platform enclaves. * Re-enable parallel build; seems to work properly across several different machines. * Ensure all non-enclave libs get stripped so we don't add `gcc` to the runtime closure. * I'm not sure what the value of providing a non-platfrom /bin/mount is for non-NixOS users for a service that isn't used that only bloats closure size. --- pkgs/os-specific/linux/sgx/psw/default.nix | 48 +++++++++++++++------- 1 file changed, 33 insertions(+), 15 deletions(-) diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix index fa4a7be01cf5..9b5c8087b232 100644 --- a/pkgs/os-specific/linux/sgx/psw/default.nix +++ b/pkgs/os-specific/linux/sgx/psw/default.nix @@ -5,15 +5,11 @@ , coreutils , curl , file -, glibc , makeWrapper , nixosTests , protobuf , python3 , sgx-sdk -, shadow -, systemd -, util-linux , which , debug ? false }: 
@@ -23,16 +19,21 @@ stdenv.mkDerivation rec { postUnpack = let + # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help + # run user application enclaves, verify launch policies, produce remote + # attestation quotes, and do platform certification. ae.prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz"; - hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s="; + hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0="; }; + # Also include the Data Center Attestation Primitives (DCAP) platform + # enclaves. dcap = rec { - version = "1.13"; + version = "1.18"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; - hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik="; + hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY="; }; }; in @@ -75,9 +76,6 @@ stdenv.mkDerivation rec { dontUseCmakeConfigure = true; - # Randomly fails if enabled - enableParallelBuilding = false; - buildFlags = [ "psw_install_pkg" ] ++ lib.optionals debug [ 
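Review bot: The new comment on `dcap` explains what the DCAP enclaves are but not how `version = "1.18"` was chosen; unlike `ae.prebuilt`, which follows `versionTag`, this pin is independent of the sdk version and will be missed on the next bump. If 1.18 is the DCAP release paired with SDK 2.21, a sentence recording that would save the next maintainer a search, e.g. `# DCAP release paired with SGX SDK 2.21; bump together with versionTag.` (only if that is indeed how it was selected — the hunk does not show it). The `$(unknown)` in the fetchurl url reads like a rendering artefact of the `${filename}` interpolation on this page rather than the committed text.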
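Review bot: Deleting `enableParallelBuilding = false;` does not by itself re-enable parallel building as the commit message says: the mkDerivation default is `config.enableParallelBuildingByDefault`, which is false unless the nixpkgs config sets it, so the build stays serial for most users. If parallel builds were verified across several machines, the line should become `enableParallelBuilding = true;`; if the intent was only to drop the stale comment, the message should say so.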
@@ -131,6 +129,31 @@ stdenv.mkDerivation rec { rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1) ''; + stripDebugList = [ + # Only strip the host libraries. If we don't strip, we accidentally pull in + # `gcc`... + # + # We need to avoid stripping the enclave ".signed.so" files, since that + # would modify the enclave measurement (hash). + # + # TODO(phlip9): put the enclave libraries in a separate directory or tell + # strip to ignore all "*.signed.so". + "aesm/aesm_service" + "aesm/libCppMicroServices.so.4.0.0" + "aesm/libdcap_quoteprov.so" + "aesm/libipc.so" + "aesm/liboal.so" + "aesm/libsgx_default_qcnl_wrapper.so" + "aesm/libsgx_pce_logic.so.1" + "aesm/libsgx_qe3_logic.so.1" + "aesm/liburts_internal.so" + "aesm/libutils.so" + + "aesm/bundles" + "lib" + "bin" + ]; + # Most—if not all—of those fixups are not relevant for NixOS as we have our own # NixOS module which is based on those files without relying on them. Still, it # is helpful to have properly patched versions for non-NixOS distributions. @@ -151,11 +174,6 @@ stdenv.mkDerivation rec { "${coreutils}/bin/chmod" \ --replace "/bin/kill" \ "${coreutils}/bin/kill" - - echo "Fixing remount-dev-exec.service" - substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \ - --replace '/bin/mount' \ - "${util-linux}/bin/mount" ''; passthru.tests = { From c037c23bda0e034b6effe2795c5e04391b8ae9d1 Mon Sep 17 00:00:00 2001 From: Philip Hayes Date: Tue, 12 Sep 2023 15:40:12 -0700 Subject: [PATCH 3/6] sgx-ssl: 1.1.1l -> 1.1.1u Release notes: --- pkgs/os-specific/linux/sgx/ssl/default.nix | 34 ++----- .../linux/sgx/ssl/intel-sgx-ssl-pr-111.patch | 99 ------------------- 2 files changed, 10 insertions(+), 123 deletions(-) delete mode 100644 pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix index f3f6ce485063..9d1905e09d1f 100644 
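Review bot: Dropping the `remount-dev-exec.service` substitution leaves that unit installed under `$out/lib/systemd/system` with a literal `/bin/mount`, so non-NixOS users now get a unit file that is shipped but broken without util-linux on `/bin`, while `aesmd.service` just above is still patched. Since the commit message argues the service is not wanted, removing the unit in installPhase (`rm $out/lib/systemd/system/remount-dev-exec.service`) would be consistent with that reasoning; otherwise a comment in the package should say why it is kept unpatched. By its name the unit changes mount options on `/dev`, which is the kind of privileged step a packager should decide on deliberately rather than leave half-configured.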
--- a/pkgs/os-specific/linux/sgx/ssl/default.nix +++ b/pkgs/os-specific/linux/sgx/ssl/default.nix @@ -1,8 +1,8 @@ { stdenv , fetchFromGitHub -, fetchpatch , fetchurl , lib +, openssl , perl , sgx-sdk , which @@ -10,9 +10,9 @@ }: let sgxVersion = sgx-sdk.versionTag; - opensslVersion = "1.1.1l"; + opensslVersion = "1.1.1u"; in -stdenv.mkDerivation rec { +stdenv.mkDerivation { pname = "sgx-ssl" + lib.optionalString debug "-debug"; version = "${sgxVersion}_${opensslVersion}"; @@ -20,25 +20,20 @@ stdenv.mkDerivation rec { owner = "intel"; repo = "intel-sgx-ssl"; rev = "lin_${sgxVersion}_${opensslVersion}"; - hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8="; + hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg="; }; postUnpack = let opensslSourceArchive = fetchurl { url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; - hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E="; + hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y="; }; in '' ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz ''; - patches = [ - # https://github.com/intel/intel-sgx-ssl/pull/111 - ./intel-sgx-ssl-pr-111.patch - ]; - postPatch = '' patchShebangs Linux/build_openssl.sh @@ -48,8 +43,6 @@ stdenv.mkDerivation rec { 'bash -c "true"' ''; - enableParallelBuilding = true; - nativeBuildInputs = [ perl sgx-sdk 
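Review bot: `opensslVersion = "1.1.1u"` keeps sgx-ssl on the OpenSSL 1.1.1 branch, which upstream OpenSSL declared end-of-life in September 2023, around the date of this commit; the value is dictated by intel-sgx-ssl's `lin_${sgxVersion}_${opensslVersion}` tag scheme, but nothing in the file says so. A short comment at the `let` binding would both record the support caveat and stop a well-meaning bump that the tag scheme cannot satisfy: `# Pinned by the intel-sgx-ssl tag lin_<sgx>_<openssl>; 1.1.1 is EOL upstream, move to a 3.x tag when intel-sgx-ssl publishes one.` The source hashes still pin both archives, so this is a maintenance caveat rather than an integrity gap.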
@@ -68,28 +61,21 @@ stdenv.mkDerivation rec { ]; # Build the test app - # - # Running the test app is currently only supported on Intel CPUs - # and will fail on non-Intel CPUs even in SGX simulation mode. - # Therefore, we only build the test app without running it until - # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113 doInstallCheck = true; - installCheckTarget = "all"; + installCheckTarget = "test"; installCheckFlags = [ "SGX_MODE=SIM" - "-C sgx/test_app" "-j 1" # Makefile doesn't support multiple jobs ]; - preInstallCheck = '' - # Expects the enclave file in the current working dir - ln -s sgx/test_app/TestEnclave.signed.so . - ''; + nativeInstallCheckInputs = [ + openssl + ]; meta = with lib; { description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL"; homepage = "https://github.com/intel/intel-sgx-ssl"; maintainers = with maintainers; [ trundle veehaitch ]; platforms = [ "x86_64-linux" ]; - license = with licenses; [ bsd3 openssl ]; + license = [ licenses.bsd3 licenses.openssl ]; }; } diff --git a/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch b/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch deleted file mode 100644 index 6ef06d7e231b..000000000000 --- a/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch +++ /dev/null 
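Review bot: The switch to `installCheckTarget = "test"` deletes the comment that explained why the test app was only built and not run on non-Intel CPUs (intel-sgx-ssl issue 113); if that issue is fixed in the new tag, a one-line comment saying so would justify the change, and if it is not, `doInstallCheck` will now fail on non-Intel builders even in SIM mode. Either way `# Build the test app` no longer describes what the check does; `# Build and run the test app (SGX_MODE=SIM)` would. A word on why `openssl` is needed only for the check (presumably the test Makefile shells out to the `openssl` CLI, but the hunk does not show it) would help the next reader too.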
@@ -1,99 +0,0 @@ -From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001 -From: Vincent Haupert -Date: Sat, 8 Jan 2022 17:22:31 +0100 -Subject: [PATCH 1/3] Linux: fix Nix detection - -Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE` -environment variable instead of `NIX_PATH`. The latter is only set in a -`nix-shell` session but isn't when building a derivation through -`nix-build`. In contrast, the `NIX_STORE` environment variable is set in -both cases. - -Signed-off-by: Vincent Haupert ---- - Linux/sgx/buildenv.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk -index cd8818e..dac23c7 100644 ---- a/Linux/sgx/buildenv.mk -+++ b/Linux/sgx/buildenv.mk -@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB)) - UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h - ifneq ("$(wildcard $(UBUNTU_CONFNAME))","") - OS_ID=1 --else ifeq ($(origin NIX_PATH),environment) -+else ifeq ($(origin NIX_STORE),environment) - OS_ID=3 - else - OS_ID=2 - -From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001 -From: Vincent Haupert -Date: Sat, 8 Jan 2022 17:33:22 +0100 -Subject: [PATCH 2/3] Linux: call binaries relative to PATH - -Using an absolute path to call binaries is incompatible with -distributions which do not follow the Filesystem Hierachy Standard; -Nix is an example. Also, it is inconsistent with the rest of the code -base, let alone superfluous. 
- -Signed-off-by: Vincent Haupert ---- - Linux/build_openssl.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index 7d77b79..e8b59a1 100755 ---- a/Linux/build_openssl.sh -+++ b/Linux/build_openssl.sh -@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - echo $SGXSSL_ROOT - - OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp" --OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'` -+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'` - if [ "$OPENSSL_VERSION" == "" ] - then - echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory." - -From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001 -From: Vincent Haupert -Date: Tue, 11 Jan 2022 10:56:39 +0100 -Subject: [PATCH 3/3] Linux: properly extract GCC major version - -Calling `gcc -dumpversion` yields the full version string, e.g., -`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number -comparison operator to check if the returned version is at least -8. This results in an error if the returned GCC version includes a patch -version; "10.3.0" isn't a valid number. - -This commit fixes the version detection by only extracting the relevant -major version of GCC. 
- -Signed-off-by: Vincent Haupert ---- - Linux/build_openssl.sh | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index e8b59a1..6e4046f 100755 ---- a/Linux/build_openssl.sh -+++ b/Linux/build_openssl.sh -@@ -82,6 +82,7 @@ fi - MITIGATION_OPT="" - MITIGATION_FLAGS="" - CC_VERSION=`gcc -dumpversion` -+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.` - for arg in "$@" - do - case $arg in -@@ -99,7 +100,7 @@ do - ;; - -mfunction-return=thunk-extern) - MITIGATION_FLAGS+=" $arg" -- if [[ $CC_VERSION -ge 8 ]] ; then -+ if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then - MITIGATION_FLAGS+=" -fcf-protection=none" - fi - shift From d8958b1861c4b23df71330ad2f07f2506b533d97 Mon Sep 17 00:00:00 2001 From: Philip Hayes Date: Tue, 12 Sep 2023 16:06:54 -0700 Subject: [PATCH 4/6] sgx-azure-dcap-client: 1.11.2 -> 1.12.1 Release notes: --- .../linux/sgx/azure-dcap-client/default.nix | 16 +++------------- .../linux/sgx/azure-dcap-client/test-suite.nix | 11 ++++++++--- .../tests-missing-includes.patch | 12 ++++++++++++ 3 files changed, 23 insertions(+), 16 deletions(-) create mode 100644 pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix index eed99122cd64..cd3d2f94d6f3 100644 --- a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix +++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix @@ -1,6 +1,5 @@ { stdenv , fetchFromGitHub -, fetchurl , lib , curl , nlohmann_json @@ -9,7 +8,6 @@ , linkFarmFromDrvs , callPackage }: - let # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions filterSparse = list: '' 
@@ -18,19 +16,11 @@ let cp ${lib.concatStringsSep " " list} "$out/" ''; headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [ - (fetchFromGitHub rec { - name = "${repo}-headers"; - owner = "intel"; - repo = "SGXDataCenterAttestationPrimitives"; - rev = "0436284f12f1bd5da7e7a06f6274d36b4c8d39f9"; - sparseCheckout = [ "QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h" ]; - hash = "sha256-ipKpYHbiwjCUXF/pCArJZy5ko1YX2wqMMdSnMUzhkgY="; - postFetch = filterSparse sparseCheckout; - }) (fetchFromGitHub rec { name = "${repo}-headers"; owner = "intel"; repo = "linux-sgx"; + # See: for the revision `azure-dcap-client` uses. rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be"; hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs="; sparseCheckout = [ @@ -44,13 +34,13 @@ let in stdenv.mkDerivation rec { pname = "azure-dcap-client"; - version = "1.11.2"; + version = "1.12.1"; src = fetchFromGitHub { owner = "microsoft"; repo = pname; rev = version; - hash = "sha256-EYj3jnzTyJRl6N7avNf9VrB8r9U6zIE6wBNeVsMtWCA="; + hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU="; }; nativeBuildInputs = [ diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix index 71fdb2bab39c..1e4432ecc642 100644 --- a/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix +++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix @@ -3,12 +3,16 @@ , gtest , makeWrapper }: -sgx-azure-dcap-client.overrideAttrs (oldAttrs: { - nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ +sgx-azure-dcap-client.overrideAttrs (old: { + nativeBuildInputs = old.nativeBuildInputs ++ [ makeWrapper gtest ]; + patches = [ + ./tests-missing-includes.patch + ]; + buildFlags = [ "tests" ]; 
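Review bot: `patches = [ ./tests-missing-includes.patch ];` inside `overrideAttrs` replaces whatever `patches` the base `sgx-azure-dcap-client` derivation defines rather than extending them, so any fix applied there would silently disappear from the test build. If the base currently has no patches this is harmless, but `patches = (old.patches or [ ]) ++ [ ./tests-missing-includes.patch ];` is the same length and stays correct when one is added. The new patch file's added `#include` line has its header name stripped in this rendering, so which include it adds cannot be checked here.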
@@ -22,6 +26,7 @@ sgx-azure-dcap-client.overrideAttrs (oldAttrs: { ''; postFixup = '' - wrapProgram "$out/bin/tests" --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}" + wrapProgram "$out/bin/tests" \ + --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}" ''; }) diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch b/pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch new file mode 100644 index 000000000000..287fbd39af41 --- /dev/null +++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch @@ -0,0 +1,12 @@ +diff --git a/src/UnitTest/test_local_cache.cpp b/src/UnitTest/test_local_cache.cpp +index 5fbc31b..6b8d52e 100644 +--- a/src/UnitTest/test_local_cache.cpp ++++ b/src/UnitTest/test_local_cache.cpp +@@ -5,6 +5,7 @@ + #include + + #undef NDEBUG // ensure that asserts are never compiled out ++#include + #include + #include + #include From 8d2a5753fd6d60e53a4b9e65606e87763ceeb7c7 Mon Sep 17 00:00:00 2001 From: Philip Hayes Date: Wed, 1 Nov 2023 12:17:18 -0700 Subject: [PATCH 5/6] sgx-sdk/ipp-crypto: 2021.7 -> 2021.9.0 - Removes `sgx-sdk` dependency on EOL OpenSSL v1.1 - Updated ipp-crypto version is technically beyond the upstream `linux-sgx` repo's pinned version, but appears to work just as well. Diff: Changelog: --- pkgs/os-specific/linux/sgx/sdk/default.nix | 6 ++---- pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix | 10 ++++------ 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix index 7b78a8a9a4b3..2570406a7112 100644 --- a/pkgs/os-specific/linux/sgx/sdk/default.nix +++ b/pkgs/os-specific/linux/sgx/sdk/default.nix @@ -2,7 +2,6 @@ , stdenv , fetchFromGitHub , fetchpatch -, fetchzip , autoconf , automake , binutils 
@@ -13,10 +12,9 @@ , git , libtool , linkFarmFromDrvs -, nasm , ocaml , ocamlPackages -, openssl_1_1 +, openssl , perl , python3 , texinfo @@ -106,7 +104,7 @@ stdenv.mkDerivation rec { buildInputs = [ libtool - openssl_1_1 + openssl ]; BINUTILS_DIR = "${binutils}/bin"; diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix index 968a36455562..5a4c941a22b9 100644 --- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix +++ b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix @@ -2,19 +2,19 @@ , fetchFromGitHub , cmake , nasm -, openssl_1_1 +, openssl , python3 , extraCmakeFlags ? [ ] }: gcc11Stdenv.mkDerivation rec { pname = "ipp-crypto"; - version = "2021.7"; + version = "2021.9.0"; src = fetchFromGitHub { owner = "intel"; repo = "ipp-crypto"; rev = "ippcp_${version}"; - hash = "sha256-3W0LlJgmrp2Rk7xQ+0GQfkF2UpH4htx9R7IL86smtnY="; + hash = "sha256-+ITnxyrkDQp4xRa+PVzXdYsSkI5sMNwQGfGU+lFJ6co="; }; cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags; @@ -22,9 +22,7 @@ gcc11Stdenv.mkDerivation rec { nativeBuildInputs = [ cmake nasm - # TODO(phlip9): The most recent `ipp-crypto` version (2021.9) now uses - # OpenSSL v3 so we can avoid this EOL version when sgx-sdk updates. - openssl_1_1 + openssl python3 ]; } From 84ba69f030f4a7cccefa50cdedcccebd91a1f703 Mon Sep 17 00:00:00 2001 From: Philip Hayes Date: Thu, 21 Dec 2023 13:25:21 +0100 Subject: [PATCH 6/6] sgx-psw: more robust stripping w/o touching enclaves --- pkgs/os-specific/linux/sgx/psw/default.nix | 44 +++++++++++----------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix index 9b5c8087b232..22e52b6ec9fd 100644 --- a/pkgs/os-specific/linux/sgx/psw/default.nix +++ b/pkgs/os-specific/linux/sgx/psw/default.nix 
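Review bot: With ipp-crypto at 2021.9.0 the sdk still applies `inc/ippcp21u7.patch` (introduced in patch 1) to `${ipp-crypto-no_mitigation}/include/ippcp.h`, i.e. a header patch written against 2021.7 is now applied to 2021.9 headers; the commit message acknowledges going beyond the upstream pin, but the file does not. A comment next to the `patch ... -i inc/ippcp21u7.patch` line recording that the 2021.7 patch was verified to apply to the 2021.9 header, and which `linux-sgx` release pins 2021.9 so the drift can be closed, would make this visible, and if the sdk tree gains an `ippcp21u9.patch` it should be used instead. Dropping `nasm` and `fetchzip` from the sdk inputs is fine only if no remaining line references them, which these hunks do not show.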
@@ -118,8 +118,18 @@ stdenv.mkDerivation rec { rm $sgxPswDir/{cleanup.sh,startup.sh} rm -r $sgxPswDir/scripts + # Move aesmd binaries/libraries/enclaves mv $sgxPswDir/aesm/ $out/ + # We absolutely MUST avoid stripping or patching these ".signed.so" SGX + # enclaves. Stripping would change each enclave measurement (hash of the + # binary). + # + # We're going to temporarily move these enclave libs to another directory + # until after stripping/patching in the fixupPhase. + mkdir $TMPDIR/enclaves + mv $out/aesm/*.signed.so* $TMPDIR/enclaves + mkdir $out/bin makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \ --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \ 
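Review bot: The `mv $out/aesm/*.signed.so* $TMPDIR/enclaves` round-trip protects the enclave measurements, but nothing verifies that the files come back unchanged: if `postFixup` is skipped (`dontFixup`) or fails partway, `$out/aesm` silently ships without its enclaves, and a future hook that still touches `$out/aesm` would go unnoticed. Recording the digests before the move and checking them after the return turns the invariant into a build failure: `sha256sum $out/aesm/*.signed.so* > $TMPDIR/enclaves.sha256` here, and `sha256sum -c $TMPDIR/enclaves.sha256` right after the `mv` back in postFixup. If the stdenv in use supports `stripExclude`, excluding `*.signed.so*` there would avoid the move entirely, but the digest check is worth keeping either way since patchelf also rewrites ELF files during fixup.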
@@ -130,34 +140,22 @@ stdenv.mkDerivation rec { ''; stripDebugList = [ - # Only strip the host libraries. If we don't strip, we accidentally pull in - # `gcc`... - # - # We need to avoid stripping the enclave ".signed.so" files, since that - # would modify the enclave measurement (hash). - # - # TODO(phlip9): put the enclave libraries in a separate directory or tell - # strip to ignore all "*.signed.so". - "aesm/aesm_service" - "aesm/libCppMicroServices.so.4.0.0" - "aesm/libdcap_quoteprov.so" - "aesm/libipc.so" - "aesm/liboal.so" - "aesm/libsgx_default_qcnl_wrapper.so" - "aesm/libsgx_pce_logic.so.1" - "aesm/libsgx_qe3_logic.so.1" - "aesm/liburts_internal.so" - "aesm/libutils.so" - - "aesm/bundles" "lib" "bin" + # Also strip binaries/libs in the `aesm` directory + "aesm" ]; - # Most—if not all—of those fixups are not relevant for NixOS as we have our own - # NixOS module which is based on those files without relying on them. Still, it - # is helpful to have properly patched versions for non-NixOS distributions. postFixup = '' + # Move the SGX enclaves back after everything else has been stripped. + mv $TMPDIR/enclaves/*.signed.so* $out/aesm/ + rmdir $TMPDIR/enclaves + + # Fixup the aesmd systemd service + # + # Most—if not all—of those fixups are not relevant for NixOS as we have our own + # NixOS module which is based on those files without relying on them. Still, it + # is helpful to have properly patched versions for non-NixOS distributions. echo "Fixing aesmd.service" substituteInPlace $out/lib/systemd/system/aesmd.service \ --replace '@aesm_folder@' \