cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

Merge pull request #254845 from phlip9/update-sgx-2.21

Browse source 
sgx-sdk: 2.16 -> 2.21
This commit is contained in:
Ryan Lahfa 2024-01-12 20:06:07 +01:00 committed by GitHub
commit e947a837d7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 141 additions and 186 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
View file

@ -1,6 +1,5 @@
{ stdenv { stdenv
, fetchFromGitHub , fetchFromGitHub
, fetchurl
, lib , lib
, curl , curl
, nlohmann_json , nlohmann_json
@ -9,7 +8,6 @@
, linkFarmFromDrvs , linkFarmFromDrvs
, callPackage , callPackage
}: }:
let let
# Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions
filterSparse = list: '' filterSparse = list: ''
@ -18,19 +16,11 @@ let
cp ${lib.concatStringsSep " " list} "$out/" cp ${lib.concatStringsSep " " list} "$out/"
''; '';
headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [ headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
(fetchFromGitHub rec {
name = "${repo}-headers";
owner = "intel";
repo = "SGXDataCenterAttestationPrimitives";
rev = "0436284f12f1bd5da7e7a06f6274d36b4c8d39f9";
sparseCheckout = [ "QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h" ];
hash = "sha256-ipKpYHbiwjCUXF/pCArJZy5ko1YX2wqMMdSnMUzhkgY=";
postFetch = filterSparse sparseCheckout;
})
(fetchFromGitHub rec { (fetchFromGitHub rec {
name = "${repo}-headers"; name = "${repo}-headers";
owner = "intel"; owner = "intel";
repo = "linux-sgx"; repo = "linux-sgx";
# See: <src/Linux/configure> for the revision `azure-dcap-client` uses.
rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be"; rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";
hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs="; hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";
sparseCheckout = [ sparseCheckout = [
@ -44,13 +34,13 @@ let
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "azure-dcap-client"; pname = "azure-dcap-client";
version = "1.11.2"; version = "1.12.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "microsoft"; owner = "microsoft";
repo = pname; repo = pname;
rev = version; rev = version;
hash = "sha256-EYj3jnzTyJRl6N7avNf9VrB8r9U6zIE6wBNeVsMtWCA="; hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU=";
}; };
nativeBuildInputs = [ nativeBuildInputs = [

11
pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix
View file

@ -3,12 +3,16 @@
, gtest , gtest
, makeWrapper , makeWrapper
}: }:
sgx-azure-dcap-client.overrideAttrs (oldAttrs: { sgx-azure-dcap-client.overrideAttrs (old: {
nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ nativeBuildInputs = old.nativeBuildInputs ++ [
makeWrapper makeWrapper
gtest gtest
]; ];
patches = [
./tests-missing-includes.patch
];
buildFlags = [ buildFlags = [
"tests" "tests"
]; ];
@ -22,6 +26,7 @@ sgx-azure-dcap-client.overrideAttrs (oldAttrs: {
''; '';
postFixup = '' postFixup = ''
wrapProgram "$out/bin/tests" --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}" wrapProgram "$out/bin/tests" \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"
''; '';
}) })

12
pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch Normal file
View file

@ -0,0 +1,12 @@
diff --git a/src/UnitTest/test_local_cache.cpp b/src/UnitTest/test_local_cache.cpp
index 5fbc31b..6b8d52e 100644
--- a/src/UnitTest/test_local_cache.cpp
+++ b/src/UnitTest/test_local_cache.cpp
@@ -5,6 +5,7 @@
#include <gtest/gtest.h>
#undef NDEBUG // ensure that asserts are never compiled out
+#include <array>
#include <cassert>
#include <cstdio>
#include <cstring>

48
pkgs/os-specific/linux/sgx/psw/default.nix
View file

@ -5,15 +5,11 @@
, coreutils , coreutils
, curl , curl
, file , file
, glibc
, makeWrapper , makeWrapper
, nixosTests , nixosTests
, protobuf , protobuf
, python3 , python3
, sgx-sdk , sgx-sdk
, shadow
, systemd
, util-linux
, which , which
, debug ? false , debug ? false
}: }:
@ -23,16 +19,21 @@ stdenv.mkDerivation rec {
postUnpack = postUnpack =
let let
# Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
# run user application enclaves, verify launch policies, produce remote
# attestation quotes, and do platform certification.
ae.prebuilt = fetchurl { ae.prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz"; url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s="; hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
}; };
# Also include the Data Center Attestation Primitives (DCAP) platform
# enclaves.
dcap = rec { dcap = rec {
version = "1.13"; version = "1.18";
filename = "prebuilt_dcap_${version}.tar.gz"; filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl { prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}"; url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik="; hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
}; };
}; };
in in
@ -75,9 +76,6 @@ stdenv.mkDerivation rec {
dontUseCmakeConfigure = true; dontUseCmakeConfigure = true;
# Randomly fails if enabled
enableParallelBuilding = false;
buildFlags = [ buildFlags = [
"psw_install_pkg" "psw_install_pkg"
] ++ lib.optionals debug [ ] ++ lib.optionals debug [
@ -120,8 +118,18 @@ stdenv.mkDerivation rec {
rm $sgxPswDir/{cleanup.sh,startup.sh} rm $sgxPswDir/{cleanup.sh,startup.sh}
rm -r $sgxPswDir/scripts rm -r $sgxPswDir/scripts
# Move aesmd binaries/libraries/enclaves
mv $sgxPswDir/aesm/ $out/ mv $sgxPswDir/aesm/ $out/
# We absolutely MUST avoid stripping or patching these ".signed.so" SGX
# enclaves. Stripping would change each enclave measurement (hash of the
# binary).
#
# We're going to temporarily move these enclave libs to another directory
# until after stripping/patching in the fixupPhase.
mkdir $TMPDIR/enclaves
mv $out/aesm/*.signed.so* $TMPDIR/enclaves
mkdir $out/bin mkdir $out/bin
makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \ makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
--suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \ --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
@ -131,10 +139,23 @@ stdenv.mkDerivation rec {
rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1) rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
''; '';
stripDebugList = [
"lib"
"bin"
# Also strip binaries/libs in the `aesm` directory
"aesm"
];
postFixup = ''
# Move the SGX enclaves back after everything else has been stripped.
mv $TMPDIR/enclaves/*.signed.so* $out/aesm/
rmdir $TMPDIR/enclaves
# Fixup the aesmd systemd service
#
# Most—if not all—of those fixups are not relevant for NixOS as we have our own # Most—if not all—of those fixups are not relevant for NixOS as we have our own
# NixOS module which is based on those files without relying on them. Still, it # NixOS module which is based on those files without relying on them. Still, it
# is helpful to have properly patched versions for non-NixOS distributions. # is helpful to have properly patched versions for non-NixOS distributions.
postFixup = ''
echo "Fixing aesmd.service" echo "Fixing aesmd.service"
substituteInPlace $out/lib/systemd/system/aesmd.service \ substituteInPlace $out/lib/systemd/system/aesmd.service \
--replace '@aesm_folder@' \ --replace '@aesm_folder@' \
@ -151,11 +172,6 @@ stdenv.mkDerivation rec {
"${coreutils}/bin/chmod" \ "${coreutils}/bin/chmod" \
--replace "/bin/kill" \ --replace "/bin/kill" \
"${coreutils}/bin/kill" "${coreutils}/bin/kill"
echo "Fixing remount-dev-exec.service"
substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
--replace '/bin/mount' \
"${util-linux}/bin/mount"
''; '';
passthru.tests = { passthru.tests = {

39
pkgs/os-specific/linux/sgx/samples/default.nix
View file

@ -1,6 +1,7 @@
{ stdenv { stdenv
, lib , lib
, makeWrapper , makeWrapper
, openssl
, sgx-sdk , sgx-sdk
, sgx-psw , sgx-psw
, which , which
@ -18,6 +19,7 @@ let
nativeBuildInputs = [ nativeBuildInputs = [
makeWrapper makeWrapper
openssl
which which
]; ];
@ -66,7 +68,9 @@ let
in in
{ {
cxx11SGXDemo = buildSample "Cxx11SGXDemo"; cxx11SGXDemo = buildSample "Cxx11SGXDemo";
localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: { cxx14SGXDemo = buildSample "Cxx14SGXDemo";
cxx17SGXDemo = buildSample "Cxx17SGXDemo";
localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: {
installPhase = '' installPhase = ''
runHook preInstall runHook preInstall
@ -86,7 +90,7 @@ in
}); });
powerTransition = buildSample "PowerTransition"; powerTransition = buildSample "PowerTransition";
protobufSGXDemo = buildSample "ProtobufSGXDemo"; protobufSGXDemo = buildSample "ProtobufSGXDemo";
remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: { remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: {
# Makefile sets rpath to point to $TMPDIR # Makefile sets rpath to point to $TMPDIR
preFixup = '' preFixup = ''
patchelf --remove-rpath $out/bin/app patchelf --remove-rpath $out/bin/app
@ -97,13 +101,40 @@ in
''; '';
}); });
sampleEnclave = buildSample "SampleEnclave"; sampleEnclave = buildSample "SampleEnclave";
sampleEnclavePCL = buildSample "SampleEnclavePCL";
sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP"; sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: { sampleMbedCrypto = buildSample "SampleMbedCrypto";
sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: {
prePatch = '' prePatch = ''
substituteInPlace App/App.cpp \ substituteInPlace App/App.cpp \
--replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"' --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
''; '';
}); });
switchless = buildSample "Switchless"; switchless = buildSample "Switchless";
# # Requires SGX-patched openssl (sgxssl) build
# sampleAttestedTLS = buildSample "SampleAttestedTLS";
} // lib.optionalAttrs (!isSimulation) {
# # Requires kernel >= v6.2 && HW SGX
# sampleAEXNotify = buildSample "SampleAEXNotify";
# Requires HW SGX
sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: {
nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs;
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
mv sample app
install -m 755 app $out/bin
wrapProgram "$out/bin/app" \
--chdir "$out/lib" \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [sgx-psw]}"
runHook postInstall
'';
});
# # SEGFAULTs in simulation mode?
# sampleEnclavePCL = buildSample "SampleEnclavePCL";
} }

46
pkgs/os-specific/linux/sgx/sdk/default.nix
View file

@ -2,7 +2,6 @@
, stdenv , stdenv
, fetchFromGitHub , fetchFromGitHub
, fetchpatch , fetchpatch
, fetchzip
, autoconf , autoconf
, automake , automake
, binutils , binutils
@ -13,10 +12,9 @@
, git , git
, libtool , libtool
, linkFarmFromDrvs , linkFarmFromDrvs
, nasm
, ocaml , ocaml
, ocamlPackages , ocamlPackages
, openssl_1_1 , openssl
, perl , perl
, python3 , python3
, texinfo , texinfo
@ -29,15 +27,15 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "sgx-sdk"; pname = "sgx-sdk";
# Version as given in se_version.h # Version as given in se_version.h
version = "2.16.100.4"; version = "2.21.100.1";
# Version as used in the Git tag # Version as used in the Git tag
versionTag = "2.16"; versionTag = "2.21";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "linux-sgx"; repo = "linux-sgx";
rev = "sgx_${versionTag}"; rev = "sgx_${versionTag}";
hash = "sha256-qgXuJJWiqmcU11umCsE3DnlK4VryuTDAsNf53YPw6UY="; hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY=";
fetchSubmodules = true; fetchSubmodules = true;
}; };
@ -55,10 +53,32 @@ stdenv.mkDerivation rec {
}) })
]; ];
# There's a `make preparation` step that downloads some prebuilt binaries and
# applies some patches to the in-repo git submodules. We can't just run it,
# since it downloads things, so this step just extracts the patching steps.
postPatch = '' postPatch = ''
patchShebangs linux/installer/bin/build-installpkg.sh \ patchShebangs linux/installer/bin/build-installpkg.sh \
linux/installer/common/sdk/createTarball.sh \ linux/installer/common/sdk/createTarball.sh \
linux/installer/common/sdk/install.sh linux/installer/common/sdk/install.sh \
external/sgx-emm/create_symlink.sh
echo "Running 'make preparation' but without download steps"
# Seems to download something. Build currently uses ipp-crypto and not
# sgxssl so probably not an issue.
# $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
pushd external/openmp/openmp_code
git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \
|| git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
popd
pushd external/protobuf/protobuf_code
git apply ../sgx_protobuf.patch >/dev/null 2>&1 \
|| git apply ../sgx_protobuf.patch --check -R
popd
./external/sgx-emm/create_symlink.sh
''; '';
# We need `cmake` as a build input but don't use it to kick off the build phase # We need `cmake` as a build input but don't use it to kick off the build phase
@ -84,7 +104,7 @@ stdenv.mkDerivation rec {
buildInputs = [ buildInputs = [
libtool libtool
openssl_1_1 openssl
]; ];
BINUTILS_DIR = "${binutils}/bin"; BINUTILS_DIR = "${binutils}/bin";
@ -123,7 +143,7 @@ stdenv.mkDerivation rec {
lib/linux/intel64/cve_2020_0551_cf/libippcp.a lib/linux/intel64/cve_2020_0551_cf/libippcp.a
rm inc/ippcp.h rm inc/ippcp.h
patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
@ -136,8 +156,6 @@ stdenv.mkDerivation rec {
"DEBUG=1" "DEBUG=1"
]; ];
enableParallelBuilding = true;
postBuild = '' postBuild = ''
patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
''; '';
@ -166,6 +184,11 @@ stdenv.mkDerivation rec {
mv $installDir/lib64 lib mv $installDir/lib64 lib
ln -s lib/ lib64 ln -s lib/ lib64
# Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
for file in lib/libsgx_urts.so.*; do
ln -srf lib/libsgx_urts.so $file
done
mv $installDir/include/ . mv $installDir/include/ .
mkdir -p share/ mkdir -p share/
@ -204,7 +227,6 @@ stdenv.mkDerivation rec {
runHook postInstall runHook postInstall
''; '';
preFixup = '' preFixup = ''
echo "Strip sgxsdk prefix" echo "Strip sgxsdk prefix"
for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do

18
pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
View file

@ -1,36 +1,28 @@
{ lib { gcc11Stdenv
, gcc11Stdenv
, fetchFromGitHub , fetchFromGitHub
, cmake , cmake
, nasm , nasm
, openssl_1_1 , openssl
, python3 , python3
, extraCmakeFlags ? [ ] , extraCmakeFlags ? [ ]
}: }:
gcc11Stdenv.mkDerivation rec { gcc11Stdenv.mkDerivation rec {
pname = "ipp-crypto"; pname = "ipp-crypto";
version = "2021.3"; version = "2021.9.0";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "ipp-crypto"; repo = "ipp-crypto";
rev = "ippcp_${version}"; rev = "ippcp_${version}";
hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM="; hash = "sha256-+ITnxyrkDQp4xRa+PVzXdYsSkI5sMNwQGfGU+lFJ6co=";
}; };
# Fix typo: https://github.com/intel/ipp-crypto/pull/33
postPatch = ''
substituteInPlace sources/cmake/ippcp-gen-config.cmake \
--replace 'ippcpo-config.cmake' 'ippcp-config.cmake'
'';
cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags; cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
nativeBuildInputs = [ nativeBuildInputs = [
cmake cmake
nasm nasm
openssl_1_1 openssl
python3 python3
]; ];
} }

34
pkgs/os-specific/linux/sgx/ssl/default.nix
View file

@ -1,8 +1,8 @@
{ stdenv { stdenv
, fetchFromGitHub , fetchFromGitHub
, fetchpatch
, fetchurl , fetchurl
, lib , lib
, openssl
, perl , perl
, sgx-sdk , sgx-sdk
, which , which
@ -10,9 +10,9 @@
}: }:
let let
sgxVersion = sgx-sdk.versionTag; sgxVersion = sgx-sdk.versionTag;
opensslVersion = "1.1.1l"; opensslVersion = "1.1.1u";
in in
stdenv.mkDerivation rec { stdenv.mkDerivation {
pname = "sgx-ssl" + lib.optionalString debug "-debug"; pname = "sgx-ssl" + lib.optionalString debug "-debug";
version = "${sgxVersion}_${opensslVersion}"; version = "${sgxVersion}_${opensslVersion}";
@ -20,25 +20,20 @@ stdenv.mkDerivation rec {
owner = "intel"; owner = "intel";
repo = "intel-sgx-ssl"; repo = "intel-sgx-ssl";
rev = "lin_${sgxVersion}_${opensslVersion}"; rev = "lin_${sgxVersion}_${opensslVersion}";
hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8="; hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
}; };
postUnpack = postUnpack =
let let
opensslSourceArchive = fetchurl { opensslSourceArchive = fetchurl {
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E="; hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
}; };
in in
'' ''
ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
''; '';
patches = [
# https://github.com/intel/intel-sgx-ssl/pull/111
./intel-sgx-ssl-pr-111.patch
];
postPatch = '' postPatch = ''
patchShebangs Linux/build_openssl.sh patchShebangs Linux/build_openssl.sh
@ -48,8 +43,6 @@ stdenv.mkDerivation rec {
'bash -c "true"' 'bash -c "true"'
''; '';
enableParallelBuilding = true;
nativeBuildInputs = [ nativeBuildInputs = [
perl perl
sgx-sdk sgx-sdk
@ -68,28 +61,21 @@ stdenv.mkDerivation rec {
]; ];
# Build the test app # Build the test app
#
# Running the test app is currently only supported on Intel CPUs
# and will fail on non-Intel CPUs even in SGX simulation mode.
# Therefore, we only build the test app without running it until
# upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
doInstallCheck = true; doInstallCheck = true;
installCheckTarget = "all"; installCheckTarget = "test";
installCheckFlags = [ installCheckFlags = [
"SGX_MODE=SIM" "SGX_MODE=SIM"
"-C sgx/test_app"
"-j 1" # Makefile doesn't support multiple jobs "-j 1" # Makefile doesn't support multiple jobs
]; ];
preInstallCheck = '' nativeInstallCheckInputs = [
# Expects the enclave file in the current working dir openssl
ln -s sgx/test_app/TestEnclave.signed.so . ];
'';
meta = with lib; { meta = with lib; {
description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL"; description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
homepage = "https://github.com/intel/intel-sgx-ssl"; homepage = "https://github.com/intel/intel-sgx-ssl";
maintainers = with maintainers; [ trundle veehaitch ]; maintainers = with maintainers; [ trundle veehaitch ];
platforms = [ "x86_64-linux" ]; platforms = [ "x86_64-linux" ];
license = with licenses; [ bsd3 openssl ]; license = [ licenses.bsd3 licenses.openssl ];
}; };
} }

99
pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
View file

@ -1,99 +0,0 @@
From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Sat, 8 Jan 2022 17:22:31 +0100
Subject: [PATCH 1/3] Linux: fix Nix detection
Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
environment variable instead of `NIX_PATH`. The latter is only set in a
`nix-shell` session but isn't when building a derivation through
`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
both cases.
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
---
Linux/sgx/buildenv.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
index cd8818e..dac23c7 100644
--- a/Linux/sgx/buildenv.mk
+++ b/Linux/sgx/buildenv.mk
@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
OS_ID=1
-else ifeq ($(origin NIX_PATH),environment)
+else ifeq ($(origin NIX_STORE),environment)
OS_ID=3
else
OS_ID=2
From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Sat, 8 Jan 2022 17:33:22 +0100
Subject: [PATCH 2/3] Linux: call binaries relative to PATH
Using an absolute path to call binaries is incompatible with
distributions which do not follow the Filesystem Hierachy Standard;
Nix is an example. Also, it is inconsistent with the rest of the code
base, let alone superfluous.
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
---
Linux/build_openssl.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index 7d77b79..e8b59a1 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
echo $SGXSSL_ROOT
OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
if [ "$OPENSSL_VERSION" == "" ]
then
echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Tue, 11 Jan 2022 10:56:39 +0100
Subject: [PATCH 3/3] Linux: properly extract GCC major version
Calling `gcc -dumpversion` yields the full version string, e.g.,
`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
comparison operator to check if the returned version is at least
8. This results in an error if the returned GCC version includes a patch
version; "10.3.0" isn't a valid number.
This commit fixes the version detection by only extracting the relevant
major version of GCC.
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
---
Linux/build_openssl.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index e8b59a1..6e4046f 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -82,6 +82,7 @@ fi
MITIGATION_OPT=""
MITIGATION_FLAGS=""
CC_VERSION=`gcc -dumpversion`
+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
for arg in "$@"
do
case $arg in
@@ -99,7 +100,7 @@ do
;;
-mfunction-return=thunk-extern)
MITIGATION_FLAGS+=" $arg"
- if [[ $CC_VERSION -ge 8 ]] ; then
+ if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
MITIGATION_FLAGS+=" -fcf-protection=none"
fi
shift