push sheeet

This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions


@@ -0,0 +1,26 @@
diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
index aee499e9..13fa89d4 100644
--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
const_cast<mz_zip_archive*>(&m_ZipArchive), index)
? true
: false;
- stat.modifiedTime = zipStat.m_time;
+ stat.modifiedTime = 0;
stat.crc32 = zipStat.m_crc32;
// This will limit the size info from uint64 to uint32 on 32-bit
// architectures. We don't care because we assume resources > 2GB
diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
index 6b0ebd7a..fa2aebca 100644
--- a/external/CppMicroServices/third_party/miniz.c
+++ b/external/CppMicroServices/third_party/miniz.c
@@ -170,7 +170,7 @@
// If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
// get/set file times, and the C run-time funcs that get/set times won't be called.
// The current downside is the times written to your archives will be from 1979.
-//#define MINIZ_NO_TIME
+#define MINIZ_NO_TIME
// Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
//#define MINIZ_NO_ARCHIVE_APIS
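Review bot: The replacement line `stat.modifiedTime = 0;` in the BundleResourceContainer.cpp hunk carries no explanation inside the patch itself, and its motivation only becomes clear from the second hunk, which defines `MINIZ_NO_TIME` and (per the miniz comment right above it) removes file-time support from the archive functions. A one-line comment on the patched line would save the next reader the cross-reference, e.g. `// MINIZ_NO_TIME is defined in third_party/miniz.c, so entry mtimes are not available; pin to 0 so the embedded zip is reproducible`. This same 26-line patch appears verbatim a second time in this commit (the later section with the identical `@@ -0,0 +1,26 @@` header, following the samples default.nix), and both the sgx-psw and sgx-sdk derivations reference `./cppmicroservices-no-mtime.patch`; keeping a single copy referenced from both would prevent the two from drifting apart. GetStat begins and ends outside the hunk.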


@@ -0,0 +1,275 @@
{
stdenv,
lib,
fetchurl,
fetchFromGitHub,
cmake,
coreutils,
curl,
file,
git,
makeWrapper,
nixosTests,
protobuf,
python3,
ocaml,
ocamlPackages,
which,
debug ? false,
}:
stdenv.mkDerivation rec {
pname = "sgx-psw";
# Version as given in se_version.h
version = "2.25.100.3";
# Version as used in the Git tag
versionTag = "2.25";
src = fetchFromGitHub {
owner = "intel";
repo = "linux-sgx";
rev = "sgx_${versionTag}";
hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw=";
fetchSubmodules = true;
};
# Extract Intel-provided, pre-built enclaves and libs.
postUnpack =
let
# Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
# run user application enclaves, verify launch policies, produce remote
# attestation quotes, and do platform certification.
ae.prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
hash = "sha256-Hlh96rYOyml2y50d8ASKz6U97Fl0hbGYECeZiG9nMSQ=";
};
# Pre-built ipp-crypto with mitigations.
optlib.prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/optimized_libs_${versionTag}.tar.gz";
hash = "sha256-7mDTaLtpOQLHQ6Fv+FWJ2k/veJZPXIcuj7kOdRtRqhg=";
};
# Fetch the Data Center Attestation Primitives (DCAP) platform enclaves
# and pre-built sgxssl.
dcap = rec {
version = "1.22";
filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ=";
};
};
in
''
# Make sure this is the right version of linux-sgx
grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
|| (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
tar -xzvf ${ae.prebuilt} -C $sourceRoot/
tar -xzvf ${optlib.prebuilt} -C $sourceRoot/
# Make sure we use the correct version of prebuilt DCAP
grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
|| (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source ./prebuilt/
tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration ./psw/
'';
patches = [
# There's a `make preparation` step that downloads some prebuilt binaries
# and applies some patches to the in-repo git submodules. This patch removes
# the parts that download things, since we can't do that inside the sandbox.
./disable-downloads.patch
# This patch disables mtime in bundled zip file for reproducible builds.
#
# Context: The `aesm_service` binary depends on a vendored library called
# `CppMicroServices`. At build time, this lib creates and then bundles
# service resources into a zip file and then embeds this zip into the
# binary. Without changes, the `aesm_service` will be different after every
# build because the embedded zip file contents have different modified times.
./cppmicroservices-no-mtime.patch
];
postPatch =
let
# The base directories we want to copy headers from. The exact headers are
# parsed from <linux/installer/common/sdk/BOMs/sdk_base.txt>
bomDirsToCopyFrom = builtins.concatStringsSep "|" [
"common/"
"external/dcap_source/"
"external/ippcp_internal/"
"external/sgx-emm/"
"psw/"
"sdk/tlibcxx/"
];
in
''
patchShebangs \
external/sgx-emm/create_symlink.sh \
linux/installer/bin/build-installpkg.sh \
linux/installer/common/psw/createTarball.sh \
linux/installer/common/psw/install.sh
# Run sgx-sdk preparation step
make preparation
# Build a fake SGX_SDK directory. Normally sgx-psw depends on first building
# all of sgx-sdk, however we can actually build them independently by just
# copying a few header files and building `sgx_edger8r` separately.
mkdir .sgxsdk
export SGX_SDK="$(readlink -f .sgxsdk)"
# Parse the BOM for the headers we need, then copy them into SGX_SDK
# Each line in the BOM.txt looks like:
# <deliverydir>/...\t<installdir>/package/...\t....
# TODO(phlip9): hardlink?
sed -n -r 's:^<deliverydir>/(${bomDirsToCopyFrom})(\S+)\s<installdir>/package/(\S+)\s.*$:\1\2\n.sgxsdk/\3:p' \
< linux/installer/common/sdk/BOMs/sdk_base.txt \
| xargs --max-args=2 install -v -D
'';
nativeBuildInputs = [
cmake
file
git
makeWrapper
ocaml
ocamlPackages.ocamlbuild
python3
which
];
buildInputs = [
curl
protobuf
];
dontUseCmakeConfigure = true;
preBuild = ''
# Build `sgx_edger8r`, the enclave .edl -> .h file codegen tool.
# Then place it in `$SGX_SDK/bin` and `$SGX_SDK/bin/x64`.
make -C sdk/edger8r/linux
mkdir -p $SGX_SDK/bin/x64
sgx_edger8r_bin="$(readlink -f build/linux/sgx_edger8r)"
ln -s $sgx_edger8r_bin $SGX_SDK/bin/
ln -s $sgx_edger8r_bin $SGX_SDK/bin/x64/
# Add this so we can link against libsgx_urts.
build_dir="$(readlink -f build/linux)"
ln -s $build_dir $SGX_SDK/lib
ln -s $build_dir $SGX_SDK/lib64
'';
buildFlags = [ "psw_install_pkg" ] ++ lib.optionals debug [ "DEBUG=1" ];
installFlags = [
"-C linux/installer/common/psw/output"
"DESTDIR=$(TMPDIR)/install"
];
postInstall = ''
installDir=$TMPDIR/install
sgxPswDir=$installDir/opt/intel/sgxpsw
mv $installDir/usr/lib64/ $out/lib/
ln -sr $out/lib $out/lib64
# Install udev rules to lib/udev/rules.d
mv $sgxPswDir/udev/ $out/lib/
# Install example AESM config
mkdir $out/etc/
mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
rmdir $sgxPswDir/aesm/conf/
# Delete init service
rm $sgxPswDir/aesm/aesmd.conf
# Move systemd services
mkdir -p $out/lib/systemd/system/
mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
# Move misc files
mkdir $out/share/
mv $sgxPswDir/licenses $out/share/
# Remove unnecessary files
rm $sgxPswDir/{cleanup.sh,startup.sh}
rm -r $sgxPswDir/scripts
# Move aesmd binaries/libraries/enclaves
mv $sgxPswDir/aesm/ $out/
# We absolutely MUST avoid stripping or patching these ".signed.so" SGX
# enclaves. Stripping would change each enclave measurement (hash of the
# binary).
#
# We're going to temporarily move these enclave libs to another directory
# until after stripping/patching in the fixupPhase.
mkdir $TMPDIR/enclaves
mv $out/aesm/*.signed.so* $TMPDIR/enclaves
mkdir $out/bin
makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
--suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
--chdir "$out/aesm"
# Make sure we didn't forget to handle any files
rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
'';
stripDebugList = [
"lib"
"bin"
# Also strip binaries/libs in the `aesm` directory
"aesm"
];
postFixup = ''
# Move the SGX enclaves back after everything else has been stripped.
mv $TMPDIR/enclaves/*.signed.so* $out/aesm/
rmdir $TMPDIR/enclaves
# Fixup the aesmd systemd service
#
# Mostif not allof those fixups are not relevant for NixOS as we have our own
# NixOS module which is based on those files without relying on them. Still, it
# is helpful to have properly patched versions for non-NixOS distributions.
echo "Fixing aesmd.service"
substituteInPlace $out/lib/systemd/system/aesmd.service \
--replace-fail '@aesm_folder@' \
"$out/aesm" \
--replace-fail 'Type=forking' \
'Type=simple' \
--replace-fail "ExecStart=$out/aesm/aesm_service" \
"ExecStart=$out/bin/aesm_service --no-daemon"\
--replace-fail "/bin/mkdir" \
"${coreutils}/bin/mkdir" \
--replace-fail "/bin/chown" \
"${coreutils}/bin/chown" \
--replace-fail "/bin/chmod" \
"${coreutils}/bin/chmod" \
--replace-fail "/bin/kill" \
"${coreutils}/bin/kill"
'';
passthru.tests = {
service = nixosTests.aesmd;
};
meta = {
description = "Intel SGX Architectural Enclave Service Manager";
homepage = "https://github.com/intel/linux-sgx";
maintainers = with lib.maintainers; [
phlip9
veehaitch
citadelcore
];
platforms = [ "x86_64-linux" ];
license = [ lib.licenses.bsd3 ];
};
}
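Review bot: The DCAP tarball URL inside `postUnpack`, `url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";`, ends in the literal text `$(unknown)` instead of interpolating the `filename` attribute defined two lines above it, so as shown here fetchurl would request a path that does not exist and the pinned `hash` could never be satisfied; it should read `url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";`. If `$(unknown)` is an artefact of how this page was rendered rather than the committed text, disregard this point. The rest of the prebuilt handling looks sound: all three Intel tarballs are pinned by sha256, the source version and the expected DCAP filename are checked against the tree before extraction, and the `*.signed.so*` enclaves are parked outside `$out` until after stripping so their measurements are not altered.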


@@ -0,0 +1,32 @@
diff --git a/Makefile b/Makefile
index 19bc05a..6b1acd4 100644
--- a/Makefile
+++ b/Makefile
@@ -50,13 +50,13 @@ tips:
preparation:
# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
# Only enable the download from git
- git submodule update --init --recursive
+ # git submodule update --init --recursive
cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \
git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check
- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
- cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
+ cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
./external/sgx-emm/create_symlink.sh
cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
cd external/cbor && cp -r libcbor sgx_libcbor
@@ -64,8 +64,8 @@ preparation:
cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R
cd external/ippcp_internal/ipp-crypto && mkdir -p build
- ./download_prebuilt.sh
- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ # ./download_prebuilt.sh
+ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
psw:
$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)


@@ -0,0 +1,146 @@
{
stdenv,
lib,
makeWrapper,
openssl,
sgx-sdk,
sgx-psw,
which,
# "SIM" or "HW"
sgxMode,
}:
let
isSimulation = sgxMode == "SIM";
buildSample =
name:
stdenv.mkDerivation {
pname = name;
version = sgxMode;
src = sgx-sdk.out;
sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
nativeBuildInputs = [
makeWrapper
openssl
which
];
buildInputs = [
sgx-sdk
];
# The samples don't have proper support for parallel building
# causing them to fail randomly.
enableParallelBuilding = false;
buildFlags = [
"SGX_MODE=${sgxMode}"
];
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
install -m 755 app $out/bin
install *.so $out/lib
wrapProgram "$out/bin/app" \
--chdir "$out/lib" \
${lib.optionalString (!isSimulation)
''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''
}
runHook postInstall
'';
# Breaks the signature of the enclaves
dontFixup = true;
# We don't have access to real SGX hardware during the build
doInstallCheck = isSimulation;
installCheckPhase = ''
runHook preInstallCheck
pushd /
echo a | $out/bin/app
popd
runHook preInstallCheck
'';
};
in
{
cxx11SGXDemo = buildSample "Cxx11SGXDemo";
cxx14SGXDemo = buildSample "Cxx14SGXDemo";
cxx17SGXDemo = buildSample "Cxx17SGXDemo";
localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
install -m 755 bin/app* $out/bin
install bin/*.so $out/lib
for bin in $out/bin/*; do
wrapProgram $bin \
--chdir "$out/lib" \
${lib.optionalString (!isSimulation)
''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''
}
done
runHook postInstall
'';
});
powerTransition = buildSample "PowerTransition";
protobufSGXDemo = buildSample "ProtobufSGXDemo";
remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: {
# Makefile sets rpath to point to $TMPDIR
preFixup = ''
patchelf --remove-rpath $out/bin/app
'';
postInstall = ''
install sample_libcrypto/*.so $out/lib
'';
});
sampleEnclave = buildSample "SampleEnclave";
sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
sampleMbedCrypto = buildSample "SampleMbedCrypto";
sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: {
prePatch = ''
substituteInPlace App/App.cpp \
--replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
'';
});
switchless = buildSample "Switchless";
# # Requires SGX-patched openssl (sgxssl) build
# sampleAttestedTLS = buildSample "SampleAttestedTLS";
}
// lib.optionalAttrs (!isSimulation) {
# # Requires kernel >= v6.2 && HW SGX
# sampleAEXNotify = buildSample "SampleAEXNotify";
# Requires HW SGX
sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: {
nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs;
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
mv sample app
install -m 755 app $out/bin
wrapProgram "$out/bin/app" \
--chdir "$out/lib" \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"
runHook postInstall
'';
});
# # SEGFAULTs in simulation mode?
# sampleEnclavePCL = buildSample "SampleEnclavePCL";
}
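Review bot: `installCheckPhase` in `buildSample` closes with `runHook preInstallCheck` (the line just before its closing `''`), which runs the pre-hook a second time and never runs the post-hook; it should be `runHook postInstallCheck`. The `sealUnseal` override uses `substituteInPlace ... --replace`, which silently does nothing when the literal is absent, while the sgx-psw derivation in this same commit already uses `--replace-fail`; switching to `--replace-fail` keeps the two consistent and turns a stale pattern into a build error instead of a sample that quietly writes next to the binary. The rewritten blob path `"/tmp/sealed_data_blob.txt"` is a fixed name in a world-writable directory, acceptable for a demo but worth saying so, e.g. `# demo only: fixed path in /tmp, not safe on multi-user hosts`.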


@@ -0,0 +1,26 @@
diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
index aee499e9..13fa89d4 100644
--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
const_cast<mz_zip_archive*>(&m_ZipArchive), index)
? true
: false;
- stat.modifiedTime = zipStat.m_time;
+ stat.modifiedTime = 0;
stat.crc32 = zipStat.m_crc32;
// This will limit the size info from uint64 to uint32 on 32-bit
// architectures. We don't care because we assume resources > 2GB
diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
index 6b0ebd7a..fa2aebca 100644
--- a/external/CppMicroServices/third_party/miniz.c
+++ b/external/CppMicroServices/third_party/miniz.c
@@ -170,7 +170,7 @@
// If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
// get/set file times, and the C run-time funcs that get/set times won't be called.
// The current downside is the times written to your archives will be from 1979.
-//#define MINIZ_NO_TIME
+#define MINIZ_NO_TIME
// Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
//#define MINIZ_NO_ARCHIVE_APIS


@@ -0,0 +1,305 @@
{
lib,
stdenv,
fetchFromGitHub,
autoconf,
automake,
binutils,
callPackage,
cmake,
file,
gdb,
git,
libtool,
linkFarmFromDrvs,
ocaml,
ocamlPackages,
openssl,
perl,
python3,
texinfo,
validatePkgConfig,
writeShellApplication,
writeShellScript,
writeText,
debug ? false,
}:
stdenv.mkDerivation rec {
pname = "sgx-sdk";
# Version as given in se_version.h
version = "2.24.100.3";
# Version as used in the Git tag
versionTag = "2.24";
src = fetchFromGitHub {
owner = "intel";
repo = "linux-sgx";
rev = "sgx_${versionTag}";
hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
fetchSubmodules = true;
};
postUnpack = ''
# Make sure this is the right version of linux-sgx
grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
|| (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
'';
patches = [
# There's a `make preparation` step that downloads some prebuilt binaries
# and applies some patches to the in-repo git submodules. This patch removes
# the parts that download things, since we can't do that inside the sandbox.
./disable-downloads.patch
# This patch disable mtime in bundled zip file for reproducible builds.
#
# Context: The `aesm_service` binary depends on a vendored library called
# `CppMicroServices`. At build time, this lib creates and then bundles
# service resources into a zip file and then embeds this zip into the
# binary. Without changes, the `aesm_service` will be different after every
# build because the embedded zip file contents have different modified times.
./cppmicroservices-no-mtime.patch
];
postPatch = ''
patchShebangs linux/installer/bin/build-installpkg.sh \
linux/installer/common/sdk/createTarball.sh \
linux/installer/common/sdk/install.sh \
external/sgx-emm/create_symlink.sh
make preparation
'';
# We need `cmake` as a build input but don't use it to kick off the build phase
dontUseCmakeConfigure = true;
# SDK built with stackprotector produces broken enclaves which crash at runtime.
# Disable all to be safe, SDK build configures compiler mitigations manually.
hardeningDisable = [ "all" ];
nativeBuildInputs = [
autoconf
automake
cmake
file
git
ocaml
ocamlPackages.ocamlbuild
perl
python3
texinfo
validatePkgConfig
];
buildInputs = [
libtool
openssl
];
BINUTILS_DIR = "${binutils}/bin";
# Build external/ippcp_internal first. The Makefile is rewritten to make the
# build faster by splitting different versions of ipp-crypto builds and to
# avoid patching the Makefile for reproducibility issues.
preBuild =
let
ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
};
nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
};
in
''
echo "Setting up IPP crypto build artifacts"
pushd 'external/ippcp_internal'
install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
lib/linux/intel64/no_mitigation/libippcp.a
install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
lib/linux/intel64/cve_2020_0551_load/libippcp.a
install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
lib/linux/intel64/cve_2020_0551_cf/libippcp.a
cp -r ${ipp-crypto-no_mitigation}/include/* inc/
mkdir inc/ippcp
cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
rm inc/ippcp.h
patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
popd
'';
buildFlags = [
"sdk_install_pkg"
]
++ lib.optionals debug [
"DEBUG=1"
];
postBuild = ''
patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
'';
installPhase = ''
runHook preInstall
installDir=$TMPDIR
./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
installDir=$installDir/sgxsdk
echo "Move files created by installer"
mkdir -p $out/bin
pushd $out
mv $installDir/bin/sgx-gdb $out/bin
mkdir $out/bin/x64
for file in $installDir/bin/x64/*; do
mv $file bin/
ln -sr bin/$(basename $file) bin/x64/
done
rmdir $installDir/bin/{x64,}
# Move `lib64` to `lib` and symlink `lib64`
mv $installDir/lib64 lib
ln -s lib/ lib64
# Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
for file in lib/libsgx_urts.so.*; do
ln -srf lib/libsgx_urts.so $file
done
mv $installDir/include/ .
mkdir -p share/
mv $installDir/{SampleCode,licenses} share/
mkdir -p share/bin
mv $installDir/{environment,buildenv.mk} share/bin/
ln -s share/bin/{environment,buildenv.mk} .
# pkgconfig should go to lib/
mv $installDir/pkgconfig lib/
ln -s lib/pkgconfig/ .
# Also create the `sdk_libs` for compat. All the files
# link to libraries in `lib64/`, we shouldn't link the entire
# directory, however, as there seems to be some ambiguity between
# SDK and PSW libraries.
mkdir sdk_libs/
for file in $installDir/sdk_libs/*; do
ln -sr lib/$(basename $file) sdk_libs/
rm $file
done
rmdir $installDir/sdk_libs
# No uninstall script required
rm $installDir/uninstall.sh
# Create an `sgxsdk` symlink which points to `$out` for compat
ln -sr . sgxsdk
# Make sure we didn't forget any files
rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
popd
runHook postInstall
'';
preFixup = ''
echo "Strip sgxsdk prefix"
for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
done
echo "Fixing pkg-config files"
sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc
echo "Fixing SGX_SDK default in samples"
substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
--replace '/opt/intel/sgxsdk' "$out"
for file in $out/share/SampleCode/*/Makefile; do
substituteInPlace $file \
--replace '/opt/intel/sgxsdk' "$out"
done
echo "Fixing BINUTILS_DIR in buildenv.mk"
substituteInPlace $out/share/bin/buildenv.mk \
--replace 'BINUTILS_DIR ?= /usr/local/bin' \
'BINUTILS_DIR ?= ${BINUTILS_DIR}'
echo "Fixing GDB path in bin/sgx-gdb"
substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
'';
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
# Make sure all symlinks are valid
output=$(find "$out" -type l -exec test ! -e {} \; -print)
if [[ -n "$output" ]]; then
echo "Broken symlinks:"
echo "$output"
exit 1
fi
runHook postInstallCheck
'';
setupHook = writeText "setup-hook.sh" ''
sgxsdk() {
export SGX_SDK=@out@
}
postHooks+=(sgxsdk)
'';
passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
# Run tests in SGX hardware mode on an SGX-enabled machine
# $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
passthru.runTestsHW =
let
testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
in
writeShellApplication {
name = "run-tests-hw";
text = ''
for test in ${testsHWLinked}/*; do
printf '*** Running test %s ***\n\n' "$(basename "$test")"
printf 'a\n' | "$test/bin/app"
printf '\n'
done
'';
};
meta = {
description = "Intel SGX SDK for Linux built with IPP Crypto Library";
homepage = "https://github.com/intel/linux-sgx";
maintainers = with lib.maintainers; [
phlip9
sbellem
arturcygan
veehaitch
];
platforms = [ "x86_64-linux" ];
license = [ lib.licenses.bsd3 ];
};
}
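Review bot: `preFixup` uses plain `--replace` in all five `substituteInPlace` calls (the `$TMPDIR/sgxsdk` loop, the two `/opt/intel/sgxsdk` fixups, `BINUTILS_DIR`, and the gdb path), so if upstream ever changes one of those strings the substitution silently does nothing; for `sgx-gdb` that would leave a hard-coded `/usr/local/bin/gdb` outside the store, and for `buildenv.mk` a `BINUTILS_DIR` pointing at `/usr/local/bin`. `--replace-fail`, which the sgx-psw derivation in this commit already uses, makes that a build failure, e.g. `substituteInPlace $out/bin/sgx-gdb --replace-fail '/usr/local/bin/gdb' '${gdb}/bin/gdb'`. `hardeningDisable = [ "all" ]` also switches off hardening for the host-side tools and `libsgx_urts`, not only for enclave code; if stack-protector is the only known breakage, `[ "stackprotector" ]` would keep the remaining flags, though the comment's "to be safe" reads as deliberate, so treat this as a question rather than a defect. The `patches` comment reads "This patch disable mtime"; "disables" matches the wording used for the same patch in sgx-psw.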


@@ -0,0 +1,28 @@
diff --git a/Makefile b/Makefile
index 73502a7..f24bd11 100644
--- a/Makefile
+++ b/Makefile
@@ -50,18 +50,18 @@ tips:
preparation:
# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
# Only enable the download from git
- git submodule update --init --recursive
- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ # git submodule update --init --recursive
+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
- cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
+ cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
./external/sgx-emm/create_symlink.sh
cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
cd external/cbor && cp -r libcbor sgx_libcbor
cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
- ./download_prebuilt.sh
- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ # ./download_prebuilt.sh
+ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
psw:
$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)


@@ -0,0 +1,40 @@
{
stdenv,
fetchFromGitHub,
cmake,
nasm,
openssl,
python3,
extraCmakeFlags ? [ ],
}:
stdenv.mkDerivation rec {
pname = "ipp-crypto";
version = "2021.11.1";
src = fetchFromGitHub {
owner = "intel";
repo = "ipp-crypto";
rev = "ippcp_${version}";
hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
};
cmakeFlags = [
"-DARCH=intel64"
# sgx-sdk now requires FIPS-compliance mode turned on
"-DIPPCP_FIPS_MODE=on"
]
++ extraCmakeFlags;
# Yes, it seems bad for a cryptography library to trigger this
# warning. We previously pinned an EOL GCC which avoided it, but this
# issue is present regardless of whether we use a compiler that flags
# it up or not; upstream just doesnt test with modern compilers.
env.NIX_CFLAGS_COMPILE = "-Wno-error=stringop-overflow";
nativeBuildInputs = [
cmake
nasm
openssl
python3
];
}
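Review bot: The `extraCmakeFlags ? [ ]` parameter has no comment explaining what callers are expected to pass, and the only use visible in this commit is the sgx-sdk `preBuild`, which builds this package three times with different `-DCMAKE_ASM_NASM_COMPILER` wrappers to produce the no-mitigation and the two CVE-2020-0551 mitigation variants of `libippcp.a`. A short note above the parameter would make that contract explicit, e.g. `# Extra CMake flags; sgx-sdk passes an alternative NASM wrapper here to build the CVE-2020-0551 LOAD/CF mitigation variants`. The `-Wno-error=stringop-overflow` line is already well justified by its comment; no change needed there.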