Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix | 190 |
1 files changed, 190 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix
new file mode 100644
index 000000000000..b418d5c18225
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -0,0 +1,190 @@
+{ stdenv
+, lib
+, fetchurl
+, cmake
+, coreutils
+, curl
+, file
+, glibc
+, makeWrapper
+, nixosTests
+, protobuf
+, python3
+, sgx-sdk
+, shadow
+, systemd
+, util-linux
+, which
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+ inherit (sgx-sdk) version versionTag src;
+ pname = "sgx-psw";
+
+ postUnpack =
+ let
+ ae.prebuilt = fetchurl {
+ url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
+ hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
+ };
+ dcap = rec {
+ version = "1.12.1";
+ filename = "prebuilt_dcap_${version}.tar.gz";
+ prebuilt = fetchurl {
+ url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
+ hash = "sha256-V/XHva9Sq3P36xSW+Sd0G6Dnk4H0ANO1Ns/u+FI1eGI=";
+ };
+ };
+ in
+ sgx-sdk.postUnpack + ''
+ # Make sure we use the correct version of prebuilt DCAP
+ grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
+ || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
+
+ tar -zxf ${ae.prebuilt} -C $sourceRoot/
+ tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
+ '';
+
+ nativeBuildInputs = [
+ cmake
+ file
+ makeWrapper
+ python3
+ sgx-sdk
+ which
+ ];
+
+ buildInputs = [
+ curl
+ protobuf
+ ];
+
+ hardeningDisable = lib.optionals debug [
+ "fortify"
+ ];
+
+ postPatch = ''
+ # https://github.com/intel/linux-sgx/pull/730
+ substituteInPlace buildenv.mk --replace '/bin/cp' 'cp'
+ substituteInPlace psw/ae/aesm_service/source/CMakeLists.txt \
+ --replace '/usr/bin/getconf' 'getconf'
+
+ # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/205
+ substituteInPlace ./external/dcap_source/QuoteGeneration/buildenv.mk \
+ --replace '/bin/cp' 'cp'
+ substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/Makefile \
+ --replace '/bin/cp' 'cp'
+ substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/buildenv.mk \
+ --replace '/bin/cp' 'cp'
+
+ patchShebangs \
+ linux/installer/bin/build-installpkg.sh \
+ linux/installer/common/psw/createTarball.sh \
+ linux/installer/common/psw/install.sh
+ '';
+
+ dontUseCmakeConfigure = true;
+
+ # Randomly fails if enabled
+ enableParallelBuilding = false;
+
+ buildFlags = [
+ "psw_install_pkg"
+ ] ++ lib.optionals debug [
+ "DEBUG=1"
+ ];
+
+ installFlags = [
+ "-C linux/installer/common/psw/output"
+ "DESTDIR=$(TMPDIR)/install"
+ ];
+
+ postInstall = ''
+ installDir=$TMPDIR/install
+ sgxPswDir=$installDir/opt/intel/sgxpsw
+
+ mv $installDir/usr/lib64/ $out/lib/
+ ln -sr $out/lib $out/lib64
+
+ # Install udev rules to lib/udev/rules.d
+ mv $sgxPswDir/udev/ $out/lib/
+
+ # Install example AESM config
+ mkdir $out/etc/
+ mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
+ rmdir $sgxPswDir/aesm/conf/
+
+ # Delete init service
+ rm $sgxPswDir/aesm/aesmd.conf
+
+ # Move systemd services
+ mkdir -p $out/lib/systemd/system/
+ mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
+ mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
+
+ # Move misc files
+ mkdir $out/share/
+ mv $sgxPswDir/licenses $out/share/
+
+ # Remove unnecessary files
+ rm $sgxPswDir/{cleanup.sh,startup.sh}
+ rm -r $sgxPswDir/scripts
+
+ mv $sgxPswDir/aesm/ $out/
+
+ mkdir $out/bin
+ makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
+ --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
+ --run "cd $out/aesm"
+
+ # Make sure we didn't forget to handle any files
+ rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+ '';
+
+ # Most—if not all—of those fixups are not relevant for NixOS as we have our own
+ # NixOS module which is based on those files without relying on them. Still, it
+ # is helpful to have properly patched versions for non-NixOS distributions.
+ postFixup = ''
+ header "Fixing aesmd.service"
+ substituteInPlace $out/lib/systemd/system/aesmd.service \
+ --replace '@aesm_folder@' \
+ "$out/aesm" \
+ --replace 'Type=forking' \
+ 'Type=simple' \
+ --replace "ExecStart=$out/aesm/aesm_service" \
+ "ExecStart=$out/bin/aesm_service --no-daemon"\
+ --replace "/bin/mkdir" \
+ "${coreutils}/bin/mkdir" \
+ --replace "/bin/chown" \
+ "${coreutils}/bin/chown" \
+ --replace "/bin/chmod" \
+ "${coreutils}/bin/chmod" \
+ --replace "/bin/kill" \
+ "${coreutils}/bin/kill"
+
+ header "Fixing remount-dev-exec.service"
+ substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
+ --replace '/bin/mount' \
+ "${util-linux}/bin/mount"
+
+ header "Fixing linksgx.sh"
+ # https://github.com/intel/linux-sgx/pull/736
+ substituteInPlace $out/aesm/linksgx.sh \
+ --replace '/usr/bin/getent' \
+ '${glibc.bin}/bin/getent' \
+ --replace '/usr/sbin/usermod' \
+ '${shadow}/bin/usermod'
+ '';
+
+ passthru.tests = {
+ service = nixosTests.aesmd;
+ };
+
+ meta = with lib; {
+ description = "Intel SGX Architectural Enclave Service Manager";
+ homepage = "https://github.com/intel/linux-sgx";
+ maintainers = with maintainers; [ veehaitch citadelcore ];
+ platforms = [ "x86_64-linux" ];
+ license = with licenses; [ bsd3 ];
+ };
+} |
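Review bot: The diagnostic in postInstall's final guard names the wrong directory: it is `rmdir $sgxPswDir` that fails, yet the message reports `$installDir` and lists `$(ls -A $installDir)`, which will show `opt` (plus the leftover `usr` tree after `lib64` is moved out) rather than the files actually left behind; change it to `rmdir $sgxPswDir || (echo "Error: The directory $sgxPswDir still contains unhandled files: $(ls -A $sgxPswDir)" >&2 && exit 1)`. Both this guard and the `grep -q 'ae_file_name=…'` check in postUnpack rely on the phase running under `set -e`, because `exit 1` inside `( … )` only terminates the subshell; writing them as `|| { echo … >&2; exit 1; }` makes the abort unconditional and the intent explicit. Note also that postUnpack verifies linux-sgx expects the pinned DCAP tarball before extracting it, but the prebuilt AE tarball is extracted with no equivalent check; if the top-level download_prebuilt.sh carries a matching `ae_file_name=` line, a parallel grep would surface an SDK/AE version mismatch at build time instead of at enclave load time. The DCAP url as shown here ends in `${version}/linux/$(unknown)`, which looks like a rendering artifact — presumably `${filename}` — and is worth confirming against the committed file.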