about summary refs log tree commit diff
path: root/nixpkgs/pkgs/os-specific/linux/sgx/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/sgx/ssl')
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch99
2 files changed, 10 insertions, 123 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
index f3f6ce485063..9d1905e09d1f 100644
--- a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -1,8 +1,8 @@
 { stdenv
 , fetchFromGitHub
-, fetchpatch
 , fetchurl
 , lib
+, openssl
 , perl
 , sgx-sdk
 , which
@@ -10,9 +10,9 @@
 }:
 let
   sgxVersion = sgx-sdk.versionTag;
-  opensslVersion = "1.1.1l";
+  opensslVersion = "1.1.1u";
 in
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
   pname = "sgx-ssl" + lib.optionalString debug "-debug";
   version = "${sgxVersion}_${opensslVersion}";
 
@@ -20,25 +20,20 @@ stdenv.mkDerivation rec {
     owner = "intel";
     repo = "intel-sgx-ssl";
     rev = "lin_${sgxVersion}_${opensslVersion}";
-    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+    hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
   };
 
   postUnpack =
     let
       opensslSourceArchive = fetchurl {
         url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+        hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
       };
     in
     ''
       ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
     '';
 
-  patches = [
-    # https://github.com/intel/intel-sgx-ssl/pull/111
-    ./intel-sgx-ssl-pr-111.patch
-  ];
-
   postPatch = ''
     patchShebangs Linux/build_openssl.sh
 
@@ -48,8 +43,6 @@ stdenv.mkDerivation rec {
                 'bash -c "true"'
   '';
 
-  enableParallelBuilding = true;
-
   nativeBuildInputs = [
     perl
     sgx-sdk
@@ -68,28 +61,21 @@ stdenv.mkDerivation rec {
   ];
 
   # Build the test app
-  #
-  # Running the test app is currently only supported on Intel CPUs
-  # and will fail on non-Intel CPUs even in SGX simulation mode.
-  # Therefore, we only build the test app without running it until
-  # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
   doInstallCheck = true;
-  installCheckTarget = "all";
+  installCheckTarget = "test";
   installCheckFlags = [
     "SGX_MODE=SIM"
-    "-C sgx/test_app"
     "-j 1" # Makefile doesn't support multiple jobs
   ];
-  preInstallCheck = ''
-    # Expects the enclave file in the current working dir
-    ln -s sgx/test_app/TestEnclave.signed.so .
-  '';
+  nativeInstallCheckInputs = [
+    openssl
+  ];
 
   meta = with lib; {
     description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
     homepage = "https://github.com/intel/intel-sgx-ssl";
     maintainers = with maintainers; [ trundle veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 openssl ];
+    license = [ licenses.bsd3 licenses.openssl ];
   };
 }
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
deleted file mode 100644
index 6ef06d7e231b..000000000000
--- a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
-From: Vincent Haupert <mail@vincent-haupert.de>
-Date: Sat, 8 Jan 2022 17:22:31 +0100
-Subject: [PATCH 1/3] Linux: fix Nix detection
-
-Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
-environment variable instead of `NIX_PATH`. The latter is only set in a
-`nix-shell` session but isn't when building a derivation through
-`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
-both cases.
-
-Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
----
- Linux/sgx/buildenv.mk | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
-index cd8818e..dac23c7 100644
---- a/Linux/sgx/buildenv.mk
-+++ b/Linux/sgx/buildenv.mk
-@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
- UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
- ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
- 	OS_ID=1
--else ifeq ($(origin NIX_PATH),environment)
-+else ifeq ($(origin NIX_STORE),environment)
- 	OS_ID=3
- else
- 	OS_ID=2
-
-From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
-From: Vincent Haupert <mail@vincent-haupert.de>
-Date: Sat, 8 Jan 2022 17:33:22 +0100
-Subject: [PATCH 2/3] Linux: call binaries relative to PATH
-
-Using an absolute path to call binaries is incompatible with
-distributions which do not follow the Filesystem Hierachy Standard;
-Nix is an example. Also, it is inconsistent with the rest of the code
-base, let alone superfluous.
-
-Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
----
- Linux/build_openssl.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
-index 7d77b79..e8b59a1 100755
---- a/Linux/build_openssl.sh
-+++ b/Linux/build_openssl.sh
-@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
- echo $SGXSSL_ROOT
- 
- OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
--OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
-+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
- if [ "$OPENSSL_VERSION" == "" ] 
- then
- 	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
-
-From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
-From: Vincent Haupert <mail@vincent-haupert.de>
-Date: Tue, 11 Jan 2022 10:56:39 +0100
-Subject: [PATCH 3/3] Linux: properly extract GCC major version
-
-Calling `gcc -dumpversion` yields the full version string, e.g.,
-`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
-comparison operator to check if the returned version is at least
-8. This results in an error if the returned GCC version includes a patch
-version; "10.3.0" isn't a valid number.
-
-This commit fixes the version detection by only extracting the relevant
-major version of GCC.
-
-Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
----
- Linux/build_openssl.sh | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
-index e8b59a1..6e4046f 100755
---- a/Linux/build_openssl.sh
-+++ b/Linux/build_openssl.sh
-@@ -82,6 +82,7 @@ fi
- MITIGATION_OPT=""
- MITIGATION_FLAGS=""
- CC_VERSION=`gcc -dumpversion`
-+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
- for arg in "$@"
- do
-     case $arg in
-@@ -99,7 +100,7 @@ do
-         ;;
-     -mfunction-return=thunk-extern)
-         MITIGATION_FLAGS+=" $arg"
--        if [[ $CC_VERSION -ge 8 ]] ; then
-+        if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
-             MITIGATION_FLAGS+=" -fcf-protection=none"
-         fi
-         shift
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-10 23:30:39 +0000