Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/sgx/ssl')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix | 34 | ||||
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch | 99 |
2 files changed, 10 insertions, 123 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
index f3f6ce485063..9d1905e09d1f 100644
--- a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -1,8 +1,8 @@
 { stdenv
 , fetchFromGitHub
-, fetchpatch
 , fetchurl
 , lib
+, openssl
 , perl
 , sgx-sdk
 , which
@@ -10,9 +10,9 @@
 }:
 let
 sgxVersion = sgx-sdk.versionTag;
- opensslVersion = "1.1.1l";
+ opensslVersion = "1.1.1u";
 in
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
 pname = "sgx-ssl" + lib.optionalString debug "-debug";
 version = "${sgxVersion}_${opensslVersion}";
@@ -20,25 +20,20 @@ stdenv.mkDerivation rec {
 owner = "intel";
 repo = "intel-sgx-ssl";
 rev = "lin_${sgxVersion}_${opensslVersion}";
- hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+ hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
 };
 postUnpack = let opensslSourceArchive = fetchurl {
 url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
- hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+ hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
 };
 in ''
 ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
 '';
- patches = [
- # https://github.com/intel/intel-sgx-ssl/pull/111
- ./intel-sgx-ssl-pr-111.patch
- ];
-
 postPatch = ''
 patchShebangs Linux/build_openssl.sh
@@ -48,8 +43,6 @@ stdenv.mkDerivation rec {
 'bash -c "true"'
 '';
- enableParallelBuilding = true;
-
 nativeBuildInputs = [
 perl
 sgx-sdk
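Review bot: The bump of `opensslVersion` to `"1.1.1u"` is silently coupled to the GitHub checkout, because `rev = "lin_${sgxVersion}_${opensslVersion}"` means the OpenSSL release and the intel-sgx-ssl tag can only move together, and nothing in the file says so; a comment on the `opensslVersion` line such as `# Must match the OpenSSL release baked into the intel-sgx-ssl tag (see rev below); bump both together` would stop a future updater from pinning a newer OpenSSL that upstream has no tag for. The new `fetchurl` hash for the openssl.org tarball is what protects the build against a substituted archive, so it is worth recording where it was cross-checked (upstream publishes a checksum next to the tarball) rather than only what `nix-prefetch` printed. In the last hunk `enableParallelBuilding = true;` is dropped without explanation while `"-j 1"` in the check flags keeps its reason; a one-line comment on why the main build is no longer parallel would keep the two consistent. The `mkDerivation` body continues outside this hunk.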
@@ -68,28 +61,21 @@ stdenv.mkDerivation rec {
 ];
 # Build the test app
- #
- # Running the test app is currently only supported on Intel CPUs
- # and will fail on non-Intel CPUs even in SGX simulation mode.
- # Therefore, we only build the test app without running it until
- # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
 doInstallCheck = true;
- installCheckTarget = "all";
+ installCheckTarget = "test";
 installCheckFlags = [
 "SGX_MODE=SIM"
- "-C sgx/test_app"
 "-j 1" # Makefile doesn't support multiple jobs
 ];
- preInstallCheck = ''
- # Expects the enclave file in the current working dir
- ln -s sgx/test_app/TestEnclave.signed.so .
- '';
+ nativeInstallCheckInputs = [
+ openssl
+ ];
 meta = with lib; {
 description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
 homepage = "https://github.com/intel/intel-sgx-ssl";
 maintainers = with maintainers; [ trundle veehaitch ];
 platforms = [ "x86_64-linux" ];
- license = with licenses; [ bsd3 openssl ];
+ license = [ licenses.bsd3 licenses.openssl ];
 };
 }
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
deleted file mode 100644
index 6ef06d7e231b..000000000000
--- a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
+++ /dev/null
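Review bot: Switching `installCheckTarget` to `"test"` starts actually running the test app, but the comment that explained why it was previously only built (non-Intel CPUs failing even in simulation mode, upstream issue 113) is deleted without a replacement, so the next reader cannot tell whether that limitation was fixed upstream or is simply being accepted; the surviving `# Build the test app` line should be reworded to say what the check now does, e.g. `# Build and run the test app in SGX simulation mode (upstream issue 113 is presumably resolved in this tag)`. It is also worth stating that `SGX_MODE=SIM` means this check exercises the library's build and API surface, not hardware-enforced enclave isolation, so a passing check says nothing about the real-SGX configuration. The new `nativeInstallCheckInputs = [ openssl ];` has no comment on why the host OpenSSL binary is needed at check time; presumably the `test` target invokes it, and a short comment naming that would document the dependency. The removal of `"-C sgx/test_app"` moves the target to the top-level Makefile, which is fine if that is where `test` lives, but the hunk does not show it.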
@@ -1,99 +0,0 @@ -From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001 -From: Vincent Haupert <mail@vincent-haupert.de> -Date: Sat, 8 Jan 2022 17:22:31 +0100 -Subject: [PATCH 1/3] Linux: fix Nix detection - -Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE` -environment variable instead of `NIX_PATH`. The latter is only set in a -`nix-shell` session but isn't when building a derivation through -`nix-build`. In contrast, the `NIX_STORE` environment variable is set in -both cases. - -Signed-off-by: Vincent Haupert <mail@vincent-haupert.de> ---- - Linux/sgx/buildenv.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk -index cd8818e..dac23c7 100644 ---- a/Linux/sgx/buildenv.mk -+++ b/Linux/sgx/buildenv.mk -@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB)) - UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h - ifneq ("$(wildcard $(UBUNTU_CONFNAME))","") - OS_ID=1 --else ifeq ($(origin NIX_PATH),environment) -+else ifeq ($(origin NIX_STORE),environment) - OS_ID=3 - else - OS_ID=2 - -From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001 -From: Vincent Haupert <mail@vincent-haupert.de> -Date: Sat, 8 Jan 2022 17:33:22 +0100 -Subject: [PATCH 2/3] Linux: call binaries relative to PATH - -Using an absolute path to call binaries is incompatible with -distributions which do not follow the Filesystem Hierachy Standard; -Nix is an example. Also, it is inconsistent with the rest of the code -base, let alone superfluous. 
- -Signed-off-by: Vincent Haupert <mail@vincent-haupert.de> ---- - Linux/build_openssl.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index 7d77b79..e8b59a1 100755 ---- a/Linux/build_openssl.sh -+++ b/Linux/build_openssl.sh -@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - echo $SGXSSL_ROOT - - OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp" --OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'` -+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'` - if [ "$OPENSSL_VERSION" == "" ] - then - echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory." - -From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001 -From: Vincent Haupert <mail@vincent-haupert.de> -Date: Tue, 11 Jan 2022 10:56:39 +0100 -Subject: [PATCH 3/3] Linux: properly extract GCC major version - -Calling `gcc -dumpversion` yields the full version string, e.g., -`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number -comparison operator to check if the returned version is at least -8. This results in an error if the returned GCC version includes a patch -version; "10.3.0" isn't a valid number. - -This commit fixes the version detection by only extracting the relevant -major version of GCC. 
- -Signed-off-by: Vincent Haupert <mail@vincent-haupert.de> ---- - Linux/build_openssl.sh | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index e8b59a1..6e4046f 100755 ---- a/Linux/build_openssl.sh -+++ b/Linux/build_openssl.sh -@@ -82,6 +82,7 @@ fi - MITIGATION_OPT="" - MITIGATION_FLAGS="" - CC_VERSION=`gcc -dumpversion` -+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.` - for arg in "$@" - do - case $arg in -@@ -99,7 +100,7 @@ do - ;; - -mfunction-return=thunk-extern) - MITIGATION_FLAGS+=" $arg" -- if [[ $CC_VERSION -ge 8 ]] ; then -+ if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then - MITIGATION_FLAGS+=" -fcf-protection=none" - fi - shift |