Diffstat (limited to 'pkgs/os-specific/linux/sgx')
-rw-r--r--pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix94
-rw-r--r--pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix32
-rw-r--r--pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch12
-rw-r--r--pkgs/os-specific/linux/sgx/psw/default.nix188
-rw-r--r--pkgs/os-specific/linux/sgx/samples/default.nix140
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch26
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/default.nix298
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch28
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix32
-rw-r--r--pkgs/os-specific/linux/sgx/ssl/default.nix81
-rw-r--r--pkgs/os-specific/linux/sgx/ssl/tests.nix95
11 files changed, 0 insertions, 1026 deletions
diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
deleted file mode 100644
index 99e5c4b1a09c..000000000000
--- a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{ stdenv
-, fetchFromGitHub
-, fetchpatch
-, lib
-, curl
-, nlohmann_json
-, openssl
-, pkg-config
-, linkFarmFromDrvs
-, callPackage
-}:
-let
-  # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions
-  filterSparse = list: ''
-    cp -r "$out"/. .
-    find "$out" -mindepth 1 -delete
-    cp ${lib.concatStringsSep " " list} "$out/"
-  '';
-  headers = linkFarmFromDrvs "azure-dcap-client-intel-headers" [
-    (fetchFromGitHub rec {
-      name = "${repo}-headers";
-      owner = "intel";
-      repo = "linux-sgx";
-      # See: <src/Linux/configure> for the revision `azure-dcap-client` uses.
-      rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";
-      hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";
-      sparseCheckout = [
-        "common/inc/sgx_report.h"
-        "common/inc/sgx_key.h"
-        "common/inc/sgx_attributes.h"
-      ];
-      postFetch = filterSparse sparseCheckout;
-    })
-  ];
-in
-stdenv.mkDerivation rec {
-  pname = "azure-dcap-client";
-  version = "1.12.3";
-
-  src = fetchFromGitHub {
-    owner = "microsoft";
-    repo = pname;
-    rev = version;
-    hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA=";
-  };
-
-  patches = [
-    # Fix gcc-13 build:
-    #   https://github.com/microsoft/Azure-DCAP-Client/pull/197
-    (fetchpatch {
-      name = "gcc-13.patch";
-      url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch";
-      hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc=";
-    })
-  ];
-
-  nativeBuildInputs = [
-    pkg-config
-  ];
-
-  buildInputs = [
-    curl
-    nlohmann_json
-    openssl
-  ];
-
-  postPatch = ''
-    mkdir -p src/Linux/ext/intel
-    find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;
-
-    substitute src/Linux/Makefile{.in,} \
-      --replace-fail '##CURLINC##' '${curl.dev}/include/curl/' \
-      --replace-fail '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
-  '';
-
-  env.NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
-
-  makeFlags = [
-    "-C src/Linux"
-    "prefix=$(out)"
-  ];
-
-  # Online test suite; run with
-  # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
-  passthru.tests.suite = callPackage ./test-suite.nix { };
-
-  meta = {
-    description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
-    homepage = "https://github.com/microsoft/azure-dcap-client";
-    maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
-    platforms = [ "x86_64-linux" ];
-    license = [ lib.licenses.mit ];
-  };
-}
diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix
deleted file mode 100644
index 40d80ece8abf..000000000000
--- a/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ lib
-, sgx-azure-dcap-client
-, gtest
-, makeWrapper
-}:
-sgx-azure-dcap-client.overrideAttrs (old: {
-  nativeBuildInputs = old.nativeBuildInputs ++ [
-    makeWrapper
-    gtest
-  ];
-
-  patches = (old.patches or []) ++ [
-    ./tests-missing-includes.patch
-  ];
-
-  buildFlags = [
-    "tests"
-  ];
-
-  installPhase = ''
-    runHook preInstall
-
-    install -D ./src/Linux/tests "$out/bin/tests"
-
-    runHook postInstall
-  '';
-
-  postFixup = ''
-    wrapProgram "$out/bin/tests" \
-      --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"
-  '';
-})
diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch b/pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch
deleted file mode 100644
index 287fbd39af41..000000000000
--- a/pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/src/UnitTest/test_local_cache.cpp b/src/UnitTest/test_local_cache.cpp
-index 5fbc31b..6b8d52e 100644
---- a/src/UnitTest/test_local_cache.cpp
-+++ b/src/UnitTest/test_local_cache.cpp
-@@ -5,6 +5,7 @@
- #include <gtest/gtest.h>
- 
- #undef NDEBUG // ensure that asserts are never compiled out
-+#include <array>
- #include <cassert>
- #include <cstdio>
- #include <cstring>
diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
deleted file mode 100644
index 829b0c6525ec..000000000000
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ /dev/null
@@ -1,188 +0,0 @@
-{ stdenv
-, lib
-, fetchurl
-, cmake
-, coreutils
-, curl
-, file
-, makeWrapper
-, nixosTests
-, protobuf
-, python3
-, sgx-sdk
-, which
-, debug ? false
-}:
-stdenv.mkDerivation rec {
-  inherit (sgx-sdk) patches src version versionTag;
-  pname = "sgx-psw";
-
-  postUnpack =
-    let
-      # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
-      # run user application enclaves, verify launch policies, produce remote
-      # attestation quotes, and do platform certification.
-      ae.prebuilt = fetchurl {
-        url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
-        hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q=";
-      };
-      # Also include the Data Center Attestation Primitives (DCAP) platform
-      # enclaves.
-      dcap = rec {
-        version = "1.21";
-        filename = "prebuilt_dcap_${version}.tar.gz";
-        prebuilt = fetchurl {
-          url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
-        };
-      };
-    in
-    sgx-sdk.postUnpack + ''
-      # Make sure we use the correct version of prebuilt DCAP
-      grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
-        || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
-
-      tar -zxf ${ae.prebuilt}   -C $sourceRoot/
-      tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
-    '';
-
-  nativeBuildInputs = [
-    cmake
-    file
-    makeWrapper
-    python3
-    sgx-sdk
-    which
-  ];
-
-  buildInputs = [
-    curl
-    protobuf
-  ];
-
-  hardeningDisable = [
-    # causes redefinition of _FORTIFY_SOURCE
-    "fortify3"
-  ] ++ lib.optionals debug [
-    "fortify"
-  ];
-
-  postPatch = ''
-    patchShebangs \
-      linux/installer/bin/build-installpkg.sh \
-      linux/installer/common/psw/createTarball.sh \
-      linux/installer/common/psw/install.sh
-  '';
-
-  dontUseCmakeConfigure = true;
-
-  buildFlags = [
-    "psw_install_pkg"
-  ] ++ lib.optionals debug [
-    "DEBUG=1"
-  ];
-
-  installFlags = [
-    "-C linux/installer/common/psw/output"
-    "DESTDIR=$(TMPDIR)/install"
-  ];
-
-  postInstall = ''
-    installDir=$TMPDIR/install
-    sgxPswDir=$installDir/opt/intel/sgxpsw
-
-    mv $installDir/usr/lib64/ $out/lib/
-    ln -sr $out/lib $out/lib64
-
-    # Install udev rules to lib/udev/rules.d
-    mv $sgxPswDir/udev/ $out/lib/
-
-    # Install example AESM config
-    mkdir $out/etc/
-    mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
-    rmdir $sgxPswDir/aesm/conf/
-
-    # Delete init service
-    rm $sgxPswDir/aesm/aesmd.conf
-
-    # Move systemd services
-    mkdir -p $out/lib/systemd/system/
-    mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
-    mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
-
-    # Move misc files
-    mkdir $out/share/
-    mv $sgxPswDir/licenses $out/share/
-
-    # Remove unnecessary files
-    rm $sgxPswDir/{cleanup.sh,startup.sh}
-    rm -r $sgxPswDir/scripts
-
-    # Move aesmd binaries/libraries/enclaves
-    mv $sgxPswDir/aesm/ $out/
-
-    # We absolutely MUST avoid stripping or patching these ".signed.so" SGX
-    # enclaves. Stripping would change each enclave measurement (hash of the
-    # binary).
-    #
-    # We're going to temporarily move these enclave libs to another directory
-    # until after stripping/patching in the fixupPhase.
-    mkdir $TMPDIR/enclaves
-    mv $out/aesm/*.signed.so* $TMPDIR/enclaves
-
-    mkdir $out/bin
-    makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
-      --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
-      --chdir "$out/aesm"
-
-    # Make sure we didn't forget to handle any files
-    rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
-  '';
-
-  stripDebugList = [
-    "lib"
-    "bin"
-    # Also strip binaries/libs in the `aesm` directory
-    "aesm"
-  ];
-
-  postFixup = ''
-    # Move the SGX enclaves back after everything else has been stripped.
-    mv $TMPDIR/enclaves/*.signed.so* $out/aesm/
-    rmdir $TMPDIR/enclaves
-
-    # Fixup the aesmd systemd service
-    #
-    # Most—if not all—of those fixups are not relevant for NixOS as we have our own
-    # NixOS module which is based on those files without relying on them. Still, it
-    # is helpful to have properly patched versions for non-NixOS distributions.
-    echo "Fixing aesmd.service"
-    substituteInPlace $out/lib/systemd/system/aesmd.service \
-      --replace-fail '@aesm_folder@' \
-                     "$out/aesm" \
-      --replace-fail 'Type=forking' \
-                     'Type=simple' \
-      --replace-fail "ExecStart=$out/aesm/aesm_service" \
-                     "ExecStart=$out/bin/aesm_service --no-daemon"\
-      --replace-fail "/bin/mkdir" \
-                     "${coreutils}/bin/mkdir" \
-      --replace-fail "/bin/chown" \
-                     "${coreutils}/bin/chown" \
-      --replace-fail "/bin/chmod" \
-                     "${coreutils}/bin/chmod" \
-      --replace-fail "/bin/kill" \
-                     "${coreutils}/bin/kill"
-  '';
-
-  passthru.tests = {
-    service = nixosTests.aesmd;
-  };
-
-  meta = {
-    description = "Intel SGX Architectural Enclave Service Manager";
-    homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with lib.maintainers; [ phlip9 veehaitch citadelcore ];
-    platforms = [ "x86_64-linux" ];
-    license = [ lib.licenses.bsd3 ];
-  };
-}
diff --git a/pkgs/os-specific/linux/sgx/samples/default.nix b/pkgs/os-specific/linux/sgx/samples/default.nix
deleted file mode 100644
index 0cbd6db02838..000000000000
--- a/pkgs/os-specific/linux/sgx/samples/default.nix
+++ /dev/null
@@ -1,140 +0,0 @@
-{ stdenv
-, lib
-, makeWrapper
-, openssl
-, sgx-sdk
-, sgx-psw
-, which
-  # "SIM" or "HW"
-, sgxMode
-}:
-let
-  isSimulation = sgxMode == "SIM";
-  buildSample = name: stdenv.mkDerivation {
-    pname = name;
-    version = sgxMode;
-
-    src = sgx-sdk.out;
-    sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
-
-    nativeBuildInputs = [
-      makeWrapper
-      openssl
-      which
-    ];
-
-    buildInputs = [
-      sgx-sdk
-    ];
-
-    # The samples don't have proper support for parallel building
-    # causing them to fail randomly.
-    enableParallelBuilding = false;
-
-    buildFlags = [
-      "SGX_MODE=${sgxMode}"
-    ];
-
-    installPhase = ''
-      runHook preInstall
-
-      mkdir -p $out/{bin,lib}
-      install -m 755 app $out/bin
-      install *.so $out/lib
-
-      wrapProgram "$out/bin/app" \
-        --chdir "$out/lib" \
-        ${lib.optionalString (!isSimulation)
-        ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
-
-      runHook postInstall
-    '';
-
-    # Breaks the signature of the enclaves
-    dontFixup = true;
-
-    # We don't have access to real SGX hardware during the build
-    doInstallCheck = isSimulation;
-    installCheckPhase = ''
-      runHook preInstallCheck
-
-      pushd /
-      echo a | $out/bin/app
-      popd
-
-      runHook preInstallCheck
-    '';
-  };
-in
-{
-  cxx11SGXDemo = buildSample "Cxx11SGXDemo";
-  cxx14SGXDemo = buildSample "Cxx14SGXDemo";
-  cxx17SGXDemo = buildSample "Cxx17SGXDemo";
-  localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: {
-    installPhase = ''
-      runHook preInstall
-
-      mkdir -p $out/{bin,lib}
-      install -m 755 bin/app* $out/bin
-      install bin/*.so $out/lib
-
-      for bin in $out/bin/*; do
-        wrapProgram $bin \
-          --chdir "$out/lib" \
-          ${lib.optionalString (!isSimulation)
-          ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
-      done
-
-      runHook postInstall
-    '';
-  });
-  powerTransition = buildSample "PowerTransition";
-  protobufSGXDemo = buildSample "ProtobufSGXDemo";
-  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: {
-    # Makefile sets rpath to point to $TMPDIR
-    preFixup = ''
-      patchelf --remove-rpath $out/bin/app
-    '';
-
-    postInstall = ''
-      install sample_libcrypto/*.so $out/lib
-    '';
-  });
-  sampleEnclave = buildSample "SampleEnclave";
-  sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
-  sampleMbedCrypto = buildSample "SampleMbedCrypto";
-  sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: {
-    prePatch = ''
-      substituteInPlace App/App.cpp \
-        --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
-    '';
-  });
-  switchless = buildSample "Switchless";
-  # # Requires SGX-patched openssl (sgxssl) build
-  # sampleAttestedTLS = buildSample "SampleAttestedTLS";
-} // lib.optionalAttrs (!isSimulation) {
-  # # Requires kernel >= v6.2 && HW SGX
-  # sampleAEXNotify = buildSample "SampleAEXNotify";
-
-  # Requires HW SGX
-  sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: {
-    nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs;
-
-    installPhase = ''
-      runHook preInstall
-
-      mkdir -p $out/{bin,lib}
-      mv sample app
-      install -m 755 app $out/bin
-
-      wrapProgram "$out/bin/app" \
-        --chdir "$out/lib" \
-        --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [sgx-psw]}"
-
-      runHook postInstall
-    '';
-  });
-
-  # # SEGFAULTs in simulation mode?
-  # sampleEnclavePCL = buildSample "SampleEnclavePCL";
-}
diff --git a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
deleted file mode 100644
index 019f58927152..000000000000
--- a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
-index aee499e9..13fa89d4 100644
---- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
-+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
-@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
-                    const_cast<mz_zip_archive*>(&m_ZipArchive), index)
-                    ? true
-                    : false;
--    stat.modifiedTime = zipStat.m_time;
-+    stat.modifiedTime = 0;
-     stat.crc32 = zipStat.m_crc32;
-     // This will limit the size info from uint64 to uint32 on 32-bit
-     // architectures. We don't care because we assume resources > 2GB
-diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
-index 6b0ebd7a..fa2aebca 100644
---- a/external/CppMicroServices/third_party/miniz.c
-+++ b/external/CppMicroServices/third_party/miniz.c
-@@ -170,7 +170,7 @@
- // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
- // get/set file times, and the C run-time funcs that get/set times won't be called.
- // The current downside is the times written to your archives will be from 1979.
--//#define MINIZ_NO_TIME
-+#define MINIZ_NO_TIME
-
- // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
- //#define MINIZ_NO_ARCHIVE_APIS
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
deleted file mode 100644
index 4f7374d634f3..000000000000
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ /dev/null
@@ -1,298 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, autoconf
-, automake
-, binutils
-, callPackage
-, cmake
-, file
-, gdb
-, git
-, libtool
-, linkFarmFromDrvs
-, ocaml
-, ocamlPackages
-, openssl
-, perl
-, python3
-, texinfo
-, validatePkgConfig
-, writeShellApplication
-, writeShellScript
-, writeText
-, debug ? false
-}:
-stdenv.mkDerivation rec {
-  pname = "sgx-sdk";
-  # Version as given in se_version.h
-  version = "2.24.100.3";
-  # Version as used in the Git tag
-  versionTag = "2.24";
-
-  src = fetchFromGitHub {
-    owner = "intel";
-    repo = "linux-sgx";
-    rev = "sgx_${versionTag}";
-    hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
-    fetchSubmodules = true;
-  };
-
-  postUnpack = ''
-    # Make sure this is the right version of linux-sgx
-    grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
-      || (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
-  '';
-
-  patches = [
-    # There's a `make preparation` step that downloads some prebuilt binaries
-    # and applies some patches to the in-repo git submodules. This patch removes
-    # the parts that download things, since we can't do that inside the sandbox.
-    ./disable-downloads.patch
-
-    # This patch disable mtime in bundled zip file for reproducible builds.
-    #
-    # Context: The `aesm_service` binary depends on a vendored library called
-    # `CppMicroServices`. At build time, this lib creates and then bundles
-    # service resources into a zip file and then embeds this zip into the
-    # binary. Without changes, the `aesm_service` will be different after every
-    # build because the embedded zip file contents have different modified times.
-    ./cppmicroservices-no-mtime.patch
-  ];
-
-  postPatch = ''
-    patchShebangs linux/installer/bin/build-installpkg.sh \
-      linux/installer/common/sdk/createTarball.sh \
-      linux/installer/common/sdk/install.sh \
-      external/sgx-emm/create_symlink.sh
-
-    make preparation
-  '';
-
-  # We need `cmake` as a build input but don't use it to kick off the build phase
-  dontUseCmakeConfigure = true;
-
-  # SDK built with stackprotector produces broken enclaves which crash at runtime.
-  # Disable all to be safe, SDK build configures compiler mitigations manually.
-  hardeningDisable = [ "all" ];
-
-  nativeBuildInputs = [
-    autoconf
-    automake
-    cmake
-    file
-    git
-    ocaml
-    ocamlPackages.ocamlbuild
-    perl
-    python3
-    texinfo
-    validatePkgConfig
-  ];
-
-  buildInputs = [
-    libtool
-    openssl
-  ];
-
-  BINUTILS_DIR = "${binutils}/bin";
-
-  # Build external/ippcp_internal first. The Makefile is rewritten to make the
-  # build faster by splitting different versions of ipp-crypto builds and to
-  # avoid patching the Makefile for reproducibility issues.
-  preBuild =
-    let
-      ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
-
-      sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
-
-      nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
-      ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
-        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
-      };
-
-      nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
-      ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
-        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
-      };
-    in
-    ''
-      echo "Setting up IPP crypto build artifacts"
-
-      pushd 'external/ippcp_internal'
-
-      install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
-        lib/linux/intel64/no_mitigation/libippcp.a
-      install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
-        lib/linux/intel64/cve_2020_0551_load/libippcp.a
-      install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
-        lib/linux/intel64/cve_2020_0551_cf/libippcp.a
-
-      cp -r ${ipp-crypto-no_mitigation}/include/* inc/
-
-      mkdir inc/ippcp
-      cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
-
-      rm inc/ippcp.h
-      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
-
-      install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
-
-      popd
-    '';
-
-  buildFlags = [
-    "sdk_install_pkg"
-  ] ++ lib.optionals debug [
-    "DEBUG=1"
-  ];
-
-  postBuild = ''
-    patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    installDir=$TMPDIR
-    ./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
-    installDir=$installDir/sgxsdk
-
-    echo "Move files created by installer"
-
-    mkdir -p $out/bin
-    pushd $out
-
-    mv $installDir/bin/sgx-gdb $out/bin
-    mkdir $out/bin/x64
-    for file in $installDir/bin/x64/*; do
-      mv $file bin/
-      ln -sr bin/$(basename $file) bin/x64/
-    done
-    rmdir $installDir/bin/{x64,}
-
-    # Move `lib64` to `lib` and symlink `lib64`
-    mv $installDir/lib64 lib
-    ln -s lib/ lib64
-
-    # Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
-    for file in lib/libsgx_urts.so.*; do
-      ln -srf lib/libsgx_urts.so $file
-    done
-
-    mv $installDir/include/ .
-
-    mkdir -p share/
-    mv $installDir/{SampleCode,licenses} share/
-
-    mkdir -p share/bin
-    mv $installDir/{environment,buildenv.mk} share/bin/
-    ln -s share/bin/{environment,buildenv.mk} .
-
-    # pkgconfig should go to lib/
-    mv $installDir/pkgconfig lib/
-    ln -s lib/pkgconfig/ .
-
-    # Also create the `sdk_libs` for compat. All the files
-    # link to libraries in `lib64/`, we shouldn't link the entire
-    # directory, however, as there seems to be some ambiguity between
-    # SDK and PSW libraries.
-    mkdir sdk_libs/
-    for file in $installDir/sdk_libs/*; do
-      ln -sr lib/$(basename $file) sdk_libs/
-      rm $file
-    done
-    rmdir $installDir/sdk_libs
-
-    # No uninstall script required
-    rm $installDir/uninstall.sh
-
-    # Create an `sgxsdk` symlink which points to `$out` for compat
-    ln -sr . sgxsdk
-
-    # Make sure we didn't forget any files
-    rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
-
-    popd
-
-    runHook postInstall
-  '';
-
-  preFixup = ''
-    echo "Strip sgxsdk prefix"
-    for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
-      substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
-    done
-
-    echo "Fixing pkg-config files"
-    sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc
-
-    echo "Fixing SGX_SDK default in samples"
-    substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
-      --replace '/opt/intel/sgxsdk' "$out"
-    for file in $out/share/SampleCode/*/Makefile; do
-      substituteInPlace $file \
-        --replace '/opt/intel/sgxsdk' "$out"
-    done
-
-    echo "Fixing BINUTILS_DIR in buildenv.mk"
-    substituteInPlace $out/share/bin/buildenv.mk \
-      --replace 'BINUTILS_DIR ?= /usr/local/bin' \
-                'BINUTILS_DIR ?= ${BINUTILS_DIR}'
-
-    echo "Fixing GDB path in bin/sgx-gdb"
-    substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
-  '';
-
-  doInstallCheck = true;
-
-  installCheckPhase = ''
-    runHook preInstallCheck
-
-    # Make sure all symlinks are valid
-    output=$(find "$out" -type l -exec test ! -e {} \; -print)
-    if [[ -n "$output" ]]; then
-      echo "Broken symlinks:"
-      echo "$output"
-      exit 1
-    fi
-
-    runHook postInstallCheck
-  '';
-
-  setupHook = writeText "setup-hook.sh" ''
-    sgxsdk() {
-        export SGX_SDK=@out@
-    }
-
-    postHooks+=(sgxsdk)
-  '';
-
-  passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
-
-  # Run tests in SGX hardware mode on an SGX-enabled machine
-  # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
-  passthru.runTestsHW =
-    let
-      testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
-      testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
-    in
-    writeShellApplication {
-      name = "run-tests-hw";
-      text = ''
-        for test in ${testsHWLinked}/*; do
-          printf '*** Running test %s ***\n\n' "$(basename "$test")"
-          printf 'a\n' | "$test/bin/app"
-          printf '\n'
-        done
-      '';
-    };
-
-  meta = {
-    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
-    homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ];
-    platforms = [ "x86_64-linux" ];
-    license = [ lib.licenses.bsd3 ];
-  };
-}
diff --git a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
deleted file mode 100644
index c045606df144..000000000000
--- a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 73502a7..f24bd11 100644
---- a/Makefile
-+++ b/Makefile
-@@ -50,18 +50,18 @@ tips:
- preparation:
- # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
- # Only enable the download from git
--	git submodule update --init --recursive
--	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
-+	# git submodule update --init --recursive
-+	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
- 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
- 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
--	cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
-+	cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
- 	./external/sgx-emm/create_symlink.sh
- 	cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
- 	cd external/cbor && cp -r libcbor sgx_libcbor
- 	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
- 	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
--	./download_prebuilt.sh
--	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
-+	# ./download_prebuilt.sh
-+	# ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
- 
- psw:
- 	$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
deleted file mode 100644
index eba9e7f6a0e5..000000000000
--- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ gcc11Stdenv
-, fetchFromGitHub
-, cmake
-, nasm
-, openssl
-, python3
-, extraCmakeFlags ? [ ]
-}:
-gcc11Stdenv.mkDerivation rec {
-  pname = "ipp-crypto";
-  version = "2021.11.1";
-
-  src = fetchFromGitHub {
-    owner = "intel";
-    repo = "ipp-crypto";
-    rev = "ippcp_${version}";
-    hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
-  };
-
-  cmakeFlags = [
-    "-DARCH=intel64"
-    # sgx-sdk now requires FIPS-compliance mode turned on
-    "-DIPPCP_FIPS_MODE=on"
-  ] ++ extraCmakeFlags;
-
-  nativeBuildInputs = [
-    cmake
-    nasm
-    openssl
-    python3
-  ];
-}
diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix
deleted file mode 100644
index 73cde2e030af..000000000000
--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ /dev/null
@@ -1,81 +0,0 @@
-{ stdenv
-, callPackage
-, fetchFromGitHub
-, fetchurl
-, lib
-, perl
-, sgx-sdk
-, which
-, debug ? false
-}:
-let
-  sgxVersion = sgx-sdk.versionTag;
-  opensslVersion = "3.0.13";
-in
-stdenv.mkDerivation {
-  pname = "sgx-ssl" + lib.optionalString debug "-debug";
-  version = "${sgxVersion}_${opensslVersion}";
-
-  src = fetchFromGitHub {
-    owner = "intel";
-    repo = "intel-sgx-ssl";
-    rev = "3.0_Rev2";
-    hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I=";
-  };
-
-  postUnpack =
-    let
-      opensslSourceArchive = fetchurl {
-        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-        hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
-      };
-    in
-    ''
-      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
-    '';
-
-  postPatch = ''
-    patchShebangs Linux/build_openssl.sh
-
-    # Skip the tests. Build and run separately (see below).
-    substituteInPlace Linux/sgx/Makefile \
-      --replace-fail '$(MAKE) -C $(TEST_DIR) all' \
-                     'bash -c "true"'
-  '';
-
-  nativeBuildInputs = [
-    perl
-    sgx-sdk
-    which
-  ];
-
-  makeFlags = [
-    "-C Linux"
-  ] ++ lib.optionals debug [
-    "DEBUG=1"
-  ];
-
-  installFlags = [
-    "DESTDIR=$(out)"
-  ];
-
-  # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
-  # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
-  #
-  # ```
-  # nix run .#sgx-ssl.tests.HW
-  # nix run .#sgx-ssl.tests.SIM
-  # ```
-  passthru.tests = {
-    HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
-    SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
-  };
-
-  meta = {
-    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
-    homepage = "https://github.com/intel/intel-sgx-ssl";
-    maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
-    platforms = [ "x86_64-linux" ];
-    license = with lib.licenses; [ bsd3 openssl ];
-  };
-}
diff --git a/pkgs/os-specific/linux/sgx/ssl/tests.nix b/pkgs/os-specific/linux/sgx/ssl/tests.nix
deleted file mode 100644
index d9357ba04310..000000000000
--- a/pkgs/os-specific/linux/sgx/ssl/tests.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
-# The whole package effectively does:
-#
-# ```
-# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
-# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
-# ```
-#
-# OfBorg fails to run these tests since they require real Intel HW. That
-# includes the simulation mode! The tests appears to do something fancy with
-# cpuid and exception trap handlers that make them very non-portable.
-#
-# These tests are split out from the parent pkg since recompiling the parent
-# takes like 30 min : )
-
-{ lib
-, openssl
-, sgx-psw
-, sgx-sdk
-, sgx-ssl
-, stdenv
-, which
-, opensslVersion ? throw "required parameter"
-, sgxMode ? throw "required parameter" # "SIM" or "HW"
-}:
-stdenv.mkDerivation {
-  inherit (sgx-ssl) postPatch src version;
-  pname = sgx-ssl.pname + "-tests-${sgxMode}";
-
-  postUnpack = sgx-ssl.postUnpack + ''
-    sourceRootAbs=$(readlink -e $sourceRoot)
-    packageDir=$sourceRootAbs/Linux/package
-
-    # Do the inverse of 'make install' and symlink built artifacts back into
-    # '$src/Linux/package/' to avoid work.
-    mkdir $packageDir/lib $packageDir/lib64
-    ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
-    ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
-    ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
-
-    # test_app needs some internal openssl headers.
-    # See: tail end of 'Linux/build_openssl.sh'
-    tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
-    echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
-    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
-    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
-  '';
-
-  nativeBuildInputs = [
-    openssl.bin
-    sgx-sdk
-    which
-  ];
-
-  preBuild = ''
-    # Need to regerate the edl header
-    make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
-  '';
-
-  makeFlags = [
-    "-C Linux/sgx/test_app"
-    "SGX_MODE=${sgxMode}"
-  ];
-
-  installPhase = ''
-    runHook preInstall
-
-    # Enclaves can't be stripped after signing.
-    install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
-
-    install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
-
-    runHook postInstall
-  '';
-
-  postFixup = ''
-    # Move the enclaves where they actually belong.
-    mv $TMPDIR/enclaves/*.signed.so* $out/bin/
-
-    # HW SGX must runs against sgx-psw, not sgx-sdk.
-    if [[ "${sgxMode}" == "HW" ]]; then
-      patchelf \
-        --set-rpath "$( \
-          patchelf --print-rpath $out/bin/TestApp \
-            | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
-        )" \
-        $out/bin/TestApp
-    fi
-  '';
-
-  meta = {
-    platforms = [ "x86_64-linux" ];
-    mainProgram = "TestApp";
-  };
-}