-rw-r--r-- | maintainers/maintainer-list.nix | 6 | ||||
-rw-r--r-- | pkgs/os-specific/linux/sgx-sdk/default.nix | 159 | ||||
-rw-r--r-- | pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix | 24 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 2 |
4 files changed, 191 insertions, 0 deletions
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
index 282a018dff9ac..feebff4884f33 100644
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -10185,6 +10185,12 @@
 githubId = 720864;
 name = "Sébastien Bourdeauducq";
 };
+ sbellem = {
+ email = "sbellem@gmail.com";
+ github = "sbellem";
+ githubId = 125458;
+ name = "Sylvain Bellemare";
+ };
 sbond75 = {
 name = "sbond75";
 email = "43617712+sbond75@users.noreply.github.com";
diff --git a/pkgs/os-specific/linux/sgx-sdk/default.nix b/pkgs/os-specific/linux/sgx-sdk/default.nix
new file mode 100644
index 0000000000000..130fd12cbb913
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx-sdk/default.nix
@@ -0,0 +1,159 @@
+{ lib
+, stdenv
+, fetchpatch
+, fetchurl
+, fetchFromGitHub
+, callPackage
+, autoconf
+, automake
+, binutils
+, cmake
+, file
+, git
+, libtool
+, nasm
+, ncurses
+, ocaml
+, ocamlPackages
+, openssl
+, perl
+, python3
+, texinfo
+, which
+, writeShellScript
+}:
+
+stdenv.mkDerivation rec {
+ pname = "sgx-sdk";
+ version = "2.14";
+
+ src = fetchFromGitHub {
+ owner = "intel";
+ repo = "linux-sgx";
+ rev = "0cea078f17a24fb807e706409972d77f7a958db9";
+ sha256 = "1cr2mkk459s270ng0yddgcryi0zc3dfmg9rmdrdh9mhy2mc1kx0g";
+ fetchSubmodules = true;
+ };
+
+ patches = [
+ (fetchpatch {
+ name = "replace-bin-cp-with-cp.patch";
+ url = "https://github.com/intel/linux-sgx/commit/e0db5291d46d1c124980719d63829d65f89cf2c7.patch";
+ sha256 = "0xwlpm1r4rl4anfhjkr6fgz0gcyhr0ng46fv8iw9hfsh891yqb7z";
+ })
+ (fetchpatch {
+ name = "sgx_ippcp.h.patch";
+ url = "https://github.com/intel/linux-sgx/commit/e5929083f8161a8e7404afc0577936003fbb9d0b.patch";
+ sha256 = "12bgs9rxlq82hn5prl9qz2r4mwypink8hzdz4cki4k4cmkw961f5";
+ })
+ ];
+ postPatch = ''
+ patchShebangs ./linux/installer/bin/build-installpkg.sh \
+ ./linux/installer/common/sdk/createTarball.sh \
+ ./linux/installer/common/sdk/install.sh
+ '';
+
+ dontConfigure = true;
+
+ # SDK built with stackprotector produces broken enclaves which crash at runtime.
+ # Disable all to be safe, SDK build configures compiler mitigations manually.
+ hardeningDisable = [ "all" ];
+
+ nativeBuildInputs = [
+ cmake
+ git
+ ocaml
+ ocamlPackages.ocamlbuild
+ perl
+ python3
+ texinfo
+ nasm
+ file
+ ncurses
+ autoconf
+ automake
+ ];
+
+ buildInputs = [
+ libtool
+ openssl
+ ];
+
+ BINUTILS_DIR = "${binutils}/bin";
+
+ # Build external/ippcp_internal first. The Makefile is rewritten to make the
+ # build faster by splitting different versions of ipp-crypto builds and to
+ # avoid patching the Makefile for reproducibility issues.
+ buildPhase = let
+ ipp-crypto-no_mitigation = callPackage (import ./ipp-crypto.nix) {};
+
+ sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
+
+ nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
+ ipp-crypto-cve_2020_0551_load = callPackage (import ./ipp-crypto.nix) {
+ extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
+ };
+
+ nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
+ ipp-crypto-cve_2020_0551_cf = callPackage (import ./ipp-crypto.nix) {
+ extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
+ };
+ in ''
+ cd external/ippcp_internal
+
+ mkdir -p lib/linux/intel64/no_mitigation
+ cp ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a lib/linux/intel64/no_mitigation
+ chmod a+w lib/linux/intel64/no_mitigation/libippcp.a
+ cp ${ipp-crypto-no_mitigation}/include/* ./inc
+
+ mkdir -p lib/linux/intel64/cve_2020_0551_load
+ cp ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_load
+ chmod a+w lib/linux/intel64/cve_2020_0551_load/libippcp.a
+
+ mkdir -p lib/linux/intel64/cve_2020_0551_cf
+ cp ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_cf
+ chmod a+w lib/linux/intel64/cve_2020_0551_cf/libippcp.a
+
+ rm -f ./inc/ippcp.h
+ patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp20u3.patch -o ./inc/ippcp.h
+
+ mkdir -p license
+ cp ${ipp-crypto-no_mitigation.src}/LICENSE ./license
+
+ # Build the SDK installation package.
+ cd ../..
+
+ # Nix patches make so that $(SHELL) defaults to "sh" instead of "/bin/sh".
+ # The build uses $(SHELL) as an argument to file -L which requires a path.
+ make SHELL=$SHELL sdk_install_pkg
+
+ runHook postBuild
+ '';
+
+ postBuild = ''
+ patchShebangs ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
+ '';
+
+ installPhase = ''
+ echo -e 'no\n'$out | ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
+ '';
+
+ dontFixup = true;
+
+ doInstallCheck = true;
+ installCheckInputs = [ which ];
+ installCheckPhase = ''
+ source $out/sgxsdk/environment
+ cd SampleCode/SampleEnclave
+ make SGX_MODE=SGX_SIM
+ ./app
+ '';
+
+ meta = with lib; {
+ description = "Intel SGX SDK for Linux built with IPP Crypto Library";
+ homepage = "https://github.com/intel/linux-sgx";
+ maintainers = with maintainers; [ sbellem arturcygan ];
+ platforms = [ "x86_64-linux" ];
+ license = with licenses; [ bsd3 ];
+ };
+}
diff --git a/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix
new file mode 100644
index 0000000000000..52cef4f82815b
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix
@@ -0,0 +1,24 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, python3
+, nasm
+, extraCmakeFlags ? []
+}:
+
+stdenv.mkDerivation rec {
+ pname = "ipp-crypto";
+ version = "2020_update3";
+
+ src = fetchFromGitHub {
+ owner = "intel";
+ repo = "ipp-crypto";
+ rev = "ipp-crypto_${version}";
+ sha256 = "02vlda6mlhbd12ljzdf65klpx4kmx1ylch9w3yllsiya4hwqzy4b";
+ };
+
+ cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+
+ nativeBuildInputs = [ cmake python3 nasm ];
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f9fd59bbf896c..ed598faef807a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -22473,6 +22473,8 @@ with pkgs;
 seturgent = callPackage ../os-specific/linux/seturgent { };
+ sgx-sdk = callPackage ../os-specific/linux/sgx-sdk { };
+
 shadow = callPackage ../os-specific/linux/shadow { };
 sinit = callPackage ../os-specific/linux/sinit { |
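Review bot: The two `writeShellScript` assembler wrappers in `buildPhase` expand `$@` unquoted (`"${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@"`), so any argument CMake hands to the NASM driver that contains whitespace is re-split before it reaches sgx-asm-pp.py; write them as `"${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD \"$@\""` and `"${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF \"$@\""`. The three libippcp.a variants differ only in that assembler wrapper, so if the upstream ippcp_internal Makefile this buildPhase replaces also passes CVE-2020-0551 mitigation flags to the C compiler for the LOAD/CF builds (not visible in this diff), the C objects in those archives would be unmitigated while enclaves linking them believe they are LVI-hardened — worth confirming against the upstream Makefile and recording the answer in the comment above `buildPhase`. Separately, `hardeningDisable = [ "all" ]` also strips PIE/RELRO/fortify from the untrusted host-side tools the SDK installs, not just the enclave-side objects the comment is worried about; if the build allows it, narrow the list to the flags that actually break enclaves (at least `stackprotector`, per the comment) or state in that comment why the blanket disable is required.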
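Review bot: `ipp-crypto.nix` takes `lib` as an argument but never uses it, and the derivation carries no `meta` at all, even though default.nix depends on `${ipp-crypto-no_mitigation.src}/LICENSE` to ship this library's license alongside the SDK. Since the output is only ever built with `-DARCH=intel64`, it should at least declare `meta = with lib; { platforms = [ "x86_64-linux" ]; license = ...; };` with the license matching that vendored LICENSE file, or else drop the unused `lib` parameter.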