1 files changed, 95 insertions, 0 deletions
diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix
new file mode 100644
index 0000000000000..c54eda19d6a21
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -0,0 +1,95 @@
+{ stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchurl
+, lib
+, perl
+, sgx-sdk
+, which
+, debug ? false
+}:
+let
+  sgxVersion = sgx-sdk.versionTag;
+  opensslVersion = "1.1.1l";
+in
+stdenv.mkDerivation rec {
+  pname = "sgx-ssl" + lib.optionalString debug "-debug";
+  version = "lin_${sgxVersion}_${opensslVersion}";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-sgx-ssl";
+    rev = version;
+    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+  };
+
+  postUnpack =
+    let
+      opensslSourceArchive = fetchurl {
+        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
+        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+      };
+    in
+    ''
+      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
+    '';
+
+  patches = [
+    # https://github.com/intel/intel-sgx-ssl/pull/111
+    ./intel-sgx-ssl-pr-111.patch
+  ];
+
+  postPatch = ''
+    patchShebangs Linux/build_openssl.sh
+
+    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    substituteInPlace Linux/sgx/Makefile \
+      --replace '$(MAKE) -C $(TEST_DIR) all' \
+                'bash -c "true"'
+  '';
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [
+    perl
+    sgx-sdk
+    stdenv.glibc
+    which
+  ];
+
+  makeFlags = [
+    "-C Linux"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+  ];
+
+  # Build the test app
+  #
+  # Running the test app is currently only supported on Intel CPUs
+  # and will fail on non-Intel CPUs even in SGX simulation mode.
+  # Therefore, we only build the test app without running it until
+  # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
+  doInstallCheck = true;
+  installCheckTarget = "all";
+  installCheckFlags = [
+    "SGX_MODE=SIM"
+    "-C sgx/test_app"
+    "-j 1" # Makefile doesn't support multiple jobs
+  ];
+  preInstallCheck = ''
+    # Expects the enclave file in the current working dir
+    ln -s sgx/test_app/TestEnclave.signed.so .
+  '';
+
+  meta = with lib; {
+    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
+    homepage = "https://github.com/intel/intel-sgx-ssl";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 openssl ];
+  };
+}