Diffstat (limited to 'pkgs/os-specific/linux/sgx')
-rw-r--r--pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix6
-rw-r--r--pkgs/os-specific/linux/sgx/psw/default.nix10
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch26
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/default.nix48
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch26
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix4
-rw-r--r--pkgs/os-specific/linux/sgx/ssl/default.nix36
-rw-r--r--pkgs/os-specific/linux/sgx/ssl/tests.nix95
8 files changed, 193 insertions, 58 deletions
diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
index 0ee191e868957..c21f8ea8a644b 100644
--- a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
+++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
@@ -35,13 +35,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "azure-dcap-client";
-  version = "1.12.1";
+  version = "1.12.3";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = pname;
     rev = version;
-    hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU=";
+    hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA=";
   };
 
   patches = [
@@ -87,7 +87,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
     homepage = "https://github.com/microsoft/azure-dcap-client";
-    maintainers = with maintainers; [ trundle veehaitch ];
+    maintainers = with maintainers; [ phlip9 trundle veehaitch ];
     platforms = [ "x86_64-linux" ];
     license = [ licenses.mit ];
   };
diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
index 22e52b6ec9fdb..42e00071d8101 100644
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -14,7 +14,7 @@
 , debug ? false
 }:
 stdenv.mkDerivation rec {
-  inherit (sgx-sdk) version versionTag src;
+  inherit (sgx-sdk) patches src version versionTag;
   pname = "sgx-psw";
 
   postUnpack =
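Review bot: `inherit (sgx-sdk) patches src version versionTag;` now applies both of the sdk's patches (`disable-downloads.patch` and `cppmicroservices-no-mtime.patch`) to sgx-psw, but nothing in this hunk says which of them sgx-psw actually needs; the sdk's own comment ties the mtime patch to `aesm_service`, which is presumably the psw-side reason. A comment above the line, e.g. `# sgx-sdk's patches also make aesm_service reproducible (CppMicroServices mtime patch)`, would spare the reader the cross-reference. Whether `disable-downloads.patch` matters here depends on whether sgx-psw's postPatch (outside this hunk) also runs `make preparation`.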
@@ -24,16 +24,16 @@ stdenv.mkDerivation rec {
       # attestation quotes, and do platform certification.
       ae.prebuilt = fetchurl {
         url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
-        hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
+        hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q=";
       };
       # Also include the Data Center Attestation Primitives (DCAP) platform
       # enclaves.
       dcap = rec {
-        version = "1.18";
+        version = "1.20";
         filename = "prebuilt_dcap_${version}.tar.gz";
         prebuilt = fetchurl {
           url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
-          hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
+          hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
         };
       };
     in
@@ -181,7 +181,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Intel SGX Architectural Enclave Service Manager";
     homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ veehaitch citadelcore ];
+    maintainers = with maintainers; [ phlip9 veehaitch citadelcore ];
     platforms = [ "x86_64-linux" ];
     license = with licenses; [ bsd3 ];
   };
diff --git a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
new file mode 100644
index 0000000000000..019f58927152a
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
@@ -0,0 +1,26 @@
+diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+index aee499e9..13fa89d4 100644
+--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
++++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
+                    const_cast<mz_zip_archive*>(&m_ZipArchive), index)
+                    ? true
+                    : false;
+-    stat.modifiedTime = zipStat.m_time;
++    stat.modifiedTime = 0;
+     stat.crc32 = zipStat.m_crc32;
+     // This will limit the size info from uint64 to uint32 on 32-bit
+     // architectures. We don't care because we assume resources > 2GB
+diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
+index 6b0ebd7a..fa2aebca 100644
+--- a/external/CppMicroServices/third_party/miniz.c
++++ b/external/CppMicroServices/third_party/miniz.c
+@@ -170,7 +170,7 @@
+ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
+ // get/set file times, and the C run-time funcs that get/set times won't be called.
+ // The current downside is the times written to your archives will be from 1979.
+-//#define MINIZ_NO_TIME
++#define MINIZ_NO_TIME
+
+ // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
+ //#define MINIZ_NO_ARCHIVE_APIS
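Review bot: The new patch file carries no description of its own, and `git apply`/`patch` ignore text before the first `diff --git` header, so the rationale given in sdk/default.nix (zero the zip entry mtimes so the resource bundle embedded in the binary is reproducible) could be repeated at the top of this file where it travels with the patch. The two hunks are consistent with each other: the miniz comment states that with `MINIZ_NO_TIME` the archive functions no longer get or set file times, so pinning `stat.modifiedTime = 0` in BundleResourceContainer.cpp instead of reading `zipStat.m_time` is the matching change on the consumer side.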
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index 2570406a7112e..67489ee3c07c4 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , autoconf
 , automake
 , binutils
@@ -27,15 +26,15 @@
 stdenv.mkDerivation rec {
   pname = "sgx-sdk";
   # Version as given in se_version.h
-  version = "2.21.100.1";
+  version = "2.23.100.2";
   # Version as used in the Git tag
-  versionTag = "2.21";
+  versionTag = "2.23";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "linux-sgx";
     rev = "sgx_${versionTag}";
-    hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY=";
+    hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
     fetchSubmodules = true;
   };
 
@@ -46,39 +45,28 @@ stdenv.mkDerivation rec {
   '';
 
   patches = [
-    # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
-    (fetchpatch {
-      url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
-      sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
-    })
+    # There's a `make preparation` step that downloads some prebuilt binaries
+    # and applies some patches to the in-repo git submodules. This patch removes
+    # the parts that download things, since we can't do that inside the sandbox.
+    ./disable-downloads.patch
+
+    # This patch disable mtime in bundled zip file for reproducible builds.
+    #
+    # Context: The `aesm_service` binary depends on a vendored library called
+    # `CppMicroServices`. At build time, this lib creates and then bundles
+    # service resources into a zip file and then embeds this zip into the
+    # binary. Without changes, the `aesm_service` will be different after every
+    # build because the embedded zip file contents have different modified times.
+    ./cppmicroservices-no-mtime.patch
   ];
 
-  # There's a `make preparation` step that downloads some prebuilt binaries and
-  # applies some patches to the in-repo git submodules. We can't just run it,
-  # since it downloads things, so this step just extracts the patching steps.
   postPatch = ''
     patchShebangs linux/installer/bin/build-installpkg.sh \
       linux/installer/common/sdk/createTarball.sh \
       linux/installer/common/sdk/install.sh \
       external/sgx-emm/create_symlink.sh
 
-    echo "Running 'make preparation' but without download steps"
-
-    # Seems to download something. Build currently uses ipp-crypto and not
-    # sgxssl so probably not an issue.
-    # $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
-
-    pushd external/openmp/openmp_code
-      git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \
-        || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
-    popd
-
-    pushd external/protobuf/protobuf_code
-      git apply ../sgx_protobuf.patch >/dev/null 2>&1 \
-        || git apply ../sgx_protobuf.patch --check -R
-    popd
-
-    ./external/sgx-emm/create_symlink.sh
+    make preparation
   '';
 
   # We need `cmake` as a build input but don't use it to kick off the build phase
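Review bot: The comment `# This patch disable mtime in bundled zip file for reproducible builds.` should read `# This patch disables mtime in the bundled zip file for reproducible builds.`, and the removed postPatch comment explaining that `prepare_sgxssl.sh` is safe to skip because the build uses ipp-crypto rather than sgxssl was useful context that is now gone; it belongs next to `./disable-downloads.patch`. `make preparation` still runs `git apply` inside the submodules (visible in the patched Makefile), so `git` must remain available in `nativeBuildInputs`, which this hunk does not show — presumably unchanged, since the old postPatch invoked `git apply` directly.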
@@ -300,7 +288,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Intel SGX SDK for Linux built with IPP Crypto Library";
     homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ sbellem arturcygan veehaitch ];
+    maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
     platforms = [ "x86_64-linux" ];
     license = with licenses; [ bsd3 ];
   };
diff --git a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
new file mode 100644
index 0000000000000..bdf9b9f9136e9
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
@@ -0,0 +1,26 @@
+diff --git a/Makefile b/Makefile
+index 32433051..2e480efb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,8 +50,8 @@ tips:
+ preparation:
+ # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+ # Only enable the download from git
+-	git submodule update --init --recursive
+-	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
++	# git submodule update --init --recursive
++	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+ 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+ 	./external/sgx-emm/create_symlink.sh
+@@ -59,8 +59,8 @@ preparation:
+ 	cd external/cbor && cp -r libcbor sgx_libcbor
+ 	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
+ 	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+-	./download_prebuilt.sh
+-	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++	# ./download_prebuilt.sh
++	# ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ 
+ psw:
+ 	$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
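Review bot: The patch comments the download lines out rather than deleting them, which works because a recipe line beginning with `#` is handed to the shell as a no-op, but it leaves four dead lines to trip up the next rebase; deleting them has the same effect with a smaller patch. A one-line header above the first `diff --git` (ignored by `git apply`) naming the replacements, e.g. `# Downloads replaced by fetchSubmodules in sdk/default.nix and the pinned ae.prebuilt/dcap.prebuilt fetchurl entries in psw/default.nix`, would document why each skipped step is safe inside the sandbox.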
diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
index 5a4c941a22b99..c72a0c5285164 100644
--- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
@@ -8,13 +8,13 @@
 }:
 gcc11Stdenv.mkDerivation rec {
   pname = "ipp-crypto";
-  version = "2021.9.0";
+  version = "2021.10.0";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "ipp-crypto";
     rev = "ippcp_${version}";
-    hash = "sha256-+ITnxyrkDQp4xRa+PVzXdYsSkI5sMNwQGfGU+lFJ6co=";
+    hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
   };
 
   cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix
index 9d1905e09d1f7..94d7e20b21c41 100644
--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -1,8 +1,8 @@
 { stdenv
+, callPackage
 , fetchFromGitHub
 , fetchurl
 , lib
-, openssl
 , perl
 , sgx-sdk
 , which
@@ -10,7 +10,7 @@
 }:
 let
   sgxVersion = sgx-sdk.versionTag;
-  opensslVersion = "1.1.1u";
+  opensslVersion = "3.0.12";
 in
 stdenv.mkDerivation {
   pname = "sgx-ssl" + lib.optionalString debug "-debug";
@@ -19,15 +19,15 @@ stdenv.mkDerivation {
   src = fetchFromGitHub {
     owner = "intel";
     repo = "intel-sgx-ssl";
-    rev = "lin_${sgxVersion}_${opensslVersion}";
-    hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
+    rev = "3.0_Rev2";
+    hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I=";
   };
 
   postUnpack =
     let
       opensslSourceArchive = fetchurl {
         url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-        hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
+        hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E=";
       };
     in
     ''
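Review bot: `rev = "3.0_Rev2";` no longer derives from `sgxVersion` or `opensslVersion`, so the `sgxVersion = sgx-sdk.versionTag;` binding in the previous hunk looks unused now (the rest of the file is outside this view — drop it if nothing else reads it), and a future OpenSSL bump will no longer fail loudly when the upstream tag and `opensslVersion` disagree. A comment tying the two together, e.g. `# upstream release tag; must match the OpenSSL tarball fetched via opensslVersion below`, would make the coupling explicit.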
@@ -37,7 +37,7 @@ stdenv.mkDerivation {
   postPatch = ''
     patchShebangs Linux/build_openssl.sh
 
-    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    # Skip the tests. Build and run separately (see below).
     substituteInPlace Linux/sgx/Makefile \
       --replace '$(MAKE) -C $(TEST_DIR) all' \
                 'bash -c "true"'
@@ -46,7 +46,6 @@ stdenv.mkDerivation {
   nativeBuildInputs = [
     perl
     sgx-sdk
-    stdenv.cc.libc
     which
   ];
 
@@ -60,21 +59,22 @@ stdenv.mkDerivation {
     "DESTDIR=$(out)"
   ];
 
-  # Build the test app
-  doInstallCheck = true;
-  installCheckTarget = "test";
-  installCheckFlags = [
-    "SGX_MODE=SIM"
-    "-j 1" # Makefile doesn't support multiple jobs
-  ];
-  nativeInstallCheckInputs = [
-    openssl
-  ];
+  # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
+  # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
+  #
+  # ```
+  # nix run .#sgx-ssl.tests.HW
+  # nix run .#sgx-ssl.tests.SIM
+  # ```
+  passthru.tests = {
+    HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
+    SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
+  };
 
   meta = with lib; {
     description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
     homepage = "https://github.com/intel/intel-sgx-ssl";
-    maintainers = with maintainers; [ trundle veehaitch ];
+    maintainers = with maintainers; [ phlip9 trundle veehaitch ];
     platforms = [ "x86_64-linux" ];
     license = [ licenses.bsd3 licenses.openssl ];
   };
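Review bot: `callPackage ./tests.nix { ... }` resolves `sgx-ssl` from the package set rather than from this derivation, so an overridden build (for example the `debug = true` variant whose pname is set above) gets tests built against the stock sgx-ssl. If the file is moved to `stdenv.mkDerivation (finalAttrs: { ... })`, passing `sgx-ssl = finalAttrs.finalPackage;` in both callPackage calls makes the tests follow overrides. The comment is clear that the harness only runs on real hardware; it could also say that these attributes only build the harness, so a successful `nix build` of them is not evidence the tests pass.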
diff --git a/pkgs/os-specific/linux/sgx/ssl/tests.nix b/pkgs/os-specific/linux/sgx/ssl/tests.nix
new file mode 100644
index 0000000000000..d9357ba043102
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/ssl/tests.nix
@@ -0,0 +1,95 @@
+# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
+# The whole package effectively does:
+#
+# ```
+# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
+# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
+# ```
+#
+# OfBorg fails to run these tests since they require real Intel HW. That
+# includes the simulation mode! The tests appears to do something fancy with
+# cpuid and exception trap handlers that make them very non-portable.
+#
+# These tests are split out from the parent pkg since recompiling the parent
+# takes like 30 min : )
+
+{ lib
+, openssl
+, sgx-psw
+, sgx-sdk
+, sgx-ssl
+, stdenv
+, which
+, opensslVersion ? throw "required parameter"
+, sgxMode ? throw "required parameter" # "SIM" or "HW"
+}:
+stdenv.mkDerivation {
+  inherit (sgx-ssl) postPatch src version;
+  pname = sgx-ssl.pname + "-tests-${sgxMode}";
+
+  postUnpack = sgx-ssl.postUnpack + ''
+    sourceRootAbs=$(readlink -e $sourceRoot)
+    packageDir=$sourceRootAbs/Linux/package
+
+    # Do the inverse of 'make install' and symlink built artifacts back into
+    # '$src/Linux/package/' to avoid work.
+    mkdir $packageDir/lib $packageDir/lib64
+    ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
+    ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
+    ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
+
+    # test_app needs some internal openssl headers.
+    # See: tail end of 'Linux/build_openssl.sh'
+    tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
+    echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
+  '';
+
+  nativeBuildInputs = [
+    openssl.bin
+    sgx-sdk
+    which
+  ];
+
+  preBuild = ''
+    # Need to regerate the edl header
+    make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
+  '';
+
+  makeFlags = [
+    "-C Linux/sgx/test_app"
+    "SGX_MODE=${sgxMode}"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    # Enclaves can't be stripped after signing.
+    install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
+
+    install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    # Move the enclaves where they actually belong.
+    mv $TMPDIR/enclaves/*.signed.so* $out/bin/
+
+    # HW SGX must runs against sgx-psw, not sgx-sdk.
+    if [[ "${sgxMode}" == "HW" ]]; then
+      patchelf \
+        --set-rpath "$( \
+          patchelf --print-rpath $out/bin/TestApp \
+            | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
+        )" \
+        $out/bin/TestApp
+    fi
+  '';
+
+  meta = {
+    platforms = [ "x86_64-linux" ];
+    mainProgram = "TestApp";
+  };
+}
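Review bot: `opensslVersion ? throw "required parameter"` and `sgxMode ? throw "required parameter"` hide the argument name from the evaluation error; declaring them as plain required arguments (`, opensslVersion` and `, sgxMode # "SIM" or "HW"`) lets callPackage report exactly which one is missing. The rpath rewrite in postFixup uses `sed 's|…|…|'` without the `g` flag, so only the first sgx-sdk entry in the rpath is redirected to sgx-psw — fine if it appears once, but `s|…|…|g` is the safer spelling. `meta` carries no license or maintainers; `inherit (sgx-ssl.meta) license maintainers;` keeps them in step with the parent. Two comment typos: `# Need to regerate the edl header` → `regenerate`, and `# HW SGX must runs against sgx-psw, not sgx-sdk.` → `must run`.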