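{ stdenv
, lib
, fetchurl
, cmake
, coreutils
, curl
, file
, makeWrapper
, nixosTests
, protobuf
, python3
, sgx-sdk
, which
, debug ? false
}:

# Intel SGX Platform Software (PSW): the AESM daemon plus the Intel-signed
# Architectural Enclaves it loads. Version, tag and source are shared with
# sgx-sdk so the PSW is always built from the same linux-sgx checkout.
stdenv.mkDerivation rec {
  inherit (sgx-sdk) version versionTag src;
  pname = "sgx-psw";

  postUnpack =
    let
      # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
      # run user application enclaves, verify launch policies, produce remote
      # attestation quotes, and do platform certification.
      #
      # These binaries are shipped as-is (see the ".signed.so" handling in
      # postInstall/postFixup), so the pinned hash below is what ties this
      # package to one specific set of Intel-signed enclaves.
      ae.prebuilt = fetchurl {
        url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
        hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
      };

      # Also include the Data Center Attestation Primitives (DCAP) platform
      # enclaves. `version` inside this `rec` is the DCAP release, not the
      # SDK version inherited above.
      dcap = rec {
        version = "1.18";
        filename = "prebuilt_dcap_${version}.tar.gz";
        prebuilt = fetchurl {
          # `filename` is the same string checked against the linux-sgx
          # download script below, so the two cannot drift apart.
          url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
          hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
        };
      };
    in
    sgx-sdk.postUnpack + ''
      # Make sure we use the correct version of prebuilt DCAP: linux-sgx's own
      # download script names the tarball it expects, so a mismatch would pair
      # the PSW with DCAP enclaves it was not built against.
      # `{ ...; exit 1; }` rather than a subshell so the failure aborts the
      # build regardless of whether errexit is in effect.
      grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
        || { echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2; exit 1; }

      tar -zxf ${ae.prebuilt} -C $sourceRoot/
      tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
    '';

  nativeBuildInputs = [
    cmake
    file
    makeWrapper
    python3
    sgx-sdk
    which
  ];

  buildInputs = [
    curl
    protobuf
  ];

  hardeningDisable = [
    # causes redefinition of _FORTIFY_SOURCE
    "fortify3"
  ] ++ lib.optionals debug [
    # Release builds keep the default fortify level; it is only dropped for
    # debug builds (DEBUG=1 below), presumably because the unoptimised build
    # does not support it — TODO confirm against the linux-sgx Makefiles.
    "fortify"
  ];

  postPatch = ''
    patchShebangs \
      linux/installer/bin/build-installpkg.sh \
      linux/installer/common/psw/createTarball.sh \
      linux/installer/common/psw/install.sh
  '';

  # The upstream build is driven by its own Makefiles; cmake is only needed
  # as a tool, not as the configure step.
  dontUseCmakeConfigure = true;

  buildFlags = [
    "psw_install_pkg"
  ] ++ lib.optionals debug [
    "DEBUG=1"
  ];

  # Install upstream's package into a staging directory first; postInstall
  # then relocates every file into $out explicitly and fails if anything is
  # left over, so nothing lands in a path that was not reviewed.
  installFlags = [
    "-C linux/installer/common/psw/output"
    "DESTDIR=$(TMPDIR)/install"
  ];

  postInstall = ''
    installDir=$TMPDIR/install
    sgxPswDir=$installDir/opt/intel/sgxpsw

    mv $installDir/usr/lib64/ $out/lib/
    ln -sr $out/lib $out/lib64

    # Install udev rules to lib/udev/rules.d
    mv $sgxPswDir/udev/ $out/lib/

    # Install example AESM config
    mkdir $out/etc/
    mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
    rmdir $sgxPswDir/aesm/conf/

    # Delete init service
    rm $sgxPswDir/aesm/aesmd.conf

    # Move systemd services
    #
    # NOTE(review): remount-dev-exec.service is shipped unmodified. Its name
    # suggests it remounts /dev with exec permitted, which relaxes a common
    # hardening setting; review its contents before enabling it on a
    # non-NixOS host.
    mkdir -p $out/lib/systemd/system/
    mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
    mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/

    # Move misc files
    mkdir $out/share/
    mv $sgxPswDir/licenses $out/share/

    # Remove unnecessary files
    rm $sgxPswDir/{cleanup.sh,startup.sh}
    rm -r $sgxPswDir/scripts

    # Move aesmd binaries/libraries/enclaves
    mv $sgxPswDir/aesm/ $out/

    # We absolutely MUST avoid stripping or patching these ".signed.so" SGX
    # enclaves. Stripping would change each enclave measurement (hash of the
    # binary), which is what Intel's signature covers, so the enclaves would
    # no longer be accepted as the signed ones.
    #
    # We're going to temporarily move these enclave libs to another directory
    # until after stripping/patching in the fixupPhase.
    mkdir $TMPDIR/enclaves
    mv $out/aesm/*.signed.so* $TMPDIR/enclaves

    mkdir $out/bin
    # NOTE(review): --suffix means an LD_LIBRARY_PATH already present in the
    # caller's environment is searched before protobuf and $out/aesm. That is
    # fine under a systemd-controlled environment, but keep it in mind if the
    # wrapper is ever launched from an untrusted shell environment.
    makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
      --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
      --chdir "$out/aesm"

    # Make sure we didn't forget to handle any files. rmdir only succeeds on
    # an empty directory; list the PSW directory itself (not the whole
    # staging tree) so the message shows the files that were actually missed.
    rmdir $sgxPswDir || { echo "Error: The directory $sgxPswDir still contains unhandled files: $(ls -A $sgxPswDir)" >&2; exit 1; }
  '';

  stripDebugList = [
    "lib"
    "bin"
    # Also strip binaries/libs in the `aesm` directory
    "aesm"
  ];

  postFixup = ''
    # Move the SGX enclaves back after everything else has been stripped.
    mv $TMPDIR/enclaves/*.signed.so* $out/aesm/
    rmdir $TMPDIR/enclaves

    # Fixup the aesmd systemd service
    #
    # Most—if not all—of those fixups are not relevant for NixOS as we have our own
    # NixOS module which is based on those files without relying on them. Still, it
    # is helpful to have properly patched versions for non-NixOS distributions.
    #
    # The replacements are applied in order: the ExecStart pattern below
    # already contains "$out/aesm", i.e. it relies on '@aesm_folder@' having
    # been substituted first.
    echo "Fixing aesmd.service"
    substituteInPlace $out/lib/systemd/system/aesmd.service \
      --replace '@aesm_folder@' \
        "$out/aesm" \
      --replace 'Type=forking' \
        'Type=simple' \
      --replace "ExecStart=$out/aesm/aesm_service" \
        "ExecStart=$out/bin/aesm_service --no-daemon" \
      --replace "/bin/mkdir" \
        "${coreutils}/bin/mkdir" \
      --replace "/bin/chown" \
        "${coreutils}/bin/chown" \
      --replace "/bin/chmod" \
        "${coreutils}/bin/chmod" \
      --replace "/bin/kill" \
        "${coreutils}/bin/kill"
  '';

  passthru.tests = {
    service = nixosTests.aesmd;
  };

  meta = with lib; {
    description = "Intel SGX Architectural Enclave Service Manager";
    homepage = "https://github.com/intel/linux-sgx";
    maintainers = with maintainers; [ veehaitch citadelcore ];
    platforms = [ "x86_64-linux" ];
    license = with licenses; [ bsd3 ];
  };
}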