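# Intel SGX SDK for Linux, built against the IPP crypto library.
#
# The SDK's own installer (`sgx_linux_x64_sdk_<version>.bin`) is run against a
# scratch prefix and the resulting tree is then re-laid out into $out, with
# compatibility symlinks (`lib64`, `sgxsdk`, `sdk_libs`) for consumers that
# expect the upstream `/opt/intel/sgxsdk` layout.
{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, fetchzip
, callPackage
, autoconf
, automake
, binutils
, cmake
, file
, gdb
, git
, libtool
, nasm
, ocaml
, ocamlPackages
, openssl
, perl
, python3
, texinfo
, validatePkgConfig
, writeShellScript
, writeText
, debug ? false
}:

stdenv.mkDerivation rec {
  pname = "sgx-sdk";
  # Version as given in se_version.h
  version = "2.15.101.1";
  # Version as used in the Git tag
  versionTag = "2.15.1";

  src = fetchFromGitHub {
    owner = "intel";
    repo = "linux-sgx";
    rev = "sgx_${versionTag}";
    hash = "sha256-e11COTR5eDPMB81aPRKatvIkAOeX+OZgnvn2utiv78M=";
    fetchSubmodules = true;
  };

  postUnpack = ''
    # Make sure this is the right version of linux-sgx. A brace group is used
    # instead of a subshell so the `exit 1` terminates the build directly rather
    # than relying on `set -e` to propagate the subshell's status.
    grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
      || { echo "Could not find expected version ${version} in linux-sgx source" >&2; exit 1; }
  '';

  patches = [
    # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
    (fetchpatch {
      url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
      sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
    })
    # Commit to add missing sgx_ippcp.h not yet part of this release
    (fetchpatch {
      name = "add-missing-sgx_ippcp-header.patch";
      url = "https://github.com/intel/linux-sgx/commit/51d1087b707a47e18588da7bae23e5f686d44be6.patch";
      sha256 = "sha256-RZC14H1oEuGp0zn8CySDPy1KNqP/POqb+KMYoQt2A7M=";
    })
  ];

  postPatch = ''
    # https://github.com/intel/linux-sgx/pull/730
    substituteInPlace buildenv.mk --replace '/bin/cp' 'cp'

    patchShebangs linux/installer/bin/build-installpkg.sh \
      linux/installer/common/sdk/createTarball.sh \
      linux/installer/common/sdk/install.sh
  '';

  # We need `cmake` as a build input but don't use it to kick off the build phase
  dontUseCmakeConfigure = true;

  # SDK built with stackprotector produces broken enclaves which crash at runtime.
  # Disable all to be safe, SDK build configures compiler mitigations manually
  # (see the CVE-2020-0551 LOAD/CF variants of libippcp assembled in preBuild).
  hardeningDisable = [ "all" ];

  nativeBuildInputs = [
    autoconf
    automake
    cmake
    file
    git
    ocaml
    ocamlPackages.ocamlbuild
    perl
    python3
    texinfo
    validatePkgConfig
  ];

  buildInputs = [
    libtool
    openssl
  ];

  BINUTILS_DIR = "${binutils}/bin";

  # Build external/ippcp_internal first. The Makefile is rewritten to make the
  # build faster by splitting different versions of ipp-crypto builds and to
  # avoid patching the Makefile for reproducibility issues.
  #
  # Three libippcp.a flavours are produced: one without mitigation and two
  # assembled through Intel's sgx-asm-pp.py with the CVE-2020-0551 "LOAD" and
  # "CF" mitigation modes, matching the directory names the SDK build expects
  # under lib/linux/intel64/.
  preBuild =
    let
      ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };

      sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";

      # Assembler wrappers handed to CMake as CMAKE_ASM_NASM_COMPILER. "$@" is
      # quoted so that arguments containing whitespace reach the preprocessor
      # as single words instead of being re-split by the shell.
      nasm-load = writeShellScript "nasm-load" ''
        ${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD "$@"
      '';
      ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
      };

      nasm-cf = writeShellScript "nasm-cf" ''
        ${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF "$@"
      '';
      ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
      };
    in
    ''
      header "Setting up IPP crypto build artifacts"

      pushd 'external/ippcp_internal'
      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
      install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
        lib/linux/intel64/no_mitigation/libippcp.a
      install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
        lib/linux/intel64/cve_2020_0551_load/libippcp.a
      install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
        lib/linux/intel64/cve_2020_0551_cf/libippcp.a
      # The SDK ships a patch against the upstream header; apply it to a fresh copy.
      rm inc/ippcp.h
      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h
      install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
      popd
    '';

  buildFlags = [
    "sdk_install_pkg"
  ] ++ lib.optionals debug [
    "DEBUG=1"
  ];

  enableParallelBuilding = true;

  postBuild = ''
    patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
  '';

  # Run the upstream installer into a scratch prefix, then move everything into
  # the conventional $out layout. The scratch prefix must be empty afterwards,
  # otherwise the build fails so that new installer content cannot go unnoticed.
  installPhase = ''
    runHook preInstall

    installDir=$TMPDIR
    ./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
    installDir=$installDir/sgxsdk

    header "Move files created by installer"

    mkdir -p $out/bin
    pushd $out

    mv $installDir/bin/sgx-gdb $out/bin
    mkdir $out/bin/x64
    for file in $installDir/bin/x64/*; do
      mv $file bin/
      ln -sr bin/$(basename $file) bin/x64/
    done
    rmdir $installDir/bin/{x64,}

    # Move `lib64` to `lib` and symlink `lib64`
    mv $installDir/lib64 lib
    ln -s lib/ lib64

    mv $installDir/include/ .

    mkdir -p share/
    mv $installDir/{SampleCode,licenses} share/

    mkdir -p share/bin
    mv $installDir/{environment,buildenv.mk} share/bin/
    ln -s share/bin/{environment,buildenv.mk} .

    # pkgconfig should go to lib/
    mv $installDir/pkgconfig lib/
    ln -s lib/pkgconfig/ .

    # Also create the `sdk_libs` for compat. All the files
    # link to libraries in `lib64/`, we shouldn't link the entire
    # directory, however, as there seems to be some ambiguity between
    # SDK and PSW libraries.
    mkdir sdk_libs/
    for file in $installDir/sdk_libs/*; do
      ln -sr lib/$(basename $file) sdk_libs/
      rm $file
    done
    rmdir $installDir/sdk_libs

    # No uninstall script required
    rm $installDir/uninstall.sh

    # Create an `sgxsdk` symlink which points to `$out` for compat
    ln -sr . sgxsdk

    # Make sure we didn't forget any files. Brace group rather than subshell so
    # `exit 1` aborts the build on its own.
    rmdir $installDir \
      || { echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2; exit 1; }

    popd

    runHook postInstall
  '';

  # The installer bakes the scratch prefix and /usr/local, /opt/intel paths into
  # several files; rewrite them so the installed SDK is self-contained.
  preFixup = ''
    header "Strip sgxsdk prefix"
    for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
      substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
    done

    header "Fixing pkg-config files"
    sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc

    header "Fixing SGX_SDK default in samples"
    substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
      --replace '/opt/intel/sgxsdk' "$out"
    for file in $out/share/SampleCode/*/Makefile; do
      substituteInPlace $file \
        --replace '/opt/intel/sgxsdk' "$out"
    done

    header "Fixing BINUTILS_DIR in buildenv.mk"
    substituteInPlace $out/share/bin/buildenv.mk \
      --replace 'BINUTILS_DIR ?= /usr/local/bin' \
                'BINUTILS_DIR ?= ${BINUTILS_DIR}'

    header "Fixing GDB path in bin/sgx-gdb"
    substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
  '';

  doInstallCheck = true;
  installCheckPhase = ''
    runHook preInstallCheck

    # Make sure all symlinks are valid
    output=$(find "$out" -type l -exec test ! -e {} \; -print)
    if [[ -n "$output" ]]; then
      echo "Broken symlinks:"
      echo "$output"
      exit 1
    fi

    runHook postInstallCheck
  '';

  # Exports SGX_SDK for dependents, as the upstream `environment` file would.
  setupHook = writeText "setup-hook.sh" ''
    sgxsdk() {
      export SGX_SDK=@out@
    }
    postHooks+=(sgxsdk)
  '';

  passthru.tests = callPackage ./samples.nix { };

  meta = with lib; {
    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
    homepage = "https://github.com/intel/linux-sgx";
    maintainers = with maintainers; [ sbellem arturcygan veehaitch ];
    platforms = [ "x86_64-linux" ];
    license = with licenses; [ bsd3 ];
  };
}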