Merge pull request #283405 from phlip9/update-sgx-2.23
sgx-sdk: 2.21 -> 2.23
This commit is contained in:
commit
60158aae64
@ -35,13 +35,13 @@ let
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "azure-dcap-client";
|
||||
version = "1.12.1";
|
||||
version = "1.12.3";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "microsoft";
|
||||
repo = pname;
|
||||
rev = version;
|
||||
hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU=";
|
||||
hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
@ -87,7 +87,7 @@ stdenv.mkDerivation rec {
|
||||
meta = with lib; {
|
||||
description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
|
||||
homepage = "https://github.com/microsoft/azure-dcap-client";
|
||||
maintainers = with maintainers; [ trundle veehaitch ];
|
||||
maintainers = with maintainers; [ phlip9 trundle veehaitch ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
license = [ licenses.mit ];
|
||||
};
|
||||
|
@ -14,7 +14,7 @@
|
||||
, debug ? false
|
||||
}:
|
||||
stdenv.mkDerivation rec {
|
||||
inherit (sgx-sdk) version versionTag src;
|
||||
inherit (sgx-sdk) patches src version versionTag;
|
||||
pname = "sgx-psw";
|
||||
|
||||
postUnpack =
|
||||
@ -24,16 +24,16 @@ stdenv.mkDerivation rec {
|
||||
# attestation quotes, and do platform certification.
|
||||
ae.prebuilt = fetchurl {
|
||||
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
|
||||
hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
|
||||
hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q=";
|
||||
};
|
||||
# Also include the Data Center Attestation Primitives (DCAP) platform
|
||||
# enclaves.
|
||||
dcap = rec {
|
||||
version = "1.18";
|
||||
version = "1.20";
|
||||
filename = "prebuilt_dcap_${version}.tar.gz";
|
||||
prebuilt = fetchurl {
|
||||
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
|
||||
hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
|
||||
hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
|
||||
};
|
||||
};
|
||||
in
|
||||
@ -181,7 +181,7 @@ stdenv.mkDerivation rec {
|
||||
meta = with lib; {
|
||||
description = "Intel SGX Architectural Enclave Service Manager";
|
||||
homepage = "https://github.com/intel/linux-sgx";
|
||||
maintainers = with maintainers; [ veehaitch citadelcore ];
|
||||
maintainers = with maintainers; [ phlip9 veehaitch citadelcore ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
license = with licenses; [ bsd3 ];
|
||||
};
|
||||
|
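Review bot: `inherit (sgx-sdk) patches src version versionTag;` makes sgx-psw pick up every patch sgx-sdk carries, but nothing at that line says which one psw actually needs; presumably it is `cppmicroservices-no-mtime.patch` (aesm_service is built here and sdk/default.nix documents the patch in those terms), so a comment such as `# sgx-sdk's patch list includes cppmicroservices-no-mtime.patch, which makes the zip embedded in aesm_service reproducible` would stop a future sdk-only patch from being applied here unnoticed. The `dcap.version = "1.20"` bump is pinned by sha256, but its pairing with the sgx-sdk 2.23 tag is implicit; if the DCAP prebuilt must match the dcap_source submodule of that tag, recording that in a comment makes the next bump safer. The `stdenv.mkDerivation rec {` body continues outside these hunks.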
@ -0,0 +1,26 @@
|
||||
diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
|
||||
index aee499e9..13fa89d4 100644
|
||||
--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
|
||||
+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
|
||||
@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
|
||||
const_cast<mz_zip_archive*>(&m_ZipArchive), index)
|
||||
? true
|
||||
: false;
|
||||
- stat.modifiedTime = zipStat.m_time;
|
||||
+ stat.modifiedTime = 0;
|
||||
stat.crc32 = zipStat.m_crc32;
|
||||
// This will limit the size info from uint64 to uint32 on 32-bit
|
||||
// architectures. We don't care because we assume resources > 2GB
|
||||
diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
|
||||
index 6b0ebd7a..fa2aebca 100644
|
||||
--- a/external/CppMicroServices/third_party/miniz.c
|
||||
+++ b/external/CppMicroServices/third_party/miniz.c
|
||||
@@ -170,7 +170,7 @@
|
||||
// If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
|
||||
// get/set file times, and the C run-time funcs that get/set times won't be called.
|
||||
// The current downside is the times written to your archives will be from 1979.
|
||||
-//#define MINIZ_NO_TIME
|
||||
+#define MINIZ_NO_TIME
|
||||
|
||||
// Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
|
||||
//#define MINIZ_NO_ARCHIVE_APIS
|
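Review bot: The patch file carries no header explaining why `MINIZ_NO_TIME` is defined and `stat.modifiedTime` is pinned to 0, so anyone reading it apart from sdk/default.nix has no context; a short description above the first `diff --git` line, saying it zeroes zip entry mtimes so the archive embedded in aesm_service is reproducible, is worth adding (text before the first diff header is ignored when the patch is applied). Assigning 0 instead of reading `zipStat.m_time` also avoids depending on a field that, going by the miniz comment in the second hunk, may no longer be available once `MINIZ_NO_TIME` is set — hedged, since the struct definition is outside the hunk. The `crc32` assignment is kept, so integrity checking of bundle resources is unaffected. The enclosing `GetStat` function starts before the hunk.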
@ -1,7 +1,6 @@
|
||||
{ lib
|
||||
, stdenv
|
||||
, fetchFromGitHub
|
||||
, fetchpatch
|
||||
, autoconf
|
||||
, automake
|
||||
, binutils
|
||||
@ -27,15 +26,15 @@
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "sgx-sdk";
|
||||
# Version as given in se_version.h
|
||||
version = "2.21.100.1";
|
||||
version = "2.23.100.2";
|
||||
# Version as used in the Git tag
|
||||
versionTag = "2.21";
|
||||
versionTag = "2.23";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "intel";
|
||||
repo = "linux-sgx";
|
||||
rev = "sgx_${versionTag}";
|
||||
hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY=";
|
||||
hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
|
||||
@ -46,39 +45,28 @@ stdenv.mkDerivation rec {
|
||||
'';
|
||||
|
||||
patches = [
|
||||
# Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
|
||||
(fetchpatch {
|
||||
url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
|
||||
sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
|
||||
})
|
||||
# There's a `make preparation` step that downloads some prebuilt binaries
|
||||
# and applies some patches to the in-repo git submodules. This patch removes
|
||||
# the parts that download things, since we can't do that inside the sandbox.
|
||||
./disable-downloads.patch
|
||||
|
||||
# This patch disable mtime in bundled zip file for reproducible builds.
|
||||
#
|
||||
# Context: The `aesm_service` binary depends on a vendored library called
|
||||
# `CppMicroServices`. At build time, this lib creates and then bundles
|
||||
# service resources into a zip file and then embeds this zip into the
|
||||
# binary. Without changes, the `aesm_service` will be different after every
|
||||
# build because the embedded zip file contents have different modified times.
|
||||
./cppmicroservices-no-mtime.patch
|
||||
];
|
||||
|
||||
# There's a `make preparation` step that downloads some prebuilt binaries and
|
||||
# applies some patches to the in-repo git submodules. We can't just run it,
|
||||
# since it downloads things, so this step just extracts the patching steps.
|
||||
postPatch = ''
|
||||
patchShebangs linux/installer/bin/build-installpkg.sh \
|
||||
linux/installer/common/sdk/createTarball.sh \
|
||||
linux/installer/common/sdk/install.sh \
|
||||
external/sgx-emm/create_symlink.sh
|
||||
|
||||
echo "Running 'make preparation' but without download steps"
|
||||
|
||||
# Seems to download something. Build currently uses ipp-crypto and not
|
||||
# sgxssl so probably not an issue.
|
||||
# $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
|
||||
|
||||
pushd external/openmp/openmp_code
|
||||
git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \
|
||||
|| git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
|
||||
popd
|
||||
|
||||
pushd external/protobuf/protobuf_code
|
||||
git apply ../sgx_protobuf.patch >/dev/null 2>&1 \
|
||||
|| git apply ../sgx_protobuf.patch --check -R
|
||||
popd
|
||||
|
||||
./external/sgx-emm/create_symlink.sh
|
||||
make preparation
|
||||
'';
|
||||
|
||||
# We need `cmake` as a build input but don't use it to kick off the build phase
|
||||
@ -300,7 +288,7 @@ stdenv.mkDerivation rec {
|
||||
meta = with lib; {
|
||||
description = "Intel SGX SDK for Linux built with IPP Crypto Library";
|
||||
homepage = "https://github.com/intel/linux-sgx";
|
||||
maintainers = with maintainers; [ sbellem arturcygan veehaitch ];
|
||||
maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
license = with licenses; [ bsd3 ];
|
||||
};
|
||||
|
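Review bot: The fetchpatch for pthread_compat.h (upstream PR 784) is dropped without a note that 2.23 includes that fix; if that is the reason, saying so in the commit message or in a comment keeps someone from re-adding it on the next bump. As far as the `-46,39 +45,28` hunk shows, the new `postPatch` runs `make preparation` and relies on `./disable-downloads.patch` having removed the network steps first, a coupling the comment above the patch states but the postPatch block itself does not; a line such as `# Network steps are removed by ./disable-downloads.patch; what remains only applies in-tree patches to the fetched submodules` above `make preparation` would make it explicit. The comment `# This patch disable mtime in bundled zip file` should read `disables`. The `stdenv.mkDerivation rec {` body extends beyond these hunks.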
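--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
@@ -0,0 +1,26 @@
+diff --git a/Makefile b/Makefile
+index 32433051..2e480efb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,8 +50,8 @@ tips:
+preparation:
+# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+# Only enable the download from git
+- git submodule update --init --recursive
+- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
++ # git submodule update --init --recursive
++ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
+./external/sgx-emm/create_symlink.sh
+@@ -59,8 +59,8 @@ preparation:
+cd external/cbor && cp -r libcbor sgx_libcbor
+cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
+cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+- ./download_prebuilt.sh
+- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++ # ./download_prebuilt.sh
++ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+
+psw:
+$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)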
@ -8,13 +8,13 @@
|
||||
}:
|
||||
gcc11Stdenv.mkDerivation rec {
|
||||
pname = "ipp-crypto";
|
||||
version = "2021.9.0";
|
||||
version = "2021.10.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "intel";
|
||||
repo = "ipp-crypto";
|
||||
rev = "ippcp_${version}";
|
||||
hash = "sha256-+ITnxyrkDQp4xRa+PVzXdYsSkI5sMNwQGfGU+lFJ6co=";
|
||||
hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
|
||||
};
|
||||
|
||||
cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
|
||||
|
@ -1,8 +1,8 @@
|
||||
{ stdenv
|
||||
, callPackage
|
||||
, fetchFromGitHub
|
||||
, fetchurl
|
||||
, lib
|
||||
, openssl
|
||||
, perl
|
||||
, sgx-sdk
|
||||
, which
|
||||
@ -10,7 +10,7 @@
|
||||
}:
|
||||
let
|
||||
sgxVersion = sgx-sdk.versionTag;
|
||||
opensslVersion = "1.1.1u";
|
||||
opensslVersion = "3.0.12";
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
pname = "sgx-ssl" + lib.optionalString debug "-debug";
|
||||
@ -19,15 +19,15 @@ stdenv.mkDerivation {
|
||||
src = fetchFromGitHub {
|
||||
owner = "intel";
|
||||
repo = "intel-sgx-ssl";
|
||||
rev = "lin_${sgxVersion}_${opensslVersion}";
|
||||
hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
|
||||
rev = "3.0_Rev2";
|
||||
hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I=";
|
||||
};
|
||||
|
||||
postUnpack =
|
||||
let
|
||||
opensslSourceArchive = fetchurl {
|
||||
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
|
||||
hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
|
||||
hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E=";
|
||||
};
|
||||
in
|
||||
''
|
||||
@ -37,7 +37,7 @@ stdenv.mkDerivation {
|
||||
postPatch = ''
|
||||
patchShebangs Linux/build_openssl.sh
|
||||
|
||||
# Run the test in the `installCheckPhase`, not the `buildPhase`
|
||||
# Skip the tests. Build and run separately (see below).
|
||||
substituteInPlace Linux/sgx/Makefile \
|
||||
--replace '$(MAKE) -C $(TEST_DIR) all' \
|
||||
'bash -c "true"'
|
||||
@ -46,7 +46,6 @@ stdenv.mkDerivation {
|
||||
nativeBuildInputs = [
|
||||
perl
|
||||
sgx-sdk
|
||||
stdenv.cc.libc
|
||||
which
|
||||
];
|
||||
|
||||
@ -60,21 +59,22 @@ stdenv.mkDerivation {
|
||||
"DESTDIR=$(out)"
|
||||
];
|
||||
|
||||
# Build the test app
|
||||
doInstallCheck = true;
|
||||
installCheckTarget = "test";
|
||||
installCheckFlags = [
|
||||
"SGX_MODE=SIM"
|
||||
"-j 1" # Makefile doesn't support multiple jobs
|
||||
];
|
||||
nativeInstallCheckInputs = [
|
||||
openssl
|
||||
];
|
||||
# These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
|
||||
# real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
|
||||
#
|
||||
# ```
|
||||
# nix run .#sgx-ssl.tests.HW
|
||||
# nix run .#sgx-ssl.tests.SIM
|
||||
# ```
|
||||
passthru.tests = {
|
||||
HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
|
||||
SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
|
||||
homepage = "https://github.com/intel/intel-sgx-ssl";
|
||||
maintainers = with maintainers; [ trundle veehaitch ];
|
||||
maintainers = with maintainers; [ phlip9 trundle veehaitch ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
license = [ licenses.bsd3 licenses.openssl ];
|
||||
};
|
||||
|
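Review bot: `rev = "3.0_Rev2"` no longer derives from `opensslVersion`, so the intel-sgx-ssl checkout and the OpenSSL tarball in `opensslSourceArchive` are now pinned independently with nothing stating that they must agree; a comment on the rev line such as `# intel-sgx-ssl release tag; built against the OpenSSL release in opensslVersion, bump both together` would keep them in step. The `sgxVersion` binding was only consumed by the old rev string as far as these hunks show, so it may now be unused. Moving the test build out of `installCheckPhase` into `passthru.tests` means a normal build no longer compiles the test enclave, which the comment explains; the commit message could also note that the 1.1.1 OpenSSL series is out of upstream support, so the move to 3.0.12 is a security-relevant change and not only a version bump.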
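--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/ssl/tests.nix
@@ -0,0 +1,95 @@
+# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
+# The whole package effectively does:
+#
+# ```
+# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
+# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
+# ```
+#
+# OfBorg fails to run these tests since they require real Intel HW. That
+# includes the simulation mode! The tests appears to do something fancy with
+# cpuid and exception trap handlers that make them very non-portable.
+#
+# These tests are split out from the parent pkg since recompiling the parent
+# takes like 30 min : )
+
+{ lib
+, openssl
+, sgx-psw
+, sgx-sdk
+, sgx-ssl
+, stdenv
+, which
+, opensslVersion ? throw "required parameter"
+, sgxMode ? throw "required parameter" # "SIM" or "HW"
+}:
+stdenv.mkDerivation {
+inherit (sgx-ssl) postPatch src version;
+pname = sgx-ssl.pname + "-tests-${sgxMode}";
+
+postUnpack = sgx-ssl.postUnpack + ''
+sourceRootAbs=$(readlink -e $sourceRoot)
+packageDir=$sourceRootAbs/Linux/package
+
+# Do the inverse of 'make install' and symlink built artifacts back into
+# '$src/Linux/package/' to avoid work.
+mkdir $packageDir/lib $packageDir/lib64
+ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
+ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
+ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
+
+# test_app needs some internal openssl headers.
+# See: tail end of 'Linux/build_openssl.sh'
+tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
+echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
+ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
+ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
+'';
+
+nativeBuildInputs = [
+openssl.bin
+sgx-sdk
+which
+];
+
+preBuild = ''
+# Need to regerate the edl header
+make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
+'';
+
+makeFlags = [
+"-C Linux/sgx/test_app"
+"SGX_MODE=${sgxMode}"
+];
+
+installPhase = ''
+runHook preInstall
+
+# Enclaves can't be stripped after signing.
+install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
+
+install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
+
+runHook postInstall
+'';
+
+postFixup = ''
+# Move the enclaves where they actually belong.
+mv $TMPDIR/enclaves/*.signed.so* $out/bin/
+
+# HW SGX must runs against sgx-psw, not sgx-sdk.
+if [[ "${sgxMode}" == "HW" ]]; then
+patchelf \
+--set-rpath "$( \
+patchelf --print-rpath $out/bin/TestApp \
+| sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
+)" \
+$out/bin/TestApp
+fi
+'';
+
+meta = {
+platforms = [ "x86_64-linux" ];
+mainProgram = "TestApp";
+};
+}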
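Review bot: The HW branch of `postFixup` rewrites the rpath with `sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|'`, which silently does nothing if `TestApp` was linked against a different sgx-sdk output path, leaving an HW test binary that still loads the SDK's libraries; checking the result afterwards, e.g. `patchelf --print-rpath $out/bin/TestApp | grep -q '${lib.getLib sgx-psw}'`, would turn that into a build failure instead of a runtime surprise. Two comment typos: `# Need to regerate the edl header` should be `regenerate`, and `# HW SGX must runs against sgx-psw, not sgx-sdk.` should be `must run`. The `throw "required parameter"` defaults are a reasonable way to force callers to pass `opensslVersion` and `sgxMode`; a header line naming the two `passthru.tests` callers in default.nix would help the next reader find them.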