dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

sgx-sdk, sgx-psw: improve samples

Browse Source 
Make it easier to review updates to `sgx-{sdk,psw}` on machines with
actual SGX hardware support. The passthru tests build and run the SGX
samples in simulation mode which works without any hardware support. To
run the samples on a machine with SGX hardware support, issue the
following command:

```bash
 $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
```

Make sure the SGX AESM daemon is running as some tests require it. See
the `services.aesmd.*` NixOS module options and the `sgx-psw` package
for details.
This commit is contained in:
Vincent Haupert 2022-01-02 23:38:00 +01:00
parent 0bf7411211
commit 9dac06a14d
3 changed files with 131 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
pkgs/os-specific/linux/sgx/samples/default.nix Normal file
View File

@ -0,0 +1,109 @@
{ stdenv
, lib
, makeWrapper
, sgx-sdk
, sgx-psw
, which
# "SIM" or "HW"
, sgxMode
}:
let
isSimulation = sgxMode == "SIM";
buildSample = name: stdenv.mkDerivation {
pname = name;
version = sgxMode;
src = sgx-sdk.out;
sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
nativeBuildInputs = [
makeWrapper
which
];
buildInputs = [
sgx-sdk
];
# The samples don't have proper support for parallel building
# causing them to fail randomly.
enableParallelBuilding = false;
buildFlags = [
"SGX_MODE=${sgxMode}"
];
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
install -m 755 app $out/bin
install *.so $out/lib
wrapProgram "$out/bin/app" \
--run "cd $out/lib" \
${lib.optionalString (!isSimulation)
''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
runHook postInstall
'';
# Breaks the signature of the enclaves
dontFixup = true;
# We don't have access to real SGX hardware during the build
doInstallCheck = isSimulation;
installCheckPhase = ''
runHook preInstallCheck
pushd /
echo a | $out/bin/app
popd
runHook preInstallCheck
'';
};
in
{
cxx11SGXDemo = buildSample "Cxx11SGXDemo";
localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
install -m 755 bin/app* $out/bin
install bin/*.so $out/lib
for bin in $out/bin/*; do
wrapProgram $bin \
--run "cd $out/lib" \
${lib.optionalString (!isSimulation)
''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
done
runHook postInstall
'';
});
powerTransition = buildSample "PowerTransition";
protobufSGXDemo = buildSample "ProtobufSGXDemo";
remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
# Makefile sets rpath to point to $TMPDIR
preFixup = ''
patchelf --remove-rpath $out/bin/app
'';
postInstall = ''
install sample_libcrypto/*.so $out/lib
'';
});
sampleEnclave = buildSample "SampleEnclave";
sampleEnclavePCL = buildSample "SampleEnclavePCL";
sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
prePatch = ''
substituteInPlace App/App.cpp \
--replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
'';
});
switchless = buildSample "Switchless";
}

24
pkgs/os-specific/linux/sgx/sdk/default.nix
View File

@ -3,15 +3,16 @@
, fetchFromGitHub , fetchFromGitHub
, fetchpatch , fetchpatch
, fetchzip , fetchzip
, callPackage
, autoconf , autoconf
, automake , automake
, binutils , binutils
, callPackage
, cmake , cmake
, file , file
, gdb , gdb
, git , git
, libtool , libtool
, linkFarmFromDrvs
, nasm , nasm
, ocaml , ocaml
, ocamlPackages , ocamlPackages
@ -20,6 +21,7 @@
, python3 , python3
, texinfo , texinfo
, validatePkgConfig , validatePkgConfig
, writeShellApplication
, writeShellScript , writeShellScript
, writeText , writeText
, debug ? false , debug ? false
@ -257,7 +259,25 @@ stdenv.mkDerivation rec {
postHooks+=(sgxsdk) postHooks+=(sgxsdk)
''; '';
passthru.tests = callPackage ./samples.nix { }; passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
# Run tests in SGX hardware mode on an SGX-enabled machine
# $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
passthru.runTestsHW =
let
testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
in
writeShellApplication {
name = "run-tests-hw";
text = ''
for test in ${testsHWLinked}/*; do
printf '*** Running test %s ***\n\n' "$(basename "$test")"
printf 'a\n' | "$test/bin/app"
printf '\n'
done
'';
};
meta = with lib; { meta = with lib; {
description = "Intel SGX SDK for Linux built with IPP Crypto Library"; description = "Intel SGX SDK for Linux built with IPP Crypto Library";

63
pkgs/os-specific/linux/sgx/sdk/samples.nix
View File

@ -1,63 +0,0 @@
{ stdenv
, sgx-sdk
, which
}:
let
buildSample = name: stdenv.mkDerivation rec {
inherit name;
src = sgx-sdk.out;
sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
buildInputs = [
sgx-sdk
];
# The samples don't have proper support for parallel building
# causing them to fail randomly.
enableParallelBuilding = false;
buildFlags = [
"SGX_MODE=SIM"
];
installPhase = ''
mkdir $out
install -m 755 app $out/app
install *.so $out/
'';
doInstallCheck = true;
installCheckInputs = [ which ];
installCheckPhase = ''
pushd $out
./app
popd
'';
};
in
{
cxx11SGXDemo = buildSample "Cxx11SGXDemo";
localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
installPhase = ''
mkdir $out
cp -r bin/. $out/
'';
});
powerTransition = (buildSample "PowerTransition").overrideAttrs (oldAttrs: {
# Requires interaction
doInstallCheck = false;
});
protobufSGXDemo = buildSample "ProtobufSGXDemo";
remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
dontFixup = true;
installCheckPhase = ''
echo "a" | LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/sample_libcrypto ./app
'';
});
sampleEnclave = buildSample "SampleEnclave";
sampleEnclavePCL = buildSample "SampleEnclavePCL";
sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
sealUnseal = buildSample "SealUnseal";
switchless = buildSample "Switchless";
}