nixos/aesmd: add option to configure quote provider library
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`: - Append instead of prepend to allow for overriding in service config - As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is not necessary to also set in `LD_LIBRARY_PATH` of the systemd service. Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
This commit is contained in:
parent
7de32b0ce9
commit
da0dc8339c
@ -25,6 +25,12 @@ in
|
||||
default = false;
|
||||
description = lib.mdDoc "Whether to build the PSW package in debug mode.";
|
||||
};
|
||||
quoteProviderLibrary = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
example = literalExpression "pkgs.sgx-azure-dcap-client";
|
||||
description = lib.mdDoc "Custom quote provider library to use.";
|
||||
};
|
||||
settings = mkOption {
|
||||
description = lib.mdDoc "AESM configuration";
|
||||
default = { };
|
||||
@ -83,7 +89,6 @@ in
|
||||
storeAesmFolder = "${sgx-psw}/aesm";
|
||||
# Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp
|
||||
aesmDataFolder = "/var/opt/aesmd/data";
|
||||
aesmStateDirSystemd = "%S/aesmd";
|
||||
in
|
||||
{
|
||||
description = "Intel Architectural Enclave Service Manager";
|
||||
@ -98,7 +103,7 @@ in
|
||||
environment = {
|
||||
NAME = "aesm_service";
|
||||
AESM_PATH = storeAesmFolder;
|
||||
LD_LIBRARY_PATH = storeAesmFolder;
|
||||
LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];
|
||||
};
|
||||
|
||||
# Make sure any of the SGX application enclave devices is available
|
||||
|
@ -1,7 +1,7 @@
|
||||
{ pkgs, lib, ... }: {
|
||||
name = "aesmd";
|
||||
meta = {
|
||||
maintainers = with lib.maintainers; [ veehaitch ];
|
||||
maintainers = with lib.maintainers; [ trundle veehaitch ];
|
||||
};
|
||||
|
||||
nodes.machine = { lib, ... }: {
|
||||
@ -25,38 +25,69 @@
|
||||
|
||||
# We don't have a real SGX machine in NixOS tests
|
||||
systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];
|
||||
|
||||
specialisation = {
|
||||
withQuoteProvider.configuration = { ... }: {
|
||||
services.aesmd.quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
with subtest("aesmd.service starts"):
|
||||
machine.wait_for_unit("aesmd.service")
|
||||
status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
|
||||
assert status == 0, "Could not get MainPID of aesmd.service"
|
||||
main_pid = main_pid.strip()
|
||||
testScript = { nodes, ... }:
|
||||
let
|
||||
specialisations = "${nodes.machine.system.build.toplevel}/specialisation";
|
||||
in
|
||||
''
|
||||
def get_aesmd_pid():
|
||||
status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
|
||||
assert status == 0, "Could not get MainPID of aesmd.service"
|
||||
return main_pid.strip()
|
||||
|
||||
with subtest("aesmd.service runtime directory permissions"):
|
||||
runtime_dir = "/run/aesmd";
|
||||
res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
|
||||
assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"
|
||||
with subtest("aesmd.service starts"):
|
||||
machine.wait_for_unit("aesmd.service")
|
||||
|
||||
with subtest("aesm.socket available on host"):
|
||||
socket_path = "/var/run/aesmd/aesm.socket"
|
||||
machine.wait_until_succeeds(f"test -S {socket_path}")
|
||||
machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
|
||||
for op in [ "-r", "-w", "-x" ]:
|
||||
machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
|
||||
machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")
|
||||
main_pid = get_aesmd_pid()
|
||||
|
||||
with subtest("Copies white_list_cert_to_be_verify.bin"):
|
||||
whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
|
||||
whitelist_perms = machine.succeed(
|
||||
f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
|
||||
).strip()
|
||||
assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"
|
||||
with subtest("aesmd.service runtime directory permissions"):
|
||||
runtime_dir = "/run/aesmd";
|
||||
res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
|
||||
assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"
|
||||
|
||||
with subtest("Writes and binds aesm.conf in service namespace"):
|
||||
aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")
|
||||
with subtest("aesm.socket available on host"):
|
||||
socket_path = "/var/run/aesmd/aesm.socket"
|
||||
machine.wait_until_succeeds(f"test -S {socket_path}")
|
||||
machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
|
||||
for op in [ "-r", "-w", "-x" ]:
|
||||
machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
|
||||
machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")
|
||||
|
||||
assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
|
||||
'';
|
||||
with subtest("Copies white_list_cert_to_be_verify.bin"):
|
||||
whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
|
||||
whitelist_perms = machine.succeed(
|
||||
f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
|
||||
).strip()
|
||||
assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"
|
||||
|
||||
with subtest("Writes and binds aesm.conf in service namespace"):
|
||||
aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")
|
||||
|
||||
assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
|
||||
|
||||
with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"):
|
||||
status, environment = machine.systemctl("show --property Environment --value aesmd.service")
|
||||
assert status == 0, "Could not get Environment of aesmd.service"
|
||||
env_by_name = dict(entry.split("=", 1) for entry in environment.split())
|
||||
assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty"
|
||||
|
||||
with subtest("aesmd.service with quote provider library starts"):
|
||||
machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test')
|
||||
machine.wait_for_unit("aesmd.service")
|
||||
|
||||
main_pid = get_aesmd_pid()
|
||||
|
||||
with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"):
|
||||
ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")
|
||||
assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \
|
||||
"LD_LIBRARY_PATH is not set to the configured quote provider library"
|
||||
'';
|
||||
}
|
||||
|
@ -69,7 +69,7 @@ in {
|
||||
_3proxy = runTest ./3proxy.nix;
|
||||
acme = runTest ./acme.nix;
|
||||
adguardhome = runTest ./adguardhome.nix;
|
||||
aesmd = runTest ./aesmd.nix;
|
||||
aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix;
|
||||
agate = runTest ./web-servers/agate.nix;
|
||||
agda = handleTest ./agda.nix {};
|
||||
airsonic = handleTest ./airsonic.nix {};
|
||||
|
@ -121,7 +121,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
mkdir $out/bin
|
||||
makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
|
||||
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
|
||||
--suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
|
||||
--chdir "$out/aesm"
|
||||
|
||||
# Make sure we didn't forget to handle any files
|
||||
|
Loading…
Reference in New Issue
Block a user