pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix +3 −3 @@ -35,13 +35,13 @@ let in stdenv.mkDerivation rec { pname = "azure-dcap-client"; version = "1.12.1"; version = "1.12.3"; src = fetchFromGitHub { owner = "microsoft"; repo = pname; rev = version; hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU="; hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA="; }; patches = [ @@ -87,7 +87,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache"; homepage = "https://github.com/microsoft/azure-dcap-client"; maintainers = with maintainers; [ trundle veehaitch ]; maintainers = with maintainers; [ phlip9 trundle veehaitch ]; platforms = [ "x86_64-linux" ]; license = [ licenses.mit ]; }; pkgs/os-specific/linux/sgx/psw/default.nix +5 −5 @@ -14,7 +14,7 @@ , debug ? false }: stdenv.mkDerivation rec { inherit (sgx-sdk) version versionTag src; inherit (sgx-sdk) patches src version versionTag; pname = "sgx-psw"; postUnpack = @@ -24,16 +24,16 @@ stdenv.mkDerivation rec { # attestation quotes, and do platform certification. ae.prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz"; hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0="; hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q="; }; # Also include the Data Center Attestation Primitives (DCAP) platform # enclaves. dcap = rec { version = "1.18"; version = "1.20"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY="; hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o="; }; }; in
@@ -181,7 +181,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Intel SGX Architectural Enclave Service Manager"; homepage = "https://github.com/intel/linux-sgx"; maintainers = with maintainers; [ veehaitch citadelcore ]; maintainers = with maintainers; [ phlip9 veehaitch citadelcore ]; platforms = [ "x86_64-linux" ]; license = with licenses; [ bsd3 ]; }; pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch 0 → 100644 +26 −0 diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp index aee499e9..13fa89d4 100644 --- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp +++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp @@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index, const_cast<mz_zip_archive*>(&m_ZipArchive), index) ? true : false; - stat.modifiedTime = zipStat.m_time; + stat.modifiedTime = 0; stat.crc32 = zipStat.m_crc32; // This will limit the size info from uint64 to uint32 on 32-bit // architectures. We don't care because we assume resources > 2GB diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c index 6b0ebd7a..fa2aebca 100644 --- a/external/CppMicroServices/third_party/miniz.c +++ b/external/CppMicroServices/third_party/miniz.c
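Review bot: The new `inherit (sgx-sdk) patches src version versionTag;` line in the first hunk of psw/default.nix gives no reason why the SDK's patch list must now also be applied to this derivation; the rationale lives only in sdk/default.nix, which a reader of this file will not see. I would add above it: `# Reuse the SDK's patches: the CppMicroServices no-mtime patch is what makes the aesm_service binary built here reproducible, and disable-downloads.patch keeps any 'make preparation' run sandbox-safe.` Whether this derivation runs `make preparation` itself is not visible in the hunk, so phrase the second half accordingly. The new hashes for the prebuilt AE and DCAP enclave tarballs are keyed to `versionTag` and `dcap.version` alone, so a future bump of either without a matching hash fails at fetch time rather than silently, which is the right behaviour for prebuilt enclave binaries.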
@@ -170,7 +170,7 @@ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or // get/set file times, and the C run-time funcs that get/set times won't be called. // The current downside is the times written to your archives will be from 1979. -//#define MINIZ_NO_TIME +#define MINIZ_NO_TIME // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's. //#define MINIZ_NO_ARCHIVE_APIS pkgs/os-specific/linux/sgx/sdk/default.nix +18 −30 { lib , stdenv , fetchFromGitHub , fetchpatch , autoconf , automake , binutils @@ -27,15 +26,15 @@ stdenv.mkDerivation rec { pname = "sgx-sdk"; # Version as given in se_version.h version = "2.21.100.1"; version = "2.23.100.2"; # Version as used in the Git tag versionTag = "2.21"; versionTag = "2.23"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY="; hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I="; fetchSubmodules = true; };
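Review bot: The new patch file carries no header text explaining why `stat.modifiedTime = 0;` and `#define MINIZ_NO_TIME` belong together, so someone reading cppmicroservices-no-mtime.patch on its own cannot tell that the first hunk is what keeps the build compiling once the second hunk removes time support; the reproducibility rationale appears only as a comment in sdk/default.nix. I would add a short description above the first `diff --git` line stating that the zip embedded into aesm_service must not carry build-time mtimes, and that with `MINIZ_NO_TIME` defined the vendored miniz appears to drop the `m_time` member that `GetStat` was reading (worth confirming against the vendored miniz.h before relying on it). Zeroing `modifiedTime` also means every bundle resource now reports the Unix epoch; if anything in CppMicroServices compares that value to decide cache freshness it will always see "unchanged", which is presumably harmless for resources embedded in the binary but should be stated in the header. `GetStat` starts before the hunk and its remaining body is not visible here.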
@@ -46,39 +45,28 @@ stdenv.mkDerivation rec { ''; patches = [ # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784 (fetchpatch { url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch"; sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w="; }) # There's a `make preparation` step that downloads some prebuilt binaries # and applies some patches to the in-repo git submodules. This patch removes # the parts that download things, since we can't do that inside the sandbox. ./disable-downloads.patch # This patch disable mtime in bundled zip file for reproducible builds. # # Context: The `aesm_service` binary depends on a vendored library called # `CppMicroServices`. At build time, this lib creates and then bundles # service resources into a zip file and then embeds this zip into the # binary. Without changes, the `aesm_service` will be different after every # build because the embedded zip file contents have different modified times. ./cppmicroservices-no-mtime.patch ]; # There's a `make preparation` step that downloads some prebuilt binaries and # applies some patches to the in-repo git submodules. We can't just run it, # since it downloads things, so this step just extracts the patching steps. postPatch = '' patchShebangs linux/installer/bin/build-installpkg.sh \ linux/installer/common/sdk/createTarball.sh \ linux/installer/common/sdk/install.sh \ external/sgx-emm/create_symlink.sh echo "Running 'make preparation' but without download steps" # Seems to download something. Build currently uses ipp-crypto and not # sgxssl so probably not an issue. 
# $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild pushd external/openmp/openmp_code git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \ || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R popd pushd external/protobuf/protobuf_code git apply ../sgx_protobuf.patch >/dev/null 2>&1 \ || git apply ../sgx_protobuf.patch --check -R popd ./external/sgx-emm/create_symlink.sh make preparation ''; # We need `cmake` as a build input but don't use it to kick off the build phase @@ -300,7 +288,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Intel SGX SDK for Linux built with IPP Crypto Library"; homepage = "https://github.com/intel/linux-sgx"; maintainers = with maintainers; [ sbellem arturcygan veehaitch ]; maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ]; platforms = [ "x86_64-linux" ]; license = with licenses; [ bsd3 ]; }; pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch 0 → 100644 +26 −0 diff --git a/Makefile b/Makefile index 32433051..2e480efb 100644 --- a/Makefile +++ b/Makefile @@ -50,8 +50,8 @@ tips: preparation: # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # Only enable the download from git - git submodule update --init --recursive - ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + # git submodule update --init --recursive + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R ./external/sgx-emm/create_symlink.sh
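Review bot: The rationale for skipping `prepare_sgxssl.sh` ("Build currently uses ipp-crypto and not sgxssl so probably not an issue") appears to be dropped from `postPatch` along with the old hand-rolled steps, yet disable-downloads.patch still comments that script out, so the reason is now recorded nowhere in the tree. I would carry it into the comment above `./disable-downloads.patch` in the `patches` hunk, e.g. `# It also skips prepare_sgxssl.sh: the build uses ipp-crypto, not sgxssl.` While there, `# This patch disable mtime in bundled zip file for reproducible builds.` should read `# This patch disables mtimes in the bundled zip file for reproducible builds.` Running `make preparation` wholesale is acceptable only because the build sandbox has no network, so a download step introduced by a future Makefile change fails loudly instead of fetching anything; that is the property that makes this approach safe and it deserves one sentence next to the patch entry.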
@@ -59,8 +59,8 @@ preparation: cd external/cbor && cp -r libcbor sgx_libcbor cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R - ./download_prebuilt.sh - ./external/dcap_source/QuoteGeneration/download_prebuilt.sh + # ./download_prebuilt.sh + # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh psw: $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
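Review bot: The new disable-downloads.patch has no header explaining which of the four commented-out recipe lines are replaced by something else and which are simply unnecessary, and that matters because each hunk is anchored to exact lines of the 2.23 `Makefile` and will have to be regenerated at the next SDK bump. I would add a description above `diff --git a/Makefile b/Makefile` stating that `git submodule update --init --recursive` is redundant because `src` is fetched with `fetchSubmodules = true`, that the two `download_prebuilt.sh` calls appear to be covered by the `fetchurl` prebuilt AE and DCAP tarballs in the PSW derivation, and that `prepare_sgxssl.sh nobuild` is skipped because the build does not use sgxssl. Stating this in the patch itself, rather than only in sdk/default.nix, lets the next person regenerating it decide line by line whether each omission still holds.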
pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix +3 −3 @@ -35,13 +35,13 @@ let in stdenv.mkDerivation rec { pname = "azure-dcap-client"; version = "1.12.1"; version = "1.12.3"; src = fetchFromGitHub { owner = "microsoft"; repo = pname; rev = version; hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU="; hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA="; }; patches = [ @@ -87,7 +87,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache"; homepage = "https://github.com/microsoft/azure-dcap-client"; maintainers = with maintainers; [ trundle veehaitch ]; maintainers = with maintainers; [ phlip9 trundle veehaitch ]; platforms = [ "x86_64-linux" ]; license = [ licenses.mit ]; };
pkgs/os-specific/linux/sgx/psw/default.nix +5 −5 @@ -14,7 +14,7 @@ , debug ? false }: stdenv.mkDerivation rec { inherit (sgx-sdk) version versionTag src; inherit (sgx-sdk) patches src version versionTag; pname = "sgx-psw"; postUnpack = @@ -24,16 +24,16 @@ stdenv.mkDerivation rec { # attestation quotes, and do platform certification. ae.prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz"; hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0="; hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q="; }; # Also include the Data Center Attestation Primitives (DCAP) platform # enclaves. dcap = rec { version = "1.18"; version = "1.20"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY="; hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o="; }; }; in @@ -181,7 +181,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Intel SGX Architectural Enclave Service Manager"; homepage = "https://github.com/intel/linux-sgx"; maintainers = with maintainers; [ veehaitch citadelcore ]; maintainers = with maintainers; [ phlip9 veehaitch citadelcore ]; platforms = [ "x86_64-linux" ]; license = with licenses; [ bsd3 ]; };
pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch 0 → 100644 +26 −0 diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp index aee499e9..13fa89d4 100644 --- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp +++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp @@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index, const_cast<mz_zip_archive*>(&m_ZipArchive), index) ? true : false; - stat.modifiedTime = zipStat.m_time; + stat.modifiedTime = 0; stat.crc32 = zipStat.m_crc32; // This will limit the size info from uint64 to uint32 on 32-bit // architectures. We don't care because we assume resources > 2GB diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c index 6b0ebd7a..fa2aebca 100644 --- a/external/CppMicroServices/third_party/miniz.c +++ b/external/CppMicroServices/third_party/miniz.c @@ -170,7 +170,7 @@ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or // get/set file times, and the C run-time funcs that get/set times won't be called. // The current downside is the times written to your archives will be from 1979. -//#define MINIZ_NO_TIME +#define MINIZ_NO_TIME // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's. //#define MINIZ_NO_ARCHIVE_APIS
pkgs/os-specific/linux/sgx/sdk/default.nix +18 −30 { lib , stdenv , fetchFromGitHub , fetchpatch , autoconf , automake , binutils @@ -27,15 +26,15 @@ stdenv.mkDerivation rec { pname = "sgx-sdk"; # Version as given in se_version.h version = "2.21.100.1"; version = "2.23.100.2"; # Version as used in the Git tag versionTag = "2.21"; versionTag = "2.23"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY="; hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I="; fetchSubmodules = true; };
@@ -46,39 +45,28 @@ stdenv.mkDerivation rec { ''; patches = [ # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784 (fetchpatch { url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch"; sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w="; }) # There's a `make preparation` step that downloads some prebuilt binaries # and applies some patches to the in-repo git submodules. This patch removes # the parts that download things, since we can't do that inside the sandbox. ./disable-downloads.patch # This patch disable mtime in bundled zip file for reproducible builds. # # Context: The `aesm_service` binary depends on a vendored library called # `CppMicroServices`. At build time, this lib creates and then bundles # service resources into a zip file and then embeds this zip into the # binary. Without changes, the `aesm_service` will be different after every # build because the embedded zip file contents have different modified times. ./cppmicroservices-no-mtime.patch ]; # There's a `make preparation` step that downloads some prebuilt binaries and # applies some patches to the in-repo git submodules. We can't just run it, # since it downloads things, so this step just extracts the patching steps. postPatch = '' patchShebangs linux/installer/bin/build-installpkg.sh \ linux/installer/common/sdk/createTarball.sh \ linux/installer/common/sdk/install.sh \ external/sgx-emm/create_symlink.sh echo "Running 'make preparation' but without download steps" # Seems to download something. Build currently uses ipp-crypto and not # sgxssl so probably not an issue. 
# $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild pushd external/openmp/openmp_code git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \ || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R popd pushd external/protobuf/protobuf_code git apply ../sgx_protobuf.patch >/dev/null 2>&1 \ || git apply ../sgx_protobuf.patch --check -R popd ./external/sgx-emm/create_symlink.sh make preparation ''; # We need `cmake` as a build input but don't use it to kick off the build phase @@ -300,7 +288,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Intel SGX SDK for Linux built with IPP Crypto Library"; homepage = "https://github.com/intel/linux-sgx"; maintainers = with maintainers; [ sbellem arturcygan veehaitch ]; maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ]; platforms = [ "x86_64-linux" ]; license = with licenses; [ bsd3 ]; };
pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch 0 → 100644 +26 −0 diff --git a/Makefile b/Makefile index 32433051..2e480efb 100644 --- a/Makefile +++ b/Makefile @@ -50,8 +50,8 @@ tips: preparation: # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # Only enable the download from git - git submodule update --init --recursive - ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + # git submodule update --init --recursive + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R ./external/sgx-emm/create_symlink.sh @@ -59,8 +59,8 @@ preparation: cd external/cbor && cp -r libcbor sgx_libcbor cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R - ./download_prebuilt.sh - ./external/dcap_source/QuoteGeneration/download_prebuilt.sh + # ./download_prebuilt.sh + # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh psw: $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)