Unverified Commit 653fc364 authored by Michael Daniels's avatar Michael Daniels Committed by GitHub

sgx-psw: 2.25 -> 2.27; sgx-azure-dcap-client: 1.12.3 -> 1.13.0-pre0;...

sgx-psw: 2.25 -> 2.27; sgx-azure-dcap-client: 1.12.3 -> 1.13.0-pre0; nixos/aesmd: unbreak; sgx-sdk: drop (#489368)
parents 52a81336 29c30249
+9 −29
@@ -11,7 +11,6 @@ let
    literalExpression
    makeLibraryPath
    mkEnableOption
    mkForce
    mkIf
    mkOption
    mkPackageOption
@@ -129,11 +128,6 @@ in

    hardware.cpu.intel.sgx.provision.enable = true;

    # Make sure the AESM service can find the SGX devices until
    # https://github.com/intel/linux-sgx/issues/772 is resolved
    # and updated in nixpkgs.
    hardware.cpu.intel.sgx.enableDcapCompat = mkForce true;

    systemd.services.aesmd =
      let
        storeAesmFolder = "${sgx-psw}/aesm";
@@ -156,25 +150,16 @@ in
        }
        // cfg.environment;

        # Make sure any of the SGX application enclave devices is available
        unitConfig.AssertPathExists = [
          # legacy out-of-tree driver
          "|/dev/isgx"
          # DCAP driver
          "|/dev/sgx/enclave"
          # in-tree driver
          "|/dev/sgx_enclave"
        ];
        # Ensure the SGX application enclave device is available
        unitConfig.AssertPathExists = [ "/dev/sgx_enclave" ];

        serviceConfig = {
          ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" ''
            set -euo pipefail
            whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin"
            if [[ ! -f "$whiteListFile" ]]; then
              ${pkgs.coreutils}/bin/install -m 644 -D \
          # Run with elevated privileges to create /var/opt/aesmd/... before
          # dropping to DynamicUser.
          ExecStartPre = ''
            +${lib.getExe' pkgs.coreutils "install"} -m 644 -D \
                "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \
                "$whiteListFile"
            fi
                "${aesmDataFolder}/white_list_cert_to_be_verify.bin"
          '';
          ExecStart = "${sgx-psw}/bin/aesm_service --no-daemon";
          ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"'';
@@ -196,9 +181,8 @@ in
          RuntimeDirectory = "aesmd";
          RuntimeDirectoryMode = "0750";

          # Hardening
          # --- Hardening ---

          # chroot into the runtime directory
          RootDirectory = "%t/aesmd";
          BindReadOnlyPaths = [
            builtins.storeDir
@@ -215,10 +199,6 @@ in
          PrivateDevices = false;
          DevicePolicy = "closed";
          DeviceAllow = [
            # legacy out-of-tree driver
            "/dev/isgx rw"
            # DCAP driver
            "/dev/sgx rw"
            # in-tree driver
            "/dev/sgx_enclave rw"
            "/dev/sgx_provision rw"
@@ -230,7 +210,7 @@ in
          RestrictAddressFamilies = [
            # Allocates the socket /var/run/aesmd/aesm.socket
            "AF_UNIX"
            # Uses the HTTP protocol to initialize some services
            # Makes HTTPS requests to the Intel PCCS service (or a cache).
            "AF_INET"
            "AF_INET6"
          ];
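Review bot: The rewritten `ExecStartPre` beginning at `+${lib.getExe' pkgs.coreutils "install"} -m 644 -D \` copies the whitelist certificate unconditionally on every start, whereas the replaced script guarded the copy with `if [[ ! -f "$whiteListFile" ]]`; if aesm_service refreshes that file at runtime (not visible in this diff), every restart now reverts it to the store copy. Because the command carries the `+` prefix it runs with full privileges, so the `/var/opt/aesmd/...` directory and file it creates are root-owned and the DynamicUser service can read but not replace them; whether aesmd ever needs write access to that path should be confirmed before relying on this. If the unconditional overwrite is intended, record it next to the command, e.g. `# Refresh the whitelist from the store copy on every start; runtime updates are not preserved.`, otherwise reinstate the existence check. The `systemd.services.aesmd` definition begins and ends outside this hunk.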
+24 −0
diff --git a/src/Linux/curl_easy.h b/src/Linux/curl_easy.h
index 047f3e2..c9c5e83 100644
--- a/src/Linux/curl_easy.h
+++ b/src/Linux/curl_easy.h
@@ -6,6 +6,7 @@
 #define CURL_EASY_H
 
 #define _CRT_SECURE_NO_WARNINGS // Use strncpy for portability.
+#include <cstdint>
 #include <cassert>
 #include <cstddef>
 #include <exception>
diff --git a/src/local_cache.h b/src/local_cache.h
index da86967..d9b0d3f 100644
--- a/src/local_cache.h
+++ b/src/local_cache.h
@@ -5,6 +5,7 @@
 #ifndef LOCAL_CACHE_H
 #define LOCAL_CACHE_H
 
+#include <cstdint>
 #include <string>
 #include <vector>
 #include <memory>
+5 −11
{
  stdenv,
  fetchFromGitHub,
  fetchpatch,
  lib,
  curl,
  nlohmann_json,
@@ -36,23 +35,18 @@ let
in
stdenv.mkDerivation (finalAttrs: {
  pname = "azure-dcap-client";
  version = "1.12.3";
  version = "1.13.0-pre0";

  src = fetchFromGitHub {
    owner = "microsoft";
    repo = "azure-dcap-client";
    rev = finalAttrs.version;
    hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA=";
    rev = "839ac4a2acc11b90cb91a483fcfc0cf7ae6a75c7";
    hash = "sha256-dVO5cSOcpkOuxql06exS4aLJgvtRg+Oi6k8HBIjwPlg=";
  };

  patches = [
    # Fix gcc-13 build:
    #   https://github.com/microsoft/Azure-DCAP-Client/pull/197
    (fetchpatch {
      name = "gcc-13.patch";
      url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch";
      hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc=";
    })
    # missing `#include <cstdint>`
    ./missing-includes.patch
  ];

  nativeBuildInputs = [
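Review bot: The source is now pinned to the bare commit `839ac4a2acc11b90cb91a483fcfc0cf7ae6a75c7` while `version` is set to the prerelease string `"1.13.0-pre0"`, and nothing in the derivation records why the tag-based `rev = finalAttrs.version` was dropped. The fixed-output `hash` keeps the fetch reproducible, but a future updater cannot tell whether this commit is an upstream prerelease tag, a branch head or a cherry-picked fix. A comment above `rev`, such as `# Pinned to an untagged upstream commit because <reason>; switch back to the release tag once 1.13.0 is published`, would preserve that context. The `stdenv.mkDerivation` attribute set continues past this hunk.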
+4 −0
@@ -11,7 +11,11 @@ sgx-azure-dcap-client.overrideAttrs (old: {
  ];

  patches = (old.patches or [ ]) ++ [
    # Missing `#include <array>`
    ./tests-missing-includes.patch

    # gtest no longer supports c++14. Use c++17.
    ./tests-cpp-version.patch
  ];

  buildFlags = [
+39 −0
diff --git a/src/Linux/CMakeLists.txt b/src/Linux/CMakeLists.txt
index 8567253..0137a7a 100644
--- a/src/Linux/CMakeLists.txt
+++ b/src/Linux/CMakeLists.txt
@@ -13,8 +13,8 @@ endif(__SERVICE_VM__)
 
 find_package(OpenSSL REQUIRED)
 
-set(CMAKE_CXX_STANDARD 14)
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++14")
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++17")
 
 # Link runTests with what we want to test and the GTest and pthread library
 add_executable(dcap_provider_utests ../UnitTest/test_local_cache.cpp ../UnitTest/test_quote_prov.cpp ../UnitTest/main.cpp ../Linux/local_cache.cpp)
diff --git a/src/Linux/Makefile.in b/src/Linux/Makefile.in
index 58a1c77..1ce6431 100644
--- a/src/Linux/Makefile.in
+++ b/src/Linux/Makefile.in
@@ -8,15 +8,15 @@ DEBUG ?= 0
 SERVICE_VM ?= 0
 ifeq ($(DEBUG), 1)
 ifeq ($(SERVICE_VM), 1)
-	CFLAGS = -fPIC -std=c++14 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
+	CFLAGS = -fPIC -std=c++17 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
 else
-	CFLAGS = -fPIC -std=c++14 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
+	CFLAGS = -fPIC -std=c++17 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
 endif
 else
 ifeq ($(SERVICE_VM), 1)
-	CFLAGS = -fPIC -std=c++14 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
+	CFLAGS = -fPIC -std=c++17 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
 else
-	CFLAGS = -fPIC -std=c++14 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
+	CFLAGS = -fPIC -std=c++17 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
 endif
 endif
 
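Review bot: The CMakeLists.txt hunk keeps both `set(CMAKE_CXX_STANDARD 17)` and an explicit `-std=c++17` appended to `CMAKE_CXX_FLAGS`; the second line is redundant with the first and bypasses CMake's own standard handling, so the flag rather than the property ends up deciding the dialect. Mirroring upstream's two lines with a minimal edit is defensible for a downstream patch, but the patch file carries no description, so the reason for the bump and the deliberate duplication live only in tests.nix. A short description before the first `diff --git` line, e.g. `Bump the unit-test build to C++17 (gtest dropped C++14 support); both upstream lines are kept in sync on purpose`, would make the patch self-explanatory. The same applies to the four `CFLAGS` lines in the Makefile.in hunk, which are only changed from `-std=c++14` to `-std=c++17`.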