Loading nixos/modules/services/security/aesmd.nix +26 −12 Original line number Diff line number Diff line Loading @@ -167,15 +167,25 @@ in ]; serviceConfig = { ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' ExecStartPre = let script = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' set -euo pipefail # For some reason systemd 257+ won't properly bind mount the # StateDirectory with the aesmd DynamicUser owning it chown -R aesmd:aesmd /var/opt/aesmd whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin" if [[ ! -f "$whiteListFile" ]]; then ${pkgs.coreutils}/bin/install -m 644 -D \ install -m 644 -o aesmd -g aesmd -D \ "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \ "$whiteListFile" fi ''; # Run setup with elevated privileges in "+${script}"; ExecStart = "${sgx-psw}/bin/aesm_service --no-daemon"; ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"''; Loading @@ -196,10 +206,14 @@ in RuntimeDirectory = "aesmd"; RuntimeDirectoryMode = "0750"; # Hardening # --- Hardening --- # NOTE(phlip9): Starting with systemd-v257, enabling both # `RootDirectory` (chroot) and `DynamicUser` prevents the service # from locating the `aesmd` user: # `XXX-copy-aesmd-data-files.sh: chown: invalid user: ‘aesmd:aesmd’` # RootDirectory = "%t/aesmd"; # chroot into the runtime directory RootDirectory = "%t/aesmd"; BindReadOnlyPaths = [ builtins.storeDir # Hardcoded path AESM_CONFIG_FILE in psw/ae/aesm_service/source/utils/aesm_config.cpp Loading pkgs/os-specific/linux/sgx/psw/cppmicroservices-compat.patch 0 → 100644 +87 −0 Original line number Diff line number Diff line diff --git a/external/CppMicroServices/CMakeLists.txt b/external/CppMicroServices/CMakeLists.txt index 8d0aff3..44d45d9 100644 --- a/external/CppMicroServices/CMakeLists.txt +++ b/external/CppMicroServices/CMakeLists.txt 
@@ -1,7 +1,7 @@ # Extract the current version from the VERSION file file(STRINGS VERSION _version LIMIT_COUNT 1) -set(US_CMAKE_MINIMUM_REQUIRED_VERSION 3.2) +set(US_CMAKE_MINIMUM_REQUIRED_VERSION 3.10) cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) diff --git a/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h b/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h index 3f240f4..e8acef9 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h @@ -25,6 +25,7 @@ #include "cppmicroservices/Any.h" +#include <cstdint> #include <string> #include <unordered_map> diff --git a/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h index 9b36a9b..12894fa 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h @@ -25,6 +25,7 @@ #include "cppmicroservices/FrameworkExport.h" +#include <cstdint> #include <iostream> #include <memory> diff --git a/external/CppMicroServices/framework/include/cppmicroservices/Constants.h b/external/CppMicroServices/framework/include/cppmicroservices/Constants.h index 590a890..cf60926 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/Constants.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/Constants.h @@ -25,6 +25,7 @@ #include "cppmicroservices/FrameworkConfig.h" +#include <cstdint> #include <string> namespace cppmicroservices { diff --git a/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h index 71caf1b..a29e87c 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h 
+++ b/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h @@ -25,6 +25,7 @@ #include "cppmicroservices/FrameworkExport.h" +#include <cstdint> #include <iostream> #include <memory> diff --git a/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h index 451cb82..da7c5f0 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h @@ -25,6 +25,8 @@ #include "cppmicroservices/ServiceReference.h" +#include <cstdint> + US_MSVC_PUSH_DISABLE_WARNING( 4251) // 'identifier' : class 'type' needs to have dll-interface to be used by clients of class 'type2' diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt index 5728e9b..0169263 100644 --- a/psw/ae/aesm_service/source/CMakeLists.txt +++ b/psw/ae/aesm_service/source/CMakeLists.txt @@ -30,7 +30,7 @@ # # [proj-begin] -cmake_minimum_required(VERSION 3.0.0) +cmake_minimum_required(VERSION 3.10.0) project(ModularAESM VERSION 0.1.0) pkgs/os-specific/linux/sgx/psw/default.nix +14 −7 Original line number Diff line number Diff line Loading @@ -20,15 +20,15 @@ stdenv.mkDerivation rec { pname = "sgx-psw"; # Version as given in se_version.h version = "2.25.100.3"; version = "2.27.100.1"; # Version as used in the Git tag versionTag = "2.25"; versionTag = "2.27"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw="; hash = "sha256-hNmh4IgNJDNqt2xF8zBnD/x+saMyMk5hZLA3aOqzqEA="; fetchSubmodules = true; }; Loading 
@@ -52,11 +52,11 @@ stdenv.mkDerivation rec { # Fetch the Data Center Attestation Primitives (DCAP) platform enclaves # and pre-built sgxssl. dcap = rec { version = "1.22"; version = "1.24"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ="; hash = "sha256-sc/eYIPdhwAyDk2Zh1HU6yuFlobqVy/4++m5OnQE3Bc="; }; }; in Loading @@ -72,8 +72,8 @@ stdenv.mkDerivation rec { grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \ || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1) tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source ./prebuilt/ tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration ./psw/ tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source prebuilt/ tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration psw/ ''; patches = [ Loading @@ -90,6 +90,13 @@ stdenv.mkDerivation rec { # binary. Without changes, the `aesm_service` will be different after every # build because the embedded zip file contents have different modified times. ./cppmicroservices-no-mtime.patch # CppMicroServices is failing to build with CMake 4 and GCC 15 # PR: <https://github.com/intel/confidential-computing.sgx/pull/1098> # - CMake 4 dropped support for <3.5 and warns on <3.10, so bump the # `cmake_minimum_required` to 3.10 # - Various header files now need `#include <cstdint>` to compile ./cppmicroservices-compat.patch ]; postPatch = Loading pkgs/os-specific/linux/sgx/psw/disable-downloads.patch +4 −9 Original line number Diff line number Diff line diff --git a/Makefile b/Makefile index 19bc05a..6b1acd4 100644 index 144f4e4..834c23e 100644 --- a/Makefile +++ b/Makefile @@ -50,13 +50,13 @@ tips: 
@@ -50,22 +50,17 @@ tips: preparation: # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # Only enable the download from git - git submodule update --init --recursive + # git submodule update --init --recursive cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \ git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check - ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R cd external/protobuf/protobuf_code && git apply ../0001-bumped-protobuf-to-1.33.0.patch >/dev/null 2>&1 || git apply ../0001-bumped-protobuf-to-1.33.0.patch --check -R - cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R + cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R ./external/sgx-emm/create_symlink.sh cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R cd external/cbor && cp -r libcbor sgx_libcbor 
@@ -64,8 +64,8 @@ preparation: cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R cd external/ippcp_internal/ipp-crypto && mkdir -p build - ./download_prebuilt.sh - ./external/dcap_source/QuoteGeneration/download_prebuilt.sh + # ./download_prebuilt.sh + # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh psw: $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS) pkgs/top-level/all-packages.nix +1 −1 Original line number Diff line number Diff line Loading @@ -8799,7 +8799,7 @@ with pkgs; }; sgx-psw = callPackage ../os-specific/linux/sgx/psw { protobuf = protobuf_21; protobuf = protobuf_33; }; sinit = callPackage ../os-specific/linux/sinit { Loading Loading
nixos/modules/services/security/aesmd.nix +26 −12 Original line number Diff line number Diff line Loading @@ -167,15 +167,25 @@ in ]; serviceConfig = { ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' ExecStartPre = let script = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' set -euo pipefail # For some reason systemd 257+ won't properly bind mount the # StateDirectory with the aesmd DynamicUser owning it chown -R aesmd:aesmd /var/opt/aesmd whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin" if [[ ! -f "$whiteListFile" ]]; then ${pkgs.coreutils}/bin/install -m 644 -D \ install -m 644 -o aesmd -g aesmd -D \ "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \ "$whiteListFile" fi ''; # Run setup with elevated privileges in "+${script}"; ExecStart = "${sgx-psw}/bin/aesm_service --no-daemon"; ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"''; Loading @@ -196,10 +206,14 @@ in RuntimeDirectory = "aesmd"; RuntimeDirectoryMode = "0750"; # Hardening # --- Hardening --- # NOTE(phlip9): Starting with systemd-v257, enabling both # `RootDirectory` (chroot) and `DynamicUser` prevents the service # from locating the `aesmd` user: # `XXX-copy-aesmd-data-files.sh: chown: invalid user: ‘aesmd:aesmd’` # RootDirectory = "%t/aesmd"; # chroot into the runtime directory RootDirectory = "%t/aesmd"; BindReadOnlyPaths = [ builtins.storeDir # Hardcoded path AESM_CONFIG_FILE in psw/ae/aesm_service/source/utils/aesm_config.cpp Loading
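Review bot: Dropping `RootDirectory = "%t/aesmd"` to get around the systemd 257 DynamicUser lookup failure also drops the chroot that the `BindReadOnlyPaths` list right below it was built around, so the service is no longer confined to its runtime directory except by whatever other sandbox options the unit sets (not visible here); the NOTE should say that outright and name the compensating settings, e.g. `# Hardening regression: without RootDirectory the unit relies on ProtectSystem/ProtectHome and the remaining options below to confine aesmd`. The `+` prefix on ExecStartPre runs the whole script as root outside every sandbox setting and it `chown -R`s a hardcoded `/var/opt/aesmd` on every start; if that directory is the unit's StateDirectory, `chown -R aesmd:aesmd "$STATE_DIRECTORY"` keeps the privileged step tied to what systemd actually provisions rather than a path string duplicated from elsewhere in the module. `install` lost its `${pkgs.coreutils}/bin/` prefix while ExecReload still spells out `${pkgs.coreutils}/bin/kill`; the bare form works only if the unit's PATH carries coreutils, and the two commands should at least be consistent. The serviceConfig attribute set starts and ends outside the visible hunks.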
pkgs/os-specific/linux/sgx/psw/cppmicroservices-compat.patch 0 → 100644 +87 −0 Original line number Diff line number Diff line diff --git a/external/CppMicroServices/CMakeLists.txt b/external/CppMicroServices/CMakeLists.txt index 8d0aff3..44d45d9 100644 --- a/external/CppMicroServices/CMakeLists.txt +++ b/external/CppMicroServices/CMakeLists.txt @@ -1,7 +1,7 @@ # Extract the current version from the VERSION file file(STRINGS VERSION _version LIMIT_COUNT 1) -set(US_CMAKE_MINIMUM_REQUIRED_VERSION 3.2) +set(US_CMAKE_MINIMUM_REQUIRED_VERSION 3.10) cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) diff --git a/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h b/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h index 3f240f4..e8acef9 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h @@ -25,6 +25,7 @@ #include "cppmicroservices/Any.h" +#include <cstdint> #include <string> #include <unordered_map> diff --git a/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h index 9b36a9b..12894fa 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h @@ -25,6 +25,7 @@ #include "cppmicroservices/FrameworkExport.h" +#include <cstdint> #include <iostream> #include <memory> diff --git a/external/CppMicroServices/framework/include/cppmicroservices/Constants.h b/external/CppMicroServices/framework/include/cppmicroservices/Constants.h index 590a890..cf60926 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/Constants.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/Constants.h 
@@ -25,6 +25,7 @@ #include "cppmicroservices/FrameworkConfig.h" +#include <cstdint> #include <string> namespace cppmicroservices { diff --git a/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h index 71caf1b..a29e87c 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h @@ -25,6 +25,7 @@ #include "cppmicroservices/FrameworkExport.h" +#include <cstdint> #include <iostream> #include <memory> diff --git a/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h index 451cb82..da7c5f0 100644 --- a/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h +++ b/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h @@ -25,6 +25,8 @@ #include "cppmicroservices/ServiceReference.h" +#include <cstdint> + US_MSVC_PUSH_DISABLE_WARNING( 4251) // 'identifier' : class 'type' needs to have dll-interface to be used by clients of class 'type2' diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt index 5728e9b..0169263 100644 --- a/psw/ae/aesm_service/source/CMakeLists.txt +++ b/psw/ae/aesm_service/source/CMakeLists.txt @@ -30,7 +30,7 @@ # # [proj-begin] -cmake_minimum_required(VERSION 3.0.0) +cmake_minimum_required(VERSION 3.10.0) project(ModularAESM VERSION 0.1.0)
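Review bot: The new patch file has no preamble, so a reader of `pkgs/os-specific/linux/sgx/psw/cppmicroservices-compat.patch` cannot tell where it comes from or when it can be dropped without opening default.nix; a short header before the first `diff --git`, such as `Backport of https://github.com/intel/confidential-computing.sgx/pull/1098 (CMake 4 / GCC 15 compatibility); drop once linux-sgx ships it`, would make the vendored patch self-describing. The hunks themselves are mechanical, two `cmake_minimum_required` bumps to 3.10 and five `#include <cstdint>` additions, and match the description given in default.nix.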
pkgs/os-specific/linux/sgx/psw/default.nix +14 −7 Original line number Diff line number Diff line Loading @@ -20,15 +20,15 @@ stdenv.mkDerivation rec { pname = "sgx-psw"; # Version as given in se_version.h version = "2.25.100.3"; version = "2.27.100.1"; # Version as used in the Git tag versionTag = "2.25"; versionTag = "2.27"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw="; hash = "sha256-hNmh4IgNJDNqt2xF8zBnD/x+saMyMk5hZLA3aOqzqEA="; fetchSubmodules = true; }; Loading @@ -52,11 +52,11 @@ stdenv.mkDerivation rec { # Fetch the Data Center Attestation Primitives (DCAP) platform enclaves # and pre-built sgxssl. dcap = rec { version = "1.22"; version = "1.24"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ="; hash = "sha256-sc/eYIPdhwAyDk2Zh1HU6yuFlobqVy/4++m5OnQE3Bc="; }; }; in Loading @@ -72,8 +72,8 @@ stdenv.mkDerivation rec { grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \ || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1) tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source ./prebuilt/ tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration ./psw/ tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source prebuilt/ tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration psw/ ''; patches = [ Loading 
@@ -90,6 +90,13 @@ stdenv.mkDerivation rec { # binary. Without changes, the `aesm_service` will be different after every # build because the embedded zip file contents have different modified times. ./cppmicroservices-no-mtime.patch # CppMicroServices is failing to build with CMake 4 and GCC 15 # PR: <https://github.com/intel/confidential-computing.sgx/pull/1098> # - CMake 4 dropped support for <3.5 and warns on <3.10, so bump the # `cmake_minimum_required` to 3.10 # - Various header files now need `#include <cstdint>` to compile ./cppmicroservices-compat.patch ]; postPatch = Loading
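Review bot: The pinned `hash` on `dcap.prebuilt` is the only thing standing between this build and whatever download.01.org serves, and the `preUnpack` check beside it only confirms that `ae_file_name` in `download_prebuilt.sh` matches `dcap.filename`; if that upstream script still carries a `checksum=` line for the tarball, comparing it against the `sha256sum` of `${dcap.prebuilt}` in the same check would tie the Nix pin to Intel's own published digest rather than to whoever last updated the hash. The tar member paths changed from `./prebuilt/` and `./psw/` to `prebuilt/` and `psw/`, presumably because the 1.24 tarball is laid out that way; a one-line comment such as `# member names in the 1.24 tarball carry no ./ prefix` would stop the next bump from reverting it by habit. The `patches` comment block explaining cppmicroservices-compat.patch is good; the same PR link belongs in the patch file itself. The stdenv.mkDerivation attribute set continues outside the visible hunks.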
pkgs/os-specific/linux/sgx/psw/disable-downloads.patch +4 −9 Original line number Diff line number Diff line diff --git a/Makefile b/Makefile index 19bc05a..6b1acd4 100644 index 144f4e4..834c23e 100644 --- a/Makefile +++ b/Makefile @@ -50,13 +50,13 @@ tips: @@ -50,22 +50,17 @@ tips: preparation: # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # Only enable the download from git - git submodule update --init --recursive + # git submodule update --init --recursive cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \ git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check - ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R cd external/protobuf/protobuf_code && git apply ../0001-bumped-protobuf-to-1.33.0.patch >/dev/null 2>&1 || git apply ../0001-bumped-protobuf-to-1.33.0.patch --check -R - cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R + cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R ./external/sgx-emm/create_symlink.sh cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R cd external/cbor && cp -r libcbor sgx_libcbor 
@@ -64,8 +64,8 @@ preparation: cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R cd external/ippcp_internal/ipp-crypto && mkdir -p build - ./download_prebuilt.sh - ./external/dcap_source/QuoteGeneration/download_prebuilt.sh + # ./download_prebuilt.sh + # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh psw: $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
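Review bot: Commenting out `./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild` in the `preparation` recipe silently assumes the pre-built sgxssl arrives some other way (the DCAP tarball comment in default.nix suggests it does), but nothing in the patch records that; a Makefile comment above the line, e.g. `# nixpkgs: sgxssl and the prebuilt AEs are unpacked from the pinned DCAP tarball in preUnpack`, would let the next rebase tell a deliberate omission from a merge accident. The same applies to the two `download_prebuilt.sh` lines in the second hunk and to the removed `git submodule update` calls, which together are what make the build hermetic and so deserve one sentence of rationale at the top of the patch. The lines of the recipe between the two hunks are not shown here.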
pkgs/top-level/all-packages.nix +1 −1 Original line number Diff line number Diff line Loading @@ -8799,7 +8799,7 @@ with pkgs; }; sgx-psw = callPackage ../os-specific/linux/sgx/psw { protobuf = protobuf_21; protobuf = protobuf_33; }; sinit = callPackage ../os-specific/linux/sinit { Loading