Commit bf15997e authored by Philip Hayes

sgx-ssl: split out tests. build-only by default.

- Normally SGX has a SIM mode for running enclave tests on non-Intel SGX
  capable hardware; however, these tests do some tricky stuff with cpuid
  and CPU trap handling that make them non-portable.

- This diff makes it so OfBorg (which can't _run_ the tests) at least
  builds them. The tests are also split out into a separate derivation
  to save my sanity when iterating on them, since sgx-ssl takes like 30
  min to build...
parent 9dd20575
+13 −13
{ stdenv
, callPackage
, fetchFromGitHub
, fetchurl
, lib
, openssl
, perl
, sgx-sdk
, which
@@ -37,7 +37,7 @@ stdenv.mkDerivation {
  postPatch = ''
    patchShebangs Linux/build_openssl.sh

    # Run the test in the `installCheckPhase`, not the `buildPhase`
    # Skip the tests. Build and run separately (see below).
    substituteInPlace Linux/sgx/Makefile \
      --replace '$(MAKE) -C $(TEST_DIR) all' \
                'bash -c "true"'
@@ -46,7 +46,6 @@ stdenv.mkDerivation {
  nativeBuildInputs = [
    perl
    sgx-sdk
    stdenv.cc.libc
    which
  ];

@@ -60,16 +59,17 @@ stdenv.mkDerivation {
    "DESTDIR=$(out)"
  ];

  # Build the test app
  doInstallCheck = true;
  installCheckTarget = "test";
  installCheckFlags = [
    "SGX_MODE=SIM"
    "-j 1" # Makefile doesn't support multiple jobs
  ];
  nativeInstallCheckInputs = [
    openssl
  ];
  # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
  # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
  #
  # ```
  # nix run .#sgx-ssl.tests.HW
  # nix run .#sgx-ssl.tests.SIM
  # ```
  passthru.tests = {
    HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
    SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
  };

  meta = with lib; {
    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
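Review bot: After this change nothing in the sgx-ssl derivation itself appears to execute the test suite: the `doInstallCheck`/`installCheckTarget` lines look like the removed side, and by the commit description `passthru.tests` only builds the test app. For a cryptographic library that means a broken enclave OpenSSL build can land without any test having run. I would say so in the comment above `passthru.tests`, e.g. `# NOTE: nothing automated executes these; run both on SGX hardware before bumping opensslVersion or sgx-sdk.` The `meta` block continues outside this section.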
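--- a/tests.nix
+++ b/tests.nix
@@ -0,0 +1,95 @@
+# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
+# The whole package effectively does:
+#
+# ```
+# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
+# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
+# ```
+#
+# OfBorg fails to run these tests since they require real Intel HW. That
+# includes the simulation mode! The tests appears to do something fancy with
+# cpuid and exception trap handlers that make them very non-portable.
+#
+# These tests are split out from the parent pkg since recompiling the parent
+# takes like 30 min : )
+
+{ lib
+, openssl
+, sgx-psw
+, sgx-sdk
+, sgx-ssl
+, stdenv
+, which
+, opensslVersion ? throw "required parameter"
+, sgxMode ? throw "required parameter" # "SIM" or "HW"
+}:
+stdenv.mkDerivation {
+  inherit (sgx-ssl) postPatch src version;
+  pname = sgx-ssl.pname + "-tests-${sgxMode}";
+
+  postUnpack = sgx-ssl.postUnpack + ''
+    sourceRootAbs=$(readlink -e $sourceRoot)
+    packageDir=$sourceRootAbs/Linux/package
+
+    # Do the inverse of 'make install' and symlink built artifacts back into
+    # '$src/Linux/package/' to avoid work.
+    mkdir $packageDir/lib $packageDir/lib64
+    ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
+    ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
+    ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
+
+    # test_app needs some internal openssl headers.
+    # See: tail end of 'Linux/build_openssl.sh'
+    tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
+    echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
+  '';
+
+  nativeBuildInputs = [
+    openssl.bin
+    sgx-sdk
+    which
+  ];
+
+  preBuild = ''
+    # Need to regerate the edl header
+    make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
+  '';
+
+  makeFlags = [
+    "-C Linux/sgx/test_app"
+    "SGX_MODE=${sgxMode}"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    # Enclaves can't be stripped after signing.
+    install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
+
+    install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    # Move the enclaves where they actually belong.
+    mv $TMPDIR/enclaves/*.signed.so* $out/bin/
+
+    # HW SGX must runs against sgx-psw, not sgx-sdk.
+    if [[ "${sgxMode}" == "HW" ]]; then
+      patchelf \
+        --set-rpath "$( \
+          patchelf --print-rpath $out/bin/TestApp \
+            | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
+        )" \
+        $out/bin/TestApp
+    fi
+  '';
+
+  meta = {
+    platforms = [ "x86_64-linux" ];
+    mainProgram = "TestApp";
+  };
+}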
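Review bot: `sgxMode` is documented as "SIM" or "HW" but never validated, and the `postFixup` rpath rewrite fires only on an exact `"HW"` match, so a misspelled mode would (depending on how the upstream Makefile treats unknown values) yield a package named for that mode whose `TestApp` still resolves against sgx-sdk. Adding `assert lib.assertOneOf "sgxMode" sgxMode [ "SIM" "HW" ];` before `stdenv.mkDerivation` turns that into an evaluation error. The `sed` substitution in the same block also succeeds silently when the sgx-sdk path is not present in the rpath; following the rewrite with `patchelf --print-rpath $out/bin/TestApp | grep -q ${lib.getLib sgx-psw}` would fail the build rather than ship a HW test binary bound to the wrong runtime.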