sgx-sdk: drop (c7beca36) · Commits · nix / nixpkgs

pkgs/by-name/sg/sgx-ssl/package.nix

deleted100644 → 0

+0 −95

Original line number	Diff line number	Diff line
		{
		stdenv,
		callPackage,
		fetchFromGitHub,
		fetchurl,
		lib,
		perl,
		sgx-sdk,
		which,
		debug ? false,
		}:
		let
		sgxVersion = sgx-sdk.versionTag;
		opensslVersion = "3.0.13";
		in
		stdenv.mkDerivation {
		pname = "sgx-ssl" + lib.optionalString debug "-debug";
		version = "${sgxVersion}_${opensslVersion}";

		src = fetchFromGitHub {
		owner = "intel";
		repo = "intel-sgx-ssl";
		rev = "3.0_Rev2";
		hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I=";
		};

		postUnpack =
		let
		opensslSourceArchive = fetchurl {
		url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
		hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
		};
		in
		''
		ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
		'';

		postPatch = ''
		patchShebangs Linux/build_openssl.sh

		# Skip the tests. Build and run separately (see below).
		substituteInPlace Linux/sgx/Makefile \
		--replace-fail '$(MAKE) -C $(TEST_DIR) all' \
		'bash -c "true"'
		'';

		nativeBuildInputs = [
		perl
		sgx-sdk
		which
		];

		makeFlags = [
		"-C Linux"
		]
		++ lib.optionals debug [
		"DEBUG=1"
		];

		installFlags = [
		"DESTDIR=$(out)"
		];

		# These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
		# real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
		#
		# ```
		# nix run .#sgx-ssl.tests.HW
		# nix run .#sgx-ssl.tests.SIM
		# ```
		passthru.tests = {
		HW = callPackage ./tests.nix {
		sgxMode = "HW";
		inherit opensslVersion;
		};
		SIM = callPackage ./tests.nix {
		sgxMode = "SIM";
		inherit opensslVersion;
		};
		};

		meta = {
		description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
		homepage = "https://github.com/intel/intel-sgx-ssl";
		maintainers = with lib.maintainers; [
		phlip9
		veehaitch
		];
		platforms = [ "x86_64-linux" ];
		license = with lib.licenses; [
		bsd3
		openssl
		];
		};
		}

pkgs/by-name/sg/sgx-ssl/tests.nix

deleted100644 → 0

+0 −96

Original line number	Diff line number	Diff line
		# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
		# The whole package effectively does:
		#
		# ```
		# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
		# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
		# ```
		#
		# OfBorg fails to run these tests since they require real Intel HW. That
		# includes the simulation mode! The tests appears to do something fancy with
		# cpuid and exception trap handlers that make them very non-portable.
		#
		# These tests are split out from the parent pkg since recompiling the parent
		# takes like 30 min : )

		{
		lib,
		openssl,
		sgx-psw,
		sgx-sdk,
		sgx-ssl,
		stdenv,
		which,
		opensslVersion ? throw "required parameter",
		sgxMode ? throw "required parameter", # "SIM" or "HW"
		}:
		stdenv.mkDerivation {
		inherit (sgx-ssl) postPatch src version;
		pname = sgx-ssl.pname + "-tests-${sgxMode}";

		postUnpack = sgx-ssl.postUnpack + ''
		sourceRootAbs=$(readlink -e $sourceRoot)
		packageDir=$sourceRootAbs/Linux/package

		# Do the inverse of 'make install' and symlink built artifacts back into
		# '$src/Linux/package/' to avoid work.
		mkdir $packageDir/lib $packageDir/lib64
		ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
		ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
		ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/

		# test_app needs some internal openssl headers.
		# See: tail end of 'Linux/build_openssl.sh'
		tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
		echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
		ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
		ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
		'';

		nativeBuildInputs = [
		openssl.bin
		sgx-sdk
		which
		];

		preBuild = ''
		# Need to regerate the edl header
		make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
		'';

		makeFlags = [
		"-C Linux/sgx/test_app"
		"SGX_MODE=${sgxMode}"
		];

		installPhase = ''
		runHook preInstall

		# Enclaves can't be stripped after signing.
		install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves

		install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin

		runHook postInstall
		'';

		postFixup = ''
		# Move the enclaves where they actually belong.
		mv $TMPDIR/enclaves/.signed.so $out/bin/

		# HW SGX must runs against sgx-psw, not sgx-sdk.
		if [[ "${sgxMode}" == "HW" ]]; then
		patchelf \
		--set-rpath "$( \
		patchelf --print-rpath $out/bin/TestApp \
		\| sed 's\|${lib.getLib sgx-sdk}\|${lib.getLib sgx-psw}\|' \
		)" \
		$out/bin/TestApp
		fi
		'';

		meta = {
		platforms = [ "x86_64-linux" ];
		mainProgram = "TestApp";
		};
		}

pkgs/os-specific/linux/sgx/samples/default.nix

deleted100644 → 0

+0 −146

Original line number	Diff line number	Diff line
		{
		stdenv,
		lib,
		makeWrapper,
		openssl,
		sgx-sdk,
		sgx-psw,
		which,
		# "SIM" or "HW"
		sgxMode,
		}:
		let
		isSimulation = sgxMode == "SIM";
		buildSample =
		name:
		stdenv.mkDerivation {
		pname = name;
		version = sgxMode;

		src = sgx-sdk.out;
		sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";

		nativeBuildInputs = [
		makeWrapper
		openssl
		which
		];

		buildInputs = [
		sgx-sdk
		];

		# The samples don't have proper support for parallel building
		# causing them to fail randomly.
		enableParallelBuilding = false;

		buildFlags = [
		"SGX_MODE=${sgxMode}"
		];

		installPhase = ''
		runHook preInstall

		mkdir -p $out/{bin,lib}
		install -m 755 app $out/bin
		install *.so $out/lib

		wrapProgram "$out/bin/app" \
		--chdir "$out/lib" \
		${lib.optionalString (!isSimulation)
		''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''
		}

		runHook postInstall
		'';

		# Breaks the signature of the enclaves
		dontFixup = true;

		# We don't have access to real SGX hardware during the build
		doInstallCheck = isSimulation;
		installCheckPhase = ''
		runHook preInstallCheck

		pushd /
		echo a \| $out/bin/app
		popd

		runHook preInstallCheck
		'';
		};
		in
		{
		cxx11SGXDemo = buildSample "Cxx11SGXDemo";
		cxx14SGXDemo = buildSample "Cxx14SGXDemo";
		cxx17SGXDemo = buildSample "Cxx17SGXDemo";
		localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: {
		installPhase = ''
		runHook preInstall

		mkdir -p $out/{bin,lib}
		install -m 755 bin/app* $out/bin
		install bin/*.so $out/lib

		for bin in $out/bin/*; do
		wrapProgram $bin \
		--chdir "$out/lib" \
		${lib.optionalString (!isSimulation)
		''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''
		}
		done

		runHook postInstall
		'';
		});
		powerTransition = buildSample "PowerTransition";
		protobufSGXDemo = buildSample "ProtobufSGXDemo";
		remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: {
		# Makefile sets rpath to point to $TMPDIR
		preFixup = ''
		patchelf --remove-rpath $out/bin/app
		'';

		postInstall = ''
		install sample_libcrypto/*.so $out/lib
		'';
		});
		sampleEnclave = buildSample "SampleEnclave";
		sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
		sampleMbedCrypto = buildSample "SampleMbedCrypto";
		sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: {
		prePatch = ''
		substituteInPlace App/App.cpp \
		--replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
		'';
		});
		switchless = buildSample "Switchless";
		# # Requires SGX-patched openssl (sgxssl) build
		# sampleAttestedTLS = buildSample "SampleAttestedTLS";
		}
		// lib.optionalAttrs (!isSimulation) {
		# # Requires kernel >= v6.2 && HW SGX
		# sampleAEXNotify = buildSample "SampleAEXNotify";

		# Requires HW SGX
		sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: {
		nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs;

		installPhase = ''
		runHook preInstall

		mkdir -p $out/{bin,lib}
		mv sample app
		install -m 755 app $out/bin

		wrapProgram "$out/bin/app" \
		--chdir "$out/lib" \
		--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"

		runHook postInstall
		'';
		});

		# # SEGFAULTs in simulation mode?
		# sampleEnclavePCL = buildSample "SampleEnclavePCL";
		}

pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch

deleted100644 → 0

+0 −26

Original line number	Diff line number	Diff line
		diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
		index aee499e9..13fa89d4 100644
		--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
		+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
		@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
		const_cast<mz_zip_archive*>(&m_ZipArchive), index)
		? true
		: false;
		- stat.modifiedTime = zipStat.m_time;
		+ stat.modifiedTime = 0;
		stat.crc32 = zipStat.m_crc32;
		// This will limit the size info from uint64 to uint32 on 32-bit
		// architectures. We don't care because we assume resources > 2GB
		diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
		index 6b0ebd7a..fa2aebca 100644
		--- a/external/CppMicroServices/third_party/miniz.c
		+++ b/external/CppMicroServices/third_party/miniz.c
		@@ -170,7 +170,7 @@
		// If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
		// get/set file times, and the C run-time funcs that get/set times won't be called.
		// The current downside is the times written to your archives will be from 1979.
		-//#define MINIZ_NO_TIME
		+#define MINIZ_NO_TIME

		// Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
		//#define MINIZ_NO_ARCHIVE_APIS

pkgs/os-specific/linux/sgx/sdk/default.nix

deleted100644 → 0

+0 −304

Original line number	Diff line number	Diff line
		{
		lib,
		stdenv,
		fetchFromGitHub,
		autoconf,
		automake,
		binutils,
		callPackage,
		cmake,
		file,
		gdb,
		git,
		libtool,
		linkFarmFromDrvs,
		ocamlPackages,
		openssl,
		perl,
		python3,
		texinfo,
		validatePkgConfig,
		writeShellApplication,
		writeShellScript,
		writeText,
		debug ? false,
		}:
		stdenv.mkDerivation (finalAttrs: {
		pname = "sgx-sdk";
		# Version as given in se_version.h
		version = "2.24.100.3";
		# Version as used in the Git tag
		versionTag = "2.24";

		src = fetchFromGitHub {
		owner = "intel";
		repo = "linux-sgx";
		rev = "sgx_${finalAttrs.versionTag}";
		hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
		fetchSubmodules = true;
		};

		postUnpack = ''
		# Make sure this is the right version of linux-sgx
		grep -q '"${finalAttrs.version}"' "$src/common/inc/internal/se_version.h" \
		\|\| (echo "Could not find expected version ${finalAttrs.version} in linux-sgx source" >&2 && exit 1)
		'';

		patches = [
		# There's a `make preparation` step that downloads some prebuilt binaries
		# and applies some patches to the in-repo git submodules. This patch removes
		# the parts that download things, since we can't do that inside the sandbox.
		./disable-downloads.patch

		# This patch disable mtime in bundled zip file for reproducible builds.
		#
		# Context: The `aesm_service` binary depends on a vendored library called
		# `CppMicroServices`. At build time, this lib creates and then bundles
		# service resources into a zip file and then embeds this zip into the
		# binary. Without changes, the `aesm_service` will be different after every
		# build because the embedded zip file contents have different modified times.
		./cppmicroservices-no-mtime.patch
		];

		postPatch = ''
		patchShebangs linux/installer/bin/build-installpkg.sh \
		linux/installer/common/sdk/createTarball.sh \
		linux/installer/common/sdk/install.sh \
		external/sgx-emm/create_symlink.sh

		make preparation
		'';

		# We need `cmake` as a build input but don't use it to kick off the build phase
		dontUseCmakeConfigure = true;

		# SDK built with stackprotector produces broken enclaves which crash at runtime.
		# Disable all to be safe, SDK build configures compiler mitigations manually.
		hardeningDisable = [ "all" ];

		nativeBuildInputs = [
		autoconf
		automake
		cmake
		file
		git
		ocamlPackages.ocaml
		ocamlPackages.ocamlbuild
		perl
		python3
		texinfo
		validatePkgConfig
		];

		buildInputs = [
		libtool
		openssl
		];

		env.BINUTILS_DIR = "${binutils}/bin";

		# Build external/ippcp_internal first. The Makefile is rewritten to make the
		# build faster by splitting different versions of ipp-crypto builds and to
		# avoid patching the Makefile for reproducibility issues.
		preBuild =
		let
		ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };

		sgx-asm-pp = "python ${finalAttrs.src}/build-scripts/sgx-asm-pp.py --assembler=nasm";

		nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
		ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
		extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
		};

		nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
		ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
		extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
		};
		in
		''
		echo "Setting up IPP crypto build artifacts"

		pushd 'external/ippcp_internal'

		install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
		lib/linux/intel64/no_mitigation/libippcp.a
		install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
		lib/linux/intel64/cve_2020_0551_load/libippcp.a
		install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
		lib/linux/intel64/cve_2020_0551_cf/libippcp.a

		cp -r ${ipp-crypto-no_mitigation}/include/* inc/

		mkdir inc/ippcp
		cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/

		rm inc/ippcp.h
		patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h

		install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE

		popd
		'';

		buildFlags = [
		"sdk_install_pkg"
		]
		++ lib.optionals debug [
		"DEBUG=1"
		];

		postBuild = ''
		patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${finalAttrs.version}.bin
		'';

		installPhase = ''
		runHook preInstall

		installDir=$TMPDIR
		./linux/installer/bin/sgx_linux_x64_sdk_${finalAttrs.version}.bin -prefix $installDir
		installDir=$installDir/sgxsdk

		echo "Move files created by installer"

		mkdir -p $out/bin
		pushd $out

		mv $installDir/bin/sgx-gdb $out/bin
		mkdir $out/bin/x64
		for file in $installDir/bin/x64/*; do
		mv $file bin/
		ln -sr bin/$(basename $file) bin/x64/
		done
		rmdir $installDir/bin/{x64,}

		# Move `lib64` to `lib` and symlink `lib64`
		mv $installDir/lib64 lib
		ln -s lib/ lib64

		# Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
		for file in lib/libsgx_urts.so.*; do
		ln -srf lib/libsgx_urts.so $file
		done

		mv $installDir/include/ .

		mkdir -p share/
		mv $installDir/{SampleCode,licenses} share/

		mkdir -p share/bin
		mv $installDir/{environment,buildenv.mk} share/bin/
		ln -s share/bin/{environment,buildenv.mk} .

		# pkgconfig should go to lib/
		mv $installDir/pkgconfig lib/
		ln -s lib/pkgconfig/ .

		# Also create the `sdk_libs` for compat. All the files
		# link to libraries in `lib64/`, we shouldn't link the entire
		# directory, however, as there seems to be some ambiguity between
		# SDK and PSW libraries.
		mkdir sdk_libs/
		for file in $installDir/sdk_libs/*; do
		ln -sr lib/$(basename $file) sdk_libs/
		rm $file
		done
		rmdir $installDir/sdk_libs

		# No uninstall script required
		rm $installDir/uninstall.sh

		# Create an `sgxsdk` symlink which points to `$out` for compat
		ln -sr . sgxsdk

		# Make sure we didn't forget any files
		rmdir $installDir \|\| (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)

		popd

		runHook postInstall
		'';

		preFixup = ''
		echo "Strip sgxsdk prefix"
		for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
		substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
		done

		echo "Fixing pkg-config files"
		sed -i "s\|prefix=.\|prefix=$out\|g" $out/lib/pkgconfig/.pc

		echo "Fixing SGX_SDK default in samples"
		substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
		--replace '/opt/intel/sgxsdk' "$out"
		for file in $out/share/SampleCode/*/Makefile; do
		substituteInPlace $file \
		--replace '/opt/intel/sgxsdk' "$out"
		done

		echo "Fixing BINUTILS_DIR in buildenv.mk"
		substituteInPlace $out/share/bin/buildenv.mk \
		--replace 'BINUTILS_DIR ?= /usr/local/bin' \
		'BINUTILS_DIR ?= ${finalAttrs.env.BINUTILS_DIR}'

		echo "Fixing GDB path in bin/sgx-gdb"
		substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
		'';

		doInstallCheck = true;

		installCheckPhase = ''
		runHook preInstallCheck

		# Make sure all symlinks are valid
		output=$(find "$out" -type l -exec test ! -e {} \; -print)
		if [[ -n "$output" ]]; then
		echo "Broken symlinks:"
		echo "$output"
		exit 1
		fi

		runHook postInstallCheck
		'';

		setupHook = writeText "setup-hook.sh" ''
		sgxsdk() {
		export SGX_SDK=@out@
		}

		postHooks+=(sgxsdk)
		'';

		passthru.tests = callPackage ../samples { sgxMode = "SIM"; };

		# Run tests in SGX hardware mode on an SGX-enabled machine
		# $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
		passthru.runTestsHW =
		let
		testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
		testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
		in
		writeShellApplication {
		name = "run-tests-hw";
		text = ''
		for test in ${testsHWLinked}/*; do
		printf '* Running test %s *\n\n' "$(basename "$test")"
		printf 'a\n' \| "$test/bin/app"
		printf '\n'
		done
		'';
		};

		meta = {
		description = "Intel SGX SDK for Linux built with IPP Crypto Library";
		homepage = "https://github.com/intel/linux-sgx";
		maintainers = with lib.maintainers; [
		phlip9
		sbellem
		arturcygan
		veehaitch
		];
		platforms = [ "x86_64-linux" ];
		license = [ lib.licenses.bsd3 ];
		};
		})