Commit da0dc833 authored by Andreas Stührk's avatar Andreas Stührk Committed by Vincent Haupert

nixos/aesmd: add option to configure quote provider library



Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`:
- Append instead of prepend to allow for overriding in service config
- As we already add a wrapper that adds `aesm` to `LD_LIBRARY_PATH`, it is
  not necessary to also set it in the `LD_LIBRARY_PATH` of the systemd service.

Co-authored-by: default avatarVincent Haupert <mail@vincent-haupert.de>
parent 7de32b0c
+7 −2
@@ -25,6 +25,12 @@ in
      default = false;
      description = lib.mdDoc "Whether to build the PSW package in debug mode.";
    };
    quoteProviderLibrary = mkOption {
      type = with types; nullOr path;
      default = null;
      example = literalExpression "pkgs.sgx-azure-dcap-client";
      description = lib.mdDoc "Custom quote provider library to use.";
    };
    settings = mkOption {
      description = lib.mdDoc "AESM configuration";
      default = { };
@@ -83,7 +89,6 @@ in
        storeAesmFolder = "${sgx-psw}/aesm";
        # Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp
        aesmDataFolder = "/var/opt/aesmd/data";
        aesmStateDirSystemd = "%S/aesmd";
      in
      {
        description = "Intel Architectural Enclave Service Manager";
@@ -98,7 +103,7 @@ in
        environment = {
          NAME = "aesm_service";
          AESM_PATH = storeAesmFolder;
          LD_LIBRARY_PATH = storeAesmFolder;
          LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];
        };

        # Make sure any of the SGX application enclave devices is available
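Review bot: The new `LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];` places the configured library directory ahead of everything the sgx-psw wrapper now appends, so shared objects under that value's `lib` directory are loaded into aesm_service in preference to the bundled ones, and neither this hunk nor the option description in the first hunk says so. Because the value goes through `makeLibraryPath`, which appends `/lib`, the option effectively expects a package rather than an arbitrary directory, so `type = with types; nullOr package;` would match the example and keep the value a store path. I would extend the description to state that the library's `lib` directory is prepended to the service's `LD_LIBRARY_PATH` and therefore takes precedence over the libraries shipped with sgx-psw. As far as I recall `makeLibraryPath` drops null entries, which is what makes the `null` default yield an empty variable; a short comment on the assignment noting that would help. The `systemd.services.aesmd` attribute set this belongs to starts and ends outside the hunks shown.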
+64 −33
{ pkgs, lib, ... }: {
  name = "aesmd";
  meta = {
    maintainers = with lib.maintainers; [ veehaitch ];
    maintainers = with lib.maintainers; [ trundle veehaitch ];
  };

  nodes.machine = { lib, ... }: {
@@ -25,14 +25,28 @@

    # We don't have a real SGX machine in NixOS tests
    systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];

    specialisation = {
      withQuoteProvider.configuration = { ... }: {
        services.aesmd.quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
      };
    };
  };

  testScript = ''
    with subtest("aesmd.service starts"):
      machine.wait_for_unit("aesmd.service")
  testScript = { nodes, ... }:
    let
      specialisations = "${nodes.machine.system.build.toplevel}/specialisation";
    in
    ''
      def get_aesmd_pid():
        status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
        assert status == 0, "Could not get MainPID of aesmd.service"
      main_pid = main_pid.strip()
        return main_pid.strip()

      with subtest("aesmd.service starts"):
        machine.wait_for_unit("aesmd.service")

      main_pid = get_aesmd_pid()

      with subtest("aesmd.service runtime directory permissions"):
        runtime_dir = "/run/aesmd";
@@ -58,5 +72,22 @@
        aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")

        assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"

      with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"):
        status, environment = machine.systemctl("show --property Environment --value aesmd.service")
        assert status == 0, "Could not get Environment of aesmd.service"
        env_by_name = dict(entry.split("=", 1) for entry in environment.split())
        assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty"

      with subtest("aesmd.service with quote provider library starts"):
        machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test')
        machine.wait_for_unit("aesmd.service")

      main_pid = get_aesmd_pid()

      with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"):
        ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")
        assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \
          "LD_LIBRARY_PATH is not set to the configured quote provider library"
    '';
}
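Review bot: The assertion at the end of the last hunk checks only that the quote provider's `lib` directory comes first in `LD_LIBRARY_PATH`, not that the wrapper's own entries still follow it, which is the other half of what switching sgx-psw to `--suffix` is meant to guarantee. A second assertion would pin that, e.g. `assert ld_library_path.rstrip().endswith("/aesm"), "bundled aesm directory no longer on LD_LIBRARY_PATH"` (the trailing `/aesm` is inferred from the wrapper's `--suffix ... :$out/aesm`). In the same section, `env_by_name = dict(entry.split("=", 1) for entry in environment.split())` splits the `Environment` property on whitespace, which works for the three values the module sets but would misparse any value containing a space; a comment on that line stating the assumption would help. The `testScript` string starts in the second hunk and ends in the last, with its middle cut between them.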
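--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -69,7 +69,7 @@ in {
   _3proxy = runTest ./3proxy.nix;
   acme = runTest ./acme.nix;
   adguardhome = runTest ./adguardhome.nix;
-  aesmd = runTest ./aesmd.nix;
+  aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix;
   agate = runTest ./web-servers/agate.nix;
   agda = handleTest ./agda.nix {};
   airsonic = handleTest ./airsonic.nix {};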
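--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -121,7 +121,7 @@ stdenv.mkDerivation rec {
 
     mkdir $out/bin
     makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
-      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
+      --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
       --chdir "$out/aesm"
 
     # Make sure we didn't forget to handle any files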
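Review bot: The switch from `--prefix` to `--suffix` inverts the precedence of `LD_LIBRARY_PATH`: directories already present in the caller's environment now win over the bundled protobuf and `$out/aesm` libraries, and nothing in the expression records that this is deliberate. A comment above the `makeWrapper` call would keep the next reader from "fixing" it back, e.g. `# --suffix, not --prefix: a caller-provided LD_LIBRARY_PATH (e.g. a custom quote provider library) must take precedence over the bundled libraries`. The build phase this call sits in continues outside the hunk.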