From 9dac06a14ddeef95b103a91579a5aa7d8b6ebe8a Mon Sep 17 00:00:00 2001
From: Vincent Haupert
Date: Sun, 2 Jan 2022 23:38:00 +0100
Subject: [PATCH] sgx-sdk, sgx-psw: improve samples

Make it easier to review updates to `sgx-{sdk,psw}` on machines with actual SGX hardware support. The passthru tests build and run the SGX samples in simulation mode which works without any hardware support. To run the samples on a machine with SGX hardware support, issue the following command:

```bash
$(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
```

Make sure the SGX AESM daemon is running as some tests require it. See the `services.aesmd.*` NixOS module options and the `sgx-psw` package for details.
---
 .../os-specific/linux/sgx/samples/default.nix | 109 ++++++++++++++++++
 pkgs/os-specific/linux/sgx/sdk/default.nix | 24 +++-
 pkgs/os-specific/linux/sgx/sdk/samples.nix | 63 ----------
 3 files changed, 131 insertions(+), 65 deletions(-)
 create mode 100644 pkgs/os-specific/linux/sgx/samples/default.nix
 delete mode 100644 pkgs/os-specific/linux/sgx/sdk/samples.nix

diff --git a/pkgs/os-specific/linux/sgx/samples/default.nix b/pkgs/os-specific/linux/sgx/samples/default.nix
new file mode 100644
index 000000000000..f9c5ae450545
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/samples/default.nix
@@ -0,0 +1,109 @@
+{ stdenv
+, lib
+, makeWrapper
+, sgx-sdk
+, sgx-psw
+, which
+ # "SIM" or "HW"
+, sgxMode
+}:
+let
+ isSimulation = sgxMode == "SIM";
+ buildSample = name: stdenv.mkDerivation {
+ pname = name;
+ version = sgxMode;
+
+ src = sgx-sdk.out;
+ sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
+
+ nativeBuildInputs = [
+ makeWrapper
+ which
+ ];
+
+ buildInputs = [
+ sgx-sdk
+ ];
+
+ # The samples don't have proper support for parallel building
+ # causing them to fail randomly.
+ enableParallelBuilding = false;
+
+ buildFlags = [
+ "SGX_MODE=${sgxMode}"
+ ];
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/{bin,lib}
+ install -m 755 app $out/bin
+ install *.so $out/lib
+
+ wrapProgram "$out/bin/app" \
+ --run "cd $out/lib" \
+ ${lib.optionalString (!isSimulation)
+ ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+
+ runHook postInstall
+ '';
+
+ # Breaks the signature of the enclaves
+ dontFixup = true;
+
+ # We don't have access to real SGX hardware during the build
+ doInstallCheck = isSimulation;
+ installCheckPhase = ''
+ runHook preInstallCheck
+
+ pushd /
+ echo a | $out/bin/app
+ popd
+
+ runHook preInstallCheck
+ '';
+ };
+in
+{
+ cxx11SGXDemo = buildSample "Cxx11SGXDemo";
+ localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/{bin,lib}
+ install -m 755 bin/app* $out/bin
+ install bin/*.so $out/lib
+
+ for bin in $out/bin/*; do
+ wrapProgram $bin \
+ --run "cd $out/lib" \
+ ${lib.optionalString (!isSimulation)
+ ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+ done
+
+ runHook postInstall
+ '';
+ });
+ powerTransition = buildSample "PowerTransition";
+ protobufSGXDemo = buildSample "ProtobufSGXDemo";
+ remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
+ # Makefile sets rpath to point to $TMPDIR
+ preFixup = ''
+ patchelf --remove-rpath $out/bin/app
+ '';
+
+ postInstall = ''
+ install sample_libcrypto/*.so $out/lib
+ '';
+ });
+ sampleEnclave = buildSample "SampleEnclave";
+ sampleEnclavePCL = buildSample "SampleEnclavePCL";
+ sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
+ sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
+ prePatch = ''
+ substituteInPlace App/App.cpp \
+ --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
+ '';
+ });
+ switchless = buildSample "Switchless";
+}
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index 18876f927e80..0a80040f33a7 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -3,15 +3,16 @@
 , fetchFromGitHub
 , fetchpatch
 , fetchzip
-, callPackage
 , autoconf
 , automake
 , binutils
+, callPackage
 , cmake
 , file
 , gdb
 , git
 , libtool
+, linkFarmFromDrvs
 , nasm
 , ocaml
 , ocamlPackages
@@ -20,6 +21,7 @@
 , python3
 , texinfo
 , validatePkgConfig
+, writeShellApplication
 , writeShellScript
 , writeText
 , debug ? false
@@ -257,7 +259,25 @@ stdenv.mkDerivation rec {
 postHooks+=(sgxsdk)
 '';
 
- passthru.tests = callPackage ./samples.nix { };
+ passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
+
+ # Run tests in SGX hardware mode on an SGX-enabled machine
+ # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
+ passthru.runTestsHW =
+ let
+ testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
+ testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
+ in
+ writeShellApplication {
+ name = "run-tests-hw";
+ text = ''
+ for test in ${testsHWLinked}/*; do
+ printf '*** Running test %s ***\n\n' "$(basename "$test")"
+ printf 'a\n' | "$test/bin/app"
+ printf '\n'
+ done
+ '';
+ };
 
 meta = with lib; {
 description = "Intel SGX SDK for Linux built with IPP Crypto Library";
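Review bot: The `preFixup` added to `remoteAttestation` is dead code: `buildSample` sets `dontFixup = true`, which makes stdenv skip `fixupPhase` altogether, its `preFixup` hook included, so the rpath the Makefile points into `$TMPDIR` (per the comment in the hunk) stays in `$out/bin/app`. The SIM install check will not notice because the build tree still exists while it runs, but the installed binary then searches a stale, predictable build path for `libsample_libcrypto.so` ahead of `$out/lib`, which is both a breakage and a library-hijack smell once `runTestsHW` runs outside the sandbox. Do the patching in the hook that actually runs and rewrite only that entry instead of `--remove-rpath` (which would also drop the store rpaths the cc-wrapper normally adds for `-L` directories): after the `install` in `postInstall`, add `patchelf --set-rpath "$(patchelf --print-rpath $out/bin/app | sed "s|$PWD/sample_libcrypto|$out/lib|")" $out/bin/app`, assuming the entry is `$(CURDIR)/sample_libcrypto` as in the upstream Makefile. Separately, `installCheckPhase` closes with a second `runHook preInstallCheck`; that should read `runHook postInstallCheck`, otherwise the post hook never runs. The `sealUnseal` rewrite to `/tmp/sealed_data_blob.txt` is a fixed path in a world-writable directory that `runTestsHW` will also use outside the sandbox, so it deserves a comment marking it as sample-only rather than a pattern to copy.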
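Review bot: `writeShellApplication` enables `set -euo pipefail`, so in the `text` loop the first sample whose `app` exits non-zero aborts the entire run and the remaining hardware samples are never exercised, which defeats the purpose of a one-shot HW review bundle. Record failures per sample, keep going, and summarise with a non-zero exit at the end; note the `''${` escaping required for bash expansions inside the Nix indented string. The script also assumes the SGX device and a running AESM are present (the commit message states the requirement, the script does not check it), so a missing `aesmd` only surfaces as each sample's own error text; a short precheck that prints that hint before the loop would make failures legible. The enclosing `stdenv.mkDerivation rec {` starts before this hunk and `meta` continues after it.

```nix
      text = ''
        failed=()
        for test in ${testsHWLinked}/*; do
          printf '*** Running test %s ***\n\n' "$(basename "$test")"
          if ! printf 'a\n' | "$test/bin/app"; then
            failed+=("$(basename "$test")")
          fi
          printf '\n'
        done
        if [ "''${#failed[@]}" -gt 0 ]; then
          printf 'FAILED: %s\n' "''${failed[*]}" >&2
          exit 1
        fi
      '';
```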
diff --git a/pkgs/os-specific/linux/sgx/sdk/samples.nix b/pkgs/os-specific/linux/sgx/sdk/samples.nix
deleted file mode 100644
index 21b31f824476..000000000000
--- a/pkgs/os-specific/linux/sgx/sdk/samples.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ stdenv
-, sgx-sdk
-, which
-}:
-let
- buildSample = name: stdenv.mkDerivation rec {
- inherit name;
-
- src = sgx-sdk.out;
- sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
-
- buildInputs = [
- sgx-sdk
- ];
-
- # The samples don't have proper support for parallel building
- # causing them to fail randomly.
- enableParallelBuilding = false;
-
- buildFlags = [
- "SGX_MODE=SIM"
- ];
-
- installPhase = ''
- mkdir $out
- install -m 755 app $out/app
- install *.so $out/
- '';
-
- doInstallCheck = true;
- installCheckInputs = [ which ];
- installCheckPhase = ''
- pushd $out
- ./app
- popd
- '';
- };
-in
-{
- cxx11SGXDemo = buildSample "Cxx11SGXDemo";
- localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
- installPhase = ''
- mkdir $out
- cp -r bin/. $out/
- '';
- });
- powerTransition = (buildSample "PowerTransition").overrideAttrs (oldAttrs: {
- # Requires interaction
- doInstallCheck = false;
- });
- protobufSGXDemo = buildSample "ProtobufSGXDemo";
- remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
- dontFixup = true;
- installCheckPhase = ''
- echo "a" | LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/sample_libcrypto ./app
- '';
- });
- sampleEnclave = buildSample "SampleEnclave";
- sampleEnclavePCL = buildSample "SampleEnclavePCL";
- sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
- sealUnseal = buildSample "SealUnseal";
- switchless = buildSample "Switchless";
-}