From dbff3c22c156de370cd8771688651becd62cab6b Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Tue, 29 Nov 2022 16:25:11 +0100
Subject: [PATCH] nixos/aesmd: add option `environment`

---
 nixos/modules/services/security/aesmd.nix | 12 +++++++++++-
 nixos/tests/aesmd.nix                     | 11 ++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/security/aesmd.nix b/nixos/modules/services/security/aesmd.nix
index f44dcb0de8ac..8b3f010d7c4d 100644
--- a/nixos/modules/services/security/aesmd.nix
+++ b/nixos/modules/services/security/aesmd.nix
@@ -25,6 +25,16 @@ in
       default = false;
       description = lib.mdDoc "Whether to build the PSW package in debug mode.";
     };
+    environment = mkOption {
+      type = with types; attrsOf str;
+      default = { };
+      description = mdDoc "Additional environment variables to pass to the AESM service.";
+      # Example environment variable for `sgx-azure-dcap-client` provider library
+      example = {
+        AZDCAP_COLLATERAL_VERSION = "v2";
+        AZDCAP_DEBUG_LOG_LEVEL = "INFO";
+      };
+    };
     quoteProviderLibrary = mkOption {
       type = with types; nullOr path;
       default = null;
@@ -104,7 +114,7 @@ in
           NAME = "aesm_service";
           AESM_PATH = storeAesmFolder;
           LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];
-        };
+        } // cfg.environment;
 
         # Make sure any of the SGX application enclave devices is available
         unitConfig.AssertPathExists = [
diff --git a/nixos/tests/aesmd.nix b/nixos/tests/aesmd.nix
index c1b7232bb24a..848e1c599201 100644
--- a/nixos/tests/aesmd.nix
+++ b/nixos/tests/aesmd.nix
@@ -28,7 +28,12 @@
 
     specialisation = {
       withQuoteProvider.configuration = { ... }: {
-        services.aesmd.quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
+        services.aesmd = {
+          quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
+          environment = {
+            AZDCAP_DEBUG_LOG_LEVEL = "INFO";
+          };
+        };
       };
     };
   };
@@ -89,5 +94,9 @@
         ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")
         assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \
           "LD_LIBRARY_PATH is not set to the configured quote provider library"
+
+      with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"):
+        azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL")
+        assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO"
     '';
 }
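Review bot: The local holding the grep result is misspelled `azdcp_debug_log_level` while the variable under test is `AZDCAP_DEBUG_LOG_LEVEL`; rename it to `azdcap_debug_log_level` on both added lines. The grep pattern is also unanchored, so any other environment entry whose name contains `AZDCAP_DEBUG_LOG_LEVEL` would match and the equality assertion would then fail with a misleading message; `grep '^AZDCAP_DEBUG_LOG_LEVEL='` limits the match to the intended variable, mirroring the `startswith` check used for `LD_LIBRARY_PATH` just above. The test script this subtest belongs to starts before the hunk.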