forked from mirrors/nixpkgs
4f7f8d0b2d
Also add some of the new samples as tests. Disable parallel builds for the samples as they don't seem to support it (fail randomly).
191 lines
5.5 KiB
Nix
191 lines
5.5 KiB
Nix
{ stdenv
|
|
, lib
|
|
, fetchurl
|
|
, cmake
|
|
, coreutils
|
|
, curl
|
|
, file
|
|
, glibc
|
|
, makeWrapper
|
|
, nixosTests
|
|
, protobuf
|
|
, python3
|
|
, sgx-sdk
|
|
, shadow
|
|
, systemd
|
|
, util-linux
|
|
, which
|
|
, debug ? false
|
|
}:
|
|
stdenv.mkDerivation rec {
|
|
inherit (sgx-sdk) version versionTag src;
|
|
pname = "sgx-psw";
|
|
|
|
postUnpack =
|
|
let
|
|
ae.prebuilt = fetchurl {
|
|
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
|
|
hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
|
|
};
|
|
dcap = rec {
|
|
version = "1.12.1";
|
|
filename = "prebuilt_dcap_${version}.tar.gz";
|
|
prebuilt = fetchurl {
|
|
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
|
|
hash = "sha256-V/XHva9Sq3P36xSW+Sd0G6Dnk4H0ANO1Ns/u+FI1eGI=";
|
|
};
|
|
};
|
|
in
|
|
sgx-sdk.postUnpack + ''
|
|
# Make sure we use the correct version of prebuilt DCAP
|
|
grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
|
|
|| (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
|
|
|
|
tar -zxf ${ae.prebuilt} -C $sourceRoot/
|
|
tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
|
|
'';
|
|
|
|
nativeBuildInputs = [
|
|
cmake
|
|
file
|
|
makeWrapper
|
|
python3
|
|
sgx-sdk
|
|
which
|
|
];
|
|
|
|
buildInputs = [
|
|
curl
|
|
protobuf
|
|
];
|
|
|
|
hardeningDisable = lib.optionals debug [
|
|
"fortify"
|
|
];
|
|
|
|
postPatch = ''
|
|
# https://github.com/intel/linux-sgx/pull/730
|
|
substituteInPlace buildenv.mk --replace '/bin/cp' 'cp'
|
|
substituteInPlace psw/ae/aesm_service/source/CMakeLists.txt \
|
|
--replace '/usr/bin/getconf' 'getconf'
|
|
|
|
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/205
|
|
substituteInPlace ./external/dcap_source/QuoteGeneration/buildenv.mk \
|
|
--replace '/bin/cp' 'cp'
|
|
substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/Makefile \
|
|
--replace '/bin/cp' 'cp'
|
|
substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/buildenv.mk \
|
|
--replace '/bin/cp' 'cp'
|
|
|
|
patchShebangs \
|
|
linux/installer/bin/build-installpkg.sh \
|
|
linux/installer/common/psw/createTarball.sh \
|
|
linux/installer/common/psw/install.sh
|
|
'';
|
|
|
|
dontUseCmakeConfigure = true;
|
|
|
|
# Randomly fails if enabled
|
|
enableParallelBuilding = false;
|
|
|
|
buildFlags = [
|
|
"psw_install_pkg"
|
|
] ++ lib.optionals debug [
|
|
"DEBUG=1"
|
|
];
|
|
|
|
installFlags = [
|
|
"-C linux/installer/common/psw/output"
|
|
"DESTDIR=$(TMPDIR)/install"
|
|
];
|
|
|
|
postInstall = ''
|
|
installDir=$TMPDIR/install
|
|
sgxPswDir=$installDir/opt/intel/sgxpsw
|
|
|
|
mv $installDir/usr/lib64/ $out/lib/
|
|
ln -sr $out/lib $out/lib64
|
|
|
|
# Install udev rules to lib/udev/rules.d
|
|
mv $sgxPswDir/udev/ $out/lib/
|
|
|
|
# Install example AESM config
|
|
mkdir $out/etc/
|
|
mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
|
|
rmdir $sgxPswDir/aesm/conf/
|
|
|
|
# Delete init service
|
|
rm $sgxPswDir/aesm/aesmd.conf
|
|
|
|
# Move systemd services
|
|
mkdir -p $out/lib/systemd/system/
|
|
mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
|
|
mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
|
|
|
|
# Move misc files
|
|
mkdir $out/share/
|
|
mv $sgxPswDir/licenses $out/share/
|
|
|
|
# Remove unnecessary files
|
|
rm $sgxPswDir/{cleanup.sh,startup.sh}
|
|
rm -r $sgxPswDir/scripts
|
|
|
|
mv $sgxPswDir/aesm/ $out/
|
|
|
|
mkdir $out/bin
|
|
makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
|
|
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
|
|
--run "cd $out/aesm"
|
|
|
|
# Make sure we didn't forget to handle any files
|
|
rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
|
|
'';
|
|
|
|
# Most—if not all—of those fixups are not relevant for NixOS as we have our own
|
|
# NixOS module which is based on those files without relying on them. Still, it
|
|
# is helpful to have properly patched versions for non-NixOS distributions.
|
|
postFixup = ''
|
|
header "Fixing aesmd.service"
|
|
substituteInPlace $out/lib/systemd/system/aesmd.service \
|
|
--replace '@aesm_folder@' \
|
|
"$out/aesm" \
|
|
--replace 'Type=forking' \
|
|
'Type=simple' \
|
|
--replace "ExecStart=$out/aesm/aesm_service" \
|
|
"ExecStart=$out/bin/aesm_service --no-daemon"\
|
|
--replace "/bin/mkdir" \
|
|
"${coreutils}/bin/mkdir" \
|
|
--replace "/bin/chown" \
|
|
"${coreutils}/bin/chown" \
|
|
--replace "/bin/chmod" \
|
|
"${coreutils}/bin/chmod" \
|
|
--replace "/bin/kill" \
|
|
"${coreutils}/bin/kill"
|
|
|
|
header "Fixing remount-dev-exec.service"
|
|
substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
|
|
--replace '/bin/mount' \
|
|
"${util-linux}/bin/mount"
|
|
|
|
header "Fixing linksgx.sh"
|
|
# https://github.com/intel/linux-sgx/pull/736
|
|
substituteInPlace $out/aesm/linksgx.sh \
|
|
--replace '/usr/bin/getent' \
|
|
'${glibc.bin}/bin/getent' \
|
|
--replace '/usr/sbin/usermod' \
|
|
'${shadow}/bin/usermod'
|
|
'';
|
|
|
|
passthru.tests = {
|
|
service = nixosTests.aesmd;
|
|
};
|
|
|
|
meta = with lib; {
|
|
description = "Intel SGX Architectural Enclave Service Manager";
|
|
homepage = "https://github.com/intel/linux-sgx";
|
|
maintainers = with maintainers; [ veehaitch citadelcore ];
|
|
platforms = [ "x86_64-linux" ];
|
|
license = with licenses; [ bsd3 ];
|
|
};
|
|
}
|